New EU cybersecurity rules push carmakers to shun old models
April 15, 2024While in the movies, master spy James Bond usually saves the world with his well-equipped cars, the villains in today's world have long found ways to turn ordinary passenger cars into vehicles that serve their criminal purposes.
The European Union now wants to put the brakes on the growing security threats connected with modern car technology, especially in electric vehicles (EVs). The electronic equipment in cars not only serves the convenience of their drivers and contributes to road safety, but also allows cars and their users to be increasingly monitored.
The United Nations and the European Union have recognized this and responded with UN regulations R155 and R156, which address cybersecurity threats from software updates in cars. The new rules impose higher requirements on car companies and their suppliers and will be implemented in the EU starting July 7.
Spies on four wheels
For German economist Moritz Schularick, cybersecurity in the auto industry is even a "question of national security."
"It's about sensitive data that can be siphoned off — especially with electric cars. From the perspective of intelligence agencies, these cars, with their many sensors and cameras, are nothing but spying machines on four wheels," Schularick told German business daily Handelsblatt in March.
In December 2023, the economist and cybersecurity expert warned during a conference on the topic, co-hosted by DW, that modern electric vehicles (EVs) driving around our cities would "film everything happening around them" and would transfer the data to their manufacturers, many of which are in China.
"Do we want that? Do we want the eyes and ears of a foreign government to surveil our streets through millions of cars?" he asked the audience.
Here and there and everywhere
According to a March 2024 study titled "Automotive Cyber Security"— authored by Germany's Center of Automotive Management (CAM) in cooperation with US software giant Cisco Systems — the threats to cybersecurity in the auto industry are imminent.
The risk of cyberattacks on the automotive industry is rising due to the increasing networking and digitalization of cars, production, and logistics, the study says. "With the proliferation of software-defined vehicles, electromobility, autonomous driving, and interconnected supply chain, cyber risks are further escalating," CAM director Stefan Bratzel, one of the study's co-authors, told DW.
The study vividly illustrates how vulnerable the industry has come to be.
Two years ago, for example, Toyota had to halt production because a supplier was affected by a suspected cyberattack. In 2022, multinational auto components manufacturer Continental was targeted by cybercriminals, who stole crucial data from IT systems despite massive protections against a hacking attack. Another example cited in the study was that of US electric-car pioneer Tesla which was targeted in March 2023. At the time, hackers gained access to vehicle software controlling car functions like honking the horn, opening the trunk, turning on the headlights, and operating the car's infotainment system.
End of the road for multiple car models
Due to the new regulations, some manufacturers are now withdrawing models from their lineup.
For Germany's mass-market carmaker Volkswagen (VW), this includes the Up compact car and the Transporter T6.1 van. Luxury carmaker Porsche is discontinuing the Macan, Boxster, and Cayman models in Europe and will only sell them as combustion-engine versions in countries with less rigid rules, German news agency dpa reported recently. Audi, Renault, and Smart also plan to cease production of older models because they don't meet the new cybersecurity standards.
VW brand chief Thomas Schäfer told dpa the measures were necessary due to the high compliance costs. "Otherwise, we would have to integrate a completely new electronic architecture [in the car model], which would simply be too expensive," he said.
Wiebke Fastenrath from Volkswagen's Commercial Vehicles unit confirmed this to DW, saying implementation of the regulation in the T6.1 van, for example, would have required "very high investments" for a platform that is soon to be discontinued. "Due to the short remaining lifespan of the model, these investments were not made, especially since the successor models are already on the market," she said.
'Cybersecurity cleanup essential for car industry'
German premium automaker Mercedes-Benz is "well-prepared" for the switch to safer car electronics, company spokesperson Juliane Weckenmann told DW. "The regulations have no impact on our portfolio. All our architectures meet the requirements and are or will be certified according to UN R155/R156 in time."
Volkswagen's Wiebke Fastenrath said the company is ready to make the switch "for the new 2025 model year."
CAM director Stefan Bratzel noted that a professional cybersecurity strategy is gaining importance for a "cleanup in the car industry."
Christian Korff from Cisco System, who co-authored the study with Bratzel, is convinced that the automotive industry "cannot afford vulnerabilities in the cyber domain."
"Only those who provide secure vehicles and services at all levels will retain the trust of customers," he wrote in the conclusions of the study.
This article was originally written in German.