Small automakers and suppliers challenged by new cybersecurity regulations

New regulations governing cybersecurity for software-defined vehicles will start next year but the automotive industry may not be prepared, according to Israel's Argus Cyber Security.

Argus, a subsidiary of Germany's Continental AG, found that 58 percent of small automakers and automotive suppliers are not prepared to create a management system focusing on vehicle cybersecurity that complies with Regulation 155 from the United Nations Economic Commission for Europe.

Additionally, the commission's Regulation 156 governs cybersecurity protocols for software updates in new vehicles and will start that same month.

"No one's prepared and to be honest, the complete automotive chain is not prepared," Gulroz Singh, an executive at NXP Semiconductors, in Austin, Texas, told Automotive News.

The regulations provide standards for vehicle software and system security, personal data protection and cybersecurity incident management. They also spell out cybersecurity practices at automakers and suppliers.

In the European Union, the regulation will be mandatory for all new vehicles produced from July 2024.

Although the U.S. is not technically subject to the regulations, domestic automakers and suppliers must adopt them to do business in most of Europe starting July 2024. It doesn't make financial sense for the companies to produce vehicles with different standards, so they are likely to adopt the regulations across their product lineup, experts told Automotive News. Companies in China will likely do the same.

Argus surveyed 200 senior executives, including 100 from companies making fewer than 10,000 vehicles annually and 100 at automotive suppliers with up to 25,000 employees.

The executives who reside in the U.S., Canada, Western Europe, United Kingdom, Turkey, Japan and Korea work directly or indirectly in cybersecurity, security, safety, compliance, regulation, engineering, homologation, quality and testing.

Argus surveyed small electric vehicle automakers because their architecture is more heavily software based compared with the internal combustion engine models from the legacy brands, Rachel Pekin, Argus' vice president for marketing and strategic alliances, told Automotive News.

Automakers have a greater need for cybersecurity as they move to over-the-air vehicle updates and subscription-based features.

Vehicles are becoming more vulnerable to cybersecurity threats because they now have many interfaces that can be attacked, Singh said.

The automotive supply chain must be secured at all levels, including software, components and other parts, Singh said.

"I think the narrative is that the industry is already not prepared, but now there are regulations put in place—guardrails for these different automakers to follow," Singh said.

He called the regulations a step in the right direction.

"It's one standard for the complete automotive chain," Singh said. "Vehicle manufacturers can push that law back to the suppliers and say, 'OK, we're following this, and you should follow this as well.'"

Large automakers and suppliers have cybersecurity weaknesses but have more resources and are better prepared for the new regulations, Pekin said.

"The smaller ones don't have the knowledge and sometimes the ownership of taking care of security falls on the IT department at these companies," Pekin said. "So, they're very concerned about how to do it and how to tackle it and they need help."

Despite the challenges faced by small automakers and suppliers, 53 percent of respondents told Argus their companies are designing products with cybersecurity features in mind.

Budgetary constraints are also a concern for a significant number of these small companies.

Argus found that 38 percent of suppliers and 17 percent of automakers ranked budget issues as the biggest challenge in complying with Regulation 155, although 46 percent of respondents say their companies have all the internal resources and expertise they need to comply with the rule.