How enterprises can overcome automotive cybersecurity challenges
In the fourth episode of our 'Cybersecurity Awareness Month' podcast series, we explore the intricate world of automotive cybersecurity with Akshay Tiku, Partner, Technology Consulting, EY India. As connected and autonomous vehicles become more prevalent, the automotive industry is facing unique challenges and evolving threats. Akshay shares his insights on the importance of cybersecurity in ensuring vehicle and user safety, the role of regulatory frameworks, and the key skills that are in demand for cybersecurity professionals. Join us as we navigate the complexities of securing the future of our vehicles.
Akshay Tiku
Partner, Technology Consulting, EY India
Key takeaways
The rise of connected and autonomous vehicles expands the cybersecurity threat landscape, necessitating advanced security measures and collaboration among stakeholders.
Regulatory frameworks like ISO 21434 and AIS 189 are essential for standardizing cybersecurity practices and building consumer trust in vehicles.
Continuous education and understanding of automotive technology are crucial for cybersecurity professionals to effectively address emerging risks and vulnerabilities.
Ensuring automotive cybersecurity is vital; it is about safeguarding passengers and securing data in an increasingly connected vehicle landscape.
For your convenience, a full text transcript of this podcast is available on the link below:
Pallavi: Welcome to the latest episode of the ‘Cybersecurity Awareness Month’ podcast series, a key part of the EY India Insights podcast collection. I am your host, Pallavi, and today we are navigating to the intricate world of automotive cybersecurity. We have the privilege of welcoming Akshay Tiku, Partner, Technology Consulting, EY India, to our show. Akshay is a seasoned professional with over 18 years of experience in the field of cybersecurity, focusing on managed security, automotive security, operational technology (OT), Internet of Things (IoT) security, and data security.
Akshay brings a wealth of global experience in various facets of cybersecurity, including IT risk management, penetration testing, and business resilience. His credentials include Certified Information Systems Auditor (CISA), ISO 27001, ISO 20000 and ISO 22301, and he is recognized as a Lead Privacy Assessor.
Akshay, welcome to the podcast. It is a pleasure to have you on this episode.
Akshay: Thanks, Pallavi. It is a pleasure to be here. Thank you for inviting me here and selecting this topic. It is something that is very critical to the world nowadays.
Pallavi: Thank you, Akshay. Looking forward to the discussion. To start off, could you highlight the importance of cybersecurity in the automotive industry and the unique challenges it faces today, especially with the rise of connected and autonomous vehicles?
Akshay: When we talk about the automotive industry as a whole, one aspect is traditional security, which is at the enterprise level. Then, it moves on to the many digital applications that automakers use today. For example, the dealer management system, the customer management system, and a host of security requirements that emerge from a plant perspective, which we call operational technology (OT) security, where we look at how to ensure that the automated systems within the plant are working correctly.
Finally, the most important aspect – and probably something that we will emphasize a lot today – is securing the vehicle itself, whether it is a passenger or commercial vehicle. When we think about vehicles, we often just stop at passenger vehicles, but commercial vehicles make up the bulk of the overall automotive security use cases. And of course, electric vehicles nowadays are bringing in a significantly larger threat landscape.
So, when we talk about these vehicles, the most important aspect is safety. As a user, I would want the vehicle to be safe and reliable. Modern vehicles are increasingly reliant on critical functions like braking, steering, and advanced driver assistance systems, called ADAS in common parlance. All of these are heavily dependent on software. The moment software comes into the picture, vulnerabilities arise. This becomes an important area where we need to prevent malicious attacks to ensure vehicle safety and reliability, and also secure passengers in the vehicle.
The second aspect that makes automotive security so important is data protection. Nowadays, with all the rulings and new laws on data protection, vehicles collect a lot of data such as where you are going and what your driving behavior is. This is also a major threat area. So, from an automotive security perspective, the ongoing innovation in connected cars, electric vehicles, and all the new features now integrated into cars contributes to increasing the attack surface.
We are more digital now. For example, today’s cars are no longer like traditional cars; they are more attuned to mobile phones, where you can install apps. However, while mobile phones have a lifespan of two to three years, cars have a lifespan of 15 to 20 years. That is where the challenge lies.
Then, regulatory compliance – both international as well as local – is another critical aspect that adds to the complexity of ensuring security.
The other part of the question was about the challenges, which are also linked to what we discussed. As I mentioned, with connected vehicles, there are so many systems that are interconnected – your stereo system, you can talk to the car and tell it to open the windows or switch on the AC. Now, all this connectivity extends the attack surface. If you just take an example from recently and extrapolate it: a lot of these pagers were blasted because, allegedly, there were some explosives, or through the heating of the battery.
Now, imagine putting that scenario into, say, a car environment: if all of these EVs and other cars start exploding like that, what kind of catastrophe that would be. So that is one very unique challenge which this industry faces.
In addition to that, there are significant risks that come from the supply chain. If you understand the automotive industry, a car has many components which are sourced from different vendors, and all of them have to work towards security to ensure that the car is secure.
As I mentioned earlier, with the long lifespan of a car of 15 to 20 years, you have to ensure security from all kinds of vulnerabilities that may emerge in the next 10, 12, 13 or 14 years. That really highlights the enormity of the challenge that the automotive industry is facing.
Pallavi: Thank you, Akshay. How are the international standards and regulatory frameworks shaping the development of robust cybersecurity in the automotive sector? What proactive measures should industry players take to enhance their cyber defenses?
Akshay: These regulatory frameworks are playing a pivotal role in shaping cybersecurity practices, and they are needed. If you look at the automotive industry, it is diverse and global. For example, a German car is sold all over the world, just like an India-manufactured vehicle. So, there has to be standardization. International standards help in creating a standardized approach to cybersecurity.
The lead was taken through the UNECE WP.29 regulatory framework, which mandates comprehensive cybersecurity measures and outlines specific requirements that a vehicle must meet. Many countries are signatories to this UN regulation, which makes it mandatory for them to implement comprehensive security measures.
For compliance with this regulatory framework, there is also an ISO standard—ISO 21434—which ensures that all manufacturers follow the same security protocols.
In fact, take India’s example. There is a draft standard called AIS 189, followed by AIS 190 which, once approved, will mandate the application of these security standards to cars in India before they get any type of approval to be on the road. This ‘type approval’ will require these organizations to achieve these certifications and constantly monitor security threats.
All this is possible due to the evolving global standards and frameworks, which also help build consumer trust. If I am using a connected vehicle, I would be more comfortable knowing that there is a certain level of security practices, such as risk management, in place to ensure that I am safe in the car, or that vehicles on the road are safe. This highlights the important role of regulatory frameworks and how they are shaping the industry.
From an industry perspective, while these standards are in place, I would say there are certain proactive measures that some organizations are taking, and a few others are adopting due to regulatory requirements. Firstly, this includes ISO 21434 as the default standard, and integrating it with the overall security practice within the firm. This is one proactive measure that organizations should take.
While some of them have already started adopting it, it needs to trickle down to original equipment manufacturers (OEMs) and Tier 1 organizations as well. They should regularly conduct risk assessments and evaluate potential vulnerabilities. For example, if a new patch or functionality is added to your telemetry or infotainment system—which is connected to the car’s onboard computer or electronic control unit (ECU), along with various other functions via Wi-Fi or Bluetooth—there could be security vulnerabilities that a hacker could potentially exploit. This could lead to the compromise of the entire vehicle.
So, it is important to ensure that patches are regularly updated, that security updates are pushed to vehicles, that secure software development practices are followed, and that security incidents are actively monitored.
One important aspect of the regulatory framework is that all OEMs will have to establish a Vehicle Security Operations Center (VSOC). Just like we have security operations centers (SOCs) in enterprises, they need to have a dedicated SOC that monitors all vehicles on the road in real-time, assessing their security posture and alerting them if any security threats are detected. This will be a regulatory requirement once AIS 189 comes into effect in India.
Another important aspect is collaboration. Collaborating with industry peers and other automotive organizations to share threat intelligence and other best practices can help strengthen security.
In addition to that, one last point that comes to mind is ensuring that any security practices you adopt are also passed down the supply chain. For instance, if a supplier provides your braking system, headlight system, or Bluetooth module, it is essential to push these security practices to those component manufacturers as well. This ensures that the entire vehicle, as a package, is secure.
Pallavi: Thank you, Akshay. In the context of increasing cyber threats, how vital is collaboration among automotive stakeholders in mitigating risks? In addition to that, what should vehicle owners like me know about protecting their cars from cyber vulnerabilities?
Akshay: When we talk about the vehicle ecosystem, there are various stakeholders—the OEMs who manufacture the vehicles, along with Tier 1 and Tier 2 suppliers who provide components like batteries, electrical systems, and more. All of them need to collaborate to manage the risks, especially as vehicles become increasingly connected. Today, we refer to them as software-defined vehicles (SDVs) because so much software is integrated into them.
As I said earlier, whenever software is involved, vulnerabilities follow. So, it is essential that all stakeholders work together to mitigate these risks, adopt standardized practices, and share best practices with industry peers. This can be done through autonomous bodies or industry forums that bring together all the stakeholders—whether it is suppliers, users, fleet management operators, the government, the highway authority, or even smart city stakeholders.
All these stakeholders will have to work together because, at the end of the day, the biggest risk is the risk of large-scale sabotage. From a vehicle perspective, if something like what happened in the pager attack were to happen in the automobile ecosystem, everything would become a catastrophe.
It is very important to share these and collaborate. The learnings have to be distributed. Of course, the regulatory framework helps to standardize these efforts, but collaboration is key to building consumer trust and ensuring the safety of those actually using the vehicles.
You asked earlier what a user can do. As a vehicle user myself, I would say: make sure that the software in your car is regularly updated. That is what I generally do. I keep regular checks on notifications for any updates or security patches and make sure to install them.
If you look at connected cars, there are apps which have password requirements. It is important to use strong and unique passwords, because if those are compromised, your vehicle will be at risk.
I know a few people who store games on their infotainment systems, which might not really be necessary. It is better to keep things simple and focused on what you truly need for driving. After all, there is limited storage space available. So just use it for what you require.
So, be very careful and selective about what you install in your car. Also, ensure that your car’s Wi-Fi and Bluetooth connections are secure. And from a physical security perspective, protect your vehicle’s access points—like key fobs and remote controls—by storing them securely. Avoid exposing your vehicle to unnecessary external influence from a physical security standpoint.
At the end of the day, stay informed and aware of potential threats. Keep yourself updated on what is happening in your surroundings. I would say it is crucial to educate yourself about the security aspects of your vehicle.
These are some of the key practices that, if adopted, can significantly reduce cybersecurity risks.
Pallavi: Thank you, Akshay. According to you, what are the key trends in automotive cybersecurity and how can the industry prepare for these evolving challenges? Also, for cybersecurity professionals, what are the skills that they can focus on to specialize in this domain?
Akshay: Key trends in automotive security include the rise of connected and autonomous vehicles, which leads to deeper integration with IoT devices and, consequently, an expanded threat landscape. Another significant trend is the growing use of cloud-based security solutions within the automotive industry.
The third trend is the use of AI and machine learning, which is becoming just as prevalent in the automotive industry as in any other sector. These technologies help analyze vast amounts of data and are being used frequently within the industry.
Another trend is the growing focus on software security, as vehicles are increasingly dependent on software. And of course, the adoption of regulatory frameworks is a major shift. Companies have already started aligning with these standards because it is a reality that no one can escape. These standards are helping the industry shape up and address cybersecurity challenges.
In terms of preparation, the key is to invest in advanced security technologies, AI-driven threat detection, cloud-based security systems, and more. We need to recognize that vehicles today are not traditional anymore; as we introduce more capabilities into them, the threat landscape grows, and it is crucial to invest in these AI-driven solutions.
Enhancing collaboration between carmakers, suppliers, and all stakeholders is essential. Knowledge sharing plays a vital role in this process. Organizations must prioritize continuous threat monitoring. It is important to start thinking about how we will monitor vehicles once they are on the road and, more importantly, how we will respond if we detect something wrong with the vehicle.
Another critical aspect is regularly updating and patching systems. Since vehicles can operate in areas with limited or no connectivity, we need to account for these scenarios when designing them. This forward-thinking approach is essential to staying ahead of cybersecurity challenges.
Finally, regarding the skills needed for cybersecurity professionals: First and foremost, it is crucial to understand the automotive industry. Second, gain a strong technical understanding of how the technology works—especially vehicle networks, such as the Controller Area Network (CAN), Local Interconnect Network (LIN), and Ethernet. These are key technical areas that professionals need to focus on.
Professionals need to familiarize themselves with standards like ISO 21434, WP.29, and AIS 189, and stay updated on any changes. From a risk assessment perspective, it is important to understand the kinds of risks and use cases that can arise from a cybersecurity standpoint. For example, you might think gaining control over the headlight management system is not a big deal—you might assume it only affects the headlights. But it is actually critical because other systems, like braking or steering controls, may be linked. If someone remotely disables your headlights at night, it becomes a serious safety hazard.
The key is to think holistically. Understanding how various systems interact is crucial. Beyond that, skills in software security and cryptography are important, but ultimately, it all comes down to continuous education and collaboration. Constantly raising your knowledge and sharing it with others is essential.
These are the key skills I think professionals should focus on: understanding vehicles, mastering the technical aspects, recognizing risks, and embracing continuous learning. This is a constantly evolving environment. We cannot be thinking about internal combustion engine (ICE) vehicles in the age of electric vehicles (EVs). We have to keep evolving.
Pallavi: Thank you, Akshay. With that, we come to the end of this episode. Your insights have illuminated the complex and dynamic field of automotive cybersecurity. We are very grateful for the knowledge that you have shared, which is essential for both industry insiders as well as the everyday consumers. So, thank you so much for joining us today for this episode.
Akshay: Well, thanks a lot. I am actually glad to have had the opportunity to join you today, Pallavi. It is imperative that we continue to elevate the conversation around cybersecurity in the automotive sector. So, thanks a lot once again.
Pallavi: Thank you. And thank you to all our listeners for tuning in today for this enlightening discussion. We hope you have gained actionable insights in the world of automotive cybersecurity. Be sure to join us for the next episode as we delve deeper into the pressing cybersecurity topics of our time. Stay informed, stay secure.