Cybersecurity Engineering in the Automotive industry

A lot is happening in the Automotive industry these days. It has to do with connectivity, autonomous driving, autonomous parking, and so on.

All these have one thing in common: they produce extremely large amounts of data which need to be processed in the backend by very powerful computers.

When we talk connectivity, we MUST talk about cybersecurity.


This is why the Automotive industry has started to take this very seriously:

ACEA currently represents the 15 Europe-based car, van, truck and bus manufacturers:
  • BMW Group,
  • DAF Trucks,
  • Daimler,
  • Fiat Chrysler Automobiles,
  • Ford of Europe,
  • Hyundai Motor Europe,
  • Iveco,
  • Jaguar Land Rover,
  • Opel Group,
  • PSA Group,
  • Renault Group,
  • Toyota Motor Europe,
  • Volkswagen Group,
  • Volvo Cars, and
  • Volvo Group

ACEA and its members have identified a set of six key principles to enhance the protection of connected and automated vehicles against cyber threats.
1. Cultivating a cybersecurity culture
2. Adopting a cybersecurity life cycle for vehicle development
3. Assessing security functions through testing phases: self-auditing & testing
4. Managing a security update policy
5. Providing incident response and recovery
6. Improving information sharing amongst industry actors

These principles take account of the recommendations of the European Union Agency for Network and Information Security (ENISA), the guidelines of the UNECE Informal Working group on Intelligent Transport Systems and Automated Driving (IWG ITS/AD), and the US Automotive Information Sharing and Analysis Centre’s (Auto-ISAC) best practices. This proactive approach demonstrates the automobile industry’s commitment to continue to ensure user safety. Furthermore, ACEA members are currently involved in UN and German Institute for Standardisation (DIN) working groups drafting two documents of crucial importance:

• An international ISO/SAE standard on cybersecurity (ISO 21434);
• A recommendation which will be presented to the UNECE/WP.29 World Forum for Harmonisation of Vehicle Regulations.


What does all this mean?

Cybersecurity in automotive is not new. It started more than 5 years ago. I wrote about it and I will continue to write.

But, until recently these topics were things which “don’t happen to us”.

Now, all manufacturers have started to take this very seriously because a recall due to security problems is even more expensive than replacing some hardware in the car.


Back to ACEA now.

I really like their approach, but in my opinion, it is coming too late.

I created with Magility a Cybersecurity Management System (a framework) which describes how to introduce and implement cybersecurity in the entire company.


Because CSMS is more generic, it is better, if done right. 🙂

ACEA is also very good, but it is exclusively focused on cars and their internal architecture. Which is not bad at all.

At some point, the CSMS would also have to focus its Cybersecurity Program on using one framework or another.



I am very happy to see that Magility and I came up with something very good and solid, even before the big guys started to think about it.

If you are interested in finding out more on CSMS, drop me a note.

© Copyright 2017 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working for over 20 years in the IT security industry and worked between 2003 and 2014 for Avira as Product Manager for the well-known products used by over 100 million users worldwide. Today he is CEO and owner of Endpoint Cybersecurity GmbH, focusing on cybersecurity, secure software development and security for IoT and Automotive. He also runs his personal blog, Sorin Mustaca on Cybersecurity, and is the author of the free eBook Improve your security.