Autonomous Vehicle Cybersecurity: An overview (2024)

Autonomous driving. Currently an exciting vision for the masses. Being able to move around on the roads in a vehicle without anyone having to drive. While there are already several such approaches on the roads, in everyday life, autonomous driving is still more of a futuristic topic.

For those involved in the value creation processes of automotive development work, however, the situation is quite different. The development of autonomous solutions has been underway for many years, along with all its forward, backward steps and in circles.

So, it’s about time to start thinking about autonomous vehicle cybersecurity. In this blog article, we’ll look at the status quo of autonomous driving from the cyber security perspective at the technical level, as well as from the perspective of global regulations. Let’s get started.

Let’s first go over the technicalities that make the so far available autonomous vehicles possible.

An introduction to autonomous vehicles

Technicalities in autonomous vehicles overview

A combination of computer vision, machine learning, and sensor fusion technologies are what enable autonomous vehicles to navigate and drive without human intervention. We’ll explain them briefly:

• Computer vision: interprets visual information captured by cameras and LiDAR sensors. This enables the vehicle to understand its surrounding environment and detect other vehicles, pedestrians and traffic signals.
• Machine learning: as a subset of artificial intelligence, which allows systems to learn and improve, ML is being used in transportation by helping to train vehicles. Based on visual information gathered through sensors such as cameras, computer vision is used to interpret the data captured and used to train vehicles to recognize objects such as lanes, other vehicles, pedestrians, traffic signals and then make decisions to brake, accelerate, or change lanes.
• Sensor fusion: combines data from multiple sensors including cameras, LiDAR, RADAR, and GPS to provide a more robust scanning of the vehicle’s surroundings, which enables the vehicle to navigate in diverse environments.

Let us recap on the sensor technologies driving the development of autonomous vehicles.

• LiDAR (Light Imaging Detection and Ranging): uses laser light beams to read the environment details and 3D scan of the surrounding. It is composed of a scanner, a laser and a GPS tracker, plus other components. Therefore, the system can also determine closeness of the object based on its exact global location.
• RADAR: uses radio waves to determine location, angle, and velocity of objects.
• ViDAR (Visual Detection and Ranging): a combination of video cameras and AI-based “machine vision” that enables the collection and analyzing of visual information from the environment.

Most autonomous vehicles also use a combination of the following approaches to make the car drive safely:

• Rule-based systems: where predefined rules govern the vehicle’s behavior
• Behavior-based systems: where predefined behaviors govern the vehicle’s behavior, such as following other cars or avoiding obstacles
• Machine-learning based systems: where data and training are used to learn and make decisions, enabling the vehicle to adapt to new situations and environments

SAE’s Classification of level of automation in a vehicle

Regardless of all these technological advancements, but how close are we really to the finish line in producing a fully autonomous vehicle? First, let’s get on the same page on what a full automation or what the so-called Level 5 is. Five levels of autonomous driving have been defined by the Society of Automotive Engineers (SAE) International to classify the level of automation in a vehicle:

• (Level 0 – No automation: driver is in full control at all times)
• Level 1- Driver Assistance: vehicle can assist the driver with specific functions, like braking or steering, but driver remains in full control
• Level 2 – Partial Automation: driver must monitor the environment and be ready to take over at all times, but vehicle can e.g. park, perform automated lateral and longitudinal tasks during overtaking within certain limits
• Level 3 – Conditional Automation: vehicle can brake, steer, change lanes, and overtake on its own and monitor the environment under certain conditions, but driver must be ready to take over at any time, so drivers’ attention may only be diverged temporarily. This is today’s state of the art, where drivers must be ready to take wheel back in their hands for example within 10 seconds if required by the system.
• Level 4 – High Automation: done correctly, it can perform all level 3 tasks, but the difference is they won’t have to be monitored by a human anymore, shifting drivers’ roles to passengers. If the automated mode is to be aborted, the driver must take over, but even if the driver does not react, the system will place the vehicle autonomously in a minimal risk condition, such as stopping the vehicle on a hard shoulder. Passengers can also prompt an emergency stop at all times.
• Level 5 – Full Automation: vehicle can perform all functions in complex conditions such as pedestrian crossings or junctions and no human driver is required. This is the level of automation that opens up new vehicle concepts such as cabinless vehicles.

How far are we from achieving Level 5 automation in vehicles?

As far as available products, based on SAE’s classification of automation levels in vehicles, most released vehicles are at Level 2 and Level 3. Level 4 commercial vehicles is still in the early phases of the implementation.

Europe

Meanwhile the regulatory scenario today differs from country to country. In Germany, level 3 lane keeping assistance system (ALKS — Automated Lane Keeping System) is already allowed in at up to 60 km/h speed and has already been adopted at UN level (BMDV, 2021). Permission in Germany has already been granted to two worldwide known OEMs. Currently, the amendment to allow ALKS for up to 130 km/h speeds is already in force by contracting parties who decided to apply it since January 2023 (UNECE, 2022).

Asia

Going East, the Chinese city of Shenzhen allowed self-driving cars on the road on August 1^st, 2022 after ensuring an end-to-end regulatory coverage during testing and a yardstick for determining responsibility in traffic accidents. This was possible thanks to the coordination between central and local governments to implement pilots. Policies are then created using the information gathered in pilots. (McKinsey, 2023).

Moreover, China has also launched a pilot area for commercial autonomous driving vehicle services who will offer robotaxis, without human safety drivers in the car within a 60 square kilometer area in Yizhuang, south from Beijing (China Daily, 2022).

Japan was the first country to issue a L3 permit back in 2020. (NPA, 2023) Like China, Japan will also allow L4 autonomous vehicles beginning of April 2023 within limited areas in regions with decreasing population. However, a stand-by driver is still required.

United States

The federal government of the United States has published guidelines that enables states to create autonomous vehicle frameworks based on the states’ risk tolerance. However, despite efforts, L3 autonomous vehicles are not available for consumers in the United States as of today (NHSA, 2023).

Therefore, the advancements in autonomous driving activities differs across the country. However, some states have positioned themselves as the leaders in this topic.

Michigan, home of motor city for instance, was the first state to extend manufacturers license plates for autonomous driving testing to OEMs back in 2013. Moreover, automated vehicle fleets that provide on-demand transportation within defined limits is allowed under the Safe Autonomous Vehicle (SAVE) Project since 2016. In addition, on 2022 Michigan announced the creation of the first connected and automated corridor between Detroit and Ann Arbor for autonomous transportation

In contrast, California has rather made more restrictive testing of autonomous vehicles. Today, only four autonomous vehicle stakeholders hold permits under the AV Tester Driverless Program, launched in 2014 and revised in 2018. However, several shared autonomous vehicles (SAV) projects are taking place.

Arizona does not require having a safety driver in autonomous vehicles as long as the system is being monitored remotely since 2018. The state also allowed testing and operation of for-profit autonomous vehicle on-demand transportation service (Automotive World, 2022).

With this overview on current regulations for autonomous driving around the world, we can conclude there is a lack of global standardization, which also makes it harder for manufacturers to develop autonomous vehicles that fit global market needs and local infrastructure.

At the same time, the governmental bodies involved are already trying to keep pace as best as they can with the ongoing technological development and to create legal certainty for all stakeholders in this evolution. It can be assumed that there will be further far-reaching adjustments to these regulations and legal frameworks worldwide in the near future.

Technological challenges for L5 autonomous vehicles

Besides the obvious lack of global standardization for autonomous vehicles requirements, there is also a lack of suitable technology to fully achieve level 5.

Away from the testing fields, in the real-world setting, autonomous vehicles must be able to handle unpredictable situations, such as bad weather, construction, or emergency vehicles.

Taking all these into consideration, challenges remain ahead for each one of the currently most common technologies.

For LiDAR systems, weather conditions remain a threat although it would have better visibility at night than people. Just like their human counterparts, visibility can be reduced in snow, fog, or heavy rain conditions or completely blind depending on where the LiDAR sensor is placed. Moreover, driving through construction sites where dust and smoke burst, can also impact the vehicle’s ability to form a picture of its surroundings and navigate. In general, in cases where human visibility is limited, so is LiDAR’s.

Similar to LiDAR, ViDAR also struggles in low visibility conditions. They can also be tricked and mistake objects. An important disadvantage to consider compared to the LiDAR and RADAR, is the depth of field for cameras is limited. Thus, it is more likely to miss objects at long distances due to their limited depth of field, making them unfit for long distance ranges outside of their depth of field. In fact, this is why OEMs prefer working with LiDAR and RADAR.

In fact, shortcomings have already been proved with rising automotive hacks, in which they attackers managed to control vehicles remotely and were able exploit the system’s shortcomings to manipulate autonomous vehicles and put drivers, passengers or pedestrians’ life in danger.

RADAR, on the other side, could get around these challenges by detecting objects even at night and low visibility conditions through the radio waves. Another advantage is cost. Since RADAR is an older technology, it is more cost efficient to implement. However, it is still disadvantaged in detecting smaller objects. Moreover, RADAR systems are vulnerable to waves of the same wavelength if they are present at the same frequency as the RADAR’s as it can cause interference and prevent the RADAR’s ability to correctly detect and locate objects. Therefore, leading to missing objects or considering moving objects as stationary.

All in all, there is no substitute for LiDAR or ViDAR available. Nevertheless, using RADAR for short distances in conjunction with LiDAR for long distances could take full advantage of existing technology.

Though it is difficult to predict when L5 autonomous driving technology will happen, many automakers are actively looking to develop the necessary technology and it is expected to become possible in the future.

Cybersecurity for autonomous vehicles as an added challenge

As autonomous vehicles are indeed rolling computers and dependent on software to operate, they are of course vulnerable to software related security flaws, in addition to input attacks.

Due to their heavy reliance on complex networks of software and hardware systems to function and connection to the internet, autonomous vehicles become susceptible to cyber threats including:

• Remote hacking: control vehicle’s functions remotely by exploiting a software vulnerability
• Vehicle spoofing: tricking vehicle into thinking it is in a different scenario or location
• Data breach: stealing sensitive information such as driver’s information or vehicle’s location
• Tampering with sensor data: tricking vehicle’s vision with false images projected on road
• Tampering with software updates: attacker can interfere with software updates and gained unauthorized access and control of the vehicle
• Insider threat: an employee can have access to sensitive data and systems and harm production, this is why cybersecurity in vehicle production is also important

Large amounts of data are being processed and collected in autonomous vehicles including sensitive information such as passenger’s personal information or vehicle’s location in real-time remains a challenge. This provides the need for implementing data privacy and security measures, else this data can be exposed to unauthorized parties or stolen by cyber criminals.

Moreover, going back to the technicalities, where we find a variety of navigation systems and sensors that steer the vehicle’s decision making there is no doubt that attacks to these systems could lead to vehicle malfunction and therefore, accidents and even fatalities.

To add on to the challenges, since autonomous vehicles have complex and distributed systems, it is difficult to detect and react to cyber attacks in real time. Moreover, a simple shutdown, as it is common with conventional IT systems, is not feasible since it could lead to dangerous situations. In order to ensure critical safety functions continue being operational even in the case of malfunction, additional fallback systems and redundancy are required.

All these considerations must of course be taken into account right from the concept phase onwards and must be monitored across the entire product lifecycle. Special attention must also be paid to managing software updates also in accordance to UN Regulation No. 156, so considerations during the concept phase also affect the operation and maintenance stage.

Get a full overview of the impact of cybersecurity on product lifecycle with our dedicated CYRES Academy on demand video course:

Tackling autonomous vehicle cybersecurity outlook

Unlike Functional Safety (FuSa), which is a well-established discipline in the automotive industry, automotive cybersecurity is still emerging. Nevertheless, not only must cybersecurity be added as a discipline next to functional safety in order to ensure safe and reliable vehicles, but also new processes such as Threat Analysis and Risk Assessment must be implemented and a cybersecurity concept needs to be developed.

Here, both disciplines should strive to protect humans against threats arising from technical system failures disturbed by the environment or humans.

Considering the previous realization that we must embed cybersecurity across the product lifecycle, it becomes clear security-by-design is also required. In short, security-by-design, a common IT concept, is an approach that ensures security requirements are defined and taken into account from the very start of the product development, specifically already at the design stage and ideally enables teams to take action to reduce vulnerabilities from early on.

However, in the current automotive industry landscape it is hard to turn this concept into practice without sufficiently allocated resources and know-how. Insufficient cybersecurity competences, lacking holistic standardization of cybersecurity by design, as well as cybersecurity awareness are all realities factoring into making cybersecurity by design hard to implement.

Certainly, several companies are tirelessly working to continue securing autonomous vehicle systems. We recommend simultaneously to invest in enabling resources to integrate cybersecurity.

Some action steps include:

• Increasing cybersecurity awareness at the executive level to enable proper resource allocation and establish management’s buy-in to cybersecurity
• Invest in furthering cybersecurity knowledge to ensure competence requirements as demanded by ISO/SAE 21434 and UN Regulation No. 155
• Get organization’s specific cybersecurity recommendations and requirements to foster best practices and a cybersecurity culture or establish policies and processes at the level of the organization
• Get guidance to establish guidelines for secure software development, testing and validation procedures, and secure communication during the project
• Design and implement systems and components securely with guidelines for secure coding practices

From the point of view of automotive cybersecurity consulting, a kind of “race” can currently be observed in which, in addition to the large OEMs, various suppliers also want to position their technologies appropriately for this growth market – not infrequently, the holistic aspects of the strategic coordination and operational implementation of cybersecurity as a quality dimension are not sufficiently taken into account.

Raising awareness at the highest decision-making level at an early stage proves time and again to be critical to success.