FW: Against a backdrop of evolving cyber and data privacy regulations, how important is it for the automotive sector to be proactive in protecting data? What are the potential consequences for an automotive company that falls victim to a cyber attack or data breach?
Karniyevich: As a cyber attack or data breach can have an impact on the safety of the driver and passengers, in the context of connected vehicles it is of vital importance for manufacturers and security vendors to be proactive in protecting data and to address the risk of hackers attempting to exploit connected vehicles’ vulnerabilities. Besides reputational damage, an automotive company that falls victim to a cyber attack or a data breach will likely face a fine under the GDPR, as well as the European cyber security regulations, in particular the Network & Information Systems (NIS) Directive which will soon be replaced by the NIS2 Directive and which introduces a new and expanded EU cyber security regime also covering the road transport sector. In addition, the supervisory authority will likely investigate the organisation’s compliance practices and highlight any areas that fail to meet the applicable requirements.
FW: In your experience, are current levels of data security deployed by automotive companies generally sufficient to address cyber risks?
Karniyevich: With smart car connectivity increasing, the growing use of data and the emergence of semi-autonomous cars, new cyber security risks and threats are developing. Security measures deployed by automotive companies need to be constantly updated to take into account recent cyber security developments to eliminate or mitigate the potential risks, especially as these attacks threaten the security, safety and privacy of vehicle and all other road users. As highlighted by the European Union Agency for Cybersecurity (ENISA), there have been some experimental remote attacks on autonomous cars’ cameras and light detection and ranging (LiDAR) systems, showing effective camera blinding, making real objects appear further than their actual locations or even creating fake objects. In addition to malicious sensors and manipulations, other attack vectors have been demonstrated, such as global navigation satellite systems (GNSS) spoofing and fooling AI-based functions, with the famous example of trapping a self-driving car by just drawing a chalk circle around the vehicle. Such attacks may lead to data breaches, vehicle immobilisation, road accidents, financial losses, and even endanger road users’ safety.
Ballhausen: In our experience, automotive companies are generally very keen to ensure data security. The sector is used to dealing with security requirements. Data security requirements are often seen as an additional set of security requirements which must be met. Nonetheless, automotive companies have faced data breaches and personal data collected by automotive companies has been lost. With an increase in cyber security attacks, it is safe to assume that the number of security issues and data breaches will increase and that despite all efforts, many of today’s security measures are not yet sufficient.
FW: What technical and organisational measures do data controllers in the automotive sector need to adopt to ensure compliance with relevant legislation?
Karniyevich: From the perspective of a data controller, to ensure compliance with data protection regulations, automotive companies need to ensure they have access to hardware and software security, taking advantage of best practices and current security standards, beginning with design and manufacturing to operation and retirement. In addition, in-vehicle network security should be ensured to protect the processed personal data, such as location data, navigation history, call history, microphone recordings and so on. Finally, as vehicle systems need, in some circumstances, to communicate with cloud-based security services to detect and correct threats, cloud security services need to be implemented in a secure manner.
Ballhausen: The technical and organisational measures that need to be adopted depend on various factors. There are, of course, principles such as “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”, as referred to in article 32 of the GDPR. However, this ability needs to be ensured through different means, such as if you take access control to ensure confidentiality, for example. If the personal data is processed within a vehicle, access control measures may be limited to password protection and potentially encryption or pseudonymisation, whereas it will generally be possible to restrict the access to personal data processed on servers in a data centre, such as part of a ‘smart’ or cloud solution, physically. Furthermore, the level of security that needs to be achieved depends on the sensitivity of the personal data being processed. The more sensitive the data, the higher the security measures that need to be implemented. Therefore, there is not one definitive set of technical and organisational measures that must be adopted by data controllers in the automotive sector. Instead, data controllers should carefully consider what personal data they will be processing, the sensitivity of this data and the security measures available to them in a specific setup.