“Human life is involved, so cybersecurity is our top priority,” said Kevin Tierney, General Motors’ vice president for global cybersecurity. The company, which has 90 engineers working full time on cybersecurity, practices what it calls “defense in depth,” removing unneeded software and creating rules that allow vehicle systems to communicate with one another only when necessary.
It’s a practice also followed by Volkswagen, said Maj-Britt Peters, a spokeswoman for the company’s software and technology group. She noted that Volkswagen’s sensitive vehicle control systems are kept in separate domains.
Continental, a major supplier of electronic parts to automakers, employs an intrusion detection and prevention system to thwart attacks. “If the throttle position sensor is talking to the airbag, that is not planned,” Mr. Smoly said. “We can stop this, but we wouldn’t do so while the vehicle was moving.”
Still, determined hackers will eventually find a way in. To date, vehicle cybersecurity has been a patchwork effort, with no international standards or regulations. But that is about to change.
This year, a United Nations regulation on vehicle cybersecurity came into force, obligating manufacturers to perform various risk assessments and report on intrusion attempts to certify cybersecurity readiness. The regulation will take effect for all vehicles sold in Europe from July 2024 and in Japan and South Korea in 2022.
While the United States is not among the 54 signatories, vehicles sold in America aren’t likely to be built to meet different cybersecurity standards from those in cars sold elsewhere, and vice versa. “The U.N. regulation is a global standard, and we have to meet global standards,” Mr. Tierney of G.M. said.