Analysis

Zero-Trust in the age of software-defined vehicles

Advancing cybersecurity in the automotive industry

As the automotive industry shifts toward software-defined features, cybersecurity strategies will become even more critical to identify, detect, and defend against cyberattacks. Learn how a Zero-Trust mindset can help automotive manufacturers incorporate cybersecurity into their software development life cycle and boost their organization’s resilience.

Evolving cybersecurity to keep up with expanding capabilities

In the past, vehicle manufacturers differentiated themselves with mechanical features such as performance and reliability. Today, consumers are increasingly looking for features defined by software, such as driver assistance features, personalized infotainment, real-time digital features and user-centered services.

As the focus of the whole industry expands from manufacturing vehicles to providing mobility services, the automotive technology stack is rapidly growing. Providing customizable mobility services is not possible with today’s coupled vehicle software and hardware architecture. Today’s automotive software development processes yield monolithic blocks of code that are built, tested, and then flashed into the electronic control units (ECUs) on the production line. Changing functionalities results in a tedious and costly process of reintegration, retesting, and reflashing for which today’s development cycle and production lines are not built.

Understanding the impact

Automotive service-oriented architecture (SOA) revolutionizes how vehicle software is built. SOA incorporates a group of components that act as middleware between applications and the operating system (OS). This middleware decouples the individual software components from the underlying hardware, enabling software portability inside a vehicle’s architecture. The adoption of a secure SOA framework will simplify the vehicle’s development process from concept through development to deployment and maintenance.

The move toward software-defined vehicles is enabling a wealth of safety, comfort, and convenience innovations—and the innovations don’t stop when those vehicles leave a dealership. Through over-the-air (OTA) updates, the software that runs the vehicle can continue to evolve and improve throughout its life cycle, continuously enhancing consumers’ digital experience for years to come. As original equipment manufacturers (OEMs) shift toward a software-defined architecture, cybersecurity strategies will become even more critical to identify, detect, and defend against cyberattacks. A Zero-Trust mindset enables organizations to incorporate cybersecurity into their software development life cycle and create systems with built-in cybersecurity.

Business drivers for Zero-Trust security

Complex Internet of Things (IoT) ecosystem: The increasingly global third-party landscape creates complexities as companies manage risks across a wide range of information and operational technology environments and expand to emerging markets or higher-risk geographies.

Interconnected ecosystem of mobility services: Organizations are continuing to expand not only the number of business operations that are outsourced, but also activities that are considered critical services, to provide customers with a leading experience and gain efficiencies and flexibility.

Increased complexity and frequency of cyberattacks: Data breaches are often a top concern for executives who worry about the security of highly confidential information. Increasingly, cybersecurity and cyber resilience are two of the top trending topics on board agendas.

Push toward software-defined transformation: Greater use of emerging technologies, such as cloud and machine learning, and of open-source software increases the surface area for potential vulnerabilities and the need to keep security at the heart of modernization.

Dissolving network perimeters: Organizations are moving to remote and virtual working models, increasing the need for transparent and strong approaches to identify, manage, and reduce risk. As automotive network perimeters continue to dissolve, trust should be established and constantly revalidated for each connection.

Brand, reputational, and regulatory concerns: Damage to an organization’s brand can cause as much financial setback as regulatory fines. The effort and cost of regaining customer trust and dealing with regulatory impacts after an incident can be mitigated with proactive security and privacy measures.

Automotive Zero-Trust security components

Mitigating the risks

Vehicle attacks now pose not only a cybersecurity risk but also an enterprise-wide risk, threatening business continuity and the operations of organizations. Therefore, to mitigate their effects, organizations should consider implementing solutions to enhance cyber resilience and remediate enterprise risk.

Deloitte combines industry-leading strategic advisory services with deep technical capabilities and managed services to help organizations design, implement, and operate advanced cyber and strategic risk programs that build resiliency, deepen trust, and fuel performance.

Our offerings for the automotive industry include:

  • Cybersecurity management systems
  • DevSecOps
  • Vehicle cybersecurity risk management
  • Software update management systems
  • Supplier cybersecurity management
  • Vehicle cybersecurity monitoring

