Cybellum and the Automotive Security Research Group (ASRG) released a report outlining the results of a joint survey conducted among top global OEMs and Tier-1-2 suppliers to assess how the automotive industry currently handles vulnerability management.
“With UNECE WP.29 R155 enforcement fast approaching in Japan, South Korea and the EU, and ISO/SAE 21434 just officially released, it is concerning to find that about 30% of respondents have not started preparing for these new cybersecurity requirements and only 6% are fully prepared,” said John Heldreth, founder of ASRG. “As of 2022, automotive cybersecurity will no longer be a best-practice, but rather mandated and enforced – the industry must shift gears and ready itself for this new era.”
According to the report, automotive players are not ready for the upcoming regulation and are lagging behind the IT security practices in their own organizations. Some of the key findings include:
- 63% of respondents haven’t automated any aspect of their vulnerability management process
- 65% consider timely assessment of new vulnerabilities to be a growing challenge
- 43% note manual processes as the reason behind lengthy security assessments while 42% cite lack of coordination along the supply chain as a hurdle for timely assessments
- 74% prioritize vulnerability management solutions that automate post-production continuous monitoring
- Only 6% are fully ready for the upcoming UNECE WP.29 R155 regulation
“The continued rise in automotive cyber risk and regulatory requirements developed in response require that the automotive industry – one whose core operations haven’t changed much over the last few decades – rethink its approach to vulnerability management,” noted Slava Bronfman, CEO of Cybellum. “Manual processes deemed sufficient in the past will not be good enough. The survey shows this is a major concern of OEMs and their suppliers – Automation of product security assessments and post-production security operations is needed to scale vulnerability management in light of new challenges.”
The Cybellum/ASRG report covers a wide range of issues relevant to automotive cybersecurity and vulnerability management, from current levels of preparedness for the regulations, to the average time to fix vulnerabilities, to vulnerability management use cases.