The U.S., EU and China have issued stringent regulations that require automotive and medical device manufacturers to secure their products against cyber attacks. David Barzilai of Karamba Security explores how seemingly disparate industries overlap when it comes to consumer cybersecurity.
Though it may not seem entirely obvious, a fine line connects the cars we drive and medical devices we use. Both run critical applications and are often connected to the internet. Both are, as a result, exposed to cyber attacks that could compromise consumer safety and privacy.
These are not theoretical risks: Bluetooth vulnerabilities have exposed millions of vehicle users to cyberattacks; a 19-year-old remotely infiltrated 25 Tesla vehicles in 13 countries, switching their engines on and off; Medtronic insulin pumps were hacked remotely by white-hat researchers; and the FDA recalled 500,000 Abbott pacemakers due to a security vulnerability that could have been used to drain their batteries.
It’s reasonable to assume that such customer safety and brand risks would drive medical device and automotive manufacturers to proactively harden their products and improve their security posture against cyber risks, but that’s not the case. That’s one reason why regulators around the globe have taken action.
Global standards and regulations
Over the past several years, multiple international bodies have sought to establish standards and regulations regarding cybersecurity of both medical devices and automobiles:
- United Nations Economic Commission for Europe: UNECE’s regulation (R155), which went into effect in 2022, requires automotive manufacturers to prove to an authorized third-party auditor that their vehicle software has gone through rigorous cybersecurity measures during development and after production.
- International Organization for Standardization: In 2021, this group, along with SAE International, ratified ISO/SAE 21434, which details the steps and work products original equipment manufacturers (OEMs) and Tier 1 suppliers must take and document in order to conform to the UN’s R155 regulation.
- China: Just this year, China passed a requirement that OEMs and suppliers prove the vehicles they want to sell are protected from various types of cyber attacks.
- U.S.: Later this year, the FDA will begin refusing new medical devices for cybersecurity reasons. Starting Oct. 1, the agency will reject applications that lack evidence of cybersecurity best practices being used in the software development lifecycle and lifelong support policies.
Common threads
Though they target different types of products, these regulations have several features in common:
- Manufacturers must document and prove the cybersecurity posture of their vehicles or medical devices.
- A failure to prove such posture (i.e. putting customers at risk) would severely affect manufacturers’ business plans, as they are not allowed to sell their products until they remediate the security gaps.
- Manufacturers’ responsibility for customer safety doesn’t stop at product release. They must track new vulnerabilities as they are reported throughout the service life of their products and are responsible for patching their devices in a timely manner so that newly reported critical vulnerabilities cannot be exploited.
Industry challenges
The requirement to meet these cybersecurity regulations and standards has created business challenges for automotive and medical device manufacturers. Without implementing cybersecurity best practices as part of their software-development lifecycles, they can’t sell their products. But implementing those processes and security controls may delay time to market and/or increase the cost of manufacturing the products.