New Delhi: The government is set to make it mandatory for automakers to put in place a cybersecurity management system in passenger and goods carriers to secure vehicles from cyberattacks.
The road transport and highways ministry has finalised draft automotive industry standards that seek to prevent vehicles from cyberattacks. It will notify these standards by early next month, a government official said on condition of anonymity.
As per the draft norms , all automakers will have to install a cyber security management system in the vehicles and submit a certificate of compliance to the government at the time of vehicle type approval.
The standards will apply to all M and N category vehicles, which include passenger vehicles and good carriers as well as tractors if they have even one electronic control unit.
“The enhanced need for cybersecurity for the automotive sector is being felt as most modern vehicles are equipped with advanced technologies such as autonomous driving, infotainment systems and connected services that make them highly prone to cyberattacks,” the official told ET.
According to the official, even electric vehicle charging stations could be susceptible to cyberattacks and cybersecurity incidents, owing to which there is a need to put in place standards to prevent them.
Possible cyber threats include hacking of back-end servers, spoofing of messages or data received by the vehicle, extraction and manipulation of vehicle data or code and manipulation of vehicle connectivity functions.
Road transport and highways minister Nitin Gadkari had told Parliament in March that the Indian Computer Emergency Response Team (CERT-In), which is mandated to track and monitor cybersecurity incidents in India, had received reports of vulnerabilities in products and applications related to electric vehicle charging stations and the government was taking steps to combat the issue of hacking.
The United Nations Economic Commission for Europe World Forum for Harmonization of Vehicle Regulations (WP.29) requires automotive manufacturers to establish cybersecurity measures to prevent cyber threats. This includes creating a management system, risk assessments and continuous monitoring against potential vulnerabilities and threats.
The government’s proposed move is in line with international standards laid out under WP.29 that requires all original equipment manufacturers and their supply chains to include multi-layered cybersecurity solutions to protect against current and future cyberattacks from July 2024.
Cyber protection is needed for vehicles in view of increased connectivity and use of software, according to industry experts.
Ravi Bhatia, president, JATO Dynamics India, an automotive data and consulting company, said over the past few years cars have changed from hardware-based to software-based, with enhanced connectivity to provide more comfort, convenience and safety. “However, this makes all our data vulnerable to hacking. Therefore, we need robust systems to ensure protection of data,” he said.
It is for the first time that standards are being introduced in India, more than two years after the United Nations introduced them in January 2021.
According to Bhatia, the move will lead to greater compliance on the part of OEMs (original equipment manufacturers). “OEMs will need to align their engineering hiring to meet the enhanced requirements and the higher costs will need to be passed on to customers, leading to enhanced manpower requirements for mechatronics and greater cost implications for end users,” he said.