NIS Cooperation Group – Risk assessment on Connected and Automated Vehicles

26 March 2026

The Network and Information Systems (NIS) Cooperation Group, in cooperation with the European Commission and ENISA, released the “NIS Cooperation Group – Risk assessment on Connected and Automated Vehicles,” a coordinated Union-level security risk assessment of connected and automated vehicles (CAVs) and their supply chains carried out under Article 22 of the NIS2 Directive.

The report has identified and analysed 107 risks associated with Connected and Automated Vehicles, among which 14 are highlighted as top risks. For these key risks, the document reviews related incidents, relevant scientific literature and existing mitigation measures.

According to the assessment, vehicle control systems as well as processing and decision-making systems are particularly critical asset groups. Attacks on such assets could have substantial consequences, such as loss of life and significant material damage.

Other critical assets include communication and connectivity systems, and cloud backend systems, which constitute typical vectors of attack, mostly because of their public-facing interfaces. The sensitive data accessible via these systems also calls for stringent protection against loss. Lack of cybersecurity in charging infrastructure has also been indicated as an additional concern.

According to the assessment, the EU’s current type-approval rules address several of these risks, but they are not able to cover them all. The type-approval regime was mainly created to ensure traffic safety and does not sufficiently mitigate such risks. Research indicates that CAVs can be hacked through various pathways that can lead to the full remote takeover of vehicles or the leaking of large amounts of highly sensitive data. Also, high-risk suppliers might be subjected to pressure to implement hidden and malicious hardware or software, updates or configurations, or even to change the functioning of in-vehicle automated driving systems. As a result, both known and hidden direct access pathways to the vehicle could become attack vectors, effectively bypassing many of the controls mandated by the type-approval regulation.

The Consulting group therefore recommends (1) that the Commission, together with the Member States, identify proportionate measures to de-risk EU supply chains from high-risk suppliers, especially where it pertains to processing and decision-making systems, communication and connectivity systems, and vehicle control systems that can receive remote updates, and (2) that Member States have national policies and/or regulations in place in order to take decisions to restrict or exclude high-risk suppliers from supply chains identified as critical. It also suggests the implementation of follow-up research to assess the impact of cyberattacks on charging infrastructure on the wider energy grid.


Source: The original article was published here.