EU Coordinated Risk Assessment on CAVs

20 March 2026

This is a coordinated Union-level security risk assessment of connected and automated vehicles (CAVs) and their supply chains, carried out under Article 22 of the NIS2 Directive by the Network and Information Systems (NIS) Cooperation Group in cooperation with the European Commission and ENISA. The primary objective of this report is to provide a comprehensive overview of the cybersecurity risks and their consequences, as well as the mitigating measures which are considered necessary to efficiently address them.
As digitalisation and connectivity spread through the automotive sector, CAVs are increasingly being used in the EU. CAVs offer numerous potential benefits, including improved road safety by reducing human error and their contribution to environmental sustainability through more efficient driving patterns and reduced emissions.
However, CAVs also come with new and significant cybersecurity risks. CAVs process troves of personal and sensitive data, making them potential targets or vectors for surveillance and espionage and possibly even allowing for their weaponisation.
Member States, the Commission and ENISA identified and assessed 107 risks associated with CAVs, of which 14 are identified as top risks. The assessment expounds on each risk, reviewing related incidents, existing scientific literature and existing measures in place for each of the top-ranking risks.
The assessment identifies vehicle control systems and processing and decision-making systems as particularly critical asset groups. Attacks on these asset groups are linked to severe consequences, including loss of life and significant material damage. Communication and connectivity systems, as well as cloud and backend systems, are also identified as critical asset groups as they constitute typical vectors of attack, in large part due to their public-facing interfaces. Additionally, these systems contain troves of sensitive data which require stringent protection against loss. Furthermore, experts identified the lack of cybersecurity in charging infrastructure as an additional concern.