
Proposed rule banning Chinese, Russian tech in vehicles could be major challenge for some OEMs
Announcements | International | Legal | Technology
Major vehicle manufacturers that have been reliant on Chinese or Russian technology may face considerable challenges if the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) moves forward with proposed rules to address connected vehicles, according to a Morgan Lewis report.
The BIS published a notice of proposed rulemaking (NPRM) on Sept. 23 outlining proposed rules to address national security risks associated with information and communications technology and services (ICTS) integral to connected vehicles designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of China and Russia.
“This rulemaking highlights the U.S. government’s concerns that user data collected by connected vehicles — including but not limited to sensitive data such as geolocation — could be exploited by certain countries for national security gain, similar to how smartphones and other connected devices are potential intelligence targets,” the report says.
The proposed rules were published following a March advanced notice of proposed rulemaking (ANPRM) that was issued under an Executive Order.
According to the report, the ANPRM received 57 comments from OEMs, component suppliers, foreign governments, nonprofit organizations, and individuals.
A further comment period remains open until Oct. 28, the report says. It expects BIS to finalize the rules, which would take effect 60 days after publication in the Federal Register.
“The draft rules identify significant cybersecurity and national security risks in the connected vehicle supply chain due to certain foreign countries’ ability to access sensitive data or introduce vulnerabilities into US infrastructure,” the report says. “These concerns are particularly acute given the integration of Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS) in modern vehicles, and as such the proposed rules target VCS and ADS that are designed, developed, manufactured, or supplied by persons owned or controlled by certain foreign countries, currently scoped to include the People’s Republic of China (PRC or China) and Russia.”
The BIS previously identified six systems but reduced its focus to only VCS and ADS, the report says.
“BIS ultimately chose to subject only VCS and ADS to the proposed regulations, explaining that this deliberate choice was being made to strike a balance between minimizing supply chain disruptions and addressing the national security risks by focusing on those systems that most directly facilitate the transmission of data both to and from the vehicle, rather than focusing on all systems,” according to the report.
VCS hardware is defined as software-enabled or programmable components and subcomponents that support the function of VCS or are part of an item that supports the function of the VCS. This could include a microcontroller, microcomputers or modules, systems on a chip, networking or telematics units, cellular modem/modules, WiFi microcontrollers or modules, Bluetooth microcontrollers or modules, satellite navigation systems, satellite communication systems, other wireless communication microcontrollers or modules, and external antennas.
ADS is defined as hardware and software capable of performing the entire dynamic driving task for completed connected vehicles. BIS defines ADS to correspond to automation Levels 3, 4, and 5.
Manufacturers and importers would have until model year 2027 to comply with the software prohibitions and until model year 2030 for hardware. Vehicles produced before those deadlines would be exempt.
“To ensure they do not inadvertently engage in prohibited transactions, these companies will likely need to overhaul their compliance systems, conducting deep supplier audits with a specific focus on VCS and ADS,” the report says. “This could also mean rethinking sourcing strategies, especially for key components such as connectivity and ADS systems. Suppliers of microcontrollers, software, sensors, and telecommunications equipment that incorporate such technology will need to diversify their sourcing or invest in developing alternative technologies, all of which could significantly reshape their supply chain.”
According to JD Supra, violations for not following the proposed rule carry a maximum civil penalty per violation of $368,136 and a maximum criminal penalty of $1 million.
Separately, a recent white paper by Leddar Tech explores the need for cybersecurity in advanced driver assistance systems (ADAS).
“A modern car runs on over 100 million lines of code and 250 GB of data flowing through its system,” the whitepaper says. “It contains more than 1,500 wires stretching for miles. In comparison, vehicles produced in the early 2000s had significantly fewer software components and wiring, and those from the 1970s had even less.”
The automotive industry has unique challenges not typically encountered by many software-based products, the paper says. Automakers must comply with stringent safety requirements and integrate multiple systems from third-party suppliers.
“Exceptional cybersecurity is crucial for automakers to successfully deploy SDVs [software-defined vehicles],” the paper says.
A relay attack is one prevalent method of car theft, the paper says. In a relay attack, thieves use handheld radio relays to extend the communication range between the car and its key.
“They first use one relay to capture the car’s signal and transmit it to a second relay placed near the key, which is typically kept in a home,” the paper says. “This second relay then sends the signal back to the car, causing it to unlock. The thieves can then steal the vehicle. As awareness of this method grew, car owners began storing their keys in metal boxes to block the signal. In response, thieves have developed new techniques.”
Smart keys have mitigated theft in more modern vehicles, the paper says. The smart key exchanges cryptographic messages with the vehicle.
“When the vehicle requests authentication from the key, it requires a valid cryptographic response to unlock the car and disable the engine immobilizer,” the paper says. “This advanced security measure helps to prevent unauthorized access and theft.”
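The challenge-response exchange the paper describes, and why a relay defeats it, as an added example (this is not code from the paper or from any vehicle maker): the car and key share a secret, the car issues a fresh random challenge per unlock attempt, and the key answers with an HMAC over it. The simulation shows that a recorded response fails against a new challenge, but a relayed live response is accepted because every byte is genuine and only the distance has changed. The round-trip-time bound in the last scenario is one mitigation the paper does not discuss; the secret, the RTT figures and the HMAC-SHA256 construction are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Secret shared by the vehicle and its key, provisioned at manufacture.
// Constructed value for this example only.
var fobSecret = []byte("example-fob-secret-0123456789abcdef")

// Round-trip times as the vehicle would measure them (assumed figures):
// a key within a few metres answers almost at once; a relay pair adds
// radio hops and processing delay on top.
const (
	nearRTT  = 2 * time.Millisecond
	relayRTT = nearRTT + 40*time.Millisecond
)

// KeyFob answers every challenge it hears; it cannot tell whether the
// challenge came from the car beside it or from a relay held at the window.
type KeyFob struct{ secret []byte }

func (k KeyFob) Respond(challenge []byte) []byte {
	mac := hmac.New(sha256.New, k.secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// Vehicle issues a fresh random challenge per attempt and accepts only a
// response bound to that challenge. maxRTT == 0 disables the distance bound.
type Vehicle struct {
	secret  []byte
	pending []byte
	maxRTT  time.Duration
}

func (v *Vehicle) Challenge() []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	v.pending = nonce
	return nonce
}

// Verify consumes the outstanding challenge whether or not resp is valid,
// so a recorded response is useless against any later challenge.
func (v *Vehicle) Verify(resp []byte, roundTrip time.Duration) bool {
	if v.pending == nil {
		return false
	}
	expected := KeyFob{v.secret}.Respond(v.pending)
	v.pending = nil
	if !hmac.Equal(expected, resp) {
		return false
	}
	return v.maxRTT == 0 || roundTrip <= v.maxRTT
}

// LegitimateUnlock: the key is next to the car.
func LegitimateUnlock(v *Vehicle, k KeyFob) bool {
	return v.Verify(k.Respond(v.Challenge()), nearRTT)
}

// ReplayAttempt: the thief recorded a genuine response earlier and plays it
// back when the car issues a new challenge.
func ReplayAttempt(v *Vehicle, k KeyFob) bool {
	recorded := k.Respond(v.Challenge()) // earlier session, observed by the thief
	v.Challenge()                        // thief returns later; car issues a new nonce
	return v.Verify(recorded, nearRTT)
}

// RelayAttempt: relay 1 at the car forwards the live challenge to relay 2 at
// the house; the key answers; the answer travels back the same way.
func RelayAttempt(v *Vehicle, k KeyFob) bool {
	challenge := v.Challenge()
	forwarded := append([]byte(nil), challenge...) // car -> relay 1 -> relay 2 -> key
	answer := k.Respond(forwarded)                 // key believes the car is nearby
	returned := append([]byte(nil), answer...)     // key -> relay 2 -> relay 1 -> car
	return v.Verify(returned, relayRTT)
}

func main() {
	key := KeyFob{fobSecret}
	cryptoOnly := &Vehicle{secret: fobSecret}
	bounded := &Vehicle{secret: fobSecret, maxRTT: 10 * time.Millisecond}
	fmt.Println("crypto only: legit", LegitimateUnlock(cryptoOnly, key),
		"replay", ReplayAttempt(cryptoOnly, key), "relay", RelayAttempt(cryptoOnly, key))
	fmt.Println("with RTT bound: legit", LegitimateUnlock(bounded, key),
		"relay", RelayAttempt(bounded, key))
}
```

The point of the simulation is that the cryptography is doing exactly what it should: the relay never forges or replays anything, it only moves genuine radio traffic further than the designers expected. Defences therefore have to measure distance or time (as in the assumed RTT bound), or require a deliberate action such as motion sensing in the key, rather than strengthen the MAC.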
Thieves have responded by using Controller Area Network (CAN) injection, according to the paper. CAN is a communication protocol that lets the various electronic control units (ECUs) in a vehicle exchange messages over a shared bus.
“CAN injection works as follows: Thieves gain access to the car’s internal communication system, the CAN bus, and transmit fake messages that mimic those sent by the smart key,” the paper says. “These false messages unlock the vehicle and disable the engine immobilizer. Most cars today do not verify the authenticity of internal CAN bus messages, allowing the vehicle to be stolen.”
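The receiver behaviour the paper describes, beside an authenticated one, as an added example (not code from the paper or from any ECU vendor): the first function accepts any frame with the expected identifier and command byte, so an injected frame unlocks the doors; the second lays out the 8-byte payload like an AUTOSAR SecOC secured PDU, with a truncated freshness counter and a truncated MAC, and rejects injected, forged and replayed frames. The identifier 0x1A0, the payload layout and the key are constructed for this example, and HMAC-SHA256 stands in for the AES-CMAC an automotive HSM would normally compute.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Frame is a classic CAN data frame: 11-bit identifier and up to 8 data bytes.
type Frame struct {
	ID   uint16
	Data []byte
}

// Constructed for this example: the identifier the body control module (BCM)
// treats as a door command, with Data[0] == 0x01 meaning "unlock".
const unlockID = 0x1A0

// UnlockUnauthenticated is the receiver the paper describes: it acts on any
// frame with the right identifier and command byte. Nothing in the frame says
// which ECU, or which thief's device, put it on the bus.
func UnlockUnauthenticated(f Frame) bool {
	return f.ID == unlockID && len(f.Data) >= 1 && f.Data[0] == 0x01
}

// Authenticated variant, laid out like a SecOC secured PDU within the 8-byte
// payload (layout and key are assumptions for this example):
//   Data[0:4]  command and arguments
//   Data[4]    low 8 bits of a monotonically increasing freshness counter
//   Data[5:8]  24-bit truncated MAC over (ID || full 32-bit counter || command)
var secOCKey = []byte("example-secoc-key-0123456789abcdef")

// tag computes the truncated MAC. HMAC-SHA256 stands in for AES-CMAC here.
func tag(id uint16, counter uint32, cmd []byte) []byte {
	m := hmac.New(sha256.New, secOCKey)
	var hdr [6]byte
	binary.BigEndian.PutUint16(hdr[0:2], id)
	binary.BigEndian.PutUint32(hdr[2:6], counter)
	m.Write(hdr[:])
	m.Write(cmd)
	return m.Sum(nil)[:3]
}

// Sender is a genuine ECU that holds the key and its own counter.
type Sender struct{ counter uint32 }

func (s *Sender) Build(id uint16, cmd [4]byte) Frame {
	s.counter++
	data := make([]byte, 8)
	copy(data[0:4], cmd[:])
	data[4] = byte(s.counter)
	copy(data[5:8], tag(id, s.counter, cmd[:]))
	return Frame{ID: id, Data: data}
}

// Receiver is the BCM with MAC and freshness checks; lastCounter advances
// only on frames that verify, so rejected frames cannot move it.
type Receiver struct{ lastCounter uint32 }

// Accept reports whether f is an authentic, fresh unlock command.
func (r *Receiver) Accept(f Frame) bool {
	if f.ID != unlockID || len(f.Data) != 8 {
		return false
	}
	cmd, trunc, mac := f.Data[0:4], uint32(f.Data[4]), f.Data[5:8]
	// Rebuild the full counter from the 8 transmitted bits and local state;
	// it must be strictly greater than the last accepted value, so a replayed
	// frame resolves to a counter the MAC was never computed over.
	candidate := (r.lastCounter &^ 0xFF) | trunc
	if candidate <= r.lastCounter {
		candidate += 0x100
	}
	if !hmac.Equal(mac, tag(f.ID, candidate, cmd)) {
		return false
	}
	r.lastCounter = candidate
	return cmd[0] == 0x01
}

func main() {
	injected := Frame{ID: unlockID, Data: []byte{0x01}} // what a CAN injector sends
	fmt.Println("unauthenticated BCM unlocks on injected frame:", UnlockUnauthenticated(injected))
	s, r := &Sender{}, &Receiver{}
	genuine := s.Build(unlockID, [4]byte{0x01})
	fmt.Println("authenticated BCM: genuine", r.Accept(genuine),
		"replay", r.Accept(genuine), "injected", r.Accept(injected))
}
```

Two practical caveats follow from the layout. Truncating the counter to 8 bits means a receiver that misses more than 255 consecutive frames can no longer resynchronise and needs a resync mechanism; and the MAC only authenticates the sender, it does not encrypt the command, so an attacker on the bus can still read and jam traffic even when injection no longer works.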
Cybersecurity breaches can also lead to accidents, unauthorized surveillance, and data breaches, the paper says.
“Most vehicles today are equipped with cameras, often multiple,” the paper says. “As vehicles navigate roads and travel from point A to point B, they capture images of people’s faces. Ensuring that cars are not used for surveillance and protecting individuals’ privacy and data are also key concerns for all stakeholders.”
The paper also outlines concerns about the lack of cybersecurity in ADAS and autonomous driving (AD) systems. It says such gaps can result in loss of vehicle control, incorrect navigation, occupants trapped inside the vehicle, or accidents.
“To ensure that present and future vehicles are secure, the automotive industry has adopted standards and processes designed to manufacture products that are safe, secure, and reliable,” the paper says.
These standards include:
- “ISO 26262 – Automotive Functional Safety (FuSA): FuSA is a comprehensive approach to ensuring the electronic safety of vehicles. It aims to protect drivers, passengers, and vulnerable road users (VRUs), including pedestrians, cyclists, motorcyclists and others, from injuries caused by faults in vehicle electronics and software.
- ISO 21448 – Safety of the Intended Functionality (SOTIF): SOTIF focuses on eliminating unreasonable risks caused by hazards resulting from functional inadequacies of the intended functionality or foreseeable misuse by individuals. ISO 21448 provides guidelines to help achieve this level of safety.
- ISO 21434 – Automotive Cybersecurity: This standard provides guidelines to enhance cybersecurity within the automotive industry and addresses issues such as organizational and project-based cybersecurity management; managing cybersecurity with suppliers; cybersecurity throughout the product concept, development, and production phases; and incident response, threat analysis, and risk assessment.
- IATF 16949 – International Automotive Task Force: The IATF 16949 is an automotive quality management system standard focused on continual improvement. It emphasizes defect prevention and the reduction of variation in the automotive supply chain and assembly processes.”
The white paper says ISO 21434 offers the most comprehensive set of guidelines for enhancing vehicle cybersecurity. It covers everything from design and development to production and maintenance.
“This standard applies to various subsystems within the vehicle, including connected vehicles, electronic systems, software, ADAS, and AD, among others,” the paper says. “It provides developers with the necessary knowledge to integrate cybersecurity measures throughout the development cycle and across the supply chain.”
The paper outlines types of risks that could impact particular ADAS systems. One example is vehicle-to-everything (V2X) communication, which is vulnerable to man-in-the-middle attacks, spoofing, and jamming; attackers could feed false information to sensors, leading to incorrect decisions.
Without proper security, over-the-air (OTA) updates could be intercepted, modified, or corrupted, the paper says. It also says secure boot mechanisms are needed to prevent malicious code from being executed within the vehicle’s systems.
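How signed updates and secure boot fit together, as an added example (not code from the paper or from any OEM's bootloader): the vendor signs a small manifest (version plus SHA-256 of the image) with an Ed25519 key, and the bootloader, holding only the public key, refuses to run an image whose manifest signature fails, whose hash does not match the manifest, or whose version is older than the one installed. The manifest layout is an assumption for this example, and the keys are generated in-process whereas a real root of trust keeps the public key in ROM or OTP and the private key in the OEM's signing service.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Manifest describes one firmware image. Its signed form is
// version (4 bytes, big-endian) || SHA-256(image); this layout is an
// assumption for the example, not any vendor's format.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

func (m Manifest) signedBytes() []byte {
	b := make([]byte, 4, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.ImageHash[:]...)
}

// NewVendorKeys generates the release-signing pair. In practice the private
// half lives in the OEM's signing service and the public half is burned into
// the ECU's ROM or OTP; here both are generated in-process for the example.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRelease is the vendor-side step: hash the image, sign the manifest.
func SignRelease(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Bootloader is the vehicle-side root of trust: the vendor public key and the
// version currently installed (for anti-rollback), both in protected storage.
type Bootloader struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

// Boot decides whether image may execute. Order matters: the signature is
// checked first so nothing derived from an unverified manifest is trusted.
func (b *Bootloader) Boot(m Manifest, image []byte) (bool, string) {
	if !ed25519.Verify(b.VendorPub, m.signedBytes(), m.Signature) {
		return false, "manifest signature invalid"
	}
	if h := sha256.Sum256(image); !bytes.Equal(h[:], m.ImageHash[:]) {
		return false, "image hash does not match signed manifest"
	}
	if m.Version < b.InstalledVersion {
		return false, "rollback to older version refused"
	}
	b.InstalledVersion = m.Version
	return true, "ok"
}

func main() {
	pub, priv := NewVendorKeys()
	bl := &Bootloader{VendorPub: pub, InstalledVersion: 3}
	image := []byte("constructed firmware image, version 4")
	m := SignRelease(priv, 4, image)

	ok, why := bl.Boot(m, image)
	fmt.Println("genuine update:", ok, why)

	tampered := append([]byte(nil), image...) // modified in transit
	tampered[0] ^= 0xFF
	ok, why = bl.Boot(m, tampered)
	fmt.Println("tampered image:", ok, why)

	_, attacker := NewVendorKeys() // signed with a key the ROM does not trust
	ok, why = bl.Boot(SignRelease(attacker, 5, image), image)
	fmt.Println("foreign signature:", ok, why)

	ok, why = bl.Boot(SignRelease(priv, 2, image), image) // old but genuine release
	fmt.Println("rollback:", ok, why)
}
```

The same check runs at two points: when the OTA client receives the package (so a modified download is discarded before it is written to flash) and again at every boot (so a flash image altered by any other route is never executed). The rollback rule is what stops an attacker from legitimately "updating" a car to an older, vulnerable release that the vendor once signed.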
“Cybersecurity is fundamental for ADAS-enabled vehicles as it directly affects safety, reliability, and regulatory compliance,” the paper says. “Cyberattacks on these systems could lead to unauthorized control of crucial functions such as steering, braking or acceleration, posing significant risks to the driver, passengers and others on the road. Implementing robust cybersecurity measures contributes to maintaining the reliability of ADAS features, which is key to building public trust and encouraging user acceptance.”
Photo courtesy of metamorworks/iStock