Cyber Security for Connected and Automated Vehicles

We are hearing more and more stories in the news that the next generation of connected and autonomous vehicles is right around the corner. The benefits these vehicles could bring to society are very attractive: greater economy, increased safety and reductions in congestion are just a few of the things we could look forward to.

In some ways, this is an evolutionary step, as many vehicles on sale today already have some degree of autonomy and connectivity. Features like adaptive cruise control, low-speed autobraking for collision avoidance, lane-keeping steering assistance, GPS rerouting if congestion is detected ahead, and auto-dialling the emergency services if a collision occurs are present in many cars but often have to be enabled by the driver.

The big leap (that is always just around the corner) is entrusting all of these systems to the control and oversight of the vehicle without human input. There is still a big difference between the driver enabling the car to control following distance and braking on a motorway and disabling it on the back roads, and the driver sitting back, selecting a destination and letting the CPU determine the best route, speed limit, traffic density, weather, road type etc. and deliver you there safely.

As if that weren’t enough, the connected vehicles of the future will all be intercommunicating with their immediate neighbours to share local information, plus communicating back to central servers with position and diagnostic data.

Many people are focussing on the various challenges that this will bring in terms of computing power and wireless connectivity, not to mention the legislative and insurance minefield. But there are also growing concerns about the cyber security of vehicles that are highly connected and fully reliant on the onboard computer systems for correct and safe operation.

The UK government has recently released a paper entitled ‘The Key Principles of Cyber Security for Connected and Automated Vehicles’.

The document is intended as a starting point to ensure that the relevant requirements of cyber security are addressed right from the beginning of the development of these new vehicles. It lists 8 key principles. The detail may be specific to the auto industry, but the overarching principles are good sense for all industries to follow:

  1. organisational security is owned, governed and promoted at board level
  2. security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
  3. organisations need product aftercare and incident response to ensure systems are secure over their lifetime
  4. all organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system
  5. systems are designed using a defence-in-depth approach
  6. the security of all software is managed throughout its lifetime
  7. the storage and transmission of data is secure and can be controlled
  8. the system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail

The government rightly considers the connected and automated vehicle space to be a key part of the national infrastructure, and holds that everyone from the systems designers to the executive board should understand the requirement for good cyber hygiene.

Whether you are from the automotive sector or another industry vertical, if you would like to see how Regency’s security consultancy can help you understand and implement these security principles, then call our office on 01242 225699 or email us at


The government’s publication page for the document can be found here