The European cybersecurity agency ENISA is putting together a team of experts to start working on connected cars next year.
Following the high-profile experimental hacking of a Jeep this summer in the US, ENISA is beefing up its research staff to focus on security and the Internet of Things, including technologies that connect cars, homes and energy supplies to the internet.
ENISA plans to start meetings early next year with car manufacturers, suppliers of software for cars and national agencies responsible for cybersecurity. ENISA director Udo Helmbrecht told EURACTIV that the agency will first draft security recommendations aimed at manufacturers and may put together suggestions for legislation on connected cars in 2017.
The EU agency’s new research on security and connected cars comes at a time when European manufacturers are stepping up their use of software for various functions in cars. At the Frankfurt Auto Show last month, the European Automobile Manufacturers’ Association teamed up with telecommunications companies and pledged to work together on cars and internet connectivity, and deliver results to the European Commission next year.
ENISA’s staff increase to focus on the Internet of Things means the agency will slash its budget in other areas, cutting expenses paid to external experts in order to make room for nine or ten new staff researchers.
EURACTIV previously reported on ENISA’s staff shortage and struggles to research new cybersecurity threats on a small budget that hasn’t changed in years. As of July, ENISA had no researchers working on security and the Internet of Things.
According to Helmbrecht, ENISA started planning its expansion early last year, before journalists hacked a Jeep in July and raised concerns about the security of connected cars.
Helmbrecht told EURACTIV that with the auto manufacturers and other industries that predate new software, there’s a tendency to neglect IT security.
“What we’ll see in the next couple of years is that a lot of available technology, because it’s cheap and can be used in business models, will also move into cars. The challenge is if you have new technologies in old infrastructures, a lot of people don’t think of IT security from the beginning,” he said.
“In the past you could take a knife and cut the brakes. But today you can hack a car remotely with a PC like you can hack an online store or a bank account,” Helmbrecht added.
“This is the challenge of opening the car to this new infrastructure and to the internet between cars. You get all the threats we know in other sectors coming into this sector.”
Helmbrecht said BMW has already agreed to work with ENISA on connected cars. The agency wants to add a handful of other auto manufacturers to the group before meetings start next year.
ENISA’s work with national agencies and car manufacturers will be selective and include representatives only from EU member states where there are car companies and dedicated cybersecurity agencies, according to Helmbrecht.
“If you look at Germany, you have the big BSI (Federal Office for Information Security) with 500-600 people and the strong car manufacturing industry, which is a priority for the government. It’s logical that they start working together,” Helmbrecht said.
Paul Timmers, director of DG CONNECT’s Sustainable and Secure Society unit, said last month that DG MOVE and DG CONNECT are both working on legislation to address security in connected cars.