Qiyan Wang, VP of Engineering - Digital Systems and Yueqiang Cheng, Director, Principal Security Architect, Head of Security Research, NIO
In 2015, a WIRED reporter unraveled the tale of a life-threatening hack on a connected car. Although electric and connected vehicles have become more widely adopted, security concerns exist. Lately, there have been news stories of hacking, causing apprehension to current EV owners and unease for potential drivers. In 2020, researchers from the Southwest Research Institute in Texas successfully hacked North America's most popular charging system. Cyber vulnerabilities were found in six home EV chargers and a large public charging network.
As electric cars populate more cities, the need for more charging stations has emerged. However, this brings vulnerabilities to hacking and security concerns, as charging stations are potential targets because they are connected to the internet and communicate with cars. As a pioneer and leading manufacturer of premium smart electric vehicles, we have listed our users' concerns and implemented infrastructure to reduce security risks in the vehicles to protect our cars and users.
NIO is the first Chinese-headquartered company and one of the first few in the world to get WP29 R155 certification. The United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations awards this certification.
Protecting The Various Methods of Charging
For public charging stations provided by NIO or NIO's partners, once the auto-authentication and payment feature for charging is enabled, the vehicle signs a token and sends it, together with the vehicle identity, to the charging station. The charging station then forwards this data to the charging station cloud, which validates the signature and vehicle ID to triple confirm the authentication of this automatic charging request. This authentication design is already considered one of the international standard requirements.
The charging solution from NIO, including the publicly available stations and Power Home (the company's home charging station), offers multiple protection layers. Only authenticated cars know the hidden Wi-Fi in a Power Home, and each Wi-Fi has its unique password. NIO supplies a certificate-based mutual authentication scheme to authenticate the car and the charging station. Additionally, a cloud-based server issues a token signed by NIO's public key infrastructure (PKI), which is sent to the charging station through the car for further authentication.
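The cloud-side validation described for public charging can be sketched as follows. This is an added example, not NIO's code: the token fields, IDs, keys, freshness window and replay cache are assumptions, and HMAC-SHA256 with a per-vehicle key stands in for the vehicle's signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample data: per-vehicle keys known to the cloud (hypothetical IDs).
VEHICLE_KEYS = {"VEH-0001": b"constructed-demo-key-1",
                "VEH-0002": b"constructed-demo-key-2"}
MAX_AGE_S = 60        # assumed freshness window for a charging request
SEEN_NONCES = set()   # replay cache, kept in memory for the example


def mac_claims(key: bytes, claims: dict) -> str:
    """Stand-in signature: HMAC-SHA256 over a canonical JSON encoding."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def vehicle_sign(vehicle_id: str, station_id: str, nonce: str, issued_at: int) -> dict:
    """Vehicle side: build the token and sign it with the vehicle's key."""
    claims = {"vid": vehicle_id, "station": station_id,
              "nonce": nonce, "iat": issued_at}
    return {"claims": claims, "sig": mac_claims(VEHICLE_KEYS[vehicle_id], claims)}


def cloud_validate(claimed_vid: str, token: dict, from_station: str, now: int) -> str:
    """Cloud side: check what the station forwarded; return 'ok' or a reason."""
    claims = token["claims"]
    key = VEHICLE_KEYS.get(claimed_vid)
    if key is None:
        return "unknown vehicle"
    # Constant-time comparison of the recomputed and presented signatures.
    if not hmac.compare_digest(mac_claims(key, claims), token["sig"]):
        return "bad signature"
    # The signed vehicle ID must match the identity sent alongside the token.
    if claims["vid"] != claimed_vid:
        return "vehicle ID mismatch"
    # A token captured at one station must not be accepted from another.
    if claims["station"] != from_station:
        return "token bound to another station"
    if not 0 <= now - claims["iat"] <= MAX_AGE_S:
        return "stale token"
    if claims["nonce"] in SEEN_NONCES:
        return "replayed token"
    SEEN_NONCES.add(claims["nonce"])
    return "ok"
```

A design following the certificate-based scheme mentioned above would replace `mac_claims` with an asymmetric signature verified against the vehicle's certificate; the binding, freshness and replay checks stay the same.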
The Role of Hardware and System Design
NIO actively discovers, defends against, and protects against potential and existing threats and attacks. As a result, security is essential in hardware and system design. As a whole, the company is also actively building and improving the SDL platform to improve its code quality. Meanwhile, the organizational structure has grown to support emerging threats. For example, at NIO, we have emergency response systems and bug bounty programs that instantly use internal and external resources to respond to potential attacks and threats.
Enabling Security Through Convenience and Quick Addressability
NIO's award-winning Firmware Over The Air (FOTA) downloads data packets over a wireless network to update the system. NIO is the only car company that has developed a full end-to-end FOTA rollout entirely in-house. As a result, we were honored to receive the DEVIES Award 2021. Led by our commitment to our user enterprise, our FOTA can continuously upgrade the system, provide convenience and comfort to our users, fix security vulnerabilities, and improve the entire smart EV's security and practicality.
To minimize the cyber-attack risks of FOTA, NIO built its CodeSec platform. This checks the code quality, scans for security vulnerabilities, and runs fuzzing and penetration tests. In addition, NIO cooperates with universities to conduct formal verifications to ensure that the entire FOTA protocol has no bugs. Furthermore, the company builds a security platform with a private VPN to ensure safe communication. Also, it has a state-of-the-art operational system to respond to any problems and fix them immediately.
Improving the design and using hardware and system resources will be essential for security in smart vehicles. For example, NIO generally uses hardware as a Root of Trust (RoT) and accelerators to provide trusted environments. For system resources, NIO leverages these to build computing systems with data protection, access control, and threat detection & response, among others.
Making Security a Design Opportunity Through Artificial Intelligence
NIO promotes a philosophy of "phys-gital" interaction. To support it, NIO has incorporated the world's first in-vehicle artificial intelligence, called NOMI. NOMI serves a key role in that interaction by becoming the embodiment of tailored services that facilitate a greater emotional connection between users and their vehicles.
In addition, NOMI improves safety for driving and keeps up with users' driving status. For example, NOMI can give drivers a quick safety reminder when it detects user fatigue.
The AI technology engineered into NOMI allows it to learn user preferences over time to understand the specific context of the car and the owner/driver. Designed with a unique face-like interface that swivels and blinks its oval "eyes" to address each vehicle occupant directly, NOMI becomes a digital assistant that interacts with the driver, having "conversations" and tailoring itself to the driver's preferences.
Respecting Data Privacy and Collection
NIO always complies with each country's local regulations on security and AI data collection. NIO users authorize every instance of data collection, and drivers can cancel data authorization with system technical support. In cases where information is authorized, all collected data is only used to improve NOMI's accuracy and user experience.
Ensuring that information is secure and data is well protected is NIO's priority and has been since the beginning of the product design. NIO implements company-wide classified data protection. Any user-related information has the highest level of confidentiality. Risk analysis and improvements continue through the entire lifecycle. This spans information collection, transmission, usage, and processing through storage and destruction, so that data is appropriately protected in every online and offline scenario. NIO was honored as champion at the Information Security Challenge at WIDC in 2021.
An Electric Vehicle is More Secure
All vehicles, including internal combustion engine (ICE) vehicles propelled by gasoline, have potential security issues. Electric vehicles have many interfaces to interact with the outside environment, increasing security risks. However, smart cars have powerful modern hardware devices and software systems, which gives NIO enough space and the ability to deploy more advanced security defense mechanisms.
Challenges and opportunities coexist. All manufacturers need to constantly improve the design and make full use of hardware and system resources for a vehicle's security.
Security Led by a Focus on User Experience
At NIO, we are always guided, first and foremost, by the experiences of our users and their feedback and concerns. As we have extended our product offerings beyond our Chinese headquarters market, security and varying cultural norms toward it have also become more robust. In so doing, we have learned from and are humbled by security challenges and the need to address multiple systems and layers.