Enhancing Global Collaboration for the Security of Connected Vehicles

Yueqiang Cheng, Director, Security Research, NIO

In an era of exponential growth in the global electric vehicle (EV) market, the need for alternative transportation options has soared, driving heightened attention to cybersecurity. While all vehicles, including internal combustion engines (ICE), possess inherent security risks, connected vehicles have emerged as prime targets for cyber attackers due to their access to valuable data and potential safety vulnerabilities within vehicle systems.

Fortunately, smart vehicles hold a distinct advantage in defending against cyber-attacks. These vehicles are meticulously designed and constructed with robust hardware and dedicated software, providing essential protection for vehicles and drivers. Addressing vehicle security threats necessitates comprehensive vulnerability and risk assessments, targeted security protection strategies, and the deployment of appropriate security solutions.

These measures encompass secure software development practices, network encryption, access control and authentication mechanisms, intrusion detection and prevention systems, and regular security audits and assessments.

The advanced research and development capabilities and cutting-edge electric vehicle systems, integrated with elevated security levels, safeguard EV users and associated products from cyber threats. 

Prompt and efficient responses are implemented in the face of cybersecurity risks or attacks, ensuring the protection of EV users' assets and personal safety.

International Collaboration and Certifications for Enhanced Security

The European Union mandates that only vehicles holding R155 CSMS and VTA model certifications are authorized for sale. NIO, having obtained the ISO/SAE 21434 CSMS certification, aligns with these requirements, guaranteeing the ongoing security of our products throughout their lifecycle, encompassing conception, design, development, testing, production, and post-production stages. NIO remains committed to delivering vehicles that adhere to the highest safety and security standards.

"Addressing vehicle security threats necessitates comprehensive vulnerability and risk assessments, targeted security protection strategies, and the deployment of appropriate security solutions." 

Compliance with the R155 regulation is significantly reinforced by the ISO21434 standard, which establishes a comprehensive framework for vehicle cybersecurity and related life cycle processes. As of July 2022, all newly introduced vehicle types in UN countries must possess R155 CSMS and R155 VTA certifications. The R155 VTA certification involves rigorous work item reviews for developing cybersecurity and ensuring the successful implementation of vehicle protection technologies and mechanisms.

Attaining R156 SUMS certification ensures alignment between vehicle design and software update processes. The Software Update Management System (SUMS) guarantees the security of vehicle software updates, eliminating threats throughout the update process and securing both the process and the software itself.

Ensuring Security through Public Key Infrastructure (PKI)

Cloud security is maintained through stringent access control policies, cloud firewalls, failover mechanisms, and off-site disaster recovery protocols. Onboard systems of vehicles are secured using VLAN networks, OBD firewalls, security over-the-air (OTA) measures, access control, and data security protection. Mobile phone endpoints are fortified through equipment certificates, reinforced application (APP) security, PIN code verification, and login defense systems. Communication channel security is achieved through APN network access, channel encryption, and other comprehensive security measures.

A secure cloud service center leverages Public Key Infrastructure (PKI) technology and digital certificates to provide system information security services and verify the identity of digital certificate holders. Meanwhile, an onboard IDS/IPS system ensures comprehensive monitoring and defense against cyber-attacks, while dedicated security diagnostic tools are employed for vehicle diagnostics.

Proactive Measures and Comprehensive Capabilities

Addressing these challenges proactively, NIO has independently developed various security systems, including a data security system, a secure cloud service center, a vehicle IDS/IPS system, and security diagnostic tools. The data security system protects sensitive data through desensitization processing, secure transmission, trusted computation/analysis, encrypted storage, and holistic lifecycle management.

NIO has cultivated various capabilities encompassing security technology, research, and development, automotive software, and hardware.