Today, the vehicles on our roads are equipped with a minimum of technologies – Bluetooth, GPS, Airbag, eCall emergency call in the event of an accident, remote control key and even an app that allows control of vehicle data and functions from a mobile device – and, if they are not cyber-secure, they are susceptible to being stolen or remotely manipulated – taking control of the steering or brakes – by someone with intent to harm, putting at risk the lives of the people on board; stealing the driver’s personal information – phone contacts and messages, location, photos, route being taken… -. And all of this, with the aim of spying, blackmailing, guiding the user to a dangerous destination… and, ultimately, attempting on his or her own life.
Since 2012 this has become a reality: cars have been remotely stolen , vehicles have been ‘hijacked’ for a bitcoin reward, drivers’ personal information has been accessed via Bluetooth while driving,
access to the interior of the vehicle has been blocked, cars have been recalled due to a cybersecurity flaw. This is one of the reasons why the UNECE – United Nations Economic Commission for Europe – has developed in record time a cybersecurity standard for vehicles: UNECE/R155, which establishes the minimum cybersecurity requirements that a vehicle must accomplish.
The EUROCYBCAR test and the European cybersecurity regulation UNECE/R155
EUROCYBCAR anticipated the regulation, creating the first test in the world that measures and evaluates the cybersecurity level of a vehicle, using the ESTP methodology and according to the requirements of the UNECE/R155. This regulation came into force in January 2021 and requires that cars, buses, trucks, vans, trailers and motorhomes that are homologated -from July 2022- and marketed -from July 2024- in the European Union and countries adhering to the regulation, such as Japan, South Korea, Russia, Australia or South Africa, must be cybersecure.
Although this regulation does not cover motorbikes, as the UNECE considers that they are not sufficiently connected, EUROCYBCAR has succeeded in demonstrating that UNECE/R155 will also have to include mopeds and motorbikes – vehicles of categories L1, L3 and L4 – as these vehicles are also connected and therefore susceptible to cyber-attacks.
The world’s first cyber-secure vehicle is a European-made motorbike
For the first time in history, a vehicle has passed the test that guarantees its status as a “cybersecure vehicle”: It is the NUUK Cargopro electric motorbike, which has obtained this accreditation after passing the EUROCYBCAR Test, in accordance with the requirements of the UNECE/R155 standard and according to the ESTP -EUROCYBCAR Standard Test Protocol- procedure and methodology, developed by EUROCYBCAR -a technology-based company established in Vitoria-Gasteiz, which identifies, evaluates and prevents risks affecting vehicle cybersecurity, fleet management systems and telecommunications infrastructures, in accordance with current regulations-.
In this scenario, the Basque firm NUUK Mobility Solutions (NMS) -which develops and markets intelligent light electric vehicles- becomes the first automotive firm in the world to offer one of its electric motorbike models with a Vehicle Cybersecurity certificate, according to the new European cybersecurity regulations. After passing the EUROCYBCAR cybersecurity test, AENOR will audit compliance and subsequently issue a certificate that will be valid for three years.
Vehicles that pass the EUROCYBCAR Test and obtain the certificate demonstrate that they implement effective means to minimize the risk of a cyber-attack against the privacy and lives of the people on board, as well as the integrity of the vehicle’s systems.
The EUROCYBCAR Test
To pass the test, the ESTP methodology is applied, subjecting the vehicle to three types of tests: physical access, remote access and applications, which are carried out in the technical laboratory that EUROCYBCAR has located in Vitoria-Gasteiz.
- Physical Access: it is checked, for example, whether a cybercriminal could manipulate – through the vehicle’s OBD port – the ABS, its brakes or its steering; or whether a virus could be introduced through the USB port that could paralyse the vehicle’s systems and put passengers’ lives at risk.
- Remote Access: wireless systems such as Bluetooth connection – which allows linking the mobile device to the vehicle to share its data -, Wi-Fi – which provides Internet connection to passengers’ mobile devices – or the keyless system – which, for example, allows unlocking or locking a car without using the key – are analysed to check whether the security of the vehicle or the users’ private data is at risk.
- Application testing: vulnerabilities of applications that are already integrated in the vehicle are assessed, as well as the official apps of the brand that the user downloads to his or her mobile phone. Some of these apps allow the user to control various vehicle parameters from their smartphone – such as turning on the heating before entering or starting the engine – or to access information stored in the vehicle – such as mileage, alert messages or the routes usually followed by the driver. This is obviously a danger if a cybercriminal manages to breach such applications, as they could access vehicle systems and even cause an accident.
The EUROCYBCAR test analyses up to 70 specific cybersecurity threats included in the stringent UNECE/R155 regulation.
TOWARDS CYBER-SECURE MOBILITY
- Ixone Busturia, Deputy Director of NUUK Mobility Solutions
“We are proud that NUUK is the first brand in the world to obtain the Vehicle Cybersecurity certificate issued by AENOR, according to the requirements of the UNECE/R155 standard”. And she assures that “it is an important milestone for the company that, as an agent for the transition to smart electric mobility, we are looking for secure solutions in all aspects and cybersecurity is a necessary requirement for our vehicles and systems”. Ixone emphasizes, above all, that “it gives us great peace of mind to have the knowledge of EUROCYBCAR which, for months, has tested and proposed improvements for NUUK to successfully reach this historic moment and, together, we are laying the foundations for a more cybersecure future for society. Furthermore -she adds- this project has had the support of the SPRI Group – Agencia Vasca de Desarrollo Empresarial (Basque Business Development Agency)- through the Industrial Cybersecurity 2021 programme”.
- Azucena Hernández, CEO of EUROCYBCAR
“It is an unprecedented milestone that EUROCYBCAR has been the first technology company to create and successfully apply its own methodology, unique in the world, to issue a Vehicle Cybersecurity certificate, according to the requirements of the UNECE/R155 standard. It is also an unprecedented milestone that NUUK, a motorbike brand from the Basque Country, Spain, is going to obtain the first Vehicle Cybersecurity certificate”. Azucena assures that “counting on AENOR, allows us to continue advancing and to take another step towards our objective of achieving cybersecure mobility so that drivers and passengers travel on board cybersecure vehicles, because their privacy is at stake, but, above all, their lives”. Rafael García Meiro, CEO of AENOR.
“For the development of technology and innovation, it is essential that there is confidence among all the parties involved; and especially among users that this innovation will respond to what is expected of it; this is the value of certification. AENOR is firmly committed to promoting innovation in Spain, both by creating and certifying benchmarks that favour it, and by supporting cutting-edge initiatives on a global scale, as in this case”.
- Estíbaliz Hernáez Laviña, Deputy Minister of Technology, Innovation and Digital Transformation of the Basque Government.
“We often talk about the importance of R+D+i for the strengthening and growth of the economy of a region or a country, so I am proud that two Basque companies, focused on innovation and led by women, are the protagonists of a historic moment for the mobility of Europe. The time has come to demonstrate the technological and innovative potential that we have in the Basque Country and that, of course, we will contribute to this important transition towards a new, more cyber-secure mobility”.
- Galo Gutiérrez-Monzonís, Managing Director for Industry and SMEs
“From the Ministry of Industry we are committed to supporting projects that can become a European benchmark in the new evolution of the mobility industry and, therefore, this year we have considered EUROCYBCAR worthy of funding from ENISA, through the programme aimed at Digital Entrepreneurs 2021”.
EUROCYBCAR S.L. is a technology company based in Vitoria-Gasteiz, Spain -under the umbrella of the Basque Cybersecurity Centre- that identifies, evaluates and prevents risks affecting vehicle cybersecurity, fleet management systems and telecommunications infrastructures.
It has developed and patented the EUROCYBCAR Test, the first test in the world which, using ESTP’s own methodology, measures the cybersecurity level of a vehicle according to UNECE/R155 requirements and taking into account ISO 21434. It also develops training actions on cybersecurity assessment methodologies, current regulations and other areas of cybersecurity applied to the automotive and mobility ecosystem. EUROCYBCAR’s objective is to work towards cyber-secure mobility.
NUUK Mobility Solutions is a startup located at Boroa-Amorebieta, in Bizkaia (North of Spain), dedicated to the commercialization of intelligent light electric mobility solutions. We offer vehicles with high performance, equivalent or superior to combustion models, and aimed at both a particular use and a professional (Cargo Line). Following the AENOR audit, the company has achieved the world’s first certificate with the new cybersecurity standard to be met by all vehicles traded in the EU since July 2024. NUUK Mobility Solutions has a wide network of strategic partners that allow most of the components used in its manufacture to originate in Europe and in European top-level companies. The design and development of all models is carried out in Bizkaia (Basque Country) while their assembly is carried out in the facilities of the Catalan manufacturer of motorcycles RIEJU.