Modelling cybersecurity regulations for automated vehicles.

Technological advancements in Connected and Automated Vehicles (CAVs), particularly the integration of diverse stakeholder groups (communication service providers, road operators, automakers, repairers, CAV consumers, and the general public) and the pursuit of new economic opportunities, have resulted in the emergence of new technical, legal, and social challenges. The most pressing challenge is deterring criminal behaviour in both the physical and cyber realms through the adoption of CAV cybersecurity protocols and regulations. However, the literature lacks a systematic decision tool to analyze the impact of the potential cybersecurity regulations for dynamically interacting stakeholders, and to identify the leverage points to minimise the cyber-risks. To address this knowledge gap, this study uses systems theory to develop a dynamic modelling tool to analyze the indirect consequences of potential CAVs cybersecurity regulations in the medium to long term. It is hypothesized that CAVs Cybersecurity Regulatory Framework (CRF) is the property of the entire ITS stakeholders. The CRF is modelled using the System Dynamic based Stock-and-Flow-Model (SFM) technique. The SFM is founded on five critical pillars: the Cybersecurity Policy Stack, the Hacker's Capability, Logfiles, CAV Adopters, and intelligence-assisted traffic police. It is found that decision-makers should focus on three major leverage points: establishing a CRF grounded on automakers' innovation; sharing risks in eliminating negative externalities associated with underinvestment and knowledge asymmetries in cybersecurity; and capitalising on massive CAV-generated data in CAV operations. The formal integration of intelligence analysts and computer crime investigators to strengthen traffic police capabilities is pivotal. Recommendations for automakers include data-profiteering in CAV design, production, sales, marketing, safety enhancements and enabling consumer data transparency.Furthermore, CAVs-CRF necessitate a balanced approach to the trade-off between: i) data accessibility constraints on CAV automakers and ITS service providers; ii) regulator command and control thresholds; iii) automakers' business investment protection; and iv) consumers' data privacy guard.

A conceptual system dynamics model for cybersecurity assessment of connected and autonomous vehicles.

Emerging Connected and Autonomous Vehicles (CAVs) technology have a ubiquitous communication framework. It poses security challenges in the form of cyber-attacks, prompting rigorous cybersecurity measures. There is a lack of knowledge on the anticipated cause-effect relationships and mechanisms of CAVs cybersecurity and the possible system behaviour, especially the unintended consequences. Therefore, this study aims to develop a conceptual System Dynamics (SD) model to analyse cybersecurity in the complex, uncertain deployment of CAVs. Specifically, the SD model integrates six critical avenues and maps their respective parameters that either trigger or mitigate cyber-attacks in the operation of CAVs using a systematic theoretical approach. These six avenues are: i) CAVs communication framework, ii) secured physical access, iii) human factors, iv) CAVs penetration, v) regulatory laws and policy framework, and iv) trust-across the CAVs-industry and among the public. Based on the conceptual model, various system archetypes are analysed. "Fixes that Fail", in which the upsurge in hacker capability is the unintended natural result of technology maturity, requires continuous efforts to combat it. The primary mitigation steps are human behaviour analysis, knowledge of motivations and characteristics of CAVs cyber-attackers, CAVs users and Original Equipment Manufacturers education. "Shifting the burden", where policymakers counter the perceived cyber threats of hackers by updating legislation that also reduces CAVs adaptation by imitations, indicated the need for calculated regulatory and policy intervention. The "limits to success" triggered by CAVs penetration increase the defended hacks to establish regulatory laws, improve trust, and develop more human analysis. However, it may also open up caveats for cyber-crimes and alert that CAVs deployment to be alignment with the intended goals for enhancing cybersecurity. The proposed model can support decision-making and training and stimulate the roadmap towards an optimized, self-regulating, and resilient cyber-safe CAV system.