This article is not only for organization that have already been hacked… even if you (wrongly) think that you are not potentially subject to cyber attacks, future regulations and upcoming homologation schemes already planned to integrate cyber security as core component to be demonstrated by manufacturers as of 2024. Indeed, the UNECE World Forum for Harmonization of Vehicle Regulations adopted two new cybersecurity regulations (WP.29 regulation) in June 2020 – one for ECU cybersecurity and one for software updating – and they require automobile manufacturers to implement control processes across four domains:
- Managing vehicle cyber risks
- Securing vehicles “by design,” to decrease the likelihood of risks being introduced by the technical architecture or through supply chain partners
- Detecting and responding to security incidents across the vehicle fleet
- Providing software updates for the whole life of each vehicle
While enforcement dates for WP.29 cybersecurity compliance may seem relatively far off – in the EU, for example, manufacturers must be able to show cybersecurity compliance for all vehicles, both new and legacy models, as of July 2024, to receive vehicle type approval (the deadline is two years earlier for newly developed car series). This is a significant challenge given the development cycle of new models, which is typically around three to four years. In other words, engineers developing new models for 2022 or 2024, when the regulations are in force, are already into their development projects and must now retrofit cybersecurity into their designs.
What does cyber security mean for the automotive industry ?
Across almost every industry, too many organisations have never integrated cyber security aspects into their processes and believe that performing a penetration test will be sufficient to identify all vulnerabilities, patch them and deliver a so-called “secure product” or run a “secure infrastructure”. Unfortunately, cyber security cannot be limited to just adding few technical security features in a target. In a similar way as for functional safety, cyber security should be seen as a complete lifecycle, requiring an holistic approach for dealing with new types of risks, mainly rising from the growing number of connected systems
By holistic approach, cyber security standards try to address cyber risks from three perspectives:
- Technical measures
- Processes
- human factors
For tackling cyber security in the automotive industry, the SAE J3061 (“Cybersecurity Guidebook for Cyber-Physical Vehicle Systems”) has been published in January 2016. This document is considered as the first-ever reference for cyber security for automotive-related systems. Even if it was considered as a reference, this document did not provide any formal requirements because of its purpose to be a guidance and not a real standard. Based on that document and other cyber security specific ones, and to cope with the industry request for establishing common cyber security requirements, the development of a new document has been initiated in October 2016: the “ISO21434 – Cyber security for Road vehicles“. This freshly new standard is currently in its final draft version (FDIS release) and its official release is planned for Q1-Q2 2021.
ISO21434 is strongly aligned with the well-known ISO26262, which defines the requirements for the functional safety lifecycle applied in the automotive industry. The strategy behind this alignment is clear: Make the integration of cyber security practices as practicle and easy as possible for automotive stakeholders. The current issue remains the understanding of the sense of cyber security in that context.
Why should I take care of cyber security when my product is already considered safe?
Reliability and functional safety are covered by ISO26262. However, in terms of risks, intentionnal and malicious attacks against a system are not addressed by such standards. Those scenarios will appear more and more in the future with connected and even automated cars. The representation below illustrates the differences between reliability, functional safety and cyber security issues.
Traditional approaches (quality, reliability and functional safety) require analysis to be performed right from the concept phase are focused on the system itself and the potential consequences that could impact its environement. For cyber security now, we are going to talk about the second side of the same coin: the analysis of potential impact of the environment on the same system.
Let’s take the example of the system illustrated above describing the traffic light detection system from an automated car and traffic light:
- Regarding the detection function, if some system limitations leads to a risks (e.g. no traffic light detection leading to a crash), we are going to talk about safety issues.
- Now, if the detection system is working well but an attacker is able to send malicious message to reproduce a green light when the traffic light is red, then the same risk of crash is also there but the risk origin is strongly different. We are now talking about cyber security issue.
Interfaces and communications are considered as key elements for evaluating the cyber security of a system. The analysis of such high-level system threat in a specific context is called a threat model and is documented in the automotive industry through a so-called Threat Analysis and Risk Assessment (TARA). This work product is supposed to document the entire set of potential threats against a specific system. The world of cyber security is much more dynamic than other traditional field (e.g. functional safety) in the sense that 0-days attacks are newly discovered every day. It means that organization should be aware of the evolution of the threat landscap and regularly update every product-specific threat model to ensure a secure system.
This paradigm is strongly different than for functional safety where a system will ever be considered as safe as long as it is certified and not modified. For cyber security, a system will ever be evaluated against its threat model, which will change on a daily- or even second-basis. Therefore it means that a certified product today could lose its security consideration after some times, if a vulnerability is existing without being patched, or at least treated.
This highlights the fact that cyber security shall be seen as a continuous process instead of single objective to be reached. That represents the key reason why we are discussing about the certification of Cyber Security Management Systems before any product certification
How to initiate the integration of cyber security activities across my organization ?
As mentionned above, the alignement of ISO21434 and ISO26262 is an opportunity for organization to reuse some of the FuSa processes, but with a cyber security flavour.
A good approach is to analysis the current set of organization processes and evaluate the manner to integrate cyber security across them. There are two options:
- Integrate directly the cyber security across the existing processes, or
- build a specific set of cyber security processes and integrate some interface between such activities and other related ones (quality, functional safety or any other ones).
Both are possible and every organization context is basically different. The main goal is to identifiy the most efficient solution to handle cyber security. Only after establishing a compliant CSMS , it will be the time to get your hands dirty and start thinking about your threat model.
At a glance…
Upcoming standards for automotive cyber security will not reinvent the wheel. It will be based on State-of-the-Art practices (incl. both technics and processes) which are already standardized by other industries, but with a automotive flavour regarding its lifecycle integration. Indeed, as soon as its development began, the ISO21434 has been voluntarily aligned with the functional safety lifecycle (ISO26262) to make its integration as practical as possible for automotive stakeholders.
Of course, despite this standards alignement, it is not so trivial to integrate best cyber security practices in an organization. it requires the establishment of a strong cyber security culture and additionnal competencies to be able to handle such topics in an efficient way.
Based on those considerations, CertX is proposing several types of services for supporting automotive organizations:
- Trainings and certification of engineers and managers
- Cyber security: ISO21434, SAE J3061, ISO27K, EU-GDPR
- Functional Safety: ISO26262, IEC61508, ISO13849
- Others: SOTIF, ASPICE
- Gap analysis for evaluating your current posture against standardized requirements
- Cyber Security Checkups for identifying weakest spots in your systems
- Support for the establishment of certification strategy
- Certification of Cyber Security Management Systems (CSMS) and automotive components/systems
If you have any questions about cyber security, in the automotive domain or any other industrial fields , please do not hesitate to contact our cyber security specialist: Kilian Marty