Getting Started

Why do Cybersecurity?

This training will lay out the foundational information you need to understand about the automotive industry. At the end, you should understand why cybersecurity is essential to vehicles and their passengers and the regulations and standards that enforce it.

Mechanical brakes, cable throttles, and rack-and-pinion steering are all but ancient relics of what cars used to be.

Today’s vehicles are controlled digitally, relying on miles of wire to transmit signals between upwards of a hundred different electronic control modules. From simple communications devices like tire pressure monitoring systems (TPMS) to complex telematics data connecting cars with external infrastructure, vehicles are also increasingly dependent on wireless and remote communications.

What happens when you can remotely control a computer physically connected to the controller that tells the engine to go FULL THROTTLE? Yikes.

Just in case you haven’t heard (I doubt it,) here is what happened back in 2015:


Industry Respnse

What followed was a steady stream of “Car Hacked!” headlines and automakers having to recall vehicles to fix these high-profile vulnerabilities/bugs.

Industry professionals got together and started developing standard methods to reduce these vulnerabilities, and government task forces started looking at enforcing regulations. While a few companies were proactive and adopted security into their core business strategy early, the majority of the automotive industry would not see movement until the year 2022, when these standards and regulations went into effect, and products could no longer be sold without adhering to new regulations in major markets.

ISO/SAE 21434

The Society of Automotive Engineers first released a guideline for vehicle cybersecurity development: SAE J3061, in 2016 following the publicity and “awakening” of the automotive industry regarding cyber-attacks. This eventually evolved into the formal ISO/SAE 21434 Road Vehicles - Cybersecurity Engineering publication in 2021. This engineering process standard requires specific activities and work products to be produced in all vehicle or component development stages while giving no guidance on selecting technological solutions. It is less specific than the standard ISO 26262 for Functional Safety, covering a different scope to include post-production/monitoring activities.

UNECE WP.29 R155

The United Nations Economic Commission for Europe: World Forum for Harmonization of Vehicle Regulations (WP.29) is a set of legal frameworks which applies to more than 50 UN member countries (complete list), including the European Union and Japan. Because these laws are legally enforceable, they accelerated the adoption of cybersecurity processes in a way that no other standard could achieve alone.

Regulation 155: Cyber security and cyber security management system aims to enforce the addition of mandatory cybersecurity activities throughout the entire vehicle lifecycle. It became mandatory from July 2022 onward for all NEW vehicles applying for type approval and from July 2024 for ALL vehicles produced (even older models) to be sold in member states.

Although the USA and Canada are not yet part of this regulation, respective government bodies (NHTSA and Transport Canada) are working to enact similar regulations that will likely reference the R155 and adopt some of its practices.


How does this affect you?

If you are in the automotive industry, whether directly involved in the development of automotive ECUs, or other company functions such as sales or purchasing, it is more than likely that the new standards and regulations will affect your work in some capacity.

To summarize, if you are:

Leadership

Organizational culture and reporting structure must be in place to manage cybersecurity responsibilities and activities. There must be formal training for personnel, processes, and clear direction regarding all cybersecurity-related incidents.

Engineering / Process / Quality

The bulk of the new processes and features that must be added to the existing development workload, e.g., TARA, mitigations development, security testing, vulnerability management, etc. Refer to most of ISO 21434.

Information Technology (IT)

Increased requirements around IT security as a part of industry-standard practice. Also, secure data exchange and secret storage between all aspects of the supply chain are often required as part of product development. IT Security is often the department with the most relevant expertise to develop this infrastructure.

Manufacturing / Service / Warranty

Manufacturing and service equipment must be added or updated to provision/manage cryptographic secrets, unique identities for parts produced, and training to work with these new technologies. This process must be done securely and is often now the target of security audits and assessments.

Sales and Purchasing

Those involved in sales and purchasing should understand the cost of requirements that the customers/regulators will now expect for cybersecurity compliance and how these are propagated down through the supply chain. Avoid promising too much and asking too little without properly understanding what is required.

Legal

To avoid legal consequences due to new regulations and standards, new contractual and risk-sharing documentation between OEM and suppliers that goes beyond the scope of product sale and warranty are commonplace. Due to the ever-changing landscape of cybersecurity, added legal language and long-term vulnerability management contracts are often added as a part of an SOW. A standard procedure for handling these terms should be in place, with consideration of extended support, as mandatory software updates due to cybersecurity risks may now be required during the entire lifecycle of the vehicle.

For more details continue to the Industry in Depth section.


Intro to Automotive Cybersecurity - Course Completion 11%
Last updated on