Industry In Depth

Introduction

Standards, regulations, and business requirements demand that vehicles are secure, especially when cybersecurity becomes more critical with features like autonomy, connectivity, and other advanced use cases. If you were given a car and a budget, then you were told, “Figure out how to use this budget to install controls that make the vehicle more secure,” a skilled cybersecurity practitioner would likely be successful. Many of the more significant challenges in vehicle cybersecurity result from the unique characteristics of the automotive industry. For example, a typical consumer vehicle has over 100 electronic control units, typically sourced individually from different suppliers to reduce reliance. In this scenario:

Who owns the cybersecurity efforts when both parties are performing development: the automaker/OEM or the suppliers? And, importantly, who pays for it? If the automaker ultimately owns the risk, should the automaker check the cybersecurity work of the suppliers? How does the supplier implement cybersecurity consistently when different automakers have different requirements? Can suppliers get ahead of requests from automakers by implementing their cybersecurity processes?

This course provides an overview of how cybersecurity activities are distributed through vehicle supply chains.


Traditional vs New Automotive: Cybersecurity Strategies

The automotive industry is going through some of the most significant transitions in its history. The shift from ICE to EV, vehicle autonomy, and features released over the air are the tip of the iceberg regarding new opportunities for innovation in vehicles - and they’re quickly materializing. With new automakers and new suppliers entering the arena, vehicle cybersecurity tends to be approached differently by traditional automakers/suppliers versus new-to-market organizations. For example, many conventional automakers & suppliers tend to have the following characteristics:

  • Implementing cybersecurity in legacy, or “carry-over” architectures that seek to reuse efforts from previous vehicle programs.
  • Slower and more methodical development processes.
  • A highly distributed supply chain with software/hardware IP ownership that is also distributed.
  • Many “silos” within the organization (e.g., off-board versus on-board cybersecurity)
  • Strong capabilities in existing automotive frameworks like functional safety or ASPICE.

On the other hand, newer automakers and suppliers tend to exhibit the following:

  • A relatively “clean slate” that can facilitate more advanced cybersecurity features.
  • More agile development processes.
  • A strong focus on product delivery to market at the cost of thorough testing and quality control
  • Cross-functional teams juggling many areas (e.g., safety and security).

Nonetheless, the standards and regulations in vehicle cybersecurity apply to both newer and traditional companies in the automotive industry. In the following lessons, we’ll outline how to think about the vehicle cybersecurity industry. We will draw from our insights in working with both types of companies, new and old.


History of UN R155

Enforcing and motivating a long-standing industry to focus on new requirements, such as cybersecurity, is not easy. To achieve this, the UNECE establishes Sector Committees to achieve their mission on specific focus areas.

The automotive landscape falls under the Inland Transport Committee, whose mission is “We work to promote sustainable transport which is safe, clean and competitive, through the development of freight and personal mobility by inland transport modes, by improving traffic safety, environmental performance, energy efficiency, inland transport security and efficient service provision in the transport sector.” This committee is the parent of specific working groups such as WP.29 - World Forum for Harmonization of Vehicle Regulations, which is responsible for developing vehicle regulations.

WP.29 incorporates the technological innovations of vehicles into its regulatory framework to make them safer and more environmentally sound, thus contributing to the implementation of UNECE Sustainable Development Goals known as SDGs.

Ultimately, this governance and legal framework established through UNECE has resulted in United Nations Regulations being released that are adopted by member states. These UN Regulations prescribe specific requirements and expectations for automotive industry OEMs. In the context of vehicle cybersecurity, multiple regulations apply. Still, to start, we will focus on UN Regulation No. 155: Uniform provisions concerning the approval of vehicles regarding cyber security and cyber security management system.

We have previously discussed that to achieve this CSMS UN Regulation No. 155 regulatory obligation, and many OEMs have chosen to utilize ISO/SAE 21434: Road Vehicles — Cybersecurity Engineering as the standardized guidance on establishing an effective CSMS for handling vehicle-related activities.


UN R155: Regulation Breakdown

Next, let’s get down to business and talk about what this regulation requires and what it takes to meet it.

Regulation No.155 requires an assessment to be performed by a government-appointed Approval Authority on each vehicle type planned to be sold in member countries. The Approval Authority can grant or deny type approval for the vehicle type based on provided documentation and evidence, thereby legally allowing or prohibiting the sale of vehicles in these countries. This is similar to EPA approvals.

The assessment is performed on two significant areas: the CSMS and the vehicle type.

We have briefly mentioned the CSMS requirement established by R155 before and how ISO/SAE 21434:2021 can meet most CSMS requirements. The Approval Authority shall assess whether the OEM process sufficiently meets the requirements outlined in the regulation. Note this is an assessment of the company’s PROCESS, and the resulting Certificate of Compliance remains valid for a maximum of three years or until the company process changes, in which case the changes may need to be reassessed. This Certificate of Compliance can be reused for different Vehicle Type applications as long as it remains valid.

In terms of the vehicle type assessment, the Approval Authority is expected to assess the quality and completeness of the cybersecurity activities involved in the development of the vehicle type, such as the Threat and Risk Assessment (TARA) on vehicle systems and components as prescribed by ISO/SAE 21434.

Additionally, R155 requires:

  1. TARA is to be performed on any external systems supporting or related to the vehicle,
  2. the TARA must include the list of threats and mitigations called out in the Annex of R155,
  3. adequate security measures put in place to secure the vehicle and supporting systems,
  4. tests to be performed demonstrating the effectiveness of said measures,
  5. additional logging and intrusion detection capabilities
  6. up-to-date cryptographic capabilities

To verify the above requirements, the Approval Authority is expected to review and scrutinize the technical work products provided by the OEM and perform tests on the vehicle to validate the adequacy of the mitigation measures.

In conclusion, UN R155 relies on standards such as ISO/SAE 21434 to define a detailed CSMS for OEMs while adding some extra considerations and technical requirements.


Intro to Automotive Cybersecurity - Course Completion 55%
Last updated on