Automotive Cybersecurity Standard Gets Everyone Speaking the Same Language
With advances in connectivity, consumers stand to reap tremendous benefits as their vehicles receive updates over the air for improved features and enhanced safety, communicate with other vehicles or city infrastructure, or provide networked information through their user interface.
However, advanced connectivity requires advanced cybersecurity to protect the driver and other road users from would-be attackers. Attacks might come from physical access to a vehicle, or even via Wi-Fi or Bluetooth, but cellular connections mean an attacker could potentially access the vehicle’s systems from anywhere in the world.
The automotive industry is well aware of this. It will take time to fully address these risks, but first there has to be a coordinated approach to addressing cybersecurity in this growing market. Existing cybersecurity standards are not well suited to automotive-specific challenges, where vehicle safety is of utmost concern, the technology in the vehicle has a long life cycle, and the systems reside in embedded controllers.
Each OEM or supplier has had to develop its own set of cybersecurity requirements. In fact, there is not even a common way to describe the risk associated with a cyberattack on various functions in a vehicle.
That’s changing. The International Organization for Standardization (ISO) and SAE International have drafted a standard that defines a structured process to ensure cybersecurity is designed into vehicles up front. It provides a common language that can be used throughout the supply chain to quantify the cyber risk to different systems or functions in a vehicle, so that companies can agree on what level of rigor is required to mitigate that risk. While a standard, in and of itself, will not inoculate a vehicle from cyber harm, it can give the industry tools to build the products that will address risks.
The draft standard, ISO/SAE 21434, gauges risk based on two primary factors: the feasibility of an attack occurring, and the impact if a threat is realized. The standard also introduces the concept of the Cybersecurity Assurance Level (CAL), which can convey how critically a system must be protected from attacks. Based on the CAL, an organization would scale its cybersecurity activities accordingly — that is, it would use more or less rigor, depending on the CAL.
The idea is similar to the Automotive Safety Integrity Level (ASIL) specified in ISO 26262 for functional safety, which deals with the risk of failure for specific automotive systems. In fact, when assessing risk to safety, the new standard indicates that the level of impact has to be assessed based on ISO 26262 levels.
One key difference is that the feasibility of a cyberattack can change over time. A system might seem impervious one day, but an exploit could become publicly available the next day. The draft standard takes this dynamic aspect of risk into account.
The second major part of the draft standard lays out best practices for managing cyber risk throughout the life cycle of a product. Cybersecurity has to be baked into companies’ processes from the very beginning, from design and development through manufacturing. The best practices also cover situations where a vulnerability comes to light while vehicles are in the field. And they specify actions to take when a vehicle is decommissioned or sold — for example, to purge any personal data that might still reside in the systems.
What the draft standard will not do is prescribe specific cybersecurity technologies or solutions. As long as we can talk about the challenges we face in a common way, individual companies can differentiate themselves in the technologies and techniques they use to address those challenges.
Interest in the draft standard has been extremely high. The United Nations Economic Commission for Europe’s Working Party 29 references ISO/SAE 21434 as a way to meet European regulations (now labeled UN-1R55) requiring vehicles to have a cybersecurity management system. These requirements have been approved and will be binding in the European Union in summer 2022.
OEMs are also already requesting that their suppliers ensure they are compliant with the standard. In the end, the OEMs will drive adoption throughout the industry. Governments could potentially push ISO/SAE 21434 as well, as they monitor its adoption and effectiveness.
This international effort to define an automotive cybersecurity standard has been tremendous, as experts from around the globe come together to tackle this very important challenge. The final standard is expected in 2021.