Positioning Automotive Cybersecurity for the Future
Cybersecurity is a relatively new concern for the automotive industry. As automobile manufacturers began to include electronically controlled steering and brakes in their vehicles, the risk increased, but connectivity opened the door to much more risk.
Observers often point to vehicles’ direct connections to the internet as a source of risk, but they tend to overlook indirect connections, such as through a cellphone via USB or Bluetooth. Even a vehicle that otherwise does not appear to have any connectivity could have a wireless tire pressure monitoring system or an onboard diagnostic module that allows access to vehicle information.
Connectivity without robust enough security led to a widely publicized incident in 2015 in which researchers were able to remotely control certain functions of a vehicle. Despite being a painful experience for many, the incident forced the automotive industry to more deeply consider what a systematic approach to vehicle cybersecurity might look like.
Of course, other industries have had similar journeys, so security management practices from a variety of industries have helped shape the framework for automotive cybersecurity. While one might think of business IT and its high-profile ongoing defense against malware, there is a closer analog: the aerospace industry. That industry has long supported the idea of having very sensitive code running next to less sensitive code. In fact, it classifies software by Design Assurance Level, or DAL, a risk classification system that is similar to the automotive industry’s Automotive Safety Integrity Level, or ASIL.
Other industries’ experience with cybersecurity provided the basis for new regulations that specify how to create a comprehensive cybersecurity management system in automotive, such as Regulation 155 (R155) from the United Nations Economic Commission for Europe (UNECE). The demand for hardware-backed security has created economies of scale in specialized microprocessors from which the automotive industry benefits. And defense-in-depth strategies developed for other industries provide a clear path for ensuring security at multiple layers throughout a vehicle.
Well-structured cybersecurity management must go hand in hand with the development of software-defined vehicles. Developers must bake security into every layer, making no assumptions about the safety of a particular application or any of the supporting software.
A cybersecurity management system represents a systematic approach to defining processes and governance with security in mind — from the start of development through the maintenance of the software over time — and it allows an organization to apply that approach at every layer of the automotive system. In this white paper, we discuss some of the key areas of focus in automotive.
