
Progress in sight in battle against cyberattacks on cars
Just 5 years ago, Charlie Miller and Chris Valasek brought the IT security of vehicles into the public eye with their famous hack: Via the entertainment system’s Internet connection, the two IT experts gained control over multimedia systems, windshield wipers, air conditioning, brakes and speed of a Jeep Cherokee. In the end, they remotely stopped the test ride in the middle of the highway. Since then, an increasing number of attacks have been observed. They all take advantage of the vehicles’ growing attack surface due to increasing connectivity. This has made it clear to the automotive industry what risks the digitalization and networking of vehicles poses to manufacturers, users and uninvolved road users.
Efforts are therefore underway worldwide to regulate and standardize cyber security. Examples of corresponding legislative initiatives are the Cybersecurity Act in the EU, the Chinese ICV programme and new JASPAR guidelines in Japan. Three major trends can be identified in all these regulations:
- Cyber security requirements that are more concretely tailored to the specific needs of the automotive industry,
- the requirement to maintain the security of vehicles in the field, and
- the increasingly mandatory nature of the relevant specifications at the time of type approval.
These developments are currently manifesting themselves in two regulatory initiatives in particular, which for the first time define explicit management systems for the protection of vehicles: The UNECE WP.29 TF-CS/OTA and the forthcoming ISO/SAE 21434 standard.
The United Nations World Forum for Harmonisation of Vehicle Regulations (UNECE WP.29) is currently developing a set of rules that will make cyber security mandatory for the approval of new vehicle types. The proposal of the sub-working group TF-CS/OTA (Task Force on Cybersecurity and over-the-air issues) consists of two core requirements: the operation of a certified cybersecurity management system (CSMS) and the application of the CSMS to specific vehicle types at the time of type approval. The EU plans to require compliance with these requirements for new vehicle types as early as mid-2022 and to extend them to existing architectures at a later date.
In view of the typical development times in the automotive sector, manufacturers and suppliers must therefore already address these cyber security requirements today in order to be able to secure type approvals for their future products. In order to do so, according to the Escrypt experts, they must pursue a risk-based approach that can consistently identify, achieve and maintain an appropriate level of risk for the vehicle type, its external interfaces and its subsystems. The security-relevant dependencies and information from suppliers, service providers and other third parties must also be taken into account. In view of the constantly changing threat environment and long vehicle lifecycles, the required CSMS also focuses in particular on the phase after the start of production and continuous risk management during vehicle operation.
In parallel to TF-CS/OTA, the automotive industry is working on the ISO/SAE 21434 standard for cyber security of vehicles within the framework of the International Organization for Standardization (ISO) and the Association of Automotive Engineers (SAE). Just like the CSMS defined by WP.29, this standard focuses on the necessary organisation and correct processes to protect the vehicle against cyberattacks throughout its life cycle. This is a challenge in that new attacks can emerge during the use phase of a car that were not known at design time. An update capability for the vehicle software is therefore essential. Since an accompanying document of the UN draft regulation consistently refers to this standard for the implementation of the CSMS requirements, ISO/SAE 21434 deserves special attention. With a common terminology and defined measures, an industry-wide basis is created here on which manufacturers and suppliers can build their interfaces, shared responsibilities and processes. The final version is expected at the end of 2020.
More information: https://www.escrypt.com/en/news-events
Related articles:
Hackers take over a moving vehicle remotely
Argus, NXP jointly strengthen cybersecurity of cars
Automotive cybersecurity begins with secure ASIC, FPGA and SoC hardware
Bosch, cybersecurity provider work to mitigate car security flaw
IT security becomes essential feature for cars
Car designers stress security at developers meeting
