As vehicles become increasingly connected and rely on sophisticated electronic control units (ECUs) and networked systems, they become vulnerable to cyber threats. The threats can range from unauthorized access for data theft to more serious risks like remote manipulation of critical vehicle functions. The practices, technologies, and measures that protect vehicles and their electronic systems from unauthorized access, attacks, and potential security breaches are therefore of utmost importance in automotive engineering. Several organizations and government bodies worldwide have established guidelines and regulations pertaining to automotive cybersecurity. This blog shares insights on some of these regulations, standards, and guidelines.
UN R155 is an automotive regulation for cybersecurity established by the United Nations Economic Commission for Europe (UNECE). The regulation is part of the World Forum for Harmonization of Vehicle Regulations (WP.29), which aims to harmonize technical standards for vehicles worldwide. UN R155 is a significant step towards establishing standardized cybersecurity requirements for road vehicles on a global scale. It aims to enhance the security of connected vehicles and protect them from cyber threats that could potentially compromise safety and functionality. UN R155 requires that vehicle manufacturers implement a Cybersecurity Management System (CSMS). This system includes processes, procedures, and organizational measures to ensure the cybersecurity of the vehicle and its components. Vehicles must go through a type approval process to demonstrate compliance with UN R155 before they can be sold or registered.
Fig 1: UN R155 Approval mark
The UN R155 Approval Authority verifies that the vehicle manufacturer has taken the necessary measures relevant for the vehicle type to:
- Collect and verify the information required under this Regulation through the supply chain to demonstrate that supplier-related risks are identified and managed.
- Document the risk assessment (conducted during the development phase or retrospectively), test results and mitigations applied to the vehicle type, including design information supporting the risk assessment.
- Implement appropriate cyber security measures in the design of the vehicle type.
- Detect and respond to possible cyber security attacks.
- Log data to support the detection of cyber-attacks and provide data forensic capability to enable analysis of attempted or successful cyber-attacks.
UN R155 contains Annex 5, with:
- Part A describing the baseline for threats, vulnerabilities and attack methods, containing:
  - Threats regarding back-end servers to vehicles in the field
  - Threats to vehicles regarding their communication channels
  - Threats to vehicles regarding their update procedures
  - Threats to vehicles regarding unintended human actions facilitating a cyber attack
  - Threats to vehicles regarding their external connectivity and connections
  - Threats to vehicle data/code
  - Potential vulnerabilities that could be exploited if not sufficiently protected or hardened.
- Part B describing mitigations to the threats which are intended for vehicle types.
- Part C describing mitigations to the threats which are intended for areas outside of vehicles, e.g. on IT backends.
According to UN R156, the vehicle manufacturer must provide evidence of their established processes and procedures to guarantee that when an over-the-air update necessitates specific, skilled, or intricate actions (such as recalibrating a sensor post-programming), the update process can only advance when a qualified individual with the necessary expertise is either physically present or has full control over the process. This ensures that critical and technically demanding tasks within the update can only be executed by qualified personnel, protecting the overall integrity and success of the update process.
UN R156 is organized in 12 sections, with chapters devoted to approval, certificate of compliance for software update, general specifications for the software update management system, modification and extension of the vehicle type, and conformity of production, among other sections.
ISO/SAE 21434 is a well-known standard developed jointly by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE). It provides a framework with best practices and recommendations to be applied in each phase of the road vehicle life cycle. ISO/SAE 21434 was released in Aug 2021 and supports the UN R155 cybersecurity regulation, which mandates vehicle type approvals from a threat mitigation perspective. The standard contains 15 clauses and 37 sub clauses with 101 requirements and 13 recommendations.
Fig 1: Overview of ISO/SAE 21434 standard
The major parts of the ISO/SAE 21434 standard are:
- Organizational Cybersecurity Management, which includes policies, rules, processes, responsibilities, awareness, tooling and developing a cybersecurity (CS) culture in the organization.
- Project Cybersecurity Management, which contains:
  - Cybersecurity plan about what to achieve.
  - Cybersecurity case about what degree of achievement happened.
  - Cybersecurity assessment to independently certify that achievement.
- Distributed cybersecurity activities, which contain supplier CS competency evaluation, formal CS quote requests and alignment of CS development responsibilities.
- Continual cybersecurity activities, which contain continuous monitoring and evaluation of cybersecurity activities. Continuous vulnerability analysis and treatment is a major part of this.
- Product development phases, which contain:
  - Concept phase with cybersecurity goals and concepts
  - Development phase with product development and validation of CS goals at vehicle level
  - Post-development phase with production that introduces no vulnerabilities, incident response during operation/maintenance, and end of support with proper decommissioning.
- TARA (Threat Analysis and Risk Assessment), which is an in-depth exercise to identify the threats, vulnerabilities and risks that can potentially target the system and to develop strategies to mitigate them.
NHTSA (U.S) Cybersecurity guidelines
The National Highway Traffic Safety Administration (NHTSA)’s cybersecurity guidelines, titled “Cybersecurity Best Practices for Modern Vehicle Safety”, are designed to assist the automotive industry in establishing best practices for cybersecurity. NHTSA emphasizes the importance of conducting risk assessments to identify potential cybersecurity vulnerabilities and threats. This information should then be used to implement appropriate security measures. Incident response plans, access controls for vehicle systems and data, and security considerations from the design stage are some of the major parts of this guideline. While not legally binding, the guidelines serve as a reference for automotive industry best practices.
IEC 62443 is a series of international standards developed by the International Electrotechnical Commission (IEC) that addresses industrial automation and control systems (IACS) security. These standards provide a comprehensive framework for establishing cybersecurity measures in industries that rely on automation and control systems. They provide guidelines, best practices, and requirements for implementing cybersecurity measures, and define security levels to categorize the level of protection needed for different assets. The framework comprises four key functions: Identify, Protect, Detect, and Respond. IEC 62443 is applicable to the automotive industry, especially in the context of securing the control systems and networks used in vehicles.
Trusted Information Security Assessment Exchange (TISAX) is a framework and standard developed by the German Association of the Automotive Industry (VDA) for assessing and ensuring the information security of companies in the automotive industry. TISAX is particularly relevant for suppliers and service providers in the automotive sector. TISAX assessments encourage a culture of continuous improvement in information security practices. These assessments cover various aspects of information security, including data protection, access control, incident management, and more.
ASPICE extension for Cybersecurity
In February 2022, the VDA formally expanded the scope of ASPICE with cybersecurity extensions. ASPICE serves as the product development lifecycle baseline for automotive systems and software, and this extension defines new areas for cybersecurity assessment, including requirements elicitation, cybersecurity implementation, risk treatment verification, and risk treatment validation. Though ASPICE is not mandated like CSMS and UN R155 during type approval, the addition of cybersecurity to the ASPICE V-model shows the importance of a security mindset during all stages of function development, from start to end.
Though the EU General Data Protection Regulation (GDPR) is not specific to vehicles, it sets strict rules for data protection and privacy in the European Union, which has implications for the handling of personal data within connected vehicles. Privacy management is therefore part of the OEMs' cybersecurity strategy, which includes measures to avoid unauthorized access, data breaches, and other security incidents. GDPR requires that personal data be processed only for specified, explicit, and legitimate purposes, which limits the amount of data collected and processed and in turn reduces the potential attack surface for cyber threats. GDPR mandates that organizations notify authorities and affected individuals of data breaches without delay, which requires strong incident response and notification processes to be in place.
Apart from the above standards, in the realm of information technology (IT), a wide-ranging spectrum of security standards exists, each tailored to specific aspects of distributed IT systems. The relevance of these standards varies depending on several critical factors, including the components, applications, functional domains, and the overall enterprise architecture of the organization. These standards encompass a broad array of security measures, protocols, and best practices designed to safeguard sensitive data, ensure system integrity, and protect against cyber threats. From encryption methods for data protection to access control mechanisms, compliance frameworks, and threat detection protocols, the choice of security standards must be carefully aligned with an organization’s unique IT ecosystem to establish a robust defence against evolving cyber risks.
About the Author
Ishwaraprasada is a product owner with several years of experience in the Automotive domain. His area of expertise includes Autosar, Cyber security, Functional safety, Base Software, Battery management system, Vehicle Charging standards, Inverters & Engine management software for PC and Trucks.
Siri AB is a Gothenburg, Sweden-based organisation with expertise in Automotive, Telecom and IoT engineering. Siri AB can provide you with consultative and implementation support for cybersecurity in various applications.