Introducing Automotive Cybersecurity Regulations

        With vehicles relying heavily on software and increasingly complex software supply chains, and the cyber threat landscape evolving, safety and security standards are more important than ever.

        Industry-wide awareness of automotive cybersecurity risks has prompted regulators and industry leaders to double down on oversight. The recently adopted UNECE WP.29 R155 and ISO/SAE 21434 standards place the responsibility for cybersecurity directly on the shoulders of manufacturers, requiring them to manage the risks associated with suppliers, service providers and other organisations.

        To help automotive product security experts understand the different regulatory requirements and standards designed to help the automotive industry secure vehicles throughout development, all the way through to post-production, we've put together an overview of today's top automotive cybersecurity standards and regulations.

1. Directory

  1. The evolution of automotive regulations
  2. The ever-expanding attack surface of vehicles
  3. International Cybersecurity Regulations and Standards
  4. ISO 26262 standard - Road vehicles - Functional safety
  5. ISO/SAE 21434 Standard – Road vehicles – Cybersecurity engineering
  6. MISRA C:2012 and CERT C Guidelines
  7. United Nations Regulations
  8. Relationship between WP.29 and ISO/SAE 21434
  9. Better Automotive Cybersecurity Compliance

 

2. Evolution of automobile regulations


        As early as the 1980s, U.S. government regulators saw the benefits of GM's On-Board Diagnostic (OBD) port, which provided direct access to engine performance and other data the car monitors and collects, and moved quickly to standardize it among manufacturers and within their jurisdiction.

        The expansion of the OBD port gave rise to protocols such as ISO 9141, and later SAE J1979/ISO 15031-5, which specified requirements for the exchange of digital information between emissions-related on-board electronic control units (ECUs) and external test systems.

        The standardized SAE OBD II makes it easy for technicians to efficiently service a wide variety of vehicles quickly and accurately. It also provides accurate performance data, enabling manufacturers and automotive suppliers to improve their products while monitoring compliance with emissions standards.

3. The ever-expanding attack surface of vehicles

        According to McKinsey, new cars run 100 million lines of code on 150 or more ECUs. By 2030, the volume of software will reach more than 300 million lines. A new car can generate 25 gigabytes of data per hour, or 4,000 gigabytes per day. These troves of data could be worth as much as $750 billion by 2030.

        A typical car can utilize the services of more than seven independent networks running various communication and control protocols from traditional CAN to SAE J1850 to Media Oriented System Transport (MOST). Add smartphones, and Bluetooth, WiFi, and other communication protocols enter the vehicular environment. Soon, vehicles will communicate with each other via vehicle-to-vehicle (V2V) protocols, and with external objects such as road signs via vehicle-to-everything (V2X) communications. This year, 237 million connected cars are on the roads of the US, EU, China and Japan. By 2035, this number will increase to over 800 million.

        Ever-growing applications and databases, combined with constant connectivity, create a very large attack surface and make every car an extremely attractive target for hackers.

4. International Cybersecurity Regulations and Standards

        Automakers, relatively new to the cybersecurity space, have been tackling cybersecurity issues individually. But as the frequency of cyberattacks on cars continues to rise (a 225 percent increase from 2018 to 2021), manufacturers need to work together to find protective regulations, standards and guidelines that span the industry.

        International agencies quickly filled the void. They are working feverishly to ensure cybersecurity is a focus for manufacturers at every level of the automotive supply chain.

        Early regulatory and standards bodies were national (US and Japan) and regional (EU) institutions, but momentum has shifted to international institutions. Below, we survey these institutions and their work.

        NOTE: The Regulations are legally binding in all countries (aka "Contracting Parties") that have signed the Regulations. "Standards" and "Guidelines" are not legally binding, but ideally become the practice of the industry.

5. ISO 26262 Standard – Road Vehicles – Functional Safety

        First published in 2011, ISO 26262 is only partly relevant to today's cyber realities. It is limited to safety-related systems that include one or more electrical or electronic (E/E) systems installed in a passenger vehicle with a maximum gross vehicle mass of over 3500 kg. The standard addresses hazards arising from failure of E/E safety-related systems, but not hazards associated with electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, etc., unless they are directly caused by malfunctioning behavior of E/E safety-related systems.

        Some of the original objectives and definitions of ISO 26262 served as the basis for later regulations. For example, ISO 26262 defines a complete automotive safety lifecycle, including management, development, production, operation, service, and decommissioning. It also covers the functional safety aspects of the entire development process, including activities such as requirements specification, design, implementation, integration, verification, and configuration.

6. ISO/SAE 21434 Standard – Road Vehicles – Cybersecurity Engineering

        Published in 2020, ISO/SAE 21434 follows the structure of ISO 26262, addressing the entire lifecycle of road vehicles, but focuses on cybersecurity management and risk assessment for modern vehicles. Unlike ISO 26262, which is restricted to E/E systems, the scope of ISO/SAE 21434 includes all electronic systems, components and software in the vehicle, as well as all external connections.

        The standard places a responsibility on automakers and suppliers to exercise due diligence in implementing cybersecurity and to support it by applying cybersecurity management throughout the supply chain. It defines the minimum requirements for processes and activities to enable network control and facilitates cooperation between parties involved in the value chain of the automotive industry.

7. MISRA C:2012 and CERT C Guidelines

        The C programming language is commonly used in automotive software. MISRA C (2012) and CERT C Guidelines (2011) are recommended in ISO/SAE 21434 for any project using C.

        The purpose of these guidelines is to prevent the use of C features that may cause serious or unspecified behavior. For example, strong typing ensures that the language's data types are well understood, preventing certain classes of programming errors. Defensive implementation techniques that enable software to continue operating even in unforeseen circumstances are also part of the guidance.

        CERT C is a language security standard designed to identify vulnerabilities unique to cybersecurity. MISRA C:2012 defines a subset of the language that applies to both safety and security.

8. ENISA

        The European Cyber Security Agency's (ENISA) 2019 "Good Practices for Smart Car Security" defines best practices to consider when developing and deploying connected vehicles.

        Since its release, cyberattacks against modern vehicles have only increased. While many vehicle hacks involve property theft, increased connectivity threatens brand confidence and consumer safety, because compromising one ECU can also give access to all other software components.

        To address this issue, ENISA published "How to Secure the Connected and Automated Mobility (CAM) Ecosystem". According to ENISA: "Today, connected vehicles, environments and infrastructures require the design of new functions and features. These capabilities and features should aim to provide:

  • Increase security;
  • Better vehicle performance;
  • Competitive digital products and services;
  • Improve comfort;
  • Environmentally friendly;
  • User-friendly systems and equipment for customer convenience."

9. United Nations Regulations

        The United Nations Economic Commission for Europe (UNECE) has become the main regulatory body. UNECE's World Forum for the Harmonization of Vehicle Regulations has adopted UN regulations on cybersecurity and software updates for connected vehicles. The 54 signatories, including the European Union, South Korea, Japan, Turkey and Russia, are now bound by UNECE Working Group 29 (WP.29) regulations, which came into effect in January 2021 and become binding in the EU next month.

The new international regulation, formally titled WP.29 Cybersecurity and Cybersecurity Management Systems (CSMS), addresses four main areas:

  • Managing vehicle cyber risk
  • Protecting vehicles by design to reduce risk along the value chain
  • Detecting and responding to security incidents across the fleet
  • Providing secure and reliable software updates, including over-the-air (OTA) updates, and ensuring vehicle safety is not compromised

        WP.29 puts the onus of cybersecurity certification on the manufacturer. It requires the incorporation of best practices in vehicle design and holds manufacturers accountable for the cybersecurity of their vehicles. It also requires continuous cybersecurity for vehicles throughout all phases of their lifecycle, including years on the road.

WP.29 describes the types of cyber threats associated with:

  • Back-end servers
  • Vehicle communication channels
  • Vehicle update procedures
  • Unintended human actions
  • Vehicle external connectivity and connections
  • Vehicle data and/or code
  • Other vulnerabilities, such as compromised or insufficiently applied encryption technology, compromised parts or consumables, vulnerable software or hardware, vulnerable network design, unintentional data transmission, and physical manipulation of the system

Note: WP.29 does not apply to North American automakers that are not currently signatories.

10. The relationship between WP.29 and ISO/SAE 21434

WP.29 and ISO/SAE 21434 are complementary. While WP.29 generally specifies what must be done to achieve compliance, ISO/SAE 21434 gives us the means. Here are some examples:

  • CSMS: A Cyber Security Management System (CSMS) is the first step towards compliance with WP.29. Manufacturers must implement a CSMS to monitor security events, threats and vulnerabilities. WP.29 does not describe how to establish a CSMS, whereas ISO/SAE 21434 explains the implementation of cybersecurity policies, the assignment of responsibilities and the management of system maintenance to support cybersecurity activities.
  • Risk management: WP.29 calls for risk assessment and management throughout the life cycle of the vehicle, but does not explain how. ISO/SAE 21434 provides details on risk assessment, risk analysis and cybersecurity management for organizations.
  • Securing the supply chain: WP.29 clearly states that manufacturers are responsible for cybersecurity management in the supply chain, but does not address how components will be authenticated. ISO/SAE 21434 specifies some of the strategies that OEMs can use to manage supplier-related risks, such as assessing a supplier's capabilities by considering its record of cybersecurity activities, and entering into contractual agreements with suppliers to maintain and conduct cybersecurity activities throughout the vehicle lifecycle.

Better Automotive Cybersecurity Compliance

With international bodies entering the cybersecurity space and developing regulations, standards and guidelines, it looks like the public will have better cyber protection in the vehicles they use. Over time, vehicle cybersecurity will evolve to address the dynamic nature of cyber threats.


Origin blog.csdn.net/qq_18209847/article/details/130528531