Over the past decade, the automotive industry has undergone a digital transformation. Today virtually all vehicles come with built-in connectivity options; today’s software-defined and connected cars have more than 100 million lines of code and can process 25 GB of data per hour. These trends, together with the development of autonomous vehicles, cloud-based functionality, and shared mobility – all expose vehicles to greater cyber risk. From the OEM’s point of view, cybersecurity has become just as important as functional safety and quality when it comes to ensuring a vehicle’s safety and achieving certifications and registration licenses.
This article overviews the current state cybersecurity regulations for automotive and the organizational considerations OEMs are required to address, providing real-world insights.
UNRs 155, 156, GB, and GB/T standards as well as other proposed and developing regulations have emerged as a response to the growing cyber-risk in the motor vehicle manufacturing and transportation sectors of the economy. For example, UNR 155 came into effect in July 2022 in the EU and Japan and applied cybersecurity management and vehicle-type specifications to the body of knowledge manufacturers must demonstrate in order to achieve whole vehicle type approval.
The new requirements established by UNR 155 include a well-defined strategy with defined management processes for the integration of cybersecurity competencies into vehicle development and maintenance programs, as well as the purposeful and targeted application of vehicle and backend security controls and data analysis tools.
These activities, and more broadly the implications of software and connectivity inside vehicles, present new challenges, and a steady ramp-up of capabilities in each domain has taken place
Essential #1 – Structure
As a first step towards UNR 155 compliance, automakers should evaluate their existing process landscape and risk management policies to identify potential gaps between what exists and the requirements of UNR 155. Such gap analysis work is the common first step in identifying inadequacies and prioritizing the work going forward. Each manufacturer has a unique makeup of policies, processes, and procedures related to cyber-risk management that place them at vastly different stages in their pursuit of UNR 155 compliance.
The results of this initial evaluation highlight the topics that need to be most pressingly addressed, those that need to be improved or harmonized with other standards/best practices, and those that may already be addressed within the existing process landscape.
There is no one-size-fits-all when it comes to developing a Cyber Security Management System (CSMS) due to variations in organizational size, structure, and culture. Nevertheless, certain development standards and frameworks (e.g., ISO/SAE 21434 for the overall approach of the organization and ASPICE for product development and quality) can serve as important tools for manufacturers to ensure that there are systematic and repeatable processes and activities, for example, to achieve a level of assurance in delivered products from suppliers.
Having the processes in place not only helps with regulatory compliance, but it also provides the guiding framework for people. The next area of strategic importance is in human capital and ensuring the right personnel and know-how is “baked-in” to the vehicle cybersecurity management as well as the development and maintenance programs.
Essential #2 – Know-how
Manufacturers must be able to act on the guidance of internal audit evaluations and the overall needs of cybersecurity management, development, and maintenance. This increases the importance of skilled personnel with the right knowledge and experience. Just as UNR 155 requires policy, process, and procedural changes within the organization, the organization also needs to assimilate new competencies, whether it be through hirings, external engagements, internal trainings and etc.
Given the challenges related to recruiting experienced cyber security professionals (analysts, engineers, project managers, etc.), the automotive industry, and vehicle manufacturers, in particular, have adopted a hybrid approach that draws on an array of cybersecurity-related human resources available in the market. The exact formula for each automaker differs significantly as internal considerations regarding platforms, components, budgets, policies, strategy, existing competencies, etc. create unique operating environments for manufacturers.
What has also taken place is a corollary growth in cybersecurity innovation and entrepreneurship as well as the expansion of capabilities offerings from well-known industrial and consulting firms. This trend is an important component of solving the challenge of automotive cybersecurity, not only in terms of compliance but also for enablement; with more people working together on solving these issues, the economy can expect a wide swath of benefits as the promises of a connected, software-serviced world accrue to the public.
Essential #3 – Technology
Technology is the third essential aspect of UNR 155 compliance. With the fusion of cybersecurity as an ever-changing, digital domain, and automotive as a highly competitive, electro-mechanical one, competitive organizations need more than just a well thought out process landscape and capable personnel. UNR 155 also directs motor vehicle manufacturers to ensure prevention, monitoring, detection, and response capabilities are available to management systems (CSMS) and each vehicle type/program.
To certify these capacities are in place, manufacturers should consider a range of security controls and tools, in the vehicle and in the IT backend, which enables visibility and a certain level of control in vehicle-level anomaly detection, continuous vulnerability scanning of relevant software as well as analytics and updating mechanisms to gain the full picture and respond accordingly.
The first step in addressing the security needs of vehicle networks is the identification and specification of requirements for onboard security controls, based on a thorough threat analysis of the end-to-end architecture. The onboard controls should be supported by offboard technologies for monitoring and responding to any security incidents. Based on real-world experience with manufacturers, some of the most common capabilities being introduced today include network traffic monitoring and filtering (such as CAN or Ethernet IDPS), hardening and monitoring of applications, and overall increased segregation of functionality. All of these methods are being used by OEMs for addressing security on the vehicle level.
To address ever-increasing cyber threats and to facilitate UNR 155 compliance, OEMs need to introduce new organizational capabilities with respect to processes, personnel, and technology. Similar to IT security, vehicle security needs both onboard (e.g., network monitoring) and offboard (SOC) tools that are aligned with the process and procedures.
UNR 155 mandates a risk-oriented approach to vehicle development and maintenance. By focusing on the core areas of structure, know-how, and technology, OEMs can implement a sound UNR 155 compliance strategy. In addition, the responsibility for vehicle cybersecurity should be shared across the automotive ecosystem. All stakeholders (i.e, government, regulators, OEMs, Tier-1 suppliers) across the value chain must be involved to achieve the desired outcome and minimize the burden on a single entity.
Co-Founder and Chief Architect
Argus Cyber Security
Oron Lavi is co-founder and Chief Architect of Argus Cyber Security, a global leader in cyber security for connected mobility, providing products and services for embedded automotive systems and backend, fleet-level security functions. Founded in 2014, Argus is headquartered in Tel Aviv, Israel, with offices in Michigan, Stuttgart, Paris, Tokyo, Shanghai, and Seoul.
Published in Telematics Wire