Automakers, Regulators Take on Cybersecurity
Can automakers and regulators beat hackers at their own game? That’s the goal in the world of automotive cybersecurity — where connected cars have put OEMs in cybercriminals’ crosshairs.
By Mike Hodge
If I were to ask you to imagine someone hacking a car, what’s the first thing that comes to mind?
Let me guess. You’re picturing someone wearing a black hoodie and a Guy Fawkes mask. They’re sitting in front of a state-of-the-art computer rig in an otherwise unkempt basement, as a ‘90s-era techno soundtrack bumps with pulsating energy. Following some cloak-and-dagger coding wizardry, they hijack a cellular signal, take control of someone’s vehicle, and run it off the road.
Just like the movies, right?
Okay, so maybe that’s a little over the top. But for original equipment manufacturers (OEMs), cybersecurity is anything but a trivial matter. By some industry estimates, a single cyberattack can cost an automaker as much as $1.1 billion.
But sheer monetary impact isn’t the only thing keeping business leaders up at night. The effects of a cyberattack extend far and wide — including potential legal / compliance fines, brand reputation impact, and crippling market capitalization losses.
Cybercriminals set their sights on connected cars
These days, anything reachable over a network has an attack surface, and a modern car is essentially a data center on wheels, so it is easy to see why cars have piqued the interest of attackers. Infotainment systems, engine control units, steering and braking controllers: almost everything in a vehicle is now an electronic control unit (ECU) hanging off a shared in-vehicle network.
The trouble is that each of those ECUs offers footholds for an attacker to work their way in, and that is only half the problem. Cars also expose a number of different interfaces, including USB, the CAN bus (reachable from outside through the OBD-II diagnostic port), Wi-Fi, Bluetooth, cellular, and Automotive Ethernet. This does not just give attackers a smorgasbord of entry points; it is a nightmare for your engineering and testing teams to secure.
But regulators and standards bodies aren’t waving a white flag. In fact, they’ve outlined a blueprint to fight back.
Recent standards and regulations making big impact on automakers
Over the last year or two, you’ve probably heard a lot about standards like ISO / SAE 21434 and regulations like UNECE WP.29 and UN R155. But what do they actually mean — and what kind of practical impact do they have on automakers?
UNECE WP.29: The Big Picture
UNECE WP.29, the World Forum for Harmonization of Vehicle Regulations, is the UN body that harmonizes vehicle regulations across its contracting parties, covering everything from the headlights to the exhaust pipe. In June 2020, WP.29 adopted a framework to address cybersecurity and software-update risks in passenger vehicles. Its work resulted in a pair of regulations, UN R155 (cybersecurity and the cybersecurity management system) and UN R156 (software updates and the software update management system), instructing automakers to implement measures to:
- Manage vehicle cybersecurity risks.
- Secure vehicles by design to mitigate risks along the supply chain.
- Detect and respond to security incidents across the vehicle fleet.
- Provide safe, secure software updates that do not compromise vehicle security.
Think of those four points as the goal, and the two regulations as the enforcement mechanism: the proverbial carrot and stick.
UN R155: The Forcing Function
UN R155, the cybersecurity regulation adopted under WP.29 in June 2020, requires OEMs to build cybersecurity into the full vehicle lifecycle: development, production, and the post-production phase while vehicles are on the road. In plain terms, it boils down to two key requirements:
- OEMs must establish and implement a cybersecurity management system (CSMS) that implements risk-driven engineering processes for vehicular components, subsystems, and assemblies.
- Automakers must have their CSMS assessed and certified by an approval authority, and then demonstrate that each vehicle type was developed under that CSMS to obtain “type approval.” (R155 is a UN regulation, but approvals are granted by the national authorities of the contracting parties, not by the UN itself.) Without type approval, a new vehicle type cannot be registered or sold in those markets.
UN R155 applies to new vehicle types from July 2022 in markets such as the EU, the UK, and Korea. From July 2024, every newly produced vehicle, including existing types still in production, must comply as well. Vehicles already on the road are not affected.
ISO / SAE 21434: The Key to Compliance
If you imagine UN R155 as a lock, then ISO / SAE 21434 is the key. Unlike UN R155, this isn’t a regulation — it’s a standard. Whereas UN R155 mandates the deployment of a CSMS, ISO / SAE 21434 explains how to actually implement one.
Much like functional safety, automotive cybersecurity follows the traditional “V Model” of engineering. The left side of the V holds the threat analysis, cybersecurity goals, and design; component and system testing are covered by the verification and validation activities on the right side of the model.
But there’s a catch. “Security” is a constantly moving target. A functional safety argument, once verified, stays valid until the component itself changes. A security argument rests on a threat model, and that model can be invalidated overnight by a newly published exploit or vulnerability, so cybersecurity testing is anything but a “one and done” proposition.
That’s where a CSMS comes in. A good CSMS requires applicable threats to be evaluated systematically, which is accomplished via a Threat Analysis and Risk Assessment (TARA). A TARA identifies the assets in an item, the damage scenarios if they are compromised, the threat scenarios and attack paths that lead there, and rates each path’s feasibility and impact to arrive at a risk value and a treatment decision. From there, OEMs can identify, implement, and verify mitigations, and ship them to components and systems via software update. With an efficient CSMS, OEMs can re-evaluate and mitigate emerging threats in a timely manner, all while ensuring their fixes don’t inadvertently expose other components or systems to attack.
How can automakers fight back against cybercriminals?
Now that the standards have been written and regulations have been adopted, the next question seems all too obvious.
“Where do we go from here?”
Given the state of the threat landscape and the incoming regulations, it’s easy to understand the uncertainty. But ISO / SAE 21434, WP.29, and UN R155 aren’t a threat. They’re a playbook for beating cybercriminals at their own game.
But what does that mean? Well, for automakers, that means attacking your own vehicles — before someone else gets the chance.
It all comes down to thinking like the enemy. Where a cybercriminal would seek to exploit system and component vulnerabilities, automakers can perform controlled cyberattacks to accurately test vehicular security in accordance with their CSMS. Sometimes referred to as automotive penetration testing, this practice encompasses multiple test types — including functional cybersecurity testing, fuzz testing, and vulnerability testing.
Not only do these tests need to cover a comprehensive suite of potential threat vectors, they also need to account for the various points of ingress an attacker can take. That means testing across all the interfaces a modern car uses — including cellular, Wi-Fi, Bluetooth, CAN, automotive ethernet, and more.
But that’s only half the battle. Software updates, the preferred method to mitigate vulnerabilities across automotive components and systems, require extensive reverification: every release has to be checked against the same security requirements as the last one, not just against the feature that changed, because a fix in one component can quietly reopen a path into another. This process is painstakingly iterative, and automation is key to making it a reality. Think about how often your phone updates. If you had to pay a tester to manually verify every mitigation you think is in place for every release, it would cost an exorbitant amount of time and money.
At the end of the day, compliance with UN R155 demands a repeatable, scalable, and well-documented testing approach. And between sprawling attack surfaces, emerging threats, and mandatory compliance processes, integration and automation aren’t luxuries — they’re table stakes. While it’s possible to cobble individual hardware and software components together into an automotive cybersecurity test platform, the time commitment of managing a homegrown system can easily outweigh any potential benefits.
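To make the two ideas above concrete (attack your own ECU in a controlled way, then re-verify the same security properties after every software update), here is an added example. It is not from the article and not Keysight code: a constructed toy ECU that speaks a few UDS services over ISO-TP single frames, a mutational fuzzer whose oracle is a CSMS requirement rather than a crash, and a small regression suite that is re-run per firmware build. The service IDs and negative response codes are the real ISO 14229 values; the ECU itself, its write-protected DID 0xF1A0, its seed/key function (seed XOR 0xA5A5, deliberately toy-grade), and the two firmware versions are all invented for the illustration.

```python
# Added example: constructed toy ECU + fuzzer + regression suite (see lead-in).
import random

SID_SESSION, SID_SECURITY, SID_WRITE_DID = 0x10, 0x27, 0x2E          # ISO 14229 SIDs
NRC_SNS, NRC_SFNS, NRC_IMLOIF, NRC_CNC = 0x11, 0x12, 0x13, 0x22       # ISO 14229 NRCs
NRC_ROOR, NRC_SAD, NRC_IK, NRC_SNSIAS = 0x31, 0x33, 0x35, 0x7F
DID_CAL = 0xF1A0   # constructed: a calibration record that must be write-protected

def neg(sid, nrc):
    """UDS negative response: 0x7F, the echoed SID, a negative response code."""
    return bytes([0x7F, sid, nrc])

def sf(*data):
    """Pack a request as an ISO-TP single frame inside an 8-byte CAN payload."""
    return bytes([len(data), *data]).ljust(8, b"\x00")

class ToyECU:
    """Constructed ECU. Firmware 1 is the baseline; firmware 2 is an 'update'
    that silently dropped the SecurityAccess check on WriteDataByIdentifier."""
    def __init__(self, firmware_version):
        self.version, self.rng = firmware_version, random.Random(7)
        self.session, self.unlocked, self.seed = 0x01, False, None
        self.cal = b"\x01\x02"

    def handle_frame(self, frame):
        """Return the 8-byte single-frame reply, or None for frames an ECU ignores."""
        if len(frame) != 8 or not 1 <= frame[0] <= 7:
            return None
        resp = self._dispatch(frame[1:1 + frame[0]])
        return bytes([len(resp)]) + resp.ljust(7, b"\x00")

    def _dispatch(self, req):
        sid = req[0]
        if sid == SID_SESSION:                                  # DiagnosticSessionControl
            if len(req) != 2: return neg(sid, NRC_IMLOIF)
            if req[1] not in (0x01, 0x03): return neg(sid, NRC_SFNS)
            self.session, self.unlocked = req[1], False         # a session change re-locks
            return bytes([sid + 0x40, req[1]])
        if sid == SID_SECURITY:                                 # SecurityAccess
            if self.session != 0x03: return neg(sid, NRC_SNSIAS)
            if len(req) == 2 and req[1] == 0x01:                # requestSeed
                self.seed = self.rng.getrandbits(16)
                return bytes([sid + 0x40, 0x01]) + self.seed.to_bytes(2, "big")
            if len(req) == 4 and req[1] == 0x02:                # sendKey
                if self.seed is None: return neg(sid, NRC_CNC)
                expected, self.seed = self.seed ^ 0xA5A5, None  # toy key function
                self.unlocked = int.from_bytes(req[2:4], "big") == expected
                return bytes([sid + 0x40, 0x02]) if self.unlocked else neg(sid, NRC_IK)
            return neg(sid, NRC_SFNS)
        if sid == SID_WRITE_DID:                                # WriteDataByIdentifier
            if len(req) < 4: return neg(sid, NRC_IMLOIF)
            if int.from_bytes(req[1:3], "big") != DID_CAL: return neg(sid, NRC_ROOR)
            if self.session != 0x03: return neg(sid, NRC_SNSIAS)
            if self.version == 1 and not self.unlocked:         # the check firmware 2 lost
                return neg(sid, NRC_SAD)
            self.cal = bytes(req[3:])
            return bytes([sid + 0x40]) + req[1:3]
        return neg(sid, NRC_SNS)

def fuzz_write_protection(ecu, iterations=2000, seed=1):
    """Mutational fuzzing with a security oracle: a positive WriteDataByIdentifier
    reply (0x6E) with no successful sendKey (0x67 0x02) observed since the last
    session change means the calibration was written without unlocking."""
    rng = random.Random(seed)
    corpus = [sf(SID_SESSION, 0x03), sf(SID_SECURITY, 0x01),
              sf(SID_WRITE_DID, 0xF1, 0xA0, 0xDE, 0xAD)]
    unlocked_seen, findings = False, []
    for _ in range(iterations):
        frame = bytearray(rng.choice(corpus))
        for _ in range(rng.randint(0, 2)):                      # overwrite 0-2 random bytes
            frame[rng.randrange(8)] = rng.randrange(256)
        resp = ecu.handle_frame(bytes(frame))
        if resp is None: continue
        if resp[1] == SID_SESSION + 0x40:
            unlocked_seen = False
        elif resp[1:3] == bytes([SID_SECURITY + 0x40, 0x02]):
            unlocked_seen = True
        elif resp[1] == SID_WRITE_DID + 0x40 and not unlocked_seen:
            findings.append(bytes(frame))
    return findings

def check_write_requires_unlock(ecu):
    ecu.handle_frame(sf(SID_SESSION, 0x03))
    resp = ecu.handle_frame(sf(SID_WRITE_DID, 0xF1, 0xA0, 0xDE, 0xAD))
    return resp[1:4] == neg(SID_WRITE_DID, NRC_SAD)

def check_unlock_then_write(ecu):
    ecu.handle_frame(sf(SID_SESSION, 0x03))
    seed = int.from_bytes(ecu.handle_frame(sf(SID_SECURITY, 0x01))[3:5], "big")
    key = seed ^ 0xA5A5                                         # same toy key function
    ecu.handle_frame(sf(SID_SECURITY, 0x02, key >> 8, key & 0xFF))
    resp = ecu.handle_frame(sf(SID_WRITE_DID, 0xF1, 0xA0, 0xBE, 0xEF))
    return resp[1] == SID_WRITE_DID + 0x40 and ecu.cal == b"\xbe\xef"

def run_regression(firmware_version):
    """Re-run every security check against a fresh ECU of that firmware version."""
    checks = (check_write_requires_unlock, check_unlock_then_write)
    return {c.__name__: c(ToyECU(firmware_version)) for c in checks}
```

Calling run_regression(1) reports both checks passing; run_regression(2) reports check_write_requires_unlock as False, and fuzz_write_protection(ToyECU(2)) returns the frames that wrote the calibration without a SecurityAccess unlock, while the same fuzzer finds nothing on firmware 1. Two design choices carry over to real work: the oracle is a property traced from the TARA (“calibration data cannot be written without authorization”), not merely “the ECU did not crash,” and the regression checks are plain functions that can be pointed at every firmware build rather than a one-off manual test. Against real hardware, handle_frame would be replaced by a CAN transceiver with multi-frame ISO-TP, the seed/key function would be the ECU’s real one, and the fuzzer would mutate a far larger corpus.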
Protect what matters most
By its very nature, the world of cybersecurity is in a near-continuous state of change. In the coming years, we’ll likely see a mass proliferation of new attack vectors, component threats, and system vulnerabilities. It should come as no surprise, then, that the automakers who respond the swiftest will emerge as the most protected, the most secure, and the safest choice for discerning customers.
That’s why it’s so important to get in front of attackers. And with an automated, integrated, and intelligent approach to cybersecurity, it’s never been easier to stay a step ahead. No matter what the future holds, you can rest assured knowing your systems are shielded, your vehicles are secure, and — most importantly — your passengers are safe.
About the Author
Mike is a Cybersecurity Solutions Lead at Keysight. A self-professed geek, he enjoys making technology accessible to everyone by stripping complex topics down to layman’s terms. Over the last decade, he’s spun stories on a wide variety of topics — including aerospace and defense, software development, and the multifaceted world of cybersecurity.
When he’s not working, you'll typically find Mike in the mountains of Colorado with his wife and floppy-eared hounds.