Curbing Automotive Cybersecurity Attacks

The relentless cyberattacks on the automotive sector are not limited to vehicles and have an impact on the entire automotive supply chain, so the pressure is on the automotive ecosystem to understand the necessary standards and regulations for vehicles and components. While the process of attaining compliance adds additional effort, in the long run, the increase in cybersecurity will save the automotive industry development costs by fending off cyberattacks.

Remote cyberattacks outnumber physical attacks by 85%, with 40% of those attacks targeting back-end servers used to support connected vehicles and related infrastructure, according to AI EdgeLabs. The firm estimates losses for the auto industry could reach $505 billion by 2024. Perhaps more alarming, cyberattacks have increased 225% in the past three years, in large part because of all the connected electronics.

To counter cyberattacks and improve security, several new regulations have been released. The United Nations Economic Commission for Europe (ECE or UNECE) established UN Regulations 155 (UN R155) and 156 (UN R156). Starting in 2024, OEMs are required to be compliant in order to sell new model vehicles into UNECE member countries. In addition, ISO/SAE recently released ISO/SAE 21434.

Many standards/regulations relating to transportation and automotive have appeared over the years, but understanding them is a challenge. These include WP.29, R155, R156, ISO 26262, and ISO/SAE 21434.

The history of WP.29 began in 1952, when two organizations — the Inland Transport Committee (ITC) and the United Nations Economic Commission for Europe (UNECE) — established a working party called WP.29 to look after the construction of vehicles. In 2000, WP.29 also became known as the “World Forum for Harmonization of Vehicle Regulations.” Its goals include vehicle safety, performance, energy efficiency, and environment protection. Cars, trucks, buses, agricultural vehicles, and off-road mobile machinery all fall under the organization’s purview. Three multilateral agreements (adopted in 1958, 1997, and 1998) established the legal framework for WP.29.

It’s important to note the difference between standards and regulations. Regulations are the requirements established by legal entities and can be enforced. Standards are best practices and policies established by industrial organizations. Standards usually support and/or help regulations. OEMs would comply with regulations and also get standard certifications to achieve the highest level of cybersecurity.

A simple way to understand this is from the perspective of the tests one must pass before obtaining a driver’s license. This Department of Motor Vehicles (DMV) requirement equates to the “regulations” required by UNECE. The DMV does not care how and where one learns to drive so long as all the required tests are passed. An individual may go to a driving school that provides a set of guidelines and lessons designed to help him or her pass DMV requirements. The guidelines covered in those lessons equate to the “standards.”

In the case of the ISO/SAE 21434 standard, it was established with the cooperation of the International Organization for Standardization (ISO) and SAE International (SAE). These organizations also work together with WP.29. SAE 21434 and R155/R156 overlap in some instances, and diverge in others:

• WP.29 is the legal entity form established by ITC and UNECE.
• R155 is the regulation under WP.29 that focuses on automotive hardware and systems cybersecurity of the entire supply chain.
• R156 is the regulation under WP.29 targeting automotive software cybersecurity, including updates.
• ISO/SAE 21434 is an industry standard for automotive cybersecurity, supporting R155/R156. It can be certified.
• ISO 26262 is an industry standard with a focus on automotive safety.

UNECE Regulation R155
R155 requires a certificate of compliance for a cybersecurity management system (CSMS), which refers to a systematic risk-based approach defining organizational processes, responsibilities, and governance to treat risk associated with cyber threats to vehicles and protect them from cyberattacks.

In other words, UNECE’s regulations mandate that OEMs must manage the cyber risks of the entire supply chain, starting with cybersecurity by design, with the ability to detect and respond to security incidents.

Obtaining a certificate of compliance for CSMS has a formal process. R155 documentation specifies that “contracting parties shall appoint an approval authority to carry out the assessment of the manufacturer and to issue a certificate of compliance for CSMS.” OEMs are required to submit an application by a duly accredited representative, accompanied by specific documents, including documents describing the CSMS and a signed declaration of the use of the model defined by R155. Upon meeting all the requirements, OEMs then are issued a certificate of compliance for CSMS, which is valid for three years. This application documentation package needs to be kept on file by the OEM for at least 10 years. If there are any changes made to the vehicle designs that impact the CSMS, the approval authority will need to be informed, and the assessments of compliance to CSMS will be performed again if required.

While acting in accordance with standards raises awareness of cybersecurity’s importance and can help bolster cybersecurity, it also increases the amount of work required and the amount of resources, and it potentially can increase product development time.

UNECE Regulation R156
In an era of software-defined vehicles, software and software updates will play a key role in automotive development. R156 focuses on both. It requires OEMs to have a certificate of compliance for an in-place software update management system (SUMS). This systematic approach defines organizational processes and procedures to be in compliance with the requirements of R156. The processes for SUMS need to be verifiable, documented, and securely stored by OEMs, and they need to be available upon request. Additionally, an RX Software Identification Number, a dedicated identifier representing information of approved “relevant software of the electronic control system” needs to be provided and managed by the OEMs.

ISO/SAE 21434:2021
Cybersecurity engineering for road vehicles is defined in ISO/SAE 21434, but it is not mandatory. The standard was developed jointly by ISO and SAE. It provides cybersecurity guidelines for automotive design and development, starting from design concept and progressing through development and production all the way to post-production support. The V model (see figure 1) is used to support the development processes. The standard helps OEMs develop cybersecurity processes throughout the organization including cybersecurity awareness, risk assessment and management, verification and validation, and controls.

Fig. 1: Automotive cyber lifecycle. Source: Keysight Technologies

“UN R155/156 are regulations applicable to OEMs, whereas ISO/SAE 21434 is a standard which has implications in the entire supply chain,” said Debojyoti Bhattacharya, principal cybersecurity architect at Arm. “One way to see it is that R155 asks what needs to be done for cybersecurity in vehicles and the establishment of a CSMS to manage cybersecurity risks over the entire vehicle life cycle. ISO/SAE 21434 says how CSMS must be done, essentially providing a process framework which can be used to fulfill requirements outlined by regulations.”

UN R155/156 certification is applicable for vehicles, and therefore only for OEMs. ISO/SAE 21434 is a certification for a cybersecurity process framework, and while it is not mandatory, it is strongly recommended and can be used by the entire supply chain.

Further, it is important to understand that the regulations issued by UNECE WP.29 usually form a legally binding framework that is implemented in local law by the respective UNECE member countries.

“For example, 60 years ago the UNECE required that seat belt use should be part of the vehicle,” said Manuel Sandler, partner at CYRES Consulting. “Some countries implemented this into local law as early as the 1970s, while others did not do so until the 1980s or even 1990s. Accordingly, UN R155 and UN R156 should also be considered legally binding and therefore mandatory. Content counterparts also exist in non-UNECE member countries, such as the United States or China. Whereas ISO/SAE 21434, as a standard developed by industry for industry (in this case in the merger of SAE and ISO), is more of a point of reference for proving that one has worked according to the ‘state of the art’, rather than mandatory. Such a point of reference can in some cases be relevant evidence, e.g., in a legal proceeding, to show that the work was performed in the way required by the industry standard in force at the time. This will be of importance sooner or later when it comes to liability matters.”

While R156 focuses on primary software development and updates, R155 and ISO/SAE 21434 cover the entire automotive supply chain.

“If you go a little deeper, the R155 regulation outlines types of threats that your system should mitigate against,” said Lee Harrison, director of product marketing for the Tessent division of Siemens EDA. “This covers not only vehicle-based attacks, but the entire supply chain, including back-end servers and communication channels. In the R155-22 January 2021 release, nine types of mitigation to the threats were specified. These are also addressed in CSMS and cover vehicle communication channels — the update process; unintended human actions facilitating a cyberattack; external connectivity and connections; potential targets of, or motivations for, an attack; potential vulnerabilities that could be exploited if not sufficiently protected or hardened; data loss or data breach from a vehicle; physical manipulation of systems to enable an attack, and back-end servers.”

ISO 26262 – 1:2018
To address functional safety aspects of road vehicles, ISO 26262 and ISO/SAE 21434 have different goals. One emphasizes functional safety, while the other is concerned with cybersecurity. In automotive, these worlds overlap, because achieving vehicle safety requires cybersecurity.

According to ForAllSecure, a software testing firm, ISO 26262 is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production passenger cars. ISO 26262 addresses possible hazards caused by malfunctioning behavior of E/E safety-related systems, including the interaction of these systems. ISO 26262-6:2011 specifies the requirements for product development at the software level for automotive applications, including requirements for initiation of product development at the software level, specification of the software safety requirements, software architectural design, software unit design and implementation, software unit testing, software integration and testing, and verification of software safety requirements.

The ISO/SAE 21434 certification, meanwhile, provides OEMs with knowledge and preparations for R155/156 compliance, proof of continuous improvement of cybersecurity readiness, and requires internal organization/process audits. Ultimately, proper risk management — including identification of security gaps — would reduce long-term, overall operational costs. There are many third-party certification agencies available to perform certifications including TUV and SGS.

“Effective July 2022, the UN R155 regulation required vehicle manufacturers to apply a security-by-design approach to their products and processes,” explained Bill Stewart, vice president of automotive marketing for the Americas at Infineon Technologies. A valid certificate of compliance for the CSMS is applied to each vehicle type. To achieve the certification, vehicle OEMs must implement cybersecurity practices across the supply chain to reduce the overall risk of attack throughout the vehicle lifecycle, from initial concept to end-of-life.

OEMs can save design time by selecting components that are already deemed secure, such as certain microcontrollers from Infineon and others, secure flash memories, and hardware security modules with ISO/SAE 21434-compliant CSMS, as outlined in the UN R155 regulation, supporting automotive cybersecurity. Stewart advises OEMs to look for components with built-in threat monitoring capabilities that actively analyze relevant vulnerability disclosures and potential threats in order to help mitigate product security risks in compliance with risk management programs and relevant regulations.

Risk mitigation
The ultimate goal for all of the regulations and standards is to help the automotive industry and the supply chain achieve safety and security by managing and mitigating risks. These regulations and standards help OEMs identify the cybersecurity gaps so they can be proactive and address them in system designs in both hardware and software.

“There are two major aspects of cybersecurity, prevention and response,” said Ron DiGiuseppe, automotive IP segment manager, Solutions at Synopsys. “As the standards call out, the automotive designs need to be secure in systems hardware (UNR 155) and software (UNR 156). From a cyberattack prevention perspective, it is important to minimize or eliminate vulnerabilities to prevent cyber incidents from occurring in the first place. Developers would want to use IPs with security capabilities built-in, such as true random number generators to develop keys, encryption, and decryption IP for different protocols, root of trust, etc. SAE 21434 looks at it from a different angle. When a cyber incident occurs, do you have the expertise and the systematic processes in place to respond to that incident? The regulations require a CSMS, including a vulnerabilities assessment and incident response team to respond to cybersecurity incidents.”

The response team will work with the R&D team, but they are two independent teams. “The R&D team focuses on prevention by designing the most secure hardware and software products for the vehicles, while the response team focuses on addressing cybersecurity incidents should they occur,” DiGiuseppe noted.

And even though SAE 21434 is very clear on the process to identify where the risks are, it doesn’t give any guidance on how to mitigate against those risks.

Siemens’ Harrison said developers that have been through the process of third-party auditing, produced all the appropriate documents identifying the risks and security gaps in the designs, only to ask “Now what do we do?” In these cases, companies such as Siemens and others step in with consulting, security technology and IP to solve the problem.

Fig. 2: Identifying the risks and security gaps in automotive designs requires data collection and analysis. An analytics engine will speed up the process. Source: Siemens

Software-defined vehicles
With the advancement of software-defined vehicles, the software aspect including design updates, as well as OTA, is becoming increasingly important.

Yi Zheng, product management director at BlackBerry QNX, said many mechanisms are available to protect software from hackers, and these are widely understood and often deployed in vehicles. “Some mechanisms kick in at the stage where software is being built,” he said. “An example of that is address space layout randomization. Others kick in while the system is running. An example of that is mandatory access control. Still others are additional monitoring techniques independent from the system’s main functions. An example of that is an intrusion detection system. All of these mechanisms aim to protect the most important part of the software asset, but it is not exactly redundancy. In a way, this is related to the functional safety of a vehicle. Usually, the most critical parts of the software in the vehicle have a high safety rating. The design safe state of a vehicle, if a malfunction happens, would always be to protect those most critical parts and ensure they can still function properly. Safety and security are intimately intertwined.”

Testing essential
Testing is an important part of the certification and regulation compliance process. Many OEMs will do in-house self-tests, while others engage consultants to ensure proper validation and verification tests have been conducted to save time and efforts in the long run.

Thomas Leifert, business development manager, automotive and energy solutions at Keysight Technologies, said modern vehicles are under constant threat from remote hijacking, ransomware, denial-of-service attacks, illegal access, and change of ECUs, among other things. “Since July 2022, the UNECE WP.29 UN-R 155 regulation mandates OEMs to mitigate the risks and implement a CSMS, as described in ISO/SAE 21434, as a basis to achieve type approval for new vehicles. The mandate will be extended to existing architectures by July 2024 for vehicles that stay in production beyond this date. This affects OEMs who want to sell their vehicles into UNECE countries. It includes large markets like the European Union, Japan, and Korea, but also Australia, South Africa, and more. The process begins with breaking up a vehicle or device into cybersecurity relevant items on which a threat analysis and risk assessment will be applied.”

And to comply with the requirements of UN-R 155 and ISO/SAE 21434 throughout the cybersecurity life cycle of a vehicle, OEMs need to conduct multiple tests. “Every time a new exploit affects a vehicle, or a new software update is introduced, you want to retest to ensure no new vulnerability is introduced,” Leifert said. “Validation and verification tests need to cover the solutions designed on the left side of the automotive V model. Finally, by automating the test process, OEMs can improve reliability and efficiency.”

Conclusion
Understanding of WP.29, R155, R156, ISO 26262, and ISO/SAE 21434 will help OEMs develop products in compliance with the UNECE regulations. Even though the process of getting there will require additional effort, in the long run the increase in cybersecurity will save the automotive industry development costs by fending off dangerous cyberattacks.