Can automakers and regulators beat hackers at their own game? That's the goal in the world of automotive cybersecurity — where connected cars have put OEMs in cybercriminals' crosshairs.
SOURCE: Keysight Technologies
By Mike Hodge
If I were to ask you to imagine someone hacking a car, what's the first thing that comes to mind?
Let me guess. You're picturing someone wearing a black hoodie and a Guy Fawkes mask. They're sitting in front of a state-of-the-art computer rig in an otherwise unkempt basement, as a '90s-era techno soundtrack bumps with pulsating energy. Following some cloak-and-dagger coding wizardry, they hijack a cellular signal, take control of someone's vehicle, and run it off the road.
Just like the movies, right?
Okay, so maybe that's a little over the top. But for original equipment manufacturers (OEMs), cybersecurity is anything but a trivial matter. In fact, a single cyberattack can cost an automaker as much as $1.1 billion.
But sheer monetary impact isn't the only thing keeping business leaders up at night. The effects of a cyberattack extend far and wide — including potential legal / compliance fines, brand reputation impact, and crippling market capitalization losses.
Cybercriminals set their sights on connected cars
These days, if something is connected to an information stream, it's vulnerable to cyberattacks. And since modern cars are essentially data centers on wheels, it's easy to understand why they've piqued the interest of hackers. From infotainment systems and engine control units all the way down to steering columns and brake lines, almost everything in a vehicle is tied into an array of computer-based subsystems.
The trouble is that each of those systems offers multiple footholds for attackers to work their way in. But that's only half the problem. Cars connect over a number of different interfaces — including USB, CAN bus, Wi-Fi, Bluetooth, cellular, and automotive ethernet. This doesn't just give cybercriminals a veritable smorgasbord of attack options, it's a nightmare for your engineering and testing teams to secure.
But regulators and standards bodies aren't waving a white flag. In fact, they've outlined a blueprint to fight back.
Recent standards and regulations making big impact on automakers
Over the last year or two, you've probably heard a lot about standards like ISO / SAE 21434 and regulations like UNECE WP.29 and UN R155. But what do they actually mean — and what kind of practical impact do they have on automakers?
UNECE WP.29: The Big Picture
The World Forum for Harmonization of Vehicle Regulations (UNECE WP.29) is a wide-ranging strategic initiative to bring OEMs into lockstep on a variety of vehicle regulations, all the way from the headlights to the exhaust pipe. In June 2020, WP.29 adopted a new framework to combat cybersecurity risks on passenger vehicles. The group's work resulted in a pair of regulations — instructing automakers to implement measures to:
- Manage vehicle cybersecurity risks.
- Secure vehicles by design to mitigate risks along the supply chain.
- Detect and respond to security incidents across the vehicle fleet.
- Provide safe, secure software updates that do not compromise vehicle security.
Think of this high-level guidance as the proverbial carrot, while the included regulations are the stick.
UN R155: The Forcing Function
The chief regulation to come out of WP.29's cybersecurity framework in June 2020, UN R155 mandates OEMs build cybersecurity into the full lifecycle of their vehicle engineering processes. In layman's terms, it boils down to two key details:
- OEMs must establish and implement a cybersecurity management system (CSMS) that implements risk-driven engineering processes for vehicular components, subsystems, and assemblies.
- Automakers must demonstrate compliance within their CSMS to secure "type approval" from the UN. Without approval, a vehicle won't be allowed to operate on public roads.
UN R155 begins enforcement in major markets like the EU, UK, and Korea on July 1 — affecting all new vehicle types produced from that point onward. Beginning on July 1, 2024, all vehicles in production will need to comply.
ISO / SAE 21434: The Key to Compliance
If you imagine UN R155 as a lock, then ISO / SAE 21434 is the key. Unlike UN R155, this isn't a regulation — it's a standard. Whereas UN R155 mandates the deployment of a CSMS, ISO / SAE 21434 explains how to actually implement one.
Much like functional safety, automotive cybersecurity follows the traditional "V Model" of engineering. That means all component and system testing is covered by verification and validation processes — which take place on the right side of the model.
But there's a catch. "Security" is a constantly moving target. You only need to test functional safety once per component. But with new threats, exploits, and vulnerabilities emerging every day, cybersecurity testing is anything but a "one and done" proposition.
That's where a CSMS comes in. A good CSMS requires applicable threats to be evaluated extensively — which is accomplished via a Threat Analysis and Risk Assessment (TARA). Following a TARA, OEMs can identify, implement, and verify mitigations, before pushing them out to components and systems via software update. With an efficient CSMS, OEMs can reevaluate and mitigate emerging threats in a timely manner — all while ensuring their fixes don't inadvertently expose other components or systems to attack.
How can automakers fight back against cybercriminals?
Now that the standards have been written and regulations have been adopted, the next question seems all too obvious.
"Where do we go from here?"
Given the state of the threat landscape and the incoming regulations, it's easy to understand the uncertainty. But ISO / SAE 21434, WP.29, and UN R155 aren't a threat. They're a playbook to beating cybercriminals at their own game.
But what does that mean? Well, for automakers, that means attacking your own vehicles — before someone else gets the chance.
It all comes down to thinking like the enemy. Where a cybercriminal would seek to exploit system and component vulnerabilities, automakers can perform controlled cyberattacks to accurately test vehicular security in accordance with their CSMS. Sometimes referred to as automotive penetration testing, this practice encompasses multiple test types — including functional cybersecurity testing, fuzz testing, and vulnerability testing.
Not only do these tests need to cover a comprehensive suite of potential threat vectors, they also need to account for the various points of ingress an attacker can take. That means testing across all the interfaces a modern car uses — including cellular, Wi-Fi, Bluetooth, CAN, automotive ethernet, and more.
But that's only half the battle. Software updates — the preferred method to mitigate vulnerabilities across automotive components and systems — require extensive reverification. This process is painstakingly iterative, and automation is key to making this a reality. Think about how often your phone updates. If you had to pay a tester to verify all the mitigations you think are in place for every release, it would cost an exorbitant amount of time and money to execute.
At the end of the day, compliance with UN R155 demands a repeatable, scalable, and well-documented testing approach. And between sprawling attack surfaces, emerging threats, and mandatory compliance processes, integration and automation aren't luxuries — they're table stakes. While it's possible to cobble individual hardware and software components together into an automotive cybersecurity test platform, the time commitment of managing a homegrown system can easily outweigh any potential benefits.
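To make the "repeatable, scalable, well-documented" reverification concrete, here is an added example (not Keysight's code or tooling, and not part of the original article) in Python. It pairs a minimal CAN frame allowlist/length/rate filter, of the kind an ECU mitigation might implement, with a seeded fuzz-style regression harness that replays valid seed frames plus hundreds of mutated frames and reports any frame the filter handles incorrectly. The CAN IDs, payload lengths and rate limits in the policy are constructed for illustration; the point is that the same run can be re-executed unchanged after every software update, which is what turns a one-off pentest finding into a regression check.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int  # 11-bit standard CAN identifier
    dlc: int             # data length code, 0..8 for classic CAN
    data: bytes


# Constructed policy for a hypothetical ECU: accepted IDs, the payload length
# each must carry, and the maximum frames per second expected on the bus.
POLICY = {
    0x100: {"dlc": 8, "max_per_sec": 100},  # hypothetical wheel-speed message
    0x2A0: {"dlc": 4, "max_per_sec": 20},   # hypothetical door-status message
}


class CanFilter:
    """Allowlist, length and rate checks on incoming frames (the mitigation under test)."""

    def __init__(self, policy):
        self.policy = policy
        self._window = {}  # arbitration_id -> (window_start_sec, count)

    def accept(self, frame, now):
        """Return (accepted, reason). `now` is a monotonic timestamp in seconds."""
        rule = self.policy.get(frame.arbitration_id)
        if rule is None:
            return False, "id not in allowlist"
        if frame.dlc != rule["dlc"] or len(frame.data) != frame.dlc:
            return False, "bad length"
        start, count = self._window.get(frame.arbitration_id, (now, 0))
        if now - start >= 1.0:          # one-second sliding window per ID
            start, count = now, 0
        count += 1
        self._window[frame.arbitration_id] = (start, count)
        if count > rule["max_per_sec"]:
            return False, "rate exceeded"
        return True, "ok"


# Constructed seed corpus: frames the ECU is meant to accept.
SEEDS = [
    CanFrame(0x100, 8, bytes(range(8))),
    CanFrame(0x2A0, 4, b"\x01\x00\x00\x00"),
]


def mutate(frame, rng):
    """Produce one malformed variant and the rejection reason it should trigger."""
    kind = rng.choice(["id", "dlc", "truncate"])
    if kind == "id":
        new_id = rng.choice([i for i in range(0x800) if i not in POLICY])
        return CanFrame(new_id, frame.dlc, frame.data), "id not in allowlist"
    if kind == "dlc":
        new_dlc = rng.choice([d for d in range(9) if d != frame.dlc])
        return CanFrame(frame.arbitration_id, new_dlc, frame.data), "bad length"
    # truncate: declared DLC is right but the payload is one byte short
    return CanFrame(frame.arbitration_id, frame.dlc, frame.data[:-1]), "bad length"


def run_regression(iterations=500, seed=1234):
    """Replay seeds, `iterations` mutants and a burst; return a report dict."""
    rng = random.Random(seed)   # fixed seed makes the run reproducible and auditable
    filt = CanFilter(POLICY)
    report = {"valid_accepted": 0, "mutants_rejected": 0, "failures": []}
    t = 0.0
    for frame in SEEDS:
        ok, reason = filt.accept(frame, t)
        if ok:
            report["valid_accepted"] += 1
        else:
            report["failures"].append(("seed", frame, reason))
    for _ in range(iterations):
        t += 0.1   # spread frames out so only the mutation, not the rate, is tested
        mutant, expected = mutate(rng.choice(SEEDS), rng)
        ok, reason = filt.accept(mutant, t)
        if not ok and reason == expected:
            report["mutants_rejected"] += 1
        else:
            report["failures"].append(("mutant", mutant, reason))
    # burst test: the 101st valid 0x100 frame within one second must be dropped
    t += 1.0
    limit = POLICY[0x100]["max_per_sec"]
    burst = [filt.accept(SEEDS[0], t)[0] for _ in range(limit + 1)]
    report["burst_limited"] = all(burst[:-1]) and not burst[-1]
    return report


if __name__ == "__main__":
    print(run_regression())
```

Each rejected mutant is checked against the specific rule it was built to trip, so a refactor that silently broadens one check (for example accepting an unknown ID because a later length check happened to fail) shows up as a failure rather than passing by accident. Swapping `SEEDS` and `POLICY` for a real message catalogue is the natural extension; the harness itself stays the same.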
Protect what matters most
By its very nature, the world of cybersecurity is in a near-continuous state of change. In the coming years, we'll likely see a mass proliferation of new attack vectors, component threats, and system vulnerabilities. It should come as no surprise, then, that the automakers who respond the swiftest will emerge as the most protected, the most secure, and the safest choice for discerning customers.
That's why it's so important to get in front of attackers. And with an automated, integrated, and intelligent approach to cybersecurity, it's never been easier to stay a step ahead. No matter what the future holds, you can rest assured knowing your systems are shielded, your vehicles are secure, and — most importantly — your passengers are safe.
About the Author
Mike is a Cybersecurity Solutions Lead at Keysight. A self-professed geek, he enjoys making technology accessible to everyone by stripping complex topics down to layman's terms. Over the last decade, he's spun stories on a wide variety of topics — including aerospace and defense, software development, and the multifaceted world of cybersecurity.
When he's not working, you'll typically find Mike in the mountains of Colorado with his wife and floppy-eared hounds.
KEYWORDS: NYSE: KEYS, Keysight Technologies, cybersecurity