Tuesday, January 7

Our 2020 Prediction: Automotive Cybersecurity Will Finally Be Regulated

With more and more connected cars on the roads these days, the issue of automotive cybersecurity is increasingly making its way into industrial and governmental awareness as a critical priority. With cybersecurity expected to become a clear requirement for automotive stakeholders in the near future, it’s not surprising that a wave of relevant standards, regulations, rules and best practice guidelines has recently emerged, and is expected to take over the automotive industry in the upcoming months.

Existing Automotive Cybersecurity Initiatives

Several automotive cybersecurity projects have been established over the past few years with the goal of bringing coherence to the exposed world of connected vehicles. Frameworks such as the Global Auto Alliance’s Framework for Automotive Cybersecurity Best Practices and ENISA’s Good Practices For the Security of Smart Cars provided a much-needed foundation for developing a consensus around industry best practices from the point of view of the OEMs and manufacturers. Another comes from Auto-ISAC, which published a best practices document several years ago that addressed incident response, collaboration and engagement with appropriate third parties, governance, risk assessment and management, awareness and training, threat detection, monitoring and analysis, and the security development lifecycle.

Additional initiatives worldwide include the Society of Automotive Engineers’ SAE J3061, the UK government’s Key Principles of Cybersecurity for Connected and Autonomous Vehicles and BSI Standard PAS 1885:2018, ENISA’s Cyber Security and Resilience of Smart Cars, the NHTSA’s Cybersecurity Best Practices for Modern Vehicles, and the US Congress’s SPY Car Act of 2019. Then, of course, there is the famous ISO/SAE 21434 which, while still in the drafting stage, has the entire industry (me included) holding its collective breath. All these budding semi-regulatory, quasi-technical documents bear considerable significance, as they signal the heavier mandated regulations that are anticipated to take shape in 2020 and beyond.

Yet while these may all seem like promising developments, it is important to note that, to this day, no significant automotive cybersecurity standard has been officially written into regulation. Hopefully, this is all going to change in mid-2020 thanks to two promising regulatory papers expected to be issued by the World Forum for Harmonization of Vehicle Regulations under the United Nations Economic Commission for Europe (UNECE). Their WP.29 Task Force’s Regulation on Cyber Security and Regulation on Software Update Processes are currently being drafted under the supervision and guidance of the Working Party on Autonomous/Automated and Connected Vehicles (GRVA).

GRVA and the First Automotive Cybersecurity Regulations

GRVA’s main goal is “to deliver technical provisions for the safety performance assessment of automated and connected vehicles… GRVA is working on Cyber Security provisions and software updates (including Over-the-Air Software updates)”. The Task Force, which reports to the GRVA, consists of global contracting parties and non-governmental organizations, such as the European Association of Automotive Suppliers (CLEPA), the International Motor Vehicle Inspection Committee (CITA), la Fédération Internationale de l’Automobile (FIA), the International Telecommunication Union – Telecommunication Standardization Sector (ITU-T), and the International Organization of Motor Vehicle Manufacturers (OICA).

The regulations brought forward by this task force will likely be the first in a large wave of technical compliance regulations in the automotive sector, with associated regulations expected to affect more than 60 countries overall. These countries are led by Japan, Germany, the UK, France and Italy, with the United States and Canada as the two significant exceptions.

New UN Regulation Concerning Vehicle Cybersecurity

ECE/TRANS/WP.29/GRVA/2020/2 is a new draft UN regulation on “uniform provisions concerning the approval of vehicles with regard to cyber security and of their cybersecurity management systems.” It is, in large part, reliant upon other relevant standards, practices, directives and regulations concerning cyber security (both existing ones and some that are still under development such as ISO/SAE 21434).

The proposal is overtly technology-neutral, as it is meant to encourage manufacturers to maintain flexibility and a creative, disruptive free-market approach. UNECE maintains that “a rigid definition of technical measures could be counterproductive, since the cyber security environment is a very dynamic one. The risk is that any detailed technologies which are mandated could become outdated/vulnerable and may block alternative, innovative approaches and therefore limit or counter the possibilities to ensure cyber security. There is also a risk that a given solution may not be applicable to all vehicle designs.”

Certification for Cyber Security Management Systems (CSMS)

The proposal stipulates in detail a regulated process of certification for Cyber Security Management Systems (CSMS). UNECE Task Force TF-CS/OTA (Task Force on Cyber Security and Over the Air Updates) requires that automotive manufacturers maintain a certified cybersecurity management system and renew its certification every three years. OEMs will be subject to an assessment which will determine whether their CSMS is eligible for certification.

In the context of the assessment, the manufacturer will be required to demonstrate to the satisfaction of the Approval Authority or its Technical Service that “they have the necessary processes to comply with all the requirements for cyber security according to this Regulation” throughout the Development, Production, and Post-Production phases. The regulation emphasizes the word ‘processes’ over and over in a clear attempt to provide guidance for cyber security posture and structure without mandating low-level technical specifications. Large segments of the automotive industry currently expect ISO/SAE 21434, which is expected to be published in late 2020, to form the key basis for an exemplary automotive CSMS.

Threat Detection and Mitigation

Within the scope of the CSMS, the regulation defines principles for addressing key cyber threats and vulnerabilities meant to ensure vehicle safety in the case of cyberattacks, including processes, procedures and best practices for threat detection and mitigation. The OEM is required to demonstrate that the processes used in the CSMS include identification and management of risks, as well as clear measures which “monitor for, detect, and respond to cyber-attacks, cyber threats and vulnerabilities on vehicle types”. These processes need to be scalable and effective considering the ever-changing threat landscape and the emergence of new threats.

The draft then adds detailed guidance on how to meet these principles, including examples of processes and technical approaches for implementation. The regulation draft also considers what evidence may be required in order to demonstrate compliance or certification with the identified requirements.

Vehicle Typing

The rest of the regulation deals with vehicle typing and the various steps a manufacturer must carry out for type approval, modification, extension of a vehicle type, etc. This includes the riveting topic of marking. There’s not much to report on this subject so I will skip a detailed analysis of these sections to ensure that my readers remain engaged. You’ll just have to trust me on this one!

Automotive Cybersecurity Regulations Are (Almost) Here

According to a recent report by McKinsey, “regulators are preparing minimum standards for vehicle software and cybersecurity that will affect the entire value chain”. This statement seems to elegantly recap the general trend in automotive cybersecurity regulations coming into 2020. Regarding timeline and maturation, we expect that the first regulation regarding automotive cybersecurity will be finalized this year by the UNECE. Its formal adoption and entry into force (i.e., availability for application according to internal national legislation) is predicted to occur during the second quarter of 2020, although the final deadlines have yet to be disclosed.

As mentioned above, UNECE is currently working on another equally important paper: ECE/TRANS/WP.29/GRVA/2019/3, Regulation on Software Update Processes. This second draft, as indicated by the title, deals with cyber-securing the process of software updates – specifically OTA, naturally. This second regulation will be covered in a dedicated blog post, so stay tuned!

It seems that, for now, the strongest and most technical standard to soon come into effect is actually ISO/SAE 21434. This standard, together with SAE J3061, is expected to shape the entire landscape for future regulation, which is why people in the industry have probably heard its name mentioned over the past few months.

UNECE’s WP.29 is a prime example of how organizations can rely heavily on technical standards, which are legally non-binding, to build their own legally binding yet loose-fitting regulations. In other words, UNECE is trying to appease as many stakeholders as possible by leaving much to interpretation and providing very few actual technical cybersecurity guidelines. If OEMs and other manufacturers want to make sure that they really provide comprehensive security, ISO/SAE 21434 and SAE J3061 seem to be the “read between the lines” subtext of the UN drafts.