Addressing the challenges of a sector in transformation and preparing to meet new cyber compliance burdens (ISO/SAE 21434)
The world of connected vehicles is no longer a far fetched utopia of self-driving cars. Fast-forward from 1996, when GM launched what would be considered as the first connected car, the world of connected automotive has changed dramatically in the last century and this is only the beginning.
Computerized systems in automotive, originally aimed at enhancing a vehicle’s performance, have now expanded to areas such as personalization or AI-based autonomous vehicles. But, why has this shift been so prevalent in today’s world? The answer is simple, to place the consumer first. The ‘connected car’ era has directed manufactures to implement and adapt to digitalization in order to deliver outstanding customer experience that builds loyalty and creates value for the consumer and their changing business. This shift has led manufacturers to focus on 4 key strategic areas:
- Optimizing the online and digital purchase journey: by providing a seamless experience from initial research through to aftersales
- Building partnerships and collaborating establishing strong, trusted partners that position manufacturers as leaders
- Creating loyalty through next generation consumer service: a win or lose factor based on the level of trusted customer experience provided
- Turning car data into value: data coming in and out of vehicles can support numerous touch points towards a positive customer experience, for example, infotainment, remote diagnostic and repair or even improved navigation
This has resulted in a drastically changed landscape where automakers are no longer hardware makers but are evolving into tech companies. Effective cybersecurity is a strategic enabler on all 4 business aims described above. Cyber branches in connect cars will undermine consumer trust and therefore inhibit successful realization of these organizational goals.
Connected automotive threat vectors
With the rise of connected vehicles, and data becoming a commodity, the automotive sector has seen an increased volume of vulnerabilities as well as new entry points for hackers to leverage.
In 2020, Tesla filed a lawsuit against a former employee after it emerged the employee made changes to company source code and exported gigabytes of proprietary data to unknown third parties. This, as with many other similar examples, illustrates a new wave of cyber-attacks where hackers can gain access to a vehicle’s main information system through multiple vectors such as a car USB port, keyless entries, key fobs or mobile apps, among others.
The biggest challenge our clients see is how to stay protected against the ubiquitous threat vectors that circle a vehicle that are omnipresent and malicious in nature. According to recent research by Upstream Auto[1] that analysed incidents since 2010, the three most common attack vectors are – servers (32.9 per cent); keyless entry systems (26.6 per cent) and mobile apps (9.9 per cent).
Man-in-the-middle (MATM) attacks, where the attacker covertly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, like eavesdropping, are also prevalent. These attacks can be resolved in numerous ways by authentication, like key-agreement protocols, tamper detection, where a normal process might take a bit longer than normally, and digital forensics. The latter is obviously by advanced means. It allows a suspected attack to be checked and monitored using incident forensics, identifying if data was comprised, where the attack happened and provides threat intelligence to remediate the situation.
Until the advent of ISO/SAE 21434, no formal connected automotive cybersecurity standard existed in the marketplace.
The ISO standard establishes “cybersecurity by design” and provides the model for developing a risk assessment system and specifies details on processes and work products. Crucially, it has been designed to support implementation of the new UNECE Automotive Cyber security regulations and may be used to demonstrate compliance with the regulations by OEMs and relevant authorities (nationally).
ISO/SAE 21434 overview
ISO/SAE 21434 covers all stages of a vehicle’s life-cycle from design through to manufacturing, to decommissioning by the application of cybersecurity engineering. The standard applies to all electronic systems, components, and software in the vehicle, plus any external connectivity. Moreover, the standard will provide developers with an overarching approach to implementing security safeguards that span the entire supply chain and protect the life-cycle of the vehicle.
The importance of the standard is unequivocal and a first for the industry. With the increase in connectivity in vehicles, such as Wi-Fi, Bluetooth and future 5G connectivity as well as the development of autonomous cars, the risk of cyberattacks and subsequent damage also rise. To cover this type of risk and therefore new guidelines and standards needed to be established.
The intent behind the standard is to provide a structured process to ensure that cybersecurity considerations are incorporated into automotive products throughout their lifetime. Furthermore, the standard will require automotive OEMs and suppliers alike to demonstrate due diligence in the implementation of cybersecurity engineering and that cybersecurity management is applied throughout the supply chain to support it, including the all-important aftermarket.
Security by design is encouraged as part of an organizations culture so that everything is designed with security considerations in mind from the start.
BSI E2E connected automotive cybersecurity model
At BSI, we have a large team of highly experienced, industry leading consultants that support clients to ensure they have all the connected automotive security requirements they need for their organization. BSI has constructed an E2E connected automotive cybersecurity model across three key pillars:
- Strategic consulting: through a holistic consulting model, using the team’s experience, we begin by conducting a threat modelling framework with risk matrices and design. Then, we look at the security model, design the relevant roadmap, and look at areas such as trust and identity, supply chain integration, controls and assurance through product certification. We can then create an ISO/SAE 21434 aligned and compliant security architecture, operation integration, third party risk and compliance on controls and checks.
- Security engineering and assurance: our consultants look at the life-cycle of the Security Bill of Materials (Sec BoM) and analyse it through a series of security tests using purple and red teaming engagement across the vehicles full production cycle and beyond. . This includes testing with adversary and attack simulations to defence and protection techniques, as well asin the event of a data breach or vector attack, along the cycle pathway to verify that it is robust and secure, ensuring information resilience.
- Compliance services: lastly, on the E2E model we examine the controls and methodologies used against leading standards from IACS to CC-ITSE as well as regulations like the EU GDPR on data protection and privacy management and FIPS compliance. As a final step we review them against best in class security test models such as OWASP’s ASVS and embedded controls and MITRE‘s ATT&CK framework among others. This iterative approach is proven to simplify achieving ISO/SAE 21434 compliance.
The BSI team has years of industry relevant and multi sector experience, providing cutting edge and leading consultation and insights to ensure IoT infrastructure and connected assets are secure and are information resilient all backed by leading edge innovative alliances specializing in IoT, connected systems and automotive security.
BSI is also a part of Project Endeavour, a collaborative project that will enable us to apply our expertise in Standards and Certification to help ensure and support the safe and secure trialling and development testing of automated and autonomous vehicles on our roads and on test tracks. Project Endeavour is part-funded by the Centre for Connected and Autonomous Vehicles (CCAV), delivered in partnership with Innovate UK. It is part of the government’s £100 million Intelligent Mobility Fund, supporting the Future of Mobility Grand Challenge. We’re committed to working together with the team and industry to help accelerate innovation whilst ensuring safety.
To find out more about BSI’s Cybersecurity solutions approach to the automotive sector, download our insights paper on: www.bsigroup.com/automotive
[1] Upstream Security: Global Automotive Cybersecurity Report 2021
About the author:
Mark Brown is BSI Cybersecurity and Information Resilience Global Managing Director. He joined BSI in February 2021 and has overall responsibility for driving the growth of the Consulting Services business stream – Cybersecurity and Information Resilience – at a global level, harnessing a key focus on the Internet of Things (IoT) strategy and how BSI can help clients bridge their cybersecurity and data governance challenges.
Mark has more than 25 years of expertise in cybersecurity, data privacy and business resilience consultancy. He has previously held leadership roles at Wipro and Ernst & Young (EY), amongst others and brings a wealth of knowledge including extensive proficiency on the Internet of Things (IoT) and the expanding cybersecurity marketplace having worked for Fortune 10 and Fortune 500 firms as Global CISO and Global CIO/CTO respectively. Marks experience spans across numerous sectors from consumer products, retail and eCommerce, legal, oil and gas, mining, technology, media, manufacturing, IT and real estate.
To connect with Mark, follow the links below:
Email: mark.brown@bsigroup.com
Website: bsigroup.com/cyber-uk
LinkedIn: linkedin.com/in/markofsecurity
Twitter: twitter.com/@markofsecurity