Chances are, your car contains more lines of software code than an F-35 fighter jet, a Boeing 787 and the Mars Curiosity Rover combined. It can find gas, pay for coffee, zero in on parking spots, evade traffic and browse radio stations on every continent. And one day, in the not-too-distant future, 5G networks and artificial intelligence (AI) will enable it to drive on its own with human-like reflexes.
While consumers love the convenience of modern cars, they introduce complexity and increase the attack surface, creating opportunities for malicious hackers not only in the vehicle itself, but along the entire value chain.
A recent cybersecurity report identified 29 potential attack vectors among the millions of endpoints in a connected car’s ecosystem. High-profile hacks such as remote hijacking of vehicle controls are currently considered to be somewhat low risk because they require expert skills. However, five high-risk attacks—including electronically jamming safety systems and launching DDoS attacks—were found to require “limited understanding of the inner workings of a connected car and can be pulled off by a low-skilled attacker.”
With 700 million connected cars, 90 million autonomous vehicles, and 250 million electric and hybrid vehicles expected to be on the roads by 2030, cybersecurity has become a top priority for automakers and their suppliers.
Automotive cybersecurity has remained largely unregulated—until now. New regulations and standards are driving the implementation of common cybersecurity practices. Adherence to these practices can not only promote compliance, but also create trust and facilitate contracts between industry players.
This year, two new UN Regulations adopted by UNECE’s World Forum for Harmonization of Vehicle Regulations came into force. One focuses on electronic control unit (ECU) security, and the other on software updates; together, they establish performance and audit requirements for car manufacturers across four distinct disciplines:
The regulations apply to passenger cars, vans, trucks and buses. Broad adoption across the world is expected both among and beyond the 54 Contracting Parties to UNECE’s 1958 Agreement. While the U.S. is not among the signatories, American manufacturers are likely to comply.
Since the vehicle development cycle is typically three to four years long, engineers developing new models must now retrofit cybersecurity into their designs.
To unify levels of cybersecurity within the industry, the German Association of the Automotive Industry (VDA) developed the Trusted Information Security Assessment Exchange (TISAX)—a catalog of assessment criteria aimed at standardization, quality assurance, and cross-company recognition of information security audits.
TISAX enables the sharing of assessment results among participants by providing security accreditations. It supports organizations seeking to evaluate the information security of their suppliers or other partners as part of third-party risk management efforts. It can also be used—as it has been by companies including Google Cloud, Microsoft, AWS and Alibaba—to demonstrate the maturity of internal controls, which can bolster customer confidence in the security of cloud storage and data sharing techniques.
|Utilization at eye level:||Recognition:|
|Each participant decides for himself to whom results will be revealed and to what degree of detail. At the same time, the participating company can also use the results for its own Risk Management.||Recognition of TISAX assessments and their regular three-year validity help to avoid efforts as well as duplicate assessments.|
|Standardized exchange mechanism:||Free choice of audit provider:|
|Central exchange processes provide uniform proof of information security.||TISAX creates competition among audit providers and allows a joint recognition of assessment results between TISAX participants.|
TISAX is operated by the ENX Association, which has defined three assessment levels according to which companies can be audited.
Level 1: Standard suppliers need only to complete the ISA questionnaire and publish this self-assessment in TISAX.
Level 2: In cases of more complex suppliers, self-assessment will be followed by random plausibility checks by an approved audit provider over the phone.
Level 3: Suppliers who handle highly sensitive external data undergo on-site inspection by an approved audit provider based on their self-assessment.
While TISAX currently focuses on European automotive players, experts predict it will soon cross the pond, bringing its specifications and security requirements to bear on the U.S. supply chain.
The International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) have jointly published a new standard, “Road vehicles – cybersecurity engineering,” which is currently in the approval phase. It is the first standard that lays out precise organizational, procedural, and technical requirements aimed at systematically developing secure vehicles, and keeping them secure throughout the vehicle lifecycle. It is recommended in the UNECE WP.29 regulations.
The final standard is expected sometime this year. It will not provide specific recommendations of security technologies or countermeasures. Instead, it advises organizations to conduct a structured threat analysis and risk assessment (TARA) to determine the extent to which a given threat scenario may impact a driver. This threat analysis and risk assessment process is described in detail in the ISO/SAE 21434 standard in Sections 8.3-8.9; the UNECE WP.29 regulations also demand it.
The Automotive Industry Action Group (AIAG) has been working with automakers to build a standardized set of minimal security guidelines called Third-Party Information Security Requirements (TPISR). TPISR can be thought of as a sort of U.S. variant of TISAX; it is aimed at suppliers who wish to partner with original equipment manufacturers such as GM, Mercedes, Chrysler, Ford, Honda, Toyota and BMW . It contains “General Computing Controls that apply to all third parties who create, collect, store, transmit, manage, and process an OEM’s data and information in an environment external to the OEM’s.”
TPISR is influenced by the ISO/IEC 27001 standard, the National Institute for Standards and Technology Cybersecurity Framework (NIST CSF), and NIST Special Publication 800-171, a general-purpose standard for safeguarding controlled information. It will impact the way automotive suppliers earn the trust of OEMs, and how they handle OEM data.
In January, the National Highway Traffic Safety Administration (NHTSA) published a request for public comment on its draft, “Cybersecurity Best Practices for the Safety of Modern Vehicles (2020 Best Practices).” It is an update to the existing best practices document published in 2016 and describes NHTSA’s nonbinding guidance to improve vehicle cybersecurity.
The 2020 update builds upon research, emerging voluntary industry standards such as ISO/SAE 21434, and a series of industry best practice guides developed by the Automotive Information Sharing and Analysis Center (Auto-ISAC) through its members.
It covers safety-related cybersecurity issues for all motor vehicles and motor vehicle equipment, and applies to all organizations involved in the design, manufacture, and assembly of motor vehicles and their electronic systems and software.
An assessment is the best way to start leveraging the guidance these standards provide and prepare for compliance. Automakers and suppliers need to evaluate the impact that UNECE WP.29, TISAX and TPISR will have on their processes and business, as well as the current state of their security program in order to prioritize gaps and opportunities for improvement. CISOs responsible for both OT and IT security should conduct a comprehensive vulnerability assessment across all aspects of their environment.
Gaining a clear understanding of regulatory and contractual requirements, assessing risks, and optimizing security operations can be difficult for understaffed teams. Many companies leverage a vendor-independent cybersecurity firm to provide an objective view of their security and help them build a cohesive plan of action.
With the average car expected to contain 300 million lines of code by 2030, vulnerabilities will continue to grow. The automotive sector needs standard procedures and international regulations to strengthen the collective security practices of everyone in the supply chain, and protect against determined hackers. While cybersecurity is a relatively new consideration in the industry, UNECE WP.29, TISAX, TPISR and ISO/SAE 21434 represent an important step forward in the effort to make it non-negotiable.
For more information on cybersecurity for automotive, manufacturing, or suppliers, visit Automotive Cybersecurity Network.
Kurt is also co-founder and Managing Director of the Automotive Cyber Security Network (ACSN), a forum for automotive industry professionals to connect, exchange knowledge and engage in a community focused on securing the automotive sector. Kurt has more than 25 years of management experience, including 13 years leading global teams in the automotive industry.