Non-Negotiable Cybersecurity: New Regulations in the Auto Industry

Chances are, your car contains more lines of software code than an F-35 fighter jet, a Boeing 787 and the Mars Curiosity Rover combined. It can find gas, pay for coffee, zero in on parking spots, evade traffic and browse radio stations on every continent. And one day, in the not-too-distant future, 5G networks and artificial intelligence (AI) will enable it to drive on its own with human-like reflexes.

While consumers love the convenience of modern cars, they introduce complexity and increase the attack surface, creating opportunities for malicious hackers not only in the vehicle itself, but along the entire value chain.

A recent cybersecurity report identified 29 potential attack vectors among the millions of endpoints in a connected car’s ecosystem. High-profile hacks such as remote hijacking of vehicle controls are currently considered to be somewhat low risk because they require expert skills. However, five high-risk attacks—including electronically jamming safety systems and launching DDoS attacks—were found to require “limited understanding of the inner workings of a connected car and can be pulled off by a low-skilled attacker.”

With 700 million connected cars, 90 million autonomous vehicles, and 250 million electric and hybrid vehicles expected to be on the roads by 2030, cybersecurity has become a top priority for automakers and their suppliers.

Regulations Paving the Way

Automotive cybersecurity has remained largely unregulated—until now. New regulations and standards are driving the implementation of common cybersecurity practices. Adherence to these practices can not only promote compliance, but also create trust and facilitate contracts between industry players.

UNECE WP.29

This year, two new UN Regulations adopted by UNECE’s World Forum for Harmonization of Vehicle Regulations came into force. One focuses on electronic control unit (ECU) security, and the other on software updates; together, they establish performance and audit requirements for car manufacturers across four distinct disciplines:

• Managing vehicle cyber risks;
• Securing vehicles by design to mitigate risks along the value chain;
• Detecting and responding to security incidents across vehicle fleet;
• Providing secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for so-called “Over-the-Air” (OTA) updates to onboard vehicle software.

The regulations apply to passenger cars, vans, trucks and buses. Broad adoption across the world is expected both among and beyond the 54 Contracting Parties to UNECE’s 1958 Agreement. While the U.S. is not among the signatories, American manufacturers are likely to comply.

“The U.N. regulation is a global standard, and we have to meet global standards.”
-Kevin Tierney, Chief Cybersecurity Officer, General Motors

Since the vehicle development cycle is typically three to four years long, engineers developing new models must now retrofit cybersecurity into their designs.

TISAX

To unify levels of cybersecurity within the industry, the German Association of the Automotive Industry (VDA) developed the Trusted Information Security Assessment Exchange (TISAX)—a catalog of assessment criteria aimed at standardization, quality assurance, and cross-company recognition of information security audits.

“Ensuring security by design is a decisive prerequisite for advancing driver experience while defending against automotive cyber threats. TISAX focuses on the protection of information throughout the automotive industry, including suppliers, logistics and subcontractors.”
–Paul McCormick, Regional Security Expert, North America, MAHLE

TISAX enables the sharing of assessment results among participants by providing security accreditations. It supports organizations seeking to evaluate the information security of their suppliers or other partners as part of third-party risk management efforts. It can also be used—as it has been by companies including Google Cloud, Microsoft, AWS and Alibaba—to demonstrate the maturity of internal controls, which can bolster customer confidence in the security of cloud storage and data sharing techniques.

“We rely on our partners and suppliers to achieve a unified level of information security established by TISAX.”
—Stefan Arnold, Director Technology & Acceleration, Porsche

TISAX MAIN FEATURES

TISAX is operated by the ENX Association, which has defined three assessment levels according to which companies can be audited.

Level 1: Standard suppliers need only to complete the ISA questionnaire and publish this self-assessment in TISAX.
Level 2: In cases of more complex suppliers, self-assessment will be followed by random plausibility checks by an approved audit provider over the phone.
Level 3: Suppliers who handle highly sensitive external data undergo on-site inspection by an approved audit provider based on their self-assessment.

While TISAX currently focuses on European automotive players, experts predict it will soon cross the pond, bringing its specifications and security requirements to bear on the U.S. supply chain.

ISO/SAE 21434

The International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) have jointly published a new standard, “Road vehicles – cybersecurity engineering,” which is currently in the approval phase. It is the first standard that lays out precise organizational, procedural, and technical requirements aimed at systematically developing secure vehicles, and keeping them secure throughout the vehicle lifecycle. It is recommended in the UNECE WP.29 regulations.

The final standard is expected sometime this year. It will not provide specific recommendations of security technologies or countermeasures. Instead, it advises organizations to conduct a structured threat analysis and risk assessment (TARA) to determine the extent to which a given threat scenario may impact a driver. This threat analysis and risk assessment process is described in detail in the ISO/SAE 21434 standard in Sections 8.3-8.9; the UNECE WP.29 regulations also demand it.

TPISR

The Automotive Industry Action Group (AIAG) has been working with automakers to build a standardized set of minimal security guidelines called Third-Party Information Security Requirements (TPISR). TPISR can be thought of as a sort of U.S. variant of TISAX; it is aimed at suppliers who wish to partner with original equipment manufacturers such as GM, Mercedes, Chrysler, Ford, Honda, Toyota and BMW . It contains “General Computing Controls that apply to all third parties who create, collect, store, transmit, manage, and process an OEM’s data and information in an environment external to the OEM’s.”

TPISR is influenced by the ISO/IEC 27001 standard, the National Institute for Standards and Technology Cybersecurity Framework (NIST CSF), and NIST Special Publication 800-171, a general-purpose standard for safeguarding controlled information. It will impact the way automotive suppliers earn the trust of OEMs, and how they handle OEM data.

NHTSA

In January, the National Highway Traffic Safety Administration (NHTSA) published a request for public comment on its draft, “Cybersecurity Best Practices for the Safety of Modern Vehicles (2020 Best Practices).” It is an update to the existing best practices document published in 2016 and describes NHTSA’s nonbinding guidance to improve vehicle cybersecurity.

The 2020 update builds upon research, emerging voluntary industry standards such as ISO/SAE 21434, and a series of industry best practice guides developed by the Automotive Information Sharing and Analysis Center (Auto-ISAC) through its members.

It covers safety-related cybersecurity issues for all motor vehicles and motor vehicle equipment, and applies to all organizations involved in the design, manufacture, and assembly of motor vehicles and their electronic systems and software.

Getting Started

An assessment is the best way to start leveraging the guidance these standards provide and prepare for compliance. Automakers and suppliers need to evaluate the impact that UNECE WP.29, TISAX and TPISR will have on their processes and business, as well as the current state of their security program in order to prioritize gaps and opportunities for improvement. CISOs responsible for both OT and IT security should conduct a comprehensive vulnerability assessment across all aspects of their environment.

Gaining a clear understanding of regulatory and contractual requirements, assessing risks, and optimizing security operations can be difficult for understaffed teams. Many companies leverage a vendor-independent cybersecurity firm to provide an objective view of their security and help them build a cohesive plan of action.

Protecting Against Automotive Cyber Risks

With the average car expected to contain 300 million lines of code by 2030, vulnerabilities will continue to grow. The automotive sector needs standard procedures and international regulations to strengthen the collective security practices of everyone in the supply chain, and protect against determined hackers. While cybersecurity is a relatively new consideration in the industry, UNECE WP.29, TISAX, TPISR and ISO/SAE 21434 represent an important step forward in the effort to make it non-negotiable.

For more information on cybersecurity for automotive, manufacturing, or suppliers, visit Automotive Cybersecurity Network.

References

1. “Cybersecurity for Connected Cars: Exploring Risks in 5G, Cloud, and Other Connected Technologies,” Trend Micro, 2021 https://documents.trendmicro.com/assets/white_papers/wp-cybersecurity-for-connected-cars-exploring-risks-in-5g-cloud-and-other-connected-technologies.pdf
2. “Hackers Remotely Kill a Jeep on the Highway—With Me in It,” Wired, Greenberg, A. July 2015 https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
3. “Connected & Autonomous Cars Have Arrived, And They Are Forcing Car Companies To Build New Vehicle Architectures,” Forbes, Sing, S., November 2019 https://www.forbes.com/sites/sarwantsingh/2019/11/11/connected–autonomous-cars-have-arrived-and-they-are-forcing-car-companies-to-build-new-vehicle-architectures/?sh=f868c12cb14b
4. “UN Regulations on Cybersecurity and Software Updates to pave the way for mass roll out of ‎connected vehicles, ” UNECE, June 2020: https://unece.org/press/un-regulations-cybersecurity-and-software-updates-pave-way-mass-roll-out-connected-vehicles
5. “TISAX Trusted Information Security Assessment Exchange,” ENX Association https://portal.enx.com/en-US/TISAX/
6. “TISAX Scope Broadened,” AWS Security Blog, Quaid K. September 2020 https://aws.amazon.com/blogs/security/tisax-scope-broadened/
7. “ISO/SAE 21434 – a field report,” SEC https://www.security-analyst.org/iso-sae-21434-a-field-report/
8. “Cybersecurity Best Practices for the Safety of Modern Vehicles,” NHTSA, 2020 https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/vehicle_cybersecurity_best_practices_01072021.pdf
9. “How To Secure Your Factories: Cybersecurity On The Production Floor,” CBI Insights, Gollinger, K. February 2020 https://cbisecure.com/insights/how-to-secure-your-factories-cybersecurity-on-the-production-floor/
10. “Cybersecurity in automotive: Mastering the challenge,” McKinsey & Company, June 2020 https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/cybersecurity-in-automotive-mastering-the-challenge#:~:text=Based%20on%20external%20expert%20interviews,7%20percent%20(Exhibit%203).
11. “Vehicle cybersecurity: control the code, control the road,” Vehicle Dynamics International, Martin A. March 2020 https://www.vehicledynamicsinternational.com/features/vehicle-cybersecurity-control-the-code-control-the-road.html