UNECE WP.29 and ISO/SAE 21434: Automotive cybersecurity faces new challenges
It’s been just five years since Charlie Miller and Chris Valasek brought vehicle IT security to public attention in spectacular fashion. Via the entertainment system’s internet connection, the two American IT experts gained control of a Jeep Cherokee’s multimedia systems, windshield wipers, air-conditioning system, brakes, and speed. They then remotely stopped the car, whose driver had been hired as a tester, in the middle of the highway. As a result, Chrysler had to recall and patch around 1.4 million vehicles. Since then, there have been regular reports of new attacks that have exploited the growing vulnerability caused by the increasing digitalization and connectivity of vehicles. And what risk that poses for manufacturers, owners, and road users has long been clear.
Figure 1: The number of attack vectors for potential cyberattacks is growing dramatically as the vehicle and its ecosystem become increasingly connected.
This is why efforts are underway worldwide to establish binding regulations and standards for cybersecurity. For instance, there are corresponding legislative initiatives in the U.S. Congress, the Cybersecurity Act in the EU, the Chinese ICV program, and new guidelines from JASPAR in Japan. All these regulations share three main trends:
- a stronger focus on the specifics of the automotive industry when addressing cybersecurity,
- the requirement to uphold vehicle security in the field, and
- the increasingly compulsory nature of regulations and of their testing at the time of type approval.
These developments are currently particularly conspicuous in two regulatory initiatives, which define explicit management systems for the protection of vehicles for the first time: UNECE WP.29 TF-CS/OTA and the upcoming ISO/SAE 21434 standard.
The United Nations World Forum for Harmonization of Vehicle Regulations (UNECE WP.29) is currently drafting a regulation that makes cybersecurity relevant for the approval of new vehicle types. The proposal made by the Task Force on cybersecurity and over-the-air issues (TF-CS/OTA) is made up of two core demands: the running of a certified cybersecurity management system (CSMS); and the application of the CSMS to the specific vehicle type at the time of type approval. The EU is planning to make the observation of these requirements mandatory for new vehicle types as of the first half of 2022 and subsequently to extend it to existing architectures.
Considering typical development times in the automotive sector, manufacturers and suppliers need to start grappling with these cybersecurity requirements today if they want to ensure their next products receive type approvals. To do this, they must follow a risk-based approach that can consistently determine, reach, and maintain a suitable risk level for the vehicle type, its external interfaces, and its subsystems. This explicitly calls for security-relevant dependencies and information from suppliers, service providers, and other third parties to be taken into account as well. In view of a constantly changing threat environment and the length of vehicle life cycles, the requisite CSMS focuses in particular on the phase after the start of production and on continuous risk management during vehicle operation.
Figure 2: Certified cybersecurity management system (CSMS) and type approval according to UNECE draft regulation WP.29 TF-CS/OTA.
Alongside TF-CS/OTA, the automotive industry is also developing the ISO/SAE 21434 standard for the cybersecurity of vehicles within the framework of the International Organization for Standardization (ISO) and SAE International. Just like the CSMS defined by WP.29, this standard puts the focus on requisite organization and having the right processes to protect the vehicle from cyberattacks over its entire life cycle. Given that an accompanying document to the UN draft regulation refers consistently to this standard for the implementation of CSMS requirements, ISO/SAE 21434 warrants particular attention. Here, common terminology and defined measures will create an industry-wide basis upon which manufacturers and suppliers can build their interfaces, shared responsibilities, and processes. The final version is expected at the end of 2020.