New cybersecurity frontier

Cybersecurity is not new, and many technologies, processes, and solutions are available from other industries to address cybersecurity risks for decades. However, the automotive industry has unique characteristics. Automotive cybersecurity vulnerabilities likely lead to safety and privacy risks; automotive systems are complex since they typically consist of a large number of ECUs (Electric Control Unit) that operate specialized software on different embedded controllers, and these ECUs are typically manufactured from different suppliers in a tier system; automotive product lifecycles are longer than consumer electronics and high-tech products.

Automotive new cybersecurity frontier

While connectivity and digitalization in automotive industry trigger innovations by enabling many modern features and services in the connected world, they also bring cybersecurity challenges, threats, and vulnerabilities from sophisticated and organized attackers due to the high-value automotive assets and the public visibility of the safety impacts.

If cyber attackers exploit automotive cybersecurity vulnerabilities successfully, they can impose severe safety risks for drivers and the public. Successful cybersecurity attacks will have heavy financial impacts and can damage a company’s brand and reputation.

Unfortunately, the automotive industry is not ready since most of the existing systems do not have sufficient cybersecurity countermeasures built in the design, and many automotive companies do not have the capacities. It is a monumental task to address the new cybersecurity risks that the automotive industry faces, and it requires the whole industry to work together to develop the technologies, solutions, and processes to ensure the cybersecurity can protect the most critical assets and safety.

Automotive cybersecurity standards

Cybersecurity must be a core foundation of the new automotive architecture, and must be defined and designed from concept to release throughout the entire development life cycle, and continues even after production. However, the weakest point of the system is typically the most vulnerable, so all players in the automotive industry, including the supply chain, and even consumers must participate.

Automotive cybersecurity standards are essential to ensure that the whole automotive industry follows the necessary guidelines for cybersecurity processes and organization. The automotive industry calls for comprehensive cybersecurity standards to address unique challenges as well as common best practices and processes.

In 2016, SAE (Society of Automotive Engineers) and ISO (International Organization for Standardization) decided to work together to develop an automotive cybersecurity standard for the automotive industry ISO/SAE 21434 “Road vehicles: Cybersecurity Engineering.” The current standardization stage is at Committee Draft (CD) and planned to release in 2020.

ISO/SAE 21434 is designed to allow OEMs and suppliers to perform “due diligence” to ensure reasonable secure vehicles and systems by using cybersecurity activities/processes for all phases of the vehicle lifecycle.

Cybersecurity Framework and Design

Although the automotive cybersecurity ecosystem is quite different and complex, the fundamental cybersecurity design should still follow the basic security principles:

• Confidentiality – ensure systems and data are securely protected
• Integrity – ensure systems and data are not tampered or altered by untheorized users
• Authenticity – ensure systems and data are available to only authorized users

The standard cybersecurity framework ensures that cybersecurity is diligently designed, managed, and maintained in every step of the product lifecycle from the business requirements to the product release. During system development, security architect shall cover the risks associated with typical to extreme attacks by identifying, reducing, and hardening attack surfaces.

The automotive industry should build the cybersecurity in the product design, and follow the cybersecurity framework rigorously to identify, assess, and evaluate the risks.

It then should use the latest technologies, practices, and countermeasures to protect important assets and mitigate risks so that it won’t jeopardize safety and availability.

Also, it is important to maintain digital resilience to detect, respond, and recover from cybersecurity incidences. The automotive industry must design detailed plans and appropriate activities in anticipation of cybersecurity attacks.

CTSA consulting has a comprehensive and holistic automotive cybersecurity framework based on the standards and best practices. With experience and knowledge in automotive EE (Electrical and Electronic) architecture, we have developed a unique layered approach (SAFE) to help our clients to protect the most vulnerable components in their system.

• Secure Embedded Systems – review components with embedded systems, identify the system and software risks, and provide extensive embedded solutions to protect and detect core embedded systems and applications.
• Adaptive Threat Modeling – analyze the client’s architecture and system to identify threats and prioritize risks with an adaptive threat model.
• Fortified External Interfaces – minimize the attack surface and provide temporal and spatial isolations to fortify the critically vulnerable interfaces to protect, detect, and respond to cyber attacks.
• Elevated Network Security – elevate the network security within the system for an additional layer of detection and protection.

We can help our clients to establish the cybersecurity processes and associated organization to address the cybersecurity challenges throughout the lifecycle of the vehicles.