The automotive industry is facing a radical paradigm shift: with the rapid pace of digitalization, more and more electronic control systems, intelligent components, embedded systems and API interfaces are finding their way into vehicles - making them more powerful, safer and smarter than ever before. However, the increasing dependence on electronics also harbors dangers. So it's high time to take a closer look at the new standards - also from an auditor's perspective.
CONTENT
- Why Automotive Cyber Security?
- What does cyber security mean in the automotive industry?
- Practical example: Effects of an attack
- IT security and vehicle software updates
- Who is affected by the new regulations?
- UNECE Cyber Security according to R 155
- What is a cyber security management system (CSMS)?
- What does the UNECE software update according to R 156 regulate?
- Is cyber security certifiable in the automotive industry?
- ISO/SAE 21434 as a reputation booster
- Excursus: Other important automotive regulations
- Checklists for the requirements of UNECE Automotive Security
- Certification with DQS
Why Automotive Cyber Security?
Automotive Cyber Security is the challenge of the moment for car manufacturers. Every additional communication interface and component is a potential point of attack for cyber criminals. The damage potential of manipulation is increasing rapidly, for example with regard to autonomously controlled vehicles or electronically controlled driving and braking functions.
For this reason, the United Nations is now defining the basic framework for automotive cyber security with two new regulations. These are UNECE Cyber Security (UN R 155), which refers directly to the new ISO/SAE 21434 standard, and UNECE Software Updating (UN R 156). The regulations will become mandatory for new vehicle types as early as July 2022. The automotive industry is therefore facing major challenges - especially as many original equipment manufacturers (OEMs) and suppliers criticize the new regulations as being very general. Here, there is a widespread desire for concrete recommendations for action as a binding guard rail.
What does cyber security mean in the automotive industry?
While the international ISO 27001 standard is the cross-industry approach to information security, the term automotive cyber security describes the security of digital systems in the automotive industry. Our motor vehicles are increasingly dependent on networked electronic systems and software applications. As a result, protecting and securing these components is becoming increasingly important - across the entire industry. This starts with the vehicle manufacturer, continues with the suppliers and engineering service providers, and extends to the software and ICT infrastructure service providers. Two new United Nations regulations, directed at manufacturers and their suppliers, are designed to ensure the security of automotive IT.
ISO 27001 - the classic for information security
ISO/IEC 27001 is the leading international standard for the introduction of a holistic management system for information security.
Why do we need automotive cyber security?
Connected vehicles: this means innovative assistance systems, (partially) autonomous driving, networked production involving suppliers, connected cars with connected services - digitization is making itself clearly felt in almost every area of the automotive industry, and it is progressing rapidly. But increasing connectivity ultimately means more and more code, and that code can be compromised in a wide variety of ways. After all, modern cars contain up to 150 electronic control units and around 100 million lines of code, which is expected to triple by 2030. The amount of software in today's vehicles is already four times that of a fighter jet.
Special attention to IT security, or automotive cyber security, has been warranted not only since the Corona pandemic and the associated increase in cyber attacks. A vehicle must be able to guarantee its functional safety at all times. The damage potential of cyber attacks on smart cars is enormous. The horror scenarios of large-volume attacks ("All electronic brakes in a manufacturer's vehicles are simultaneously paralyzed by a hacker attack.") must be considered. What is needed here are accurate, effective security concepts.
Practical example: Effects of an attack
In 2015, two American IT experts demonstrated the potential impact of a hack on a Jeep Cherokee. They compromised the Uconnect system, which combines many electronic vehicle functions from infotainment to navigation. It also serves as an interface for mobile devices and opens a WLAN hotspot on request - in other words, it has an IP address. To demonstrate their skills, the two hackers invited a journalist, who a short time later had to watch powerlessly as he lost control of the vehicle.
From a distance of over 1000 kilometers, the hackers first turned up the air conditioning and the radio via their laptop. Then they sprayed washer fluid on the windshield and finally simply switched off the engine - in the middle of an interstate highway (the equivalent of a European freeway). After this first proof of serious vulnerabilities in the IT infrastructure of vehicles, they went a step further: in an empty parking lot, they demonstrated that they could even influence the steering or override the brakes. The consequences were a recall of 1.4 million vehicles and a fine of $105 million.
IT security and vehicle software updates
Today, selective measures are no longer sufficient to protect vehicles holistically. Instead, systematic and strategic approaches are required that specify clear requirements for the scope, performance and auditing of a security system. The strategic approach should cover the entire product lifecycle. Here, the focus must be on the long-term availability of software updates, for example, or on the integration of the entire supply chain.
To create an appropriate framework for automotive cyber security, the World Forum for Harmonization of Vehicle Regulations of the United Nations Economic Commission for Europe (UNECE) adopted two binding regulations for the first time in summer 2020. Published under the abbreviations UNECE R 155 and UNECE R 156, the rules concern IT security and software updates in vehicles, and are thus closely related.
The regulations came into force at the beginning of 2021. From July 2022, compliance will be mandatory for new vehicle types. Manufacturers who fail to meet the requirements will then face non-registration of the relevant vehicle types. Finally, from July 2024, the regulations will apply to all newly manufactured vehicles.
The regulations essentially require the implementation of measures in four areas:
- Management of cyber risks to vehicles
- Protecting vehicles according to a security-by-design approach to mitigate risks along the value chain
- Detecting and defending against attacks across the entire vehicle fleet
- Provision of secure software updates and introduction of a legal basis for over-the-air updates (O.T.A.) of vehicle software
Automotive cyber security: Who is affected by the new regulations?
The UN regulations primarily require vehicle manufacturers to implement the new requirements. However, this includes monitoring and auditing cyber security throughout the supply chain to demonstrate enforcement of the regulations at all times. The manufacturer is therefore obliged to monitor its suppliers, and will very likely require them to implement the new standards as well.
The two regulations apply to passenger cars, vans, trucks and buses, provided they are equipped with automated driving functions. This category also includes new types of automated pods, shuttles or comparable vehicles. In addition, the regulations also apply to trailers that contain at least one electronic control unit.
What does UNECE cyber security under R 155 cover?
UNECE R 155 defines requirements for the protection of vehicles against cyber attacks. A key point here is the implementation of a Cyber Security Management System (CSMS) in all companies that place vehicles on the market. The exciting thing is that this requirement shifts the manufacturers' perspective. Their development activities no longer end with the start of production (SOP). Instead, there is an ongoing obligation to check the safety systems over the entire life cycle of a vehicle, including any necessary improvements.
In this way, the legislator is taking account of the highly dynamic nature of software development and software assurance. In addition, the management system is intended to ensure compliance with safety requirements along the supply chain. This is no easy task in view of the fact that suppliers currently account for over 70 percent of the software volume.
UN Regulation No. 155 - Uniform provisions concerning the approval of vehicles with regard to cybersecurity and the cybersecurity management system [2021/387]. The text of the regulation can be found here.
To ensure end-to-end security despite these complexities - from development to the finished vehicle on the road - it is important to think of a CSMS holistically. In addition, vehicles must be designed on the basis of a security-by-design approach. The intention is to keep the gateway for attackers as small as possible right from the start.
What is a cyber security management system (CSMS)?
Key features of a CSMS are:
- Risk management: an organization uses processes to identify, assess, and mitigate risks from cyber threats.
- Risk management covers the entire product lifecycle - from development to the operational phase at the end customer.
- Monitoring of new vulnerabilities and known attacks to respond with new updates.
- Enables independent assessment by an accredited testing institute.
Important plus point in practice: the systematization of cyber security that comes with the introduction of a CSMS makes it mandatory for companies to address the issue of information security in a risk-oriented manner.
"Cybersecurity management system (CSMS) refers to a systematic, risk-based approach to establishing organizational processes, responsibilities, and governance in managing risks related to cyber threats to vehicles and protecting vehicles from cyber attacks."
Source: Official Journal of the European Union at R 155
This includes fully defining and evaluating risks, and thinking about how likely they are to occur. This risk assessment provides a robust starting point for reducing the specific potential damage to an acceptable level - a proven and pragmatic approach.
Automotive Cyber Security: What does UNECE R 156 regulate?
Since fully autonomous vehicles will also participate in traffic in the foreseeable future, it is of central importance to maintain the vehicle software appropriately and to keep it permanently up-to-date, for example, through bug fixes or updates. R 156 therefore prescribes the introduction and operation of a standard-compliant Software Update Management System (SUMS) for all vehicles. It is intended to provide permanent security over the entire life cycle of a vehicle.
Even after many years or decades, it must still be possible to install updates safely and reliably. In addition, R 156 lays the legal foundation for so-called "Over-the-Air" updates (O.T.A.), which enable vehicles to be updated at short notice at any time, regardless of their location.
UN Regulation No. 156 - Uniform provisions concerning the approval of motor vehicles with regard to software update and software update management system [2021/388]. The text of the regulation can be found here.
In comparison, current cell phone manufacturers give little assurance as to how many upcoming software generations they will support or over what time periods older devices will still be provided with security updates. If even cell phone manufacturers, with their affinity for IT, want to shed the life-cycle challenges of their products as early as possible, this clearly shows the IT-related challenges that the automotive industry now faces with its long product life cycles.
Is contemporary cyber security certifiable in the automotive industry?
According to EU regulations, manufacturers must ensure the functionality of their management systems at all times and extensively document the status of all their software.
To provide a certifiable standard for the functionality of a CSMS, the International Organization for Standardization (ISO), together with the Society of Automotive Engineers (SAE), published ISO/SAE 21434 in August 2021. In professional circles, ISO/SAE 21434 is expected to provide a basis recognized by approval authorities for the implementation of a cyber security management system at a vehicle manufacturer.
The German Association of the Automotive Industry (VDA) has created a supplementary test basis to this standard, which a vehicle manufacturer can use to audit the CSMS of its supplier or engineering service provider. In this way, the manufacturer's CSMS can have a positive effect in the sense of the UNECE regulations right down to the supplier level.
For the certification of a software update management system, ISO 24089 is to become the standard. However, the design is still open at this point in time (January 2022).
Differentiation from TISAX®
It is true that TISAX® is also a test procedure for information security in the automotive industry. And similar to a certification, the fulfillment of the requirements can be proven through an assessment. However, TISAX® is primarily aimed at service providers or suppliers in the automotive industry who have to prove to their customers that they meet certain information security requirements. One example is the secure handling of data and information that the customer provides to a supplier for a development and manufacturing process. ISO/SAE 21434, on the other hand, is aimed at vehicle manufacturers, i.e. original equipment manufacturers (OEMs).
ISO/SAE 21434 as a reputation booster
The approach of ISO 21434, analogous to common management systems such as ISO 27001, calls for the implementation of processes and procedures while taking identified risks into account.
The declared aim of the standard is to ensure the safety of all electrical and, above all, data-processing electronic systems throughout the entire product life cycle of a vehicle, right up to its disposal. In doing so, it aims to become an established and binding quality standard for cyber security in the automotive sector.
ISO/SAE 21434:2021 - Road vehicles - Cybersecurity engineering - Issue date 2021-08. The standard is available from the ISO website.
To meet this holistic approach, the standard defines a CSMS for the areas of security design, product development, product maintenance, risk detection, hazard mitigation, product disposal, and related ongoing processes. It also includes regulations for responsibilities in the case of distributed product development between manufacturers and suppliers, without prescribing specific technologies or solutions in concrete terms.
Vehicle manufacturers and suppliers should not regard the implementation of ISO 21434 as an additional burden to their daily business. On the contrary, certifications offer real added value in many areas - key words: cyber insurance, cyber liability and market reputation. As a result, they can sometimes even become a competitive advantage. After all, state-of-the-art IT security confirmed by independent experts and confirmed data protection are increasingly regarded as important quality features in the industry.
Excursus: Other important automotive regulations
IATF 16949
The automotive industry is committed to excellent process quality, continuous improvement processes, the highest standards and innovation. IATF 16949 is the standard for supplier quality management systems in the automotive industry.
TISAX®
TISAX® is a common testing and exchange procedure for the automotive sector. It is based on the "ISA - Information Security Assessment" questionnaire developed by the German Association of the Automotive Industry (VDA). This in turn contains essential aspects of the international standard ISO/IEC 27001 and expands them with a maturity model.
ISO 26262
The implementation of the standard is intended to ensure the functional safety of a system with electrical or electronic components in a motor vehicle. The standard consists of twelve parts. Part 1: Vocabulary, Part 2: Functional safety management, Part 3: Concept phase, Part 4: System-level product development, Part 5: Hardware-level product development, Part 6: Software-level product development, Part 7: Production, operation, service and decommissioning, Part 8: Supporting processes, Part 9: Automotive safety integrity level (ASIL)-oriented and safety-oriented analysis, Part 10: Guidelines on ISO 26262, Part 11: Guidelines on application of ISO 26262 to semiconductors and Part 12: Adaptation for motorcycles.
ISO 26262-1 (to 12):2018-12 - Road vehicles - Functional safety. The standards are available from the ISO website.
Checklists: do you meet the requirements of UNECE Automotive Security?
The UNECE catalog of requirements is broad and can be overwhelming at first glance. The following three checklists should give you a compact overview of the regulations - and a first impression of whether your existing management systems already comply with the UNECE regulations.
According to the UNECE Regulation on Cybersecurity and Cyber-Security Management Systems, in order to obtain type approval, manufacturers must meet the following requirements.
Requirements for cyber security management systems
- A CSMS is in place and can be applied to the development, production and post-production phases of road vehicles.
- Risk assessment analyses are performed and serve their purpose.
- Risk mitigation measures are identified.
- Functionality of risk mitigation is verifiable through testing.
- Measures are in place to identify and defend against cyberattacks.
- Methodical data forensics enables analysis of successful attacks.
- Measures are in place to support monitoring capacity for relevant threats, vulnerabilities, and cyber attacks.
- The vehicle manufacturer reports to the approval authority at least once a year.
According to the UNECE Regulation on Software Updates and Software Update Management Systems, in order to obtain type approval, manufacturers must meet the following requirements.
Requirements for software update management systems
- A software update management system is in place and it can be applied to road vehicles.
- The manufacturer fully documents updates.
- The update delivery mechanism is protected from tampering, and the integrity and authenticity of updates can be assured.
- Software identification numbers or software versions are protected from unauthorized modification.
- The software identification number is readable from the vehicle via an interface.
Requirements for over-the-air software updates
- A recovery function exists if the update fails.
- The software is only updated when sufficient power is available.
- The secure execution of updates can be guaranteed.
- Users are notified of each update and when it is completed.
- Updates are only executed when the vehicle is capable of doing so (for example, some updates cannot be done while driving).
- Users are informed when a mechanic is needed.
Set the course for successful certification with DQS
Information security and data protection are complex issues that go far beyond IT security. They encompass technical, organizational and infrastructural aspects and touch on legislative requirements. An information security management system (ISMS) in accordance with ISO/IEC 27001 is suitable for effective protective measures, and this can be ideally supplemented by a privacy information management system (PIMS) in accordance with ISO/IEC 27701. ISO 21434, in turn, could become the basis for the Cyber Security Management System (CSMS) soon to be required by licensing authorities.
DQS is your specialist for audits and certifications of management systems and processes. With our products for the automotive industry, such as quality management according to IATF 16949 or prototype protection at suppliers according to TISAX®, we and our auditors have already gained extensive industry knowledge. With the experience of more than 35 years and the know-how of 2,500 auditors worldwide, we are your competent certification partner and provide answers to all questions relating to data protection and information security.
Holger Schmeken
Product Manager for TISAX® and VCS, Auditor for ISO/IEC 27001, Expert for Software Engineering with more than 30 years of experience, and Deputy Information Security Officer. Holger Schmeken holds a Master's in Business Informatics and has extended audit competence for Critical Infrastructures in Germany (KRITIS).