The automotive industry took up cybersecurity in earnest about six years ago and began investing in the design and deployment of cybersecurity solutions. In the automotive industry today, cybersecurity is provided by both hardware and software solutions, but there is a long way to go before every single ECU (electronic control unit) in a car is protected from cyberattacks that escalate.
Cybersecurity in the automotive industry is much more difficult than on smartphones and PCs for two main reasons:
- Dozens of ECUs in each car, connected by many electronic buses and responsible for different speeds and characteristics, and
- , , , , OBDII, USB SD-, , Bluetooth Wi-Fi, , , , , .
The reason for optimism is that in the field of automotive cybersecurity, more is being done to equip the car with its own hardware and software, as well as to develop cloud platforms that ensure cybersecurity. Several cybersecurity standards and regulations are emerging, further facilitating the deployment of cybersecurity solutions to all connected vehicles.
The following table summarizes the cybersecurity aspects covered in this column. Additional information will be provided in another author's column on this topic.
| Automotive Cybersecurity: Current State | ||
| Subject | Key information | other information |
| Cybersecurity threat status |
|
|
| , |
|
|
|
|
|
| WP.29 , |
|
|
|
|
||
|
|
|
| Cybersecurity market potential |
|
Read more in another column on cybersecurity |
Table Source: Egil Juliussen, May 2021
Status of Cyber Threats
Upstream Security has published several annual reports analyzing cyber attacks on vehicles. The newest of these reports, released in early 2021 (available at: https://upstream.auto/2021report/), covers data from 2010 to 2020 and looks at over 200 cyber car incidents around the world.
The report includes information on deep networks and the dark web, where car cybercriminals can communicate while maintaining significant anonymity. There are forums that discuss in detail attacks on connected vehicles, access to sensitive data, interception of vehicle control, and ways to steal a car. Even on the “shallow” web, cybercriminals often find online stores selling hacking tools, services that disable immobilizers, code grabbers, and guides to stealing cars.
| Directions of attacks in the automotive industry: 2010-2020 | |
| Hardware or software component | Share of the whole |
| Cloud servers | 32.9% |
| Keyless entry / key fob | 25.3% |
| Mobile app | 9.9% |
| Vehicle computer diagnostics port | 7.0% |
| Infotainment system | 8.4% |
| IT system | 7.0% |
| Sensors | 4.8% |
| (ECU-TCU) | 4,3% |
| 3,8% | |
| Wi-Fi | 3,8% |
| Bluetooth | 3,6% |
| 3,1% | |
| 2,4% | |
| USB SD- | 2,1% |
| : Upstream Security | |
In this case, it is interesting to consider the attack vectors, also called vectors. It clearly follows from this table that there are two most popular targets: cloud servers are the gateway for nearly 33% of all cyber attacks, as hackers try to gain access to valuable data that can be used to hack a car's cyber defense. Unprotected keyless entry or electronic key fobs are also often used for vehicle entry and theft. Mobile applications round out the top three: almost 10% of cyberattacks are carried out through them.
Interestingly, the total share of remote attacks is almost 80%, while the share of physical attacks is about 20%.
Upstream also categorizes cyberattack sources into white hat and black hat categories. The white hat is the sign of a hacker with no criminal intentions. These are mainly researchers who hack into systems to assess the degree of their reliability and identify vulnerabilities. Such researchers often receive job offers and / or rewards from the company they have hacked. A black hat is an attribute of a hacker who breaks into systems for mercenary or other criminal motives. In 2020, the black hat category accounted for 54.6% of all cyberattacks, up from 49.3% for the period from 2010 to 2020.
Research hackers also discover new vulnerabilities, independently or through bug bounty programs. Participants in such programs are rewarded if they find vulnerabilities in vehicles and services connected to them. The list of auto companies conducting such programs is only growing: there is already Tesla, as well as General Motors, Ford, Fiat-Chrysler, Daimler and others. They participate in bug bounty programs on specialized platforms, for example, BugCrowd, HackerOne, or run them on their own sites.
Vulnerabilities found in software components are published in reports on "Commonly Known Information Security Vulnerabilities" (CVE) under the program launched by MITER Corporation in 1999. There are 110 such reports related to the auto industry, in 2020, 33 were received, and for 2019 - 24.
ISAC in the automotive industry
Most industries have formed organizations to fight for cybersecurity; they are commonly referred to as "Clearinghouse and Analysis Centers" (ISACs). Auto-ISAC was founded in August 2015; it operates a central hub for the exchange, tracking and analysis of identified data on cyber threats, vulnerabilities and incidents related to connected vehicles. Its headquarters are located in Washington, DC, website on the Internet: Auto-ISAC - Automotive Information Sharing & Analysis Center (automotiveisac.com) .
Auto-ISAC affiliates account for over 99% of passenger cars sold in North America; it also includes over 45 global OEMs and suppliers. Auto-ISAC's membership has expanded to include heavy truck parts manufacturers and suppliers, as well as the commercial vehicle sector, in particular taxi companies. Suppliers include top-tier companies such as Argo, Intel, Motional, and Waymo.
There is also cooperation with other organizations. Auto-ISAC coordinates with 23 other ISACs overseeing key infrastructure areas such as healthcare, aviation, telecommunications and financial services.
ENISA
The European Union's Network and Information Security Agency (ENISA) is the EU's cybersecurity authority across Europe. ENISA participates in the formation of EU cyber policy, contributes to increasing confidence in ICT products, services and processes related to cyber security certification. ENISA is active in the cyber defense of vehicles and has issued several important reports.
In February 2021, ENISA published the document “Cybersecurity Challenges Related to the Implementation of Artificial Intelligence in Autonomous Driving”. The report provides an insight into the cybersecurity challenges posed by AI in vehicles. The problem is described in the context of policies implemented both at the European and wider international level.
In November 2019, ENISA published the document “Recommendations for ensuring information security of smart cars”. This report identifies good practices for the safety of connected cars and semi-autonomous vehicles. In 2017, ENISA published the Cybersecurity and Reliability of Smart Cars document, which focuses on recommended practices for auto parts manufacturers and suppliers to protect embedded automotive systems from cyberattacks.
The main requirement for cybersecurity standards and regulations is to protect the vehicle throughout its entire life cycle, from design to production and then to customer use.
After two years of preparation and editing, the UN adopted the ECE cybersecurity document WP.29 on 24 June 2020. WP.29 operates in 54 countries including the EU, UK, Japan and South Korea. These 54 countries account for about 35% of the world's car production. Many other countries accept UN vehicles. The United States is not among these 54 countries. All manufacturers, including US automakers selling vehicles in these markets, must follow the cybersecurity requirements of WP.29 for all their products and processes.
UN regulations are legally enforceable. If a country or region adopts the WP.29 regulation, then all component manufacturers operating in it need proof of conformity in order to undergo compulsory certification and further eligibility to operate on the market. In Europe, compulsory certification requires mutual recognition of compliance with the regulations at the level of the entire vehicle. If a manufacturer obtains a certificate for a certain type of vehicle in one EU country, then it can sell such a model in all EU countries without further verification.
The WP.29 regulation consists of two main cybersecurity directives for vehicles. More on them in the next section.
ISO / SAE 21434 develops a new cybersecurity standard for vehicles, with a focus on complementary cybersecurity during the vehicle engineering phase. This standard describes the requirements for managing cybersecurity risks, with an emphasis on building a process and common terminology for communicating and addressing such risks. The standard does not contain descriptions of specific technologies or proposals for specific solutions related to cybersecurity.
This standard was developed by a joint working group from ISO and SAE organizations and will be published by both. More than 25 automakers and 20 top-tier suppliers are involved in the development of the standard. A clean version of ISO / SAE 21434 was prepared in March 2021. Probably, the publication of the standard is postponed until 2022.
The standardization work carried out by ISO / SAE 21434 is linked and developed in coordination with the activities of the EU and ECE on WP.29.
Another important standard is Uptane, developed for OTA software updates. Uptane was officially launched in January 2017. The Uptane Alliance was formed in 2018. It is a non-profit organization under the auspices of the IEEE Industry Standards and Technology Organization (ISTO). Uptane was formalized as the IEEE / ISTO 6100 standard in July 2019, then version 1.0 was released. The Uptane Alliance will provide oversight of the new Uptane standards, as Uptane 1.1 was introduced in January 2021. Many companies offer software products that comply with the Uptane standard. software products.
ECE Cybersecurity Paper WP.29
In June 2020, two new UN cybersecurity regulations were adopted through WP.29. Both regulations are applicable to all types of vehicles, updated in March 2021. The implementation of these regulations in some countries will begin in 2021 and 2022, wider implementation in 2023 and 2024.
The first document focuses on cybersecurity and cybersecurity management systems (CSMS). The latest update of the CSMS document is available at E / ECE / TRANS / 505 / Rev.3 / Add.151 (unece.org) .
WP.29 Definition of CSMS: CSMS refers to a systematic risk-based approach that defines the organizational processes, responsibilities and governance to properly understand the risks associated with cyber threats to vehicles and protecting vehicles from cyber attacks.
The CSMS document provides an excellent overview of cybersecurity threats and an extensive list of vulnerabilities and attack methods. Appendix 5 contains 10 pages of vulnerabilities, categorized into multiple categories. The first of the tables below summarizes the threats and vulnerabilities. There are 6 types of threats and many types of vulnerabilities (29) with many examples (67) listed in the CSMS document.
| Cybersecurity Threats and Vulnerabilities Summary from WP.29 | ||
| Table no. | Threat type | Examples and types of vulnerabilities |
| A1 |
|
|
| Data source: E / ECE / TRANS / 505 / Rev.3 / Add.151 (unece.org) | ||
The following table summarizes the cybersecurity threat mitigation measures described in the CSMS document. The data from table B describe the threats arising on board the car, the data from table C - the threats arising outside the car.
| Summary of WP.29 Cyber Threat Prevention Techniques | |||
| Table no. | , | ||
| B1 | 20 | ||
| B2 | 5 | ||
| B3 | , | 2 | |
| B4 | 7 | ||
| B5 | 14 | ||
| B6 | , | 8 | |
| B7 | 1 | ||
| B8 | 1 | ||
| C1 | 6 | ||
| C2 | 2 | ||
| C3 | 3 | ||
| : E/ECE/TRANS/505/Rev.3/Add.151 (unece.org) | |||
If you are interested in the topic of automotive safety, we recommend that you study the original document with all the data.
The second regulatory document deals with software update processes and update management systems (SUMS). The SUMS document is available at E / ECE / TRANS / 505 / Rev.3 / Add.151 (unece.org) .
WP.29 SUMS Definition: Software Update Management System is a systematic approach that defines which organizational processes and procedures must comply with the requirements for the delivery of software updates according to this regulation.
A new UN regulation on universal prerequisites for software updates and software update management systems applies to vehicles that are dependent on software updates. This regulation also applies to trailers and agricultural machinery, as well as passenger vehicles, vans, trucks and buses.
When updating programs on WP.29 from the component manufacturer it is required:
- Record software and hardware versions for each vehicle type.
- Document the software update procedure
- Identify programs important for mandatory certification
- Make sure the software for this component is working correctly
- Identify software component interdependencies for future updates
- Identify target vehicles and make sure they are compatible with the update
- Determine if the update affects safety, in particular driving safety
- Evaluate whether the software update affects the passage of mandatory certification
- Inform car owners about updates
The manufacturer of vehicle components must meet the following requirements:
- Develop a software update management system for all of its vehicles in service.
- Protect the software update procedure by ensuring its integrity and authenticity.
- Protect software identification numbers
- Ensure that the software identification number is affixed to the vehicle in a legible manner.
- When updating programs online, you must:
Macleod VPS servers are fast and secure.
Register using the link above or by clicking on the banner and get a 10% discount for the first month of renting a server of any configuration!
