Published on : Wednesday 08-06-2022
Nagarjuna Gottemukala explains the need for framing of policies to create a cybersecurity culture for the automotive industry.
There are dozens of computers in modern cars, and they aren't simply for navigation or music. Nearly every system in your vehicle, including steering, brakes, and the engine itself, is monitored and controlled by computers. This is why cybersecurity in the automotive industry is critical.
Attackers can obtain information or maybe even take control of a car if the computer systems aren't properly protected. As you might expect, this makes automobile cybersecurity a huge problem for both consumers and automakers.
One of the difficulties is the large number of internal subsystems called electronic control units located inside a vehicle's electronic system (ECUs). The modern ECU is essentially a computer that collects data from directly connected sensors or indirectly connected buttons, switches, and other bus nodes, processes it, and controls directly connected actuators or indirectly connected bus nodes such as LED indications.
Different types of internal bus protocols connect ECUs, allowing them to share vital vehicle state variables in real time. Software and data are essential components of each ECU, enabling not only the flawless operation of the vehicle subsystem to which it is dedicated, but also the organised collaboration of all ECUs so that the vehicle reacts appropriately to all internal and external inputs.
The controller area network flexible data-rate (CAN/CAN FD), LIN, MOST, Ethernet, and FlexRay are among the protocols that accompany the expanded connection of these new autos to facilitate data flow between bus nodes. CAN is notable for being vulnerable to injection attacks. Modern cars have a gateway ECU that connects and separates internal vehicle buses, but it's safe to believe that this component wasn't designed to operate as a security device.
CAVs (Connected and Autonomous Vehicles) are a new technology that has the potential to alter automotive transportation and urban landscapes if handled wisely. In the context of highway transportation, CAVs have been introduced as a subset of Cyber-Physical Systems (CPSs), which include digital software platforms, physical infrastructure, and human components.
It's vital to emphasise that this research is focused on CAVs for clarity and consistency. There are many various perspectives on the future of vehicle automation, and there is a propensity to use phrases like connected car, smart car, autonomous car, driverless car, and self-driving car interchangeably. A CAV, on the other hand, is neither the same as a Connected Vehicle (CV) or an Autonomous Vehicle (AV); the two are distinct.
CVs can communicate and exchange information wirelessly with other vehicles, external networks, and infrastructure using Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2I), Vehicle-to-Network (V2N), and Vehicle-to-Everything (V2X) technologies, but this does not necessarily imply that they can drive themselves. End-users of the CV would benefit from a suite of services that integrate information, infrastructure, and communication technologies to increase transportation efficiency and security.
Autonomous vehicles (AVs) are vehicles that can drive themselves without the need for human involvement. This study uses the International Organization of Motor Vehicle Manufacturers (OICA) definition of levels of automation, which is based on the Society of Automotive Engineers (SAE) International Standard J3016 and refers to six levels of autonomy: 0 refers to no autonomy, 1 to driver assistance, 2 to partial automation, 3 to conditional automation, 4 to high automation, and 5 to full automation. Although the two technologies can be complementary, AVs may not be coupled.
A vehicle can be categorised as a CAV if it is both networked and autonomous. CAV refers to any vehicle that can sense its surroundings, move, navigate, and behave responsibly without human intervention, while also having connectivity functions that allow it to be proactive, cooperative, well-informed, and coordinated. It reveals professional opinions on fully empowered CAVs' privacy and cyber security concerns.
Common security challenges of current vehicle technologies
A large number of ports on systems are accessible online, all of which could be exploited by cybercriminals. It's critical to have a well-implemented and security-first hardware and software design that makes hostile assaults difficult to launch. However, in the automotive business, a systematic approach to security is now unusual.
An attacker who has taken control of any ECU’s execution can travel laterally to any target or place of interest. A basic and innocent in-vehicle infotainment (IVI) ransom lock, for example, can be used by an attacker. The danger and impact for car users can, however, increase as the attacker can easily move to other components of the vehicle, such as disabling and holding the engine start function for ransom; continuing denial of service (DoS) attacks on drivetrain ECUs and forcing them to fail; or initiating dangerous actions such as controlling the brakes, steering, engine, and/or airbag actuators. Controlling a connected car to cause a fatal crash is possible with precise planning and timing but impossible to show in formal post-crash examinations.
While automobile manufacturers would prefer to see tighter regulations implemented, while car makers would prefer to install more robust security procedures and mechanisms in connected vehicles, the industry's current structure makes defence implementation difficult.
Typical difficulties include:
a. Challenges in Vulnerability Mitigation
b. Software tampering and aftermarket goods, and
c. In-vehicle interconnection techniques that are not secure.
The automotive industry has recognised these needs and has invested in the development of an industry standard to address cybersecurity challenges and safeguard assets. A committee draft of the ‘ISO/SAE DIS 21434 Road Vehicles Cybersecurity Engineering’ standard was recently produced by the joint working group of the standardisation organisations ISO and SAE. This standard achieves a consistent understanding of security by design in product development and throughout the supply chain, according to the automobile industry.
ISO/SAE DIS 21434 Structure and Sections
The first guideline for cyber-physical vehicle systems cybersecurity, SAE J3061, was published in January 2016, marking the start of ISO and SAE's collaboration on the creation of a cybersecurity standard for road vehicles which was completed in September 2016. The goal of the first standard (ISO/SAE 21434) was to:
(a) define a structured procedure for ensuring cyber secure design
(b) reduce the likelihood of a successful attack and losses
(c) give explicit methods for responding to cybersecurity threats consistently throughout global industry.
As previously stated, ISO/SAE DIS 21434 is intended for use in road vehicles and focuses on establishing minimal cybersecurity engineering criteria. Neither cybersecurity technology, solutions, nor remedial procedures are mentioned in the standard. There are no special criteria for self-driving vehicles or road infrastructure. A risk-based strategy to action prioritisation and systematic elicitation of cybersecurity measures is recommended.
The ISO/SAE DIS 21434 focuses on cybersecurity efforts across the vehicle life cycle, from design to production, operation and maintenance, and decommissioning. The structure of the ISO/SAE DIS 21434 draft, as illustrated in Table 1 is examined and briefly discussed in this section before being more thoroughly described in the subsequent sections of this work.
1. The scope of the norm is defined in Section 1.
2. The second section contains normative references.
3. Abbreviated terminology and definitions of terms used in the document are defined in Section 3.
4. The car ecosystem, organisational cybersecurity management, and the linked automotive lifecycle are all described in Section 4.
5. The organisational cybersecurity strategy, policy and objectives are described in Section 5.
6. Section 6 defines risk management requirements, which include a plan and technique for determining the amount to which a potential scenario or incident poses a threat to a road user.
7. Section 7 covers the idea phase and defines cybersecurity goals based on a threat analysis and risk assessment, as well as cybersecurity needs definition to meet the goals.
8. Section 8 outlines the implementation and verification of cybersecurity requirements relevant to the product development stage.
9. Section 9 focuses on the production, operation, and maintenance phases, as well as the requirements for ensuring that cybersecurity specifications are implemented in the manufactured item, as well as in-field cybersecurity actions.
10. Supporting processes, such as organisational procedures, are described in Section 10.
More than 80 entities from the automobile industry, cybersecurity, electronic parts manufacturing businesses, and other sectors contributed to the creation of ISO/SAE 21434 as a new baseline standard. This explains why automotive companies need to create a cybersecurity culture employing governance, policies, processes, and tools in order to stay up with developing technology and attack tactics when designing electrical parts for automobiles. As some of the world's most powerful firms anticipate its impact on their customers and the rules that will result from it, they are expected to plan their future models and designs around the standards in the next few years. Because the sector is highly tiered, every change, regardless of supply chain direction, necessitates coordinated management.
These changes will have an impact on the security of freshly manufactured vehicles. In the meanwhile, stakeholders who use cars that do not meet the standards should be protected by using adhoc remedies. Automotive manufacturers can collaborate with independent and commercial researchers to develop solutions tailored to the industry.
Nagarjunareddy Gottemukkala recently completed his Master's degree in mechatronics and cyber-physical systems in Germany and will shortly begin working for DEKRA DIGITAL GmbH as an Automotive cybersecurity engineer. He has studied advanced robotics, autonomous systems, cyber-physical systems, artificial intelligence, and machine learning, among other subjects.
Nagarjunareddy has an upbeat mindset and passion for new technology that makes life easier to complete tasks in a far more efficient and timely manner. Because the world is evolving at a breakneck pace, keeping up is more important than ever, and by implementing new technologies, the desired goal can be achieved more clearly and with more quality.