The Internet of Automotive Things

The challenge of securing cars from cyberattack is growing due to changes in the way they are designed, made and used. These include:

  • Complexity: a modern vehicle may include more than 100 microcontrollers, whose functions are closely coupled and strongly connected
  • A strong requirement for systems to analyze and act in real time
  • A requirement to enable secure firmware updates in the field – for years after sale
  • A requirement to support multiple interfaces, ranging from the automotive CAN bus right through to consumer Bluetooth, cellular and Wi-Fi links
  • The uptake of ‘drive by wire’ strategies, which replace a direct mechanical linkage between driver input and vehicle response with sensors and actuators
  • Electrification, which has increased the complexity of onboard electronics, boosted competition and so shrunk the time to market for new models
  • The push for vehicle autonomy, which further increases system complexity while making the costs of security breaches much higher
  • V2X strategies, which involve vehicles becoming connected to other vehicles, roadside infrastructure, home energy systems, the power grid, infotainment service providers, etc.

As in many other markets, car makers must abide by, and respond to, a wide variety of standards, codes of practice and regulations which, taken together, seek to protect users from cybersecurity breaches. These documents vary widely in how prescriptive they are, from stating a broad ambition to giving concrete guidance on achieving and sustaining vehicle cybersecurity.

ISO 26262

ISO 26262 is the functional-safety standard for the electrical and electronic systems of road vehicles. It requires car makers to consider how a vehicle will behave when a component fails, i.e. how the system responds if something goes wrong. Each hazard is classified into one of four Automotive Safety Integrity Levels (ASIL A to D), which set how rigorously the associated risk must be analyzed and mitigated. Properly applied, meeting the requirements of ISO 26262 means embedding consideration of the risks of failure throughout the entire automotive lifecycle, from design to decommissioning. It addresses malfunctions rather than deliberate attack, but the lifecycle discipline it imposes is the foundation on which the cybersecurity standards below build.

SAE J3061_202112

SAE International’s J3061_202112 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems is a handbook of best practices for establishing and maintaining cybersecurity in what it calls ‘cyber-physical vehicle systems’. This includes:

  • Defining a lifecycle framework that can be tailored to an organization’s development processes to incorporate cybersecurity measures throughout a vehicle’s conceptualization, design, production, operation, service, and decommissioning.
  • Providing information on common tools and methods used when designing, verifying and validating cyber-physical vehicle systems.
  • Providing basic principles on cybersecurity for vehicle systems.
  • Providing the foundation for further standards development activities in vehicle cybersecurity.

ISO 21434

ISO/SAE 21434 (Road vehicles – Cybersecurity engineering), developed jointly by ISO and SAE, takes the story on from J3061 and is the standard that has superseded it. Rather than addressing a single attack surface, it specifies cybersecurity engineering for a vehicle’s electrical and electronic systems, including their electronic control units (ECUs) and the communications between them, across the whole lifecycle from concept through development, production, operation and maintenance to decommissioning. It requires car makers to define cybersecurity policies and processes, to assess and manage cybersecurity risk through threat analysis and risk assessment, and to foster a cybersecurity culture that understands and controls cyber risks. It is also the standard most commonly used to demonstrate the cybersecurity management system that UNECE R155 (below) demands.

US NHTSA Cybersecurity Best Practices for the Safety of Modern Vehicles

The US Department of Transportation’s National Highway Traffic Safety Administration has published a document entitled Cybersecurity Best Practices for the Safety of Modern Vehicles, which covers similar ground. In its brief section on cryptographic techniques (8.2) it says:

“Cryptographic techniques should be current and non-obsolescent for the intended application.”

“While the selection of appropriate cryptographic techniques is an important design criterion, it should be noted that implementation issues often determine any system’s security.

“Cryptographic credentials help mediate access to vehicle computing resources and back-end servers. Examples include passwords, PKI certificates, and encryption keys.

“Cryptographic credentials that provide an authorized, elevated level of access to vehicle computing platforms should be protected from unauthorized disclosure or modification.”

In a further section on software updates (8.8) it recommends:

“Automotive manufacturers should employ state-of-the-art techniques for limiting the ability to modify firmware to authorized and appropriately authenticated parties.”

It goes on to comment that “firmware updating systems which employ signing techniques could prevent the installation of a damaging software update that did not originate from an authorized source.”

The document’s emphasis on using current cryptographic techniques, and on the importance of how they are implemented, is a reminder that a cybersecurity strategy is only as strong as its weakest link: a sound algorithm protects nothing if the key that drives it can be read out or overwritten. A hardware root of trust, which gives a connected device a unique, immutable identity and a place to keep keys that software cannot extract, provides the firmest foundation on which to build an automotive cybersecurity strategy.

UNECE R155 & R156

The United Nations Economic Commission for Europe (UNECE) working party #29 (WP.29) has also put forward two regulations: R155, which covers cyber security and the cyber security management system (CSMS) a manufacturer must operate, and R156, which covers software updates and the software update management system (SUMS). Both are binding on vehicle type approval in the jurisdictions that have adopted them. They are meant to protect vehicles against cybersecurity threats and require countermeasures that are underpinned by effective cryptographic protections.

For example, in R155, Table A1 in Annex 5 lists cyber threats and corresponding mitigations. Among these threats are ‘4.3.7 – Potential vulnerabilities that could be exploited if not sufficiently protected or hardened’. It lists the related attack methods as:

  • Combination of short encryption keys and long period of validity enables attacker to break encryption
  • Insufficient use of cryptographic algorithms to protect sensitive systems
  • Using already or soon to be deprecated cryptographic algorithms

In Table B1, the regulation lists threats and mitigations related to vehicle communication channels. In section 4.2 of the table it outlines the charmingly named ‘Sybil attack’, in which a single threat actor forges many identities so that a vehicle’s systems see, and must deal with, many non-existent vehicles on the road. As mitigation it says, ‘Security controls shall be implemented for storing cryptographic keys (e.g., use of Hardware Security Modules)’: if each identity must be backed by a protected key, an attacker cannot mint identities at will. There are similar calls to use strong cryptographic functions to verify the integrity and authenticity of software updates and of the providers supplying them, and to prevent the extraction of cryptographic keys.

UNECE Regulation R156 focuses on protecting software updates and software update management systems. In the lengthy list of general specifications that a vehicle maker must meet to gain approval to R156, the regulation says:

“Security – the vehicle manufacturer shall demonstrate:

  • The process they will use to ensure that software updates will be protected to reasonably prevent manipulation before the update process is initiated
  • The update processes used are protected to reasonably prevent them being compromised, including development of the update delivery system
  • The processes used to verify and validate software functionality and code for the software used in the vehicle are appropriate.”
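The NHTSA recommendation that firmware updates be signed, and the R156 requirement that updates be protected against manipulation before installation, come down to the same device-side check. The following is an added example, written for this page and not taken from NHTSA, UNECE or any vehicle manufacturer, of how an ECU might verify a signed update: the signature over a small manifest is checked first, the image is then bound to the manifest through its SHA-256 digest, and a version field stops an attacker re-installing an old, signed but vulnerable image. The manifest layout, the in-memory Ed25519 key pair, the sample image bytes and the function names are all assumptions made for the example; in a real vehicle the verifying key would be held in a hardware root of trust rather than in process memory.

```go
// Added example: verifying a signed firmware update before installation.
// Illustrative code, not from NHTSA, UNECE or any vehicle OEM. The manifest
// layout and the in-memory Ed25519 key pair are assumptions for the example;
// a production device would keep the verifying key in a hardware root of trust.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest layout (assumed): 4-byte big-endian version || sha256(image).
// Only the manifest is signed; the image is bound to it through the digest.
const manifestLen = 4 + sha256.Size

type Update struct {
	Manifest  []byte // version || sha256(image)
	Signature []byte // Ed25519 signature over Manifest
	Image     []byte // firmware payload
}

var (
	ErrMalformed     = errors.New("update: malformed manifest or signature")
	ErrBadSignature  = errors.New("update: signature not from an authorized signer")
	ErrImageMismatch = errors.New("update: image digest does not match signed manifest")
	ErrRollback      = errors.New("update: version is not newer than installed firmware")
)

// SignUpdate is the release-side step: hash the image, build the manifest,
// sign the manifest with the OEM's private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := make([]byte, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	digest := sha256.Sum256(image)
	copy(m[4:], digest[:])
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m), Image: image}
}

// VerifyUpdate is the device-side step. Checks run in this order:
// 1. structural sanity (lengths), 2. signature over the manifest,
// 3. image digest against the signed digest, 4. anti-rollback.
// Nothing in the image is trusted until step 2 has passed.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) (uint32, error) {
	if len(u.Manifest) != manifestLen || len(u.Signature) != ed25519.SignatureSize {
		return 0, ErrMalformed
	}
	if !ed25519.Verify(pub, u.Manifest, u.Signature) {
		return 0, ErrBadSignature
	}
	got := sha256.Sum256(u.Image)
	if subtle.ConstantTimeCompare(got[:], u.Manifest[4:]) != 1 {
		return 0, ErrImageMismatch
	}
	version := binary.BigEndian.Uint32(u.Manifest[:4])
	if version <= installed {
		return 0, ErrRollback
	}
	return version, nil
}

func main() {
	// Constructed sample: a throwaway OEM key pair and a fake image.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("ECU firmware image v7 (constructed sample payload)")
	upd := SignUpdate(priv, 7, image)

	v, err := VerifyUpdate(pub, 6, upd)
	fmt.Println("genuine update:", v, err)

	tampered := upd
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xff // one flipped byte in the payload
	_, err = VerifyUpdate(pub, 6, tampered)
	fmt.Println("tampered image:", err)

	_, err = VerifyUpdate(pub, 7, upd) // same version already installed
	fmt.Println("rollback attempt:", err)
}
```

The ordering matters: the signature is verified before the image is hashed or parsed, so unauthenticated bytes never reach a parser, and the version comparison is made on the signed manifest rather than on any header inside the image. A device that enforces this check rejects an image signed by anyone other than the OEM, an OEM-signed image whose payload has been altered in transit, and a genuine but superseded image replayed to reintroduce a known vulnerability, which together are the manipulations R156 asks the manufacturer to demonstrate protection against.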
