NX Automotive

Understanding Automotive Cybersecurity, its challenges and ISO/SAE-21434

Automotive Cybersecurity

The automotive industry is heading towards digital transformation, where vehicles will communicate with the external environment and use V2V, V2I, and V2X data to make autonomous driving decisions. This expanded capability introduces cybersecurity risks that can threaten the vehicle and its owner. This blog explains automotive cybersecurity, its challenges, and a new standard, ISO/SAE-21434, for the cybersecurity of on-road vehicles.

According to Markets and Markets, the Global Automotive Cybersecurity Market size is projected to grow from USD 1.9 billion in 2020 to USD 4.0 billion by 2025.

Recent advances and the increased use of electronics in the manufacturing of connected, autonomous, and electric vehicles have made the vehicle E&E architecture very complex. As vehicles get connected to outside networks via V2I, V2X, V2V, or V2G, they become more vulnerable to cyber-attacks. These attacks are a serious threat to the functional safety of the vehicle and may cause financial damage.

Automotive cybersecurity protocols play a crucial role in protecting vehicles from malicious attacks. Automotive cybersecurity secures the in-vehicle and external communication networks, electronic systems, software, and data of connected vehicles.

In this blog, we will discuss automotive security, cybersecurity, its challenges, and ISO/SAE 21434, the standard for automotive cybersecurity. Let's talk about these topics one by one.

Understanding Automotive Security

Before jumping directly into automotive cybersecurity, it is important to understand what kind of security we will be discussing and which generation of vehicle falls under the automotive security metrics.

The automotive security landscape can be divided into four major categories: Vehicle Network Security, Vehicle to Backend Security, Backend Security (Ensures Infrastructural Security), and Vehicle to Everything security.

Vehicle Network Security means applying automotive security measures to ECU-to-ECU communication in a vehicle, whether that vehicle network is based on CAN bus, CAN FD, or Automotive Ethernet. Vehicle to Backend Security covers, for example, sending a secured message from an ECU to the backend. Backend Security ensures infrastructural security, and V2X security deals with the security of the vehicle when it is communicating with the external environment.

When we talk about automotive cybersecurity, we must establish which generation of connected vehicle we need to make cyber secure. In the history of automotive technology, connected vehicle technology is divided into four generations.

Generation 1 connected vehicles are connected via mobile devices, Bluetooth, or physical cables. Gen 2 connected vehicles are connected to the backend; these vehicles have infotainment and OBD-II ports and receive GPS signals. Gen 3 vehicles have smart infrastructure, connect to on-road systems, and support V2X communication. Finally, fourth-generation connected vehicles are Level 4 and Level 5 autonomous vehicles / electric vehicles, which will seamlessly interact with the environment and have the potential to accept automotive cybersecurity measures. Gen 4 connected vehicles will not only interact with the outside environment, but will also absorb tons of data and make decisions based on it.

So, it becomes extremely important to define the cybersecurity measures and the generation of connected vehicle on which they shall be implemented.

What is Automotive Cybersecurity?

As the automotive segment has evolved from delivering Level 1 autonomous vehicles to delivering Level 4 / Level 5 autonomous vehicles, a tremendous amount of R&D, innovation, and investment has gone into it. Modern-day vehicles have super-advanced ADAS features, HD infotainment systems, high-speed networking protocols, and many other devices and sensors to support autonomous, connectivity, shared mobility, and electric vehicle features. All this is backed by more than 100 ECUs with millions of lines of source code in a vehicle.

So, every ECU node, part, sensor, network, and interface in a vehicle is vulnerable to cyber threats, and these cyber threats can be very hazardous when it comes to autonomous and connected vehicles.

Automotive cybersecurity can be defined as a set of practices and principles which are designed to protect automotive electronic systems, communication networks, software, control algorithms, vehicle data, and information, from malicious attacks, damage, unauthorized access, or manipulation.

Designing cybersecurity solutions for automobiles may range from threat analysis through security strategies and architectures to the implementation and testing of all the security functions.

Automotive cybersecurity in the future will be a stack of different blocks, such as cybersecurity management, security mechanisms, and security processes. Cybersecurity management is very important on the organizational front and will define the security policies, documents, and lifecycle of the entire process. Along with security management, security mechanisms will play a key role in placing the technologies and tools that protect the automotive systems of the respective layers against cyber-attacks. Security processes will help in enabling the implementation of cybersecurity measures as mentioned in ISO 21434.

Automotive Cybersecurity Challenges

Cybersecurity in the automotive industry is completely different from what we see in IT. New-age automotive technologies, mainly in autonomous driving and vehicle connectivity, rely on data from the surroundings or from the network. Data received by the vehicle from any external source can be tampered with or spoofed to get unauthorized access to the secured information of the vehicle or the owner. The data-driven features of smart cars rely on a complex infrastructure of ECUs, networks, and sensors, and applying cybersecurity to such a complex structure brings unprecedented challenges to new-age automotive functions. Some of them are as follows:

  • Growing Connected Vehicles: The global connected car market is expected to reach USD 166.00 bn by 2025, and this will significantly increase the number of connected cars on the road and consequently the probability of cyber-attacks. The number of connected cars is growing fast, but at the same time there is a lack of cybersecurity awareness and of active management of cybersecurity policies in organizations, which results in slower adoption of cybersecurity measures in cars.
  • System Complexity and Big Data: Nowadays, vehicles are more digitalized and interconnected, and dealing with more than 100 ECUs in a vehicle is like dealing with a smart computer running on wheels. All the networking devices, ports, computers, and servers are densely packed in a vehicle, and mitigating cybersecurity risks for all these millions of networks is a big challenge. Imagine the scale of data to manage when OEMs need to manage millions of vehicles on the road.

Despite such a large volume of data and the challenge of securing all the vulnerable ports, OEMs are embedding cybersecurity measures into the design and manufacturing stages of the vehicle.

  • Automotive Supply Chain: Supply chains in the automotive industry are very complex. They include the integration of third-party software, components, communications, and application protocols, which makes automotive systems more vulnerable to cybersecurity threats. It is very difficult to ensure automotive cybersecurity with multiple players involved in designing and developing the automotive systems. Each player must deal with their own set of specifications, complying with different standards, to design automotive systems and software. Interconnected systems provided by multiple distinct suppliers increase the possibility of weak cybersecurity measures and result in a vulnerable network.
  • Time to Market: It takes approximately four to five years to bring a vehicle from concept design into production. Those four long years encapsulate all the major decisions about vehicle architecture, connectivity, physical and virtual security, and operating system security. Though all the testing is done to maintain the software before the vehicle hits the production line, many times system bugs, fixes, vulnerabilities, and cybersecurity practices are not scrutinized, which results in delayed production. Delayed production compels OEMs to use a legacy system rather than developing a new one.

To overcome all the automotive cybersecurity challenges discussed above, all industry suppliers must embrace proper security controls for their automotive systems and solutions.

Other automotive challenges such as safety, security, cost, durability, and the use of modern embedded system controllers and ECUs must be addressed diligently, and proper automotive cybersecurity standards are much needed. One such automotive cybersecurity standard is ISO 21434, which is designed exclusively for road vehicles to address all the security challenges and ensure appropriate cybersecurity. ISO 21434 is a well-defined standard with guidelines to mitigate the security risks and organization-level risks in a vehicle across the entire supply chain. Let’s discuss ISO 21434 and understand why we need to be ready for ISO 21434 for automotive cybersecurity.

ISO/SAE-21434 for Automotive Cybersecurity

ISO 21434 “Road vehicles — cybersecurity engineering” is an automotive standard. It focuses on the cybersecurity risk in automotive electronic systems. ISO 21434 compliance covers all the automotive electronic systems, components, vehicle software and in-vehicle and external connectivity. ISO 21434 will provide a structured process and ensure that automotive cybersecurity practices are properly followed and implemented in in-vehicle products and systems throughout their lifetime.

In the future, this standard will also create a culture of designing and producing all automotive systems and solutions (whether on the hardware side or the software side) with cybersecurity at the forefront.

The structure of ISO 21434 is very wide, and it contains modules such as continuous cybersecurity activities, risk assessment methodologies, product design and development phases (concept phase, development phase, and post-development phase), and distributed cybersecurity activities.

Cybersecurity activities in the ISO 21434 structure will cover all aspects of cybersecurity with respect to automotive solutions, such as cybersecurity monitoring, event management, vulnerability analysis, and vulnerability management.

On the other hand, risk analysis, which is one of the prime modules of this standard, will cover asset identification, attack path analysis, threat scenario identification, risk determination, and treatment decision.
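
The risk-analysis steps listed above, worked through as an added example (not part of the original blog and not the standard's own text): each threat scenario names an asset, rates its attack paths, and yields a risk value and a treatment decision. The rating level names follow ISO/SAE 21434; the numeric matrix, the acceptance threshold, and the two sample scenarios are constructed assumptions.

```python
from dataclasses import dataclass

# Rating levels, lowest to highest.
IMPACT = ["negligible", "moderate", "major", "severe"]
FEASIBILITY = ["very low", "low", "medium", "high"]

# Assumed risk matrix for illustration: rows = impact, columns = attack
# feasibility, values 1 (lowest) to 5 (highest). Organizations define their own.
RISK_MATRIX = [
    [1, 1, 1, 1],  # negligible
    [1, 2, 2, 3],  # moderate
    [1, 2, 3, 4],  # major
    [2, 3, 4, 5],  # severe
]

@dataclass
class ThreatScenario:
    asset: str          # asset identification
    threat: str         # threat scenario identification
    impact: dict        # impact category -> rating
    attack_paths: dict  # attack path analysis: path -> feasibility rating

def assess(s, accept_at_or_below=1):
    """Risk determination and treatment decision for one threat scenario."""
    # The worst impact category and the most feasible attack path drive the risk.
    impact = max(IMPACT.index(r) for r in s.impact.values())
    feasibility = max(FEASIBILITY.index(r) for r in s.attack_paths.values())
    risk = RISK_MATRIX[impact][feasibility]
    # Hypothetical policy: retain risks at or below the threshold, reduce the rest.
    return risk, ("retain" if risk <= accept_at_or_below else "reduce")

# Constructed sample scenarios, not taken from any real vehicle program.
BRAKE = ThreatScenario(
    asset="brake request messages on the chassis network",
    threat="spoofed brake request accepted by the brake ECU",
    impact={"safety": "severe", "operational": "major"},
    attack_paths={"telematics unit -> gateway -> chassis network": "low",
                  "OBD-II port with physical access": "medium"},
)
LIGHTING = ThreatScenario(
    asset="ambient lighting setting",
    threat="setting changed without the driver's consent",
    impact={"operational": "negligible"},
    attack_paths={"infotainment touchscreen": "high"},
)

if __name__ == "__main__":
    for s in (BRAKE, LIGHTING):
        print(s.asset, "->", assess(s))
```

The lighting scenario shows why feasibility alone does not decide the outcome: a highly feasible path with negligible impact still lands at the lowest risk value.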

All these cybersecurity practices should be implemented while developing digital applications and connected systems for level 3 and level 4 of connected vehicles. Even the programming languages used to design supporting applications must support secure design and coding techniques and must have explicit syntax and semantic definitions.

Final Thoughts

Automotive cybersecurity is a new concept, but it will have a huge impact on the systems and solutions being developed for new-age connected vehicles. Automotive solution providers must investigate the nitty-gritty of the new standard, ISO 21434, and include it in their cybersecurity plan.