automotive cyber security

Automotive cybersecurity is a complex and evolving field, and it requires collaboration between the automotive industry, governments, and the cybersecurity community to develop and implement effective security measures. This is especially important as the industry shifts towards increased connectivity and autonomy, which makes cars more vulnerable to cyber attacks.

As automotive technology advances, so too do the cybersecurity measures used to protect vehicles from hackers and other malicious actors. Automotive cybersecurity secures communication networks, electronic systems, software and data collected by the new generation of intelligent cars. By implementing strict automotive cybersecurity protocols, we can help keep our cars safe from attacks that could jeopardize our safety on the road.

According to a report by the Software Engineering Institute at Carnegie Mellon University, there were more than 50 different types of cyber attacks against vehicles in 2019. The majority of these attacks were focused on stealing personal information and gaining unauthorized access to the vehicle’s systems, but there were also a number of attacks that aimed to disrupt or disable the vehicle’s operation.

Another report by KPMG found that the number of cyber attacks on the automotive industry increased by 300% between 2017 and 2019. The report also found that the average cost of a cyber attack on a car manufacturer is around $11.5 million.

The trend of increasing attacks on the automotive industry is expected to continue in the future. The Cybersecurity Ventures research estimates that the annual cost of cybercrime will reach $10.5 trillion globally by 2021, and the automotive industry will be one of the most affected sectors.

In terms of regional statistics, a study by the European Union Agency for Cybersecurity (ENISA) states that in 2020, the highest number of reported cyber incidents in the transport sector (including automotive) came from Germany, the United Kingdom and France, with the majority of incidents being related to phishing and malware.

These statistics highlight the importance of automotive cybersecurity and the need for companies in the industry to take proactive measures to protect their vehicles from cyber attacks. It’s clear that the number of attacks on the automotive industry is increasing, and the cost of these attacks can be significant. Therefore, it’s vital for companies in the industry to invest in cybersecurity measures to protect their vehicles and the personal information of their customers.

What makes cars more vulnerable to cyber attacks?

Cars are becoming more vulnerable to cyber attacks as they are increasingly being equipped with advanced technologies such as:

Connected car cybersecurity System

Cars are becoming increasingly connected to other vehicles, infrastructure, and the cloud, which allows for the exchange of data and commands. This also means that cars have more entry points for cyber attackers to exploit.

Autonomous driving

Autonomous driving systems rely on a large amount of sensor data, such as cameras, lidar, and radar, to make decisions about the vehicle’s movement. Cyber attackers could potentially manipulate this data to cause the vehicle to make dangerous decisions.

Electric powertrains

Electric vehicles (EVs) have a battery management system (BMS) and charging infrastructure that need to be protected from cyber attacks. Attackers could potentially disrupt the charging process or damage the battery.

Advanced driver-assistance systems (ADAS)

ADAS systems, such as lane departure warning, adaptive cruise control, and automatic emergency braking, rely on sensor data and software algorithms to function. Cyber attackers could potentially manipulate this data to cause the system to malfunction.

In-vehicle entertainment systems and third-party applications

Cars are now being equipped with internet-connected infotainment systems and third-party applications, which increases the potential attack surface. Attackers could potentially use these systems as a way to gain access to the car’s internal network and control systems.

All these technologies are interconnected and are controlled by complex software systems that are difficult to secure. Additionally, car manufacturers have to take into consideration the long life cycle of a car and the software updates that will be needed in the future to keep the car protected. This makes cars more vulnerable to cyber attacks and requires a more proactive approach to security from the automotive industry.

What are the Risks of cyber attacks on cars or vehicles? An Explanation

The risk of cyber attacks on cars can be significant, as it can compromise the safety and security of the vehicle and its occupants, as well as the data stored on the car. Data security risks demonstrate the importance of automotive cybersecurity and the need for car manufacturers and other stakeholders to take proactive measures to protect vehicles and their systems from cyber attacks. Some of the main risks of cyber attacks on cars include:

  1. Physical harm: Cyber attacks on cars can lead to the manipulation of the vehicle’s systems, which can cause accidents or other dangerous situations. For example, an attacker could take control of the car’s steering, braking, or accelerator, which could lead to a crash.
  2. Data breaches: Cars are equipped with a large amount of data, such as personal information, location data, and driving habits. Cyber attacks on cars can lead to the theft of this data, which can be used for identity theft, fraud, or other malicious activities.
  3. Disruption of service: Cyber attacks on cars can disrupt the normal functioning of the vehicle, leading to inconvenience and additional expenses for the owner. For example, an attacker could disable the car’s engine, causing it to stop running, or disrupt the charging of an electric vehicle.
  4. Reputation damage: If a cyber attack on a car is successful and leads to a data breach, it could cause damage to the car manufacturer’s reputation and result in financial losses.
  5. Privacy breaches: Cars are equipped with a variety of sensors and cameras that can collect personal data about the driver and passengers. An attacker could access this data and use it for unwanted surveillance, or even blackmail.
  6. Supply chain attack: Cyber attacks on cars could also target the supply chain of the car manufacturer, for example, by compromising the software of a third-party supplier, which could then be used to introduce malware into the car system
  7. Infrastructure disruption: Cars are becoming increasingly connected to other vehicles and infrastructure, such as traffic lights and navigation systems. A successful cyber attack on a car could disrupt the normal functioning of these systems, causing inconvenience and even safety hazards for other drivers and pedestrians.

Automotive cyber security standards List

There are several automotive cyber security standards that have been developed to ensure the safety and security of vehicles and their systems.

Some of the most notable five automotive cyber security standards include:

  1. ISO/SAE 21434
  2. UL 4600
  3. NIST SP 800-193
  4. SAE J3061
  5. ISO/IEC 15408

ISO/SAE 21434 – standard for cyber security in automotive

ISO/SAE 21434 is an international standard for automotive cyber security management systems that was developed by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE). It provides guidelines for identifying, assessing, and managing cyber security risks in the development, production, and operation of vehicles.

The standard is divided into several sections, including:

  1. General requirements: This section provides an overview of the standard and defines its scope and objectives. It also establishes the requirements for a cyber security management system (CSMS) and defines the roles and responsibilities of various stakeholders.
  2. Risk management: This section provides guidelines for identifying, assessing, and managing cyber security risks throughout the lifecycle of a vehicle. It covers everything from the initial design and development of the vehicle to its operation and disposal.
  3. Secure development: This section provides guidelines for ensuring the secure development of vehicles and their systems. It covers topics such as secure coding practices, threat modeling, and testing and validation.
  4. Secure production: This section provides guidelines for ensuring the secure production of vehicles and their systems. It covers topics such as supply chain management, secure configuration, and incident response.
  5. Secure operation: This section provides guidelines for ensuring the secure operation of vehicles and their systems. It covers topics such as secure communications, secure data storage, and incident response.
  6. Compliance: This section provides guidelines for demonstrating compliance with the standard, including self-assessment and third-party assessment.

ISO/SAE 21434 is intended to be used in conjunction with other relevant standards and regulations, such as ISO 27001 and UL 4600. The goal of the standard is to provide a comprehensive and consistent approach to managing cyber security risks in the automotive industry and ensure the safe and secure operation of vehicles.

It is important to note that the standard is not mandatory and it is not enforced by any regulatory body. However, it is widely recognized and adopted by automotive industry and it’s expected to be widely adopted in the coming years.

Why is ISO 21434 important?

ISO/SAE 21434 is an important standard because it provides a comprehensive framework for identifying, assessing, and managing cyber security risks in the automotive industry. This is particularly important as vehicles become increasingly connected and autonomous, which introduces new cyber security risks and challenges.

Some specific reasons why ISO/SAE 21434 is important include:
  1. Comprehensive Coverage: The standard covers all aspects of the lifecycle of a vehicle, from the initial design and development to the production and operation. This ensures that cyber security risks are considered and managed throughout the entire process.
  2. Industry Recognition: ISO/SAE 21434 is an internationally recognized standard, developed by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE). This means that organizations can demonstrate their compliance with the standard to customers, partners, and regulators, and it is widely recognized and adopted by the automotive industry.
  3. Risk Management: The standard provides guidelines for identifying, assessing, and managing cyber security risks throughout the lifecycle of a vehicle. This includes the development of a comprehensive cyber security management system (CSMS) and a risk management plan, which are critical for ensuring the safety and security of vehicles and their systems.
  4. Compliance: The standard provides guidelines for demonstrating compliance with the standard, including self-assessment and third-party assessment. This helps organizations to prove that they have taken the necessary steps to protect against cyber security risks and to comply with regulatory requirements.
  5. Flexibility: The standard is flexible and can be adapted to the specific needs of an organization. It can be used in conjunction with other standards and regulations, such as ISO 27001 and UL 4600, to provide a comprehensive approach to managing cyber security risks.

ISO/SAE 21434 is an important automotive security standard because it provides a comprehensive framework for identifying, assessing, and managing cyber security risks in the automotive industry, which is critical for ensuring the safety and security of vehicles and their systems. It is widely recognized and adopted by the automotive industry and it provides guidelines for demonstrating compliance with the standard which is important for customers, partners, and regulators.

UL 4600 Automotive Cyber Security Standard

UL 4600 is a standard developed by Underwriters Laboratories (UL) for evaluating the cyber security of autonomous vehicles. The standard provides a framework for developing and testing the cyber security of autonomous vehicles and it is intended to be used by manufacturers, suppliers, and other stakeholders involved in the development, production, and operation of autonomous vehicles.

From the perspective of a CISO, some key aspects of UL 4600 include:

  1. Cybersecurity Plan: UL 4600 requires the development of a comprehensive cyber security plan that outlines the approach and processes for identifying, assessing, and mitigating cyber security risks throughout the lifecycle of the autonomous vehicle. This includes the identification of potential threats, vulnerabilities, and impacts, as well as the development of countermeasures and incident response plans.
  2. Risk Assessment: UL 4600 requires the assessment of cyber security risks to the autonomous vehicle and its systems, including both internal and external threats. This includes the identification of potential vulnerabilities, such as software bugs, as well as the evaluation of the likelihood and impact of potential attacks.
  3. Secure Design and Development: UL 4600 requires the use of secure design and development practices, such as secure coding practices, threat modeling, and testing and validation. This includes code review, penetration testing, and fuzz testing, to identify and fix vulnerabilities in the autonomous vehicle’s systems.
  4. Secure Production: UL 4600 requires the implementation of secure production practices, including supply chain management, secure configuration, and incident response. This includes the implementation of security controls to protect against unauthorized access or tampering of the autonomous vehicle’s systems during production and distribution.
  5. Compliance: UL 4600 requires the demonstration of compliance with the standard, including self-assessment and third-party assessment. The standard also includes a testing and validation process to ensure that the autonomous vehicle’s systems meet the requirements of the standard.

Overall, UL 4600 provides a comprehensive framework for evaluating the cyber security of autonomous vehicles, from the initial design and development phase to the production and operation phase. This standard is intended to help organizations ensure the safety and security of autonomous vehicles and the protection of personal data.

NIST SP 800-193 Automotive Cyber Security Standard

NIST SP 800-193 provides a comprehensive framework for securing connected vehicles. It covers the various aspects of security, such as risk management, secure communications, secure data storage, secure development, incident response, and compliance, that organizations should consider when protecting connected vehicles and personal data. NIST SP 800-193 is a standard developed by the National Institute of Standards and Technology (NIST) that provides guidelines for securing connected vehicles. From the perspective of a CISO, some key aspects of NIST SP 800-193 include:

  1. Risk Management: NIST SP 800-193 requires the implementation of a risk management process to identify and assess cyber security risks to the connected vehicle and its systems. This includes the identification of potential threats, vulnerabilities, and impacts, as well as the development of countermeasures and incident response plans.
  2. Secure Communications: NIST SP 800-193 requires the implementation of secure communications for the connected vehicle, including the use of secure protocols, encryption, and authentication. This includes the use of secure communication channels between the vehicle and other systems, such as the cloud, as well as the use of secure protocols for vehicle-to-vehicle communication.
  3. Secure Data Storage: NIST SP 800-193 requires the implementation of secure data storage for the connected vehicle, including the use of secure storage devices and the encryption of sensitive data. This includes the storage of personal data and the protection of data at rest and in transit.
  4. Secure Development: NIST SP 800-193 requires the use of secure development practices, such as secure coding practices, threat modeling, and testing and validation. This includes code review, penetration testing, and fuzz testing, to identify and fix vulnerabilities in the connected vehicle’s systems.
  5. Incident Response: NIST SP 800-193 requires the implementation of an incident response plan for the connected vehicle, including the identification and reporting of security incidents, the containment of incidents, and the recovery from incidents. This includes incident handling procedures and the reporting of security incidents to authorities.
  6. Compliance: NIST SP 800-193 requires the demonstration of compliance with the standard, including self-assessment and third-party assessment. The standard also includes a testing and validation process to ensure that the connected vehicle’s systems meet the requirements of the standard.

This standard is intended to help organizations ensure the safety and security of connected vehicles and the protection of personal data.

SAE J3061 Automotive Cyber Security Standard

SAE J3061 is a standard developed by the Society of Automotive Engineers (SAE) for developing a cyber security program for automotive systems. SAE J3061 provides a comprehensive framework for developing and managing cyber security programs for automotive systems. The standard is intended to be used by manufacturers, suppliers, and other stakeholders involved in the development, production, and operation of automotive systems and it covers both vehicle and non-vehicle systems.

From the perspective of a CISO, some key aspects of SAE J3061 include:

  1. Cybersecurity Management System (CSMS): SAE J3061 requires the development and implementation of a CSMS, which is a framework for identifying, assessing, and managing cyber security risks throughout the lifecycle of the automotive systems. This includes the development of policies, procedures, and guidelines for cyber security, as well as the assignment of roles and responsibilities for cyber security within the organization.
  2. Risk Management: SAE J3061 requires the assessment of cyber security risks to the automotive systems and the development of a risk management plan. This includes the identification of potential threats, vulnerabilities, and impacts, as well as the development of countermeasures and incident response plans.
  3. Secure Development: SAE J3061 requires the use of secure development practices, such as secure coding practices, threat modeling, and testing and validation. This includes code review, penetration testing, and fuzz testing, to identify and fix vulnerabilities in the automotive systems.
  4. Secure Production: SAE J3061 requires the implementation of secure production practices, including supply chain management, secure configuration, and incident response. This includes the implementation of security controls to protect against unauthorized access or tampering of the automotive systems during production and distribution.
  5. Secure Operation: SAE J3061 requires the implementation of secure operation practices, including secure communications, secure data storage, and incident response. This includes the implementation of security controls to protect against unauthorized access or tampering of the automotive systems during operation and maintenance.
  6. Compliance: SAE J3061 requires the demonstration of compliance with the standard, including self-assessment and third-party assessment.

This standard is intended to help organizations ensure the safety and security of automotive systems and the protection of personal data, by providing best practices and guidelines for identifying and mitigating cyber security risks.

ISO/IEC 15408 Automotive Cyber Security Standard

ISO/IEC 15408, also known as Common Criteria (CC), is an international standard for evaluating the security of IT products and systems, including vehicles. The standard provides a framework for testing and certifying the security features of IT products and systems, and it is intended to be used by manufacturers, suppliers, and other stakeholders involved in the development, production, and operation of IT products and systems.

From the perspective of a technical implementation point of view, some key aspects of ISO/IEC 15408 include:

  1. Security Target: ISO/IEC 15408 requires the development of a security target, which is a document that describes the security features of the IT product or system and the security requirements that it must meet.
  2. Evaluation: ISO/IEC 15408 requires the evaluation of the IT product or system against the security requirements specified in the security target. This includes the testing of the security features of the product or system and the assessment of the design and development processes used to create the product or system.
  3. Certification: ISO/IEC 15408 requires the certification of the IT product or system by an independent evaluation facility, if the product or system meets the security requirements specified in the security target.
  4. Protection Profiles: ISO/IEC 15408 provides a set of protection profiles that define the security requirements for specific types of IT products and systems. These protection profiles can be used as a starting point for the development of a security target for a particular IT product or system.
  5. Evaluation Assurance Level (EAL): ISO/IEC 15408 defines a set of evaluation assurance levels (EALs) that indicate the level of rigor used in the evaluation of an IT product or system. The higher the EAL, the more extensive the evaluation and testing required.
  6. Security functionality: ISO/IEC 15408 provides a set of standard security functionality that IT products and systems should have, such as access control, identification and authentication, and audit.

Overall, ISO/IEC 15408 provides a comprehensive framework for evaluating the security of IT products and systems, including vehicles. This standard is intended to help organizations ensure the safety and security of their IT products and systems by providing a means for testing and certifying the security features of those products and systems.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top