Automotive Cyber Security
Question
Connected vehicles have numerous potential benefits for convenience, safety, travel time and access to mobility, and the features that deliver these have become essential selling points. Advances in autonomy will increase the number and types of connections and travellers’ reliance upon them. In 2020, most new vehicles are connected vehicles and many have online connections to safety-critical systems, putting them at risk of deadly hacks. It’s not clear that the automotive industry is fully equipped to deal with this and they may even be deceiving the public about their lack of preparedness.

In response to these challenges, the new UNECE WP.29 type approval regulations for cybersecurity and over-the-air (OTA) updates enter into force in January 2021. The cybersecurity management standard ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering” is also hotly anticipated next year. But is the industry ready?
Stepping up in this connected world is a major challenge for the established automotive industry and Intelligent Transport Systems (ITS) providers. A number of these challenges can’t be solved without addressing deep-rooted issues such as reluctance to collaborate, a lack of specialised security talent, and engineering processes that don’t consider security throughout the lifecycle.

The ARTS TN have organised a webinar on Automotive Cyber Security on 21 October 2020 at 11.00hrs BST. Ahead of the webinar we’d like to hear your views on the following questions:

•    How well are automotive and ITS businesses positioned to deal with security in their products and services? 
•    What do the various industries need to do to create conditions where security can be assured by design throughout the lifecycle of their products and services? 
•    What are the gaps, how big are they, and what capabilities are needed to address them?

If you have other questions that you’d like to post here, we will also consider these for discussion by our experts in the Q&A panel during the webinar.
 
4 Replies
I'm looking forward to hosting this event next week and the discussion here in the meantime.
Please do let us know how you see the industry responding to the challenges of security, and if you're not sure then why not propose a question for the panel?
Andy Millar
As an outsider to the automotive industry, it's appeared to me that one of the big issues may be that the very high focus on commercial confidentiality could prevent effective independent review of, e.g., cyber security measures. This is not to suggest negligence or a lack of competence in the companies concerned, just that, as the issues become more complex and the risks higher, a cross-industry collaborative and open approach is needed - as all safety critical industries have found over the last 30-40 years. I'd be interested to know whether this is actually an issue, and if so whether the automotive industry accepts that it is an issue (two slightly but critically different points!). This equally relates to autonomous automotive systems.

Thanks,

Andy

 
It's a very good point to make, Andy. From my observations, it's not only independent review that is an issue, it's also a problem between companies working together. It's very difficult to build the big picture. There's an interesting paper by one of my fellow PhD students at Coventry "Cybersecurity threats in the auto industry: Tensions in the knowledge environment" https://www.researchgate.net/publication/341610540_Cybersecurity_threats_in_the_auto_industry_Tensions_in_the_knowledge_environment which has some revealing insights about the lack of a collaboration culture.
The UNECE WP.29 regs, supported by ISO/SAE 21434, will be a much-needed focal point, as industry has been desperate for something to coalesce around on these issues. 21434 will specifically require that "A cybersecurity audit shall be performed to independently judge whether the organizational processes achieve the objectives of this document" and the DIS has been out since February, but I suspect this won't hit home until the standard is in force. It's going to be a steep learning curve for the manufacturers, the independent reviewers and the regulators. I'm involved in the development of ISO PAS 5112 currently, which is an auditing standard tied to 21434, but it's early days for that and it won't be a full standard. One of our speakers, Paul Wooderson, will be talking more about this at the webinar.
We had a wonderful response to this webinar, many thanks to our speakers and the 381 people who joined us live from 32 different countries. The recording will be available on demand soon and we'll post a link once available.

There were lots of questions from the audience that prompted a lively discussion. We didn't have time to answer everyone's questions live, but our speakers have kindly agreed to answer some more here. First up we have some answers from Paul Wooderson of HORIBA MIRA.

Q: What framework will UNECE WP.29 use (for compliance demonstration) before 21434 is issued?
Paul: 
ISO/SAE 21434 is widely seen as a key way of implementing the requirements of the regulation and demonstrating that they are met. However, there is no formal reference to ISO/SAE 21434 or any other standard or framework in the regulation itself; rather it allows any appropriate means to demonstrate compliance. Therefore vehicle manufacturers can use evidence of following ISO/SAE 21434 or appropriate combinations of other standards to demonstrate that they meet the regulation's requirements.

Q: Should ResiCAV software be installed in the car? Or does it run on a PC?
Paul:
ResiCAV is not software specifically but the project looked holistically at the challenge of achieving cybersecurity resilience. This included examining the technical and economic feasibility of solutions and methods that involve both in-vehicle and off-board aspects, as well as the capabilities and facilities that are required for the UK to develop, validate and operate these solutions.

Q: I am "lucky" enough to own a top USA brand of car that is leading autonomous driving. I am not sure the frequent updates have appropriate quality control since they fix one thing and break another. As a driver I'm not sure I would know my car was secure or indeed had been compromised? The pace and drive for commercial advantage feels way in advance of regulation. Who is holding suppliers to account?
Paul:
This is indeed a challenging area in which the pace of technological change is greater than the speed at which regulation can keep up. The introduction of the new UNECE regulations for cybersecurity and software updates means that adequate cybersecurity and safe and secure software updates are now a condition for getting new vehicles type approved for use in regions that adopt the regulations. This is an important step, although the pace differential of course still remains. Within the constraints of current regulatory frameworks, the new regulations do require ongoing monitoring, detection and response to emerging threats, although in the future more dynamic forms of assurance and regulation are likely to be required.
