by Paige Ludl | 11/28/2022
Automotive cybersecurity is set to become a key feature in software-defined vehicles, with a variety of standards emerging to ensure the safety and security of connected vehicles. Functional safety standards, such as ISO 26262, have been implemented across the automotive industry, but cybersecurity has only recently been addressed. Both safety and security play an important role in securing various imbedded systems, and satisfying different functional safety standards increasingly requires proportional investments in security. Modern vehicles are using increasingly complex software to support various ADAS and infotainment features, which opens up the potential attack surface for bad actors. Engineers across various automotive companies have adopted security-focused standards at different rates depending on their target application, and are using different methods to respond to security requirements (see Exhibit 1).
As advancements in vehicle technology push us further to autonomous vehicles, the risk associated with malicious attacks on connected vehicles is significant and has already been demonstrated long ago (e.g., 2015 Jeep Cherokee Uconnect hack). Although this attack was voluntary to showcase a potential weakness, a malicious attack is entirely possible and has the potential to cause extreme harm to passengers and pedestrians. Preparing for this possibility is a major concern across the automotive industry, and regulating bodies have recently published new standards, such as the ISO/SAE 21434 and UNECE WP.29, to address these concerns. Market demand for pre-certified or certifiable software development tools and stack components will accelerate in automotive for the variety of emerging functional safety and security standards.
Exhibit 1: Actions Respondent’s Organization Has Taken in Response to Security Requirements by Automotive Project Type
(Percentage of Respondents)
ISO 26262 was released in 2011 to address requirements for functional safety, meaning ISO 26262 helps ensure that automotive electronic components are accurate and timely to avoid system failures or unintended behavior. ISO 26262 ensures that safety is incorporated to each stage of automotive component engineering, from the concept phase to service and decommissioning. In addition, ISO 26262 provides risk classes by defining Automotive Safety Integrity Levels (ASIL) and requires Hazard Analysis and Risk Assessment (HARA). Although ISO 26262 provides a comprehensive standard for functional safety, it fails to address cybersecurity concerns hence the creation of new standards.
ISO/SAE 21434, released in 2020, builds upon ISO 26262 and uses a similar approach to address cybersecurity. ISO/SAE 21434 details procedural and organizational requirements to accomplish sufficient vehicle cybersecurity by outlining the security steps required throughout the vehicle’s lifecycle. ISO 21434 defines a Threat Analysis and Risk Assessment (TARA) process to evaluate and assess the methods, treatment, and planning for identifying risks, which is similar to HARA in ISO 26262. Rather than outlining specific cybersecurity technologies or solutions, ISO 21434 emphasizes risk identification processes and established methods to best manage cybersecurity risks. Beyond addressing cybersecurity concerns in a vehicles lifecycle, ISO 21434 lays a framework for a cybersecurity management system (CSMS), a set of systems and process for an organization to produce safe and secure products.
UNECE WP.29 – UN R155 and UN R156
The United Nations Economic Commission on Europe (UNECE) is a major regulatory player in the automotive space, which includes members such as the EU, South Korea, Japan, Turkey, and Russia. There are two main automotive regulations that resulted from the commission, UN R155 and UN R156, both of which will be legally required for vehicle manufacturers selling in UNECE countries past July 2024. R155 describes general requirements for vehicle cybersecurity, while R156 is for software updates and software update management systems.
The WP.29 regulations are complimentary to ISO 21434, as WP.29 defines the requirements and ISO 21434 offers information on how best to satisfy these requirements. R155 goes one step further than ISO 21434 by requiring organizations to create certified CSMS via an audit to manage cyber threats.
Even though WP.29 only legally applies to UNECE countries, it is likely to be widely adopted in the industry meaning US, Canadian, and Chinese auto suppliers and manufacturers will need to incorporate WP.29 practices into their products. Companies that offer automotive cybersecurity software or services solutions that adhere to WP.29 and ISO 21434, such as BlackBerry QNX, Green Hills Software, MathWorks, IBM, ANSYS, dSPACE, ETAS and Vector Informatik, are best positioned to support these emerging compliance requirements moving forward.
ISO 24089 is in development and is set to come out in 2023. ISO 24089 will provide technical requirements for software updates and will be applicable to vehicles, their systems, and vehicle infrastructure. ISO 24089 addresses organizational policy, project planning and management, software infrastructure requirements, and more.
Vehicle manufacturers must adjust their plans accordingly to incorporate these new security standards alongside functional safety standards, as they are both crucial for automotive software development. The standards mentioned above will become requirements for more vehicle manufacturers, even if some regulations do not apply globally. Other regulating bodies such as the NHTSA in the U.S. have already released cybersecurity best practices, and may incorporate ISO 21434 in the future. As we move closer to fully autonomous vehicles, the risk associated with potential attacks will continue to increase. Vehicle manufacturers will need more pre-certified or certifiable software development tools, hardware, and workflows/documentation to maintain safety and security.
Vehicle manufacturers will need more pre-certified or certifiable software development tools, hardware, and workflows/documentation to maintain safety and security.