Fortunately, that reality has prompted an increasing focus on vehicle cybersecurity. There are now multiple frameworks and standards aimed at improving it. One of the most recent is the National Highway Traffic Safety Administration’s (NHTSA’s) draft of “Cybersecurity Best Practices for the Safety of Modern Vehicles.” And while the timing of the draft (it was released in mid-December) was a bit earlier than Chris Clark expected, it did not come as a surprise. Clark, senior manager, automotive software and security, with the Synopsys Automotive Group, declared in a blog post he coauthored earlier this year that he expected 2021 to be “the year of automotive standards.”
Not that standards are new. ISO 26262, from the International Organization for Standardization (ISO), addresses safety-related systems that include one or more electrical and/or electronic (E/E) systems. It has been around for a decade and was updated in 2018.
As a Synopsys blog post puts it, the focus of that standard is on “ensuring that automotive components do what they’re supposed to do, precisely when they’re supposed to do it.”
More recently, ISO/SAE 21434, created by ISO and the Society of Automotive Engineers, calls for “OEMs and all participants in the supply chain (to) have structured processes in place that support a ‘Security by Design’ process” covering the development and entire lifecycle of a vehicle. Those include requirements engineering, design, specification, implementation, test, and operations. A first draft of ISO/SAE 21434 was released a year ago, with the final standard expected by the middle of this year.
But those two are private-sector, industry initiatives. ISO is “an independent, non-governmental international organization with a membership of 165 national standards bodies.” That, as Clark puts it, illustrates that “the automotive industry has historically been very strong proponents of self-regulation.”
And while in the past that self-regulation had more to do with physical functionality and safety, more recently the industry has also been proactive in looking at how it can address cybersecurity. But the NHTSA best-practices document means government is going to play a more direct role. “It’s a good starting point for automotive organizations to say this is a real thing,” Clark said. “NHTSA isn’t just saying, ‘Do something about cybersecurity.’ It’s outlining explicit items that have to be addressed.”
And he thinks NHTSA’s best practices along with ISO/SAE “are going to provide the automotive industry a good sounding board to look at how we address cybersecurity from a risk-based perspective. I think everybody could agree that the biggest concern is the risk of autonomous driving.” The goal isn’t perfection. “We’re not building a space shuttle, we’re building a car,” Clark said. “If we wanted to have every single security feature to ensure that a vehicle never failed, we couldn’t afford it.”
But that doesn’t mean vehicle cybersecurity can’t improve—a lot.