Navigating the road ahead for automotive cybersecurity

For security teams in the automotive industry, 2021 was an extremely busy year. Cybersecurity became a requirement for market access and compliance, so the entire industry faced a challenging timetable.

• The United Nations Regulation WP.29 R155 states, “In the European Union, the new regulation on cyber security will be mandatory for all new vehicle types from July 2022 and will become mandatory for all new vehicles produced from July 2024.”
• On August 31, 2021, the official version of ISO/SAE 21434 "Road vehicles - Cybersecurity engineering" was released. This document defines a framework for cybersecurity process requirements and cybersecurity risk management for the entire life cycle of vehicle products.
• In China (the world’s largest automotive market), on September 14, 2021, the Equipment Industry Development Center of the Ministry of Industry and Information Technology issued the "Opinions on Strengthening the Management of Intelligent Networked Automotive Manufacturers and Product Access." This requires automotive original equipment manufacturers (OEMs) to conduct self-assessments for vehicle data security, cybersecurity, software over-the-air (OTA) upgrades, and driving assistance functions. The results were required to be reported before October 12, 2021.

The security groups in automotive companies are experiencing "forced growth" brought about by rigorous cybersecurity compliance requirements. Although each standard specifies detailed and clear requirements, security groups must sort through these complicated checklists to formulate a work action plan that can be implemented within the limitations of each organization’s abilities.

On the one hand, individual security activities have been transformed into a process-based cybersecurity management system (CSMS). On the other hand, automotive firms must focus limited resources quickly to efficiently establish enterprise security capabilities that meet compliance requirements. That these are two very different approaches (single-point vs. landscape, depth vs. breadth) is the crux of the issue facing automotive OEM security teams. How other companies solved this problem is a very valuable reference.

Governance-led efforts

UN R155 stipulates that vehicle OEMs need to first prove the basic capabilities of their cybersecurity systems and processes. Each model produced requires a type approval to prove that specific products have specific implementations that were made in accordance with the requirements of the certified cybersecurity system and process. However, many vehicle OEMs have adopted the opposite approach. The regulations and standards themselves are used as the cybersecurity requirements of the project. That makes it possible for the work products to serve as evidence of compliance across the whole enterprise.

The BSIMM12 report notes that companies have two paths to achieve a mature security system. One is to construct a security system from top to bottom through compliance requirements. The other is to improve security capabilities through the engineering team. 

Because BSIMM is a descriptive model, it describes and compares these two approaches but it doesn’t evaluate the pros and cons of them. Organizations that choose a governance-led approach usually start by defining a software security initiative, which is an organization-wide program to instill, measure, manage, and evolve software security activities in a coordinated fashion. The leader of such an initiative first establishes a centralized team structure. This might not involve immediately hiring employees, but it may be necessary to form a full-time team to implement key activities to support the further definition and institutionalization of software security-related policies, standards, and procedures at the organizational level. 

The BSIMM12 report defines three key security activities.

• Policy: Create policy
• Standards: Create security standards
• Process: Publish process and evolve as necessary

However, in the current organizational structure of many automotive OEMs, security teams often come from engineering research and development teams, and they are not sufficiently empowered to implement security-related policies, standards, and procedures at the enterprise level. Further, it’s often the case that security groups don’t have adequate support and budget. Therefore, security teams should limit the focus of these key activities to a specific project, using the project budget. 

BSIMM also observed that governance-led and emerging engineering-led approaches to software security improvement embody different perspectives on risk management that might not correlate. Governance-led groups often focus on rules, gates, and compliance, while emerging engineering-led efforts usually focus on feature velocity, error avoidance through automation, and software resilience.

Success does not require identical viewpoints, but collectively the viewpoints need to converge in order to keep the firm safe. That means the teams must collaborate on risk management concerns to build on their strengths and minimize their weaknesses. Although many automotive OEMs construct their cybersecurity systems through engineering projects, this approach still requires the security group to understand the overall framework. So it’s vital that the security team gets sufficient support within the enterprise, not just limited to specific projects.

Assess risks with the TARA method

In the official release of ISO/SAE 21434, an entire chapter was dedicated to threat analysis and risk assessment (TARA) activities and related requirements. This reflects the importance of TARA activities in the automotive industry. 

Some regard TARA merely as a prework for developing product security requirements, and many automotive OEMs and component suppliers still implement TARA by hiring external security experts and consultants.  Of course, it is now necessary to implement TARA in accordance with the detailed requirements defined in ISO/SAE 21434. Although security teams have a good understanding of the security protection mechanism (cybersecurity controls), the challenge is communicating the cybersecurity requirements to the engineering team.

TARA activities rationalize and optimize cybersecurity requirements by identifying potential threats and assessing the risks posed by these threats. Another important purpose of these activities is tracing the relationship between external threats and risks and security countermeasures, so organizations can determine the priority of subsequent cybersecurity developing and testing activities based on different risk levels. This will enable security teams to focus on responding to high-risk threats. If we refer to ISO/SAE 21434, Cybersecurity Assurance Level (CAL) is used for such traceability. A successful TARA activity should help the security group understand where to put the (very limited) budget to improve security in important areas.

BSIMM's security framework also emphasizes the practice of attack models in the domain of intelligence. These attack models help the security team think about security issues from the perspective of an attacker, so they can collect threat modeling inputs, abuse cases, data classification, and technology-specific attack patterns. BSIMM12 notes 11 observed security activities related to attack modeling that can be used as references to help the security group fill in any shortcomings in this area.

Create an incident response plan

There is no 100% secure system or product, so the main goals of security are to respond to security incidents in a timely and effective manner and to perform risk management well. The software security framework in BSIMM12 specifically defines configuration management and vulnerability management as important security practices, and details 12 related security activities. For example, 84% of BSIMM12 participants have their software security team work closely with the organization’s incident response team to keep critical security information flowing in both directions. Opening communication channels with infrastructure and software vendors is also a very important task for software security groups. Furthermore, BSIMM also includes security activities that illustrate how to use a security incident response to improve existing security processes.