SAE is the standards development organization for the USA, with many of their standards being cited in both US and global regulations, particularly related to safety. For the last several years both automotive OEMs and Tier 1 suppliers, as well as many additional stakeholders in the automotive supply chain have teamed with industry experts in security to develop requirements for automotive cybersecurity. Recently this work culminated in the ratification of the SAE J3061 standard titled the Cybersecurity Guidebook for Cyber-Physical Vehicle Systems, issued by the Vehicle Electric System Security Committee. This was the result of extensive collaboration, and the work towards accelerating the ratification of this document was undoubtedly driven by the mandated recall of 1.4 million vehicles by Fiat Chrysler Automobiles do to the very public hacking incident of a Jeep Grand Cherokee exposed by security researchers Dr. Charlie Miller and Chris Valasek in the summer of 2015.
Soon after this incident occurred Synopsys was asked by members of the automotive industry to provide a draft procurement language document that they could drive through the supply chain to provide the industry with a means of ascertaining a level of cyber assurance that the industry could use to sign off on security. We quickly produced this document and freely distributed to the industry, and it was very well received. Additionally, members of the automotive industry began to coalesce around the notion of developing cybersecurity testing requirements that the industry could use to provide a consistent methodology for determining the cybersecurity assurance level for all systems and devices throughout the entire automotive supply chain. In March of 2016 (this month) the task force was formed under the J3061 working group, and Mike Ahmadi, Global Director of Critical Systems Security for the Synopsys Software Integrity Group (and author of the aforementioned procurement language) was offered the chairmanship of the working group, which he graciously accepted.
Prior to the creation of the SAE working group interest throughout the automotive industry for creating cybersecurity testing standards was so high that Mike Ahmadi led a grass roots working group known as the Featherstone working group (so named because the first meeting took place on Featherstone road at Fiat Chrysler Automobiles in Michigan), which was well attended, and formed the basis of the work that has been carried forward to the SAE task force.
Now the real work begins, but Synopsys remains confident that progress will be made rapidly, due to the precipitous interest, and overwhelming support from the automotive industry, and SAE. Stay tuned as we continue on this quest to create a cybersecurity sign off process.