Page 80 - Cyber Defense eMagazine September 2022
Controlling access to your vehicle's internal systems is vital to driving safety because your car depends
on tiny electronic control units (ECUs). These ECUs are nothing more than embedded logic installed to
perform a single operation, like braking. A controller area network bus (CAN-bus) ties the car's ECUs into
a complex system. That system enables every aspect of your automobile's digital functionality, from
entertainment to throttle control. It should be clear that explicitly designed and implemented
countermeasures are necessary to protect these digital components from unauthorized access.
Otherwise, a malicious third party could take remote control of your car. That would be a dangerous
condition in a parked vehicle. It is a subject of extreme concern if the car is doing seventy miles an hour
down a local freeway.
Accordingly, adopting a standard, systematic approach to monitoring and controlling the interactions
between the vehicle and its digital ecosystem is vital. There have been whack-a-mole attempts at
addressing the problem, such as immobilizers and discussions of purpose-built PKI for authentication.
But the fact is that the industry has always concentrated more on spreading the net to enable greater
access rather than devising ways to control it. That's because features sell cars. So dangerous
functionality, like onboard internet, has always gotten precedence over implementing a proven set of best
practices for stopping cyberattacks.
But that is going to change. In January of 2021, the International Standards Organization (ISO)
promulgated a comprehensive set of standard best practices for Road Vehicle Cybersecurity Engineering
(ISO/SAE 21434). These practices establish a formal and systematic cyber security management system
(CSMS). Specifically, ISO/SAE 21434 describes a systematic way to protect the vehicle from design,
development, production, operation, maintenance, and decommissioning risks. That advice
encompasses all internal connections, embedded systems, and external interfaces.
Realistically, the prospect of an OEM adopting an organization-wide CSMS wouldn't be worth discussing,
because in a world of profit, the requirements of ISO 21434 are far too costly. However, compliance with
21434 is tied to a United Nations Economic Commission for Europe (UNECE) regulation called UNECE
R-155, "Uniform Provisions Concerning the Approval of Vehicles with Regards to Cyber Security and
Cyber Security Management Systems." Cyber security management systems involve practical control
behaviors that ensure that all known cyber threats are addressed. R-155 mandates that every OEM must
provide audited proof that they have implemented a functioning Cyber Security Management System
(CSMS).
UNECE R-155 comes into effect in July of 2024. After that date, the countries that make up the UNECE
will require certification of a correctly configured CSMS to grant vehicle type approvals. Those approvals
are critical because the OEM would not be able to sell their cars if they didn't have them. Of course, this
deadline could change as the OEMs jockey with the UNECE. It should also be noted that this
mandate is for Europe only. Still, this initiative provides a commonly accepted standard definition of what
each OEM needs to do to safeguard their products in this digital age.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.