Page 81 - Cyber Defense eMagazine September 2022

Full and Systematic Vehicle Cybersecurity

So, what does systematic automotive cybersecurity look like? Well – first of all, it's a process. In effect, the activities within this process satisfy the stated intentions of the standard. The standard imposes five global conditions. First, there's the requirement for overall governance, which is stipulated in Clause Five. Governance is a general term that describes the coordination of the entire effort. In the case of 21434, we are talking about creating a comprehensive framework of cybersecurity policies that both align with the organization's business purposes and define the organization's solution. These policies regulate the internal and external actions undertaken in the assurance process.

Procedures are the specific means to implement a governance process. These must be tailored to each policy. These procedures represent the organization's management solution. The requirements are itemized in Clause Six of the standard in the form of specific outcomes which will satisfy one of the particular criteria of the process.

Finally, there are the everyday operations that must be performed in an end-to-end fashion in the lifecycle. Requirements for this are specified in Clauses Nine through Fourteen of 21434. They are explicit actions that turn a defined procedure into specific activity in the local setting. These practices may differ as settings and products vary. But each activity will implement some integral aspect of the process. The outcomes of these actions are audited and documented to demonstrate compliance.

Two significant outside factors are also addressed. These are specified by the final three Clauses of the standard. First, the risk management process identifies threats, analyzes risks, develops mitigations where necessary, and communicates the findings across the organization. This is specified in Clauses Eight and Fifteen of the Standard. Finally, Clause Seven specifies best practices to address supply chain risk issues and is essentially a new feature in any standard for cybersecurity.


But wait… There's More?

Still, UNECE R-155 isn't the only regulation the OEMs will need to comply with. The other one is UNECE Regulation No. R-156. This regulation accompanies R-155, and it will be enforced in the same fashion. UNECE R-156 requires the presence of a comprehensive software update management system (SUMS). For what ought to be obvious reasons, over-the-air (OTA) updates are a particular target for R-156 assurance. The SUMS manages in-vehicle software updates under the R-156 criteria. That requirement applies to any vehicle that allows software updates, which is essentially every car today.

In essence, R-156 stipulates the creation of a documented baseline of software configuration items (SWCI) for every applicable initial and updated software version utilized by a vehicle type. The items in that baseline must be uniquely identified and labeled.
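As an added illustration (not code from the article, from R-156 or from any OEM's SUMS), a small Python sketch of what a SUMS could do with such a baseline: each SWCI carries a unique label and the digest of its approved image, and an OTA manifest is checked against the documented baseline before it is allowed to become the new baseline. The item labels, the use of SHA-256 and the data layout are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # ties a baseline entry to an image

@dataclass(frozen=True)
class SWCI:
    """One software configuration item (SWCI) in a vehicle-type baseline."""
    item_id: str   # unique label (naming scheme assumed here), e.g. "ECU-BCM/fw"
    version: str
    sha256: str    # digest of the approved image for this version

def build_baseline(items):
    """Index SWCIs by label; a baseline whose labels are not unique is rejected."""
    baseline = {}
    for it in items:
        if it.item_id in baseline:
            raise ValueError(f"duplicate SWCI id: {it.item_id}")
        baseline[it.item_id] = it
    return baseline

def check_update(baseline, manifest, images):
    """Validate an OTA manifest (list of SWCI) and delivered images {id: bytes}.
    Returns (baseline_after, findings); any finding rejects the whole update so
    the documented baseline only advances when every item checks out."""
    findings, candidate = [], dict(baseline)
    for it in manifest:
        if it.item_id not in baseline:
            findings.append(f"{it.item_id}: not a baselined item")
        elif it.item_id not in images:
            findings.append(f"{it.item_id}: no image delivered")
        elif digest(images[it.item_id]) != it.sha256:
            findings.append(f"{it.item_id}: image digest mismatch")
        else:
            candidate[it.item_id] = it
    return (candidate, []) if not findings else (baseline, findings)

# Constructed sample data: a two-item initial baseline for one vehicle type.
BCM_V1, BCM_V2, IVI_V1 = b"bcm-fw-1.0", b"bcm-fw-1.1", b"ivi-app-2.3"
BASELINE = build_baseline([SWCI("ECU-BCM/fw", "1.0", digest(BCM_V1)),
                           SWCI("IVI/app", "2.3", digest(IVI_V1))])
BCM_MANIFEST = [SWCI("ECU-BCM/fw", "1.1", digest(BCM_V2))]

def clean_update():
    """OTA that moves the BCM firmware to 1.1 with a matching image."""
    return check_update(BASELINE, BCM_MANIFEST, {"ECU-BCM/fw": BCM_V2})

def tampered_update():
    """Same manifest, but the delivered image differs from the approved digest."""
    return check_update(BASELINE, BCM_MANIFEST, {"ECU-BCM/fw": b"bcm-fw-1.1-x"})
```
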

            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.