Page 81 - Cyber Defense eMagazine September 2022
Full and Systematic Vehicle Cybersecurity
So, what does systematic automotive cybersecurity look like? Well – first of all, it's a process. In effect,
the activities within this process satisfy the stated intentions of the standard. The standard imposes five
global conditions. First, there's the requirement for overall governance, which is stipulated in Clause Five.
Governance is a general term that describes the coordination of the entire effort. In the case of 21434,
we are talking about creating a comprehensive framework of cybersecurity policies that both align with
the organization's business purposes and define the organization's solution. These policies regulate the
internal and external actions undertaken in the assurance process.
Procedures are the specific means to implement a governance process. These must be tailored to each
policy. These procedures represent the organization's management solution. The requirements are
itemized in Clause Six of the standard in the form of specific outcomes which will satisfy one of the
particular criteria of the process.
Finally, there are the everyday operations that must be performed in an end-to-end fashion in the
lifecycle. Requirements for this are specified in Clauses Nine through Fourteen of 21434. They are explicit
actions that turn a defined procedure into specific activity in the local setting. These practices may differ
as settings and products vary. But each activity will implement some integral aspect of the process. The
outcomes of these actions are audited and documented to demonstrate compliance.
Two significant outside factors are also addressed. These are specified by the final three Clauses of the
standard. First, the risk management process identifies threats, analyzes risks, develops mitigations
where necessary, and communicates the findings across the organization. This is specified in Clauses
Eight and Fifteen of the Standard. Finally, Clause Seven specifies best practices for addressing supply chain
risk, which is essentially a new feature in any standard for cybersecurity.
But wait… There's More?
Still, UNECE R-155 isn't the only regulation the OEMs will need to comply with. The other one is UNECE
Regulation No. R-156. This regulation accompanies R-155, and it will be enforced in the same fashion.
UNECE R-156 requires the presence of a comprehensive software update management system (SUMS).
For what ought to be obvious reasons, over-the-air (OTA) updates are a particular target for R-156
assurance. The SUMS manages in-vehicle software updates under the R-156 criteria. That requirement
applies to any vehicle that allows software updates, which is essentially every car today.
In essence, R-156 stipulates the creation of a documented baseline of software configuration items
(SWCI) for every applicable initial and updated software version utilized by a vehicle type. The items in
that baseline must be uniquely identified and labeled.
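As an added illustration of that R-156 baseline requirement (example code written for this page, not from the article or any OEM's tooling): a small Python sketch that keeps every SWCI uniquely labelled and checks a proposed update manifest against the documented baseline before the baseline is advanced. The ECU names, labels, version strings and the SHA-256 binding of a label to an image are assumptions, not anything the regulation prescribes.

```python
import hashlib
from dataclasses import dataclass

def image_id(image: bytes) -> str:
    """Constructed labelling scheme: bind an item to its image by SHA-256 (an assumption, not R-156 text)."""
    return hashlib.sha256(image).hexdigest()

@dataclass(frozen=True)
class SWCI:
    ecu: str        # component the software runs on
    label: str      # unique identifier and label required for every baseline item
    version: str
    image_id: str   # assumed binding of label+version to one specific image

def build_baseline(items):
    """Index items by label; a duplicate label means the baseline no longer uniquely identifies items."""
    baseline = {}
    for item in items:
        if item.label in baseline:
            raise ValueError(f"duplicate SWCI label: {item.label}")
        baseline[item.label] = item
    return baseline

def check_update(baseline, update):
    """Return findings for an update manifest; an empty list means it is consistent with the baseline."""
    findings = []
    for item in update:
        known = baseline.get(item.label)
        if known is None:
            findings.append(f"{item.label}: not in the documented baseline")
        elif known.ecu != item.ecu:
            findings.append(f"{item.label}: targets {item.ecu}, baseline records {known.ecu}")
        elif known.version == item.version and known.image_id != item.image_id:
            findings.append(f"{item.label}: version {item.version} reused for a different image")
    return findings

def apply_update(baseline, update):
    """Produce the next documented baseline only when the update has no findings."""
    findings = check_update(baseline, update)
    if findings:
        raise ValueError("; ".join(findings))
    return {**baseline, **{item.label: item for item in update}}

# Constructed sample data (not from any real vehicle type).
BASELINE = build_baseline([
    SWCI("BCM", "BCM-APP", "1.4.0", image_id(b"bcm-app-1.4.0")),
    SWCI("TCU", "TCU-FW", "2.0.1", image_id(b"tcu-fw-2.0.1")),
])
GOOD_UPDATE = [SWCI("TCU", "TCU-FW", "2.0.2", image_id(b"tcu-fw-2.0.2"))]
BAD_UPDATE = [
    SWCI("TCU", "TCU-FW", "2.0.1", image_id(b"tcu-fw-2.0.1-patched")),  # same version, different image
    SWCI("IVI", "IVI-APP", "3.1.0", image_id(b"ivi-app-3.1.0")),          # never baselined
]
```

The two findings raised for `BAD_UPDATE` are exactly the cases a documented, uniquely labelled baseline exists to catch: an image that changed without its identifier changing, and an item that was never recorded at all.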
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.