An overview of the automotive cybersecurity standards landscape

The advent of numerous wireless connections and telemetry services has extended the attack surface of a modern vehicle far beyond its physical boundary. What’s more, as automakers strive to meet the expectations of a fully autonomous driving experience, future cars will need to rely even more heavily on the data around them – adding to the number of potential entry points for bad actors.

Connected future: vehicles are relying more heavily on the data around them.

Details provided by onboard sensors, V2X sources such as nearby vehicles and road infrastructure, and data centres in the cloud will need to be validated, for example, as studies have shown that systems can be vulnerable to spoofed information. The proliferation of new interfaces, external connections, protocols and technologies increases the attack surface and multiplies the potential number of exploitable vulnerabilities substantially.

Guidelines must adapt to protect drivers, passengers and other road users against new vehicle attacks. And, over time, the automotive industry has augmented its standards landscape – most recently with the publication of ISO SAE 21434 “Road Vehicles – Cybersecurity engineering” in 2021 and before that the adoption of UNECE WP29 (World Forum for Harmonization of Vehicle Regulations) proposals covering the management of automotive cybersecurity (R155) and software updates (R156) – with a number of security requirements.

These include establishing a baseline for threats, vulnerabilities and attack methods, and a requirement for OEMs and their suppliers to consider their impact.

As part of our contributions to the Secure-CAV project, which included threat modelling and security testing activities, we have taken a look at the automotive cybersecurity standards landscape to give developers an overview of recommendations that aim to keep attack surfaces in check.

Standards summary

We identified a long list (see: Automotive cybersecurity standards – a living list) of documents either supporting or directly related to automotive cybersecurity, which can be broadly classified into the following groups –  

  • Recommendations directly addressing automotive security  
  • Extensions to safety considerations  
  • Coding and software standards  
  • General foundations

The list we’ve identified is non-exhaustive – it is important to remember that there are new recommendations and technology-specific standards that also include security considerations, as well as pre-existing internet and telecoms standards and protocols which future automotive implementations will rely on. This emphasises the general need to improve cyber security across the board, as there are multiple cross-dependencies between sectors and industries.

Snapshot: a visual summary of the relationships between some of the automotive standards and recommendations, grouped into four categories. The abbreviations are described in full at the bottom of the post.

Timeline

While there are many established international standards for IT security and industrial control systems, these recommendations don’t address the needs of vehicle makers directly. In response, the automotive sector has issued a number of security guidelines. 

1994

MISRA publishes development guidelines for vehicle-based software.

2015

SAE formed Vehicle Cybersecurity Systems Engineering Committee to address automotive-specific threats and vulnerabilities in the US market.

2016

SAE published J3061, Cybersecurity Guidebook for Cyber-Physical Vehicle Systems. Recommendations cover the complete vehicle lifecycle from concept phase through production, operation, service and decommissioning. The standard is a precursor to ISO 21434 and calls for a lifecycle approach to cybersecurity engineering.

2018

ISO 26262 (second edition) is published. The final version includes comments on the interaction between safety and security (Annex E), but participants agreed that safety and cybersecurity will be treated in separate standards.

2019

MISRA and AUTOSAR announced that their industry standard for best practice in C++ will be integrated into one publication.

2021

The final version of ISO 21434 is published. The standard supersedes SAE J3061 and provides a framework for implementing a cybersecurity management system (CSMS) – in line with WP.29 UNECE recommendations – and managing road vehicle cybersecurity risk.

Efforts are underway to re-work SAE J3061 and it has been reported that the new version will be in three parts. Part 1 will describe a threat and risk analysis method for classifying threats within an Automotive cybersecurity Integrity Level (AcSIL) framework. Part 2 will give an overview of security testing methods for software and hardware. And part 3 will discuss security tools. The document set should provide a more technical companion to ISO 21434.

ISO/DPAS 5112 is moving through the committee stages and has been voted on ahead of future registration as a DIS. The document is based on ISO 21434 and provides guidelines for auditing the cybersecurity engineering of road vehicles, a function that is mandated through the recently adopted WP.29 UNECE regulations.

2022

July – WP.29 UNECE regulations (R155) come into force for ‘new vehicle types’ (vehicles in development) due to be sold in the EU.

2024

July – WP.29 UNECE regulations come into force for all new vehicles being sold in the EU.

>> To navigate to the latest version of the living list, please visit: Automotive cybersecurity standards – a living list

Abbreviations
AEC – Automotive Electronics Council (US body establishing electronic components standards for use in harsh automotive environments).
ASPICE – Automotive Software Performance Improvement and Capability dEtermination.
BSI – British Standards Institution (UK national standards body).
GSMA – Industry organisation represents the interests of mobile network operators worldwide.
ETSI – European Telecommunications Standards Institute.
IATF – International Automotive Task Force (alternative to ASPICE).
IEC – International Electrotechnical Commission (standards organisation).
ISO – International organisation for standardisation.
ITF – International Transport Forum (intergovernmental organisation with 63 member countries).
ITU – International Telecommunication Union (United Nations agency for information and communication technologies).
MISRA – Motor Industry Reliability Association (consortium focused on safe and secure application of embedded control systems and standalone software).
NTIA – US National Telecommunications and Information Administration.
PAS – Publicly available specification (a fast-track standardisation document).
SAE – Association of engineers and technical experts in aerospace, automotive and commercial vehicle industries.
SEI – (Carnegie Mellon) Software Engineering Institute, US.
UNECE WP.29 – United Nations Economic Commission for Europe World Forum for Harmonization of Vehicle Regulations.
US DoT NHTSA – United States Department of Transportation National Highway Traffic Safety Administration.

About the author
James Tyrrell is a Threat Modelling Analyst at Copper Horse.