An overview of the automotive cybersecurity standards landscape

The advent of numerous wireless connections and telemetry services has extended the attack surface of a modern vehicle far beyond its physical boundary. What’s more, as automakers strive to meet the expectations of a fully autonomous driving experience, future cars will need to rely even more heavily on the data around them – adding to the number of potential entry points for bad actors.

Connected future: vehicles are relying more heavily on the data around them.

Data provided by onboard sensors, by V2X sources such as nearby vehicles and road infrastructure, and by data centres in the cloud will need to be validated, as studies have shown that these systems can be vulnerable to spoofed information. The proliferation of new interfaces, external connections, protocols and technologies increases the attack surface and substantially multiplies the number of potentially exploitable vulnerabilities.

Guidelines must adapt to protect drivers, passengers and other road users against new vehicle attacks. Over time, the automotive industry has augmented its standards landscape with a number of security requirements – most recently with the publication of ISO/SAE 21434 “Road Vehicles – Cybersecurity engineering” in 2021 and, before that, the adoption of the UNECE WP.29 (World Forum for Harmonization of Vehicle Regulations) regulations covering the management of automotive cybersecurity (R155) and software updates (R156).

These include establishing a baseline for threats, vulnerabilities and attack methods, and a requirement for OEMs and their suppliers to consider their impact.

As part of our contributions to the Secure-CAV project, which included threat modelling and security testing activities, we have taken a look at the automotive cybersecurity standards landscape to give developers an overview of recommendations that aim to keep attack surfaces in check.

Standards summary

We identified a long list (see: Automotive cybersecurity standards – a living list) of documents either supporting or directly related to automotive cybersecurity, which can be broadly classified into the following groups:

  • Recommendations directly addressing automotive security
  • Extensions to safety considerations
  • Coding and software standards
  • General foundations

The list we’ve identified is non-exhaustive – it is important to remember that there are new recommendations and technology-specific standards that also include security considerations, as well as pre-existing internet and telecoms standards and protocols which future automotive implementations will rely on. This emphasises the general need to improve cyber security across the board, as there are multiple cross-dependencies between sectors and industries.

Snapshot: a visual summary of the relationships between some of the automotive standards and recommendations, grouped into four categories. The abbreviations are described in full at the bottom of the post.

Timeline

While there are many established international standards for IT security and industrial control systems, these recommendations do not address the needs of vehicle makers directly. In response, the automotive sector has issued a number of security guidelines of its own.

1994

MISRA publishes development guidelines for vehicle-based software.

2015

SAE forms the Vehicle Cybersecurity Systems Engineering Committee to address automotive-specific threats and vulnerabilities in the US market.

2016

SAE publishes J3061, Cybersecurity Guidebook for Cyber-Physical Vehicle Systems. Its recommendations cover the complete vehicle lifecycle, from the concept phase through production, operation, service and decommissioning. The guidebook is a precursor to ISO 21434 and calls for a lifecycle approach to cybersecurity engineering.

2018

ISO 26262 (second edition) is published. The final version includes comments on the interaction between safety and security (Annex E), but participants agreed that safety and cybersecurity will be treated in separate standards.

2019

MISRA and AUTOSAR announce that their respective industry standards for best practice in C++ will be integrated into a single publication.

2021

The final version of ISO 21434 is published. The standard supersedes SAE J3061 and provides a framework for implementing a cybersecurity management system (CSMS) – in line with WP.29 UNECE recommendations – and managing road vehicle cybersecurity risk.

Efforts are under way to rework SAE J3061, and it has been reported that the new version will be in three parts. Part 1 will describe a threat and risk analysis method for classifying threats within an Automotive Cybersecurity Integrity Level (AcSIL) framework. Part 2 will give an overview of security testing methods for software and hardware. Part 3 will discuss security tools. Together, the document set should provide a more technical companion to ISO 21434.

ISO/DPAS 5112 is moving through the committee stages and has been voted on ahead of future registration as a DIS. The document is based on ISO 21434 and provides guidelines for auditing the cybersecurity engineering of road vehicles, a function that is mandated by the recently adopted UNECE WP.29 regulations.

2022

July – The UNECE WP.29 regulation R155 comes into force for ‘new vehicle types’ (vehicles in development) due to be sold in the EU.

2024

July – The UNECE WP.29 regulations come into force for all new vehicles sold in the EU.

>> To navigate to the latest version of the living list, please visit: Automotive cybersecurity standards – a living list

Abbreviations
AEC – Automotive Electronics Council (US body establishing electronic components standards for use in harsh automotive environments).
ASPICE – Automotive Software Process Improvement and Capability dEtermination.
BSI – British Standards Institution (UK national standards body).
GSMA – Industry organisation representing the interests of mobile network operators worldwide.
ETSI – European Telecommunications Standards Institute.
IATF – International Automotive Task Force (alternative to ASPICE).
IEC – International Electrotechnical Commission (standards organisation).
ISO – International Organization for Standardization.
ITF – International Transport Forum (intergovernmental organisation with 63 member countries).
ITU – International Telecommunication Union (United Nations agency for information and communication technologies).
MISRA – Motor Industry Reliability Association (consortium focused on safe and secure application of embedded control systems and standalone software).
NTIA – US National Telecommunications and Information Administration.
PAS – Publicly available specification (a fast-track standardisation document).
SAE – SAE International, an association of engineers and technical experts in the aerospace, automotive and commercial vehicle industries.
SEI – (Carnegie Mellon) Software Engineering Institute, US.
UNECE WP.29 – United Nations Economic Commission for Europe World Forum for Harmonization of Vehicle Regulations.
US DoT NHTSA – United States Department of Transportation National Highway Traffic Safety Administration.

About the author
James Tyrrell is a Threat Modelling Analyst at Copper Horse.

Mapping IoT Security and Privacy Recommendations and Guidance to the Consumer IoT Standard ETSI EN 303 645

In 2018 we took on the task of mapping the IoT security standards and recommendations space to the UK government’s Code of Practice for Consumer IoT Security, in the hope of gaining a better understanding of a heavily fragmented space. Now that we are seeing worldwide adoption of ETSI EN 303 645, a European standard with international reach, we have refocused our mapping so that you can see how different recommendations, standards and compliance schemes relate to that standard.

We are pleased to launch iotsecuritymapping.com, realigned to focus on the ETSI EN. It carries over all previously mapped documents from the existing site, including the UK Code of Practice itself (the older versions of this work remain available here). As well as the maps and open data for EN provisions 5.1-5.13, there is a high-level relationship map covering all the organisations referenced within the documents we reviewed. This gives an excellent overview of which organisations and which material are most frequently referenced.

Once again, we are making all the data available as open data, because we want to help people use this information within their own organisations.

As with the Code of Practice mapping site, we aim to update this one regularly: inevitably, some standards were released during or after our research, and there are others we hope to include. For now, at least, we are satisfied that this mapping helps people and organisations understand the commonalities between the numerous bodies creating standards and recommendations in this area, during a period of defragmentation and harmonisation. With legislation being pushed over the line in many countries, this is an exciting time for the space, and we are hoping for even greater harmonisation than before. The next steps for IoT security will focus on conformance and compliance, so we will keep track of progress in that space too.

Considering the Future 

Comment from David Rogers: When we tweeted about the new site, we had a comment from Art Manion: “I’m concerned that IoT security will sink under the weight and complexity. Any chance of avoiding this common compliance failure?”. It’s a view and concern that we share and goes back to our original rationale for creating the site. As an aside – one of the greatest moves in the UK work was to have the Code of Practice translated into the world’s major languages. It instantly removed barriers and friction to understanding and, ultimately, adoption.

In this space, we started out with massive fragmentation and no real common view on how to move forward – we had some approaches which were really deeply implementation specific versus super high-level guidance, and even some that said we should just educate users. There were a lot of voices, however, saying the same thing, and I’d spoken to a lot of those people and also worked on the technologies that had already been developed in the mobile industry to tackle these issues. Where we are now is that we do have a harmonised view; we’ve successfully defragmented in a big way, such that the major regions and countries of the world are looking at only a couple of (very similar) ways forward now in the consumer IoT space.

The devil, however, is in the detail: as companies implement these standards they will want to do so in different ways. This is perfect, because the last thing we wanted to do was to stifle innovation. However, that could (in theory) make compliance processes really cumbersome and complicated – or worse – useless and not worth the paper they’re written on. There has been a lot of work to try and break this down. ETSI’s conformance work for EN 303 645 is this standard – TS 103 701. It is prescriptive to a point and, crucially, doesn’t ultimately rely on a decision by a company not to implement the measures via a risk assessment.

A risky approach but a necessary one in my view – for too long companies have not been doing any risk assessments or threat analysis, and even if they have done, they’ve missed the real threats by a country mile. We really need a new approach that is more prescriptive in the short term. If this evolves over time beyond these baseline measures, I have no problem with that, but it is an effective solution for the problems we face today and in the near term. Another final thing is that we haven’t bitten off more than we can chew when it comes to being tempted into looking at other IoT verticals such as industrial, which has a lot of existing standards and safety concerns.

There is no doubt we’ll get some edge cases. I’ve had to think about them a lot – in fact I painfully missed out on a day’s skiing on holiday while diving deep into the Bluetooth specifications and thinking about Smart TV child locks, while trying to find a way through the ‘default credentials’ problem. None of this stuff is easy, but I don’t think we need to be afraid of playing hardball on the basics. We’ve had a few decades of this stuff not being designed properly, and we have technical solutions that can fix that.

Visit the new site here