Cybersecurity in the driver’s seat

Thanks to Internet technology, our cars enable us to not only make calls but tell us if we are veering into the wrong lane, give us live traffic updates or tell us where the nearest gas station is. Moving us from A to B is almost secondary. Yet all this functionality increases the risks, which range from stealing your personal information to literally driving you off the road.

In various experiments to test the robustness of cybersecurity systems in vehicles, “white hat hackers” – i.e. computer security experts who deliberately hack into systems to test and assess their security – have demonstrated that it is possible to remotely control cars. For example, as far back as 2015, such hackers demonstrated that they could take control of a Jeep’s braking and acceleration systems, its dashboard and more – a terrifying thought.

In another experiment on a Tesla, computer security experts managed to trick the car’s Autopilot self-driving software and swerve into the oncoming traffic lane. “Other incidents, such as those not involving white hat hackers, would also need to be handled with reasonable care and attention,” says Dr Gido Scharfenberger-Fabian, a project leader in ISO’s expert working group WG 11 that deals with cybersecurity for electrical and electronic components of road vehicles.^[1]

Cybersecurity, therefore, is big business, particularly when it comes to vehicles. Various estimates of the value of the global automotive cybersecurity market put it growing from USD 2.4 billion in 2019 to some USD 6 billion by 2025. But despite this thriving industry, the war on hacking has only just begun.

1. WG 11 operates under technical committee ISO/TC 22, Road vehicles, subcommittee SC 32, Electrical and electronic components and general system aspects.

A long history of data

Data has been collected from our cars as far back as the early 1990s, says Jack Pokrzywa, Director of Global Ground Vehicle Standards for SAE International, a global association for the “mobility” engineering profession and a key ISO partner. Devices such as Event Data Recorders, or the “black box” of a car, provide information about our vehicle’s operations before and after a crash, for example. 

Now, of course, the technology has advanced well beyond that. Capabilities include capturing outside information, such as location, weather and traffic conditions, while sensors inside the vehicle can collect data about the occupants to provide meaningful information in case of an accident. “Let’s not forget about the biometric information, which can also track, for example, eye movement to detect a driver’s attention in order to determine if a driver is falling asleep behind the wheel,” he adds. “And now we have so many apps that connect to a car’s operating system, enabling, for example, the information about your calls made through a car speaker system to be recorded. There are benefits of this related to safety, but there is also concern about data privacy.”

In some jurisdictions, such as Europe, the vehicle identification number (VIN) is seen as personal identifiable information (PII), warns Dr Markus Tschersich, another project leader in ISO’s expert working group. “Therefore, all data generated by vehicle systems and associated to a VIN can be interpreted as PII. This is information that, on its own or combined, can be used to identify, locate or contact an individual. For example, data gathered from braking, steering systems and other car components can be used to derive information about the driver’s skills and behaviour.” And as long as there is a connection between the car and external sources, there is a possibility of hacking.

The race to keep up with hackers

Today’s cars are filled with complex software and they are expected to be even more so in the not-so-distant future. According to management consultancy McKinsey & Company, we have around one hundred million lines of code today, but it is thought that by 2030 there will be three times that number. This is compared to, say, a passenger aircraft, which has approximately 15 million lines of code and your standard PC operating system with up to 40 million lines of code. The more complex the machine, the more opportunities for cyber-attacks along the entire value chain.

As technology becomes more deeply embedded into cars in general, the automotive industry is facing the task of our generation. That is, securing the global automotive infrastructure from those cybercriminals who want to steal data and take control of automated systems for malicious purposes. “Cybersecurity measures need to be adapted from system generation to system generation, but also in systems in the field via updates,” says Dr Scharfenberger-Fabian. “It is a never-ending challenge.”

Pokrzywa points out that any device that runs on software can be hacked. Countering such problems requires a high degree of knowledge sharing in the industry and particularly between car manufacturers and their supply networks. One organization that does that in the US, he says, is the Automotive Information Sharing and Analysis Center (Auto-ISAC). Industry members share and analyse information about any possible risks to vehicles, thus contributing to the strengthening of cybersecurity technologies. But a worldwide holistic approach is also needed.

A global call

Aligning processes and methods along the supply chain as a baseline for considering cybersecurity appropriately in the engineering of automotive systems is the key, says Dr Scharfenberger-Fabian. “There are many established International Standards for IT security (e.g. ISO/IEC 27xxx series) or industry-specific security standards (IEC 62443 series for industrial controls systems),” he says, “but they don’t address the specific needs of the automotive industry.”

In 2015, SAE International created the Vehicle Cybersecurity Systems Engineering Committee to address these threats and vulnerabilities in the US market. A year later, the committee published SAE J3061, Cybersecurity Guidebook for Cyber-Physical Vehicle Systems, which defines a complete life-cycle process framework that can be tailored and utilized within each organization’s development processes to incorporate cybersecurity into cyber-physical vehicle systems, from concept phase through production, operation, service and decommissioning.

The new International Standard will draw on the SAE guidance and build a comprehensive cybersecurity tool that addresses all the needs and challenges of the industry at a global level. Currently in development, ISO/SAE 21434, Road vehicles – Cybersecurity engineering, is due to be published in 2021 and aims to address cybersecurity in the engineering of electrical and electronic (E/E) systems within road vehicles. Use of the standard is thus intended to help manufacturers keep up with changing technologies and cyber-attack methods.

Involved in the project are Dr Scharfenberger-Fabian and Dr Tschersich, who explain that the standard is intended to supersede SAE J3061 recommended practice. It will enable organizations to define cybersecurity policies and processes, manage cybersecurity risk and foster a cybersecurity culture. It can also be used to implement a cybersecurity management system, including a proper management of road vehicle cybersecurity risk.

The security question

For an industry used to breaking down complex challenges and standardizing responses, cybersecurity remains an unstandardized anomaly. So can the standard promise true cybersecurity? “Alas, there is no such thing as a ‘secure technology’ that could be standardized,” says Dr Tschersich, “so following ISO/SAE 21434 alone would not make the cars secure. But the processes described therein can most definitely build the baseline for a good cybersecurity engineering and help to tighten things up.”

These processes, he says, include the assessment of cybersecurity risks and approaches to identify and align on cybersecurity solutions for the systems, and to communicate them along the supply chain. This includes the concept, development, production, operation, maintenance and decommissioning of road vehicle electrical and electronic systems, including their components and interfaces.

The standard establishes a cybersecurity framework for automotive companies and features a common language for communicating and managing cybersecurity risk. “While ISO/SAE 21434 does not address or push technologies directly, the framework provided will enhance the collaboration on cybersecurity within the industry and thereby lead to technology and solutions that better meet today’s and tomorrow’s cybersecurity problems.” It will help consider cybersecurity issues at every stage of the development process and in the field, creating a checklist for engineers that includes scanning for bugs, increasing the vehicle’s own cybersecurity defences and creating a risk analysis of potential vulnerabilities for every component.

ISO/SAE 21434 is already in demand to support existing regulations, he says. For example, it is seen as a reference document for the implementation of a cybersecurity management system (CSMS) demanded by recently introduced United Nations (UN) regulations related to cybersecurity in vehicles. “This is due to a tight collaboration between the ISO/SAE joint working group and the respective UN Task Force based on a liaison,” he explains.

To further improve the relationship between the UN regulation and standardization, work has recently started on a publicly available specification, ISO/PAS 5112, that gives guidance on organizational audits with respect to cybersecurity engineering. It will be based on ISO/SAE 21434 and is intended to be used to audit a CSMS as defined by the UN regulation. The end goal is widespread implementation of the standard into the industry’s daily engineering practices, along with increased awareness achieved by including the standard in the training curriculum of engineers.

“If the product development is based on solid principles included in ISO/SAE 21434, vehicle security could be further increased,” adds Dr Scharfenberger-Fabian. The future standard is designed to improve automotive cybersecurity and risk mitigation across the entire supply chain – from vehicle design and engineering through to decommissioning. Many in the industry are already making plans to ensure its integration.

And so the battle continues

While still relatively new, the in-car cybersecurity threat will remain an ongoing concern. As such, automakers must now consider cybersecurity as an integral part of their core business functions and development efforts. “I don’t think we can ever prevent attempts to breach the system,” says Jack Pokrzywa, “but by raising the security barriers higher, we can certainly reduce the risk.” This will also keep development and maintenance costs under control – a win-win for all industry players.

In addition to ISO/SAE 21434, the automotive industry will continue to develop common cybersecurity standards to ensure manageable end-to-end secure solutions, including the upcoming standard for the auditing of cybersecurity engineering. The work is just beginning, but with an industry dedicated to securing automotive systems at every step of the process, the wheels will keep on turning as the cars we drive get safer and safer.