This post results from the project “CARSec” within the Munich Cyber Security Program (MCSP) The MCSP is a cooperation project between Champlain College and ComCode (Germany). This project focuses on cybersecurity topics for connected/self-driving cars.
It has been almost four weeks since I began researching with ComCode. If you’ve read my previous two posts, you’ll know that I’ve focused on the basics of vehicle hacking as well as the ins and outs of connected cars. Moving past that, for the past week, my research has focused on the different rules and regulations that I briefly talked about in my first posting. In terms of automotive security and the process of development, two main regulations should be discussed.
The first of these being ISO 26262-3:2018, titled Road Vehicles – Functional Safety, is intended to be applied to all the safety-related systems that include electrical or electronic systems. While not directly related to cybersecurity, it is directly referenced in other automotive standards which means companies must comply with this as well as the main regulations. Overall, the crux of this standard comes in the form of Automotive Safety Integrity Levels, (ASIL), which determine how strict compliance requirements get depending on three factors. These levels are severity, exposure, and controllability. Overall, the goal of this standard is to ensure safety throughout the entire life cycle of a car’s equipment and systems.
As I just mentioned, the prior mentioned regulation doesn’t touch on the cybersecurity of a vehicle, which is left to a new ISO standard currently being developed. Titled Road Vehicles – Cybersecurity Engineering, ISO/SAE 21434 will focus on the cybersecurity risk in road vehicle’s electrical systems. The standard is crucial in creating a more secure connected vehicle. The standard won’t define solutions to mitigate threats but will more so establish criteria for engineering a vehicle to be secure. Includes risk assessment methods, including asset identification, threat analysis, impact assessment, and vulnerability analysis. As well as the methods to manage, monitor, and respond to any incidents during every phase of the automobile’s life cycle.
As we move further and further towards a degree of complete autonomy in vehicles, it’s clear that these standards need to cover every area of cybersecurity completely. Looking back in history, the first reports of computer hacking came in the late 1960s or early 1970s. The first automotive hack came in 2010, and the first fully remote exploit came in 2015. Now it’s 2021, and the main standard for addressing risk within vehicles hasn’t been released yet. With that said, it’s bizarre just how far behind we are in terms of securing vehicles. In my opinion and based on the beginning of the research that I’ve done, if we ever want to achieve levels of autonomy in vehicles the standards need to be developed at a much further rate. Cybersecurity is a fast-moving world, the world of vehicular development needs to follow suit. I certainly understand that rules and regulations aren’t as glamorous or entertaining as remotely hacking a vehicle to drive off the road, but knowing the regulations is critical to understanding how manufacturers will need to change.
Written By: William Alber '22 // Computer & Digital Forensics