This post results from the project “Automotive Cybersecurity”(ACS) within the Munich Cyber Security Program (MCSP) The MCSP is a cooperation project between Champlain College and ComCode (Germany). This project focuses on cybersecurity topics for connected cars.
I’m currently at the halfway point in my internship for COM|CODE through the Munich Cybersecurity Program– although this has been a remote experience, the opportunity to better understand a growing subsection of the cybersecurity and automotive industry is incredibly rewarding. The automotive industry has changed drastically over the past few years, especially considering the advancement in electric vehicles and semi-autonomous technologies. Automotive technology continues to grow and evolve, and so does the threat to cybersecurity.
This year’s research and development work builds off of last summer’s findings as well as new content. In 2021, the automotive cybersecurity project focused on vehicle hacking and regulations. Since then, ISO/SAE 21434 has been published, supply chain attacks have exploded, and UNECE WP.29 became effective earlier this month. Additionally, COM|CODE presented about automotive cybersecurity at Automatica (a technology convention in Munich, Germany) back in June, and I’ve worked on both an attack timeline and threat surface that has been developed from recent research.
I initially began my research by collecting information pertaining to recent events and reviewing the work done last summer, building a foundation to understand a complex and growing industry. Since the work done in 2021 was completed, developments such as the ones mentioned above occurred that have further changed the cybersecurity landscape. This landscape needs to be continuously evaluated, especially due to the skills shortage and increase in cyberattacks.
ISO/SAE 21434 was a high priority this summer since it was published shortly after last summer’s program completed. The standard acts as an up-to-date overview of automotive cybersecurity. Comparing this standard to previous standards, as well as the new United Nations regulation (UN-R-155/6) was a significant portion of my early research.
Beyond the regulations and certifications pertaining to automotive cybersecurity, understanding the threat landscape and the associated vulnerabilities is an effective strategy to develop proper practices and establish guidelines for involved parties. I utilized the initial background research in addition to further research to develop a threat landscape, both in a mapped-out form and a visual graphic. As a follow-up, I used a series of news resources to generate an attack timeline that included supply chain attacks, white hat hacks, and related software vulnerabilities that were identified.
In preparation for Automatica 2022, COM|CODE reserved a booth to present at and share findings with manufacturing equipment companies and other interested parties. This presentation included regulation and standard overviews, an attack timeline overview, and a breakdown of the vehicle threat surface. All of these topics were tied to the relevancy of companies hosting other booths at Automatica, and why automotive cybersecurity and the associated regulations and standards affect such a large portion of the international market.
The most recent project this summer has been focused on addressing regulations, standards and relevancy—who should be adhering to parts of or all of ISO/SAE 21434 in particular. This standard addresses the entire vehicle lifecycle, and therefore has a massive impact on numerous companies. By breaking down the responsibilities of involved parties it clarifies what needs to be addressed, and by whom. This process is intended to assist those who may not know what their role in automotive cybersecurity is, or at least to what extent.
This is only the halfway point, and so far, there has been emphasis on research and analysis. Moving forward, my work will focus on the market and outreach to directly affected parties.
–Written by Parker Soares ‘24 //Computer Networking & CybersecurityFollow Us!