Understanding Automotive Cybersecurity, its challenges, and ISO/SAE-21434

Understanding Automotive Cybersecurity

Automotive industry is heading towards digital transformation, where the vehicle will communicate with the external environment and use V2V, V2I, and V2X data to take autonomous driving decisions. This expanded capability in a vehicle introduces cybersecurity risks, which can be threatening to the vehicle and its owner. This blog explains automotive cybersecurity, its challenges, and a new standard ISO/SAE-21434 for the cybersecurity of on-road vehicles.

According to Markets and Markets, the Global Automotive Cybersecurity Market size is projected to grow from USD 1.9 billion in 2020 to USD 4.0 billion by 2025.

Recent advances and increased use of electronics in the manufacturing of connected, autonomous, and electric vehicles have made vehicle E&E architecture very complex. As the vehicles are getting connected with outside networks via V2I, V2X, V2V, or V2G, it becomes more vulnerable to cyber-attacks. And these attacks are serious threats to the functional safety of the vehicle and may cause financial damage.

Automotive Cybersecurity protocols play a crucial role in protecting vehicles from malicious attacks. Automotive cybersecurity secures in-vehicle and external communication networks, electronic systems, software, and data of the connected vehicles.

In this blog, we will discuss about automotive security, cybersecurity, its challenges, and ISO/SAE 21434 – the standard for automotive cybersecurity. Let’s talk about these topics one by one.

Understanding Automotive Security

Before directly jumping into automotive cybersecurity, it is very important to understand what kind of security we will be discussing, and which generation of vehicles will fall under automotive security matrices.

The automotive security landscape can be divided into four major categories: Vehicle Network Security, Vehicle Backend Security, Backend Security (Ensures Infrastructural Security), and Vehicle to Everything security.

Vehicle Network Security is applying automotive security measures to ECU-to-ECU communication in a vehicle, whether that vehicle network is based on CANbus CAN FD, or Automotive Ethernet. Vehicle to Backend Security is like sending a secured message from ECU to the backend. Backend Security ensures infrastructural security and V2X security deals with the security of the vehicle when it is communicating with external environment.

When we talk about automotive cybersecurity, we must ensure which generation of connected vehicles we need to make cyber secure. In the history of automotive technology, connected vehicle technology is bifurcated into four generations.

Generation 1 of connected vehicles is connected via mobile devices, Bluetooth, or physical cables. Gen 2 connected vehicles are connected at the backend and these vehicles have infotainment and OBD – II ports and receive GPS signals. Gen 3 vehicles have smart infrastructure, get connected to on-road systems, and support V2X communication. And, Finally, fourth-generation connected vehicles are Level-4 and Level 5 of autonomous vehicles / electric vehicles which will seamlessly interact with the environment and have the potential to accept automotive cybersecurity measures. Gen 4 of connected vehicles will not only interact with the outside environment, but it will absorb tons of data and make a decision based on it.

So, it becomes extremely important to define the cybersecurity measures and generation of connected vehicles to which it shall be implemented.

What is Automotive Cybersecurity?

With the evolution of the automotive segment from delivering level 1 autonomous vehicles to delivering Level 4/ level 5 autonomous vehicles, there has been a tremendous amount of R&D, innovation, and investment have gone. Modern-day vehicles have super-advanced ADAS features, HD infotainment systems, highspeed networking protocols, and many other devices and sensors to support autonomy, connectivity, shared mobility, and electric vehicle features. All this is backed by more than 100 ECUs with millions of lines of source codes in a vehicle.

So, every ECU node, every part, sensor, network, and interface in a vehicle is vulnerable to cyber threats and these cyber threats can be very hazardous when it comes to autonomous and connected vehicles.

Automotive cybersecurity can be defined as a set of practices and principles which are designed to protect automotive electronic systems, communication networks, software, control algorithms, vehicle data, and information, from malicious attacks, damage, unauthorized access, or manipulation.

Designing cybersecurity solutions for automobiles may include threat analysis to security strategies and architectures to the implementation and testing of all the security functions.

Automotive cybersecurity in the future will be a stack of different blocks such as cybersecurity management, security mechanisms, and security processes. Cybersecurity Management is very important from the organizational front and will define the security policies, documents, and lifecycle of the entire process. Along with security management, security mechanisms will play a key role in placing the technologies and tools to protect the automotive systems of respective layers against cyber-attacks. Security processes will help in enabling the implementation of cybersecurity measures as mentioned in ISO 21434.

Automotive Cybersecurity Challenges

Cybersecurity in the Automotive industry is completely different from what we see in IT. New-age automotive technologies majorly in autonomous and vehicle connectivity rely on data from the surroundings or the network. And data received by the vehicle from any external source can be tampered with or spoofed to get unauthorized access to the secured information of the vehicle or the owner. Data-driven features of smart cars possess complex infrastructure of the ECUs, networks, and sensors, and applying cybersecurity on such a complex structure brings unprecedented challenges to new-age automotive functions. Some of them are as follows:

  • Growing Connected Vehicles: The globally connected car market is expected to reach USD 166.00 bn by 2025 and this will significantly increase the number of connected cars on road and consequently the probability of cyber-attacks. The number of connected cars is growing fast but at the same time, there is a lack of cybersecurity awareness and active management of cybersecurity policies in the organizations, which results in slower adoption of cybersecurity measures in cars.
  • System Complexity and Big Data: Nowadays, vehicles are more digitalized and interconnected, and with more than 100 ECUs in a vehicle is like dealing with a smart computer running on wheels. All the networking devices, ports, computers, and servers, are densely packed in a vehicle and mitigating cybersecurity risks for all these millions of networks is a big challenge. Imagine the scale of data to manage when OEMs need to manage millions of vehicles on road.

Despite such a large volume of data and the challenge to secure all the vulnerable ports, OEMs are embedding cybersecurity measures into the design and manufacturing stage of the vehicle.

  • Automotive Supply Chain: Supply chains in the automotive industry are very complex. They include the integration of third-party software, components, communications, and application protocols, which makes automotive systems more vulnerable to cybersecurity threats. It is very difficult to ensure automotive cybersecurity with multiple players involved in designing and developing automotive systems.Each player must deal with their own set of specifications complying with different standards to design automotive systems and software. Interconnected systems provided by multiple distinct suppliers increase the possibility of weak cybersecurity measures and result in a vulnerable network.
  • Time to Market: It takes approximately four to five years to bring a vehicle into production setup from a concept design. Four long years encapsulate all the major decisions about vehicle architecture, connectivity, physical and virtual security, and operating systems security. Though all the testing has been done to maintain the software before the vehicle hits the production line, many times system bugs, fixes, vulnerabilities, cybersecurity practices are not scrutinized and resulting in delayed production. Delayed production in the vehicle compels OEMs to use a legacy system rather than rising a new one.

To overcome all the above-discussed automotive cybersecurity challenges all the industry suppliers must embrace proper security controls of their automotive systems and solutions.

Other automotive challenges such as safety, security, cost durability, and use of modern embedded system controllers, and ECUs, must be addressed diligently. And having proper automotive cybersecurity standards is much required. One such automotive cybersecurity standard is ISO 21434, which is exclusively designed for road vehicles to address all security challenges and ensure appropriate cybersecurity. ISO 21434 is a well-defined standard that has guidelines to mitigate the security risks and organization-level risks in a vehicle across the entire supply chain.

Let’s discuss ISO 21434 and understand why we need to be ready for ISO 21434 for automotive cybersecurity.

ISO/SAE-21434 for Automotive Cybersecurity

ISO 21434 “Road vehicles — cybersecurity engineering” is an automotive standard. It focuses on cybersecurity risks in automotive electronic systems. ISO 21434 compliance covers all automotive electronic systems, components, vehicle software, and in-vehicle and external connectivity. ISO 21434 will provide a structured process and ensure that automotive cybersecurity practices are properly followed and implemented in in-vehicle products and systems throughout their lifetime.

In the future, this standard will also create a culture of designing and producing all automotive systems and solutions (either it is on the hardware side or the software side) keeping cybersecurity at the forefront.

The structure of ISO 21434 is very wide, and it contains modules like continuous cybersecurity activities, risk assessment methodologies, Product design and development phases (concept phase, development phase, and post-development phase), and distributed cybersecurity activities.

Cybersecurity activities in the ISO21434 structure will cover all the aspects of cybersecurity concerning automotive solutions such as cyber security monitoring, event management, vulnerability analysis, and vulnerability management.

On the other hand, risk analysis which is one of the prime modules of this standard will cover asset identification, attack path analysis, threat scenario identification, risk determination, and treatment decision.

All these cybersecurity practices should be implemented while developing digital applications and connected systems for level 3 and level 4 of connected vehicles. Even the programming languages to design supporting applications must include secure design and coding techniques and must include explicit syntax and semantic definitions.

Final Thoughts

So, Automotive Cybersecurity is a new concept, but it will create a huge impact on the systems and solutions which are being developed for new-age connected vehicles. Automotive solution providers must investigate the nitty-gritty of the new standard “ISO21434” and include them in their cyber-security plan.