By Jacob Wilson, Senior Security Consultant, Software Integrity Group
The National Highway Traffic Safety Administration (NHTSA) has updated its guidance to include potential vehicle cybersecurity threats as expected real-world conditions, and to encourage vehicle equipment manufacturers to consider the impacts of a cyber-attack. This not only sets the direction and focus of vehicle safety for the future, but also establishes a standard for the growing prevalence of connected vehicle electronic control units (ECU) and connected features.
These best practices are currently voluntary guidance and require tailoring to apply them to vehicle manufacturer’s unique systems. However, they are based on real-world attack scenarios and upcoming industry cybersecurity standards. The first cybersecurity-related recall in 2015 affected 1.4 million vehicles in the United States—a breach that allowed remote control of the engine, steering, and other safety-critical systems. More recently in early 2020, a joint working group of more than 100 experts from public, private, and government sectors began work on ISO/SAE FDIS 21434 Road Vehicles – Cybersecurity Engineering. This new standard aims to define a framework ensuring cybersecurity is incorporated into the lifecycle of road vehicles, including the design and operation of systems, components software, and external connections to any device or network. NHTSA has offered best practices to provide a solid foundation for developing a risk-based approach to cybersecurity challenges, and describes important processes that can be maintained, refreshed, and updated effectively over time to serve the needs of the automotive industry.
NHTSA has proposed a multi-layered approach to cybersecurity by focusing on a vehicle’s entry points which could be potentially vulnerable to a cyber-attack. These entry points include wired and wireless connections designed for human or machine interfaces at various stages of the lifecycle. Utilizing a layered approach reduces the likelihood of a successful vehicle attack while mitigating the potential impacts, providing protections for the vehicle itself and the vehicle ecosystem.
Leveraging a risk-based prioritization of safety-critical vehicle control systems, more commonly referred to as TARA analysis in the ISO/SAE 21434 standard, vehicle manufacturers and suppliers can address the cybersecurity context of the systems and components of a vehicle during the engineering design process. This process begins with the identification of protections for vehicle architectures, methods, and measures establishing cyber resiliency and facilitating rapid recovery from incidents when they occur. Tangent to the vehicle design process is the operation, maintenance, and decommissioning of vehicle systems. By leveraging the information gathered during the design and engineering processes of the vehicle lifecycle, we can provide cyber-resiliency to the manufacturing process and subsequent vehicle lifecycle phases. This resiliency is aided by effective intelligence-sharing across industry partners, such as the Automotive ISAC and your automotive supplier relationships. And more broadly, the NHTSA cybersecurity best practices point toward emphasizing cybersecurity awareness and collaboration—both internal to your organization and across the automotive industry, expanding upon organizational capabilities in cybersecurity.
Figure 1, above, illustrates the NHTSA cybersecurity best practices from a holistic perspective. In addition to what is pictured above are the details and surrounding risk assessment and processes around risk activities, such as inventorying, penetration testing, and continuous monitoring. For the full context and content, please reference the original document at NHTSA.gov and any subsequent updates.
Two important points that I would like to capture from the Figure 1 illustration are:
A program-level approach to road vehicle cybersecurity is built upon the earlier described, risk-based prioritized identification and protection of safety-critical vehicle control systems. Continuous activities focus on understanding, controlling, transferring, and eliminating sources of risks to safety-critical vehicle systems where possible and feasible. These activities provide for timely detection and rapid response to potential vehicle cybersecurity incidents in the field. These field actions feed back into the design methods and processes to facilitate rapid recovery from incidents when they occur. And finally, the vehicle cybersecurity program institutionalizes methods for accelerated adoption of lessons learned across the industry.
Reflecting upon the recent impact that a giant cargo ship (Ever Given) has made on world trade while blocking the Suez Canal and numerous global ports of entry, it is very relevant to consider aligning your organizational vehicle cybersecurity practices. Much like a single ship, a single vehicle point of entry or security vulnerability may have a domino effect on the vehicle ecosystem globally. This includes vehicle fleets spanning multiple manufacturers and developing vehicle-to-vehicle or vehicle-to-infrastructure communications.
Approaching vehicle cybersecurity with a method derived from author Jim Butcher’s famous quote, “You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you,” is a near-sighted and dogmatic view which portrays cybersecurity threats as pursuing the weakest individual. This is problematic because the bear often catches the largest fish, not the slowest fish. All those involved in the industry are protecting cybersecurity together. Cyber-attacks are real-world conditions for road vehicles and not a single bear or single recall event of 1.4 million vehicles.
Using a program-level approach, I recommend that you view vehicle cybersecurity with the lens that the rising tide of capabilities and strategic sharing lifts all boats in the ocean or, in your case, the road vehicle supply chain. Emphasize and advocate for effective intelligence and information-sharing to facilitate adoption of lessons learned industry-wide. View cybersecurity as not a competitive advantage or cost center, but rather a core capability which fuels consumer mobility globally. Much like functional safety leading to a common capability such as safety belts or front and rear-end bumpers, cybersecurity will soon be associated with vehicles themselves. In closing, understand the approach you will take in floating your boat. Stop trying to outrun the bear.
Catch up on our other automotive security-related blog post, “Your Car Is a Smartphone on Wheels–and It Needs Smartphone Security.”