The recent hack that brought down Facebook and Instagram is just the latest high-profile incident demonstrating the importance of digital security. While the temporary loss of those social media sites may have felt like a life-and-death issue to the teens who feel like they live and die by every post, the issue of digital security for cars is potentially literally a matter of life and death.
That’s why the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) have teamed up to issue a joint standard for automotive digital security that aims to prevent hackers from gaining control of people’s cars.
ISO/SAE 21434, which was announced in September, takes effect for new models introduced in Europe, Japan, and Korea starting in June 2022, which makes this a front-burner item for car manufacturers and their suppliers alike. These countries account for one-third of new car sales, and this requirement applies initially only to all-new models. Eventually, other countries will join the program and it will be expanded to include all cars.
Chipmaker NXP has come out of the gates with the first certification of compliance. This isn’t for any individual product. The nature of digital security demands that the entire organization producing the products also be compliant.
That’s why the standard requires OEMs and their supply chains to apply a security-by-design approach to their components, servers, and processes to reduce the risk of being vulnerable to attacks at any point in the vehicle lifetime, from the initial concept and design phases to end of life.
This is necessary because of the increasing interconnectedness of modern vehicles. “The core of the whole thing is that we have few isolated networks today,” observed Daniel Angermeier, deputy head of the department Product Protection & Industrial Security at the Fraunhofer Institute for Applied and Integrated Security for a post on security-analyst.org. “Especially through embedded products we experience an ever-stronger connection to the electronics of customers, this means one is more strongly networked externally and internally and all this with devices that are potentially vulnerable.”
Not only could such networked systems be used to control vehicles directly, but they could also be used to pass bad information to drivers. “There are other scenarios, such as cyber-physical attacks, which can also be used to control actuators by means of received messages,” he said. “Therefore, in addition to communication, the integrity of the systems used is also very important. To be able to react to such scenarios, it is important that systems are not only functionally safe, but also secure against such attacks. Because a lack of security can also compromise safety.”
The ISO/SAE 21434 standard is the work of more than 100 industry experts from 14 countries who specialize in engineering, product development, and cybersecurity. “ISO/SAE 21434 will help consider cybersecurity issues at every stage of the development process and in the field, increasing the vehicle’s own cybersecurity defenses and managing the risk of potential vulnerabilities for every component,” explained Dr. Gido Scharfenberger-Fabian, who convened the panel.
“The framework provided in this standard will enhance the collaboration on cybersecurity within the industry and thereby lead to technology and solutions that better meet today and tomorrow’s cybersecurity challenges,” he added.
NXP has been certified by Germany’s TÜV SÜD Division Mobility, which has partnered with SAE on the practical aspects of training and certifying companies when they’ve met the standard. “Cybersecurity must play a critical role in the automotive life cycle if drivers are to place their trust in vehicles,” noted Jörg Schemat, CEO TÜV SÜD Akademie. “Our partnership with SAE will enable us to provide our customers with high-caliber training that draws on the latest state of the art as well as on our company’s wealth of consulting and audit experience.”
Carmakers and suppliers will find this is a necessarily rigorous process, and one that they should have started on early, reports NXP director of automotive security Timo van Roermund. He likens this new standard to the previous ISO 26262 standard for functional safety analysis from a decade ago. “I would say that’s an established standard that had an impact on the industry,” he said. “Now they’re doing it for cyber security.”
The important thing here is that ISO/SAE 21434 is not a single specification, but rather an adaptable framework that can change as the threat environment evolves, said van Roermund. “For security, hackers get smarter, they find new ways of breaking systems,” he said. “There is always a changing landscape.”
In response, ISO/SAE 21434 provides an engineering framework with requirements for the entire supply chain, not just for the OEM. “You have to address security at the organizational level,” van Roermund continued. “You must have a security culture and assign competent people to projects. You better have someone with decent security know-how to architect and implement the security, and then you need a second pair or third pair of eyes to challenge it. That’s the kind of thing the standard requires.”
And while this is true of the OEMs, if they tap non-compliant suppliers then the whole system would be undermined. “The regulation applies to vehicles,” van Roermund explained. “The regulation requires a certified security management system at the OEM. But you also need to make sure that supply-related risks are being taken care of.”
That’s where NXP’s certification comes in. “Anyone can claim compliance. We work with a credible third party to audit us,” he said.
Because it is hard to prove a negative, it will be difficult to document the future success of ISO/SAE 21434. At best, it will be like the once-feared Year 2000 date bug, which turned out to not be a problem on January 1, 2000, because of the hard work that went into addressing the problem in advance.
“I hope [success] will be noticeable by the lack of incidents,” said van Roermund. “This standard should create much more cooperation and maturity in the supply chain to reduce the chance of incidents,” he continued. “The best possible outcome will be for drivers to not notice it due to the absence of issues.”
That seems to be the aim of carmakers, who have been requiring compliance in requests for proposals and requests for quotes since 2020, according to van Roermund. “That’s really significantly increased, and we see the standard referred to very often. This leads to the conclusion that this is top of mind for our customers.”