Understanding the challenge of cybersecurity management

With connectivity and IoT being an integral part of the modern automotive ecosystem, big data management and analytics using artificial intelligence or other tools are of utmost importance.

This data type can be either personal or public and may have financial, operational, social implications etc. As we are reminded quite often nowadays regarding the possibilities of theft or misuse of this data by unauthorised users, information security becomes a priority. Information security in automotive context encompasses periphery protection, securing data against unauthorised access (through encryption) and data recovery in the event of loss. All this can be generally accomplished with an appropriate cyber security management framework in-place. These frameworks can be implemented in three ways: through ad hoc approach, through risk approach or through compliance approach. Out of these three approaches, ad hoc approach is an unsystematic methodology. Whereas risk and compliance based approach are more organised in nature. Off these, the latter is recommended as it is most systematic and holistic. In this article, the focus is on a compliance-based approach where along with risk management, emphasis is on managing compliances, cyber laws and regulations, certification and type approval. 

Cybersecurity framework is essentially an ensemble of processes, best practices, guidelines and tools followed to protect the digital assets. It is a skeleton that holds the overall cyber security compliance architecture in and around a digital biome (e.g. modern automotive domain), if deployed aptly. An automotive cybersecurity framework shall ensure safety and security of the drivers, road users, electronic systems, control strategies, software and communication networks against counterfeiting, unauthorised access, misuse, attacks etc. This is usually achieved by determining the risks levels involved and appropriate cyber security measures are implemented based on the associated impacts.

Overview
Regulations, standards and frameworks are required for an effective cybersecurity management for vehicles. Standards define specific methods that need to be performed for a well-managed cybersecurity system. Regulations in essence define legal compliances. Violation can invite penalties, litigations etc. The framework is a well-established documentation process that defines policies, guidelines, processes and procedures around implementation of cyber risk management and mitigation. It helps to identify and prioritise actions to manage overall security and helps in readiness for audits and compliances. Cybersecurity frameworks are generally designed to exercise controls, program management or to mitigate risks.  Following are some of the best rated cybersecurity frameworks are:

• NIST cybersecurity framework: It was designed to protect the critical infrastructure against internal and external attack. The process starts with identification which in turn helps in detection of security risk functions in the work environment. Subsequent to the risk detection, security controls are defined for data and information protection.  The next step is detection of irregularities in security, privacy, network etc. to identify security breaches. Following the detection, response or action need to be made by the way of setting up procedures and processes to improve security resilience. As a last step, it helps to recover from the attacks.
• ISO/IEC 27001 cybersecurity framework: It mandates on setting up an ‘Information Security Management System’ to systematically manage the information security risks considering the possible threats and vulnerabilities. It is a high-level implementation guide based out of industry best practices. The origin of the ISO/IEC framework is British standard BS 7799. 
• Center for Information Security (CIS) framework:  In this case, there is a 20-point actionable cybersecurity measures to enhance the overall security. It also classifies the implementing organisations into three categories with low, moderate and high level of cybersecurity implementation requirements and resources.

Need for automotive cybersecurity framework
Cybersecurity-related measures are new for automotive domain. It was rather done in bits and pieces and in an unstructured manner, primarily either at the component or at the system/sub-system level only. Moreover, no standard criteria was available to address such concerns at the vehicle level. Different definitions and terminology were being followed across the industry. Though there had been some matured standards in the non-automotive domain, the same were lacking for automotive. Also, a reference standard was badly needed to facilitate cyber security certification to ensure safe and secure vehicles. A typical automotive cybersecurity frameworks may generally have varying degree of complexities, depending upon the product type, technology levels, size, and location of the company.

International framework
In 2016, these experts from SAE and ISO drafted a dedicated cybersecurity standard for automotive with SAE J3061 as the foundation standard. The standardisation committee also had participation from stakeholders like OEMs, electronic sub-assembly manufacturers, organisations with background of cyber security, government representatives etc. With four working groups focusing on product development cycle, risk management, product development and processes, ISO/SAE 21434 was formulated.  This standard is aimed at development of a framework for advance risk assessment and management. The risk assessment as per ISO/SAE 21434 is conducted over the complete lifecycle of vehicle and individual parts throughout the design, development, production, maintenance and end-of-life of the vehicle. In this case, problems can be identified in the design stage itself. The standard has universal terminology and is technology-agnostic by design. 

Based on the ISO/IEC 21434, UNECE WP.29 has also published two important regulations in the year 2021. There are namely R155 and R156. R155 covers provision related to approval of vehicles for cybersecurity and cyber security management system (CSMS). The scope of the standards defines the category of vehicles this standard is applicable. The regulation indicates the way documentation shall be submitted by the vehicle manufacturer for approval while making an application and the minimum retention period.  It also specifies guidelines to safeguards the intellectual property in case vehicle manufacturer may have some challenge in doing so while making submissions for approval. Based upon the documents submitted by the OEM for approval, approval agencies are required to verify the cybersecurity robustness across the supply chain, document risk assessment, mitigation right from design and development stage, to ascertain of the cybersecurity is inherent in the design and the systems capability to detect and respond.

The approval agencies must also validate through testing to establish the performance of the vehicle with regard to cybersecurity as mentioned in the submitted documents. The regulation also requires to approval agencies to check the competence and skills of the personnel working at the end of vehicle manufacturer, related to cybersecurity and cyber risk management. Constitution of an authority to issue a certificate of compliance (CoC) for CSMS and its procedure is also indicated in the regulation. In addition, the regulation also specifies the criteria for extension in case of modifications made to the vehicle and procedure for conformity of production (CoP). R.156 however is concerning the provisions for vehicle approval with regard to software update and management systems (SUMS). Besides scope and definitions, the regulation explains the approval process and need for a CoC for SUMS which is required to be submitted by the vehicle manufacturer to the agency. The certificate shall be issued by an approval authority for a fixed duration and re-certification upon its expiry. The regulation also specifies requirement of mandatory unique identification number for a given software version and tracking in case of any updates. The extension criteria and procedure for CoP also form part of the regulation. 

Conclusion
The cybersecurity framework is the backbone of a safe and secure digital ecosystem. Irrespective of approach, the end objective of an effective cybersecurity framework is to ensure that all the facets of digital ecosystem are safe and secure.

Dr Madhusudan Joshi is the head of Electronics and the Electrical Group at ICAT Manesar.

The column was first published in Autocar Professional's April 15, 2022 issue.