Automotive Cybersecurity
Nagarjuna Gottemukala
explains the need for
framing of policies to
create a cybersecurity
culture for the
automotive industry.
‘There are dozens of computers in
modern cars, and they arent simply
for navigation or music. Nearly every
system in your vehicle, including
steering, brakes, and the engine
itself, is monitored and controlled by
computers, This is why cybersecurity
in the automotive industry is critical
Attackers can obtain information or
maybe even take control of a car if
the computer systems aren't properly
protected. As you might expect, this,
makes automobile cybersecurity a
huge problem for both consumers
and automakers.
One of the difficulties is the large
number of internal subsystems called
electronic control units located inside
a vehicle's electronic system (ECU)
‘The modern ECU is essentially a
computer that collects data from
directly connected sensors or
indirectly connected buttons,
switches, and other bus nodes,
processes it, and controls directly
connected actuators or indirectly
connected bus nodes such as LED
Indications.
Cea eae ee el
Different types of internal bus protocols
connect ECUs, allowing them to share
vital vehicle state variables in real time,
Software and data are essential
components of each ECU, enabling not
only the flawless operation of the vehicle
subsystem to which itis dedicated, but
also the organised collaboration of all
:CUs so that the vehicle reacts
appropriately to all internal and external
inputs.
The controller area network flexible data-
rate (CAN/CAN FD), LIN, MOST, Ethernet,
and FlexRay are among the protocols that,
accompany the expanded connection of
these new autos to facilitate data flow
between bus nodes. CAN is notable for
being vulnerable to injection attacks.
Modern cars have a gateway ECU that
connects and separates internal vehicle
buses, but it's safe to believe that this,
component wasn't designed to operate
as a security device.
Background
CCAvs (Connected and Autonomous
Vehicles) are a new technology that
has the potential to alter automotive
transportation and urban landscapes
if handled wisely. in the context of
highway transportation, CAVs have
been introduced as a subset of
Cyber-Physical Systems (CPSs), which
include digital software platforms,
physical infrastructure, and human
components,
Its vital to emphasise that this
research Is focused on CAV for
clarity and consistency, There are
many various perspectives on the
future of vehicle automation, and
there is a propensity to use phrases,
like connected car, smart car,
autonomous car, driverless car, and
self-driving car interchangeably. A
CAV, on the other hand, is neither the
same as a Connected Vehicle (CV) orTae
Infrastructure, and communication
technologies to increase transportation
efficiency and security
‘Autonomous vehicles (AVs) are vehicles
‘hat can drive themselves without the
need for human involvement. This study
Uses the International Organization of
Motor Vehicle Manufacturers (OICA)
definition of levels of automation, which
is based on the Society of Automotive
Engineers (SAE) International Standard
13016 and refers to six levels of
autonomy: 0 refers to no autonomy, 1 to
driver assistance, 2 to partial
automation, 3 to conditional automation,
4 to high automation, and 5 to full
automation. Although the two
technologies can be complementary, AVs
may not be coupled.
Avehicle can be categorised as a CAV fit
is both networked and autonomous. CAV
refers to any vehicle that can sense its
surroundings, move, navigate, and
behave responsibly without human
Intervention, while also having
connectivity functions that allow itto be
proactive, cooperative, welkinformed,
and coordinated. It reveals professional
‘Automotive cybersecurity (Source - Teledyne LeCroy)
‘An attacker who has taken control of
any ECU's execution can travel laterally
to any target or place of interest. A
basic and innocent in-vehicle
infotainment (1) ransom lock, for
example, can be used by an attacker.
The danger and impact for car users
can, however, increase as the attacker
can easily move to other components
of the vehicle, such as disabling and
holding the engine start function for
ransom; continuing denial of service
(00S) attacks on drivetrain ECUs and
forcing them to fall oF initiating
dangerous actions such as controlling
the brakes, steering, engine, and/or
airbag actuators. Controlling 2
connected car to cause a fatal crash is
possible with precise planning and
timing but impossible to show in formal
post-crash examinations,
While automobile manufacturers would
prefer to see tighter regulations
implemented, while car makers would
prefer to install more robust security
procedures and mechanisms in
connected vehicles, the industry's
current structure makes defence
implementation difficult.
‘Typical difficulties include:
2, Challenges in Vulnerability Mitigation
b. Software tampering and aftermarket
goods, and
¢. Invehicle interconnection techniques
that are not secure.
‘The automotive industry has recognised
these needs and has invested in the
development of an industry standard to
address cybersecurity challenges and
safeguard assets. A committee draft of the
‘ASO/SAE DIS 21434 Road Vehicles
Cybersecurity Engineering’ standard was
recently produced by the joint working
group of the standardisation organisations
ISO and SAE. This standard achieves @
consistent understanding of security by
design in product development and
‘throughout the supply chain, according to
the automobile industry.
ISO/SAE DIS 21434 Structure and
Sections
‘The first guideline for cyber-physical
vehicle systems cybersecurity, SAE 3061,
was published in January 2016, marking.
the start of ISO and SAE's collaboration on
the creation of a cybersecurity standard for
road vehicles which was completed in
September 2016, The goal of the first
standard (ISO/SAE 21434) was to:
(a) define a structured procedure for
ensuring cyber secure design
(0) reduce the likelinood of a successful
attack and losses
(0 give explicit methods for responding to
cybersecurity threats consistently
throughout global industry.
As previously stated, ISO/SAE DIS 21434 is
intended for use in road vehicles and
focuses on establishing minimal
cybersecurity engineering criteria. Neither
cybersecurity technology, solutions, nor
remedial procedures are mentioned in the
standard. There are no special criteria for
self-driving vehicles or road infrastructure.Tablet
A risk-based strategy to action
prioritisation and systematic elicitation
of cybersecurity measures is
recommended. The ISO/SAE DIS 21434
focuses on cybersecurity efforts across
the vehicle life cycle, from design to
production, operation and
maintenance, and decommissioning.
‘The structure of the ISO/SAE DIS 21434
draft, as illustrated in Table 1 is
examined and briefly discussed in this
section before being more thoroughly
described in the subsequent sections of
‘his work,
1. The scope of the norm is defined in
Section 1
2. The second section contains
normative references.
3, Abbreviated terminology and
definitions of terms used in the
document are defined in Section 3,
4. The car ecosystem, organisational
cybersecurity management, and the
linked automotive lifecycle are all
described in Section 4,
5, The organisational cybersecurity
strategy, policy and objectives are
described in Section 5,
6, Section 6 defines risk management
requirements, which include a plan and
technique for determining the amount
Een eo
Sn)
to which a potential scenario or
incident poses a threat to a road user.
7. Section 7 covers the idea phase and
defines cybersecurity goals based on a
threat analysis and risk assessmer
well as cybersecurity needs definition
to meet the goals.
8, Section 8 outlines the
implementation and verification of
cybersecurity requirements relevant to
the product development stage.
9. Section 9 focuses on the production,
‘operation, and maintenance phases, as
well as the requirements for ensuring
that cybersecurity specifications are
Implemented in the manufactured
item, as well as in-field cybersecurity,
10. Supporting processes, such as
‘organisational procedures, are
described in Section 10,
More than 80 entities from the
automobile industry, cybersecurity,
‘electronic parts manufacturing
businesses, and other sectors
contributed to the creation of ISO/SAE
21434 as a new baseline standard, This,
explains why automotive companies
need to create a cybersecurity culture
‘employing governance, policies,
processes, and tools in order to stay up
with developing technology and attack
June 2022 Editon |] INDUSTRIAL AUTOMATION MAGAZINE.
tactics when designing electrical parts
for automobiles. As some of the
world's mast powerful firms anticipate
Its impact on their customers and the
rules that will result from i, they are
expected to plan thelr future models
and designs around the standards in
the next few years, Because the sector
Is highly tiered, every change,
regardless of supply chain direct
necessitates coordinated
management,
These changes will have an impact on
the security of freshly manufactured
vehicles. In the meanwhile,
stakeholders who use cars that do not
meet the standards should be
protected by using adhoc remedies.
‘Automotive manufacturers can
collaborate with independent and
commercial researchers to develop
solutions tallored to the industry.
Nagarjunareddy Gottemukkala recently
completed his Master's degree in
‘mechatronics and cyber-physical systems
in Germany and will shortly begin
working for DEKRA DIGITAL GmbH as an
‘Automotive cybersecurity engineer. He
has studied advanced robotics,
autonomous systems, cyber-physical
systems, artificial intelligence, and
‘machine learning, among other subjects.