Automotive Cybersecurity Nagarjuna Gottemukala explains the need for framing of policies to create a cybersecurity culture for the automotive industry. ‘There are dozens of computers in modern cars, and they arent simply for navigation or music. Nearly every system in your vehicle, including steering, brakes, and the engine itself, is monitored and controlled by computers, This is why cybersecurity in the automotive industry is critical Attackers can obtain information or maybe even take control of a car if the computer systems aren't properly protected. As you might expect, this, makes automobile cybersecurity a huge problem for both consumers and automakers. One of the difficulties is the large number of internal subsystems called electronic control units located inside a vehicle's electronic system (ECU) ‘The modern ECU is essentially a computer that collects data from directly connected sensors or indirectly connected buttons, switches, and other bus nodes, processes it, and controls directly connected actuators or indirectly connected bus nodes such as LED Indications. Cea eae ee el Different types of internal bus protocols connect ECUs, allowing them to share vital vehicle state variables in real time, Software and data are essential components of each ECU, enabling not only the flawless operation of the vehicle subsystem to which itis dedicated, but also the organised collaboration of all :CUs so that the vehicle reacts appropriately to all internal and external inputs. The controller area network flexible data- rate (CAN/CAN FD), LIN, MOST, Ethernet, and FlexRay are among the protocols that, accompany the expanded connection of these new autos to facilitate data flow between bus nodes. CAN is notable for being vulnerable to injection attacks. Modern cars have a gateway ECU that connects and separates internal vehicle buses, but it's safe to believe that this, component wasn't designed to operate as a security device. Background CCAvs (Connected and Autonomous Vehicles) are a new technology that has the potential to alter automotive transportation and urban landscapes if handled wisely. in the context of highway transportation, CAVs have been introduced as a subset of Cyber-Physical Systems (CPSs), which include digital software platforms, physical infrastructure, and human components, Its vital to emphasise that this research Is focused on CAV for clarity and consistency, There are many various perspectives on the future of vehicle automation, and there is a propensity to use phrases, like connected car, smart car, autonomous car, driverless car, and self-driving car interchangeably. A CAV, on the other hand, is neither the same as a Connected Vehicle (CV) orTae Infrastructure, and communication technologies to increase transportation efficiency and security ‘Autonomous vehicles (AVs) are vehicles ‘hat can drive themselves without the need for human involvement. This study Uses the International Organization of Motor Vehicle Manufacturers (OICA) definition of levels of automation, which is based on the Society of Automotive Engineers (SAE) International Standard 13016 and refers to six levels of autonomy: 0 refers to no autonomy, 1 to driver assistance, 2 to partial automation, 3 to conditional automation, 4 to high automation, and 5 to full automation. Although the two technologies can be complementary, AVs may not be coupled. Avehicle can be categorised as a CAV fit is both networked and autonomous. CAV refers to any vehicle that can sense its surroundings, move, navigate, and behave responsibly without human Intervention, while also having connectivity functions that allow itto be proactive, cooperative, welkinformed, and coordinated. It reveals professional ‘Automotive cybersecurity (Source - Teledyne LeCroy) ‘An attacker who has taken control of any ECU's execution can travel laterally to any target or place of interest. A basic and innocent in-vehicle infotainment (1) ransom lock, for example, can be used by an attacker. The danger and impact for car users can, however, increase as the attacker can easily move to other components of the vehicle, such as disabling and holding the engine start function for ransom; continuing denial of service (00S) attacks on drivetrain ECUs and forcing them to fall oF initiating dangerous actions such as controlling the brakes, steering, engine, and/or airbag actuators. Controlling 2 connected car to cause a fatal crash is possible with precise planning and timing but impossible to show in formal post-crash examinations, While automobile manufacturers would prefer to see tighter regulations implemented, while car makers would prefer to install more robust security procedures and mechanisms in connected vehicles, the industry's current structure makes defence implementation difficult. ‘Typical difficulties include: 2, Challenges in Vulnerability Mitigation b. Software tampering and aftermarket goods, and ¢. Invehicle interconnection techniques that are not secure. ‘The automotive industry has recognised these needs and has invested in the development of an industry standard to address cybersecurity challenges and safeguard assets. A committee draft of the ‘ASO/SAE DIS 21434 Road Vehicles Cybersecurity Engineering’ standard was recently produced by the joint working group of the standardisation organisations ISO and SAE. This standard achieves @ consistent understanding of security by design in product development and ‘throughout the supply chain, according to the automobile industry. ISO/SAE DIS 21434 Structure and Sections ‘The first guideline for cyber-physical vehicle systems cybersecurity, SAE 3061, was published in January 2016, marking. the start of ISO and SAE's collaboration on the creation of a cybersecurity standard for road vehicles which was completed in September 2016, The goal of the first standard (ISO/SAE 21434) was to: (a) define a structured procedure for ensuring cyber secure design (0) reduce the likelinood of a successful attack and losses (0 give explicit methods for responding to cybersecurity threats consistently throughout global industry. As previously stated, ISO/SAE DIS 21434 is intended for use in road vehicles and focuses on establishing minimal cybersecurity engineering criteria. Neither cybersecurity technology, solutions, nor remedial procedures are mentioned in the standard. There are no special criteria for self-driving vehicles or road infrastructure.Tablet A risk-based strategy to action prioritisation and systematic elicitation of cybersecurity measures is recommended. The ISO/SAE DIS 21434 focuses on cybersecurity efforts across the vehicle life cycle, from design to production, operation and maintenance, and decommissioning. ‘The structure of the ISO/SAE DIS 21434 draft, as illustrated in Table 1 is examined and briefly discussed in this section before being more thoroughly described in the subsequent sections of ‘his work, 1. The scope of the norm is defined in Section 1 2. The second section contains normative references. 3, Abbreviated terminology and definitions of terms used in the document are defined in Section 3, 4. The car ecosystem, organisational cybersecurity management, and the linked automotive lifecycle are all described in Section 4, 5, The organisational cybersecurity strategy, policy and objectives are described in Section 5, 6, Section 6 defines risk management requirements, which include a plan and technique for determining the amount Een eo Sn) to which a potential scenario or incident poses a threat to a road user. 7. Section 7 covers the idea phase and defines cybersecurity goals based on a threat analysis and risk assessmer well as cybersecurity needs definition to meet the goals. 8, Section 8 outlines the implementation and verification of cybersecurity requirements relevant to the product development stage. 9. Section 9 focuses on the production, ‘operation, and maintenance phases, as well as the requirements for ensuring that cybersecurity specifications are Implemented in the manufactured item, as well as in-field cybersecurity, 10. Supporting processes, such as ‘organisational procedures, are described in Section 10, More than 80 entities from the automobile industry, cybersecurity, ‘electronic parts manufacturing businesses, and other sectors contributed to the creation of ISO/SAE 21434 as a new baseline standard, This, explains why automotive companies need to create a cybersecurity culture ‘employing governance, policies, processes, and tools in order to stay up with developing technology and attack June 2022 Editon |] INDUSTRIAL AUTOMATION MAGAZINE. tactics when designing electrical parts for automobiles. As some of the world's mast powerful firms anticipate Its impact on their customers and the rules that will result from i, they are expected to plan thelr future models and designs around the standards in the next few years, Because the sector Is highly tiered, every change, regardless of supply chain direct necessitates coordinated management, These changes will have an impact on the security of freshly manufactured vehicles. In the meanwhile, stakeholders who use cars that do not meet the standards should be protected by using adhoc remedies. ‘Automotive manufacturers can collaborate with independent and commercial researchers to develop solutions tallored to the industry. Nagarjunareddy Gottemukkala recently completed his Master's degree in ‘mechatronics and cyber-physical systems in Germany and will shortly begin working for DEKRA DIGITAL GmbH as an ‘Automotive cybersecurity engineer. He has studied advanced robotics, autonomous systems, cyber-physical systems, artificial intelligence, and ‘machine learning, among other subjects.