
The ultimate objective of a TARA process is to enable a reduction in a system’s attack footprint. For a complex system-of-systems, such as the CAV ecosystem, this needs to be done efficiently to maximise the benefit from the limited costs (time and resources). Our proposed Security Framework can provide the systematic guidance required for efficient use of resources. As discussed in the previous section, the nature of cyber security means that certification is unable to be prescriptive with regard to technology. Indeed, the technical organisations that issue standards for interoperability will have their test regimes for equipment compatibility. In the CAV ecosystem, such organisations include:

• ITU - International Telecommunication Union

• ETSI - European Telecommunications Standards Institute

• IEEE - Institute for Electrical and Electronics Engineers

• SAE - SAE International (previously Society of Automotive Engineers)

In 2017 the UK Government issued the report The Key Principles of Cyber Security for Connected and Automated Vehicles [128]. It listed eight high-level principles that organisations should follow to reduce security issues. This was soon followed by the British Standards Institute's (BSI) PAS 1885:2018 [124], The fundamental principles of automotive cyber security - Specification, in 2018. The latter references some of the eight principles listed in the former. Although these publications are not standards in themselves and involve no certification, they do provide guidelines on the process of managing the security of a CAV throughout its lifetime. They highlight the need to take a proactive approach to security throughout an organisation, from the board to the product designers, where the security considerations are embedded into a CAV's design from the outset of its life cycle. The forthcoming international standard ISO SAE 21434 [42], Road vehicles – Cybersecurity engineering, currently in draft status, is security process focused. This new joint ISO/SAE standard supersedes the previous SAE J3061, Cybersecurity Guidebook for Cyber-Physical Vehicle Systems [2], which covered security practices from concept design to decommissioning.

[128] HM Government (2017) The Key Principles of Cyber Security for Connected and Automated Vehicles.

It is not surprising that ISO is developing a standard for cyber security in road vehicles. The ISO standard ISO 26262, Road vehicles - Functional safety [129], is the international standard used by vehicle manufacturers and their suppliers to analyse and reduce risks in the functional operation of cars and their components. It is widely used within the automotive industry and has matured through different versions. ISO 26262 is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems that are installed in series production road vehicles. The latest 2018 version of ISO 26262 acknowledges the intersection with cyber security and the need to address the topic separately; it references the forthcoming ISO SAE 21434. This new joint ISO/SAE cyber security engineering standard considers the required cyber security management processes within an organisation:

• overall cyber security management - covering governance, culture, risk management, audits, information sharing and security, and managing tools;

• product cyber security management - covering requirements, recommendations, responsibilities, planning, reuse, components, and assessments;

• continuous cyber security activities - covering monitoring, requirements, recommendations and assessment of events.

ISO SAE 21434, thoroughly developed over some years, is likely to become the go-to standard for vehicle manufacturers needing to implement cyber security practices within their organisation and product development processes, just as ISO 26262 became the go-to standard for functional safety. However, adherence to the ISO standard is not intended to be measured through a certification process. As for ISO 26262, organisations will have personnel trained on the provisions of the standard, who can apply it to the organisations’ processes. An industry exists around ISO 26262 for training to provide personnel with the relevant capabilities to apply the standard. Some of the companies that provide ISO 26262 training do offer exams as a form of competency assessment; it is a form of self-certification. A similar industry is likely to emerge for the ISO SAE 21434 standard. However, the United Nations Economic Commission for Europe (UNECE) is incorporating certification in its proposed assessment of a manufacturer’s Cyber Security Management System (CSMS).

UNECE hosts the World Forum for Harmonization of Vehicle Regulations; the forum is coded as, and commonly known as, WP.29. The forum is used for provisioning global regulations on vehicle safety and environmental issues. A WP.29 document is "proposing provisions for the approval of cyber security management systems as well as of vehicles with regard to cyber security" [130]. The UNECE proposals will require vehicle manufacturers to obtain a Certificate of Compliance for Cyber Security Management System. This will be achieved through the existing vehicle Type Approval processes; in the UK that would be through the VCA. However, it is worth noting that UNECE provisions do not override national regulations and laws.

[129] ISO (2018) ISO 26262-2:2018 Road vehicles - Functional safety - Part 2: Management of functional safety. Geneva

[130] Task Force on Cyber Security Issues and Over-The-Air Software (2020) ‘New UN Regulation on uniform provisions concerning the approval of vehicles with regard to cyber security and of cybersecurity management systems’

The CSMS proposed by UNECE will require a manufacturer to document their cyber security management processes, and the processes used to assess the cyber security of the vehicle which is seeking cyber security type approval. Manufacturers will need to apply for a Certificate of Compliance for CSMS, with the application assessed by the appropriate Approval Authority (AA) (the VCA in the UK). The AA will verify that the CSMS complies with the proposed UNECE regulations, and if approved it will be valid for three years. The CSMS must cover several areas of the organisation's processes and vehicle cyber security testing, including:

• the life cycle of a vehicle - development, production, post-production;

• the organisation's cyber security management process;

• risk management - identification of risks to a vehicle, their assessment, categorisation and treatment;

• security testing processes;

• ongoing risk assessment;

• monitoring, detecting and responding to cyber attacks, threats, and vulnerabilities;

• management of dependencies with third parties and other organisational divisions;

• handling of aftermarket software, services, and data;

• modifications after being granted type-approval;

• conformity in production.

As for ISO 26262 and ISO SAE 21434, the UNECE CSMS is not prescriptive on the tools and techniques that need to be used. The UNECE proposal does have an annexe that lists threats and possible mitigation techniques, but these are at a high descriptive level. This makes sense, as they need to allow for changes in technology and testing techniques.

The UNECE proposal on cyber security is still changing and can be viewed on the UNECE WP.29 website [131], though it can be easier to find the latest version on the website GlobalAutoRegs.com [132].
