The number of connected vehicles has grown exponentially in the past decade, and with the developments in 5G technology, it does not seem like the trend will slow down any time soon. In fact, it is estimated that there will be more than 125 million connected cars by 2022. But with any connectivity, an essential aspect to consider is cybersecurity. Cars are no exception, and regulatory forums worldwide are catching on.
In June 2020, two new regulations were published by the World Forum of Harmonization of Vehicle Regulations (or “WP.29”) within the United Nations Economic Commission for Europe (UNECE). The WP.29 regulations immediately created a wave of piqued interest as well as an air of urgency for the automotive and cybersecurity industries. However, as much as this is a groundbreaking development for automotive cybersecurity, there is still an air of mystery and confusion when it comes to what the industry should actually be doing to respond to the regulations and how it realistically affects the industries.
To delve a bit into the origins of WP.29, the working party has been established for decades (over 50 years) and has worked to ensure regulations ensure safety for different methods of transport worldwide. WP.29’s work is based around an agreement signed in 1958, formally titled “Agreement concerning the adoption of uniform technical prescriptions for wheeled vehicles, equipment and parts which can be fitted and/or be used on wheeled vehicles and the conditions for reciprocal recognition of approvals granted on the basis of these prescriptions" (E/ECE/TRANS/505/Rev.2, amended on 16 October 1995). 54 countries are signed to the agreement, expanding from the European Union to other OECD countries, though most countries still recognize the regulations within their own national vehicular regulations, even as non-signatories.
As the number of connected vehicles grew and developments began to gain momentum in terms of autonomous driving, WP.29 in 2018 decided to establish a subsidiary working party called GRVA, committed to ensuring the safety and security of automated, autonomous, and connected vehicles. That brings us to June 2020, where the working party officially released two new regulations mandating security for connected vehicles that will go into force in July 2022. The regulations are not only comprehensive in terms of covering the different aspects of cybersecurity in connected vehicles, but additionally, they are groundbreaking for the industry as there is currently no precedent for vehicle regulation for manufacturers or suppliers in regards to cybersecurity – and especially not of this scope.
The road for automotive manufacturers
Many in the automotive industry are particularly concerned with regulation R155. In summary, this regulation applies to cars, vans, trucks, and buses that are equipped with autonomous driving functionalities, meaning that manufacturers must implement a cyber security management system (CSMS), obtain a certificate for CSMS compliance, and then have the vehicles procure type approval in regards to cybersecurity before the vehicle goes on the market. This may sound simple enough in theory, but the reality is a long, complex road ahead for manufacturers.
In the computing world, “system” refers much more specifically to a hardware system or software system (or combination of both), where certain components make up a system structure in order to process and compute certain sets of information. However, in the WP.29 regulations, the “system” in CSMS refers to a general method of mitigating risk and implementing comprehensive cybersecurity protocols to prevent possible cyberattacks. This includes everything from training, to risk assessment, to management of an actual cybersecurity system, and to testing the system to ensure its effectiveness in the pre-production, production, and post-production stages of a vehicle’s lifecycle.
While suppliers or service providers may breathe a sigh of relief because they believe they are excluded from the narrative, it may not be so easy. Suppliers and service providers can also be required to comply with the new regulations so far as they are included within the supply chain and their technologies or software are connected to the vehicle’s cybersecurity dependencies. This effectively means that most of the automotive industry will be involved.
Implementing cybersecurity for vehicles
When it comes to connected and autonomous vehicles, though it may seem like autonomous vehicles are a means of transport for the few any might, connected and autonomous vehicles, in actuality, make up a large percentage of cars on the road today.
Most vehicles are fitted with basic Advanced Driver-Assistance Systems (ADAS) features like cruise control to more advanced features like automatic lane centering. There are five distinct levels of autonomous driving, and many vehicles veer on the side of Level 2, which based on the Society of Automotive Engineers (SAE), means that the ADAS system can assist with some functions like steering, maintaining speed or braking, but drivers still need to have both hands on the wheel and take over if necessary. A few vehicles on the market are beginning to lean towards Level 3, meaning that the Automated Driving System (ADS) is the primary driver while the human driver stands by, expected to override if the system is unable to function effectively. While this is exciting for the industry, security risk only increases with increasing levels of automation as more power is given to the system (and the system’s connections) rather than the human being. If the connections are not secured properly, then it could lead to more traffic congestion, collisions, and in the worst-case scenario, loss of human life both in and out of the vehicle.
To combat this risk, there are two major points to look at when starting to implement cybersecurity measures: ECUs and the CAN bus. A car’s communications system is made up of around 80-100 Electronic Control Units, or ECUs, which control the myriad of functions a car must be able to perform through software programmed for the specific action. Whether it’s GPS, infotainment, lighting systems, vehicle access systems, remote links, or ADAS – everything is controlled by ECUs. Therefore, securing the ECUs through an in-vehicle automotive security solution that includes encryption of data, monitoring, an automotive firewall, access control, secure storage and booting, and OS hardening should be implemented.
However, this only covers the ECUs on their own. We then need to look at the Controller Area Network (CAN) bus, a vehicle omnibus standard, which allows the ECUs utilize to communicate with each other as well as outside networks. This is where systems like an Intrusion Detection and Prevention System (IDS/IPS) come in, monitoring messages and analyzing network packets for any signs of abnormal behavior or attacks for both internal and external communications. It can be an ominous visual if one imagines a scenario in which the CAN bus was infiltrated, as it is literally the gateway to the car’s most core operations. We have seen countless hacking incidents by both hackers as well as security specialists, and one thing we can be certain of is that securing the vehicle itself should be the first step in implementing security.
It would be remiss of myself to imply that security is complete when the internal system is secured, because of course, that is not the case at all. What makes the WP.29 regulations so intriguing is that it is basically getting all vehicles on the starting line for cybersecurity implementation. As technology continues to develop, it will most likely change the security needs for the vehicles as well. However, with the foundation of vehicle security, it opens up avenues for more security solutions to be implemented: secure V2D (Vehicle-to-Device) , V2G (Vehicle-to-Grid) security for electric vehicles utilizing Plug&Charge, V2I (Vehicle-to-Infrastructure), and so much more.
What this means for automotive cybersecurity
Although it will likely be a complicated road to compliance, it’s good news for cybersecurity companies, as governments and manufacturers will finally be giving cybersecurity the attention that it truly requires. With decades of experience in the cybersecurity field, I have seen and tested firsthand the kind of damage a cyberattack on a vehicle does. Much like a domino effect, one vehicle can affect another, and another – and soon all traffic throughout a city can be placed in gridlock. And most importantly, when human lives are at stake, the obvious answer is to secure at all costs.
However, while those of us in cybersecurity can emphasize the dangers of unsecure connections in a vehicular environment repeatedly, it often falls on deaf ears as there is no universal baseline. Some manufacturers may choose to be adamant regarding security, but it may be difficult to continue to keep it updated or enhanced when other manufacturers do not seem to prioritize it in quite the same way. Self-regulation ends up becoming the norm, but it is not sufficient when it comes to autonomous vehicles as risk will only increase as development continues.
With regulations from the WP.29 mandating a comprehensive cyber security approach as well a set structure for requirements for compliance and type approval, the industry is finally setting up the universal cybersecurity starting-point vehicles, paving way for more connections and technologies for the automotive industry to be secured as well. Security is so much more than just a firewall or an antivirus – it encompasses all communications, all devices, in the design and development process of software, and in any kind of circumstance. As an automotive cybersecurity enthusiast, I look forward to seeing how governments implement WP.29 compliance standards into their own legislations, and how manufacturers plan for a CSMS that will secure their vehicles but furthermore, my hope is that it will start conversations between the automotive industry and the cybersecurity industry and seeing what other technologies and developments they can collaborate on and secure.
Daniel ES Kim, CEO and co-Founder, AUTOCRYPT