With rapid economic development across Asia Pacific, the automotive industry will continue to witness an upward trend in vehicle production. Asia Pacific is home to some of the largest manufacturers of passenger cars, with China, Japan, and Korea contributing over 37 million units of production, or 42 percent of the global production market. With that, the automobile industry will continue to place a record number of cars on the roads.
Rising expectations around levels of comfort, navigation assistance, car intelligence, and safety are no longer limited to the realm of luxury cars, but are well entrenched in all car segments. To meet them, onboard systems in all cars are now increasingly complex, interconnected and online (an IoT of cars). This surfaces the issue of security, which has already drawn the attention of car manufacturers and paved the way for the Automotive Cyber Security Industry as a distinct category, already estimated to be at around USD 759 million by 2023^ and probably set to continue growing.
Consider what is changing the cyber security landscape as the Internet of Cars (IoC) becomes a reality:
1) Internet Connectivity for Navigation system, Entertainment system, Mobile Phone interfaces and access to a host of cloud services. All these with multiple communication channels such as WiFi, 3G, 4G, DSRC, USB, Bluetooth, and the OBD2 protocol.
2) Advanced Driving Systems like Blind spot detection, Adaptive cruise control, Lane keeping, Automatic emergency braking, Platooning, and now Autonomous driving.
3) Diagnostic Services for remote maintenance and Over-the-Air (OTA) updates.
Virtually everything listed above is potentially a vector for a cyber threat, leading to a potential security compromise. It was proven years ago that physical access to a vehicle is no longer needed to inject a malicious command into the vehicle system to gain control or alter operating parameters.
Therefore, the complex ecosystem of automobile manufacturers, OEM vendors (and consumers) should become increasingly aware of cyber security factors. The number of ECUs (Electronic Control Units) needed to “safely” operate a car has been increasing, and virtually every function is now managed through an ECU. Examples include Engine & Transmission, Airbags, Steering and Braking, TPMS, Key-less Entry, and the Telematics Control Unit, all interconnected internally over a CAN bus architecture and externally accessing the gateways of service providers.
A key technology in this highly connected car segment is over-the-air (OTA) software updates. Automobile manufacturers want to securely deploy software-over-the-air (SOTA) patches to vehicles the same way a consumer receives notifications to upgrade the software on his or her smartphone. Over-the-air updates to vehicles can help ensure systems are current with the latest security solutions and provide added convenience and peace of mind for drivers. However, this new channel can also become an attack vector and introduce new vulnerabilities (30% of vehicles are expected to have this capability within the next couple of years, making it a key cyber threat vector).
As such, the electrical and electronic fabric that forms the central architecture, together with the associated software (in the ECUs and TCU), estimated at around 100 million lines of code, needs to be resilient enough to thwart the exploitation of vulnerabilities that can lead to an attack. Earlier this year, TÜV Rheinland announced a strategic partnership with Visual Threat aimed at helping the automotive industry test, detect and remediate the increasing cyber security threats targeting next generation vehicles. The partnership provides automotive industry and component manufacturers with complete testing services to provide assurance that their automotive products are secure from cyberattacks.
But even with all of these testing considerations (reactive and post-development), there is no single security solution to manage cybersecurity within the automobile operating environment, and therefore it all goes back to the fundamentals of:
1) Security by Design
2) Layered Security or Defense in Depth
3) And the discipline of Privacy Engineering
However, first off the block for inbuilt security (or Security by Design) are Infotainment & Telematics Control Units coming into the market with inbuilt firewalls and intrusion detection systems. These act as the first line of defense, or gatekeepers, preventing bad commands from coming into the system. Compare this development with the evolution of cyber security 15 years ago, when we started from IT Security (tools like ACLs, Firewalls, IDS/IPS, Anti-Virus), which evolved into Information Security and then graduated to Cyber Security: the automotive security landscape is also at an early stage of development, but with a far more compacted evolution timeline.
This also applies to the emergence of standards around automobile cyber security, where we do not have a strong standard guiding the overall development of cyber security for vehicles. The focus of these standards has always been on achieving functional safety, but there is no safety today without cyber security, and that is being well recognized.
What we have today as prevailing industry standards:
1) ISO 26262, which will likely be extended to include (not exhaustive):
- Highly distributed architecture
- Autonomous driving
- Cyber Security
2) SAE J3061/ISO 21433: Cyber Security aligned to ISO 26262
- Lifecycle, Information on tools and methods, principles
- Foundation for standard development (draft)
3) IEC 62443 can be transposed and leveraged for vehicles
- Considers distributed architecture including networks and components
- Convergence of Cyber Security and Functional Safety
4) EU-GDPR’s privacy provisions would appear to be the dominant standard if we take into consideration the collection of driving/driver data for processing.
In summary, all market indicators point to upward momentum in the ecosystem for addressing cyber security, with a far more compacted timeline to attain a state of maturity, be it in standards, automotive technology, production technology (more on this next time) or the outlook for managing Automotive Cyber Security.
For more information and help on the topics of safety and/or cyber security of automotive, get in touch with TÜV Rheinland.
^'Automotive Cybersecurity Market to Reach $759 Million in Revenue in 2023', IHS Markit Reports, 26 September 2016, http://news.ihsmarkit.com/press-release/automotive-cybersecurity-market-reach-759-million-revenue-2023-ihs-markit-reports