New standards driving for better security in autonomous vehicles

Computers have already made vehicles safer in multiple ways. While there is no way to guarantee that people in a car will never get hurt or killed in a crash, relatively recent features like antilock brakes, lane assist, smart cruise control, and the sensors that deploy airbags make it much less likely.

But, as is true with anything connected to the internet, all those added technological benefits come with added technological risks — vulnerabilities that cyber attackers are always looking to exploit.

The modern vehicle is a connected computer on wheels — actually hundreds of computers on wheels. Even in the wheels — what do you think prompts the warning light on your dashboard to come on if your tire pressure is low?

And computers don’t just run the infotainment system, backup camera, dashboard warning lights, and the bell or beep that harasses you if you don’t buckle your seatbelt. They direct fundamental vehicle functions too — acceleration, braking, and steering.

The Synopsys automotive group has coined a term for it: the “SmartPhonezation” of the car.

In other words, it’s part of the vast Internet of Things (IoT). It has enabled convenience, luxury, efficiency, safety and the march toward autonomous driving, but it also makes it part of the equally vast IoT attack surface. If hackers get control of a connected car, they could take over those core functions — acceleration, steering and brakes — demand a ransom from an owner simply to start the car, disable the locks and steal it, and more.

Indeed, just one recent example was a demonstration by researchers in November 2020 that vulnerabilities in the Tesla X keyless entry system could allow an attacker to unlock and steal the car in minutes.

They can do that through vulnerabilities in the software that powers the sensors in vehicles. And that makes software security a fundamental component of physical safety in a car. If it’s not secure, it’s not safe.

Autonomous is within sight

Of course, we are still a long way from fully autonomous vehicles (AV) being mainstream. But they are on the horizon. Just last week AV startup Argo, along with Ford, and Walmart announced plans to start last-mile deliveries from Walmart stores in Austin, Texas; Miami, Florida; and Washington, DC.

And most newer vehicles are semiautonomous now, with multiple driver-assist features.

All of which means the need for better cyber security in those vehicles could be a matter of life and death. So with the stakes that high, the encouraging news is that both the private and public sectors are working to make the cars of today and the AVs of tomorrow both secure and safe.

The growth in cyber security investments was documented by Market Research Future, which predicted recently that the automotive cyber security market will increase from $2.16 billion in 2020 to $8.94 billion by 2028.

And one major example of that is the ISO/SAE 21434 automotive security standard, created by the International Organization for Standardization and the Society of Automotive Engineers, which took effect last month after more than a year in development.

Chris Clark, senior manager of automotive software and security, with the Synopsys automotive group, calls the release “very exciting. It’s the first step toward an industry standard that can align cyber security discussion and normalize activities across the industry.”

Clark was among more than 100 experts from 14 nations in a joint development group that participated in crafting the standard.

There is no way to make vehicles perfectly secure, of course. Clark acknowledges that the goal can’t be perfection. “We’re not building a space shuttle, we’re building a car,” he said. “If we wanted to have every single security feature to ensure that a vehicle never failed, we couldn’t afford it.”

The year of (better) standards

But that doesn’t mean vehicle cybersecurity can’t improve — a lot. And Clark predicted at the beginning of this year that 2021 would be “the year of automotive standards.”

ISO/SAE 21434 calls for “OEMs and all participants in the supply chain (to) have structured processes in place that support a ‘security by design’ process” covering the development and entire life cycle of a vehicle.” Those include requirements engineering, design, specification, implementation, test, and operations.

According to Green Car Congress, the new standard focuses on the “fundamentals of cyber security including requirements, process, and goals in business disciplines including product development, production, operations, and maintenance.”

Another significant element of the standard comes in a single sentence. ISO/SAE pointedly says that the standard “does not prescribe specific technology or solutions related to cyber security.”

Clark enthusiastically supports that philosophy. It’s much better, he said, for standards to mandate the results an industry must achieve, rather than prescribe how to achieve them. “Standards organizations are trying to minimize the impact on innovation and eliminate a check-box mentality,” he said.

Indeed, the reality of human nature is that if any standards body, public or private, sets out a list of rules or specific requirements, “then everybody in the industry would do those things and nothing more,” he said.

“But if we say organizations must design a security program that focuses on the cyber security of hardware and software to meet the needs of both the customer and the organization, then everybody’s [programs] will be a little bit different, and some are going to be better than others. It starts to create the competitive landscape that we are really interested in.”

Not the last word

The 21434 standard will evolve as well — it’s not even close to the final word on automotive cyber security. Clark said he is chairing an effort under the SAE that is “actively working on expanding and supporting content created out of 21434. This ranges from the development of cybersecurity assurance levels to measuring maturity and how organizations can map different maturity models to 21434.”

“It’s great the document is released but we are far from the finish line,” he said.

Meanwhile, another new standard from Singapore is expected to affect the cyber security components of AVs worldwide.

TR 68–3:2021 was “prepared by the Working Group on Cybersecurity Principles and Assessment Framework set up by the Technical Committee on Automotive under the direction of MSC [Manufacturing Standards Committee],” according to the website of the Singapore Standardisation Programme.

The technical reference (TR) is intended to set security standards for the development and deployment of AVs with four main areas of focus: basic behavior, safety, cybersecurity principles and assessment, and vehicular data types and formats.

But the website notes that the Singapore program also seeks to “extend” existing cybersecurity safeguards for AVs due to “increased security threat potential which is present for vehicles … where a human operator is not present in the vehicle to intervene in the event that an attack has compromised it.”

Dennis Kengo Oka, principal automotive security strategist with the Synopsys automotive group, was the team leader of the cybersecurity assessment framework group that participated in the crafting of the TR.

He said that, more specifically, the TR “covers the vehicle intelligence zone with considerations to automated driving system, operational design domain, dynamic driving task, and external communications such as GNSS [Global Navigation Satellite System].”

“There are two tiers of cyber security safeguards presented in the TR,” he said. “First are cybersecurity principles to help with a secure-by-design lifecycle, including design, development, operations, maintenance, and decommissioning. Second is a framework for independent cybersecurity assessment of AV systems, including system review, threat risk assessment and cyber security testing.”

And he said that even though this TR applies to AVs deployed in Singapore, “many AV developers worldwide would use Singapore as a testing bed for AVs. So its impact will go beyond Singapore, since after AV testing is completed there, the same AVs would be deployed in other countries and regions.”

Is all this going to change the world of automotive cyber security? Given that those standards have just recently taken effect, Clark acknowledges that “the challenge is how organizations interpret what has been released. This will tell us how successful we have been.”

But in the interim, he is bullish on the overall response of the industry to cyber threats that will both grow and become more sophisticated as vehicles become more fully autonomous, and therefore loaded with millions more lines of software code.

“Even today, drivers should be confident in their vehicles’ cyber security posture,” he said. “The rapid influx of safety and security standards will quickly fill the gap of both yesterday’s vehicles and tomorrow’s.”