Preparing for a new automotive cyber reality (July 2020)
TRANSCRIPT
A Guide to WP.29 Cyber Security and ISO/SAE 21434
About SBD Automotive: Management & technology consultants to the automotive industry for over 20 years
Our expertise: Connected, Autonomous, Shared Mobility, EV, Cybersecurity, Anti-theft
Seeing Beyond Data: Turning data into actionable advice (Uncertainty, Data, Insight, Advice)
As our industry faces...
We provide our clients with...
Our role:
Design:
• Marco Storsberg - Threat modelling
• Anna Stylianou - Threat intelligence
• Simon Halford - E/E architecture
• Paul Sanderson - 21434 & TARA
• David McClure - Head of Cyber
Test:
• Jithesh Joshy - Wireless/SDR
• Nik Pettas - App & API
• Brian Zhou - SW & interface
• Sam Nelstrop - e-theft
• Paulson Mathew - HW & IoT
History often repeats itself...
In the 1990s car makers struggled to address a sudden growth in vehicle theft, leading to outside bodies introducing tough new requirements. In 2020, the threat of cyber attacks has now led the UNECE and ISO/SAE to introduce new regulations and standards respectively that will have major implications on how cars are designed - and could even limit the launch or sale of cars.
Welcome to SBD Automotive’s complimentary guide to WP.29 Cyber Security and ISO/SAE 21434 - two documents that will transform the automotive industry’s approach to cyber security. Here, we have done the hard work for you, condensing hundreds of pages of regulations and standards into an accessible reference guide that provides actionable insights and a quick-start checklist to getting 21434-ready.
SBD Automotive’s cyber team
The big picture view of WP.29 Cyber Security

Requirements
• OEMs will need to have their product cyber management processes audited by a 3rd party every three years.
• OEMs will also need to demonstrate that they have followed a risk-based development process for every new vehicle type.
• OEMs will need to cascade the requirements down through their supply chain and take responsibility for the implementation by their suppliers.

Timing
• June 2020 - The final version of WP.29 Cyber Security was adopted by the UN.
• January 2021 - The regulation will ‘come into force’, meaning that countries can apply the new regulation from this date.
• July 2022 - The regulation will be mandatory for new vehicle types in the EU.
• July 2024 - The regulation will be mandatory for all new vehicles sold in the EU.

Coverage
• South Korea (in part from 2020), Japan (2021) and Europe (2022) are the early adopters of WP.29 Cyber Security.
• The USA was a joint chair of WP.29 Cyber Security and is expected to adopt the requirements.
• China has a ‘window’ into WP.29 and ISO/SAE 21434 and will introduce similar requirements from 2021.
• Likely to be adopted by Russia, Australia, parts of SE Asia, South Africa etc.

Consequences
• In regions such as the EU where WP.29 Cyber Security will be part of the Type Approval process, non-compliance would prevent OEMs from launching new models.
• In 2024, OEMs could also face the withdrawal of EU Type Approval for non-compliance, meaning that they would have to stop sales of an existing model.
• Similar impacts are expected in the other adopting countries.
A (brief) 30-year history of automotive cyber security
• Early 1990s - Mechanical theft: Rapid increase in cars being stolen using mechanical attacks, resulting in a strong push for electronic immobilizers, alarms and tracking systems
• Early-to-mid 2000s - eTheft: First cyber tools (also known as e-theft tools) used to reprogram keys to vehicles and relay attack smart key systems
• Mid 2010s - Early hacking: First widely-publicized white-hat remote hack on Jeep, followed by many other OEMs (BMW, Tesla, Toyota, Nissan etc.)
• 2015 onwards - Pen testing: OEMs start penetration testing of high-risk parts (eg IVI, TCU, GW etc)
• Late 2010s - Security by design: ‘Security by design’ approach guided by numerous standards, guidelines & best practice publications
• 2020 - UN WP.29: First cyber security regulation adopted by the UN WP.29
What is WP.29 and how does it relate to ISO?
In June 2020, the UN adopted three new regulations aimed at supporting the development of connected and automated vehicles. For the first time, OEMs will need to meet binding requirements on cyber security, software updates and ALKS, a SAE Level 3 automated driving system. This guide will focus on the UN’s cyber security regulation and its impact on OEMs and suppliers.
WP.29 is the UN Working Party responsible for developing new automotive regulations. ISO/SAE 21434 provides one option for meeting WP.29 Cyber Security.
The three UN WP.29 regulations and the related ISO standards:
• UN WP.29 SAE L3 Automated Vehicle (ALKS) - ISO 26262 Functional Safety - Road Vehicles; ISO/PAS 21448 Safety of the Intended Functionality of road vehicles. Note: the driver remains the back-up to L3 systems.
• UN WP.29 Cyber Security - ISO/SAE 21434 Cyber Security.
• UN WP.29 Software Updates (includes OTA & ‘wired’ updates) - ISO/AWI 24089 Road vehicles software update engineering.
WP.29 non-compliance could prevent OEMs from launching new models and even lead to sales of existing models being halted. This represents a significant threat to an OEM’s business.
What’s involved with WP.29 Cyber Security?
WP.29 Cyber Security requires that OEMs implement a comprehensive risk-based approach to developing new models and provides two tools to enforce compliance: OEMs will need to have their cyber development processes audited and certified by a third party every 3 years; and OEMs will also need to demonstrate that every new model has been developed according to the certified process as part of Type Approval. Failure to meet these requirements will mean that new models cannot be launched.

1. Overall Cyber Security Management System (CSMS)
OEMs will need to provide detailed documents covering the vehicle development, production and post-production phases:
• High level policy for how cyber security is managed within the organization & throughout the supply chain, roles & responsibilities and overall governance
• Process for identifying risks, including a detailed list of 32 pre-defined threats
• Process to assess and treat these risks
• Process to verify that the identified risks have been managed
• Process to test the cyber security of the vehicle
• Process to keep the risk assessments up to date after production starts
• Process to monitor, detect and respond to cyber attacks
• Process to judge if the measures are still effective against the latest threats
• Process to provide relevant data to support analysis of actual attacks
In addition, OEMs will need to demonstrate that:
• They can mitigate new threats in a ‘reasonable’ timeframe
• Monitoring is continual, uses vehicle data & logs and complies with data privacy legislation (e.g. GDPR in Europe)
• They have cascaded the processes and requirements through their supply chain

2. Vehicle-specific Type Approval
For each new model, OEMs will need to provide a detailed technical file with the following information to the Type Approval Authority:
• Valid CSMS certificate
• Identify cyber-critical elements, both on-board and external interactions
• Perform a risk assessment, including the 32 pre-defined threats
• List of planned mitigations, including how they address the identified risks
• Details of testing to verify the effectiveness of the cyber measures
• Measures to detect and prevent cyber attack
• Ability to monitor for such attacks
• Data forensics capability to support post-attack analysis
• If provided, a secure environment for aftermarket software to sit and operate
In addition, OEMs will need to:
• Use recognised crypto standards for encryption, authentication etc.
• Provide an annual report of attacks detected by the monitoring process
• Confirm that existing mitigations are still effective against the latest threats, and if not, details of new measures implemented
• Implement new mitigations if the Approval Authority judges that the current measures are no longer effective

Additional notes
- WP.29 Cyber Security defines what OEMs need to do, but it does not define how. ISO/SAE 21434 therefore provides a standardized approach to meeting the WP.29 requirements, but OEMs are free to adopt a different approach if they can demonstrate that it meets the WP.29 requirements
- The UN is currently developing an ‘Interpretation document’ that will help OEMs and suppliers to better understand the WP.29 requirements
- ISO is also developing a guideline for third party cyber auditors (ISO PAS 5112) to ensure a consistent application of the WP.29 requirements
What’s involved with ISO/SAE 21434?
ISO/SAE 21434 provides OEMs with the framework needed to implement a cyber security management system that aligns to WP.29. It is a comprehensive document that covers all aspects of managing product cyber security within an OEM organization. However, despite its completeness, the standard relies on cyber experts to provide the detailed tools, methodologies and knowledge needed to complete each step. The overall structure and contents of ISO/SAE 21434 are summarized below, with numerical references to the document section in brackets:

Governance (5, 6 & 15)
• Overall cyber management, including corporate policy, culture, resources, responsibilities, rules and high-level processes
• Project-specific cyber management plan to build the cyber ‘case’ for a component and to have the case independently assessed
• Supplier management, including a cyber interface agreement with a RASIC to cascade requirements down through the supply chain

Component Development
Concept phase (9)
• Use a risk-based approach to develop security goals and high-level technology-agnostic security requirements (see next slide for step-by-step process)
Development phase (10, 11)
• Refine the security requirements to specific SW, HW and interface features
• Security function testing to verify that the requirements have been correctly implemented
• Component testing at the vehicle level to validate its cyber security in its operating environment
• Pen testing for unidentified vulnerabilities
Post-development phase
Production (12)
• Ensure that the component leaves the production line in a secure state
Operations & maintenance (13)
• Incident response plan
• Post Job-1 design change management
Decommissioning (14)
• Ensure that secure decommissioning, where needed, is possible

Cyber Toolbox
Risk assessment (8)
• Step-by-step methods to determine the extent of cyber risk for a component
On-going activities (7)
• Collect cyber intelligence from external & internal sources
• Assess if cyber security has been/could be compromised
• Identify, analyse and manage vulnerabilities
Example: Step-by-step guide to ISO/SAE 21434’s Concept Phase
Concept phase steps and process:
i. Asset definition - Identify the data and function assets to be protected, including the potential damage scenarios if compromised
ii. Threat scenarios - Use a framework such as STRIDE to identify the potential threats to the assets
iii. Impact rating - Rate the potential safety, financial, operational and privacy impact of each threat
iv. Attack path analysis - Identify the attack points and sequence of events that can facilitate each threat
v. Attack feasibility - Determine the feasibility rating of each attack based on required time, expertise, prior knowledge and opportunity
vi. Risk determination - Determine the overall risk of each attack by combining the impact and feasibility ratings
vii. Risk treatment decision - Decide whether to avoid, reduce, share or accept the risk for each attack
viii. Cyber goals - Define the top-level cyber requirement for each risk that is to be reduced
ix. Cyber concept - Define and allocate cyber requirements to specific parts of the system or component under development
Critical success factor 1 - Avoid missing any assets at the very first step through user stories, stakeholder analysis & checklists
Critical success factor 2 - Use lessons learned from previous TARA projects & pen tests to complement the WP.29 threat list
Critical success factor 3 - Use cyber HW, SW & wireless specialists to help identify all possible attack paths
Critical success factor 4 - Avoid over/under specifying cyber by using judgement and experience to make the risk treatment decision
Critical success factor 5 - Check and verify the cyber requirements at this stage to avoid costly design changes in the future
While ISO/SAE 21434 provides a comprehensive framework for implementing cyber management processes within an OEM, it is missing some key content.
For example, section 8.3.2 states that the ‘assets should be identified’, but it does not provide a concrete tool for asset identification – instead it lists a number of potential methods without describing them in detail.
Hence, at many stages in implementing WP.29 and ISO/SAE 21434, OEMs will need to call on internal and/or external experts to provide the necessary knowledge, tools and skills to ensure that the critical success factors can be met.
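Steps iii to vii of the concept phase are a scoring procedure, so here is an added worked example (not from this guide or from SBD) that carries one constructed threat scenario through impact rating, attack feasibility, risk determination and a default treatment decision. The attack-potential scores, feasibility bands and risk matrix are assumed values modelled on the tables in ISO/SAE 21434 (equipment is the standard's fifth feasibility parameter, not named in the guide), and the TCU unlock scenario and treatment policy are constructed for illustration.

```python
IMPACT_LEVELS = ("negligible", "moderate", "major", "severe")
FEASIBILITY_LEVELS = ("very low", "low", "medium", "high")

# Attack-potential scores, assumed for this example and modelled on the ISO/IEC 18045-style
# tables ISO/SAE 21434 adopts; equipment is the standard's fifth parameter (not named above).
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
OPPORTUNITY = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9}

# Risk matrix: impact row, feasibility column (very low .. high) -> risk value 1..5 (assumed)
RISK_MATRIX = {
    "negligible": (1, 1, 1, 1),
    "moderate": (1, 2, 2, 3),
    "major": (1, 2, 3, 4),
    "severe": (2, 3, 4, 5),
}

def impact_rating(safety, financial, operational, privacy):
    """Step iii: the overall impact is the most severe of the four category ratings."""
    return max((safety, financial, operational, privacy), key=IMPACT_LEVELS.index)

def attack_feasibility(time, expertise, knowledge, opportunity, equipment):
    """Step v: sum the attack-potential scores; more attacker effort means lower feasibility."""
    total = (ELAPSED_TIME[time] + EXPERTISE[expertise] + KNOWLEDGE[knowledge]
             + OPPORTUNITY[opportunity] + EQUIPMENT[equipment])
    if total >= 25:
        return total, "very low"
    if total >= 20:
        return total, "low"
    if total >= 14:
        return total, "medium"
    return total, "high"

def risk_value(impact, feasibility):
    """Step vi: combine the impact and feasibility ratings through the risk matrix."""
    return RISK_MATRIX[impact][FEASIBILITY_LEVELS.index(feasibility)]

def treatment_option(risk):
    """Step vii: an assumed default policy; the guide stresses this remains a judgement call."""
    if risk >= 4:
        return "reduce (or avoid)"
    return "reduce or share" if risk >= 2 else "accept"

def assess(scenario):
    """Run steps iii to vii over one threat-scenario record and return the TARA line."""
    impact = impact_rating(**scenario["impact"])
    score, feasibility = attack_feasibility(**scenario["attack_path"])
    risk = risk_value(impact, feasibility)
    return {"impact": impact, "attack_potential": score, "feasibility": feasibility,
            "risk": risk, "treatment": treatment_option(risk)}

# Constructed scenario: unauthorised vehicle unlock through the TCU (damage scenario: theft)
TCU_UNLOCK = {
    "impact": {"safety": "negligible", "financial": "major",
               "operational": "moderate", "privacy": "moderate"},
    "attack_path": {"time": "<=1 month", "expertise": "expert", "knowledge": "restricted",
                    "opportunity": "moderate", "equipment": "specialised"},
}
```

Calling `assess(TCU_UNLOCK)` rates the scenario as major impact with low feasibility (attack potential 21), giving risk value 2 and a default "reduce or share" treatment that a reviewer would then confirm or override, as critical success factor 4 requires.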
WP.29 will spread cyber across the OEM organisation
Organisation (top-down): CEO office > Global cyber VP/director > Product CISO (alongside the Enterprise CISO, Manufacturing CISO and Finance CISO)
Cyber responsibilities by function:
• R&D: Contribute to international standards; OEM technical standards & manuals; Industry bodies; Collaborative projects; Emerging technologies; Security requirements for next gen systems, software platforms etc
• In-vehicle architecture: Cyber strategy ‘owner’; Central pool of experts to support design teams; Threat analysis & risk assessment; 21434 compliance & cert.; Vehicle & E/E level security requirements; Supplier management & document control; Internal cyber promotion & training
• In-vehicle components: Some ‘high risk’ components have dedicated cyber experts (e.g. connected & autonomous); Component & system level security requirements; Component level verification & validation testing; Component pen test management
• Off-board platform: Often part of the IT division; Connected car cloud/TSP platform security requirements; MNO; Mobile app security requirements; Pen test management
• Test: Vehicle & system level verification & validation testing; Internal pen test/hacking team
• Operations: PKI & crypto operations; Key management; Security Operations Center (SOC); Threat intelligence & sharing; Incident response
ISO/SAE 21434 responsibilities across these levels: 21434 governance; 21434 expertise & processes; 21434 deployment & supplier management on a component-by-component basis
WP.29 will encourage OEMs to implement a top-down approach to cyber security, with board-level support for its implementation and governance. At the working level, many OEMs are making their E/E architecture and/or software platform teams the ‘owners’ of cyber. However, for most OEMs it is still the suppliers who do the very detailed design work, meaning that robust tools and processes will be required to ensure that OEMs retain the necessary end-to-end control and accountability for cyber security.
ISO/SAE 21434 quick-start checklists for OEMs and suppliers
Time is short for getting 21434-ready. Some early adopter OEMs and suppliers have already implemented a cyber security management system and only require small changes to make it compliant to WP.29. For the majority, however, awareness is only now starting to grow and fast action is needed...

Step 1 - Raise awareness
OEMs:
• Get the organisation committed to cyber
• Establish a 21434 center of excellence
• Start briefing your suppliers
Suppliers:
• Brief the technical teams
• Reach out proactively to your customers
• Add a cyber focus to your sales material

Step 2 - Perform a gap analysis
OEMs:
• Benchmark your existing cyber processes
• Start updating your documents & manuals
• Prepare a draft supplier interface agreement
Suppliers:
• Benchmark your existing processes
• Develop core documents and templates
• Update your contracts and service agreements

Step 3 - Start a POC
OEMs:
• Start using the processes on a live project
• Work with a small number of suppliers
• Report the results up to the Board
Suppliers:
• Start preparing draft reports
• Start building threat knowledge and intelligence
• Develop tools to share best practice
SBD’s holistic cyber support
SBD is not just another pen testing company or generic consulting firm that claims to cover cyber. Instead, we provide our customers with the holistic support they need to embed the latest cyber principles into their components, systems and vehicles.

Design
• Threat modelling (TARA) with proprietary threat database
• Concept phase security requirements
• ISO/SAE 21434 training & documentation
• Legislation requirements & WP.29 readiness audit
• Document design review

Test
• Penetration testing (HW, SW, wireless & diagnostics)
• Firmware extraction, analysis & code review
• Fuzz testing
• Security function testing (including scripts)
• Reverse engineering & competitor teardown

Strategy
• Competitor benchmarking & market trends
• Cyber feature adoption trends by OEM
• Cyber product & vendor market analysis
• Cyber roadmap planning
• Public hack analysis

Reports
• Cyber Guide - Quarterly (901)
• Securing the CAN Bus (704)
• Security Beyond the CAN Bus (705)
• Relay Attack Countermeasures (706)
• Anti-theft Guide (533)

Recent design & test projects
• IVI & DA
• TCU
• GW
• CAN IDS
• Dashcam
• OBD dongle
• Mobile app
• TSP
• FOTA
• Ethernet switch
• Power distribution box
• ADAS, AD & HD map
• Remote parking
• TPMS
• Aftermarket tuning tools
• Fully active suspension
• Smartphone as a Key
• Smart key
• EV & charging interface

Recent technical deep-dives
• HSM
• UDS diagnostics
• Bluetooth & BLE
• USB
• Host IDS
• Network IDS
• JTAG/debug interfaces
• AUTOSAR SecOC
• MAC key pairing
• APN
• Immobiliser key reprogramming
• Smart key relay attack
• UWB
• Automotive Ethernet / BroadR-Reach
• Secure gateway
• Vehicle SOC
• Software Defined Radio
SBD case studies for ISO/SAE 21434 projects
21434 promotion & awareness training for a Chinese OEM
SBD was asked to prepare an entry-level 21434 training workshop and guidebook for the OEM’s fledgling cyber engineering team. The aim was to translate the requirements from ‘standard-speak’ to plain English that was easy to understand and implement.
Cyber document pack for a Tier 1 electronics supplier
SBD was asked to prepare all documents needed to comply with an OEM’s newly-introduced cyber assurance process. SBD also led briefings to the OEM and helped ensure that the supplier passed all project milestones and checkpoints.
Process audit & gap analysis for a global OEM
SBD was asked to benchmark the OEM’s existing product cyber management system against ISO/SAE 21434 and to recommend an improvement plan. SBD delivered a detailed gap analysis report and is currently preparing new process guides and supplier templates.
Concept phase document pack
1. Interface agreement
2. Cyber assurance plan
3. OEM spec review
4. Item definition
5. Crypto key management
6. Lifecycle plan
7. Asset definition
8. Threat model (TARA)
9. Risk assessment
10. Security requirements
11. Remediation plan
12. Implementation plan
Contact information
• North America: Hailey, +1 734 619 7969
• Germany + North/Central/East EU: Andrea, +49 (0) 211 9753153-1
• West & South EU: Alessio Ballatore, +44 74 71 03 86 22
• China: Victor, +86 18516653761
• Japan: SBD Japan Sales, +81 52 253 6201
www.sbdautomotive.com