This is Part 3 of a three-part blog series on automotive cybersecurity. If you have not yet read Part 1: Automotive cybersecurity and trustworthiness, and Part 2: Cybersecurity and the automotive supply chain, we highly recommend that you do so before continuing with Part 3.
Part 3 explores the dire need for standardization and the development of a maturity model for automotive cybersecurity.
The automotive industry is desperately in need of guidance that will propel it toward viable cybersecurity — both for the supply chain and vehicle platforms. We propose that the way forward is to develop a framework that takes the form of a cybersecurity maturity model.
IT cybersecurity standards have been in existence for several decades, as providers and users have found it necessary to collaborate toward the production of capabilities, policies, and practices. There are several major IT cybersecurity standards, including ISO/IEC 27001 & 27002, NIST, and NERC/CIP. To date, there are no such standards that pertain to the automotive world.
Many professionals refer to the putative similarities between automotive and IT cybersecurity. Perhaps this is because they both contain essential networks of connected devices. Since there is similarity at this basic conceptual level, the question is often put forward: Why not simply map cybersecurity solutions over from the IT world to the automotive world? As one might expect, it’s not that simple. Many companies have gone down this path, with very little to show for the effort.
Automotive and IT cybersecurity differ in many critical ways:
Since most vehicle OEMs focus on mechanicals, the Tier 1 suppliers typically make all of the electronic design decisions. The OEMs develop the functional requirements, add a few general recommendations, and dump in all of the automotive industry regulations. The key advantage for the Tier 1 supplier is nearly full responsibility for a component without any blame to assign to any other company for any defects or problems. The primary disadvantage is the inability to maintain a big-picture view of the system. None of the Tier 1 suppliers has a view of the entire vehicle, and none of the OEMs has a clear understanding of the ECU internals. The result is merely an integration of independent parts, rather than a unified architecture. Without question, this is a huge security problem that persists throughout the entire industry.
There is essentially no automotive cybersecurity model currently available for guidance. Both the National Institute of Standards and Technology (NIST) and the Industrial Internet Consortium (IIC) have cybersecurity frameworks, but neither addresses automotive security. ISO 26262, the automotive functional safety standard, merely stipulates that a manufacturer is responsible for ensuring that the vehicle is secure.
When considering models to provide cybersecurity guidance, it is essential that the model neither define the implementation nor specify which industry players are winners and losers. A suitable automotive cybersecurity model should outline a path toward the maturation of security techniques. The cybersecurity guidelines must be testable and applicable to design, implementation, and manufacturing.
The Security Maturity Model (SMM) published by the IIC is a security framework that defines context, goals, and requirements. It helps manufacturers understand their security objectives and determine how best to invest in tools and practices that meet their needs and requirements. The SMM does not define what the appropriate security level should be. Instead, it provides guidance and structure for companies to consider maturity levels appropriate for their industry and product. Though the SMM does not directly address automotive security, it has many good characteristics that can be adopted and converted into a model for the automotive industry.
The IIC SMM defines measures of product effectiveness in meeting the requirements. It also defines:
The core of the SMM consists of many practices grouped into three domains: governance, enablement, and hardening.
Security governance addresses:
Security enablement addresses:
Security hardening addresses:
In crafting an automotive cybersecurity maturity model, each of the domains and subdomains above could be mapped to the automotive safety integrity levels (ASIL) functionality and safety levels in the ISO 26262 standard.
We expect most organizations to first establish a maturity target. Business level stakeholders define the target using some form of a business objectives questionnaire. Technical level stakeholders then take such objectives and translate them into more detailed security requirements based on their understanding of the system.
Once a target has been created or a relevant industry profile identified, organizations would conduct an assessment to capture the current maturity state. The security maturity of the target state and current state can be compared to identify gaps and opportunities for improvement. Based on the gap analysis, business and technical stakeholders can establish a roadmap, take action, and measure progress.
After implementing enhancements, organizations can perform another assessment. The cycle repeats to ensure that the appropriate security target is always maintained in an ever-changing threat landscape.
Automotive trustworthiness is built upon a solid foundation of robust cybersecurity. In this three-part series, it has been shown that the industry is woefully behind in security standardization and regulation. Surprisingly, many new vehicle features lack adequate protection. Worse, the automotive supply chain has many points of exposure to malicious actors. Clearly, automotive cybersecurity is a problem that urgently requires standardization. The way forward is to develop an automotive security safety model that meets the needs of the entire industry.