LHP Engineering Solutions has announced strategic cybersecurity partnerships with PCAutomotive and Rustic Security, strengthening their efforts to enhance automotive cybersecurity. Read the full press release here.
Ten years ago, major architectural and system flaws existed in connected vehicles. In the 2010s, OEMs were just beginning to hook up vehicles to cellular networks in mass, and engineering processes had not adjusted to manage cybersecurity risk. After the Miller and Valasek Jeep1 hack in 2015, it was apparent that engineering processes needed to adjust to consider cybersecurity throughout the entire development lifecycle of the vehicle. The solution is a system called the ‘Cybersecurity Management System’ (CSMS).
A Cybersecurity Management System or CSMS for short is what an automotive company will use to engineer secure products. It incorporates 2 main areas:
Consisting of the people, culture, financial support, and policies that will manage cybersecurity risk within an organization.
Consisting of specific work products that manage cybersecurity risk for a project. The end goal of Project Dependent Cybersecurity Management is to follow specific steps in each phase of a product’s development lifecycle to create secure products.
The largest reason is that to stay in business, OEMs must harden their vehicles against cyber attacks. A fleetwide hack against an OEM’s connected vehicle platform could have safety impacts on road users, massively impact the OEM’s brand image, and even lead to bankruptcy.
Not to mention, OEMs are regulated around the world to show they invest and build a proper CSMS. The most famous and wide-reaching regulation is the UNR 155 - ‘Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system.’2 To date, 59 countries around the world require that OEMs follow UNR 155 to be able to sell vehicles in those countries.
UNR 155 was released in 2021 and gave OEMs until July of 2024 to create fully functioning CSMS processes. With that deadline recently passing, OEMs must show that CSMS processes have been used to adequately handle the cybersecurity risk that goes along with developing modern connected vehicles. Already a few older vehicle models from major OEMs like Porsche and Audi have been discontinued because they were engineered with older processes and did not comply with UNR 155.3
UNR 155 directly applies to vehicle OEMs wanting to sell vehicles in the 59 countries that are currently contacting parties to the regulation. And gives the responsibility of cybersecurity risk management across the supply chain to the OEMs. An OEM must give a “description of the consideration of the supply chain concerning cyber security.”2 This requirement for OEMs means they must monitor their supply chain downstream. When picking a Tier-1 supplier for vehicle components, OEMs will audit a Tier-1's CSMS process maturity and give certain cybersecurity requirements that must be met for the supplied product. If a Tier-1 supplier is unable to pass the OEM cybersecurity requirements, they will not be supplying products to the OEM. Therefore, OEMs and Tier-1 Suppliers must continue to refine and improve their CSMS processes.
OEMs and Tier-1s use ISO/SAE 21434 - “Road vehicles — Cybersecurity engineering”4 to build a CSMS. In 2021, this standard was released by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE). Audits of an ISO/SAE 21434-based CSMS are done by following ISO/PAS 5112 which was released in 2022.5 Tier-1 Suppliers can receive audits to certify their CSMS meets ISO/SAE 21434. The purpose of this certification is to provide evidence up the chain to OEMs that they are a supplier who takes product cybersecurity seriously. And shows that the Tier-1 Supplier has the necessary elements to operate and maintain their ECUs in the presence of malicious attackers after the product has been manufactured and enters service. In consultations over the last year, some Tier-1s have stated they have lost business to OEMs because of insufficiently developed CSMS processes.
For OEMs selling to the 59 nation-states where UNR 155 is required, they must receive a “Certificate of Compliance for Cyber Security Management System” showing that an Approval Authority has assessed their CSMS for its maturity and compliance with the regulation.
A strong business case can be seen for OEMs and Tier-1s to invest in product cybersecurity and maintain and improve their processes related to cybersecurity engineering in all phases of the development lifecycle.
During the “Concept Phase”, a Threat Analysis and Risk Assessment (TARA) is started to identify major cybersecurity threats and qualitatively sort them into levels from 1-5. Risks with a value of 1 are considered low risk. And identified risks with a value of 5 are high risk.
After an initial TARA has been performed, cybersecurity goals and cybersecurity claims are generated for the product. Cybersecurity goals are high-level requirements that must be followed for the product. For example, a goal may state, “All firmware must be checked that its integrity and authenticity is not compromised before being allowed to be executed.” A cybersecurity claim is a statement on an accepted risk that the organization has identified in the TARA but will not attempt to reduce the risk for. For example, a claim may be made about vehicle connectivity stating, “The residual risk related to connected vehicle services is retained by our organization given the applied cybersecurity controls to maintain endpoint authenticity, data integrity, confidentiality, and availability, and preserve non-repudiation for any cyber incidents that take place via the cellular modem.”
During the “Product Development Phase”, cybersecurity specifications are created to meet the cybersecurity goals identified from the Concept Phase. For the example cybersecurity goal above, a cybersecurity architect would create a detailed cybersecurity specification outlining specific requirements for the Secure Boot process to achieve the goal.
Detailed cybersecurity specifications are then implemented in the firmware and software while making use of dedicated hardware like a Hardware Security Module (HSM). An HSM is a dedicated processing environment for security and forms the system's root of trust. HSM modules are common in many Tier-II Supplied Systems on a Chip (SoC) but require firmware team resources to configure and operate in a product.
Test cases are then drafted to verify that the requirements have been met from the cybersecurity specification. A dedicated cybersecurity V&V engineer often works with the cybersecurity architect/engineer to craft these verification tests. It is important to note that an organization should heavily invest in automating security V&V tests to save time and money when new firmware releases are built.
One of the final parts of the “Product Development Phase” is to draft requirements guiding the “Post-Development” phases. These security-related requirements will be specific to the “Production Phase”, “Operations & Maintenance Phase”, and “End of Life Phase”.
Cybersecurity validation also takes place in the product development phase. Validation happens at the vehicle level and confirms the adequacy of the cyber goals that were taken from the “Concept Phase”. Validation also confirms that these cybersecurity goals were achieved, and the product is ready to be manufactured.
A Production Control Plan is created to guide cybersecurity-related activities during manufacturing. Details are coordinated about the security of flashing the firmware, calibrating any software parameters, injecting or generating cryptographic key material, and performing security-related manufacturing tests on the product while it is still on the production line. Then, the product can be used in a vehicle during the “Operations and Maintenance” lifecycle phase.
The product is now out in the field and must be monitored for new vulnerabilities that may have affected its firmware and software. A Product Security Incident Response Team (PSIRT) will support the product as vulnerabilities are identified. Vulnerabilities may be mitigated through an Over-the-Air (OTA) patch if they affect areas of the firmware and software that can be updated in that manner. If vulnerabilities are found in the underlying product hardware, they most likely will not be able to be fixed.
Many organizations have built out CSMS processes but may wonder how to measure their success. Metrics related to CSMS processes can be tracked and compared yearly to see how an organization matures its CSMS. The following metrics are a good start to help an organization measure its CSMS process maturity:
Organizational CSMS:
Project Dependent CSMS:
LHP’s partnership with Rustic Security will allow clients to receive expert-level guidance on product security and CSMS development. ISO/SAE 21434 requires that organizations continuously improve their CSMS processes.
There are synergies between many work products related to Function Safety and Cybersecurity. For example, the item definition guides the scope of assessment for the Hazard Analysis and Risk Assessment (HARA) and the Threat Analysis and Risk Assessment (TARA).
As seen from this article, there are many elements of a CSMS. Since the release of ISO/SAE 21434 in 2021 many organizations have invested time to develop a CSMS. They may have set up processes for the first time to accomplish a CSMS. However, this does not mean that these CSMS processes are the most efficient and cannot benefit from outside help. OEMs and Tier-1s can benefit from an audit of their CSMS processes to identify areas for improvement. In particular, it is recommended that organizations refine Threat Analysis and Risk Assessment (TARA) processes and cyber-related Verification and Validation processes.
Organizations will also need to address and respond to these upcoming publications from the Society of Automotive Engineers (SAE) and the International Organization for Standardization (ISO)6:
Lastly, LHP and Rustic Security have partnered to provide a new 16-hour Automotive Cybersecurity Power Up Training to educate engineers and management from all backgrounds on the core concepts of cybersecurity engineering and CSMS processes.
Cybersecurity Management Systems (CSMS) are excellent for considering cybersecurity threats and managing risk for an organization and its products. As this is a new area of engineering, many organizations in the automotive industry have created a functioning CSMS since the release of ISO/SAE 21434 in 2021. However, a CSMS must be constantly improved and refined. Executives and engineers at large OEM and Tier-1 organizations will benefit from learning about cybersecurity engineering. It is an important new area of engineering that cannot be ignored and often engineers from other disciplines lack basic knowledge of cybersecurity. Automotive organizations that continually invest in cybersecurity training and refinement of their CSMS will develop secure products, which will have lasting impacts on an organization’s reputation and the safety of road users. Please reach out to LHP/Rustic Security for any questions related to Cybersecurity Management Systems and your needs in this area.