Hey there, Bay Area friends! You know how security in our digital world has become a hotter topic than a cup of Philz Coffee, right? Well, lately the automobile industry has been feeling the heat too. Just a short time ago, car manufacturers all around the globe were a bit hesitant to implement cybersecurity measures. Despite understanding their importance, the costs were a major deterrent.
But then, the European Union decided it was high time to up the game in 2022 and brought in stringent cybersecurity regulations. With no option to enter the European market without these measures, carmakers had to hit the gas pedal on cybersecurity!
With software continually advancing and becoming more ingrained in vehicle functionality and communication, having a car that is essentially defined by its software (SDVs) is a reality we’re facing. So, our vehicle’s cybersecurity is as integral as the engine that powers it.
Now, let’s briefly touch on the UN R155, a regulation by UNECE WP.29 that practically laid the groundwork for this need for cybersecurity in the auto world. It insists that carmakers must have a Cybersecurity Management System (CSMS) along with vehicle type approval. What does it mean exactly? CSMS is all about developing processes and systems to protect your sweet ride from nasty cyber-attacks and risk management. ISO/SAE 21434, on the other hand, is the international standard governing vehicle cybersecurity policies and implementation processes throughout a vehicle’s lifecycle.
Vehicle Type Approval (VTA) has its purpose and is essential to ensure the ride on the road is safe from cyber threats. When a vehicle is up for VTA, it undergoes initial tests and an reviews of all its technical docs. Once it clears this stage, it gets the CSMS certificate post more reviews from an approval authority.
The VTA process includes risk assessment, implementation of cybersecurity measures and validation testing. Whether an avoidance or acceptance of risks, or their removal or improvement, these strategies form a part of this process. All these specifics are described in detail in the UN R155 Descriptions 5 and 7 while ISO/SAE 21434 outlines the testing protocols.
Validation of cybersecurity measures to get VTA involves four steps – functional testing, vulnerability scanning, fuzzing testing and penetration testing. Yes, sounds intense! Each step has an vital part to play in ensuring your car is cyber-secure, from assessing the efficacy of cybersecurity elements to mimicking attacks to find vulnerabilities.
Of course, it all boils down to how these safety measures are setup. That’s when specialized teams of cybersecurity experts come to play, helping detect and solve critical issues that could potentially escalate to major problems. Imagine driving your electric car and suddenly, the drivetrain fails leaving you with an unresponsive gas pedal. Not pretty, right? Thanks to the cybersecurity pros, such issues are detected and amended.
VTA’s essence is the meticulous and ongoing verification and validation of cybersecurity measures. The testing is exhaustive, and the application of technology has to be consistent – everything from extensive ECU testing, real vehicle trials, intricate VTA evaluation checklists and integration of cybersecurity testing with existing IT infrastructure.
Hey, I hope you got a gist of what’s happening in automobile cybersecurity. I’ll be back soon with another article discussing the final stretch in vehicle cybersecurity certification. Stay tuned!
by Morgan Phisher | HEAL Security
