Last week, the 5StarS organization published its draft of the “Roadmap to Resilience,” which describes the route to realizing cybersecurity scoring.
To summarize, the 5StarS organization was established to meet the demand from the automotive ecosystem to understand vehicles’ cybersecurity posture. It has therefore set itself the goal of creating a cybersecurity equivalent of NCAP.
Giving the end consumer transparency about whether their car is secured is a key element in creating a cyber-secured ecosystem.
A recent poll published in PC Magazine revealed that 45 percent of consumers reported safety concerns and technological failures as their biggest fears with autonomous vehicles. The cost of the vehicles and hacking threats took the next spots on the list, with 16 percent and 15 percent of consumers reporting those concerns, respectively.
22 years ago, when the first safety ratings were published, consumers didn’t care about airbags, ABS systems, or any other safety measures for that matter. Fast forward 30 years, and no consumer would dare to purchase a car without airbags. The automotive ecosystem understands that it now needs to create a cybersecurity scoring system.
However, cybersecurity scoring might end up being a much more complicated process than the standard safety procedure.
Today, insurance companies investigate cars in several categories, including:
- Maintenance (ongoing, post-accident auto repair, etc.)
- Safety
- Security — both physical and cyber.
For most of the above, in addition to other categories not listed, the tests can be performed by a third-party tester/auditor independently from the OEM/manufacturer.
Furthermore, for most of these categories, the test results are both valid and relevant for the majority of the product’s lifetime. In other words, a car’s safety rating, which takes into account safety measures like airbags, the ABS system, etc., mostly doesn’t change throughout the car’s lifetime.
However, one score stands out: that of cybersecurity. The way to achieve it is quite complex and has revealed new requirements.
The draft of the “Roadmap to Resilience” paper emphasizes two main security elements that are strongly needed to realize the security score:
- Security assessment (Risk Audit)
- Security management throughout the vehicle’s lifetime (ongoing Risk Assessment and incident handling)
Risk Audit and Risk Assessment are the building blocks of the insurance world. In any industry, when a company decides to get cybersecurity insurance coverage, it first needs to perform a Risk Audit. This consists of filling out a questionnaire, providing the insurer with information about the company’s overall security posture, and allowing the insurer to assess the level of protection and security applied within the company. When the coverage needed is high enough, the insurer will then request that a more thorough investigation be conducted, ensuring that it has all of the required inputs to precisely assess the company’s potential cybersecurity risk. After the risk of the company’s security posture is calculated, an insurance policy with specific terms is issued. Later, when requesting to renew the policy, the client will need to report any deviations or changes from what they indicated on the original questionnaire, in addition to reporting any incidents that occurred and their impacts. Sometimes, the company may even need to fill out the questionnaire from scratch again. This allows the insurer to re-assess the risk and set the premium and coverage accordingly.
The problem with automotive cybersecurity is that the following two elements behave very differently than in other aspects of vehicular safety:
- Testing (Risk Audit) — a vehicle today is comprised of multiple networks, sometimes connected to more than 200 ECUs. Independently pentesting an entire vehicle without any inputs from the vehicle manufacturer will be extremely expensive and time-consuming if it is to be conducted as thoroughly as traditional safety assessments. In addition, due to the nature of sophisticated cyber-attacks, it might not be possible to standardize the penetration testing required to assess a vehicle’s security level because every vehicle behaves differently.
- Relevance as a factor of time (ongoing Risk Assessment) — even if the auditor managed to conduct a thorough Risk Assessment and generate a sufficiently detailed report for a specific vehicle, the results are not going to be relevant several years, months, or even days after production. A vehicle’s cybersecurity posture is very fluid and might worsen after the discovery of a serious vulnerability. In contrast, it could improve after a significant security update. Considering a vehicle’s longevity, the first assessment will be irrelevant for the majority of the product’s lifecycle. How do you re-assess the vehicle’s security posture during its entire lifecycle? Is it feasible?
In order to successfully and feasibly perform both a Risk Audit and Risk Assessment throughout a vehicle’s lifecycle, two things are needed:
- OEMs must increase the visibility of their car models, including the hardware and software bill of materials (HW & SW BOM) and the models’ architecture and topology. Such visibility will allow the Risk Audit and Risk Assessment processes to proceed.
- OEMs and their partners (insurance companies, certification institutes, etc.) must find a way to share some of their data or conclusions.
Currently, neither requirement has been widely implemented. OEMs find it difficult to increase the visibility across their car models, and there is a lack of transparency between the OEMs and their partners throughout the product lifecycle with regard to cybersecurity.
There are essentially two sides to the equation — the auditors and the auditees.
If we want to implement cybersecurity scoring, which is definitely a common goal for both the industry and consumers, then we need to find a way to allow both sides to collaborate while still keeping everyone’s interests intact, and to provide consumers with the most accurate scoring possible.