With new standards and regulations at play, security teams are abandoning outdated practices and implementing a more methodical, systematic approach to cybersecurity across all organizations. Following our review of ISO 21434 and WP.29 R155 Regulation, C2A Security reviews industry best practice, and how these can be seamlessly adopted across the automotive supply chain.
As the automotive industry evolves to adopt emerging vehicle architecture, so must the cybersecurity practices that keep them safe. Already, OEMs and Tier 1s are grappling with adopting new ISO 21434 standards and WP.29 R155 regulation without impacting vehicle development timelines. But there are best practices from regulatory bodies to consider as well — the United States’ NHTSA, ENISA in Europe, and member trade association AutoISAC have all issued guidelines for industry leaders to follow. This week, C2A Security explains the different areas of impact for security professionals – what does this mean for your organization, and how do these best practices fit in with existing standards and regulations?
Best Practice Areas: NHTSA, ENISA, AutoISAC
The National Highway Traffic Safety Association (NHTSA) issued new recommendations for the automotive industry to consider. The first port of call is the information technology (IT) security suite of standards, such as the ISO 27000 series standards and the Center for Internet Security’s (CIS) “Critical Security Controls for Effective Cyber Defense (CIS CSC),18. Both are broadly used in other sectors with great success — including the Financial Sector, Energy, Communications, and Information Technology.
NHTSA takes a “risk-based approach to cybersecurity challenges” as the best solution, with product cybersecurity critical to its best practice recommendations. By placing an emphasis on penetration tests, pen testing, CSMS and network protection, NHTSA a thorough automotive cybersecurity approach should:
- Be built upon risk-based prioritized identification and protection of safety-critical vehicle control systems;
- Eliminate sources of risks to safety-critical vehicle control systems where possible and feasible;
- Provide for timely detection and rapid response to potential vehicle cybersecurity incidents in the field;
- Design-in methods and processes to facilitate rapid recovery from incidents when they occur; and
- Institutionalize methods for accelerated adoption of lessons learned (e.g. vulnerability sharing) across the industry through effective information sharing, such as participation in the AutoISAC.
Meanwhile, ENISA’s Good Practices for the Security of Smart Cars, issued in 2019, took stock of all existing standards, legislation and policy initiatives to serve as a centralized reference point for manufacturers looking to develop connected and automated vehicle technology. It aims to emphasize “cybersecurity for safety”, with the following core recommendations:
- TM-01: Deploy Intrusion Detection Systems (IDSs) both at vehicle and back-end levels to enable the detection of malicious activities or policy violations;
- TM-21: Ensure that vulnerabilities and limitations of software dependencies, especially open source libraries, are mitigated or addressed in a risk assessment;
- TM-38: Apply a hardening approach on the different levels (i.e. devices, network, back-end, etc.) to reduce the attack surface;
- Conduct security evaluations (e.g. penetrations tests) during the development phase and then on a regular basis following an event driven approach;
- Place an emphasis on leveraging CSMS, IDS, vulnerability management, Device Hardening, Pen-Testing, Network Protection for cybersecurity best practice.
Similarly, AutoISAC member organizations can benefit from their cybersecurity best practice regulations. Organizations may implement these techniques and others to detect threat presence within a vehicle ecosystem, based on defined priorities for monitoring threats and gathered intelligence. It reminds organizations to continue to monitor diagnostic error codes, back office SYSOPS operations and connections to the vehicle, and always use intrusion or anomaly detection systems.
No matter the best practice recommendation, AutoSec can help.
Designed to meet automotive-relevant, industry-specific needs, AutoSec is an automated Cyber Security Management System (CSMS) that opens up new possibilities for vehicle cybersecurity: information flows seamlessly between different security tools and processes throughout the vehicle lifecycle. While companies look to grapple with best practices, regulations and standards they’re confronted with — AutoSec’s automated capabilities will help to ease stress and alleviate pressure from security teams, creating room for more thorough implementation. Now, several services can be replaced with a single, unique, fully-customizable and centralized platform, all built with automotive-specific needs in mind.
Best practices exist to help level-up automotive cybersecurity. How do they fit alongside standards and regulations?
Though none of these are binding, they provide critical support for the automotive industry, ushering a new era of safety-first cybersecurity. Best practices fit seamlessly with new standards and regulations, continually emphasizing the importance of methodical, systematic approaches to cybersecurity throughout the supply chain. As a Cybersecurity Management System (CSMS), AutoSec can help every step of the way, empowering industry stakeholders with the automation and centralization required to meet the needs of today’s challenging environment. Emboldened by visibility, control and protection, OEMs and suppliers can seamlessly scale cybersecurity across vehicle programs in a way not possible before. Ultimately, new regulation, standards and best practices mean one thing: minimized risk of cyber threat to the public, creating safer roads for all. With automation, protection is more efficient and scalable than ever before.