Automotive Cyber Security Management System (CSMS)

The paradigm shift in the automotive industry towards the networked and (partially) autonomous vehicle is in full swing. New technologies with significantly increasing networking possibilities are currently leading to new demands on the regulatory framework. In recent years, legislators and test institutes have already initiated the establishment of corresponding standards. Suppliers of software, sensors and system architectures for the automotive industry must already be able to meet these standards in order to position themselves successfully in tenders by vehicle manufacturers. In the future, type approval of vehicles will only be possible if a certified Cyber Security Management System (CSMS) is in place.

Which regulations are currently at issue?

The emerging standards on Automotive Cyber Security are new in the automotive industry. The WP.29 working group on the harmonization of vehicle regulations of the UNECE (United Nations Economic Commission for Europe) has drawn up a set of rules that prescribes new requirements for the cyber security of vehicles. The focus of the WP.29 regulations is, firstly, on testing the reliability of autonomous systems and, secondly, on ensuring the cyber security of all components and data connections installed in the vehicle. According to this standard, all manufacturers of vehicles connected to the internet and their suppliers must have implemented a functioning Cyber Security Management System (CSMS). Without such a CSMS, applying for the type approval of a vehicle is impossible. At the same time, the ISO (International Organization for Standardization) is developing the two standards ISO/AWI 24089 and ISO/AWI 21434. Both aim to establish a new standard in the automotive industry for all cyber security relevant topics. Hence all companies in the industry are now facing the challenge of preparing themselves and installing a corresponding CSMS as quickly as possible in order to be able to comply with the soon-to-be-released regulations from the outset. This CSMS must also include the administration of suppliers, service providers and other third parties.

What are the technological backgrounds?

Autonomous and smart technologies make vehicles much more vulnerable to cyber attacks. The high number of different data connections as well as the digital and networked components provide gateways for hackers, which in the worst case can be used to influence the vehicle system without authorization. The scenarios that can result are well known. The gateways can be divided into three areas:

  1. Telematics: via WLAN, mobile radio, GNSS data connections such as GPS and the servers connected in the background
  2. V2X Communication: Vehicle-to-Infrastructure (traffic management systems), Vehicle-to-Device (smart phones), Vehicle-to-Home (smart home devices), Vehicle-to-Vehicle (communication between vehicles)
  3. Infotainment: WLAN, music and video streaming, data connections from apps for e.g. weather, restaurant recommendations, games etc.

The listed data connections are potentially vulnerable to hacker attacks. In order to exclude the dangers in advance or at least to mitigate them as far as possible, the establishment and operation of a comprehensive Cyber Security Management System (CSMS) is indispensable and will in future also be required by lawmakers and testing institutes. The UNECE has announced that the operation of a certified CSMS and its application to the vehicle type will be mandatory from around mid 2022 for all new types of vehicles at the time of type approval. From July 2024 it will then apply to all new vehicles. This means that companies will have about 2 years to take the necessary measures and integrate a corresponding CSMS into their business.

Important: Introduction of a Cyber Security Management System

In order to successfully manage the complexity of all risks in the area of cyber security for vehicles, every company must have a CSMS in the future. A company’s cyber security approach must be implemented holistically over the entire product life cycle. This includes both the organizational and technical areas of a company or product. This includes the product development process, production and all service, maintenance and repair work after the commissioning of a component or software. The entire automotive ecosystem must be carefully coordinated in order to comply with the upcoming cyber security requirements. It is therefore important to create the right framework conditions in both the organizational and process structure of the company and to initiate appropriate measures. Certifications according to WP.29 or according to the above-mentioned ISO standards will form the regulatory basis for the future cooperation between vehicle manufacturers and service providers in the automotive industry. 

How is a CSMS structured?

The purpose of a CSMS is to preventively identify and eliminate critical weaknesses in the product. Cyber security must be ensured and maintained throughout the entire product life cycle. This includes developing the design of the products under cyber security specifications. The number of hacker intrusion points must be kept as low as possible from the very beginning. This is the only way to reduce the areas of attack and thus the risk of falling victim to a cyber attack. Every company must therefore orient itself to the best practices for effective cyber security. These best practices primarily concern principles to be followed in product development, production, the organization of the company and the assignment of responsibilities. 

Possible guide to relevant best practices 

The principles in the approach are: 

Security by Design, Privacy by Design and the introduction of risk and threat management. This means regularly analysing possible threat situations throughout the entire development.

The principles for the organization are as follows: 

Inclusion of all suppliers and service providers in the aspects of cyber security. An awareness of cyber security in the company’s own corporate culture across all interfaces must be created through training and consulting. Guidelines for the efficient handling of cyber-relevant security incidents are to be developed and established in the company.

Principles in the technological implementation: 

Constant monitoring for security gaps and unauthorized access as well as the greatest possible protection of one’s own networks through encryption and strict access controls (human factor). By using Big-Data and AI methods, irregularities in the data flow can be detected early.

The time to act? Right now!

We at magility support our customers from the automotive sector with a view to the future and therefore developed a CSMS years ago, which is continuously adapted to the newly emerging regulations. We act as a system integrator for CSMS for medium-sized companies in the German and European market and are optimally positioned thanks to our partnerships with technology companies such as Argus Cyber Security, internationally one of the most renowned companies for automotive cyber security, and the independent certification service provider DEKRA. This enables us to provide our customers with comprehensive support in the implementation of a Cyber Security Management System. In recent years, we have established ourselves as experts for all questions and solutions relating to automotive cyber security on the market and have implemented numerous projects with well-known companies from the automotive industry.

How do you see your company currently positioned with regard to cyber security? Please contact us for a professional exchange; we will support you with an initial assessment of your risk situation. We will support your company in the implementation of a CSMS that takes the newly emerging regulations into account from the beginning.

Cyber Hacks 2020 – How Big Is The Real Danger?

A woman races downhill and wants to brake, but the car accelerates, the brake is out of action. Elsewhere, drops of sweat are beading on a man’s forehead as he presses the accelerator pedal all the way down and still stops in the fast lane of a motorway. “Cyber Hacks 2020” could be the title of a video game with the horror scenarios described above. But in fact, there is a real danger behind it. The UNECE initiative, which recently issued binding new regulations on the Cyber Security of motor vehicles and software updates for the automotive industry, shows how real it is. We have already reported on the new UNECE WP.29 regulations in our magility blog. 

The Fear of Hackers Takes Hold

While thriller criminals à la Hitchcock still had to crawl under the car in person to cut the brake and fuel hoses, nowadays perfidious hacker software and a comfortable office chair somewhere in the world are enough to turn an autonomous vehicle into a remote-controlled one. In 2015 the two security researchers Charlie Miller and Chris Valasek proved that they could hack into the software of vehicles, and since then fear has been widespread among manufacturers and users.

Infotainment Can Become a Trap in the Future

Infotainment in a networked car is currently regarded as the biggest gateway for a possible hacker attack. According to the ADAC, SD card readers, USB interfaces, diagnostic interfaces (OBD), Bluetooth modules, keyless key systems or even the wirelessly operated tyre pressure monitoring system offer welcome opportunities for hackers and other cyber criminals to attack. But cloud technology is also showing more and more gaps in the security system.

Company Fleets and Company Cars Targeted by Cybercriminals

If you own a luxury class vehicle that is to be “kidnapped” and sold, you as a private person can also become the victim of a hacker attack. However, cyber criminals tend to target entire company fleets and company cars, because they appear to hackers to be a self-service paradise: Motion profiles can be created via GPS and sensitive company data can be accessed via WLAN. And phone calls are practically public anyway. For example, unprotected Bluetooth connections offer about as much privacy protection as a postcard.

Smart Cities Endangered by Connected Cars

But the infrastructure of cities can also be blocked. Incorrect traffic light circuits could lead to traffic jams, accidents and disruptions. Every interface offers a safety and security risk. Since 2018, every newly registered vehicle in Europe has had at least one of these, as manufacturers have been obliged to install the automatic emergency call system E-Call ever since.

Blackmail as a Business Model on the Internet of Things

And what’s the point? To make demands. Networking makes you vulnerable to blackmail. According to the Kaspersky DDoS Report, the total number of all DDoS attacks in the first quarter of 2020 has doubled compared to the previous year. According to the report, educational institutions and local authorities are mainly affected. This is also shown by a warning from the German Association of Cities and Towns to its members. A report in the Handelsblatt also shows that the hacker profession is flourishing as a service enterprise. According to the report, the German Cyber Security Council estimates the damage caused by cyber attacks at up to 50 billion euros annually.

Real Cyber Hacks 2020 – A Selection

Best Protection: Be one Step Ahead even of Artificial Intelligence

Cyber criminals depend on keeping up with new developments, so it is to be expected that they will also use artificial intelligence (AI) for their attacks in the future. Hence the race between manufacturers, users and hackers to uncover vulnerabilities is gaining momentum once again. The winner is the one who is one step ahead. A quick change of security updates and a short “lifetime” of software keys are barriers that are difficult for hackers to overcome. Magility’s security specialists help identify weak points before they can become a problem.

Cyber Security Management Systems (CSMS) – Holistic Cyber Security

Together with our partner network, which includes technology companies such as Argus Cyber Security and the certification service provider DEKRA, we act as a System Integrator for Cyber Security Management Systems (CSMS) in the European market. Now that the new UNECE regulations have been published, an integrated CSMS will be mandatory for all OEMs. In future, there will be no type approval for a vehicle without a certified CSMS. Years ago, we developed a CSMS for the automotive industry which is continuously updated and therefore includes all UNECE WP.29 regulations and is also based on the upcoming ISO/SAE 21434 and ISO/AWI 24089. We would be pleased to advise you on this topic and support you in implementing a CSMS in your company across all process stages along the supply chain and throughout the entire life cycle of the vehicle. For more information please contact our magility Cyber Security experts.