Cyber Security Management Systems (CSMS)

A new dimension of safety in the car

Innovations in the automotive industry such as autonomous driving, connectivity, electric engine types and modern mobility concepts are shaping a new understanding of vehicles. Increasingly comprehensive IT systems form the basis for these developments. Today, up to 150 ECUs and around 100 million lines of code can be found in a vehicle. That's four times more than in a fighter jet. And this development is far from over: according to the UNECE (United Nations Economic Commission for Europe), OEMs' digital systems are expected to reach 300 million lines of code by 2030.

In this context, the interdependence between ECUs and other vehicle hardware, as well as access to them from external sources, raises security concerns. These concerns have been heightened by successful hacking demonstrations by security professionals, which have put cybersecurity in the focus of OEMs.

Standard against cyber risks in the automotive industry

As a consequence, the call for uniform standards is growing louder. The EU Cybersecurity Act, initiated in 2019, focused on cybersecurity management systems and software update management systems (SUMS) in a UNECE working group. This working group is concerned with the global harmonization of vehicle regulations.

One result of this: in collaboration with the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE), the UNECE is creating a certification for Cybersecurity Management Systems (CSMS). The ISO/SAE 21434 standard is currently in "approval status" and is expected to apply to newly registered vehicle types from mid-2022 and to all newly produced vehicles from 2024. The goal is to specify a structured process for CSMS at automakers and for in-vehicle cybersecurity that reduces the success rate of hacking attacks and establishes a standard against cyber threats in the automotive industry. The requirement for cybersecurity thus expands from individual features to entire management systems – ergo from project to organizational level. This standard does not specify cybersecurity technologies or concrete methods. Instead, it suggests an approach for prioritizing cybersecurity activities and recording measures.

Certified cybersecurity system as basis for approval of new vehicle types

The principles laid down in UN Regulation 155 and the ISO/SAE 21434 standard apply in Germany as a prerequisite for type approval (homologation) by the Federal Motor Transport Authority (Kraftfahrt-Bundesamt) and by the corresponding bodies in all UNECE member states and recognizing third countries.

Four areas are described in the ISO/SAE 21434 standard:

  • The management of cyber risks from the vehicle and its environment
  • The inherent safeguarding of a vehicle and its value chain
  • Establishing a cybersecurity incident response system to identify and address cybersecurity incidents
  • Remote software updates for an up-to-date software status

In practice, this means that a management system for cybersecurity and remote software updates, certified by independent auditors, is a prerequisite for the approval of new vehicle types. Certification is relevant for OEMs and suppliers alike. The standard differentiates between a CSMS for the organization and the application of the CSMS at product level. In terms of content, companies can use the sections of the standard as a guide when creating a CSMS in the future. These address the creation of a (1) CSMS concept, its (2) management, (3) risk determination methods, the integration of cybersecurity aspects in (4) product development, and (5) production, operation, and maintenance.

Accordingly, a cybersecurity management system comprises various processes at organizational and project level. Specifically, it covers the identification, assessment and treatment of cyber risks within an appropriate timeframe over the entire lifecycle of a vehicle. Ultimately, the entire CSMS must be validated alongside a SUMS by an independent third party for type approval clearance. The implementation of UN Regulation 155 covers several areas: the concept phase, product development, cybersecurity systems management, risk determination methods, production, operation and maintenance, and supporting processes.

The IT, automotive and homologation experts at msg

msg has in-depth IT and industry expertise. Experts in the areas of cybersecurity and software update management systems as well as electrics/electronics support our customers in identifying relevant regulations and in evaluating company-specific processes and homologation procedures, up to obtaining type approval. From consulting, conception and functional specification through to the implementation of IT systems, we are ready to help.
