“Why on earth would you invest in secure boot or removing debug interfaces for a lightbulb? Let’s threat model folks.” – Charlie Miller on X
Momentum
As I return home from the Auto-ISAC’s European Summit—a convening of some of the most intelligent folks in vehicle cybersecurity—I can’t help but reflect on how far this space has come.
For those of you bearing the burden of securing moving projectiles, you’re doing great. Whether you’re coming from functional safety, engineering, infosec, government, or management, I’ve met so many people who found themselves in this position, drinking from the same firehose we all are, each bringing a unique perspective on a problem space with so many facets. I’ve always said that vehicle cybersecurity is not a cybersecurity problem at all—it’s an engineering problem. It’s a supply chain problem. It’s a cost decision-making problem. It reminds me of getting a rocket to space: it relies on every single part doing its job, or else it might not even make it to space. Once out there, that system’s mission-critical resilience determines its fate as it roams into new unknowns of the solar system. (I don’t know anything about rockets, but I sure do admire them.)
The automotive supply chain has put tremendous effort into ensuring the product is secure. We know how it’s done. We’ve passed the type approvals and have a clear vision on compliance. But the real question remains: as vehicles become more connected and dynamic with growing threats, how do we align compliance and cybersecurity in a way that enables that incredibly exciting future we all know is ahead? After all, a compliant vehicle is not a secure vehicle—and frankly, a secure vehicle isn’t necessarily a compliant vehicle either.
Background
For those who know me — I’m obsessed with cars. I love knowing about how they work, I love modifying (hacking) them, I love racing them. I have since I was 5 when I started saving up for my first fast car. Back in 2014, I was an intern at FCA in cybersecurity. The advice a mentor gave me was this: “I don’t know what the future of vehicle cybersecurity holds, but I do know that it’s not going away any time soon.” In that same year, researchers demonstrated that you could, in fact, exploit connected vehicles. You can imagine how this spark ignited my obsession with the cybersecurity of cars — I got to combine these two great interests of mine. When I set off for college at Brown University in Rhode Island, I set my course for Computer Engineering with a research focus on Vehicle Cybersecurity. At the same time, I founded Block Harbor to deliver on the mission of building great solutions to keep the future of mobility safe.
Back then was very different from today. It was all white space. Those customers we worked with at BH in the early days didn’t have any guidance. There was no standard. There was no regulation. In fact, it was some of the most interesting and innovative work we’ve ever done — our objective was purely to ensure that the vehicle systems we were working on were secure. It was a reactionary moment in the automotive industry as they concerned themselves with the fear of researchers — or worse — targeting their products next. At the time, as a university student trying to figure out what to research, a key question always sat at the core of what I was doing: What are we protecting from?
- Researchers trying to maximize their publicity?
- Competitors looking for an edge?
- Car hackers that want to tune their car?
- Nation state entities that have unknown objectives?
- Illicit groups trying to run an illegal business?
- A bad actor trying to hurt someone?
- Script kiddies…just ‘cause they can?
One of those sticks out for me — the one that has the most motivation and the most resources. As a threat actor, the biggest barrier to hacking vehicle systems is the resources. Unlike hacking my phone, where breaking it means I can’t call my mom, breaking my car means I can’t go get my Chipotle. State-sponsored entities, on the other hand, have all the money and the time in the world to find vulnerabilities.
Now this was a fascinating topic to me. As my research at Brown unfolded, I spent a lot of time looking at the attack surfaces in and around the vehicle — diagnostic systems, mobile apps, APIs, cloud systems, aftermarket systems. Papers like “Comprehensive Experimental Analyses of Automotive Attack Surfaces” gave me so many different areas to look at — wondering, what would a nation state actor do with this? And why would they do it?
The summary? Nothing good. Cyber warfare. Influencing regional economies. Targeting individuals. Finding advantage for the next economic revolution. I mean — think about it — a bad actor could shut a city down by crashing one car. They could shut down a highway meant for transporting troops with one car. It’s critical infrastructure, just like the chaos that would ensue if the energy grid were attacked.
…Yeah, I was fun at parties.
Fast forward a bit through the formation of the Auto-ISAC, the growth of security teams (and budget), the release of J3061 that evolved into ISO/SAE 21434, the enforcement through UNR 155, and the tremendous journey that Block Harbor has been on through all of this. We work with so many different companies throughout the supply chain — automakers, suppliers, chipmakers, auditors — helping them solve this issue of cybersecurity and compliance. I am grateful to have solved so many challenges with so many smart people.
Regional regulation: is it working?
Governments recognize what we all see: mobility is becoming highly connected and is now part of critical infrastructure, with cybersecurity threats continually increasing. If we leave cybersecurity decisions solely to the market, companies will focus on delivering value to shareholders, which might not address all threats to critical infrastructure. We can’t secure the future of connected vehicles without regulatory oversight. The stakes are too high—international stability, passenger safety, and global economies depend on it. The government has to intervene.
So, here we are in July 2024. Cybersecurity type approvals are now mandatory for all new vehicles sold in UNECE participating nations, covering a significant portion of the world. Let’s examine the incentives for the key players: Auditors, Automakers, and Suppliers.
Auditors
Let’s start with the auditors (known as technical services)—companies that built a brand that relies on their approvals and certifications being robust. The automaker shows them around their CSMS and provides evidence that it’s applied to a vehicle type, and they provide a stamp of approval. Auditors live or die by rigor and consistency. The problem? The cybersecurity devils are in the details. The auditors are businesses too—they have competitors that keep their costs in check. They can’t spend months penetration testing each vehicle type to find indicators that the vehicle is not secure, and they can’t check to ensure everything was implemented correctly. Rather, they have to make a judgment on whether they believe the automaker did their best. Obviously, a type approval is not a guarantee—but it means someone has peeked under the cybersecurity hood.
Incentives? Low cost.
Automakers
The great gatherers of evidence, the automaker has to make a strong case that they’ve done effective cybersecurity for a vehicle going through type approval. They build a robust CSMS to ensure the production and collection of that evidence is done efficiently and effectively—not just among the different teams across the automaker but from their suppliers and their suppliers’ suppliers.
Incentives? Show the bare minimum to pass the audit and focus the rest of their resources on protecting business priorities.
After all, if an automaker becomes known for “weak cybersecurity,” they will lose customers.
Suppliers
Suppliers meet the contractual requirements of the automaker. Because they own a huge amount of the hardware and software of the vehicle, suppliers are responsible for technically addressing the risk that the automaker owns. After all, in an automotive cybersecurity event, a supplier won’t make the headlines nearly as much as the car brand that the module is in. Automakers ensure this is done through contractual requirements. Suppliers receive many cybersecurity requirements from their customers and it’s not competitive or sustainable to charge each customer for cybersecurity evidence development. Instead, they build internal teams to ensure consistent work product development across their product line.
Incentives? Do enough to win business efficiently and focus the rest of their resources on protecting business priorities. After all, if a supplier becomes known for “weak cybersecurity,” they will lose business.
Meet the regulation. Meet the regulation. Meet the regulation.
So, the government stepped in and implemented a regulatory incentive structure. Automakers rallied to meet the regulation (with a few exceptions), and the supply base followed. Time to go home? Critical infrastructure cybersecurity solved? Nation-states and other bad actors thwarted? Charlie Miller asks another important question on X: “If you have a device that keeps out everyone but state-sponsored hackers, and nobody can keep them out, maybe it’s pointless to add more security at that point?”
Here’s the thing: everything I said until now is fundamentally focused on making sure the evidence is in place to ensure type approval is met so we can keep selling cars. That’s what the industry had to do to get where we are today. But UNR 155 doesn’t say “vehicles should be secure.” It says you should have a cybersecurity management system so that you can maintain the cybersecurity of the vehicle throughout its lifetime. The type approval is just a “gate check” before releasing the thing to know that you have your house in order. It’s the process framework that enables consistent cybersecurity processes throughout the supply chain.
Frankly — I think that’s where we are as an industry. We got through the gate check. But now we actually have to manage cybersecurity for the lifetime of every single vehicle type. Why? Because cybersecurity is business critical and securing products is a lifecycle-long process! Oh…and the regulations require checking again and again every couple of years. And if you make a big change, they’re going to check again!
So, while we can all pat ourselves on the back for effectively implementing cybersecurity standard processes to yield a secure vehicle, we now have to keep it secure. We have to keep them all secure. In this way, the real work begins. I just hope compliance and cybersecurity for the business find strong alignment.
Murmurs on the street.
Now that we have the first type approvals for R155 rolling around the streets, we just need to think about scaling that, right? Well – I think we’re about to see this space become a lot more complex. The reason? Vehicles are becoming more than vehicles. Remember when cell phones just managed calls and texts? Imagine only using your phone for that today. Today’s vehicles are:
- IoT devices
- Critical infrastructure (and connecting to other critical infrastructure, like the grid!)
- Data producers
- Data processors
- Globally developed and manufactured
- Safety critical
- Artificially intelligent
- Payment handlers
Just because the industry developed its own product cybersecurity standard and regulatory framework doesn’t mean it won’t need to answer to other topics as well. For example, if an IoT regulation requires all “devices with a cellular modem” to be certified for cybersecurity (mostly talking about connected toasters), where does this leave cars, which have multiple cellular modems? Data privacy is increasingly a major concern in automotive, and many OEMs have already been publicly scrutinized. Other critical infrastructures will have their own requirements. Will ISO 21434 and R155 kill all these birds? And most importantly, will the sum of these regulations yield a secure vehicle? Not sure. But here are a few adjacent topics that are becoming rather obviously intertwined:
- US Department of Commerce proposed rule for ICT systems
- Chinese GB Standards
- GDPR/CCPA
- ISO 27001
- European Union ENISA requirements/NIS 2
- European Union Radio Equipment Directive (RED)
- US CISA requirements
Oh, and attackers are supercharged with AI. So while we’re over here fumbling with our TARA drop-downs in Excel, hoping we’ve documented the attack paths we did think about, attackers are using AI to generate new attack paths in real time.
Outlook: from first principles.
Up to now, a few things have been happening all at once:
- We need to scale the CSMS efforts for the life of all vehicle types.
- We need our efforts to interplay with sibling cybersecurity regulations in an easy-to-document kind of way.
- Cybersecurity is becoming a critical business enabler for trends like SDV.
- Attacks are increasing while also being enabled by AI.
Like always, the challenge for any company is to access budget to deliver solutions for the above trends. In vehicle cybersecurity, it was really UNR 155 that gave a dead-simple business case. No basic cybersecurity enabling process = no car sales. Now, however, risk and complexity are growing faster than the ability to generate business cases and we can’t rely on regulatory pressure alone to protect the safety of our passengers and the integrity of our brand.
So what?
As we’ve been in the trenches with different companies, there are a few common threads that we see over and over again as companies rethink their vehicle cybersecurity strategy.
- Major trends provide a clear business case for product cybersecurity.
- Your product security team isn’t big enough and it never will be.
- Your detailed processes to meet the regulation slow down your ability to respond to actual cybersecurity needs.
- Compliance is a stepping stone for robust cybersecurity.
- You likely have a secure vehicle connected to insecure systems.
- Let the metrics speak.
So, what can you do?
- Build a roadmap.
- Choose the right technology (easier said than done, but know your problem before looking for solutions; we have our own mentioned below).
- Collaborate and solve problems with your entire supply chain in mind.
Block Harbor has been working on automotive’s deepest cybersecurity challenges for a decade now. While our Vehicle Security Engineering Cloud (VSEC) platform doesn’t solve all the problems, it solves some core issues and is the very system we’ve used to scale the efforts of our small cybersecurity engineering team.
There are many advanced features that are only available to strategic partners and beta users. While our product roadmap is set to make many of these available to the larger community later this year and even free in years to come, please contact us for more information or reach out to me or our team directly on LinkedIn, our website, or one of our events!