UNECE WP.29 audits are set to begin in 2022, and many automakers are in the midst of implementing processes in alignment with ISO/SAE 21434: Road Vehicles – Cybersecurity Engineering. One of the largest emerging challenges is understanding how cybersecurity work products and management systems for vehicles will flow through the automotive supply chain.
To address this challenge, Block Harbor will adopt and support Motional’s recently released “Autonomous Vehicle Cybersecurity Development Lifecycle (AVCDL),” a free and open cybersecurity development lifecycle (including document templates), using it as a starting point from which any player in the automotive supply chain can begin their cybersecurity efforts. It’s available for download at: https://github.com/nutonomy/AVCDL.
In this article, I’ll walk through the benefits we see in supporting a free and open starting point for vehicle cybersecurity development.
- Born at Motional. You may ask yourself why there is an “AV” in “AVCDL.” That’s because it is primarily driven by an autonomous vehicle company that takes cybersecurity seriously. Motional’s interest in making AVCDL public was driven by a need for their suppliers to do cybersecurity well and consistently in order for Motional to be successful. While it has AV in the name, it applies to anybody performing vehicle cybersecurity management. Further, Motional gets feedback on the AVCDL from parties like Block Harbor that are interested in growing a free and open set of knowledge that helps make mobility more secure. At BH, we don’t believe there should be a paywall in front of critical support to keep vehicles safe.
- Document Templates. Each automaker is taking a slightly different approach to developing its cybersecurity management system for UNECE WP.29 and ISO/SAE 21434. In turn, they each have differing demands, with many of the automakers providing templates in which suppliers return cybersecurity work products to the automaker. AVCDL provides a set of free and open document templates that lets the automotive supply chain get ahead of the work instead of reactively responding to each automaker’s requests. Suppliers can develop their own CSMS and CDL using free and open document templates, and then simply tune those to each automaker’s requests.
- Multiple Standard and Regulation Considerations. For anybody needing to address cybersecurity in the automotive industry, be prepared to have a hundred regulations and standards thrown at you: GDPR, CCPA, ISO/SAE 21434, UNECE WP.29, UNR 155, UNR 156, TISAX, ISO 27001, ISO 26262, ASPICE-SEC, and the list goes on. Each of them has a different purpose, and depending on a given party’s responsibilities, that party will only need to focus on a subset. AVCDL provides a framework that is considerate of the broad landscape of standards and regulations as they apply to vehicle cybersecurity development.
- Refined over Time. Vehicle cybersecurity is new to all of us. With everybody taking different approaches, each party is independently learning through their own costly mistakes. AVCDL gives us the opportunity to build something that we can learn from together and improve through multi-party contributions. As more parties get involved, AVCDL will grow in capability to benefit everyone and make vehicles safer.
Block Harbor is an automotive security solutions provider. We’re contributing to AVCDL because we’re building it into our services to help our customers build effective cybersecurity management systems, ranging from automakers with big security teams to suppliers with no security team. Vehicle cybersecurity depends highly on the ability of everyone with their hand in the pot of vehicle development to do their job well. We believe AVCDL helps us, and in turn, our customers, toward that end.