Continual cybersecurity activities refer to the ongoing cybersecurity monitoring, cybersecurity event evaluation, vulnerability analysis and vulnerability mitigation carried out during each phase of the product development lifecycle. UNECE Regulation No. 155 mandates ongoing cybersecurity activities for vehicle manufacturers (OEMs) within their cybersecurity management system. To comply with the regulatory requirements, OEMs and their suppliers often follow the continual cybersecurity activities laid out in Clause 8 of the ISO 21434 standard.
The first step of these activities is automotive cybersecurity monitoring, the continuous surveillance and analysis of the digital systems within vehicles to detect and prevent cyber threats. It covers the electrical and electronic (E/E) components that contribute to the operation of a vehicle, collect or process user-related data, or implement functions on networked components within the vehicle, with the aim of identifying suspicious activity or potential vulnerabilities that could be exploited by threat actors. This is achieved by deploying specialized monitoring tools and software that continuously collect and analyze data traffic, system logs, and behavioral patterns within a vehicle’s digital ecosystem. Cybersecurity monitoring is an ongoing process that operates in near-real-time, providing rapid alerting and response to any detected security incidents or anomalies. It opens the door for the further activities of cybersecurity event evaluation, vulnerability analysis and mitigation.
The primary functions of continual cybersecurity activities are as follows:
OEMs (Original Equipment Manufacturers) utilize sophisticated cybersecurity monitoring systems, often built on platforms like Splunk, to monitor their vehicles’ digital systems. These systems employ advanced algorithms and machine learning techniques to analyze the vast amounts of data generated by sensors, ECUs, and network traffic in real-time. When anomalous behavior is detected, alerts are triggered, prompting further analysis and incident response. Incident response teams collaborate across departments to formulate and execute a targeted response strategy. This may involve isolating affected items or components from the vehicle network and deploying security updates to manage vulnerabilities.
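To make the monitoring-to-alert step concrete, here is an added example of the kind of rule a VSOC might run over in-vehicle CAN traffic. It is not code from the article or from Block Harbor: it parses constructed candump-style log lines, compares each arbitration ID's observed transmit period against a constructed known-good baseline, and raises a cybersecurity event for triage when an ID is absent from the baseline or its rate deviates sharply. The CAN IDs, periods, tolerance and log lines are all invented for illustration and do not describe any real vehicle.

```python
"""Added example (not from the article): two simple monitoring rules
over CAN traffic, emitting cybersecurity events for triage.

All CAN IDs, timings and log lines below are constructed for the
example; they do not describe any real vehicle or OEM baseline."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed baseline: expected transmit period (ms) per arbitration ID,
# the sort of profile a VSOC would derive from known-good traffic.
BASELINE_PERIOD_MS = {0x100: 10.0, 0x2A0: 20.0, 0x3F0: 100.0}
RATE_TOLERANCE = 0.5  # flag if the mean period deviates by more than 50 %


@dataclass
class CyberEvent:
    """One cybersecurity event handed to triage (cf. ISO 21434 WP-08-03)."""
    trigger: str  # which triage trigger fired (cf. RQ-08-02)
    can_id: int
    detail: str
    source: str = "in-vehicle CAN log"  # information source (cf. WP-08-01)


def parse_candump(line):
    """Parse a candump-style line '(ts) iface ID#DATA'.

    Returns (timestamp_ms, can_id, payload_bytes) or None if malformed."""
    parts = line.split()
    if len(parts) != 3 or not parts[0].startswith("("):
        return None
    ts_ms = float(parts[0].strip("()")) * 1000.0
    can_id_hex, _, data_hex = parts[2].partition("#")
    try:
        return ts_ms, int(can_id_hex, 16), bytes.fromhex(data_hex)
    except ValueError:
        return None


def evaluate_log(lines):
    """Apply the unknown-ID and rate-anomaly rules; return raised events."""
    timestamps = defaultdict(list)
    unknown_seen = set()
    events = []
    for line in lines:
        parsed = parse_candump(line)
        if parsed is None:
            continue  # malformed line: ignored here, would be logged in practice
        ts_ms, can_id, _ = parsed
        if can_id not in BASELINE_PERIOD_MS:
            if can_id not in unknown_seen:  # one event per unexpected ID
                unknown_seen.add(can_id)
                events.append(CyberEvent(
                    "unknown-id", can_id,
                    f"ID 0x{can_id:03X} not in baseline, first seen at {ts_ms:.1f} ms"))
            continue
        timestamps[can_id].append(ts_ms)
    for can_id, stamps in timestamps.items():
        if len(stamps) < 2:
            continue  # need at least one inter-arrival gap
        observed = mean(b - a for a, b in zip(stamps, stamps[1:]))
        expected = BASELINE_PERIOD_MS[can_id]
        if abs(observed - expected) > RATE_TOLERANCE * expected:
            events.append(CyberEvent(
                "rate-anomaly", can_id,
                f"ID 0x{can_id:03X} mean period {observed:.1f} ms, expected {expected:.1f} ms"))
    return events


# Constructed sample log: 0x3F0 is flooded at 1 ms instead of 100 ms,
# and 0x7DF appears although it is not part of the baseline.
SAMPLE_LOG = [
    "(0.000) can0 100#0102",
    "(0.010) can0 100#0102",
    "(0.020) can0 100#0102",
    "(0.030) can0 100#0102",
    "(0.000) can0 2A0#FF",
    "(0.020) can0 2A0#FF",
    "(0.040) can0 2A0#FF",
    "(0.000) can0 3F0#00",
    "(0.001) can0 3F0#00",
    "(0.002) can0 3F0#00",
    "(0.003) can0 3F0#00",
    "(0.050) can0 7DF#0201",
]

if __name__ == "__main__":
    for event in evaluate_log(SAMPLE_LOG):
        print(f"[{event.trigger}] {event.detail} (source: {event.source})")
```

The first seven sample lines alone raise nothing, which is the point of a baseline: the rules only fire on the flooded ID and the unexpected one. In a real deployment the baseline would be per vehicle variant and the events would carry a vehicle identifier and timestamp so that the triage step can correlate them across the fleet.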
In the automotive industry, suppliers are typically responsible for ensuring the security of the components, software, and systems they provide to OEMs. This includes implementing cybersecurity measures within their products and providing relevant data and insights to support OEMs’ monitoring efforts; suppliers may also have their own PSIRT/VSOC/PSOC for monitoring product vulnerabilities. In the event of a cybersecurity incident or breach, suppliers collaborate closely with OEMs to support incident response efforts. This may involve providing technical expertise, forensic analysis capabilities, and assistance in identifying the root cause of the incident. By working together, suppliers and OEMs can expedite the response and recovery process, minimize the impact of the incident, and prevent future occurrences.
Clause 8 of ISO 21434 provides guidelines for ongoing risk assessment and vulnerability management of Electrical/Electronic (E/E) systems until the end of cybersecurity support. Given the lifespan of a typical vehicle, that’s a long time to be responsible for the cybersecurity of every item you manufacture. The table below shows the breakdown of work products (WPs) per requirement (RQ).
Clause 8: Continual Cybersecurity Activities

| Requirement | Title | Work product |
|---|---|---|
| RQ-08-01 | Cybersecurity monitoring sources | [WP-08-01] Sources for cybersecurity information |
| RQ-08-02 | Cybersecurity triage triggers | [WP-08-02] Triggers |
| RQ-08-03 | Cybersecurity event triage | [WP-08-03] Cybersecurity events |
| RQ-08-04 | Cybersecurity event assessment | [WP-08-04] Weaknesses from cybersecurity events |
| RQ-08-05 | Identified weakness analysis | [WP-08-05] Vulnerability analysis |
| RQ-08-06 | Weakness rejection rationale | |
| RQ-08-07 | Vulnerability management | [WP-08-06] Evidence of managed vulnerabilities |
| RQ-08-08 | Apply incident response protocols | None |
Activities from Clause 8 of ISO 21434 are also closely related to Clause 13, which deals with operation and maintenance-related cybersecurity activities. Clause 13 has only one work product requirement but three provisions/requirements (RQs).
Clause 13: Operations and Maintenance

| Requirement | Title | Work product |
|---|---|---|
| RQ-13-01 | Incident response plan | [WP-13-01] Cybersecurity incident response plan |
| RQ-13-02 | Incident response plan implementation | None |
| RQ-13-03 | Update plan | None |
The Vehicle Security Operation Center (VSOC) and Cybersecurity Management System (CSMS) are two teams at Block Harbor that work closely with their clients (OEMs/Suppliers) to help them achieve compliance with ongoing cybersecurity activities, including Clauses 8 and 13 of ISO 21434. The VSOC team develops customized monitoring capabilities by offering strategies that leverage existing industry-standard Security Information and Event Management (SIEM) technologies as the foundation for vehicle-centric cybersecurity monitoring and incident response. The bullet points below summarize how the VSOC team assists the industry in maintaining compliance with continual cybersecurity activities:
- Cybersecurity Monitoring: The fundamental role of a VSOC is to ingest data from the mobility ecosystem, monitor that data, and detect any anomalous activity.
- Cybersecurity Event Evaluation: Upon detection, it is the duty of VSOC personnel to investigate, validate, and respond to any cybersecurity events.
- Vulnerability Analysis: As part of the incident response process, VSOC personnel work with cross-team stakeholders to scope the severity and impact of any cybersecurity incident.
- Vulnerability Management: VSOC personnel often work closely with partner teams to report, contain, and remediate any vulnerabilities identified during the cybersecurity incident.
- Incident Response Plans: The VSOC team’s responsibility is to develop incident response plans, playbooks, and other essential documentation to ensure organizational preparedness.
On the other hand, the CSMS team supports OEMs and suppliers in achieving compliance with ISO/SAE 21434 and other standards by identifying existing cybersecurity gaps in their processes, including continual automotive cybersecurity activities, and recommending the best solutions to remediate these gaps. This article sheds light on how the automotive industry can assess cybersecurity compliance for all the ISO/SAE 21434 clauses and achieve cybersecurity management system (CSMS) certification.