Exploring Continual Automotive Cybersecurity Activities

Shah Alam & Sebastian Baba

Continual cybersecurity activities refer to the ongoing cybersecurity monitoring, cybersecurity event evaluation, vulnerability analysis and vulnerability mitigation during each phase of the product development lifecycle. UNECE Regulation No.155 mandated ongoing cybersecurity activities for the vehicle manufacturers (OEMs) within their cybersecurity management system. To comply with the regulatory requirements, the OEMs and their suppliers often follow the continual cybersecurity activities laid out in Clause 8 of the ISO 21434 standard.

The first step of these activities is automotive cybersecurity monitoring which refers to the continuous surveillance and analysis of digital systems within vehicles to detect and prevent cyber threats. It involves monitoring the electrical and electronic (E/E) components that contribute to the operation of a vehicle, collecting or processing user-related data, and implementing functions based on networked components within a vehicle to identify suspicious activity or potential vulnerabilities that could be exploited by threat actors. This is achieved through the deployment of specialized monitoring tools and software that continuously monitor and analyze data traffic, system logs, and behavioral patterns within a vehicle’s digital ecosystem. Cybersecurity monitoring is an ongoing process that operates in near-real-time, providing rapid alerting and response to any detected security incidents or anomalies. It opens the door for further activities like cybersecurity event evaluation, vulnerability analysis and mitigation.

Primary Functions of Continual Cybersecurity Activities

The primary functions of continual cybersecurity activities are as follows:

Information Source: Gathering data from both external and internal sources.
- Internal: Examples of internal information sources for cybersecurity monitoring include item/system architecture, item definition, cybersecurity specifications, threat scenarios, and past vulnerability analysis. Clause 9, 10, 15 of ISO/SAE 21434 guides the OEMs/Suppliers on how to collect the above information.
- External: Examples of external cybersecurity information sources include research papers, news articles, dark web forums, and organizational supply chains.
Trigger: The triage criteria that filters relevant information from the information source. This could be names of components used in your products, by your suppliers, or other keywords and rule sets (e.g. OEMs may set a formula-based trigger from their VSOC data stream to identify if a vehicle’s odometer has experienced tampering).
Triage: Prioritizing and categorizing detected triggers/events based on their severity and potential impact. The triage process involves analyzing various factors such as, the nature of the detected triggers/events, the criticality of the affected vehicle components, and the potential consequences of a cybersecurity event.
Cybersecurity Event: In automotive cybersecurity, if the triggers are related to specific items/components, they are considered cybersecurity events. For example, if a security monitoring solution detects anomalous behavior targeting the engine control unit (ECU) or braking system, these triggers are categorized as cybersecurity events due to their direct impact on vehicle safety and operation.
Weakness/Vulnerability Analysis and Risk Management: Each cybersecurity event must be analyzed closely to evaluate the weaknesses in the respective item/component. Based on this analysis, the cybersecurity team may proceed with vulnerability analysis and risk management. Performing a Threat Analysis and Risk Assessment (TARA) is helpful to manage risks identified through vulnerability analysis. ISO 21434 Clauses 9 and 15 provide detailed guidelines for conducting a step-by-step TARA.

OEMs Role in Cybersecurity Monitoring

OEMs (Original Equipment Manufacturers) utilize sophisticated cybersecurity monitoring systems, often built on platforms like Splunk, to monitor their vehicles’ digital systems. These systems employ advanced algorithms and machine learning techniques to analyze vast amounts of data generated by sensors, ECUs, and network traffic in real-time. When anomalous behavior is detected, alerts are triggered, prompting further analysis and incident response. Incident response teams collaborate across departments to formulate and execute a targeted response strategy. This may involve isolating affected items/components from the vehicle network and deploying security updates to manage vulnerabilities.

Suppliers' Role in Cybersecurity Monitoring

In the automotive industry, suppliers are typically responsible for ensuring the security of the components, software, and systems they provide to OEMs. This includes implementing cybersecurity measures within their products and providing relevant data and insights to support OEMs’ monitoring efforts; suppliers may also have their own PSIRT/VSOC/PSOC for monitoring product vulnerabilities. In the event of a cybersecurity incident or breach, suppliers collaborate closely with OEMs to support incident response efforts. This may involve providing technical expertise, forensic analysis capabilities, and assistance in identifying the root cause of the incident. By working together, suppliers and OEMs can expedite the response and recovery process, minimize the impact of the incident, and prevent future occurrences.

How Can Block Harbor Support You in Achieving ISO/SAE 21434 Compliance for Continual Cybersecurity Activities?

Clause 8 of ISO 21434 provides guidelines for ongoing risk assessment and vulnerability management of Electrical/Electronic (E/E) systems until the end of cybersecurity support. Given the lifespan of a typical vehicle, that’s a long time to be responsible for the cybersecurity of every item you manufacture. The table below shows the breakdown of work products (WPs) per requirement (RQs).

Clause 8: Continual Cybersecurity Activities
RQ-08-01	Cybersecurity monitoring sources	[WP-08-01] Sources for cybersecurity information
RQ-08-02	Cybersecurity triage triggers	[WP-08-02] Triggers
RQ-08-03	Cybersecurity event triage	[WP-08-03] Cybersecurity events
RQ-08-04	Cybersecurity event assessment	[WP-08-04] Weaknesses from cybersecurity events
RQ-08-05	Identified weakness analysis	[WP-08-05] Vulnerability analysis
RQ-08-06	Weakness rejection rationale	[WP-08-05] Vulnerability analysis
RQ-08-07	Vulnerability management	[WP-08-06] Evidence of managed vulnerabilities
RQ-08-08	Apply incident response protocols	None

Activities from Clause 8 of ISO 21434 are also closely related to Clause 13 which deals with operation and maintenance-related cybersecurity activities. Clause 13 has only one work product requirement but three provisions/requirements (RQs).

Clause 13: Operations and Maintenance
RQ-13-01	incident response plan	[WP-13-01] Cybersecurity incident response plan
RQ-13-02	Incident response plan implementation	None
RQ-13-03	Update plan	None

The Vehicle Security Operation Center (VSOC) and Cybersecurity Management System (CSMS) are two teams at Block Harbor that work closely with their clients (OEMs/Suppliers) to help them achieve compliance with ongoing cybersecurity activities, including Clauses 8 and 13 of ISO 21434. The VSOC team develops customized monitoring capabilities by offering strategies that leverage existing industry-standard Security Information and Event Management (SIEM) technologies as the foundation for vehicle-centric cybersecurity monitoring and incident response. The bullet points below summarize how the VSOC team assists the industry in maintaining compliance with continual cybersecurity activities:

Cybersecurity Monitoring: The fundamental role of a VSOC is to ingest data from the mobility ecosystem, monitor that data, and detect any anomalous activity.
Cybersecurity Event Evaluation: Upon detection, it is the duty of VSOC personnel to investigate, validate, and respond to any cybersecurity events.
Vulnerability Analysis: As part of the incident response process, VSOC personnel work with cross-team stakeholders to scope the severity and impact of any cybersecurity incident.
Vulnerability Management: VSOC personnel often work closely with partner teams to report, contain, and remediate any vulnerabilities identified during the cybersecurity incident.
Incident Response Plans: VSOC team’s responsibility is to develop incident response plans, playbooks, and other essential documentation to ensure organizational preparedness.

On the other hand, the CSMS team supports OEMs and suppliers in achieving compliance with ISO/SAE 21434 and other standards by identifying existing cybersecurity gaps in their processes, including continual automotive cybersecurity activities, and recommends the best solutions to remediate these gaps. This article sheds light on how the automotive industry can assess cybersecurity compliance for all the ISO/SAE 21434 clauses and achieve cybersecurity management system (CSMS) certification.

References

[1] ISO/SAE 21434: 2021 – Road Vehicles – Cybersecurity Engineering

[2] Automotive Cybersecurity Engineering Handbook: The automotive engineer’s roadmap to cyber-resilient vehicles by Dr. Ahmad MK Nasser

[3] AVCDL