In my previous blog, following the first meeting of our Secure-CAV Advisory Panel, I touched on the issues of defending against unknown, future potential threats and what has to be done to form a robust Defense in Depth.
One of the key factors in maintaining a secure vehicle (ie roadworthy) in the face of evolving cybersecurity threats is keeping up to date with evolving international automotive and electronics industry standards and regulations. These are already developing rapidly to ensure connected and autonomous vehicles (CAVs) are designed (and, importantly, maintained) with robust safety and cybersecurity systems.
The issues raised by James Keen in his insightful July 2020 blog very much apply. The car OEM is obliged to ensure safety and security throughout the life of the vehicle.
ISO 26262 is well established as a standard for functional safety of automotive systems. The more recent ISO 21434 cybersecurity standard is explicit about the need for security to be ‘designed in’ to automotive systems at the component level. But the new UN-ECE WP.29/GRVA regulation goes even further and places responsibility squarely on the shoulder of the automotive OEMs: an approach that will continue with the forthcoming UN-ECE WP.29 R155 governing obligations surrounding over-the-air updates.
Beyond the responsibility and compliance issues, there are hard commercial realities. The UN-ECE regulations make it clear that non-compliance will mean automotive OEMs lose access to strategically important global markets. Additionally, James’ blog reminded us of the costly task of recalls: “Recent years have demonstrated the potentially ruinous costs associated with vehicle recalls (both to balance sheets and to corporate reputations): US recalls alone cost the industry $22 billion in 2016.”
Discussions with the Secure-CAV Advisory Panel have made it clear how important it is that automotive OEMs adapt their thinking to handle these new ‘responsibilities’ and how the industry, the automotive supply chain and connected ecosystems can support this shift.
It’s not only a question of responsibility and the commercial implications of non-compliance, it’s also a question of shifting a traditional and well-established model. The automotive industry’s traditional approach needs to adapt if it’s to respond to the requirements and threats as quickly as it will need to.
Automotive OEMs already realise that, as part of adapting to this new reality, they will need to start thinking like big technology companies in making strategic plans for long-term threats and the responsibility this brings with it.
Additionally, it’s crucial that the support comes from the entire ecosystem, no one company can do this on its own. At Siemens EDA, we’re supporting this from a silicon perspective with Silicon Lifecycle Solutions, embedded analytics and monitoring solutions that support the cybersecurity of an automotive system throughout its lifetime.