- SheeldS Contributor
Cyber-Security Standards and Regulation – Insight from Industry – Part 5 of 6
What can we expect for automotive cyber-security standardization and regulation? A look at the IT and ICS/SCADA industries and discussion of insights we can draw from the parallels.
We look at what companies have done, and can do, in response to threats. We also look at accountability under national and international law and governments' role in shaping cyber-security for all industries.
Cyber-Security Standards and Regulation
This area is well covered by national and global standards and regulations. These are enforced by authorities to a large extent, and they attempt to minimize damage in a relatively effective fashion.
Nevertheless, no one raises the false hope that this will result in zero successful attacks. The most recent major contribution was the EU’s General Data Protection Regulation (GDPR), which addresses privacy issues.
This area has taken its first steps in standardization and regulation in the past few years. The most notable are the USA’s North American Electric Reliability Corporation (NERC) and Critical Infrastructure Protection (CIP) standards, which are currently at version 6 and aimed at protecting electrical substations.
The more recent European Union Agency for Cybersecurity (ENISA) Network and Infrastructure System (NIS) directive (2016/1148) names a wide range of organizations (including energy, water, transportation, and health) that should be subject to this new ruling.
Standardization and regulation are long processes, and gradual implementation will spread over many years. Each member state will need to adopt, adapt, and approve national legislation, which can differ widely from country to country. The directive approach is one of guidance and education. Fines and sanctions, while present, will only be applied in extreme cases of negligence or disregard by regulated organizations.
Again, like ICS/SCADA – and one phase behind – the automotive industry is engaged in standards development that includes projects such as:
ISO/TS 16949 (in conjunction with ISO 9001) defines quality management system (QMS) requirements for the design, development, production, installation and service of automotive-related products.
ISO 26262 Road vehicles – Functional safety. This is an international standard for functional safety of Electrical and Electronic (E/E) systems in production automobiles.
ISO/SAE 21434 Road Vehicles – Cyber-security Engineering. This working group is developing a new standard for automotive cyber-security and information security. The standard will define common terminology and key aspects of cyber-security, helping to demonstrate responsible and careful handling of vehicle development and cyber-threat prevention.
This upcoming standard was referenced and used during a test phase in collaboration with the UNECE task force for Cyber Security and OTA (Over-The-Air) issues (TF CS/OTA – WP.29), which ended in August 2019. A final draft of ISO/SAE 21434 is set to be published in February, with UNECE regulations (see below) set to begin an implementation period in early summer (May) 2020. This implementation will see the proposed UN regulations entering into force by 2022, becoming legally binding by 2024.
A-SPICE (Software processes) stands for Automotive Software Process Improvement & Capability Determination and is based on the original SPICE model, but it is made more applicable for the automotive market.
Further projects include AUTOSAR, a standardized software framework that offers classic and adaptive architectures and which will likely become mandatory.
Regulatory bodies such as the National Highway Traffic Safety Administration (NHTSA) – which can be regarded as a NERC equivalent (see ICS/SCADA above) – generate USA national safety regulations and best practices, including cyber-security related items.
The USA’s House of Representatives introduced the Security and Privacy in Your Car Study (SPY-Car) Act of 2017, which has not passed to date because new congressional elections reset the process. The US is also attempting to generate global regulations, but with very limited success. Additionally, the UN has introduced the WP.29 legal framework to share its insights on the matter.
UNECE (United Nations Economic Council for Europe) World Forum for Harmonization of Vehicle Regulations (WP.29) oversees TF CS/OTA – WP.29 (see ISO/SAE 21434 above) and is responsible for two proposals which form part of regulations entering implementation in early summer 2020.
ECE/TRANS/WP.29/GRVA/2019/2 Proposal for a Recommendation on Cyber Security.
ECE/TRANS/WP.29/GRVA/2019/3 Draft Recommendation on Software Updates of the Task Force of Cyber Security and Over-the-Air Issues.
EU2019/2144 is currently the most advanced mandatory vehicle safety regulation. The European legislation, published in December 2019 and in place as of January 2020, is set to become a regulatory requirement by 2022. Primarily focused on the needs of vulnerable road users, it also introduces requirements for advanced safety systems. The regulation specifically references the UNECE WP.29 proposals (see EU2019/2144 points 23, 26) and recommends their immediate inclusion as mandatory requirements upon publication.
In IT, the field of threat intelligence – including measurement and analysis – is well developed. Many tools and platforms exist, the field has matured, and information sharing flows well.
This area is evolving, and adaptations of IT concepts are under development. Since many of the installations are critical national infrastructure, some organizations are not eager to divulge the events they experience. For example, MITRE’s CVE database contains very few SCADA-related items. The anticipated trend is that better protection will be achieved as information is shared, but this will take time.
This is brand new to automotive, and real infrastructure has yet to be laid. The Automotive Information Sharing and Analysis Center (Auto-ISAC) is a good initiative and represents movement in the right direction. Most of the information available comes from academic, research or commercial cyber-security firms that publish their findings. As in ICS/SCADA, the collection of additional threat intelligence – and analysis of actual attacks (white hat or black hat) – will aid the evolution of this field.
Reporting, Monitoring, Surveillance and Response
In IT there are well-established processes that use standardized protocols such as Syslog and SNMP. Reporting tools log security events 24/7 for analysis by manned SOCs. CERTs at the organizational and national level have been in operation for many years.
ICS/SCADA reporting, monitoring, surveillance and response are now starting to follow in the footsteps of IT. Since, contrary to IT, virtually no events occur during normal operation, a dedicated SOC is not always installed. In some cases, we see the IT SOC used for OT surveillance; cyber-security alerts are then logged as reports on the SCADA HMI and surveillance system, alongside any other alert. Others use a Managed Security Service Provider (MSSP) to outsource (or back up) security surveillance.
Currently, there is nothing in place for automotive. There are some sporadic examples, but this process is expected to grow in scale over the coming years as OEMs begin to work more closely with cyber-security providers. It is expected to develop along the same lines as ICS/SCADA.
Formally, the person held accountable in the event of a cyber-security breach is the chief information security officer (CISO), but in severe cases responsibility and accountability can reach all the way to the chief executive officer (CEO). As such, board members require that CEOs actively support this function, in addition to providing a budgeted plan for cyber-defence. Periodic reporting follows the progress of the cyber-security activity, with exceptional events being analyzed to improve efficiency and effectiveness.
This is still an emerging area, but in the case of a breach associated with damages, the person in charge of the proper operation of the system will probably need to provide explanations. This person is the VP of engineering who oversaw the system design and mode of operation. However, this person lacks the expertise required in the cyber-security domain. As already noted, the CISO, who is the cyber-security expert, knows about IT systems but nothing about ICS/SCADA, so there is a gap here. Lately, we see the formation of cyber-security teams reporting to the VP of engineering that are made up of ICS/SCADA and cyber-security specialists. The aim is to enable the organization to provide an effective defence scheme and to give the VP of engineering an effective way to meet these responsibilities.
This is brand new and under development. Cyber-security teams are formed to research, conduct beauty contests and POCs with solution providers, specify requirements, etc. As the expertise is built up, those teams are active in the engineering parts of the organization. In parallel, the back-end part is much more IT-like and is under the responsibility of the CISO.
**Cerrado, previously known as Arilou