Page 1

Preparing for a new automotive cyber reality, July 2020

A Guide to WP.29 Cyber Security and ISO/SAE 21434

Page 3

SBD Automotive’s cyber team (design on the left, test on the right):

Marco Storsberg - Threat modelling
Anna Stylianou - Threat intelligence
Simon Halford - E/E architecture
Paul Sanderson - 21434 & TARA
David McClure - Head of Cyber
Jithesh Joshy - Wireless/SDR
Nik Pettas - App & API
Brian Zhou - SW & interface
Sam Nelstrop - e-theft
Paulson Mathew - HW & IoT

History often repeats itself... In the 1990s car makers struggled to address a sudden growth in vehicle theft, leading to outside bodies introducing tough new requirements. In 2020, the threat of cyber attacks has led the UNECE and ISO/SAE to introduce new regulations and standards respectively that will have major implications for how cars are designed, and could even limit the launch or sale of cars. Welcome to SBD Automotive’s complimentary guide to WP.29 Cyber Security and ISO/SAE 21434, two documents that will transform the automotive industry’s approach to cyber security. Here, we have done the hard work for you, condensing hundreds of pages of regulations and standards into an accessible reference guide that provides actionable insights and a quick-start checklist for getting 21434-ready.

Page 4

The big picture view of WP.29 Cyber Security

Requirements
• OEMs will need to have their product cyber management processes audited by a 3rd party every three years.
• OEMs will also need to demonstrate that they have followed a risk-based development process for every new vehicle type.
• OEMs will need to cascade the requirements down through their supply chain and take responsibility for the implementation by their suppliers.

Timing
• June 2020 - The final version of WP.29 Cyber Security was adopted by the UN.
• January 2021 - The regulation will ‘come into force’, meaning that countries can apply the new regulation from this date.
• July 2022 - The regulation will be mandatory for new vehicle types in the EU.
• July 2024 - The regulation will be mandatory for all new vehicles sold in the EU.

Coverage
• South Korea (in part from 2020), Japan (2021) and Europe (2022) are the early adopters of WP.29 Cyber Security.
• The USA was a joint chair of WP.29 Cyber Security and is expected to adopt the requirements.
• China has a ‘window’ into WP.29 and ISO/SAE 21434 and will introduce similar requirements from 2021.
• Likely to be adopted by Russia, Australia, parts of SE Asia, South Africa etc.

Consequences
• In regions such as the EU where WP.29 Cyber Security will be part of the Type Approval process, non-compliance would prevent OEMs from launching new models.
• In 2024, OEMs could also face the withdrawal of EU Type Approval for non-compliance, meaning that they would have to stop sales of an existing model.
• Similar impacts are expected in the other adopting countries.

Page 5

A (brief) 30-year history of automotive cyber security

Early 1990s - Mechanical theft: Rapid increase in cars being stolen using mechanical attacks, resulting in a strong push for electronic immobilizers, alarms and tracking systems

Early-to-mid 2000s - eTheft: First cyber tools (also known as e-theft tools) used to reprogram keys to vehicles and relay attack smart key systems

Mid 2010s - Early hacking: First widely-publicized white-hat remote hack on Jeep, followed by many other OEMs (BMW, Tesla, Toyota, Nissan etc.)

2015 onwards - Pen testing: OEMs start penetration testing of high-risk parts (e.g. IVI, TCU, GW etc.)

Late 2010s - Security by design: ‘Security by design’ approach guided by numerous standards, guidelines & best practice publications

2020 - UN WP.29: First cyber security regulation adopted by the UN WP.29

Page 6

What is WP.29 and how does it relate to ISO?

In June 2020, the UN adopted three new regulations aimed at supporting the development of connected and automated vehicles. For the first time, OEMs will need to meet binding requirements on cyber security, software updates and ALKS, a SAE Level 3 automated driving system. This guide will focus on the UN’s cyber security regulation and its impact on OEMs and suppliers.

WP.29 is the UN Working Party responsible for developing new automotive regulations. ISO/SAE 21434 provides one option for meeting WP.29 Cyber Security.

The three new UN WP.29 regulations:
• UN WP.29 SAE L3 Automated Vehicle (ALKS)
  Note: the driver remains the back-up to L3 systems
• UN WP.29 Cyber Security
  Includes OTA & ’wired’ updates.
• UN WP.29 Software Updates

Related ISO standards:
• ISO 26262 Functional Safety - Road Vehicles
• ISO/PAS 21448 Safety of the Intended Functionality of road vehicles
• ISO/SAE 21434 Cyber Security
• ISO/AWI 24089 Road vehicles software update engineering

Page 7

WP.29 non-compliance could prevent OEMs from launching new models and even lead to sales of existing models being halted. This represents a significant threat to an OEM’s business.

Page 8

What’s involved with WP.29 Cyber Security?

WP.29 Cyber Security requires that OEMs implement a comprehensive risk-based approach to developing new models and provides two tools to enforce compliance:
1. Overall Cyber Security Management System (CSMS)
2. Vehicle-specific Type Approval
OEMs will need to have their cyber development processes audited and certified by a third party every 3 years; and OEMs will also need to demonstrate that every new model has been developed according to the certified process as part of Type Approval. Failure to meet these requirements will mean that new models cannot be launched.

Cyber Security Management System (CSMS)

OEMs will need to provide detailed documents covering the vehicle development, production and post-production phases:
• High level policy for how cyber security is managed within the organization & throughout the supply chain, roles & responsibilities and overall governance
• Process for identifying risks, including a detailed list of 32 pre-defined threats
• Process to assess and treat these risks
• Process to verify that the identified risks have been managed
• Process to test the cyber security of the vehicle
• Process to keep the risk assessments up to date after production starts
• Process to monitor, detect and respond to cyber attacks
• Process to judge if the measures are still effective against the latest threats
• Process to provide relevant data to support analysis of actual attacks

In addition, OEMs will need to demonstrate that:
• They can mitigate new threats in a ‘reasonable’ timeframe
• Monitoring is continual, uses vehicle data & logs and complies with data privacy legislation (e.g. GDPR in Europe)
• They have cascaded the processes and requirements through their supply chain

Vehicle-specific Type Approval

For each new model, OEMs will need to provide a detailed technical file with the following information to the Type Approval Authority:
• Valid CSMS certificate
• Identify cyber-critical elements, both on-board and external interactions
• Perform a risk assessment, including the 32 pre-defined threats
• List of planned mitigations, including how they address the identified risks
• Details of testing to verify the effectiveness of the cyber measures
• Measures to detect and prevent cyber attack
• Ability to monitor for such attacks
• Data forensics capability to support post-attack analysis
• If provided, a secure environment for aftermarket software to sit and operate

In addition, OEMs will need to:
• Use recognised crypto standards for encryption, authentication etc.
• Provide an annual report of attacks detected by the monitoring process
• Confirm that existing mitigations are still effective against the latest threats, and if not, give details of new measures implemented
• Implement new mitigations if the Approval Authority judges that the current measures are no longer effective

Additional notes
- WP.29 Cyber Security defines what OEMs need to do, but it does not define how. ISO/SAE 21434 therefore provides a standardized approach to meeting the WP.29 requirements, but OEMs are free to adopt a different approach if they can demonstrate that it meets the WP.29 requirements
- The UN is currently developing an ‘Interpretation document’ that will help OEMs and suppliers to better understand the WP.29 requirements
- ISO is also developing a guideline for third party cyber auditors (ISO PAS 5112) to ensure a consistent application of the WP.29 requirements

Page 9

What’s involved with ISO/SAE 21434?

ISO/SAE 21434 provides OEMs with the framework needed to implement a cyber security management system that aligns to WP.29. It is a comprehensive document that covers all aspects of managing product cyber security within an OEM organization. However, despite its completeness, the standard relies on cyber experts to provide the detailed tools, methodologies and knowledge needed to complete each step. The overall structure and contents of ISO/SAE 21434 are summarized below, with numerical references to the document section in brackets:

Governance (5, 6 & 15)
• Overall cyber management, including corporate policy, culture, resources, responsibilities, rules and high-level processes
• Project-specific cyber management plan to build the cyber ‘case’ for a component and to have the case independently assessed
• Supplier management, including a cyber interface agreement with a RASIC to cascade requirements down through the supply chain

Component Development

Concept phase (9)
• Use a risk-based approach to develop security goals and high-level technology-agnostic security requirements (see the next page for the step-by-step process)

Development phase (10, 11)
• Refine the security requirements to specific SW, HW and interface features
• Security function testing to verify that the requirements have been correctly implemented
• Component testing at the vehicle level to validate its cyber security in its operating environment
• Pen testing for unidentified vulnerabilities

Post-development phase

Production (12)
• Ensure that the component leaves the production line in a secure state

Operations & maintenance (13)
• Incident response plan
• Post Job-1 design change management

Decommissioning (14)
• Ensure that secure decommissioning, where needed, is possible

Cyber Toolbox

Risk assessment (8)
• Step-by-step methods to determine the extent of cyber risk for a component

On-going activities (7)
• Collect cyber intelligence from external & internal sources
• Assess if cyber security has been/could be compromised
• Identify, analyse and manage vulnerabilities

Page 10

Example: Step-by-step guide to ISO/SAE 21434’s Concept Phase

Concept phase step - Process

i. Asset definition - Identify the data and function assets to be protected, including the potential damage scenarios if compromised

ii. Threat scenarios - Use a framework such as STRIDE to identify the potential threats to the assets

iii. Impact rating - Rate the potential safety, financial, operational and privacy impact of each threat

iv. Attack path analysis - Identify the attack points and sequence of events that can facilitate each threat

v. Attack feasibility - Determine the feasibility rating of each attack based on required time, expertise, prior knowledge and opportunity

vi. Risk determination - Determine the overall risk of each attack by combining the impact and feasibility ratings

vii. Risk treatment decision - Decide whether to avoid, reduce, share or accept the risk for each attack

viii. Cyber goals - Define the top-level cyber requirement for each risk that is to be reduced

ix. Cyber concept - Define and allocate cyber requirements to specific parts of the system or component under development
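As an added worked example (not code from SBD’s guide, nor from ISO/SAE 21434 itself), the Python below carries steps iii to vii through for two constructed threat scenarios: an overall impact rating is taken from the four impact categories, an attack-potential score from the four feasibility factors in step v, and the two are combined in a risk matrix that drives the treatment decision. The impact levels, the points per factor, the feasibility thresholds, the risk matrix and the treatment policy are all illustrative assumptions modelled loosely on the standard’s informative annexes; a real TARA uses the programme’s own calibrated scales.

```python
# Ordered scales: index 0 is least severe / least feasible (assumed levels).
IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]

# Attack-potential points per factor from step v (assumed values; calibrate for a real programme).
POINTS = {
    "time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "opportunity": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
}

# Assumed risk matrix: rows = impact, columns = feasibility very low..high, 1 = lowest risk.
RISK_MATRIX = {
    "negligible": [1, 1, 1, 1],
    "moderate":   [1, 2, 2, 3],
    "major":      [1, 2, 3, 4],
    "severe":     [2, 3, 4, 5],
}

def impact_rating(impact):
    """Step iii: overall impact is the worst of the safety/financial/operational/privacy ratings."""
    return max(impact.values(), key=IMPACT_LEVELS.index)

def attack_potential(attack):
    """Step v: sum the points an attacker needs across time, expertise, knowledge and opportunity."""
    return sum(POINTS[factor][level] for factor, level in attack.items())

def feasibility_rating(points):
    """Higher attack potential required means lower feasibility (assumed thresholds)."""
    if points < 14: return "high"
    if points < 20: return "medium"
    if points < 25: return "low"
    return "very low"

def risk_value(impact, feasibility):
    """Step vi: combine impact and feasibility through the risk matrix."""
    return RISK_MATRIX[impact][FEASIBILITY_LEVELS.index(feasibility)]

def treatment(risk):
    """Step vii: assumed policy; risk 4-5 must be reduced and becomes a cyber goal (step viii)."""
    if risk >= 4: return "reduce"
    if risk >= 2: return "share or reduce"
    return "accept"

def assess(scenario):
    imp = impact_rating(scenario["impact"])
    feas = feasibility_rating(attack_potential(scenario["attack"]))
    risk = risk_value(imp, feas)
    return {"asset": scenario["asset"], "impact": imp, "feasibility": feas,
            "risk": risk, "treatment": treatment(risk)}

# Constructed scenarios for illustration (steps i and ii done by hand; not from the guide).
RELAY = {"asset": "Smart key unlock command", "stride": "Spoofing",
         "impact": {"safety": "negligible", "financial": "major", "operational": "moderate", "privacy": "negligible"},
         "attack": {"time": "<=1 week", "expertise": "proficient", "knowledge": "public", "opportunity": "moderate"}}
DEBUG = {"asset": "Gateway ECU firmware", "stride": "Tampering",
         "impact": {"safety": "severe", "financial": "moderate", "operational": "major", "privacy": "negligible"},
         "attack": {"time": "<=1 month", "expertise": "expert", "knowledge": "confidential", "opportunity": "difficult"}}
```

Calling `assess(RELAY)` rates the relay scenario as major impact with high feasibility (risk 4, reduce), while `assess(DEBUG)` gives severe impact but very low feasibility (risk 2), which is why critical success factor 4 below calls for judgement rather than treating every severe-impact threat identically.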

Critical success factor 1 - Avoid missing any assets at the very first step through user stories, stakeholder analysis & checklists

Critical success factor 2 - Use lessons learned from previous TARA projects & pen tests to complement the WP.29 threat list

Critical success factor 3 - Use cyber HW, SW & wireless specialists to help identify all possible attack paths

Critical success factor 4 - Avoid over/under specifying cyber by using judgement and experience to make the risk treatment decision

Critical success factor 5 - Check and verify the cyber requirements at this stage to avoid costly design changes in the future

While ISO/SAE 21434 provides a comprehensive framework for implementing cyber management processes within an OEM, it is missing some key content.

For example, section 8.3.2 states that the ‘assets should be identified’, but it does not provide a concrete tool for asset identification – instead it lists a number of potential methods without describing them in detail.

Hence, at many stages in implementing WP.29 and ISO/SAE 21434, OEMs will need to call on internal and/or external experts to provide the necessary knowledge, tools and skills to ensure that the critical success factors can be met.

Page 11

WP.29 will spread cyber across the OEM organisation

Illustrative OEM cyber organisation chart:

CEO office
  Global cyber VP/director
    Product CISO (alongside Enterprise CISO, Manufacturing CISO and Finance CISO)
      R&D: Contribute to international standards; OEM technical standards & manuals; industry bodies; collaborative projects; emerging technologies; security requirements for next gen systems, software platforms etc.
      In-vehicle architecture: Cyber strategy ‘owner’; central pool of experts to support design teams; threat analysis & risk assessment; 21434 compliance & cert.; vehicle & E/E level security requirements; supplier management & document control; internal cyber promotion & training
      In-vehicle components: Some ‘high risk’ components have dedicated cyber experts (e.g. connected & autonomous); component & system level security requirements; component level verification & validation testing; component pen test management
      Off-board platform: Often part of the IT division; connected car cloud/TSP platform security requirements; MNO; mobile app security requirements; pen test management
      Test: Vehicle & system level verification & validation testing; internal pen test/hacking team
      Operations: PKI & crypto operations; key management; Security Operations Center (SOC); threat intelligence & sharing; incident response

21434 responsibilities across the organisation: 21434 governance; 21434 expertise & processes; 21434 deployment & supplier management on a component-by-component basis

WP.29 will encourage OEMs to implement a top-down approach to cyber security, with board-level support for its implementation and governance. At the working level, many OEMs are making their E/E architecture and/or software platform teams the ‘owners’ of cyber. However, for most OEMs it is still the suppliers who do the very detailed design work, meaning that robust tools and processes will be required to ensure that OEMs retain the necessary end-to-end control and accountability for cyber security.

Page 12

ISO/SAE 21434 quick-start checklists for OEMs and suppliers

Time is short for getting 21434-ready. Some early adopter OEMs and suppliers have already implemented a cyber security management system and only require small changes to make it compliant to WP.29. For the majority, however, awareness is only now starting to grow and fast action is needed...

Step 1: Raise awareness
OEMs:
• Get the organisation committed to cyber
• Establish a 21434 center of excellence
• Start briefing your suppliers
Suppliers:
• Brief the technical teams
• Reach out proactively to your customers
• Add a cyber focus to your sales material

Step 2: Perform a gap analysis
OEMs:
• Benchmark your existing cyber processes
• Start updating your documents & manuals
• Prepare a draft supplier interface agreement
Suppliers:
• Benchmark your existing processes
• Develop core documents and templates
• Update your contracts and service agreements

Step 3: Start a POC
OEMs:
• Start using the processes on a live project
• Work with a small number of suppliers
• Report the results up to the Board
Suppliers:
• Start preparing draft reports
• Start building threat knowledge and intelligence
• Develop tools to share best practice

Page 13

SBD’s holistic cyber support

SBD is not just another pen testing company or generic consulting firm that claims to cover cyber. Instead, we provide our customers with the holistic support they need to embed the latest cyber principles into their components, systems and vehicles.

Design
• Threat modelling (TARA) with proprietary threat database
• Concept phase security requirements
• ISO/SAE 21434 training & documentation
• Legislation requirements & WP.29 readiness audit
• Document design review

Test
• Penetration testing (HW, SW, wireless & diagnostics)
• Firmware extraction, analysis & code review
• Fuzz testing
• Security function testing (including scripts)
• Reverse engineering & competitor teardown

Strategy
• Competitor benchmarking & market trends
• Cyber feature adoption trends by OEM
• Cyber product & vendor market analysis
• Cyber roadmap planning
• Public hack analysis

Reports
• Cyber Guide - Quarterly (901)
• Securing the CAN Bus (704)
• Security Beyond the CAN Bus (705)
• Relay Attack Countermeasures (706)
• Anti-theft Guide (533)

Recent design & test projects
• IVI & DA
• TCU
• GW
• CAN IDS
• Dashcam
• OBD dongle
• Mobile app
• TSP
• FOTA
• Ethernet switch
• Power distribution box
• ADAS, AD & HD map
• Remote parking
• TPMS
• Aftermarket tuning tools
• Fully active suspension
• Smartphone as a Key
• Smart key
• EV & charging interface

Recent technical deep-dives
• HSM
• UDS diagnostics
• Bluetooth & BLE
• USB
• Host IDS
• Network IDS
• JTAG/debug interfaces
• AUTOSAR SecOC
• MAC key pairing
• APN
• Immobiliser key reprogramming
• Smart key relay attack
• UWB
• Automotive Ethernet / BroadR-Reach
• Secure gateway
• Vehicle SOC
• Software Defined Radio

Page 14

SBD case studies for ISO/SAE 21434 projects

21434 promotion & awareness training for a Chinese OEM

SBD was asked to prepare an entry-level 21434 training workshop and guidebook for the OEM’s fledgling cyber engineering team. The aim was to translate the requirements from ‘standard-speak’ to plain English that was easy to understand and implement.

Cyber document pack for a Tier 1 electronics supplier

SBD was asked to prepare all documents needed to comply with an OEM’s newly-introduced cyber assurance process. SBD also led briefings to the OEM and helped ensure that the supplier passed all project milestones and checkpoints.

Process audit & gap analysis for a global OEM

SBD was asked to benchmark the OEM’s existing product cyber management system against ISO/SAE 21434 and to recommend an improvement plan. SBD delivered a detailed gap analysis report and is currently preparing new process guides and supplier templates.

Concept phase document pack
1. Interface agreement
2. Cyber assurance plan
3. OEM spec review
4. Item definition
5. Crypto key management
6. Lifecycle plan
7. Asset definition
8. Threat model (TARA)
9. Risk assessment
10. Security requirements
11. Remediation plan
12. Implementation plan

Page 15

Contact information

North America: Hailey [email protected], +1 734 619 7969
Germany + North/Central/East EU: Andrea [email protected], +49 (0) 211 9753153-1
West & South EU: Alessio Ballatore, [email protected], +44 74 71 03 86 22
China: Victor [email protected], +86 18516653761
Japan: SBD Japan Sales, [email protected], +81 52 253 6201

www.sbdautomotive.com