Safe and Secure Transportation Systems

The continuous introduction and reliance on communication, sensing and automation technologies within a vehicle make cybersecurity much more than simply a compliance problem.


Cybersecurity executives in the automotive sector must embrace new organizational and product security standards that drive collaboration across the supply chain. Vehicle communication networks such as the controller area network (CAN) were not designed to authenticate message traffic: a CAN frame carries an arbitration identifier and a payload but no sender identity and no message authentication code, so any node with bus access can transmit frames under any identifier. At the same time, rapid shifts in technology have introduced hyper-connectivity and automation that must be securely integrated into vehicles built on these legacy networks.

Vehicles now include Bluetooth, Wi-Fi, satellite, cellular, NFC and other communication stacks that enable vehicle-to-vehicle, vehicle-to-infrastructure and personal connectivity. Hardware is integrated in support of advanced driver-assistance systems (ADAS) in order to automate functions and safeguard drivers. Without a holistic approach to cybersecurity across the OEMs and myriad tier suppliers, these integrations cannot happen securely.

The automotive industry is now moving toward the adoption of cybersecurity standards that enable OEMs and suppliers to better understand and evaluate customer goals and supplier cybersecurity capabilities. UN Regulation No. 155 (UNECE WP.29 R155) requires vehicle manufacturers to operate a cybersecurity management system (CSMS), and ISO/SAE 21434 defines the engineering requirements and associated work products that an organization uses to implement one. Its organizational requirements ensure that proper policies, procedures and technologies are in place to secure a company's development environment; its product lifecycle requirements ensure that cybersecurity is taken into account from concept and design through production, operation and decommissioning. The companion UN Regulation No. 156 (WP.29 R156) requires a software update management system (SUMS) to govern post-development updates of components within vehicles.

Enhanced supply chain security capabilities will play a pivotal role in enabling OEMs and suppliers to meet these new requirements. Many organizations today rely on processes that are static and that lack the ability to jointly track and manage cybersecurity threats and mitigations across a customer and a supplier. Automotive cybersecurity executives should begin to explore new methods for transforming these existing supply chain processes into new dynamic and continuous supplier collaboration capabilities.

The first step in this process is the introduction of a software bill of materials (SBOM) and hardware bill of materials (HBOM). An SBOM or HBOM allows a supplier to document the software or hardware makeup of a component, and a customer can then use it to map newly published vulnerabilities to the affected components for the life of the vehicle. An SBOM can be communicated in a number of ways, but only machine-readable formats such as Software Identification (SWID) tags, Software Package Data Exchange (SPDX) and CycloneDX allow that mapping to be automated rather than done by hand.
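As an added illustration of what that mapping looks like in practice (this is example code written for this page, not code from the article's author), the following Python script reads a supplier SBOM in SPDX 2.3 JSON and checks each listed package against an advisory feed. The SBOM document, the component names (acme-tls and so on), the version numbers and the advisory identifiers (EXAMPLE-ADV-1 and so on) are all constructed placeholders; they are not real products or real vulnerabilities, and the advisory feed layout (package, introduced, fixed) is an assumed format rather than any particular vendor's.

```python
"""Map a supplier SBOM (SPDX 2.3 JSON) to a vulnerability feed.

Added example, not code from the original article. Every component name,
version and advisory identifier below is a constructed placeholder.
"""
import json

# Constructed SPDX 2.3 JSON document, as a supplier might deliver with an ECU.
# "acme-crypto" deliberately has no versionInfo to show how such gaps surface.
SBOM_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-tcu-firmware-3.1.0",
  "packages": [
    {"name": "example-tcu-firmware", "SPDXID": "SPDXRef-Firmware", "versionInfo": "3.1.0"},
    {"name": "acme-tls", "SPDXID": "SPDXRef-acme-tls", "versionInfo": "2.4.1",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:generic/acme-tls@2.4.1"}]},
    {"name": "acme-canstack", "SPDXID": "SPDXRef-acme-canstack", "versionInfo": "1.0.7"},
    {"name": "acme-bootloader", "SPDXID": "SPDXRef-acme-bootloader", "versionInfo": "0.9.2"},
    {"name": "acme-crypto", "SPDXID": "SPDXRef-acme-crypto"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-Firmware"}
  ]
}
"""

# Constructed advisory feed (assumed layout): each entry names the affected
# package, the first affected version and the first fixed version (None means
# no fix has been published yet).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "acme-tls", "introduced": "2.0.0", "fixed": "2.4.2"},
    {"id": "EXAMPLE-ADV-2", "package": "acme-canstack", "introduced": "1.1.0", "fixed": "1.1.3"},
    {"id": "EXAMPLE-ADV-3", "package": "acme-bootloader", "introduced": "0.9.0", "fixed": None},
]


def parse_version(text):
    """'2.4.1' -> (2, 4, 1). Anything non-numeric is rejected, not guessed."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"unsupported version string: {text!r}") from exc


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def _packages(sbom_json):
    return [p for p in json.loads(sbom_json).get("packages", []) if "name" in p]


def load_components(sbom_json):
    """name -> version for every package that actually states a version."""
    return {p["name"]: p["versionInfo"] for p in _packages(sbom_json) if p.get("versionInfo")}


def unversioned_components(sbom_json):
    """Packages with no versionInfo cannot be matched and must be raised with the supplier."""
    return [p["name"] for p in _packages(sbom_json) if not p.get("versionInfo")]


def match_advisories(sbom_json, advisories):
    """Return (advisory id, package, shipped version, fixed version) for every hit."""
    components = load_components(sbom_json)
    hits = []
    for adv in advisories:
        version = components.get(adv["package"])
        if version is None:
            continue
        if is_affected(version, adv["introduced"], adv["fixed"]):
            hits.append((adv["id"], adv["package"], version, adv["fixed"]))
    return hits


if __name__ == "__main__":
    for hit in match_advisories(SBOM_JSON, ADVISORIES):
        print("AFFECTED:", hit)
    for name in unversioned_components(SBOM_JSON):
        print("NO VERSION IN SBOM, cannot assess:", name)
```

Matching on the bare package name, as done here, is the weak point of real SBOM pipelines: the same library is often listed under different names by different suppliers, which is why the purl in `externalRefs` (or a CPE) is the better join key once the feed provides one. Components that ship without a version, like the constructed acme-crypto entry, are not "no findings"; they are a gap the customer cannot assess and should push back to the supplier.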

OEMs and Tier 1 suppliers must also be able to clearly communicate their cybersecurity goals and requirements to their supplier base, tailored to the specific component being procured. Goals and requirements are based on the operational context in which the component will operate. Suppliers must be able to understand these goals and communicate the product cybersecurity features that will help their customers meet these goals. Customers and suppliers must also be able to identify cybersecurity gaps and jointly track those gaps to closure. Both customers and suppliers must be able to manage participation in these distributed cybersecurity activities.

Standards such as ISO/SAE 21434 drive the need for enhanced visibility of not only product-specific cybersecurity threats and mitigations but also of the general organizational processes employed by the supplier. This includes maintaining an understanding of the supplier's secure development lifecycle processes, its ability to identify threats using a standardized threat modeling process and its ability to support cybersecurity for post-development activities. Supplier cybersecurity posture can provide insight into the supplier's ability to guard against supply chain attacks such as tampered or counterfeit embedded chips and backdoors inserted into open-source dependencies, and against implementation weaknesses such as side-channel leakage from the embedded chips it selects.

Automobiles are complex systems that integrate thousands of parts across an ecosystem of tier suppliers. Different components introduce different levels of risk, and customers must be able to differentiate risk levels across their supplier base in order to scale these new supply chain cybersecurity capabilities. For example, Tier 1/2 suppliers of infotainment systems, telematics control units (TCUs), ADAS equipment and other externally reachable or safety-relevant computational systems should be evaluated to a higher standard than Tier 3 suppliers of passive parts.

Because connectivity, sensing and automation now reach into the vehicle's safety-critical functions, cybersecurity is a passenger safety issue rather than a compliance checkbox. This requires that all participants in the automotive ecosystem invest in increasing their cybersecurity capabilities both internally and in collaboration with their suppliers. OEMs and suppliers should begin now to implement the requirements and processes detailed in ISO/SAE 21434 with the goal of transforming their cybersecurity processes and enabling continuous supplier collaboration.

The Newsweek Expert Forum is an invitation-only network of influential leaders, experts, executives, and entrepreneurs who share their insights with our audience.
Content labeled as the Expert Forum is produced and managed by Newsweek Expert Forum, a fee based, invitation only membership community. The opinions expressed in this content do not necessarily reflect the opinion of Newsweek or the Newsweek Expert Forum.