Today’s connected vehicles mean that cyber threats are a part of everyday life. And now the regulatory aspects are about to catch up with reality. Soon, every car rolling off the production line will have to meet new cyber security requirements if it is to be sold globally.
“The entire industry is working frantically, essentially against the clock,” says Tomas Bodeklint, a research and business developer at RISE.
It all boils down to the new requirements for type-approval in compliance with regulation UNECE R155. The regulation is already in use to some extent but comes into force in its entirety on 1 July 2024.
Tomas Bodeklint sees the new regulation as part of a more overarching trend in global efforts to counter cyber threats. In recent years, the EU in particular has begun regulating data protection, AI use, cyber security and more.
“Previously, responsibility has been left to the manufacturers within the industry to make secure systems. Now, however, it’s considered sufficiently important to ensuring a functioning society to take it to the next level.”
A good grasp of all cyber security processes
In concrete terms, a cyber security management system, or CSMS for short, needs to be put in place. As a manufacturer, a CSMS provides you with an overview of all cyber security processes within your company as well as inside the vehicle.
“From the early design processes to develop a new vehicle and the necessary software, through the entire service life of the vehicle, to its decommissioning or scrapping,” says Bodeklint.
The regulation also includes requirements for forensic capabilities, a bit like the equivalent to the black boxes found in aircraft. The vehicle’s systems shall be able to detect and log cyber attacks, manage them, timestamp them … and it shall be possible to analyse all of this after the event.
“It’s a cat-and-mouse game between the people building the systems and the people trying to hack them. And, on occasion, the hackers exhibit exceptional ingenuity. What we often see in major attacks is the use of a back door, gaining access via a software component that a single firm delivers to multiple companies, resulting in very many end users being affected.”
New cyber threat regulation unknown territory for manufacturers and subcontractors
Since the regulation is new with relatively broadly formulated requirements, manufacturers and subcontractors are facing quite a bit of unknown territory. The industry is used to setting requirements, but how should you document, say, a subcontractor delivering a technology device based on various software packages from multiple sources?
Nothing is given.
Proof, not just a declaration, is needed to meet the requirements. This demands the testing and validation of individual components, systems of components and entire vehicles.
“All manufacturers are working frantically with this. We’re just one-and-a-half years away from the introduction and the vehicles due to be launched in 2024 are already being planned and designed. If you haven’t resolved these matters by then, you won’t be allowed to sell the vehicles. The industry really is up against the wall.”
Bodeklint says that the way forward usually involves a standard that has already been developed. As is the case here, too, in the shape of ISO 21434, which aims to protect a vehicle from cyber attacks throughout its service life. One hope is that setting requirements in line with this standard will also meet the requirements of the regulation.
Getting all this in place will be a learning process for manufacturers and authorities alike
ISO standard still a learning process
“It describes in a little more detail what you need to do to get your systems in order. However, some of it is recently developed and doesn’t specify exactly what a vehicle manufacturer needs to test,” says Bodeklint, who has noted that many companies are now engaging certification bodies for pre-certification of compliance with the coming regulation.
“It’s all a bit of a dress rehearsal, a bit of dry run. Getting all this in place will be a learning process for manufacturers and authorities alike,” he says, comparing the situation to a trial that is yet to determine how convincing the evidence needs to be.
New cyber security educational programme
One major issue in the field of cyber security is the general lack of expertise. Here and now, RISE can help out with testing and validation, Bodeklint explains. In the longer term, he is pinning a lot of hope on Cybercampus Sweden, which RISE is involved in starting up together with the KTH Royal Institute of Technology and the Swedish Armed Forces.
“Among other things, they’ll offer a master’s programme with a focus on cyber security to provide more graduate engineers with cutting-edge expertise.”