ISO/SAE 21434 & UNECE WP.29 R155/R156: The Future of Automotive Cybersecurity
Everything started a week ago, a beautiful job post that come to my attention and I set my eyes on it. Basically, the job was cybersecurity-related. I can finally change my career path, almost no experience was required, was a management position and all about Regulations and standards…
I remember telling myself “I should get this job”. At the end of the day, it is just a liaison position between stakeholders, management, and the IT department. One significant requirement listed stood out:
you have to be knowledgeable about ISO/SAE 21434 & UNECE WP.29 R155/R156… *crickets*
Working in multiple Internet Service Providers in my country I am experienced with ISO/IEC 27001. Due to the international projects, I’m also slightly familiar with the BSI Kritis Regulation, but never heard of ISO/SAE 21434 & UNECE WP.29 R155/R156. Online resources are extremely limited, two or three companies may be selling services related to this (OTA servers, etc.) So I asked some of my friends they also end up with what I ended up with Google.
In this post, you can find the summary of all the information that I dorked to learn “What these standards are”. I didn’t find this information before the job interview. So, did I get the job? I will answer that at the end of the post :)
It should be pretty obvious that the automotive industry is becoming more connected, with smart vehicles containing more and more software. This connectivity brings new cybersecurity risks. I believe that is called “new attack surface”, as vehicles become more vulnerable to attack by bad actors.
In response to these potential risks, the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) have developed the ISO/SAE 21434 standard for automotive cybersecurity. Apparently, this standard provides guidance on how to manage cybersecurity risks throughout the smart vehicle lifecycle, from design to production to operation.
Meanwhile, the United Nations Economic Commission for Europe (UNECE) has also adopted two new regulations for automotive cybersecurity: UNECE WP.29 R155 and R156. These regulations require automotive manufacturers to implement a certified cybersecurity management system (CSMS) as a prerequisite for vehicle type approval. So no CSMS, no approval! ¯\_(ツ)_/¯
By following these standards, manufacturers are able to demonstrate that they have taken the necessary steps to mitigate cybersecurity risks and protect their customers. However, is this really the case? I should ask this question to the pros in Car Hacking Village at DEFCON if I ever going to be able to visit them. Seems it is a beautiful place to talk about these things with talented people who already know more than me.
After all during Black Hat USA 2015, Chirs Valasek and Charlie Miller demonstrate and explain how to hack the Jeep Cherokee’s WLAN remotely.
That was pretty scary, and an eye-opener for everyone. Even though this demo happened way before these standards come to publication, some may say this was a significant wake-up call for many manufacturers. Automotive cybersecurity risks still exist.
Well, at this point it is better to comply with these standards to reduce that risk.
Let’s take a look at the benefits of complying with ISO/SAE 21434 and UNECE WP.29 R155/R156 :
- Improved operational efficiency: A well-implemented cybersecurity management system can help to improve operational efficiency by reducing the likelihood of downtime and data loss.
- Improved safety features: Well-implemented safety features prevent unauthorized access to the vehicle’s braking system or engine control unit or steering wheel.
- Increased customer confidence: Customers will think the manufacturer has taken the necessary steps to protect their vehicles from cyberattacks. They will feel safer in your cars.
- Positive brand reputation: Customers will think of the manufacturer’s brand reputation as a leader in automotive cybersecurity.
- Prevention of accidents: Some cyberattacks are dangerous, and manufacturers can help to prevent accidents. This can save lives and reduce property damage.
- Reduced risk of liability: Manufacturers can reduce their liability risk in the event of a cyberattack.
Ok, Benefits are good but What’s Next?
There are several steps that automotive manufacturers can take to achieve compliance with ISO/SAE 21434 and UNECE R155/R156.:
- Double-check the current cybersecurity posture of the organization.
- Develop and Implement a cybersecurity management plan.
- Hiring an infosec professional who has specific knowledge of automotive cybersecurity is mandatory under R155
- Monitor and improve the cybersecurity management system.
- OTA-specific regulation: you must have a roll-back option in case of a broken software update.
At this point (2023) cybersecurity is no longer an afterthought, especially for automotive manufacturers. In order to protect their vehicles from cyberattacks, they must comply with the latest standards.
If you are an organization that manufactures or sells vehicles, it is important to start planning for the implementation of UNECE WP.29 R155/R156 and ISO/SAE 21434.
If you are a person who works or planning to work in the Information Security field, it is still a good idea to dig for more information into these new standards, as there is not a large amount of public source information, which I mentioned at the beginning. I, and others, found very little using standard search tools. There are fun parts I believe for pen-testers, especially with interest in OTA Campaign management, rollback solutions, and in-car flashing.
In my case, trying to summarize everything in this post helped me learn better, I hope you get intrigued by it and look deeper for yourself.
Uh-Oh! The Job application, I totally forgot that;
