On July 6, 2022, UN R155 entered into force in Europe. And exactly one year
ago, the first edition of the standard ISO/SAE 21434 was published. These were
landmarks for the automotive industry, accelerating the shift from
security-through-obscurity to security-by-design.
This is terrific news for consumers because it offers a high degree of
confidence that hackers won’t be able to wreak havoc on their increasingly
connected cars. However, for the auto industry it presents massive challenges,
not the least of which is meeting the mandated tight deadlines.
In this blog, I’ll recap the history of R155 and ISO/SAE 21434 and explain how
NXP managed to achieve compliance with the standard soon after it was
published. In a second part, I’ll delve into some of the challenges faced by
the industry as it begins to apply the requirements in the development of new
vehicles and their components.
What is vehicle type approval?
Europe, like many other regions, follows a system of type approval for
vehicles. This means that a vehicle can only be registered with the local
authorities for use on public roads after it successfully passes
compliance tests carried out by designated testing bodies and laboratories
(‘technical services’). Since July 6 of this year, these tests also
assess compliance with the new cybersecurity regulation UN R155, making
cybersecurity a mandatory requirement for new vehicle types.
The ISO/SAE 21434 standard provides clear security requirements for vehicles
and their components to protect them against hacks. The standard also supports
the implementation of the R155 requirements in organizations across the supply
chain. So, compliance with this standard is de-facto a requirement for
automotive suppliers like NXP.
Why was this needed?
Cars today connect over many different interfaces, including USB, CAN bus,
Wi-Fi, Bluetooth, cellular and Ethernet, and each of these attack vectors
makes a vehicle an appealing target for bad actors. These risks have grown
dramatically as hackers have become extremely proficient in finding entry
points to vehicle components and systems and exploiting them to their advantage.
To address these new challenges, parallel efforts were initiated in 2016 to
create both a new regulation, as well as an associated standard for automotive
cybersecurity. These initiatives were spearheaded by the World Forum for
Harmonization of Vehicle Regulations (UNECE WP.29), the auto industry, the
Society of Automotive Engineers (SAE) and the International Organization for
Standardization (ISO). UN R155 and ISO/SAE 21434 are the results of those
efforts.
The two are different, so it’s important to explain how they work together. UN
R155 is a regulation, a binding directive that must be followed to obtain type
approval and, with that, market access in the more than 60 countries that are
in the process of adopting it.
In contrast, ISO/SAE 21434 is a standard created by SAE and ISO. Initially,
both groups worked separately on security standards but ultimately joined
forces and collaborated with automakers, component and system suppliers,
cybersecurity vendors, governing organizations and more than 100 experts from
more than 82 companies in 16 countries. The standard supports the
implementation of the R155 requirements in organizations across the supply
chain. Hence, UN R155 and ISO/SAE 21434 are complementary and together they
prescribe the requirements for cybersecurity in future vehicles.
What are the new requirements?
ISO/SAE 21434 establishes cybersecurity engineering baselines for connected
vehicles and addresses the engineering of electrical and electronic systems.
The standard lays out clear organizational and procedural requirements
throughout the entire vehicle lifecycle, from concept and development to
production, operations, maintenance and decommissioning.
It calls for effective methods for fostering a cybersecurity culture,
including cybersecurity awareness management, competence management and
continuous improvement, as well as close collaboration throughout the supply
chain. It also specifies a threat analysis and risk assessment (TARA)
methodology to identify and determine potential threats, feasibility and
impact.
UN R155 requires OEMs to have a certified cybersecurity management system
(CSMS) in place. A CSMS is a systematic risk-based approach defining
organizational processes and policies, responsibilities, and governance to
treat risk associated with cyber threats to vehicles and protect them from
cyber-attacks. It requires measures to be implemented for managing vehicle
cyber risks, for securing vehicles by design to mitigate risks throughout the
value chain, and for detecting and responding to security incidents.
In short, while UN R155 mandates the deployment of a CSMS, ISO/SAE 21434
explains how to implement one. Further details on the history of UN R155 and
ISO/SAE 21434 can be found in my previous blog.
What about certification?
Every comprehensive set of requirements requires a means of verification, and
for this purpose R155 mandates that the OEM’s CSMS be reassessed at least
every three years to verify that it is compliant with R155. It is a
prerequisite for achieving vehicle type approval. After a successful audit by
the approval authority or its technical service, the OEM receives a
certificate of compliance for its CSMS.
Suppliers will need to support the OEMs. R155 requires OEMs to demonstrate
that supplier-related risks are identified and managed under the CSMS. As a
result, suppliers must provide OEMs with appropriate evidence. A practical way
to do so is by achieving compliance with ISO/SAE 21434 and performing
applicable cybersecurity activities and generating applicable work products as
defined in the standard.
How NXP Achieved Compliance
Building on its expertise in security, and on its existing security and safety
certifications (Common Criteria, GSMA, IEC 62443-4-1, ISO 26262, ISO 27001,
TISAX to name a few), NXP has refined and extended its existing policies and
processes to also meet the requirements of ISO/SAE 21434. An independent third
party confirmed this compliance through an audit and certification in
mid-2022.
This did not come overnight. In fact, our efforts to achieve compliance
started in June 2019, when the "intermediate baseline of ISO/SAE 21434" became
available. Although the standard was far from being stable at that time, we
knew that the timelines of R155 would be very tight, and we anticipated that
compliance with ISO/SAE 21434 would soon become a market requirement.
With this in mind, we identified gaps and addressed them. In 2020, the first
official draft (DIS) became available and TÜV SÜD performed a pre-audit
(conformity assessment) based on it. In the months that followed, we further
tweaked our processes and policies based on the findings from this pre-audit.
The final draft was published in February 2021, after which TÜV SÜD performed
an audit. The audit was successful, and a certificate was issued only a few
days after the standard was released, verifying that NXP’s cybersecurity
engineering processes were compliant with ISO/SAE 21434. NXP was the first
semiconductor supplier to be so certified. Since then, at least one other
large automotive supplier has also been certified and other suppliers are
working hard to achieve compliance as well.
But, of course, this is only the beginning, and in the last 12 months we have
applied those certified processes in the development of new semiconductor
solutions. We’re preparing for the first re-audit in which TÜV SÜD will
inspect a few of our development projects.
A Helping Hand
As should surprise no one, achieving the goals set forth in the new
cybersecurity requirements is a massive undertaking that, when combined with
eye-watering deadlines, makes for an engineering nightmare. But companies do
not need to address this alone. In fact, the industry recognized early on that
collaboration was key to addressing common challenges related to automotive
security and in 2015 established an organization called the Automotive
Information Sharing and Analysis Center (Auto-ISAC). Members of this
industry-driven community share and analyze intelligence about emerging
cybersecurity risks to the vehicle, and collectively enhance vehicle
cybersecurity capabilities across the global automotive industry.
Between 2016 and 2019, this community developed seven best practices guides on
topics that are also covered by the standard. This, in combination with a
trusted network of peers, helps members ramp up their cybersecurity
capabilities faster than they could alone. It also helps the industry achieve
compliance with R155 and ISO/SAE 21434.
My next blog in this series will delve into some of the challenges faced by
the automotive industry as it begins to put the requirements of UN R155 and
ISO/SAE 21434 into practice. It will describe how to deal with legacy
components, customization, some of the ambiguities within the requirements and
how the semiconductor industry must deal with them. Stay tuned!