Solving the Cybersecurity Challenge for Software-Defined Vehicles
Written by Raul Gomez / Pedro López Estepa
November 9, 2022
Often, the terms functional safety and cybersecurity are not well understood. We like to define functional safety as preventing the unacceptable risk of harm to humans in the unlikely event of a failure. Mitigating safety risks is therefore related to reducing the probability of unexpected events, as well as reducing the chance that an unexpected event propagates. This is addressed by increasing the level of rigor while designing, implementing and testing.
On the other hand, security refers to protecting your system against deliberate attacks aimed at modifying the system’s way of functioning, and cybersecurity refers to security in those cyber components that include electronics, computation and communication. As one may understand, cybersecurity can have a huge impact on safety. Moreover, a cybersecurity incident can also impact financial, operational and privacy domains.
For years, cybersecurity incidents have been on the rise. Recent studies show that the number of publicly reported cyber incidents increases by more than 50% year over year. And while a large portion of these incidents are being shared by both public and private research institutions and attributed to “white hat hackers,” about half of all recent cyber attacks were perpetrated by malicious organizations. As one may speculate, these cybersecurity incidents have driven an entire set of standardization and regulatory efforts worldwide to address the issue.
Among the different efforts to regulate cybersecurity in the automotive market, the UNECE WP 29 R155 regulation has been gaining key importance in the industry. Both OEMs and EV startups will have to comply with it in order to operate in any of the countries that are shown in blue in Figure 1. UNECE WP 29 R155 describes what a vehicle manufacturer has to do to mitigate cybersecurity risks throughout the life cycle of a vehicle (design and development, production and post-production).
UNECE WP 29 R155 took effect in July 2022 for new production vehicles, and will apply to any vehicle after July 2024.
In parallel to UNECE WP 29 R155, the ISO/SAE 21434 standard describes how to mitigate cybersecurity risks throughout the vehicle life cycle. This standard puts most of its emphasis on securing the supply chain. The cybersecurity community understands that a system is only as secure as its weakest link, and cars are no exception to this rule. A holistic approach to cybersecurity is a must, where high-level security concepts are propagated as security requirements for each and every subcomponent of a vehicle. Suppliers and manufacturers are expected to work together to ensure that there is no weak link.
The ISO/SAE 21434 standard focuses mainly on processes, such as:
- How to deal with cybersecurity at a corporate level: Processes to be implemented at a corporate level to ensure cyber hygiene and cybersecurity best practices
- How to build the product: Processes during design and development stages to minimize cybersecurity risks. This includes the definition of security requirements and security testing
- How to deliver the product: Processes to ensure that cybersecurity is taken into consideration when negotiating between customers and suppliers. This includes processes to ensure that a security concept is propagated as cybersecurity requirements down to the different components (this is often referred to as the TARA), and processes to assign cybersecurity roles and responsibilities when integrating and contextualizing the product
Who can help you navigate the transition towards vehicle communication with cybersecurity and functional safety capabilities? At RTI, we understand the importance of developing the foundational components of the software-defined vehicle by focusing on safety and cybersecurity needs at the core, paired with a strong ecosystem for industry support.
RTI Connext Drive® is the first automotive-grade, safety-certified data-centric communications framework for next-generation vehicles. Built on the Data Distribution Service (DDS™) standard, Connext Drive delivers the automotive software components, development tools and runtime applications to accelerate the development and deployment of autonomous vehicles, including safety and cybersecurity designs.
RTI is part of the major automotive ecosystem, working closely with many of the leading suppliers. RTI is also active in many of the leading consortia such as AUTOSAR, AVCC, ROS and SOAFEE to help solve critical obstacles to accelerating safety and cybersecurity requirements.
Software-defined vehicles represent the automotive future. However, without a clear safety and cybersecurity strategy, the chances of failure increase exponentially. In this uncharted territory, OEMs have come to rely on experienced suppliers and cohesive ecosystems for guidance and best practice approaches to mitigating risk.
More to come!
About the authors
Pedro López Estepa is Director of Automotive for RTI. In this position he manages RTI’s global automotive business. Pedro has over 10 years of market strategy and engineering experience, working extensively within the global automotive industry. Pedro holds an MSc in Telecommunications Engineering from the University of Granada and an International Master of Business Administration degree from the Politecnico di Milano. He is based in Granada, Spain.
Raul Gomez Cid Fuentes is the Group Product Manager of RTI Connext Secure. Raul has developed his entire career in the IoT space, working as a researcher, architect and product manager. In the last 4 years, he has focused his activity on security for IoT and autonomous systems. He holds a PhD in Electrical Engineering and an MSc in Electrical and Computer Engineering from the Polytechnical University of Catalunya. Raul is based in Granada, Spain.