Cybersecurity in automotive - who can help you secure your business

Posted: 2023-04-19
Written by: Krzysztof Labuda

It may seem odd to those without much experience in the automotive industry that international bodies like the UN Economic Commission for Europe influence car companies’ market and safety regulations.

Here I am referring to two guidelines already known from our blog and labelled R155 and R156. My role as a Certified Ethical Hacker is to facilitate companies’ compliance with these regulations. So, today I’ll share a few pointers as to who can support your business in adapting to these regulations.


R155/R156 and automotive IT security

Regulation R155 introduces mandatory changes for automotive manufacturers. Every part of the supply chain is affected, and the requirements emphasize cybersecurity and the effort required to achieve it. Cybersecurity is not a commodity you walk into a store and buy by the piece; it is usually (though not exclusively) the product of a well-run machine: a process that is not caught off guard.

Even the word "process" can come across as a bit misleading, since these activities require a substantial amount of work. The trick is to approach them from an industry perspective, lege artis. A telling fact about the regulation is that the organizations subject to it have until the end of 2023 to implement it, which in practice means starting today, if not yesterday.


Relationship between R155 and ISO/SAE 21434:2021 and R156 and ISO 24089:2023

There is a strong connection between the R155 regulation and the ISO/SAE 21434:2021 standard mentioned above. As the standard specifies, cybersecurity is required for the electrical and electronic systems in vehicles; yet no specific technology is outlined, nor are detailed cybersecurity solutions for automotive prescribed.

ISO/SAE 21434:2021 does, however, provide guidance on how to implement, both at the organizational and at the project level, a cybersecurity management system, policies for addressing vehicle safety concerns, and continuous activities that demonstrate the effort being put into ensuring IT security.

Such activities could include a cybersecurity incident response protocol or a market-proven secure software development approach. ISO/SAE 21434 does not address automotive cybersecurity as a whole; rather, it concentrates on securing the computer systems inside vehicles, with a clear focus on managing cyber risks.

Regulation R156, on the other hand, elaborates on issues related to the vehicles themselves (e.g., homologation) and, more specifically, their software, formulating requirements for software updates and update management. Regulation R156 is addressed by the ISO 24089:2023 standard.

Who, and what competencies, do you need to ensure cybersecurity in automotive?

It’s not shocking to say that today’s car is more like a moving computer than a gasoline-powered vehicle. What competencies do you need in your team to handle cybersecurity in the automotive industry?

It is worth noting that the engineering department itself, which develops vehicle systems, is a rather specialized area; its scope includes proficiency in safety-critical systems, so knowledge of microcontrollers and assembly-language implementations is absolutely vital.

  • Security researchers – With the abundance of exotic protocols such as CAN, LIN and FlexRay in modern automotive systems, there is high demand for specialists who can perform controlled degradation of these systems, so security researchers may prove indispensable in many organizations. In today’s cars you won’t find any shortage of Bluetooth, 802.11 or GPS/GLONASS/Galileo modules. Unfortunately, along with extending the car’s functional capabilities and adding conveniences, these also expose it to a range of communication risks. It has been documented that controlling a vehicle remotely has been possible for at least eight years, and statements can be found in automotive magazines or on the internet that this is possible for all vehicles made after 2005. Taking control of the car opens up possibilities for stopping it, manipulating its comfort systems or safety-critical software, or violating privacy, since the attacker has access to GPS data.
  • Experienced engineers with threat modeling and risk identification skills – identifying these risks accurately and assigning them appropriate, independently determined and authoritative risk levels is crucial to securing products. Specialists working on cryptography-based security are also worth mentioning. They may also obfuscate code to make reverse engineering harder and to ensure an appropriate level of confidentiality for transmitted data.
  • Pentesters, i.e. those who carry out penetration tests on systems (such as fuzzing) or who assess cryptographic security measures or the Wi-Fi and Bluetooth modules.
  • Auditors whose knowledge of the regulations allows them to test your processes thoroughly and meticulously, and who know where to look for weaknesses in your operations. Given their role, they act as the oracle that confirms compliance with the standard’s guidelines after reviewing your processes, procedures, documentation, and interviews. If the assessment is negative, you will suffer the consequences whether you like it or not.
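A worked example of the risk rating the threat-modeling bullet refers to, and of the risk-management focus of ISO/SAE 21434 described earlier: this is an added illustration written for this article, not code from the author or from any standard body. It follows the standard's vocabulary (a damage scenario rated per impact category: safety, financial, operational, privacy; an attack path rated by attack-potential factors; a risk value from 1 to 5; treatment by avoiding, reducing, sharing or retaining), but the factor scores, the risk matrix, the "worst category wins" aggregation and the treatment thresholds are simplified assumptions for the example, not a transcription of the standard's tables. The two scenarios at the bottom are constructed inputs, not findings about any real vehicle.

```python
"""TARA-style risk rating in the spirit of ISO/SAE 21434 (illustrative example).

Assumption: the factor scores, risk matrix and treatment thresholds below are
simplified for this example, not a transcription of the standard's tables.
"""
from dataclasses import dataclass
from typing import Dict

IMPACT_LEVELS = ("negligible", "moderate", "major", "severe")  # low -> high
FEASIBILITY_LEVELS = ("very low", "low", "medium", "high")     # low -> high

# Attack-potential factors (assumed scores); a higher total = harder attack path.
ATTACK_POTENTIAL = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "window": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9},
}

# Risk matrix (assumed): row = overall impact, columns follow FEASIBILITY_LEVELS,
# cell = risk value from 1 (lowest) to 5 (highest).
RISK_MATRIX = {
    "negligible": (1, 1, 1, 1),
    "moderate": (1, 2, 2, 3),
    "major": (1, 2, 3, 4),
    "severe": (2, 3, 4, 5),
}


@dataclass
class DamageScenario:
    name: str
    impact: Dict[str, str]       # category (safety/financial/operational/privacy) -> level
    attack_path: Dict[str, str]  # attack-potential factor -> chosen value


def attack_feasibility(attack_path: Dict[str, str]) -> str:
    """Sum the attack-potential factors and map the total to a feasibility level."""
    missing = set(ATTACK_POTENTIAL) - set(attack_path)
    if missing:
        raise ValueError(f"attack path not fully rated: {sorted(missing)}")
    score = sum(ATTACK_POTENTIAL[f][v] for f, v in attack_path.items())
    if score >= 25:
        return "very low"
    if score >= 20:
        return "low"
    if score >= 14:
        return "medium"
    return "high"


def overall_impact(impact: Dict[str, str]) -> str:
    """Aggregate per-category ratings by taking the worst one (assumed rule)."""
    return max(impact.values(), key=IMPACT_LEVELS.index)


def risk_value(impact_level: str, feasibility: str) -> int:
    return RISK_MATRIX[impact_level][FEASIBILITY_LEVELS.index(feasibility)]


def treatment(risk: int) -> str:
    """Map a risk value to a treatment option (assumed policy thresholds)."""
    if risk == 5:
        return "avoid or reduce"
    if risk >= 3:
        return "reduce"
    if risk == 2:
        return "reduce or share"
    return "retain"


def assess(scenario: DamageScenario) -> dict:
    """Full rating for one scenario: every input level stays traceable in the result."""
    impact = overall_impact(scenario.impact)
    feasibility = attack_feasibility(scenario.attack_path)
    risk = risk_value(impact, feasibility)
    return {"scenario": scenario.name, "impact": impact, "feasibility": feasibility,
            "risk": risk, "treatment": treatment(risk)}


# Constructed sample scenarios for the demo; not findings about any real vehicle.
SAMPLE_SCENARIOS = [
    DamageScenario("unauthorised brake actuation via telematics unit",
                   {"safety": "severe", "financial": "major", "operational": "major", "privacy": "negligible"},
                   {"elapsed_time": "<=1 month", "expertise": "expert", "knowledge": "confidential",
                    "window": "unlimited", "equipment": "specialised"}),
    DamageScenario("vehicle location disclosed from an unprotected GPS log",
                   {"safety": "negligible", "financial": "negligible", "operational": "negligible", "privacy": "moderate"},
                   {"elapsed_time": "<=1 month", "expertise": "proficient", "knowledge": "restricted",
                    "window": "easy", "equipment": "specialised"}),
]

if __name__ == "__main__":
    for s in SAMPLE_SCENARIOS:
        print(assess(s))
```

Running the module prints the rating for the two constructed scenarios. The design point is that the rating is reproducible and reviewable: every level the assessor assigns is an explicit input, so an auditor reviewing the documentation can trace a risk value and its treatment decision back to the ratings rather than to an engineer's intuition.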

It can be dizzying to keep track of all these roles and needs, especially as the IT market is experiencing staff shortages. Dealing with cybersecurity in the automotive industry is not easy, but taking care of it sooner rather than later is worth the effort. Neglect will have severe consequences and will be far more costly to fix than preparing your organization for the upcoming R155 and R156 regulations with an experienced team.

Companies that develop automotive systems face a rather mundane problem: a shortage of skilled professionals knowledgeable about both cybersecurity and the industry itself. If your organization is also facing a dearth of engineers, use a technology partner with experience in automotive cybersecurity solutions and get in touch.

Written by: Krzysztof Labuda,
Security Test Consultant

A participant in the Certified Ethical Hacker (CEH v11) program, which teaches the latest commercial-grade hacking tools, techniques, and methodologies used by hackers and information security professionals.
