4 April, 2022 Webmaster

How Current Regulation and Standardization Impact Automotive Cybersecurity

In Track E, Cybersecurity & Connectivity, on May 18th at VECS 2022, we will have the pleasure of listening to a keynote from Dr. Markus Tschersich, Head of Security & Privacy Research & Governance at Continental. In this role he is a member of the German delegation of ISO TC22/SC32/WG11, which was in charge of the work on ISO/SAE 21434 Cybersecurity Engineering. In the regulatory environment, he is the CLEPA delegate in the UN Task Force on Cybersecurity/OTA issues, and he is piloting the CLEPA Taskforce on Cybersecurity. We got the opportunity to ask Dr. Tschersich a few questions before the event, and he was kind enough to share his insights and give us a teaser of his presentation.

Can you please tell us about your presentation at VECS?
With the UN Regulation No. 155 and the ISO/SAE 21434 standard, the topic of Automotive Cybersecurity has now reached a high relevance in the Automotive Industry. In the middle of this year, the regulation will be enforced for new and upcoming vehicle types as a prerequisite to get type approval granted. This is also related to a certification along the whole value-chain. Nevertheless, this is only the start of a longer journey of Automotive Cybersecurity. Expectations from society, politics and customers on each organization on handling Automotive Cybersecurity will further increase. Therefore, hurdles to jump over will get higher and higher.

The target of this talk is therefore to show which regulatory challenges we, as the Automotive industry, will be confronted with globally and in specific markets. Further, I will also highlight some technical developments that will define future Automotive from a Cybersecurity perspective.

Which Cybersecurity regulations are having an impact on the automotive industry?
First of all, there is of course the UN Regulation No. 155 and the national implementation in the EU by the General Safety Regulation. In addition to that, we also have other markets' national implementations. But in China, for example, they are building upon the UN Regulation and adapting it to a national regulation with more intense technical requirements. Further, the EU is also working on horizontal regulations that will also affect the Automotive Industry.

How will that affect the car manufacturers?
The UN Regulation No. 155 is directly placing requirements on the car manufacturers. It will be similar to national adaptations like in China. Nevertheless, this will always impact the whole value-chain, as Cybersecurity challenges cannot be solved by one organization solely.

What are the challenges working with standardization in Cybersecurity?
Cybersecurity is not new in the world of standardization if you keep the ISO/IEC 27001 and related standards in mind. Hence, those standards are mainly focusing on IT Security aspects. Therefore, for Automotive we further have to consider the aspects of E/E and the high value of Safety. This was also the main intention to work on the ISO/SAE 21434.

What differentiates standardization work in Europe compared to Asia, for example?
The current standardization is a global activity also considering Asia and the Americas. Hence, China has a longer history in adapting standards to their national needs. Hence, so far, the Chinese adaptation of the ISO/SAE 21434 seems to not deviate much from the international version.

What can the automotive industry learn from other industries when it comes to Cybersecurity?
IT Security has a much longer history when it comes to Cybersecurity. In general, the methods, technologies and skills are not deviating so much. Nevertheless, Automotive Cybersecurity does not have the Information so much in focus. It is more looking in the direction of Safety, where real-time communication and the availability of signals are much more important.

Looking ahead, what are the main challenges within Cybersecurity in the next years?
The recent standardization focused quite a lot on organizational aspects. That is very important and a solid baseline. But we see a trend that regulation and standardization want to focus more on the technology side. That is understandable and not wrong. Nevertheless, it has to be taken care that the product portfolio in Automotive is too diverse to handle different vehicle architectures and different supplying systems in the same way. We have to take care to standardize where it makes sense to enrich the overall resilience of a product and to make decisions along the value-chain better and more efficient. But we should not block the innovation potential in some areas by limiting the scope of products too much based on too detailed standards and certification schemes.