From Regulation to Road: Managing Cybersecurity Risks in Modern Vehicles

An Abstract

The rapid evolution of software-defined vehicles and connected systems has significantly increased the scope of the attack surface, which exposes vehicles to new cybersecurity vulnerabilities. To mitigate these risks, dedicated cybersecurity standards and regulations have been formed by the automotive regulatory bodies. These establish structured approaches for threat analysis, risk management, and secure vehicle lifecycle processes. In this article, vehicle security standards, regulations, and their importance are presented. The implementation of a Cybersecurity Management System (CSMS) across the complete vehicle life cycle to achieve compliance with the standards and regulations has been outlined. Furthermore, a case study to achieve compliance with ISO 21434 has also been presented.

An Overview

Today, to enhance the vehicle system performance, user comfort, functionality, and vehicle quality, the evolution in the automotive industry with the integration of many advanced technologies has resulted in an increase in the number of Electronic Control Units (ECUs). These ECUs offer advanced connected-vehicle features, which include smartphone integration, over-the-air (OTA) updates, Cloud services, and other connected devices, as well as Advanced Driver Assistance Systems (ADAS), EV charging, telematics, and infotainment. These features also increase the scope of the cybersecurity attack surface of a vehicle.

Due to this, there is a need for applicable cybersecurity regulations and standards compliance. The International Organization of Standardization (ISO) and Society of Automotive Engineers (SAE) form the ISO/SAE 21434 standard [1]. The United Nations (UN) Regulation 155 (Cybersecurity Management System: CSMS) [2] and UN Regulation 156 (Software Update Management System: SUMS) [3] have been derived by the United Nations Economic Commission for Europe (UNECE) to ensure authenticated diagnostics, secure software updates, secure communication, robust key management, and continuous cybersecurity risk management across the vehicle product lifecycle. India has drafted its own version of Automotive Industry Standard (AIS) 189[4] and AIS 190[5], meant to ensure compliance and security for Indian road vehicles.

The major contributions to this article are outlined below:

• The automotive cybersecurity standards and regulations, such as ISO/SAE 21434, UN R155, UN R156, AIS 189, and AIS 190 have been analyzed thoroughly.
• The article outlines the integration of ISO/SAE 21434 clauses within the V-model development process.
• It provides a road map for achieving compliance with ISO/SAE 21434.
• A comparative analysis between the ISO/SAE 21434, UN R155, UN R156, AIS 189, and AIS 190 is included.
• A case study on achieving compliance with ISO/SAE 21434 has also been presented.

ISO/SAE 21434 Standard

This section analyzes the ISO/SAE 21434 structure and integration of clauses into a V-model development cycle.

A. ISO/SAE 21434 Structure

ISO/SAE 21434 provides a structure to manage cybersecurity throughout the vehicle product lifecycle; it is an integral element from conception to decommissioning. The standard is classified into 15 different clauses. Clauses 1 to 5 deal with the generic and project-specific requirements. Clauses 6 to 15 describe the concept requirements, development, verification, and validation to the end-of-life and decommissioning phases. The clauses and their short descriptions are illustrated in Fig. 1.

B. Cybersecurity Product Lifecycle in V-Model

ISO/SAE 21434 is aligned with the V-model development lifecycle, integrating cybersecurity activities across all phases of the system development and validation, which has been represented in Fig. 2. In the V-cycle, the left side contains the concept phase, the mid-section refers to development tasks, and the right side focuses on the verification and validation processes.

Compliance with ISO/SAE 21434

The guidelines to achieve compliance with ISO/SAE 21434 need to be followed across the product lifecycle, as illustrated by the roadmap in Fig.3.

A Comparative Analysis Between the Standards and Regulations

To design and develop a vehicle security system, ISO/SAE 21434 offers technical guidance that ensures that the security practices are followed during the vehicle development process. The regulatory requirements UN R155 and UN R156 defined by UNECE make it mandatory to follow even before manufacturing, and to get a Type Approval from the respective authority. Similarly, for the Indian market, the Automotive Research Association of India (ARAI) formed national standards such as AIS 189 and AIS 190 in a draft version. Table 1 focuses on the key comparison between the ISO/SAE 21434 and the UN Regulations.

Table 1. ISO Standard vs UN Regulations

Table 2 describes the differences and similarities between the UN R155 and AIS 189, both of which consider the CSMS. Similarly, Table 3 points out the differences and similarities between the UN R156 and AIS 190, which focus on the SUMS.

Table 2 Comparison: UN R155 and AIS 189

a. Classification of vehicle types according to UNECE standards [6]

Table 3 Comparison: UN R156 and AIS 190

b. Classification of vehicle types according to UNECE standards [6]

ISO/SAE 21434: A Case Study 

eInfochips achieved compliance for a High Voltage DC-DC Converter (HVDC-DC) ECU by incorporating the documentation requirements from ISO/SAE 21434 and ensuring that the cybersecurity considerations were evaluated at every phase of the product lifecycle. TARA at the ECU level has been derived based on the standard process. From security controls development to verification and validations, the processes were followed as per the standard. Moreover, to mitigate implementation-level security vulnerabilities, software robustness was enhanced through static and dynamic analysis by using the LDRA tool. These analyses are compliant with MISRA C/C+ and CERT C coding standards. The team ensured that all cybersecurity work products are baselined after verifying the fully documented work products with a checklist. By consistently applying cybersecurity best practices during each phase of the VDC-DC ECU product cycle, eInfochips has efficiently met the compliance requirements of ISO/SAE 21434.

Conclusion & Future Work

ISO/SAE 21434 plays a substantial role in the cybersecurity management of Electrical & Electronics (E/E) systems in the vehicle’s life cycle. The regulations UN R155 and R156 create the requirements for CSMS and SUMS, which the stakeholders and vehicle manufacturers have to follow. The secure software update, ISO 24089 [7], is combined with UN R156. Compliance with these global standards helps to ensure vehicle system security by preventing potential vulnerabilities. To ensure vehicle security, eInfochips has followed the best practices for cybersecurity compliance requirements of  ISO/SAE 21434.

Since vehicle technologies are continuously evolving and new risks appear, despite the established standards,s there is scope for future updates. For the Indian markets, vehicles need to be compliant with the Automotive Industry Standards (AIS) based on the release. The trending and new technologies, such as EVs, advanced charging solutions, hydrogen fuel cells, and smartconnectivityt,y are major challenges in cybersecurity solutions.

References

• ISO/SAE 21434:2021, Road vehicles – Cybersecurity engineering, International Organization for Standardization (ISO) and SAE International, 2021.
• United Nations Economic Commission for Europe (UNECE), UN Regulation No. 155: Uniform provisions concerning the approval of vehiclewith regardds to cybersecurity and cybersecurity management system, 2021.
• United Nations Economic Commission for Europe (UNECE), UN Regulation No. 156: Uniform provisions concerning the approval of vehicles with regard to software update processes and software update management system, 2021.
• Automotive Research Association of India (ARAI), AIS 189: Automotive Industry Standard for Vehicle Cybersecurity Management System (CSMS), Ministry of Surface Transport (MoST), Government of India, 2022.
• Automotive Research Association of India (ARAI), AIS 190: Automotive Industry Standard for Software Update Management System (SUMS) in vehicles, Ministry of Surface Transport (MoST), Government of India, 2022.
• United Nations Economic Commission for Europe, Consolidated Resolution on the Construction of Vehicles (R.E.3), Rev.6, UNECE, 2017
• ISO 24089:2023, Road Vehicles – Software Update Engineering, International Organization of Standardization (ISO), 2023.

Dr. Prabhat Kumar Panda is a Member of Technical Staff at eInfochips (An Arrow Company). He is a cybersecurity professional specializing in automotive and IoT security, with over 18 years of experience across industry, research, and academia. He currently leads automotive cybersecurity initiatives across the end-to-end product life cycle, driving secure design, development, verification, and validation of vehicle systems, while ensuring compliance with the ISO/SAE 21434 standard. He holds a Ph.D in Wireless Network Security from Jadavpur University, Kolkata, India, and is certified in the ISO/SAE 21434 standard. He actively mentors engineers, contributes to cybersecurity research, and authors articles on emerging security challenges. He has published around 20 conference and journal papers, and has patents in national and international forums.

LinkedIn: Dr. Prabhat Kumar Panda | LinkedIn