Event Recording

UNECE R 155: Security-by-Design for the Automotive Supply Chain and In-Vehicle Cybersecurity

I'm Matthias, I'm the director of the practice. I'm an analyst, I'm an advisor with KuppingerCole, an analyst since 2014. And today I want to talk about a topic that deserves much more attention, but it has not yet gained that attention. At least it did not reach me. There are certain areas that have a look at that. I want to talk about UNECE R 155, which sounds cryptic, maybe is, but I think this is something that we really need to focus on in the future. If there are any questions later, make sure that you raise them to me. I cannot collect them with my microphone running around here, so help me in completing these 30 minutes. Of course, we are saving the best for last, so have fun. And if you ask about the images that I used, all except for this one, they are created by an AI, and I had lots of fun creating these pictures, just to make sure that these are mentioned.
First of all, UNECE R 155. It is about security by design for the automotive supply chain and for in-vehicle cybersecurity. And again, we are talking about regulations; again, regulations driving innovation, driving technical catching-up with what already should be done much earlier, and vehicles and regulations. We are all driving cars. We go to the TÜV, we go to the regular inspections when it comes to having our cars checked, and this is required by regulation; we need to go there every two or four years. A car needs to have an approval for this model, for this type, somewhere. And this is something that is really nothing new. So responsible is the UNECE, the United Nations Economic Commission for Europe. They are those who issue those regulations, and they define overarching, internationally applicable regulations for components and systems.
And they do that for a very long time. They say, okay, this brake has to look like this, otherwise it doesn't work or it's just not allowed to be here. Tires, braking systems, airbags, lighting, whatever. This is nothing new. And once a vehicle manufacturer, no matter where they are, wants to sell their vehicle, their car, on a selection of markets, they go to their local country and the regulators there. And they will approve that, or will trust a third party, and they will make sure that there is a type approval for that thing that they want to use the car for: brakes, lights. This is only done once within that country. And this is then accepted mutually as an international agreement. So, for example, when Bosch does this for a light, they do that in Germany.
And this approval is accepted around the world where UNECE has the contracts available. So this is the foundation for mutual international recognition. Nothing new. Today, cars have changed. That's the first created picture. I just said "supercomputers on wheels" and this is the result. So this is the picture here. And this is true. Our cars are supercomputers on wheels, just like our iPhones and Android phones that we have in our pocket are supercomputers. And they do much more than we could ever imagine 20 years or 30 years ago. Cars are not one supercomputer. There are many supercomputers on wheels. I googled for that and I tried to find figures that can be used to demonstrate the size. So an autonomous vehicle uses the equivalent of 200 laptops to get around. Just imagine that.
And we are talking about today's laptops. So the big ones, the good ones. So this is the first aspect. The second is to understand that the vehicle is a party in a vehicle ecosystem. It's not just a car. And actually the suppliers and the manufacturers, I rephrase that a bit, should be at the forefront of actions when it comes to securing this vehicle ecosystem. This is where UNECE R 155 comes into play. A car is not just a car. First step: a car is not just a car. I still have a dumb car, a very dumb car. It's old. This is a dumb car. Modern cars have much more. So of course there is the car itself. But there's software, there are subsystems in there, individual systems from different vendors, from different suppliers. There are sensors. A good example is the battery, which has its own identity more or less, and which then talks to chargers. And all of this is for us considered to be a car. But there's more. These cars, they communicate, they talk to a network infrastructure. So the first of these nice three-character acronyms: V2N, vehicle to network. This is a communication that needs to be secured, and there is network infrastructure as part of this vehicle ecosystem. This needs to be understood as this.
Next step: the user, the user of the car. And I don't say the driver, because this is not the only user, but it is one of those. Think of the owner of a car. So this is the one who paid the bill, who owns the car, who has the document that says this is your car. Hey Matthias, this is your car.
This does not necessarily have to be the driver. There's a relationship between these two; they could even be the same person, but this could be my daughter and I'm the owner. I give permission to use that car implicitly by handing over the key, or whatever the key may be, or explicitly by allowing her to have access to the car. I think this is not too long in the future when I really can say this person needs to authenticate and then they can use the car. And that's the use case that we see later as well. Other users get a key, maybe the maintainer that just does something with the car. So the ecosystem grows, and what can they do? Lots of things. Perform a software update, charge it, all of them open the door. Maybe, I love this use case, open the trunk when Amazon delivers a package, and they can deliver to the trunk of your car without opening anything else, but they are allowed to open the trunk of the car and put the package in there. This is a great use case that I love in that context. Go faster than 90 kilometers per hour? Me, yes; my daughter, no. It's very simple. And you can think of lots of other use cases where there is access control for the car for the users. So we have an identity, we have a resource. John mentioned that, and we have mentioned that earlier. This is the policy. So we apply identity, action, resource, context.
Next thing: infrastructure.
A traffic sign, the roads, the lighting in a smart city, these are elements that can be part of the communication and part of the equation. And there we are with V2I, so vehicle to infrastructure. Next step, V2V, vehicle to vehicle. They communicate with each other, of course, or they should, either implicitly, so there's a camera detecting something that looks like a trolley, like a truck, or that looks like, I don't know, a parked car or like a pedestrian, so V2P. Again, a relationship for cars to have a look at other entities. The insurance: they want to make sure that they understand what the car does and indirectly what the driver does, or if the car is well maintained, if it has gone through all the tests that are required. And in turn, they may be in a situation to provide cheaper insurance for brave or, yeah, subordinate drivers that are willing to obey the rules imposed by the insurance. Fleet management: maybe there is no owner, maybe this is a part of a fleet. It's a rented car, it's a shared car and part of a fleet management. Then roles change again. And there will be very different tasks: to understand, to try to find out where's my car, in terms of the fleet management, not in terms of the driver, so that they understand the status of their fleet, is there maintenance required. All of this kind of stuff then is done by the fleet management.
And now to those who are very much important, and I mentioned them to the left, the manufacturers, the BMWs, the Audis, the Porsches, the Mercedes-Benzes of this world. They need to have access to their car that they produce and maybe sold or gave to a fleet management company. But they will have a relationship with that as well, and they will have to have influence on that. And indirectly the supply chain as well. So the Boschs and the Hellas of this world, they create all those building blocks that comprise the overall car. So it is not just a car. And if we think of what I'm talking about all the time, it is how to secure that, how to make sure that this component with this software, used by this manufacturer, created by this supply chain company, how this is made secure end to end. And I said this is quite a challenge, and it is quite a challenge. So there's lots of work to do here. Enter UNECE R 155, 4th of March 2021. This is revision three. It's a document that is entitled, I read it out, "Uniform provisions concerning the approval of vehicles with regards to cybersecurity and cybersecurity management system". I would add an S here: management systems. So this is the document that I'm talking about today.
It is cybersecurity applied to vehicle ecosystems, everything that we've seen before, all parts thereof, for three important questions: when, what, where. When? It is already there, it is enforced. What is it? It is a requirement that vehicle manufacturers have a security management system in place for overall cybersecurity, and that is R 155. And additionally for software updates; I ignore that for now for the rest of this presentation. But keep that in mind. It's not even the full, complete picture that I'm talking about; there is the software update as well. And it is to be applied to most on-road vehicles. Where? UNECE, that is the range where they act: EU countries, Japan, South Korea, and this is one third of all vehicles, more or less, produced in these areas. We are skipping everything that is US and South America, but this is substantial. So we add a fourth question: so what? So what means OEMs and members of the supply chain need to design and build a cybersecurity management system, a CSMS. And for those who have done ISO 27001? Yes, exactly. This is a CSMS and this is an ISMS, so very close to that. Independent third parties must verify and certify the validity of these systems, and national vehicle registration authorities expect these certifications. So the same as we've seen for the brakes in 1958, we see now for cybersecurity for the full ecosystem, at least for those OEMs and the supply chain companies.
What does that mean? I've learned a new word. I did not know "homologation"; this was new to me, but I took Wikipedia and it told me that this is a granting of approval by an official authority, and that is exactly making sure that they all speak the same language and that they understand that one approval is applicable for all of the contract countries and regions. What does that mean for manufacturers? The deployment of a cybersecurity management system, CSMS, will be mandatory with tough, tough deadlines. It needs to be designed, in place, and used and fully functional by July 2022 if they want to register new types. Looks like a showstopper here. And 2024 for all new connected vehicles. So these are tough deadlines, and yeah, let's have a look. This is very new. This is the next stop. So we apply cybersecurity to cars and the vehicle ecosystem.
What does UNECE R 155 look at? And I hate this abbreviation; they could have really found a better name. GDPR is not much better. But anyway, let's have a look at what they really want to look at. And I think that makes it more tangible, because it's important to understand that they have a bigger picture of what they look at. So this is Annex 5 of UNECE R 155. These are examples, it is not comprehensive, just examples. So they look at threats regarding back-end services related to vehicles in the field. So they leave the car, they go to the systems that the car manufacturer or somebody else provides as a service as part of the ecosystem. For example, unauthorized access of any kind to a database in a system that is on the back-end server somewhere, on premise, in the cloud, wherever. This is full cybersecurity.
The tradition of cybersecurity, this is protecting systems provided by corporations providing services to somebody. This is at least a huge chunk, a subset of cybersecurity that we usually look at. Second: threats to vehicles regarding their communication channels. So the car travels and it communicates, V2N as we've seen before. Oh, I have 10 minutes left, to speed up. So everything: man in the middle, spoofing, replay, breaking up encryption, everything like that. So everything that we know of; this is full network security and more. Threats to vehicles regarding the update procedures, I've mentioned that one: compromised updates. Threats to vehicles regarding unintended human actions facilitating a cyber attack. So actually tricking me as Matthias, being in my car, and saying there's an update required, please press that button, and I press it and I get the unwanted update. So an innocent victim is tricked into undesired actions. Threats to vehicles regarding the external connectivity. This is not the communications but the connectivity. For example, if you pass by a very strong magnet and this is interrupted and you lose control, and this is not what you want to have. So yeah, short-range wireless systems or sensors. So communication breaks. So these were the first 2, 4, 5 items. And the last one is threats to vehicle data and code, or privacy breach. This is identity and access. Yes.
Quick question: laser pointers to ruin the camera's detection?
Exactly. Yeah, that just should be in there. These are just examples. These are the wordings that are more or less reused from that. So I've been told if I use the red light, the laser pointer here, towards this camera, I'm in trouble with them. So the same is true for the car as well. Exactly. But this would be also some example of this as well. So it's not only necessarily a highly technical attack. It could be just a guy, a child, a kid running around with the laser pointer and interfering with the camera. So that's vehicle data, of course: privacy breach or identity fraud, to extract data from the car, which of course contains PII from the people that we've seen before in the picture. And now finally, what I wanted to mention as well: potential vulnerabilities that could be exploited if not sufficiently protected or hardened. So this is everything else. Status quo, reality check. Why am I talking all the time? What does this mean? First of all, computer on wheels, I love it. Cybersecurity on an organizational level is required. It's organizational level. It's not the car; the car is, yeah, collateral. Well-defined processes, well-defined responsibilities, well-defined controls and measures for the car manufacturers and for the full supply chain ecosystem. If you look at the picture before, it's this, this, and this, and forget the charger.
So this is what we're talking about. They need to act, and they need to act right now. Where are we right now? Broken computer on the street. A broken old-time computer on the street, sorry. There has been a survey conducted among OEMs and suppliers. It has been done by PricewaterhouseCoopers, and due credit is given; it's called "Pedal to the Metal: How to Navigate the Way to Automotive Cybersecurity", issued in May this year. The OEMs, the car manufacturers, have been asked: yes, yes, yes, we have a CSMS. Now, while they have designed the CSMS, most are not operational. Maybe that has changed; we're in November.
At least two thirds had their CSMS design audited. But that was the status quo. Remember, 2020 was the
And then we have a different picture when estimating whether competitors have a CSMS. So if they talk about the others, the picture changes, the business. So only two fifths of OEMs have anything, and one quarter of the suppliers. So that is the notion within the market. I may be wrong, these are the figures as published, but this is what we need: we need a call to action. So enter the cybersecurity management system. I don't read it out in full because of time, five minutes left. But nevertheless, computer keyboard on wheels. It's the foundation for automotive cybersecurity. We need to understand this is something that is really new and it's challenging, but for me as a driver of a car, why is it not yet there? That's the question.
So it defines a uniform standard, more effective management of digital threats in the automotive industry as a whole. And this is maybe one of the most important parts: it moves cybersecurity from the individual features, looking at the brake, looking at the steering wheel, to the project and organizational level. A project would then be creating a new model of car. Not specific programs, but the procedural framework. But that does not mean that they do not go into specific systems or programs. That is part of it. They need to drive or dive deeper there. It goes beyond protecting against dangerous intrusions into a single system. It touches the ecosystem as a whole.
What needs to be done? A holistic, organization-level approach, looking at the vehicle from the cradle to the grave. And that means two dimensions. Let's start here. Holistic in many dimensions: across the industry, we have covered that, so it's the supply chain plus the OEMs, but also for the full vehicle life cycle, from creating the first plan to implementing it, to having it type approved, to using it within a car or as the car, and then the car over its lifetime until it is either, yeah, retired or recycled. Maybe you take the battery out of it and use it somewhere else, and the rest of the car goes into the press. So understanding the car for the full vehicle lifecycle, that's covered here. The standard for the CSMS is not the UNECE R 155. There's a specific standard for that. So it just points at that. So it's not only just one document, there are more than this. And this is only one extension, but this is the most important one.
Components, spare parts, accessories, all phases from development, production, operation, maintenance to recycling. So the full life cycle. So industry plus life cycle. So, call to action: what do we need to do? If an organization wants to do that, it should do at least this one. So this is a recommendation that is also collected by research and by talking to my colleagues. You can't create that in one go. This is like you have the auditors in your house and they have findings and you say, okay, I have a good plan to mitigate that. The good plan, that is what we're talking about here. So put the main focus on threat analysis and risk assessment. Understand what needs to be done first, then drill down. But first create the foundation, create the CSMS as a design. So it's not too bad if they have the CSMS design already approved, which is good. Aim at achieving security by design for the entire automotive ecosystem.
And I think this is so easy to say for an analyst who does not build cars. I know, but yeah, this is what they need to do. What to do? Targets for holistic cybersecurity assessment. Define your objectives. This is classical risk management. Identify and manage cybersecurity risks in the supply chain. Assess potential attack schemes, effect of the attack, resulting threat, risk management. Bundle them into a holistic cybersecurity approach. So implement the measures. Of course it's not just paperwork. Make sure that everything is already implemented and document that using the CSMS, and provide the proof that threats and vulnerabilities are mitigated and incidents are detected and responded to.
So that is what needs to be done. There is no genius analyst final thought here to say other than, God, hell, do it. One more thing beyond R 155. So that was my initial closing slide, the one before. But I think we should go a step further, because as we've seen, the picture here was just a short excerpt from the overall picture that I created, and this was far from being complete. The genie is out of the bottle; the CSMS is there. And I think this is also a good starting point. It's an important shift in perspective, but it's just a start. We need to have the bigger vision, and I think the picture that I've drawn earlier is much closer to the bigger vision than just using the OEMs, the supply chain and the car. So cybersecurity, safety and privacy. We just talk about cybersecurity; safety and privacy are implicit but not explicit in this document. In a fully interconnected and highly automated ecosystem they need to be understood at scale. And scale means the full automotive ecosystem. Every car, every street, every building, every small city. So this is a huge thing to think about.
I'm an identity guy. So identities and relationships: of course the people have an identity, the battery has an identity, the car has an identity, the key has an identity. All these identities represent these things: vehicles, components, infrastructure and people. They interact and communicate. We need to trust them and identify all of them, and we need to understand their relationships to each other. And there will be many more stakeholders except for those that I've mentioned for the standard. So automotive security is really just starting. And if you look at LinkedIn or if you look at the typical job portals, there are lots of open positions for people who have to implement functionality around CSMS at larger OEMs and supply chain companies. And that is for a good reason. And that's it from my side. Thank you very much for your attention. It's fine. Okay. Thank you very much.