Since the conception of the automobile, manufacturers have needed to consider an assortment of issues to assure safety and reliability in fabrication. For these interests, standards have long been relied upon for guidance. However, as modern technology finds its way into vehicle systems, the scope of preparedness for harm arising from vehicle use must be expanded to cover issues beyond physical hazards. With the growing installation of electronics, sensors, and, now, automated systems, automobile design must incorporate cybersecurity.
The inclusion of cybersecurity should not, however, occur at the end of development. Instead, it should be built into the design, following an appropriate lifecycle process framework that encompasses production, operation, service, and decommissioning. SAE J 3061-2016 (SAE J3061-2016) – Cybersecurity Guidebook for Cyber-Physical Vehicle Systems is the standard that allows users to follow such a framework to identify and assess cybersecurity threats and design cybersecurity into cyber-physical vehicle systems throughout the entire development lifecycle process. According to the standard, this process should be considered after an assessment of potential cybersecurity threats.
Before we delve deeper into the concepts that organizations must address in determining the presence of cybersecurity threats, it is important to establish the relationship between system safety and system cybersecurity, two ideas essential to the SAE J 3061-2016 standard. System safety is understood as the state of a system that does not cause harm to life, property, or the environment, while system cybersecurity is the state of a system that does not allow exploitation of vulnerabilities that can lead to financial, operational, privacy, or safety losses.
Expanding upon these two definitions, a safety-critical system may cause harm to life, property, or the environment if the system does not behave as intended or desired. A cybersecurity-critical system, similarly, may lead to financial, operational, privacy, or safety losses if the system is compromised through a potential vulnerability. These two domains are very closely interrelated, as all safety-critical systems are cybersecurity-critical due to the capability of a cyberattack to impact safety. Thus, the engineering process elements for system safety and system cybersecurity are intertwined at several points.
For systems that may be considered cybersecurity-critical cyber-physical vehicle systems, the initial assessment should include potential threats related to operation, privacy, finance, and reputation. Overall, the concept phase for system development should consider some general questions, such as:
- Will there be any sensitive data and/or Personally Identifiable Information (PII) stored on, or transmitted by, your system that could make your system a target?
- What role does your system have (if any) in the safety-critical functions of a vehicle?
- Can your system be used as a “stepping stone” to an attack on another system?
With questions like these answered, those involved in the design of the vehicle systems can determine whether cybersecurity efforts are necessary and to what extent they should be conducted. Furthermore, SAE J 3061-2016 advises designers to not only instill cybersecurity throughout the different stages of the lifecycle process, but also within the organization itself. Organizations should be expected to create, foster, and sustain a cybersecurity culture, training employees in the proper way to think about the subject, assuring that they can recognize it as a key concern with the design of vehicle systems.
Organizations should also consider the way the driver will interact with the systems. Ultimately, the driver is subject to substantial losses from any cybersecurity vulnerabilities, so understanding their behavior can be invaluable.
Principles on managing cybersecurity have been present for some time, and they can be found in Microsoft’s Security Development Lifecycle (SDL) guiding principles, as well as IEEE’s Avoiding the Top 10 Software Security Design Flaws. The latter of these comprises the following concepts for secure design:
- Earn or Give, But Never Assume, Trust
- Use an Authentication Mechanism that Cannot Be Bypassed or Tampered With
- Authorize After You Authenticate
- Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources
- Define an Approach that Ensures All Data Are Explicitly Validated
- Use Cryptography Correctly
- Identify Sensitive Data and How They Should Be Handled
- Always Consider the Users
- Understand How Integrating External Components Changes Your Attack Surface
- Be Flexible When Considering Future Changes to Objects and Actors
Concepts from these guiding principles have been tailored for cyber-physical systems cybersecurity in accordance with the SAE J 3061-2016 document. The standard builds on these ideas, detailing extensively how to implement cybersecurity in the different stages of the design lifecycle.
SAE J 3061-2016 (SAE J3061-2016) – Cybersecurity Guidebook for Cyber-Physical Vehicle Systems is available on the ANSI Webstore.