by Timo van Roermund, Technical Director, Automotive Security, NXP Semiconductors
On July 6, 2022, UN R155 entered into force in Europe. And exactly one year ago, the first edition of the standard ISO/SAE 21434 was published. These were landmarks for the automotive industry, accelerating the shift from security-through-obscurity to security-by-design.
This is terrific news for consumers because it offers a high degree of confidence that hackers won’t be able to wreak havoc on their increasingly connected cars. However, for the auto industry it presents massive challenges, not the least of which is meeting the mandated tight deadlines.
In this blog, I’ll recap the history of R155 and ISO/SAE 21434 and explain how NXP managed to achieve compliance with the standard soon after it was published. In a second part, I’ll delve into some of the challenges faced by the industry as it begins to apply the requirements in the development of new vehicles and their components.
What is Vehicle Type Approval?
Europe, like many other regions, follows a system of type approval for vehicles. This means that a vehicle can only be registered with the local authorities for use on public roads after it successfully passes compliance tests carried out by designated testing bodies and laboratories (‘technical services’). Since July 6 of this year, these tests also assess compliance with the new cybersecurity regulation UN R155, making cybersecurity a mandatory requirement for new vehicle types.
The ISO/SAE 21434 standard provides clear security requirements for vehicles and their components to protect them against hacks. The standard also supports the implementation of the R155 requirements in organizations across the supply chain. So, compliance with this standard is de facto a requirement for automotive suppliers like NXP.
Why was This Needed?
Cars today connect over many different interfaces, including USB, CAN bus, Wi-Fi, Bluetooth®, cellular, and Ethernet, and this range of attack vectors makes a vehicle an appealing target for hackers. These risks have grown dramatically as hackers have become extremely proficient in finding entry points to vehicle components and systems and exploiting them to their advantage.
To address these new challenges, parallel efforts were initiated in 2016 to create both a new regulation, as well as an associated standard for automotive cybersecurity. These initiatives were spearheaded by the World Forum for Harmonization of Vehicle Regulations (UNECE WP.29), the auto industry, the Society of Automotive Engineering (SAE) and the International Organization for Standardization (ISO). UN R155 and ISO/SAE 21434 are the results of those efforts.
The two are different, so it’s important to explain how they work together. UN R155 is a regulation, a binding directive that must be complied with to obtain type approval and, with that, market access in the more than 60 countries that are in the process of adopting it.
In contrast, ISO/SAE 21434 is a standard created by SAE and ISO. Initially, both groups worked separately on security standards but ultimately joined forces and collaborated with automakers, component and system suppliers, cybersecurity vendors, governing organizations, and more than 100 experts from more than 82 companies in 16 countries. The standard supports the implementation of the R155 requirements in organizations across the supply chain. Hence, UN R155 and ISO/SAE 21434 are complementary, and together they prescribe the requirements for cybersecurity in future vehicles.
What are These New Requirements?
ISO/SAE 21434 establishes cybersecurity engineering baselines for connected vehicles and addresses the engineering of electrical and electronic systems. The standard lays out clear organizational and procedural requirements throughout the entire vehicle lifecycle, from concept and development to production, operations, maintenance and decommissioning.
It calls for effective methods for fostering a cybersecurity culture, including cybersecurity awareness management, competence management and continuous improvement, as well as close collaboration throughout the supply chain. It also specifies a threat analysis and risk assessment (TARA) methodology to identify and determine potential threats, feasibility and impact.
UN R155 requires OEMs to have a certified Cybersecurity Management System (CSMS) in place. A CSMS is a systematic risk-based approach defining organizational processes and policies, responsibilities, and governance to treat risk associated with cyber threats to vehicles and protect them from cyber-attacks. It requires measures to be implemented for managing vehicle cyber risks, for securing vehicles by design to mitigate risks throughout the value chain, and for detecting and responding to security incidents.
In short, while UN R155 mandates the deployment of a CSMS, ISO/SAE 21434 explains how to implement one. Further details on the history of UN R155 and ISO/SAE 21434 can be found in my blog entitled “The New 21434 Automotive Engineering Cybersecurity Standard.”
What About Certification?
Every comprehensive set of requirements requires a means of verification, and for this purpose R155 mandates that the OEM’s CSMS be reassessed at least every three years to verify that it is compliant with R155. It is a prerequisite for achieving vehicle type approval. After a successful audit by the approval authority or its technical service, the OEM receives a Certificate of Compliance for its CSMS.
Suppliers will need to support the OEMs. R155 requires OEMs to demonstrate that supplier-related risks are identified and managed under the CSMS. As a result, suppliers must provide OEMs with appropriate evidence. A practical way to do so is by achieving compliance with ISO/SAE 21434, performing the applicable cybersecurity activities and generating the applicable work products as defined in the standard.
How NXP Achieved Compliance
Building on its expertise in security, NXP has refined and extended its existing policies and processes to meet the requirements of ISO/SAE 21434. An independent third party confirmed this compliance through an audit and certification in mid-2022.
This did not come overnight. In fact, our efforts to achieve compliance started in June 2019, when the “Intermediate baseline of ISO/SAE 21434” became available. Although the standard was far from being stable at that time, we knew that the timelines of R155 would be very tight, and we anticipated that compliance with ISO/SAE 21434 would soon become a market requirement.
With this in mind, we identified gaps and addressed them. In 2020, the first official draft became available and TÜV SÜD performed a pre-audit (conformity assessment) based on it. In the months that followed, we further tweaked our processes and policies based on the findings from this pre-audit.
The final draft was published in February 2021, after which TÜV SÜD performed a successful audit. A certificate was issued only a few days after the standard was released, verifying that NXP’s cybersecurity engineering processes were compliant with ISO/SAE 21434. NXP was the first semiconductor supplier to be so certified. Since then, at least one other large automotive supplier has also been certified, and other suppliers are working hard to achieve compliance as well.
But, of course, this is only the beginning, and in the last 12 months we have applied those certified processes in the development of new semiconductor solutions. We’re preparing for the first re-audit in which TÜV SÜD will inspect a few of our development projects.
A Helping Hand
As should surprise no one, achieving the goals set forth in the new cybersecurity requirements is a massive undertaking that, when combined with eye-watering deadlines, makes for an engineering nightmare. But companies do not need to address this alone.
In fact, the industry recognized early on that collaboration was key to addressing common challenges related to automotive security and in 2015 established an organization called the Automotive Information Sharing and Analysis Center (Auto-ISAC).
Members of this industry-driven community share and analyze intelligence about emerging cybersecurity risks to the vehicle, and collectively enhance vehicle cybersecurity capabilities across the global automotive industry.
Between 2016 and 2019, this community developed seven best practices guides on topics that are also covered by the standard. This, in combination with a trusted network of peers, helps members ramp up their cybersecurity capabilities faster than they could do alone. It also helps the industry achieve compliance with R155 and ISO/SAE 21434.