The forthcoming era of mobility excites consumers and brings forth lucrative business opportunities for automobile manufacturers. With escalating connectivity, future mobility solutions such as autonomous vehicles and remote functional enhancements become increasingly feasible. However, alongside these advancements, hackers also stand to gain, exploiting the expanding connectivity to launch cyber-attacks through novel avenues.
Global Regulatory Framework
Recognizing the growing importance of cybersecurity, the ISO/SAE 21434 standard and the UNECE WP.29 regulations R155 and R156 address vehicle cybersecurity and software updates. The regulations require manufacturers to operate a Cybersecurity Management System and a Software Update Management System; the standard supplies the engineering process behind them. Because R155 and R156 are tied to vehicle type approval, cybersecurity has become a mandatory condition for bringing new vehicles to market in the EU (new vehicle types since July 2022, all newly registered vehicles since July 2024) and in the other countries that apply the UNECE regulations, giving the connected vehicles on the road today a common regulatory baseline.
UNECE R155/R156 and ISO/SAE 21434
WP.29, the World Forum for Harmonization of Vehicle Regulations of the United Nations Economic Commission for Europe (UNECE), is the international body that drafts harmonized vehicle regulations. UN Regulation No. 155 (R155) sets uniform provisions for the approval of vehicles with regard to cybersecurity and requires the manufacturer to operate a certified Cybersecurity Management System (CSMS). UN Regulation No. 156 (R156) does the same for software updates and requires a Software Update Management System (SUMS). R155 does not prescribe an engineering method; the industry standard ISO/SAE 21434, “Road vehicles – Cybersecurity Engineering”, is the accepted way to demonstrate that the CSMS requirements are met.
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). SAE International is a global association of more than 128,000 engineers and related technical experts in the aerospace, automotive and commercial-vehicle industries; its standards are used to advance mobility engineering throughout the world.
ISO/SAE 21434 specifies engineering requirements for cybersecurity risk management across the lifecycle of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces: concept, product development, production, operation, maintenance and decommissioning.
R155 and R156 apply to vehicles of categories M and N (passenger cars, vans, trucks and buses), to trailers (category O) fitted with at least one electronic control unit, and to light four-wheelers (categories L6 and L7) equipped with automated driving functionality of level 3 or higher. In practice that covers nearly every type-approved road vehicle with an ECU; two- and three-wheeled vehicles are outside the scope.
These regulations mandate action across four distinct domains:
- Managing vehicle cyber risks
- Designing vehicles with inherent security features to mitigate risks throughout the value chain
- Detecting and responding to security incidents across vehicle fleets
- Providing safe and secure software updates, ensuring vehicle safety is uncompromised and establishing a legal basis for “Over-the-Air” (OTA) updates to on-board vehicle software.
Moreover, compliance with UNECE R155 requires attention to two areas: the organizational structures and processes for cybersecurity management (the CSMS), and the vehicle-level requirements for managing cybersecurity risks.
How can dissecto help you comply?
Security Test Environment
HydraVision is a platform as a service that integrates automated security testing into the ECU lifecycle and supports compliance with the latest directives and standards such as UNECE R155 and ISO/SAE 21434. Our Security Test Environment enables automotive suppliers not only to comply with the new directives and standards, but also to perform real, hands-on cybersecurity testing of their products, automatically and remotely. New threats (CVEs) reported by developers, by dissecto research or by third parties such as Auto-ISAC and ASRG are proactively monitored and tested against your system, without your team having to build the corresponding attacks yourself.
HydraVision validates a device in four layers, from the lowest-level interface up to publicly known vulnerabilities:
- Interface-level tests exercise the low-level drivers and bus interfaces for vulnerabilities.
- Protocol tests assess the robustness of the implemented protocols and identify weaknesses, complemented by fuzzing that drives the implementation with malformed and unexpected inputs.
- Tests of the security controls and functions check whether the device’s defensive mechanisms actually hold under attack.
- Tests for known Common Vulnerabilities and Exposures (CVEs) check whether published vulnerabilities apply to the device under test.
Together these layers make HydraVision a library of automated security tests that covers the device from its physical interfaces to its exposure to publicly known vulnerabilities.
Pentesting
We offer pentests of embedded systems, automotive systems and hardware components. A penetration test, or pentest, simulates cyberattacks to assess the security of a system, network or application. It reveals weaknesses and strengths and so supports risk assessment. The test targets specific systems and goals and uses a variety of methods to breach their security. The results inform the client of the vulnerabilities found and recommend mitigation strategies. Penetration tests are an integral part of the security testing that UNECE R155 requires manufacturers to demonstrate, and they feed the risk assessment. Penetration tests can be tailored to your individual requirements.
Training
As cars become more interconnected, they also become more vulnerable. Stay ahead of the curve with our customizable trainings & workshops. Delve into the fundamentals of automotive protocols and ECUs to identify attack surfaces effectively. Learn to hack real cars with insights into OEM design philosophies and firmware reverse engineering. Explore automation strategies for network and system security assessments. From CAN communication to firmware dumping, our trainings cover it all and can be tailored to match your individual requirements.
Do you have questions or need support?
We’re here to help! Reach out to us if you have any questions regarding dissecto HydraVision or our other services: