A Road Map to Automotive Cybersecurity Compliance

For many years, automotive software was developed with the thought that the vehicle network and electronic control units (ECUs) were not exposed to or of interest to malicious hackers. Consequently, software developers and cybersecurity engineers had mismatched views and goals when projects began to include cybersecurity requirements.

However, major technological innovation is driving substantial automotive industry changes. Customers are becoming more aware that security is a buying concern and are looking for indications of safer products rather than just exercising brand loyalty. Manufacturers must implement more stringent security management where it is not well standardized or even established at all.

The regulations listed below have triggered a race toward compliance and integration of these standards into the well-established software development process life cycles.

• The United Nations Economic Commission for Europe (UNECE) WP.29 Regulation 155 – Cyber Security and Cyber Security Management System
• Regulation 156 – Software Update and Software Update Management System
• ISO/SAE 21434 – Road Vehicles — Cybersecurity Engineering
• ISO 24089 – Road Vehicles — Software Update Engineering
• ISO/PAS 5112 – Road Vehicles — Guidelines for Auditing Cybersecurity Engineering

Original equipment manufacturers (OEMs) and suppliers now compete to hire and train automotive cybersecurity talent to reduce the gap in their understanding of these regulations and standards and to establish cybersecurity cultures within their organizations. Though these standards set up a framework, ample flexibility or ambiguity exists in their implementation.

A road map for implementing and integrating a cybersecurity culture in organizations and the interdependency with functional safety will prove useful to many stakeholders in this arena who want to demonstrate compliance with these regulations.