ISO/SAE 21434: It’s time to put the brakes on connected car cyber-threats

Connected cars are on the move. Globally their number is set to grow 270% between 2018 and 2022 to reach an estimated 125 million in a couple of years. Increasingly, these vehicles are more akin to high-performance mobile computers with wheels than traditional cars, with features including internet access, app-based remote monitoring and management, advanced driver-assistance, and autonomous driving capabilities. But this also leaves them exposed to sensitive data theft and remote manipulation, which could create serious physical safety issues.

This is where a new standard comes in. ISO/SAE 21434 creates detailed guidance for the automotive industry to help it navigate these challenges and reduce reputational and cyber-risk. A new report from Trend Micro details what industry stakeholders need to, along with our recommendations as cybersecurity experts.

Packed with power

Modern automobiles do far more than transport their occupants from A to B. They are filled with computing power, sensors, infotainment systems and connectivity to help improve the car experience, traffic safety, vehicle maintenance and much more. This all creates complexity, which in turn leads to the emergence of cybersecurity gaps.

For example, there are now more than 100 engine control units (ECUs) in many modern vehicles, packed with software to control everything from the engine and suspension to the brakes. By hijacking the execution of any ECU an attacker could move laterally to any target in the vehicle, potentially allowing them to remotely cause life-threatening accidents.

As our report explains, there are three fundamental issues that make securing connected cars challenging:

Vulnerabilities are difficult to patch due to the highly tiered mature of car supply chains, firmware interoperability and long update times. If updates fail, as they can, a vehicle may be left inoperable.

Protocols used for connectivity between ECUs were not designed with security in mind, allowing attackers to conduct lateral movement.

Aftermarket products and services represent a third area of risk exposure. Akin to unsecured IoT devices in the smart home, they can be abused by attackers to pivot to more sensitive parts of the vehicle.

These vulnerabilities have been highlighted in research dating back years, but as connected cars grow in number, real-world attacks are now starting to emerge. Attack scenarios target everything from user applications to network protocols, to the CAN bus, on-board software and more. In short, there’s much for the bad guys to gain and plenty for carmakers to lose.

Here to help

This is where the new standard comes in. ISO/SAE 21434 “Road vehicles – Cybersecurity engineering” is a typically long and detailed document designed to improve automotive cybersecurity and risk mitigation across the entire supply chain — from vehicle design and engineering through to decommissioning.

As a long-time collaborator with the automotive industry, Trend Micro welcomes the new standard as a way to enhance security-by-design in an area coming under the increasing scrutiny of attackers. In fact, eight out of the world’s top 10 automotive companies have adopted Trend Micro solutions for their enterprise IT.

In order to follow ISO/SAE 21434 and protect connected cars, organizations need comprehensive visibility and control of the entire connected car ecosystem, including: vehicle, network and backend systems. They should then consider developing a Vehicle Security Operations Center (VSOC) to manage notifications coming in from all three areas and to create a bird’s eye view of the entire ecosystem.

Consider the following capabilities in each of these key areas:

Vehicle: Detect in-vehicle vulnerabilities and possible exploitation, including those in critical devices that connected the in-vehicle network to outside networks, for instance, in-vehicle infotainment systems (IVI) and telematic control units (TCUs).

Network: Apply network security policy, monitoring traffic to detect and prevent threats including connections between vehicle and backend cloud and data centers.

Backend: Secure data centers, cloud and containers from known and unknown threats and bugs without compromising performance.

Vehicle SOC: Take quick and effective action by correlating threats detected from the endpoint, network, and backend with individual notifications from each, enabling a bird’s eye view of comprehensive elements.

In uncertain times for the industry, it pays to get ahead of the game, and any prospective changes in local laws that the new ISO/SAE standard may encourage. For carmakers looking to differentiate in a tough market, and do the right thing by protecting their customers, Trend Micro is here to help.

To find out more, read the full report here.