NXP recently said it had been certified by a third-party lab to be in compliance with ISO/SAE 21434, an automotive cybersecurity engineering standard that aims to get OEMs and their supply chains to design more robust security into their components, servers, and processes at a time when concerns about hacking of connected vehicle systems are on the rise.
This engineering standard supports the implementation of the R155, an international automotive cybersecurity regulation that will affect vehicle launches in Europe, Japan and Korea when the compliance mandate for the standard goes into effect in July 2022. R155 will affect more than a third of global vehicle production, and ISO/SAE 21434 will ensure the supply chain underpinning this volume of production is ready, NXP said.
“The standard helps to create a common understanding and approach throughout the supply chain, as it provides a common vocabulary for automotive security and lays out clear organizational and procedural requirements throughout the entire vehicle lifecycle, from concept and development, to production, operations and maintenance and finally decommissioning,” said Timo van Roermund, technical director, automotive security at NXP Semiconductors, via email. “In particular, it requires a security-by-design approach, starting from the earliest (concept) phases of product development, which is essential to achieve sound security concepts and solutions. The introduction of standard (ISO/SAE 21434) and the related security regulation (UN R155) are the latest step to accelerate the shift in the automotive industry from security-through-obscurity to security-by-design. This is something which NXP welcomes and fully supports.”
Van Roermund noted that while the recent rapid addition of AI, entertainment, infotainment and autonomous systems to vehicles has heightened security concerns, the possibility of vehicle system hacks is not entirely new.
“Susceptibility to security threats is not new for the auto industry,” he stated. “When the on-board diagnostics (OBD) port was added to vehicles in the 1990s, it provided access to the engine’s management systems. Back then, hacking a vehicle required expensive hardware, physical access to the port, and proprietary software — but there were still those willing to attempt it.”
Now, it is much easier and much less expensive to carry out remote hacks on vehicle systems--even simultaneously on large fleets of vehicles. That forced the automotive industry ecosystem “to step up its efforts to increase its security posture, to address this increasing challenge and to enable adequate protection,” van Roermund said. Industry players established the Automotive Information Sharing & Analysis Center (Auto-ISAC), to help companies otherwise competing with one another to share threat information and best practices, and to promote awareness of automotive cybersecurity issues.
NXP’s support for the standard was certified by TÜV SÜD, a third-party auditing and testing firm. While there is no direct certification testing requirement to prove compliance for the standard, it is likely that manufacturers will audit the Tier 1 members of their supply chains to ensure support, and that those Tier 1 suppliers will audit their own Tier 2 suppliers, an approach similar to that taken with previous automotive standards, van Roermund said.
While ISO/SAE 21434 is a technology-agnostic engineering standard, van Roermund said there are other automotive technology standards emerging that have to do with security, including:
- AUTOSAR Specification of Secure Hardware Extensions – a republication of the HIS SHE specification for on-chip/integrated security modules
- AUTOSAR Crypto Stack – offers a standardized access to cryptographic services for applications and system functions
- FIPS 140-3 – Security Requirements for Cryptographic Modules
- NIST SP 800 series – various specifications of cryptographic primitives and associated guidelines – including FIPS 180-4 (SHA1/SHA2), FIPS 186-4 (digital signatures), FIPS 197 (AES), FIPS 202 (SHA3) etc.
- Standards for secure V2X communication – including IEEE 1609.2 (WAVE) and the ETSI TC ITC series (TS 103 097, TS 102 940, TS 102 941, TS 103 601, …)
- Car Connectivity Consortium (CCC) Digital Key, to allow smartphones and other smart devices to act as a vehicle key