Currently, the concept of connected vehicles is prevalent. The belief in the future where vehicles will become people’s second living space and act similarly to a mobile data center aligns with the core concept of the MIH Consortium’s initiatives. Cybersecurity is critical to the regular operation and protection of connected vehicles. MIH Technical Consultant Brook Lu identifies the topics that the MIH Security & OTA Working Group focuses on supplier management, cybersecurity solutions, user data protection, and even the latest emerging technologies like blockchain and Web3. MIH and its members are working together to provide comprehensive automotive cybersecurity protections for the next generation of EVs.
If you want a more in-depth look at the technical development of the Security & OTA Working Group, participate in the MIH Demo Day on November 8.
The various governments worldwide have implemented strict vehicle safety regulations. Today, the automotive industry is entering a new era of mobility. Emerging technologies increase users’ convenience, especially the Internet of Vehicles (IoV) applications. The automotive industry and the governments must consider the required cybersecurity regulations to respond to the potential risks. We can see relevant standards are developed. For example, the European Union requires automakers and component suppliers to follow lSO/SAE 21434, officially released in 2021. In addition, the World Forum for Harmonization of Vehicle Regulations (WP.29), under the UN Economic Commission for Europe (UNECE), has released new ECE Regulations: R155 and R156, regarding vehicle cybersecurity and software updates and entered into force in January 2021.
In short, the ECE R155 specifies requirements for cybersecurity, simulates cyber-attacks, and allows relevant manufacturers to add prevention mechanisms during product design. ECE R156 is a security specification for the Over-the-Air (OTA) and software update management system of the Internet of Vehicles. ISO/SAE 21434 covers the complete life cycle of vehicles, including cybersecurity standards in the development, manufacturing, operation, maintenance, and recycling stages.
Vendor Management for Mature Cybersecurity Strategies
Motivated by the global emphasis on automotive cybersecurity, the Security & OTA Working Group focuses on three major categories: vendor management from the source, cybersecurity solutions, and user data protection. The working group is establishing vehicle cybersecurity frameworks and viewing vehicle security from multiple perspectives.
Regarding vendor management, the working group is working on three projects: one is to implement BSIMM (Building Security in Maturity Model). BSIMM is an internationally authoritative standard software security evaluation system. It aims to measure and evaluate the security activities of enterprises through quantitative data, to understand the maturity of a company’s security controls. For example, if the computer of the company’s employees has been hacked, it will affect the developed products or not. BSIMM helps to verify the supplier’s security management capabilities.
Second, to establish a supplier’s SBOM (Software Bill of Materials) system to manage software components. SBOM is a list of software components that make up a software product. Software vendors developed their products by leveraging Open Source software and layering in code that someone else has already built. When the Open Source software has security vulnerabilities, we can check the supplier’s SBOM and update the codes immediately to fix bugs and vulnerabilities.
Third, to establish a development process that complies with cybersecurity regulations. For example, conduct Threat Analysis and Risk Assessment (TARA) during product design and adopt Open Source Vulnerability Check and Penetration Testing during product verification. To minimize the security risk and weaknesses of the product, we have to complete all the security assessments in an early stage.
Monitor Abnormal Packets from Components to the Cloud
The automakers and suppliers not only need to avoid creating cybersecure vulnerabilities and weaknesses during product development and design, but also research and implement appropriate cybersecurity solutions in the vehicle. The Security & OTA Working Group cooperates with partners to research In-Vehicle Intrusion Detection and Prevention Systems (IDPS), which is used to monitor vehicle components and analyze abnormal data packets.
In addition, with the cloud-based Vehicle Security Operation Center (VSOC) and OTA technologies, if the vehicle is hacked and the problem cannot be solved on the car side, the system will notify the cloud VSOC, and fix bugs and update software via OTA updates. The end-to-end security monitoring of the vehicle is realized.
Returning Data Control to Vehicle Owners
The connected vehicle will become the largest data collection platform in the future. There are many sensors on electric vehicles, such as cameras, radar, Lidar, Global Navigation Satellite System(GNSS), Temperature sensor, Inertial Measurement Unit (IMU), and other sensors.
The data collected is not only the information inside the car but also the information of the outside environment, such as street view, shops and pedestrians on the street, road conditions, etc. That points out a problem: the legality of data collection.
For vehicle owners, the current data and information are all in the hands of car manufacturers. With the rise of user awareness of data collection and privacy, the current way no longer satisfies the owners. At present, the working group also researches Decentralized Identification (DID) technology by encrypting car owners’ data to prevent hacking. Therefore, the mission of the working group is to combine convenience, user habits, and cybersecurity. MIH’s goal is to decentralize the data collection with emerging technologies such as Web3 and NFTs to return data ownership and control to vehicle owners.
Brook Lu, MIH Technical Development Consultant
Areas of expertise include research on security-related issues such as Connectivity/Cloud Platform/Edge Computing/Web3.