Attacking the Cybersecurity Threat

SAE Standards News aims to update readers on the extensive activity in the SAE Global Ground Vehicle Standards development arena, by more than 800 ground vehicle committees comprised of volunteers from global industry stakeholders and SAE GVS staff who support the committee work.

Hot topics among product developers don't get much hotter than cybersecurity. "We have quite a few things [on that subject] in the pipeline," noted Tim Weisenberger, Project Manager, Technical Programs, Ground Vehicle Standards.

Cloud-based systems to enable enhanced vehicle features are one potential pathway for cybersecurity attack (image: Delphi).

First SAE Cyber committee: The scope of SAE's first cybersecurity committee—focused on Vehicle Electrical Systems Security—encompasses on-board vehicle electrical systems that affect vehicle control, or otherwise act contrary to the occupants’ interests if the systems are manipulated by an attacker. The committee brings together experts from the automotive and cybersecurity industries for information sharing, Weisenberger said. It has one work in progress (WIP) in the active Vehicle Electrical Hardware Security task force.

This team is developing a recommended practice for security methods and tools for protecting vehicle electrical system hardware. They're examining existing best practices for hardware security approaches from both the cybersecurity and automotive industries. The resulting document will derive security approaches for use cases such as theft protection, authentication for secure booting and software flashing and secure storage of data. The task force's work also includes hardware-security recommendations for the silicon industry.

Best-practices guide: SAE J3061 recommends best practices for building security into the product development lifecycle. Following its publication in 2016, the Vehicle Cybersecurity Systems Engineering Committee quickly began work to build standards with J3061 as the foundation. Their two active task forces are developing a best practice to serve as a framework for industry to examine security testing methods and tools for vehicle hardware and software security. Weisenberger told AE that the standard will be vendor- agnostic.

The committee aims to develop a classification scheme for the automotive industry to use in threat analysis and risk assessment, to identify discrete integrity levels, he said. It is also examining how Automotive Cybersecurity Safety Integrity Levels relate to the safety-integrity levels from ISO 26262, a functional safety standard.

Attacking the cyber threat to DSRC: Multiple SAE Ground Vehicle Standards committees in the passenger vehicle and commercial sectors are examining the cybersecurity discipline. The E/E Diagnostics Committee is looking at OBD security and OBD “dongle” security. The On-Road Automated Vehicle Committee is beginning to research J3061 and do a gap analysis. The Truck and Bus Controls and Comms Committee has a cybersecurity task force. In addition, the Dedicated Short Range Communications committee has long been tackling security issues in DSRC communications.

Joint SAE-ISO collaboration: “SAE is being targeted by many other standards-development organizations and those such as IEEE, TIA and ITU, for joint work,” Weisenberger said. And the growing list of active collaborations is expected to continue, he reported.

It includes SAE and ISO approving a Partner Standards Development Organization (PSDO) Agreement that kicked off late last year. With approximately 44 experts from 11 nations, SAE and ISO created the Joint Working Group to house experts from both organizations to work together to develop an international, joint SAE-ISO standard.

“The importance of the Joint Working Group is that it is the first test case for the PSDO between SAE and ISO,” Weisenberger explained. The agreement is a test only and aims to drive cooperation between highly correlated SAE and ISO standards. The agreement identified three candidate standards: SAE J2945 (Wireless Power Transfer)/ISO 19363, J2953 (V2G Interoperability)/ISO 15118 and J3016 (Vehicle Automation Levels)/ISO DTR 20545. Cybersecurity was added after the draft agreement and therefore selected as the first test case.

The group has developed processes, procedures and rules that can serve as the template for all future joint work items. “Now we are poised to begin the technical work and both SAE and ISO will be examining the success of work-item development to inform them on future collaborations,” he said.

SAE-NIST team up: In a related development, SAE is currently engaged with the National Institute of Standards and Technology on a limited pilot project to test the effectiveness of security methods and tools applied, at an automotive supplier or OEM using NIST's "federated testbed," a portable software set.