Richard Wilson is the Head of Operational Security at GCC. His resume outlines his experience in operational security, mitigation against physical attack vectors, emerging cyber threats to vehicles, and the UK's public sector cyber security community. Key challenges include the increasing lines of code in vehicles, lack of standards to assess cybersecurity products, and implementing recent standards like ISO/SAE 21434 for automotive cybersecurity engineering.
3. Operational Security
• Vulnerability management
• Protective monitoring
• Incident management
• Configuration and change management
“Services must be operated and managed in a way to impede, detect or prevent attacks”.
4. Mitigation against Physical Attack Vectors
• Installing a network traffic monitoring and tampering alarm in the vehicle that detects unusual CAN messages (including messages sent at unusually high rates) and transmits a warning signal to fleet managers and the manufacturer’s cybersecurity team
• Implementing firewalls, whitelisting, and blacklisting of ECU messages to prevent unsafe commands
• Employing secure coding practices and auditing the source code
• Securing the entire vehicle’s networked functionalities with mechanical fail-safe mechanisms.
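The monitoring bullet above, worked as an added example that is not part of the presentation: a Python detector over constructed candump-style frames that whitelists known CAN IDs and flags any ID exceeding its baseline rate within a one-second window, then renders the warning lines a fleet manager or OEM security team would receive. The CAN IDs, baseline rates, tolerance and input format are assumptions.

```python
import re
from collections import Counter

# One candump-style text line: "(timestamp) iface ID#DATA" (assumed input format).
CANDUMP_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed baseline (the whitelist): CAN IDs this vehicle is expected to carry,
# each with its expected frames per second. Real values come from the OEM's DBC.
BASELINE_HZ = {"0C4": 10, "1A2": 2}

# Constructed sample traffic: 0C4 at 10 Hz for two seconds, then a 100 Hz burst of
# 0C4 in the third second, plus one frame on an ID (7DF) not in the baseline.
SAMPLE_LINES = (
    [f"({1.0 + i * 0.1:.3f}) can0 0C4#0000" for i in range(20)]
    + [f"({3.0 + i * 0.01:.3f}) can0 0C4#0000" for i in range(100)]
    + ["(1.500) can0 7DF#0201050000000000"]
)

def parse_candump(lines):
    """Parse candump-style lines into (timestamp, id, data) tuples; skip malformed ones."""
    frames = []
    for line in lines:
        m = CANDUMP_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), m["id"].upper(), m["data"].upper()))
    return frames

def detect_anomalies(frames, baseline_hz=BASELINE_HZ, tolerance=2.0):
    """Return sorted (kind, can_id, second, count) alerts: 'unknown_id' for a frame whose
    ID is not whitelisted, 'rate' for an ID exceeding tolerance x its expected rate in any
    one-second bucket (the "unusually high rate" case from the slide)."""
    seen, unknown = Counter(), Counter()   # (second, id) -> frames in that bucket
    for ts, can_id, _ in frames:
        target = seen if can_id in baseline_hz else unknown
        target[(int(ts), can_id)] += 1
    alerts = [("unknown_id", cid, sec, n) for (sec, cid), n in unknown.items()]
    alerts += [("rate", cid, sec, n) for (sec, cid), n in seen.items()
               if n > baseline_hz[cid] * tolerance]
    return sorted(alerts)

def warning_messages(alerts):
    """Render alerts as the warning lines sent to fleet managers / the OEM SOC."""
    return [f"CAN alert: {kind} id={cid} t={sec}s count={n}" for kind, cid, sec, n in alerts]
```

A production version would replace the fixed per-ID rate table with a learned baseline per ignition cycle and bus, but the two checks (unknown ID, rate above baseline) are the ones the slide describes.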
5. The challenge
Today’s cars have up to 150 electronic control units.
By 2030, many observers expect them to have roughly 300 million lines of software code.
By way of comparison, today’s cars have about 100 million lines of code. To put that into perspective:
• a passenger aircraft has an estimated 15 million lines of code.
• a modern fighter jet about 25 million.
• and a mass-market PC operating system close to 40 million.
7. If the SOC fits.
Part of the challenge for manufacturers is to find their way through the huge range of cyber-security products and services available in the marketplace.
There are very few standards against which to assess the quality of individual products, which can also make it difficult to decide what is appropriate.
8. Journey
PAS 1885 - the international standard on road vehicles that discusses automotive cyber security across the lifetime of the vehicle.
WP.29 - the UNECE World Forum for Harmonization of Vehicle Regulations.
UN Regulation No. 155 - Cyber security and cyber security management system.
ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering (August 2021).
9. CS & O-T-A
GRVA is the Working Party preparing draft regulations, guidance documents and interpretation documents for adoption by the parent body, WP.29.
Activities under the purview of GRVA:
- Functional Requirements for Automated Vehicles (FRAV)
- Validation Method for Automated Driving (VMAD)
- Event Data Recorder and Data Storage System for Automated Driving (EDR/DSSAD)
- Cyber Security and Over-The-Air issues (CS/OTA)
10. Stress testing, Cyber Insurance & Health Checks
Time for a cyber health check?
• Cyber insurance
• Gap analysis
• Maturity modelling
11. The UK’s Public Sector Cyber Security Community
Local Law Enforcement. Whilst the picture varies across the UK, almost all police forces now have a clearly identifiable point of contact for dealing with cyber-security issues.
City of London Police and Action Fraud. Much of the cyber-security challenge manifests itself as criminal activity and, in particular, fraud.
National Crime Agency (NCA). The NCA is home of the National Cyber Crime Unit (NCCU), which coordinates the national response to cyber-crime.
National Cyber Security Centre (NCSC). The NCSC is increasingly providing a central leadership and coordination role in the public sector.
12. So what, what’s next?
Implementation of the raft of operational processes, developed in accordance with the detailed requirements of the given standard.
Compliance (including supply chain) with UNECE R-155.
Handrailing ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering (August 2021), clauses 5 - 15.