Cybersecurity

Standardization and Cyber regulations in mobility

The automotive ecosystem, which has been constantly evolving and seen to have undergone multiple innovations, is going through yet another transformation in the areas of autonomous vehicle and connectivity. 

This transformation is enabled by a combination of multiple technologies – communication, networking, data and vehicle, which have culminated to bring about interesting changes from being human-driven, electromechanical vehicles to autonomous or driverless cars. The transformation though is not limited to only the automotive sector and rather spreads across the entire spectrum from fuel, plants manufacturing the products to dealers and to the whole supply chain itself.  

Technology is at the heart of the transformational journey inclusive of a combination of software, communication, networking, artificial intelligence, data and vehicle technology. At the other end, there is also a shift from the traditional ecosystem catering to an area wise connectivity, to a global ecosystem with increased interactions. 

Another important aspect is safety, which has been the primary driver for regulations so far in the auto industry. Industry standards, methodologies and quality testing were put in place to structure this sector where stakeholders from OEMs to Auto component manufacturers were expected to adhere with. Transformation in the auto industry has expanded this realm for standardization for safety rather than limiting to traditional hardware and electronic components, quality management and safety testing. Similar to our experience across IT, Cloud and Mobile sectors, the automotive industry is also the focus area now for both academic researchers and bad actors.

Safety = Hardware Quality + Security + Privacy

Safety in the context of the automotive sector needs no further emphasis. Automotive safety has traditionally referred to the physical safety aspects such as traffic collisions. However, with cars now coming equipped with 100s of ECUs and millions of lines of code to control from AC to infotainment to brakes and interacting with other vehicles or Road Side Unit (RSU) and to like tollgates etc. safety has been redefined from the traditional outlook to encompass security and privacy. 

The need for security and privacy has been well demonstrated by numerous research and real-life incidents. One such classic example is the hack of Jeep Cherokee by two security researchers. The hackers were able to control a Jeep on the highway remotely – from their home. They were able to control the climate control system, radio, windshield wipers, display and also kill the engine wirelessly. All this was possible because of the remote access enabled into the Jeep. While the vulnerability which enabled the above hack to take place has been fixed, many open security vulnerabilities are lying in the underlying connected ecosystem. (1)

Data privacy is another aspect that is of utmost importance considering the amount of data in a connected car, which is related to the person who owns the car or uses the car. Today, connected cars generate 25GB of data per hour. (2) All this data is stored in databases or cloud of OEM’s, cloud providers, component manufacturers and service providers. 

Any collaboration, be it within an industry or across, requires standardization to enable the involved players to speak the same language and achieve common goals. The ecosystem described earlier, demands collaborative partnerships cutting across the different technologies and various industries must amplify the need for standardization and calls for regulations in various aspects. 

To that effect, some of the questions that the regulators are trying to answer are:

  1. What could be the cybersecurity requirements when a car communicates with a Road Side Unit (RSU)? 
  2. What are the aspects that need to be considered when it comes to the use of current telecom technologies and future 5G technology? 
  3. How will Over the Air (OTA) updates be managed in a secure manner?
  4. How detection and response to security incidents will be handled?
  5. How will you maintain the end to end integrity of all the components in the car?
  6. What framework, standard or methodologies should the auto components manufacturer, service providers and OEM have to adhere to ensure inter-operability and compliance?
  7. Who owns the data? 
  8. Who determines what is private and its various facets? 

Automotive regulators are attempting to provide answers to such questions through regulations to bring in standardization. 

So far, each country has taken an approach that is suitable for their geography and local requirements when it comes to Automotive security. 

For instance in the United States, ‘Federal Motor Vehicle Safety Standards’ is an essential requirement that the automotive manufacturers need to adhere. Canada, on similar lines, follows a regulation called the ‘Canada Motor Safety standards’. 

In India, the Motor vehicles Act, 1988 and the Central Motor vehicle rules, 1989 are the two principal regulations for the automotive sector. The AIS certification was established in India along with the CMVR in 1989. These standards are based on the UNECE standards mentioned earlier.  (4)

One of the regulations, which was released by AIS committee, was on “Intelligent Transportation Systems (ITS) – Requirements for Public Transport Vehicle Operation” or AIS 140 as it is popularly known. AIS 140 mandates that the public transport vehicle be fitted with Vehicle Location Tracking, Camera Surveillance System and Emergency Request Button. It also mandates that the security and privacy for the ITS are maintained per applicable laws/guidelines of various government authorities. 

The society of Indian Automobile manufacturers has also drawn a roadmap for automobile safety standards (3). The roadmap was presented to the Government in January 2002, which received in-principle approval of the Ministry of Road Transport & Highways. 

Based on the consultation, a roadmap has been finalized by the Ministry, and work has commenced on drafting standards and notifications.

Another regulation that has a global reach are the rules developed by ‘World Forum for harmonization of vehicle Regulations’ developed by UNECE. There are 62 participating countries in this forum. Overtime, we can expect an increase in the number of automotive regulations. The call for standardization across the automotive industry is inevitable. The existing regulations will see an inclusion of cybersecurity and privacy aspects similar to UNECE WP.29, which covers cybersecurity holistically. 

It is necessary that regulations include various aspects of the vehicle – from pre-production to production to post-production.

As mentioned earlier, the auto industry cannot be restricted to a particular region anymore and a holistic approach needs to apply. 

India, which is becoming the hub for global OEMs will benefit by the adoption of global standards. For the Auto OEMs and Auto Component manufacturers in India, rather than waiting for the Indian specific law to happen, it is better to start preparing for compliance to some of the industry best practices and standards like UNECE.

Drawing parallel with the IT industry, it took some time for standardizations and agreements for this industry to arrive . We expect to foresee the same churn happening in the space of the auto sector as well. 

The good news is, the change is already seen to happen, and it is evolving. The best practices from the IT sector will be quickly adapted in the auto sector, leading to quicker standardization and so an evolved auto sector is to be seen for a newly emerged India.

###

References

1 https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

2 https://www.tuxera.com/blog/autonomous-cars-300-tb-of-data-per-year/

(3) <http://www.siam.in/technical-regulation.aspx?mpgid=31&pgidtrail=34

(4) https://www.altran.com/as-content/uploads/sites/5/2018/01/cybersecurity-in-automotive_position-paper.pdf

https://morth.nic.in/sites/default/files/Finalized_Draft_AIS_140_regarding_Intelligent_Transportation_Systems_.pdf

Published in Telematics Wire

Back to top button