A Roadmap to Resilience
HOW THE AUTOMOTIVE SECTOR CAN BUILD TRUST IN CONNECTED VEHICLES
Contents
Executive Summary
Introduction
The Requirement for an Assurance Framework and Rating System
Understanding Risk
Existing Demand for Cybersecurity Assurance
Benefits
A Roadmap to Increased Assurance for Connected and Autonomous Vehicles
Industry Adoption
Timings
Assurance Framework
Innovation Framework
Assessment Overview
The Assurance Rating System
Governance
Additional Considerations
Next Steps – Making the Roadmap a Reality
Conclusion
Acknowledgements
5StarS: A ROADMAP TO RESILIENCE2
Executive Summary

The 5StarS Consortium was created in 2017, funded by UK government-backed Innovate UK and bringing together automotive industry experts: HORIBA MIRA, Ricardo, Thatcham Research, Roke and Axillium.

Our mission is to develop a framework for vehicle manufacturers to implement in response to the technological developments that are sweeping across the automotive sector.

While technology is a common component of new vehicles, it can bring a greater threat of cyber attacks. Consumers expect the latest technology to be included but their awareness of cybersecurity issues is growing. It is a threat to the sector that stakeholders must also take seriously.

The 5StarS assurance framework will give vehicle manufacturers a measure of their vehicles’ resilience and allow stakeholders to understand their risks from connectivity. We also propose a consumer-facing assurance rating system to reassure motorists about their choice of vehicle. We believe this will build trust in the engineering and operation process and, crucially, in the safety, security and resilience of vehicles.

This paper summarises the output of the consortium’s work, incorporating feedback from stakeholders. It sets out the benefits to all stakeholders of adhering to the framework. It includes a roadmap that vehicle manufacturers will follow to pass the tests of the assurance framework. It also introduces details of independent assessments and the agility built into the framework, allowing it to be adapted to deal with continually changing threats. Finally, we present details of the consumer-facing assurance rating system.

The framework has been designed with vehicles launched in the UK in mind. However, it is intended to be globally relevant and aligns to international standards. The roadmap factors in - but goes further than - other vehicle cybersecurity tests, standards and assessments in development, such as the emerging ISO/SAE 21434 [1] and the CAV Innovation System Framework [2].

Through our research and evidence gathered to develop the framework, we are confident that it is a workable and positive response to the issues posed by new technology. It will allow vehicle manufacturers and others to deal with the risks but also consider the clear opportunities on offer.

The 5StarS consortium is now evaluating opportunities to conduct trials, in order to validate the assurance framework and its implementation.

Ultimately, the 5StarS framework will help build trust in the huge advances new technology can bring to the automotive sector and provide return on investment through increased vehicle sales.

[1] https://www.iso.org/standard/70918.html
[2] https://www.iso.org/standard/69315.html
Introduction

In the automotive sector connectivity will be a key driver of future sales volumes. As such, motorists want to know they are spending their hard-earned money on vehicles that have proven, built-in safeguards and resilience against emerging forms of crime such as remote data theft.

This need is already recognised within the industry. As GM’s head of product cybersecurity, Jeff Massimilla, states: “Cyber is something customers are making purchasing decisions on… the customer’s notion of a particular company’s cybersecurity proficiency is likely to become like many other competitive metrics when it comes to winning a spot on a buyer’s consideration list.”

As vehicle manufacturers install ever-more ingenious technology to differentiate their vehicles - from in-car entertainment and voice-activated payment systems, to connectivity that will boot up our homes as we drive there - criminal threats that exploit inherent weaknesses are sure to ramp up.

Meanwhile, the arrival of Connected Autonomous Vehicles (CAVs) and Advanced Driver Assistance Systems (ADAS) is also accelerating the debate around technology’s role in, and impact on, road safety.

Continuing to build consumers’ trust in both vehicle safety and cybersecurity will therefore be critical. The consortium’s mission is to develop an assurance framework that underpins future assessments of the cybersecurity capabilities of new vehicles and their resilience to attacks.

5StarS’ proposed assurance framework is
based on independent assessments that will
scrutinise vehicles’ cybersecurity capabilities.
There are several phases involved and these
are set out as a roadmap on the following
pages.
Several CAV-related cybersecurity standards
and regulations are in the pipeline, such as
UNECE regulations and ISO/SAE 21434, and
the roadmap has been developed in tandem
with these emerging standards. However, they
are intended to be used by manufacturers
to build in cybersecurity as part of their
engineering processes. There is currently no
way for consumers to make informed buying
decisions based on cybersecurity, or for
insurers to evaluate cybersecurity risk when
pricing insurance premiums. The output of the
5StarS assurance framework is an assurance
rating system that motorists, insurers and the
wider industry can easily understand; note the
success of the Euro NCAP rating system.
We believe a cybersecurity assurance
framework and assurance rating system will
bring certainty not found in other industry
proposals:
• building consumer trust in the overall safety
of vehicles
• specifically, highlighting vehicle defences
against cyber attacks and their resilience to
those threats in the event of a breach
• potentially resulting in reduced insurance
premiums
• increased future vehicle sales - and
therefore return on investment in actions
brought about by the framework - as a
result of the above.
This paper is intended to present
stakeholders – vehicle manufacturers,
insurers, policymakers and infrastructure
owners - with details of the framework
assessment criteria, the rating system and a
roadmap to implement both.
Stakeholders that implement the framework
will reap multiple rewards. It enables vehicle
manufacturers and suppliers to monetise
the investment they are already making,
driving further investment, differentiation,
competition and improvement.

The Requirement for an Assurance Framework and Rating System

Understanding Risk

These are exciting times for the automotive industry. Technology is transforming vehicle production and the driving experience as a whole. But with the implementation of next-generation systems comes great responsibility.

That responsibility begins with an understanding of risk. As vehicles become smarter, so will criminals looking to exploit vulnerabilities.

Figure 1 shows the typical attack surface of a connected vehicle.

[Figure 1. Vehicle attack surface. Diagram labels: entry points to attack the vehicle (remote and physical): consumer devices, Bluetooth, WiFi, DAB, GPS, keyless entry, immobiliser, camera, radar, lidar, TPMS, OBD, USB, media, EV, GSM/3G/4G, service provider, OEM backend, ITS. Further labels: in-vehicle network (CAN, FlexRay), JTAG, serial I/O, side channels. Annotations: vehicle as an IoT attack vector; attacks move “down the stack” as countermeasures improve.]

Risk can be assessed as a function of threat,
vulnerability and impact. Using connected
cars as an example:
Vulnerability = A weakness that can be
exploited in order to attack e.g. an open
wireless network port on a connected
infotainment system
Threat = Potential to exploit vulnerability e.g.
a criminal installs malware into a vehicle’s
systems via an exposed entry point on the
attack surface
Impact = Damage to the vehicle; physical or
digital information theft; injury; reputational
damage to the parent brand.
The 5StarS consortium’s framework seeks to
assure consumers that the vehicle they are
interested in buying or using, and insurers
that the vehicle they are insuring, is subject to
appropriate and effective cybersecurity risk
management.
Existing Demand for Cybersecurity Assurance
The UN is currently developing global
regulations on cybersecurity for vehicle
type approval. A UNECE task force has
developed draft regulations requiring vehicle
manufacturers to have their management
systems for cybersecurity and over-the-air
software updates independently audited
before a new vehicle can gain type approval.
Meanwhile, a joint working group of industry
experts is currently developing a new
international standard, ISO/SAE 21434 Road
vehicles – Cybersecurity engineering, which
will define the automotive industry state-of-
the-art for cybersecurity engineering. This
standard is also expected to be the reference
against which the UNECE cybersecurity
management system audit is carried out.
ISO 56000 Innovation Management is also
currently under development. This standard
will act as guidance for the development
of a CAV Innovation System Framework,
developed by Axillium, and provide the
standards to which all stages of innovation
activity will adhere. The innovation framework
is designed to allow for integration of the
assurance and assurance rating frameworks
during future CAV innovation so that
cybersecurity is considered from the earliest
stage of R&D/product development (see
page 13).
Elsewhere, consumer groups such as
Consumer Reports in the US have announced
plans to evaluate the security and privacy
aspects of consumer products, including
vehicles. Just like data security generally,
cyber threats are reaching the collective
consumer consciousness as a component
of overall vehicle safety. In response, the US
SPY Car Act, introduced in 2015, includes a
number of demands of vehicle manufacturers.
The 5StarS assurance framework is
specifically designed to build on relevant
published and emerging international
standards and regulations, with members of
the consortium actively involved in both the
UNECE and ISO/SAE developments. The
5StarS framework enhances the standards
and regulations, and introduces additional
assurance, by providing supplementary
assessment criteria.
The requirements of the 5StarS assessment
are aligned with SAE J3061, the current
draft of ISO/SAE 21434 and the UK National
Cyber Security Centre (NCSC) Cybersecurity
Assurance Framework. Therefore, it is
expected that a vehicle manufacturer can
achieve an efficient cybersecurity assessment
with reasonable effort by aligning processes
and activities with the 5StarS framework.
Benefits
With the introduction of the assurance
framework, we believe those operating in
the manufacturing supply chain can pinpoint
problems based on the scoring output of
the assessments and try to fix the issues –
ultimately helping to build insurer certainty
and consumer trust.
The wider benefits for all stakeholders are
manifold, as set out in Table 1.
It’s important to note that standards and
regulations in development or already being
used do not ultimately provide consumers
with a way to make informed buying decisions
based on cybersecurity properties, or for
insurers to evaluate threats when pricing
insurance premiums.
The goal of 5StarS is to fill this gap by
providing a roadmap to increased assurance
in the cybersecurity of connected and
autonomous vehicles. This roadmap starts
by providing practical guidance and support
for vehicle manufacturers to meet the
demands of the emerging regulations and
standards, and defines a progression towards
independent assessment, feeding into a
risk-based framework with a visible rating for
insurers and consumers.
[Figure 2. How the Automotive Cybersecurity through Assurance project relates to standards and regulatory activity. Diagram labels: regulations, standards and best practice (ISO/SAE 21434 Cybersecurity Engineering, under development; SAE J3061; BSI PAS 1885; UN ECE WP.29), linked by “Align and inform standardisation” to the 5StarS “Automotive Cybersecurity through Assurance” project, which comprises the Innovation Framework, the Assessment Framework and the Assurance Rating Framework. Vehicle manufacturers and suppliers (innovation and product development according to international standards) submit for assessment to a Cybersecurity Assessment Laboratory; the resulting assurance rating goes to insurers and consumers.]
Table 1. Summary of stakeholder benefits
Stakeholder: Key Benefits

Vehicle manufacturers
• Clear line of sight between investment in cybersecurity and revenue
• A means of increasing consumer confidence and building trust compared to self-assessment approach
• Improved cybersecurity of products or variants through independent testing
• Benchmark for measuring cybersecurity engineering against rival vehicle manufacturers
• Reduced product liability by employing cybersecurity engineering best practice
• Potential sharing of costs across supply chain via assurance assessment of vehicle, systems and sub-systems

Insurers
• Gives assurance that vehicles to be insured are subject to appropriate and effective cybersecurity risk management, so new group rating can be applied with confidence
• Provision of assurance rating demonstrating vehicle manufacturers’ understanding of risk and actions taken to mitigate it

Policymakers/government
• Gives visibility of trending vulnerabilities and threats of cyber attacks in anonymised form.
• Provides governance around current and future management and mitigation of associated risks by the automotive sector

Infrastructure
• Helps infrastructure operators understand the CAV cybersecurity landscape and level of consumer demand / future pressure on infrastructure systems

Consumers
• Assurance rating system provides a direct comparison between different models when motorist is comparing and choosing vehicles
• Builds trust among motorists about vehicle manufacturers’ commitment to manage cyber-attack risks, and the safety and security of their vehicle

A Roadmap to Increased Assurance for Connected and Autonomous Vehicles

The 5StarS project is set to conclude in 2019 when we will make final recommendations for a cybersecurity assessment and assurance rating framework, following industry consultation and further research.

This will require additional development by consortia to promote adoption by the automotive industry and support from other stakeholders. The adoption timeframe will depend on the route taken.

The first version of the 5StarS framework should provide a meaningful but achievable level of assurance that can be supplemented as the level of cybersecurity of the automotive industry matures, as illustrated in Figure 3 below.

[Figure 3. Increasing assurance offered by the 5StarS framework. Diagram labels: stacked layers Regulations (UNECE), Standards (ISO/SAE 21434) and 5StarS assurance framework, against an axis labelled “Increasing assurance”.]

Industry Adoption

Following the completion of the 5StarS project in 2019, we propose a period of adoption of the assurance framework as an assessment process. We suggest the end of this period of adoption should coincide with the planned publication date of the finalised ISO/SAE 21434 standard, currently expected at the end of 2020.

Timings

5StarS will use a phased approach to the roadmap to continually raise the bar for manufacturers. The full assessment criteria will be applicable from the start, but the scoring thresholds will be used to increase the difficulty of attaining a high score over time. Therefore, manufacturers will have the potential to reach the maximum score of five stars immediately, although a more rigorous approach to cybersecurity will be required to achieve this same score in future.

Initially, the timing of the phase changes will be aligned to the introduction of the new standards from ISO/SAE 21434 and UNECE to reduce the overhead and duplication of effort required by manufacturers to take part in a 5StarS assessment.

As new technology and cybersecurity best practice change over time, the criteria will be amended again. However, the 5StarS consortium will work with manufacturers to give them advance warning whenever possible, thus maintaining consistency of scoring. Our current proposal is that, in future, assessment criteria will be reviewed annually.

Figure 4 below sets out the proposed timeline for the implementation of each phase of the roadmap relative to the timeline of the UNECE regulations, ISO/SAE 21434 and the innovation framework. Each phase will require adoption and development with industry involvement prior to implementation. The assessment ratings will be adjusted so that, at each successive phase, the requirements to achieve a given rating will be more stringent.

[Figure 4. Proposed timeline for the implementation of each phase of the roadmap. Time axis: 2019, 2020, 2021, 2022, 202?. Tracks: UNECE, ISO/SAE 21434, 5StarS, ISO/CD 56000. Milestone labels: adoption by WP.29; transition period; ISO/SAE 21434 DIS; ISO/SAE 21434 publication; project complete; industry adoption; Phase 1; Phase 2; Phase 3; dynamic evolution of test requirements and rating thresholds; ISO CD 56000 committee stage; ISO CD 56000 publication stage; TR56002: Innovation management system; TR56003: Innovation management tools and methods for innovation partnerships; TR56004: Innovation management assessment; dynamic evolution of innovation concepts.]

Assurance Framework

The 5StarS Assurance Framework is illustrated in Figure 5. It comprises several elements, including the System Lifecycle and Maturity Model, the Vehicle Assessment Framework, the Vehicle Cybersecurity Assurance Rating and the CAV Innovation System Framework. These elements are described in more detail below.

[Figure 5. Illustration of the overall 5StarS framework. Diagram labels: System Lifecycle and Maturity model (product development; production, operations, maintenance & decommissioning; cybersecurity governance & management); Vehicle Cybersecurity Assessment (vulnerability assessment; sub-system assurance); Vehicle Cybersecurity Assurance Rating; CAV Innovation System Framework; alignment to international standards and regulations: Regulations (UNECE, NHTSA), International Standards (ISO/SAE 21434, SAE J3061), Best Practices (BSI PAS 1885, DfT principles); agility; validity; national variance; threat landscape monitoring.]

Innovation Framework
Currently in development, the CAV Innovation
System Framework (CISF or innovation
framework) has been designed to integrate
into the assurance framework to provide a
system for vehicle manufacturers to assess
and ensure that exploitation considerations
are built in at the initial concept stages, and
can therefore achieve the assurance
framework accreditation and assurance
rating.
At present, there is not a recognised standard
for managing the innovation aspects of large,
collaborative CAV R&D projects. Aligning the
CAV innovation framework with ISO 56000
will ensure:
• Innovation management
• Identification of CAV opportunities for
market exploitation
• Identification of funding opportunities for
technology exploitation
• Verification of current and future project
technology readiness levels
The benefits to stakeholders are:
• For vehicle manufacturers, de-risking the
innovation process of their internal R&D
and supply chains, increasing the
likelihood of achieving a high 5StarS rating
• Consumers will benefit from improved
products, sooner, if the product innovation
process is streamlined
In terms of product development/verification,
the innovation framework sits in the vehicle
pre-concept stage, feeding into the
engineering space of the overall assurance
framework.
Successful integration of the innovation
framework will help simplify the process of
implementing changes and facilitate roll-out
of new versions.
ISO 56000 Innovation Management System, a
key component of the innovation framework,
sits alongside the engineering stream of ISO/
SAE 21434 but is expected to be applied from
an earlier date.
ISO/TR 56004 Innovation Management
Assessment is also currently being proposed.
The innovation framework would include
elements of it, along with Digital Readiness
Level tools and R&D processes that already
form part of the framework under ISO 56003
Innovation Management – Tools and Methods
for Innovation Partnership.
In turn, the innovation framework will feed into
the assurance framework roadmap as
illustrated in Figure 4 in Timings.

[Figure 6. Illustration of assessment components. Diagram labels: lifecycle phases: development phase (concept and design (product development)), production phase (production), post-production phase (ownership, transfer of ownership, maintenance and updates, end of vehicle life), all under Cybersecurity Governance and Management (secure by default / defence in depth principles / cyber security standards). Activity groups: conformance monitoring, testing, information security assessments, supply chain assurance. Detail labels include: feature definition (convenience, safety-related systems, safety critical systems such as ADAS, airbag systems, battery management systems, seat belts, braking systems, drive-by-wire, park-by-wire, power steering systems); initiation of cyber security lifecycle; threat analysis and risk assessment; cyber security concept; functional requirements; initial cyber security assessment; evaluation of concept and design (threat modelling, vulnerability assessment, risk assessment, safety considerations); testing methods (test driven development, static analysis, unit, integration, regression, exploratory, fuzz, penetration, performance and automated testing); information security assessment methods (education of staff, staff vetting, verifying the awareness of cyber security policy, access control tests, social engineering tests, log reviews); support period; data protection; field monitoring; security incident management; personal data; digital updates; physical updates; infotainment systems; telematics data; data sanitisation; transponders.]

Assessment Overview
The vehicle cybersecurity assessment consists of the four components described below.
Components 1, 2 and 3 are supported by the System Lifecycle and Maturity Model, which defines
best practices across the vehicle lifecycle as well as assessment criteria. Component 4 covers an
assessment of the vehicle itself.
1. Concept and design (product development) - the engineering processes used to design
security into vehicles and systems; covering concept, system and component design, and testing
and validation during vehicle and system engineering. The assessment should consider the
existence of suitable processes and whether they have been followed.
2. Cybersecurity governance and management - considering whether appropriate
organisational measures for cybersecurity are in place, independent of particular projects. This
includes assessing an organisation’s cybersecurity culture, provision of appropriate resources,
training and information sharing. The above elements take into account the emerging standards
and expected regulatory requirements mentioned.
3. Production, operations, maintenance and decommissioning - the processes in place when
the vehicle is in the field, including aspects such as field monitoring processes, incident
management and response, and product (including over-the-air) updates.

Table 2. Examples of assessment criteria that will be used in the lifecycle assessment. Indicators of good practice are used to score elements of the vehicle lifecycle.

10.3a) An incident response team (IRT) should be set up with adequate resources and a set of procedures in place to quickly and efficiently determine the category of incident and provide a timely response, informing relevant persons or organisations.
Indicators of good practice:
- The team has a set of procedures in place but there is no explicit budgeting for incident response.
- The team has a set of procedures in place and there is explicit budgeting for incident response.
- The team has a set of procedures in place and there is explicit budgeting for incident response and the incident response team is well resourced.

10.6a) There should be an easy way for an existing owner to remove all of their personal data from their vehicle prior to sale or transfer to a new owner. The sanitisation procedure should:
• Be easily accessible, probably through the menu of the infotainment.
• Inform the owner what will happen if they do run the procedure and request their confirmation prior to proceeding.
• Confirm to the user when complete via both an audible and a visual signal.
• There should be verification of the sanitisation.
Indicators of good practice:
- There is no central method of sanitisation.
- There is a central method of sanitisation that performs some but not all of the stated steps.
- There is a central method of sanitisation that performs all of the stated steps.

11.3.3a) OTA updates should be designed so that safety or security is not impacted during the update. Users should not be able to drive the vehicle during an update if it is not safe to do so.
Indicators of good practice:
- Unmitigated security vulnerabilities or safety risks are created when an OTA update takes place.
- There are some mitigating actions to prevent security vulnerabilities or safety risks being created when an OTA update takes place.
- The creation of security vulnerabilities or safety risks during an OTA update is fully mitigated against to an acceptable level of risk.

4. Vulnerability assessment – as well as assessing the processes that the vehicle manufacturer
has in place and followed when developing the vehicle, it is also important to assess the vehicle
itself, to seek further assurance that the processes have actually resulted in a sufficiently resilient
realisation of the vehicle.
The vulnerability assessment begins with security-focused reviews of the vehicle manufacturer’s
work products, such as threat and vulnerability analyses, risk assessments, design and test
specifications, and penetration tests and results.
From these activities, an independent vulnerability analysis and practical tests are carried out to
identify any residual product vulnerabilities - and whether they could be exploited.
The assessor shall carry out an independent vulnerability analysis followed by a test plan
consisting of appropriate tests, to explore and assess the exploitability of any identified residual
vulnerabilities.
As the tests will vary over time and between vehicles, a guideline document giving examples of
appropriate cybersecurity tests will be maintained by the 5StarS committee. This document will be
used for two purposes:
• By the assessment laboratory to develop an appropriate test plan for the vehicle under
assessment;
• By the laboratory accreditation process to ensure the consistency of the assessments carried
out by approved assessment laboratories and to verify the competence of laboratories and their
assessors.
During an assessment, appropriate tests will be planned based on the categories shown in Table 3.
Some non-exhaustive examples are given for each category, which will be expanded further in the
guidelines to be maintained by the 5StarS committee (see Governance, page 22).
All applicable tests for a given assessment will be selected from the test guideline document based
on the features of the vehicle. For example, if the vehicle does not have a Wi-Fi hotspot fitted, those
tests will not be carried out and there will be no negative impact on the assessment result.
Table 3. Test categories and examples
Test category, followed by examples of tests:
1. Long-range wireless tests
• Jamming, spoofing or eavesdropping of cellular and broadcast interfaces
2. Short-range wireless tests
• Manipulation of wireless interfaces such as Wi-Fi, Bluetooth
• Spoofing of sensor measurements to manipulate driver assistance or automated driving functions
3. Physical interface tests
• Manipulation of OBD-II diagnostic protocols
• Sufficiency of isolation of the OBD-II port from safety-relevant functions
4. In-vehicle network tests
• Spoofing or tampering of messages on the CAN bus
• Effectiveness of any intrusion detection systems
• Effectiveness of any message authentication
5. ECU hardware and software tests
• Reverse engineering, re-flashing or other manipulation of embedded software
• Accessibility of debug ports (e.g. JTAG)
• Recovery of cryptographic keys by side channel analysis
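The selection rule described before Table 3, as an added example that is not part of the 5StarS paper: tests are chosen according to the features fitted, and tests for absent features are excluded rather than counted against the vehicle. The test names, feature tags and the pass-ratio summary are assumptions; the paper does not define a scoring formula.

```python
from dataclasses import dataclass

# Constructed catalogue. Categories follow Table 3; the test names, the
# feature tags and the pass-ratio summary are illustrative assumptions.
@dataclass(frozen=True)
class SecurityTest:
    category: str
    name: str
    requires: frozenset  # features that must be fitted for the test to apply

CATALOGUE = [
    SecurityTest("Long-range wireless", "Cellular eavesdropping", frozenset({"cellular"})),
    SecurityTest("Short-range wireless", "Wi-Fi hotspot manipulation", frozenset({"wifi_hotspot"})),
    SecurityTest("Short-range wireless", "Bluetooth manipulation", frozenset({"bluetooth"})),
    SecurityTest("Physical interface", "OBD-II isolation", frozenset({"obd2"})),
    SecurityTest("In-vehicle network", "CAN message spoofing", frozenset({"can"})),
    SecurityTest("In-vehicle network", "IDS effectiveness", frozenset({"can", "ids"})),
    SecurityTest("ECU hardware and software", "Debug port accessibility", frozenset()),
]

def build_test_plan(features):
    """Return (applicable, not_applicable) tests for the fitted features."""
    fitted = set(features)
    plan = [t for t in CATALOGUE if t.requires <= fitted]
    skipped = [t for t in CATALOGUE if not t.requires <= fitted]
    return plan, skipped

def summarise(plan, results):
    """Pass ratio per category, computed over applicable tests only.

    A planned test with no recorded result is an incomplete assessment,
    not a "not applicable", so it raises instead of being skipped.
    """
    missing = [t.name for t in plan if t.name not in results]
    if missing:
        raise ValueError(f"no result recorded for: {missing}")
    totals = {}
    for t in plan:
        passed, count = totals.get(t.category, (0, 0))
        totals[t.category] = (passed + bool(results[t.name]), count + 1)
    return {cat: passed / count for cat, (passed, count) in totals.items()}

if __name__ == "__main__":
    # Constructed vehicle: no Wi-Fi hotspot and no intrusion detection system.
    plan, skipped = build_test_plan({"cellular", "bluetooth", "obd2", "can"})
    results = {t.name: t.name != "CAN message spoofing" for t in plan}
    print("not applicable:", [t.name for t in skipped])
    print(summarise(plan, results))
```

Because the Wi-Fi test is excluded from the plan, not recorded as a failure, the short-range wireless ratio for this vehicle depends only on the Bluetooth result.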
[Figure 7 diagram labels: System lifecycle criteria (Cybersecurity Governance and Management; Product Development; Production, Operations, Maintenance and Decommissioning); Vulnerability Assessment (design review, vulnerability analysis, penetration testing); Level 1 score (Basic): criteria corresponding to UNECE audit requirements; Level 2 score (Medium): criteria corresponding to all ISO/SAE 21434 requirements; Level 3 score (High): 5StarS additional criteria; assessment scoring within each of the 8 DfT Key Principles of Cyber Security for CAV.]
The Assurance Rating System
After each assessment, the laboratory will issue a detailed report to the manufacturer
containing full details of findings, including the level of assurance achieved by the
assessed vehicle. The report enables the manufacturer to understand the outcome of the
assessment and any findings or issues to be resolved. At this stage there is the
opportunity for the manufacturer to resolve any open issues before proceeding to obtain
an assurance rating for the vehicle. The assessment criteria and requirements are
illustrated in Figure 7 below, followed by an explanation of how they are grouped.
Figure 7. Assessment criteria (an explanation of DfT principles can be found on page 19)
The levels below illustrate how the assessment criteria are grouped by difficulty level, and their
alignment with the requirements of the standards and regulations. This aids the definition of the
thresholds used to derive the rating from the assessment scores:
• Level 1 criteria are based on independent audit of the vehicle manufacturer’s cybersecurity
management system against the anticipated regulatory requirements of UNECE, and include
the results of a basic level of vulnerability assessment and testing.
• Level 2 criteria are based on independent assessment against the anticipated requirements of
ISO/SAE 21434 or equivalent standards, and include the results of a medium level of vulnerability
assessment and testing.
• Level 3 criteria are based on independent assessment against the requirements of the full 5StarS
framework including additional system lifecycle criteria, and include the results of a high level of
vulnerability assessment and testing.
As part of the assessment process, the laboratory records a set of scores aligned to the assurance
needs of insurers and consumers.
Results of the assessment are categorised according to the Department for Transport (DfT)
Principles for cybersecurity in Connected Autonomous Vehicles as shown in Table 4.
Table 4. DfT Principles for Cybersecurity in Connected Autonomous Vehicles
Category Criteria
1 Organisational security is owned, governed and promoted at board level
2 Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
3 Organisations need product aftercare and incident response to ensure systems are secure over their lifetime
4 All organisations, including sub-contractors, suppliers and potential third parties work together to enhance the security of the system
5 Systems are designed using a defence-in-depth approach
6 The security of all software is managed throughout its lifetime
7 The storage and transmission of data is secure and can be controlled
8 The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.
[Figure 8 diagram labels: Assessment scoring; Principles 1-8, each with recommendations; insurer weighting; consumer weighting; threshold banding.]
The rating will reflect the confidence in a vehicle’s cyber resilience based on the 5StarS assurance
framework - in turn related to future, mandatory cybersecurity standards - and be comparable to
other rated vehicles. Insurers will also receive textual comments for each one of the eight principles
as guidance on why the vehicle received the rating, as well as a score breakdown. To avoid
confusion, the insurer rating will not be made public.
The aim of the rating is to inform the consumer’s buying decision as well as to provide underwriters
with information to help assess a vehicle’s cyber risk. Given their different priorities, the final scores
for consumers and insurers may differ. The rating will influence the vehicle’s insurance group rating.
This affects the cost of insuring the rated vehicle for the consumer. The assurance rating system
will apply to new vehicles only.
Just as the Euro NCAP star rating has won widespread recognition, we believe that the 5StarS
rating system will be of huge benefit, not just to consumers and insurers but also vehicle
manufacturers that require a visible representation of their efforts and investment to meet the
stringent assessment tests of the assurance framework.
Assurance rating measurement criteria
Requirements of the assurance rating system are as follows. It shall:
• build upon initial consultation with insurers to define a rating that is understandable to insurers
and the consumer, while still meaningfully reflecting the level of cybersecurity assurance
• consider the perception of the rating by consumers and insurers
• address the evolving threat landscape and the applicability of the rating beyond the date of issue
• address differences between countries
• include consideration for maintenance and periodic technical inspection.
Figure 8. Process of moving from assessment to assurance rating
[Figure 9 diagram labels: 5StarS assessment scheme; assurance rating scheme; vehicle manufacturers and suppliers; independent cybersecurity assessment laboratories; national cybersecurity technical authority; 5StarS committee; Thatcham and consumer bodies; insurers and consumers; vehicle assurance rating database; vehicle; threat landscape. Relationships shown: monitor, participate, develop and maintain, accredit, represent, consult, submit rating, submit for assessment, assessment report.]
Governance
The 5StarS consortium proposes that the assurance framework should be governed based on the
example in Figure 9 below. There follows a description of key stakeholders’ role in the process -
NB the example illustrates the proposed governance model for the UK, but the model is applicable
internationally:
Figure 9. 5StarS assurance framework governance
Vehicle manufacturers and suppliers
The vehicle manufacturer and its tiered supply chain develop products according to the relevant
regulations, standards and best practice, and submit products for assessment prior to release for
production. The vehicle manufacturer selects a 5StarS-accredited assessment laboratory of its
choice and enters into a contract with the laboratory to carry out the assessment.
Independent cybersecurity assessment laboratories
Cybersecurity assessment laboratories, independent of vehicle or component manufacturers, are
accredited by the relevant national cybersecurity technical authority (see below) to carry out vehicle
cybersecurity assessments and issue vehicle cybersecurity assurance ratings according to the
5StarS assurance framework.
A laboratory accreditation scheme will be required to ensure consistency of assessments between
laboratories. It is proposed that this scheme will be overseen by the national cybersecurity
technical authority of the country in which the assessment laboratory is located. The accreditation
is to be carried out by an accreditation body such as UKAS, analogous to standards such as ISO
17025.
National cybersecurity technical authority
Each nation supporting the assessment scheme appoints an appropriate technical authority, which
may be the government national cybersecurity agency, for example the National Cyber Security
Centre (NCSC) in the UK. The technical authority oversees the accreditation of each of the
assessment laboratories located within its jurisdiction, and periodically monitors the laboratories to
ensure consistent application of the framework and competency across laboratories.
5StarS Committee
This committee is responsible for the ongoing development and iteration of the 5StarS assurance
framework and all its elements. This is to ensure that the scheme is kept up to date with the
evolving security landscape and continues to meet the needs of all stakeholders.
Additional Considerations
Ongoing Assessments
Assessment is expected to be carried out before vehicle type approval. Assessors should therefore
be required to examine existing cybersecurity measures during production, but also any measures
in place for the post-production lifecycle.
Vehicle Assurance Rating Database
The vehicle assurance ratings issued by the assessment laboratories are to be stored in a central
repository that can be consulted by the relevant stakeholders, such as consumers and insurers.
This database shall only store the final ratings; the full vehicle cybersecurity assessment report is
shared only with the relevant vehicle manufacturer.
Geographical Scope
Although the 5StarS project is UK government-funded and the consortium partners are UK-based,
it is planned that the assurance framework and assurance rating system will apply internationally.
This will assist vehicle manufacturers aiming to sell vehicles globally, not just in the UK.
As a consequence, the framework is being designed to align to current and emerging international
standards and best practice, so that it can be applied outside the UK.
Supply Chain Scope
The supply chain scope should include the vehicle manufacturer and the tiered suppliers of
components and services that are supplied under contract to the vehicle manufacturer, in this
instance relating to cybersecurity-relevant systems. The 5StarS project is developing vehicle-level
and system/sub-system frameworks which will be integrated into the overall assurance framework.
Next Steps – Making the Roadmap a Reality
The 5StarS consortium now seeks to build upon initial feedback received from our key
stakeholder groups of manufacturers, government and insurers on the proposals outlined in this
document.
A trial phase is now required in which we will invite interested vehicle manufacturers to validate
the assurance framework against their vehicles.
The proposed governance approach also requires further development and evaluation with all key
stakeholders, to define the implementation and ongoing operation of the framework.
The 5StarS consortium are now evaluating opportunities to conduct these trials and would
welcome any input on next steps via the project website:
www.5starsproject.com
Conclusion
This paper outlines the 5StarS consortium’s proposals for an assurance framework and an
assurance rating system for cybersecurity in the automotive industry, and the reasons they are
required.
Like many industries, vehicle manufacturing is undergoing seismic changes driven by new
technology. While consumers will be enthused by the scope of these products, they also need to
know that their vehicles and personal data will remain safe from the threat of cyber attacks.
A system for assuring the resilience and efficacy of the intricate components and systems that
operate in the vehicles being brought to market is crucial for customers’ peace of mind.
Simultaneously, demonstrating that appropriate security measures are in place can accelerate a
whole new revenue stream for the industry.
In a hyper-connected world, cybersecurity matters more than ever. Can you afford to be left
standing at the roadside or will you play your part in making the roadmap a reality?
Acknowledgements
The 5StarS consortium would like to thank the following for their feedback during the
consultation phase:
• SMMT and representatives of vehicle manufacturers
• Thatcham Research Security Committee (insurers)
• ADIG Cyber Sub-group (insurers)
• Government agencies: DfT, CCAV, NCSC, InnovateUK