
A Roadmap to Resilience - 5StarS (2019/06/05)


A Roadmap to Resilience

HOW THE AUTOMOTIVE SECTOR CAN BUILD TRUST IN CONNECTED VEHICLES


Contents

Executive Summary
Introduction
The Requirement for an Assurance Framework and Rating System
Understanding Risk
Existing Demand for Cybersecurity Assurance
Benefits
A Roadmap to Increased Assurance for Connected and Autonomous Vehicles
Industry Adoption
Timings
Assurance Framework
Innovation Framework
Assessment Overview
The Assurance Rating System
Governance
Additional Considerations
Next Steps – Making the Roadmap a Reality
Conclusion
Acknowledgements


Executive Summary

The 5StarS Consortium was created in 2017, funded by UK government-backed Innovate UK and bringing together automotive industry experts: HORIBA MIRA, Ricardo, Thatcham Research, Roke and Axillium.

Our mission is to develop a framework for vehicle manufacturers to implement in response to the technological developments that are sweeping across the automotive sector.

While technology is a common component of new vehicles, it can bring a greater threat of cyber attacks. Consumers expect the latest technology to be included but their awareness of cybersecurity issues is growing. It is a threat to the sector that stakeholders must also take seriously.

The 5StarS assurance framework will give vehicle manufacturers a measure of their vehicles’ resilience and allow stakeholders to understand their risks from connectivity. We also propose a consumer-facing assurance rating system to reassure motorists about their choice of vehicle. We believe this will build trust in the engineering and operation process and, crucially, in the safety, security and resilience of vehicles.

This paper summarises the output of the consortium’s work, incorporating feedback from stakeholders. It sets out the benefits to all stakeholders of adhering to the framework. It includes a roadmap that vehicle manufacturers will follow to pass the tests of the assurance framework. It also introduces details of independent assessments and the agility built into the framework, allowing it to be adapted to deal with continually changing threats. Finally, we present details of the consumer-facing assurance rating system.

The framework has been designed with vehicles launched in the UK in mind. However, it is intended to be globally relevant and aligns to international standards. The roadmap factors in - but goes further than - other vehicle cybersecurity tests, standards and assessments in development, such as the emerging ISO/SAE 21434 [1] and the CAV Innovation System Framework [2].

Through our research and evidence gathered to develop the framework, we are confident that it is a workable and positive response to the issues posed by new technology. It will allow vehicle manufacturers and others to deal with the risks but also consider the clear opportunities on offer.

The 5StarS consortium is now evaluating opportunities to conduct trials, in order to validate the assurance framework and its implementation.

Ultimately, the 5StarS framework will help build trust in the huge advances new technology can bring to the automotive sector and provide return on investment through increased vehicle sales.

[1] https://www.iso.org/standard/70918.html
[2] https://www.iso.org/standard/69315.html


Introduction

In the automotive sector connectivity will be a key driver of future sales volumes. As such, motorists want to know they are spending their hard-earned money on vehicles that have proven, built-in safeguards and resilience against emerging forms of crime such as remote data theft.

This need is already recognised within the industry. As GM’s head of product cybersecurity, Jeff Massimilla, states: “Cyber is something customers are making purchasing decisions on… the customer’s notion of a particular company’s cybersecurity proficiency is likely to become like many other competitive metrics when it comes to winning a spot on a buyer’s consideration list.”

As vehicle manufacturers install ever-more ingenious technology to differentiate their vehicles - from in-car entertainment and voice-activated payment systems, to connectivity that will boot up our homes as we drive there - criminal threats that exploit inherent weaknesses are sure to ramp up.

Meanwhile, the arrival of Connected Autonomous Vehicles (CAVs) and Advanced Driver Assistance Systems (ADAS) is also accelerating the debate around technology’s role in, and impact on, road safety.

Continuing to build consumers’ trust in both vehicle safety and cybersecurity will therefore be critical. The consortium’s mission is to develop an assurance framework that underpins future assessments of the cybersecurity capabilities of new vehicles and their resilience to attacks.


5StarS’ proposed assurance framework is based on independent assessments that will scrutinise vehicles’ cybersecurity capabilities. There are several phases involved and these are set out as a roadmap on the following pages.

Several CAV-related cybersecurity standards and regulations are in the pipeline, such as UNECE regulations and ISO/SAE 21434, and the roadmap has been developed in tandem with these emerging standards. However, they are intended to be used by manufacturers to build in cybersecurity as part of their engineering processes. There is currently no way for consumers to make informed buying decisions based on cybersecurity, or for insurers to evaluate cybersecurity risk when pricing insurance premiums. The output of the 5StarS assurance framework is an assurance rating system that motorists, insurers and the wider industry can easily understand; note the success of the Euro NCAP rating system.

We believe a cybersecurity assurance framework and assurance rating system will bring certainty not found in other industry proposals:

• building consumer trust in the overall safety of vehicles

• specifically, highlighting vehicle defences against cyber attacks and their resilience to those threats in the event of a breach

• potentially resulting in reduced insurance premiums

• increased future vehicle sales - and therefore return on investment in actions brought about by the framework - as a result of the above.

This paper is intended to present stakeholders - vehicle manufacturers, insurers, policymakers and infrastructure owners - with details of the framework assessment criteria, the rating system and a roadmap to implement both.

Stakeholders that implement the framework will reap multiple rewards. It enables vehicle manufacturers and suppliers to monetise the investment they are already making, driving further investment, differentiation, competition and improvement.


The Requirement for an Assurance Framework and Rating System

Understanding Risk

These are exciting times for the automotive industry. Technology is transforming vehicle production and the driving experience as a whole. But with the implementation of next-generation systems comes great responsibility.

That responsibility begins with an understanding of risk. As vehicles become smarter, so will criminals looking to exploit vulnerabilities.

Figure 1 shows the typical attack surface of a connected vehicle.

Figure 1. Vehicle attack surface

[Diagram. Entry points to attack the vehicle (remote and physical): consumer devices, Bluetooth, WiFi, DAB, GPS, keyless entry, immobiliser, camera/radar/lidar, TPMS, OBD, USB, media, EV, GSM/3G/4G, service provider, OEM backend, ITS. Attacks move “down the stack” as countermeasures improve: in-vehicle network (CAN, FlexRay), JTAG, serial I/O, side channels. The vehicle is also shown as an IoT attack vector.]


Risk can be assessed as a function of threat, vulnerability and impact. Using connected cars as an example:

Vulnerability = A weakness that can be exploited in order to attack, e.g. an open wireless network port on a connected infotainment system.

Threat = Potential to exploit vulnerability, e.g. a criminal installs malware into a vehicle’s systems via an exposed entry point on the attack surface.

Impact = Damage to the vehicle; physical or digital information theft; injury; reputational damage to the parent brand.

The 5StarS consortium’s framework seeks to assure consumers that the vehicle they are interested in buying or using, and insurers that the vehicle they are insuring, is subject to appropriate and effective cybersecurity risk management.

Existing Demand for Cybersecurity Assurance

The UN is currently developing global regulations on cybersecurity for vehicle type approval. A UNECE task force has developed draft regulations requiring vehicle manufacturers to have their management systems for cybersecurity and over-the-air software updates independently audited before a new vehicle can gain type approval.

Meanwhile, a joint working group of industry experts is currently developing a new international standard, ISO/SAE 21434 Road vehicles – Cybersecurity engineering, which will define the automotive industry state-of-the-art for cybersecurity engineering. This standard is also expected to be the reference against which the UNECE cybersecurity management system audit is carried out.

ISO 56000 Innovation Management is also currently under development. This standard will act as guidance for the development of a CAV Innovation System Framework, developed by Axillium, and provide the standards to which all stages of innovation activity will adhere. The innovation framework is designed to allow for integration of the assurance and assurance rating frameworks during future CAV innovation so that cybersecurity is considered from the earliest stage of R&D/product development (see the Innovation Framework section).

Elsewhere, consumer groups such as Consumer Reports in the US have announced plans to evaluate the security and privacy aspects of consumer products, including vehicles. Just like data security generally, cyber threats are reaching the collective consumer consciousness as a component of overall vehicle safety. In response, the US SPY Car Act, introduced in 2015, includes a number of demands of vehicle manufacturers.

The 5StarS assurance framework is specifically designed to build on relevant published and emerging international standards and regulations, with members of the consortium actively involved in both the UNECE and ISO/SAE developments. The 5StarS framework enhances the standards and regulations, and introduces additional assurance, by providing supplementary assessment criteria.

The requirements of the 5StarS assessment are aligned with SAE J3061, the current draft of ISO/SAE 21434 and the UK National Cyber Security Centre (NCSC) Cybersecurity Assurance Framework. Therefore, it is expected that a vehicle manufacturer can achieve an efficient cybersecurity assessment with reasonable effort by aligning processes and activities with the 5StarS framework.


Benefits

With the introduction of the assurance framework, we believe those operating in the manufacturing supply chain can pinpoint problems based on the scoring output of the assessments and try to fix the issues – ultimately helping to build insurer certainty and consumer trust.

The wider benefits for all stakeholders are manifold, as set out in Table 1.

It’s important to note that standards and regulations in development or already being used do not ultimately provide consumers with a way to make informed buying decisions based on cybersecurity properties, or for insurers to evaluate threats when pricing insurance premiums.

The goal of 5StarS is to fill this gap by providing a roadmap to increased assurance in the cybersecurity of connected and autonomous vehicles. This roadmap starts by providing practical guidance and support for vehicle manufacturers to meet the demands of the emerging regulations and standards, and defines a progression towards independent assessment, feeding into a risk-based framework with a visible rating for insurers and consumers.

Figure 2. How the Automotive Cybersecurity through Assurance project relates to standards and regulatory activity

[Diagram. Regulations, Standards and Best Practice: ISO/SAE 21434 Cybersecurity Engineering (under development), SAE J3061, BSI PAS 1885, UN ECE WP.29. 5StarS “Automotive Cybersecurity through Assurance” project: Innovation Framework, Assessment Framework and Assurance Rating Framework, which align with and inform standardisation. Vehicle manufacturers and suppliers: innovation and product development according to international standards, then submit for assessment. Cybersecurity Assessment Laboratory: assurance rating, for insurers and consumers.]


Table 1. Summary of stakeholder benefits

Stakeholder, followed by its key benefits:

Vehicle manufacturers

• Clear line of sight between investment in cybersecurity and revenue

• A means of increasing consumer confidence and building trust compared to self-assessment approach

• Improved cybersecurity of products or variants through independent testing

• Benchmark for measuring cybersecurity engineering against rival vehicle manufacturers

• Reduced product liability by employing cybersecurity engineering best practice

• Potential sharing of costs across supply chain via assurance assessment of vehicle, systems and sub-systems

Insurers

• Gives assurance that vehicles to be insured are subject to appropriate and effective cybersecurity risk management, so new group rating can be applied with confidence

• Provision of assurance rating demonstrating vehicle manufacturers’ understanding of risk and actions taken to mitigate it

Policymakers/government

• Gives visibility of trending vulnerabilities and threats of cyber attacks in anonymised form

• Provides governance around current and future management and mitigation of associated risks by the automotive sector

Infrastructure

• Helps infrastructure operators understand the CAV cybersecurity landscape and level of consumer demand / future pressure on infrastructure systems

Consumers

• Assurance rating system provides a direct comparison between different models when motorist is comparing and choosing vehicles

• Builds trust among motorists about vehicle manufacturers’ commitment to manage cyber-attack risks, and the safety and security of their vehicle


A Roadmap to Increased Assurance for Connected and Autonomous Vehicles

The 5StarS project is set to conclude in 2019 when we will make final recommendations for a cybersecurity assessment and assurance rating framework, following industry consultation and further research.

This will require additional development by consortia to promote adoption by the automotive industry and support from other stakeholders. The adoption timeframe will depend on the route taken.

The first version of the 5StarS framework should provide a meaningful but achievable level of assurance that can be supplemented as the level of cybersecurity of the automotive industry matures, as illustrated in Figure 3 below.

Figure 3. Increasing assurance offered by the 5StarS framework

[Diagram labels: Regulations (UNECE); Standards (ISO/SAE 21434); 5StarS assurance framework; arrow labelled “Increasing assurance”.]

Industry Adoption

Following the completion of the 5StarS project in 2019, we propose a period of adoption of the assurance framework as an assessment process. We suggest the end of this period of adoption should coincide with the planned publication date of the finalised ISO/SAE 21434 standard, currently expected at the end of 2020.

Timings

5StarS will use a phased approach to the roadmap to continually raise the bar for manufacturers. The full assessment criteria will be applicable from the start, but the scoring thresholds will be used to increase the difficulty of attaining a high score over time. Therefore, manufacturers will have the potential to reach the maximum score of five stars immediately, although a more rigorous approach to cybersecurity will be required to achieve this same score in future.


Initially, the timing of the phase changes will be aligned to the introduction of the new standards from ISO/SAE 21434 and UNECE to reduce the overhead and duplication of effort required by manufacturers to take part in a 5StarS assessment.

As new technology and cybersecurity best practice change over time, the criteria will be amended again. However, the 5StarS consortium will work with manufacturers to give them advance warning whenever possible, thus maintaining consistency of scoring. Our current proposal is that, in future, assessment criteria will be reviewed annually.

Figure 4 below sets out the proposed timeline for the implementation of each phase of the roadmap relative to the timeline of the UNECE regulations, ISO/SAE 21434 and the innovation framework. Each phase will require adoption and development with industry involvement prior to implementation. The assessment ratings will be adjusted so that, at each successive phase, the requirements to achieve a given rating will be more stringent.

Figure 4. Proposed timeline for the implementation of each phase of the roadmap

[Timeline diagram, 2019 to 202?, with rows for UNECE (adoption by WP.29, transition period), ISO/SAE 21434 (DIS, publication), 5StarS (project complete, industry adoption, Phase 1, Phase 2, Phase 3, dynamic evolution of test requirements and rating thresholds) and ISO/CD 56000 (committee stage, publication stage, TR56002: Innovation management system, TR56003: Innovation management tools and methods for innovation partnerships, TR56004: Innovation management assessment, dynamic evolution of innovation concepts).]


Assurance Framework

The 5StarS Assurance Framework is illustrated in Figure 5. It comprises several elements, including the System Lifecycle and Maturity Model, the Vehicle Assessment Framework, the Vehicle Cybersecurity Assurance Rating and the CAV Innovation System Framework. These elements are described in more detail below.

Figure 5. Illustration of the overall 5StarS framework

[Diagram labels: System Lifecycle and Maturity model (product development; production, operations, maintenance & decommissioning; cybersecurity governance & management); Vehicle Cybersecurity Assessment (vulnerability assessment); Vehicle Cybersecurity Assurance Rating; Sub-system Assurance; CAV Innovation System Framework; Agility; Validity; National variance; Threat landscape monitoring; Alignment to international standards and regulations: Regulations (UNECE, NHTSA), International Standards (ISO/SAE 21434, SAE J3061), Best Practices (BSI PAS 1885, DfT principles).]


Innovation Framework

Currently in development, the CAV Innovation System Framework (CISF or innovation framework) has been designed to integrate into the assurance framework to provide a system for vehicle manufacturers to assess and ensure that exploitation considerations are built in at the initial concept stages, and can therefore achieve the assurance framework accreditation and assurance rating.

At present, there is not a recognised standard for managing the innovation aspects of large, collaborative CAV R&D projects. Aligning the CAV innovation framework with ISO 56000 will ensure:

• Innovation management

• Identification of CAV opportunities for market exploitation

• Identification of funding opportunities for technology exploitation

• Verification of current and future project technology readiness levels

The benefits to stakeholders are:

• For vehicle manufacturers, de-risking the innovation process of their internal R&D and supply chains, increasing the likelihood of achieving a high 5StarS rating

• Consumers will benefit from improved products, sooner, if the product innovation process is streamlined

In terms of product development/verification, the innovation framework sits in the vehicle pre-concept stage, feeding into the engineering space of the overall assurance framework.

Successful integration of the innovation framework will help simplify the process of implementing changes and facilitate roll-out of new versions.

ISO 56000 Innovation Management System, a key component of the innovation framework, sits alongside the engineering stream of ISO/SAE 21434 but is expected to be applied from an earlier date.

ISO/TR 56004 Innovation Management Assessment is also currently being proposed. The innovation framework would include elements of it, along with Digital Readiness Level tools and R&D processes that already form part of the framework under ISO 56003 Innovation Management – Tools and Methods for Innovation Partnership.

In turn, the innovation framework will feed into the assurance framework roadmap as illustrated in Figure 4 in Timings.


Figure 6. Illustration of assessment components

[Diagram. Vehicle lifecycle stages across the development, production and post-production phases: Concept and Design (product development), Production, Ownership, Transfer of Ownership, Maintenance and Updates, End of Vehicle Life, all under Cybersecurity Governance and Management (Secure by Default / Defence in Depth Principles / Cyber Security Standards). Assessment areas: Conformance Monitoring, Testing, Information Security Assessments and Supply Chain Assurance. Further labels cover feature definition (convenience, safety-related and safety critical systems), threat analysis and risk assessment, testing methods (static analysis, unit, integration, regression, exploratory, fuzz, penetration, performance and automated testing), staff education and vetting, access control and social engineering tests, log reviews, field monitoring, security incident management, digital and physical updates, personal data and data sanitisation.]

Assessment Overview

The vehicle cybersecurity assessment consists of the four components described below. Components 1, 2 and 3 are supported by the System Lifecycle and Maturity Model, which defines best practices across the vehicle lifecycle as well as assessment criteria. Component 4 covers an assessment of the vehicle itself.

1. Concept and design (product development) - the engineering processes used to design security into vehicles and systems; covering concept, system and component design, and testing and validation during vehicle and system engineering. The assessment should consider the existence of suitable processes and whether they have been followed.


2. Cybersecurity governance and management - considering whether appropriate organisational measures for cybersecurity are in place, independent of particular projects. This includes assessing an organisation’s cybersecurity culture, provision of appropriate resources, training and information sharing. The above elements take into account the emerging standards and expected regulatory requirements mentioned.

3. Production, operations, maintenance and decommissioning - the processes in place when the vehicle is in the field, including aspects such as field monitoring processes, incident management and response, and product (including over-the-air) updates.


Table 2. Examples of assessment criteria that will be used in the lifecycle assessment.

Indicators of good practice are used to score elements of the vehicle lifecycle.

10.3a) An incident response team (IRT) should be set up with adequate resources and a set of procedures in place to quickly and efficiently determine the category of incident and provide a timely response, informing relevant persons or organisations.

The team has a set of procedures in place but there is no explicit budgeting for incident response.

The team has a set of procedures in place and there is explicit budgeting for incident response.

The team has a set of procedures in place and there is explicit budgeting for incident response and the incident response team is well resourced.

10.6a) There should be an easy way for an existing owner to remove all of their personal data from their vehicle prior to sale or transfer to a new owner. The sanitisation procedure should:

• Be easily accessible, probably through the menu of the infotainment.

• Inform the owner what will happen if they do run the procedure and request their confirmation prior to proceeding.

• Confirm to the user when complete both via an audible and visual signal.

• There should be verification of the sanitisation.

There is no central method of sanitisation.

There is a central method of sanitisation that performs some but not all of the stated steps.

There is a central method of sanitisation that performs all of the stated steps.

11.3.3a) OTA updates should be designed so that safety or security is not impacted during the update. Users should not be able to drive the vehicle during an update if it is not safe to do so.

Unmitigated security vulnerabilities or safety risks are created when an OTA update takes place.

There are some mitigating actions to prevent security vulnerabilities or safety risks being created when an OTA update takes place.

The creation of security vulnerabilities or safety risks during an OTA update is fully mitigated against to an acceptable level of risk.

4. Vulnerability assessment – as well as assessing the processes that the vehicle manufacturer has in place and followed when developing the vehicle, it is also important to assess the vehicle itself, to seek further assurance that the processes have actually resulted in a sufficiently resilient realisation of the vehicle.

The vulnerability assessment begins with security-focused reviews of the vehicle manufacturer’s work products, such as threat and vulnerability analyses, risk assessments, design and test specifications, and penetration tests and results.

From these activities, an independent vulnerability analysis and practical tests are carried out to identify any residual product vulnerabilities - and whether they could be exploited.

The assessor shall carry out an independent vulnerability analysis followed by a test plan consisting of appropriate tests, to explore and assess the exploitability of any identified residual vulnerabilities.


As the tests will vary over time and between vehicles, a guideline document giving examples of appropriate cybersecurity tests will be maintained by the 5StarS committee. This document will be used for two purposes:

• By the assessment laboratory to develop an appropriate test plan for the vehicle under assessment;

• By the laboratory accreditation process to ensure the consistency of the assessments carried out by approved assessment laboratories and to verify the competence of laboratories and their assessors.

During an assessment, appropriate tests will be planned based on the categories shown in Table 3. Some non-exhaustive examples are given for each category, which will be expanded further in the guidelines to be maintained by the 5StarS committee (see Governance, page 22).

All applicable tests for a given assessment will be selected from the test guideline document based on the features of the vehicle. For example, if the vehicle does not have a Wi-Fi hotspot fitted, those tests will not be carried out and there will be no negative impact on the assessment result.

Table 3. Test categories and examples

Test category: Examples of tests

1. Long-range wireless tests
• Jamming, spoofing or eavesdropping of cellular and broadcast interfaces

2. Short-range wireless tests
• Manipulation of wireless interfaces such as Wi-Fi, Bluetooth
• Spoofing of sensor measurements to manipulate driver assistance or automated driving functions

3. Physical interface tests
• Manipulation of OBD-II diagnostic protocols
• Sufficiency of isolation of the OBD-II port from safety-relevant functions

4. In-vehicle network tests
• Spoofing or tampering of messages on the CAN bus
• Effectiveness of any intrusion detection systems
• Effectiveness of any message authentication

5. ECU hardware and software tests
• Reverse engineering, re-flashing or other manipulation of embedded software
• Accessibility of debug ports (e.g. JTAG)
• Recovery of cryptographic keys by side channel analysis


[Figure 7 diagram labels: System lifecycle criteria (Cybersecurity Governance and Management; Product Development; Production, Operations, Maintenance and Decommissioning); Level 1 Score (criteria corresponding to UNECE audit requirements); Level 2 Score (criteria corresponding to all ISO/SAE 21434 requirements); Level 3 Score (5StarS additional criteria); Vulnerability Assessment (Design review; Vulnerability analysis; Penetration testing) at Basic, Medium and High; Assessment Scoring; Assessment criteria within each of the 8 principles of the DfT Key Principles of Cyber Security for CAV.]

The Assurance Rating System

After each assessment, the laboratory will issue a detailed report to the manufacturer containing full details of findings, including the level of assurance achieved by the assessed vehicle. The report enables the manufacturer to understand the outcome of the assessment and any findings or issues to be resolved. At this stage there is the opportunity for the manufacturer to resolve any open issues before proceeding to obtain an assurance rating for the vehicle. The assessment criteria and requirements are illustrated in Figure 7 below, followed by an explanation of how they are grouped.

Figure 7. Assessment criteria (an explanation of DfT principles can be found on page 19)


The levels below illustrate how the assessment criteria are grouped by difficulty level, and their alignment with the requirements of the standards and regulations. This aids the definition of the thresholds used to derive the rating from the assessment scores:

• Level 1 criteria based on independent audit of the vehicle manufacturer’s cybersecurity management system against the anticipated regulatory requirements of UNECE, and includes the results of a basic level of vulnerability assessment and testing.

• Level 2 criteria based on independent assessment against the anticipated requirements of ISO/SAE 21434 or equivalent standards, and includes the results of a medium level of vulnerability assessment and testing.

• Level 3 criteria based on independent assessment against the requirements of the full 5StarS framework including additional system lifecycle criteria, and includes the results of a high level of vulnerability assessment and testing.

As part of the assessment process, the laboratory records a set of scores aligned to the assurance needs of insurers and consumers.

Results of the assessment are categorised according to the Department for Transport (DfT) Principles for cybersecurity in Connected Autonomous Vehicles as shown in Table 4.

Table 4. DfT Principles for Cybersecurity in Connected Autonomous Vehicles

Category Criteria

1 Organisational security is owned, governed and promoted at board level

2 Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain

3 Organisations need product aftercare and incident response to ensure systems are secure over their lifetime

4 All organisations, including sub-contractors, suppliers and potential third parties work together to enhance the security of the system

5 Systems are designed using a defence-in-depth approach

6 The security of all software is managed throughout its lifetime

7 The storage and transmission of data is secure and can be controlled

8 The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.


[Figure 8 diagram labels: Assessment Scoring; Principles 1-8, each with its Recommendations; Insurer Weighting; Consumer Weighting; Threshold Banding.]

The rating will reflect the confidence in a vehicle’s cyber resilience based on the 5StarS assurance framework - in turn related to future, mandatory cybersecurity standards - and be comparable to other rated vehicles. Insurers will also receive textual comments for each one of the eight principles as guidance on why the vehicle received the rating, as well as a score breakdown. To avoid confusion, the insurer rating will not be made public.

The aim of the rating is to inform the consumer’s buying decision as well as to provide underwriters with information to help assess a vehicle’s cyber risk. Given their different priorities, the final scores for consumers and insurers may differ. The rating will influence the vehicle’s insurance group rating. This affects the cost of insuring the rated vehicle for the consumer. The assurance rating system will apply to new vehicles only.

Just as the Euro NCAP star rating has won widespread recognition, we believe that the 5StarS rating system will be of huge benefit, not just to consumers and insurers but also vehicle manufacturers that require a visible representation of their efforts and investment to meet the stringent assessment tests of the assurance framework.

Assurance rating measurement criteria

Requirements of the assurance rating system are as follows. It shall:

• build upon initial consultation with insurers to define a rating that is understandable to insurers and the consumer, while still meaningfully reflecting the level of cybersecurity assurance

• consider the perception of the rating by consumers and insurers

• address the evolving threat landscape and the applicability of the rating beyond the date of issue

• address differences between countries

• include consideration for maintenance and periodic technical inspection.

Figure 8. Process of moving from assessment to assurance rating


[Figure 9 diagram labels: 5StarS Assessment scheme; Assurance Rating scheme; 5StarS committee; National Cybersecurity Technical Authority; Independent Cybersecurity Assessment Laboratories; Vehicle manufacturers and suppliers; Thatcham and Consumer bodies; Insurers and Consumers; Vehicle assurance rating database; Vehicle; Threat landscape; Service provider; OEM backend; ITS; In-vehicle network (CAN, FlexRay); JTAG serial I/O; Side channels. Arrow labels: Monitor; Participate; Develop and maintain; Develop; Accredit; Represent; Consult; Submit rating; Submit for assessment; Assessment report.]

Governance

The 5StarS consortium proposes that the assurance framework should be governed based on the example in Figure 9 below. There follows a description of key stakeholders’ role in the process - NB the example illustrates the proposed governance model for the UK, but the model is applicable internationally:

Figure 9. 5StarS assurance framework governance


Vehicle manufacturers and suppliers

The vehicle manufacturer and its tiered supply chain develop products according to the relevant regulations, standards and best practice, and submit products for assessment prior to release for production. The vehicle manufacturer selects a 5StarS-accredited assessment laboratory of its choice and enters into a contract with the laboratory to carry out the assessment.

Independent cybersecurity assessment laboratories

Cybersecurity assessment laboratories, independent of vehicle or component manufacturers, are accredited by the relevant national cybersecurity technical authority (see below) to carry out vehicle cybersecurity assessments and issue vehicle cybersecurity assurance ratings according to the 5StarS assurance framework.

A laboratory accreditation scheme will be required to ensure consistency of assessments between laboratories. It is proposed that this scheme will be overseen by the national cybersecurity technical authority of the country in which the assessment laboratory is located. The accreditation is to be carried out by an accreditation body such as UKAS, analogous to standards such as ISO 17025.

National cybersecurity technical authority

Each nation supporting the assessment scheme appoints an appropriate technical authority, which may be the government national cybersecurity agency, for example the National Cyber Security Centre (NCSC) in the UK. The technical authority oversees the accreditation of each of the assessment laboratories located within its jurisdiction, and periodically monitors the laboratories to ensure consistent application of the framework and competency across laboratories.

5StarS Committee

This committee is responsible for the ongoing development and iteration of the 5StarS assurance framework and all its elements. This is to ensure that the scheme is kept up to date with the evolving security landscape and continues to meet the needs of all stakeholders.


Additional Considerations

Ongoing Assessments

Assessment is expected to be carried out before vehicle type approval. Assessors should therefore be required to examine existing cybersecurity measures during production, but also any measures in place for the post-production lifecycle.

Vehicle Assurance Rating Database

The vehicle assurance ratings issued by the assessment laboratories are to be stored in a central repository that can be consulted by the relevant stakeholders, such as consumers and insurers. This database shall only store the final ratings; the full vehicle cybersecurity assessment report is shared only with the relevant vehicle manufacturer.

Geographical Scope

Although the 5StarS project is UK government-funded and the consortium partners are UK-based, it is planned that the assurance framework and assurance rating system will apply internationally. This will assist vehicle manufacturers aiming to sell vehicles globally, not just in the UK.

As a consequence, the framework is being designed to align to current and emerging international standards and best practice, so that it can be applied outside the UK.

Supply Chain Scope

The supply chain scope should include the vehicle manufacturer and the tiered suppliers of components and services that are supplied under contract to the vehicle manufacturer, in this instance relating to cybersecurity-relevant systems. The 5StarS project is developing vehicle-level and system/sub-system frameworks which will be integrated into the overall assurance framework.


Next Steps – Making the Roadmap a Reality

The 5StarS consortium now seeks to build upon initial feedback received from our key stakeholder groups of manufacturers, government and insurers on the proposals outlined in this document.

A trial phase is now required in which we will invite interested vehicle manufacturers to validate the assurance framework against their vehicles.

The proposed governance approach also requires further development and evaluation with all key stakeholders, to define the implementation and ongoing operation of the framework.

The 5StarS consortium are now evaluating opportunities to conduct these trials and would welcome any input on next steps via the project website:

www.5starsproject.com


Conclusion

This paper outlines the 5StarS consortium’s proposals for an assurance framework and an assurance rating system for cybersecurity in the automotive industry, and the reasons they are required.

Like many industries, vehicle manufacturing is undergoing seismic changes driven by new technology. While consumers will be enthused by the scope of these products, they also need to know that their vehicles and personal data will remain safe from the threat of cyber attacks.

A system for assuring the resilience and efficacy of the intricate components and systems that operate in the vehicles being brought to market is crucial for customers’ peace of mind. Simultaneously, demonstrating that appropriate security measures are in place can accelerate a whole new revenue stream for the industry.

In a hyper-connected world, cybersecurity matters more than ever. Can you afford to be left standing at the roadside or will you play your part in making the roadmap a reality?


Acknowledgements

The 5StarS consortium would like to thank the following for their feedback during the consultation phase:

• SMMT and representatives of vehicle manufacturers

• Thatcham Research Security Committee (insurers)

• ADIG Cyber Sub-group (insurers)

• Government agencies: DfT, CCAV, NCSC, InnovateUK
