Automobiles, Cyber & UN R155

10843914886?profile=RESIZE_400xLast week, we reported an alleged cyber-attack on Italian automaker Ferrari.  Well, high end automaker has confirmed the leak of some internal documents but did not say how it happened.  On 10 October, RansomEXX, a ransomware-as-a-service operator, claimed to have breached Ferrari, though the company said it is investigating how the leak occurred.  Italy’s Red Hot Cyber reported that internal documents, including repair manuals, datasheets, etc., sizing up to 6.99 gigabytes, were leaked.  RansomEXX has added Ferrari, whose racing division Scuderia Ferrari partnered with Bitdefender last week, to its list of victims.  Ferrari is just the latest in a line of automakers who have been struck by hackers.[1]   

Many have marveled at the latest innovations from Tesla, the skill of Google’s self-driving cars, or, at the very least, enjoyed playing a podcast on our phone through our car’s speakers.  The automotive industry continues to innovate, bringing connectivity to vehicles in new ways from the cockpit to the engine.  These new tools change the way people drive and view their cars.  An automobile is no longer just for transportation from point A to point B, but cars are rolling data centers that transmit a wealth of actionable intelligence to the networks and systems around them.  However, that same information is also a valuable commodity to hackers – who are looking to steal it at any cost.[2]

It is projected that by 2025, there will be over 400 million connected cars in operation, up from some 237 million in 2021.  That growth brings risk, and so it is particularly important that we secure connected cars from cyber security threats.

An Ongoing Threat - While there is a solid body of knowledge around securing automakers’ back-end networks, the actual car and the interconnected systems and components inside the vehicle are the least understood part of the automotive security equation.  WiFi, Bluetooth, LTE and 5G, CAN bus, V2X and the entire infotainment system are all entry points that pose serious security risks for automotive manufacturers.  New technologies such as Voice-as-an-Interface may further expand the attack surface from the vehicle to the consumer through connected ecosystems such as Amazon, Apple, and Google.

However, cybersecurity standards for cars are only emerging recently.  The United Nations Economic Commission for Europe (UNECE) issued UN R155 that will came into effect on 1 July 2022 - for new vehicle types.  These rules govern cybersecurity and cybersecurity management systems (CSMS) for all vehicles sold in major markets outside of the US, Canada and China.

Cybersecurity within the automotive industry has a long way to go to catch up to traditional enterprise cybersecurity standards and best practices.  Automotive original equipment manufacturers (OEMs) and component manufacturers need to manage vehicle cybersecurity risks, mitigate risks along the supply chain by securing vehicles in the design stage, detect and respond to security incidents across a vehicle fleet, and provide safe, secure software updates that do not compromise vehicle security.

Protecting Vehicle Systems - Even in the relatively short life of connected vehicles we have seen reported attacks on everything from in-vehicle components and systems and back-end services to third-party technology providers and maintenance systems.  The governance of connected automobiles remains essential to establishing cybersecurity measures across the industry.  Vehicle cybersecurity starts with the OEM and each part of the value chain must adhere to regulations and mandatory legal requirements.

Manufacturers must install, evolve and maintain a CSMS throughout the product chain.  In many areas, manufacturers must work together to create a governance framework that assigns responsibility to different parties.  This includes those with roles in each part of the supply chain from OEM factories and legacy systems to component suppliers including those supplying sensors, ECUs, connections and other communication technology to maintain cohesion across applications.

ICS Cybersecurity Conference - To ensure proper security, automotive OEMs and suppliers must:

  • Establish an incident response plan. Every device company needs best practices to include protocols for recovering from cyber threats and patching vulnerabilities. They should be able to communicate with car owners, dealers, and other manufacturers to prepare, find, fix and close any issues that arise.  These guidelines are largely covered by the adoption of a CSMS which is outlined in the International Standards Organization/Society of Automotive Engineering (ISO/SAE) 21434 standards and mandated by UN R155.
  • Collaborate with appropriate parties. As with IT systems, no one technology product works in isolation. Connected car device manufacturers must have open lines with other providers to share security best practices and send alerts of potential vulnerabilities.
  • Manage and assess risk. Not all cybersecurity threats pose the same threat level.  Device makers need to be aware of all dangers and treat those that could lead to safety and data security issues.  This process can help automakers identify and protect the most critical assets to ensure the vehicle’s integrity.  This is also covered by the adoption of a CSMS as outlined by ISO/SAE 21434 and mandated by UN R155.
  • Bake security into the design process and entire automotive ecosystem. With the risk of vulnerabilities now better understood, cybersecurity must be a top priority for the entire automotive ecosystem including the car, the network communications, the cloud services, and the connected apps on your phone.

A Look at Testing - Mitigating cybersecurity threats is just the beginning of the process.  It really is about validating that the security measures you have taken work. In order to understand that you have to think like a hacker.  For automakers and suppliers, cybersecurity should take place at several levels.  For the suppliers, they must test their devices and components including connected components at the communications protocol layer.  For the automaker, they need to ensure that any supplier components have been thoroughly tested.  Then, automotive manufacturers must ensure that any original parts and systems in alignment with their CSMS have been thoroughly tested.  The security testing should include functional cybersecurity testing, fuzz testing, and vulnerability testing.  These tests do not just need to cover a comprehensive suite of potential threat vectors; they also must account for the various points of entry an attacker can take.  That means testing across all the communication interfaces a modern car uses, including cellular, Wi-Fi, Bluetooth, CAN, and automotive ethernet.  But that is only half the battle.  Software updates: the preferred method to mitigate emerging threats across automotive components and systems; require verification. This process is painstakingly repetitious, and automation is key to making this happen.

Compliance with UN R155 demands a repeatable, scalable, and well-documented testing approach.  And between sprawling attack surfaces, emerging threats, and mandatory compliance processes, integration and automation aren’t luxury, they are a must-have.  While it is possible to cobble individual hardware and software components together into an automotive cybersecurity test platform, the time commitment of managing a homegrown system can easily outweigh any potential benefits.

The Road Forward - As vehicles become more connected and autonomous and a part of our everyday life, the need to secure them only grows more critical and complex.  The role of testing becomes even more critical to the success of the next generation of vehicles on the market.  Better managing the cybersecurity needs of these cars starts at the beginning of the design process and continues throughout the life of the vehicle.  With a committed industry, we can mitigate threats as they emerge and let everyone enjoy these truly incredible machines.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.    For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or      

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www. redskyalliance. org/   
  • Website: https://www. wapacklabs. com/  
  • LinkedIn: https://www. linkedin. com/company/64265941   

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings



E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!