Policies and Guidelines
Automotive policies around security are still relatively new. While several groups have been working on fleshing out what they will entail, many of the details didn't become public until 2014. This section highlights some of these policies and guidelines and how they currently relate to the automotive industry.
National Highway Traffic Safety Administration (NHTSA)
The NHTSA is a US federal agency that was established in 1970 by the Highway Safety Act. NHTSA is statutorily directed by Congress to issue standards that address safety needs identified by the agency. NHTSA has had to evolve along with changing vehicle technology. In 2012 a new division was formed with the main focus of:
- Safe Reliability
- Emerging Technologies (Automated Vehicles)
Federal Motor Vehicle Safety Standards: Vehicle-to-Vehicle (V2V) Communications
A pre-release proposal from the NHTSA for V2V communications was released in August 2014. The general scope of this proposal is:
Automotive Electronic Control Systems Safety and Security
Another request for comments from the NHTSA was released in October of 2014. The general scope of the proposal is:
SAE J3061 - Cybersecurity Guidebook for Cyber-Physical Automotive Systems
As of the end of 2014 this is a work-in-progress standard, released January 14, 2014, with the following scope:
ISO 26262 - Road vehicles – Functional safety
| Probability / Exposure | E1 | E2 | E3 | E4 |
|---|---|---|---|---|
| Duration | - | <1% of operating time | 1-10% of operating time | >10% of operating time |
| Frequency | Occurs less than once a year | Situation that occurs a few times a year | Situation that occurs once a month | Situations that occur almost every drive |
| Examples | Driving downhill with engine off | Driving on an unsecured steep slope | Slippery roads | Braking |

Table 2-1: ASIL Probability / Exposure
| Severity | S1 | S2 | S3 |
|---|---|---|---|
| Description | Light and moderate injuries | Severe injuries, possibly life threatening, survival probable | Life threatening injuries, survival uncertain, fatal injuries |
| Example | Collision with tree < 20 kph | Collision with tree 20-40 kph | Collision with tree > 40 kph |

Table 2-2: ASIL Severity
| Controllability | C1 | C2 | C3 |
|---|---|---|---|
| Description | Simply controllable | Normally controllable | Difficult to control or uncontrollable |
| Definition | All drivers will be able to avoid it | 90% of all drivers will be able to avoid it | 10% of all drivers will be able to avoid it |
| Example | Starting a vehicle with locked steering | Stopping a vehicle in case of light failure | Loss of brakes |

Table 2-3: ASIL Controllability
Table 2-4: ASIL Matrix of risk
MIL-STD-882E - System Safety
This safety standard comes from the US Department of Defense (DoD). The document is dated May 2012 and its scope includes:
| Description | Severity | Mishap Result Criteria |
|---|---|---|
| Catastrophic | 1 | Could result in one or more of the following: death, permanent total disability, irreversible significant environmental impact, or monetary loss equal to or exceeding $10M. |
| Critical | 2 | Could result in one or more of the following: permanent partial disability, injuries or occupational illness that may result in hospitalization of at least three personnel, reversible significant environmental impact, or monetary loss equal to or exceeding $1M but less than $10M. |
| Marginal | 3 | Could result in one or more of the following: injury or occupational illness resulting in one or more lost work day(s), reversible moderate environmental impact, or monetary loss equal to or exceeding $100K but less than $1M. |
| Negligible | 4 | Could result in one or more of the following: injury or occupational illness not resulting in a lost work day, minimal environmental impact, or monetary loss less than $100K. |

Table 2-5: MIL-STD-882E Severity Rankings
| Description | Level | Specific Individual Item | Fleet or Inventory |
|---|---|---|---|
| Frequent | A | Likely to occur often in the life of an item. | Continuously experienced. |
| Probable | B | Will occur several times in the life of an item. | Will occur frequently. |
| Occasional | C | Likely to occur sometime in the life of an item. | Will occur several times. |
| Remote | D | Unlikely, but possible to occur in the life of an item. | Unlikely, but can reasonably be expected to occur. |
| Improbable | E | So unlikely, it can be assumed occurrence may not be experienced in the life of an item. | Unlikely to occur, but possible. |
| Eliminated | F | Incapable of occurrence. This level is used when potential hazards are identified and later eliminated. | Incapable of occurrence. This level is used when potential hazards are identified and later eliminated. |

Table 2-6: MIL-STD-882E Probability Levels
Table 2-7: MIL-STD-882E Risk Assessment Matrix
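The two standards above both rate a hazard by combining a small number of classes into one level, which makes them easy to mis-transcribe in a hazard analysis spreadsheet. The following is an added example, not code from this chapter or from ISO or the DoD: it encodes the ISO 26262 S/E/C classes of Tables 2-1 to 2-3 and the MIL-STD-882E severity and probability levels of Tables 2-5 and 2-6, and rates a few constructed hazards under both. The two lookup matrices (ISO 26262-3 Table 4 and MIL-STD-882E Table III) are taken from the standards themselves, since the chapter shows only their captions; the hazards and their class assignments are constructed for illustration.

```python
"""Hazard classification under ISO 26262 (ASIL) and MIL-STD-882E (risk level).

Added example, not from the chapter. Class meanings follow Tables 2-1 to 2-3
and 2-5/2-6 above; the matrices are from ISO 26262-3 Table 4 and
MIL-STD-882E Table III. The hazards at the bottom are constructed.
"""
from dataclasses import dataclass

# ISO 26262 ASIL determination: ASIL_MATRIX[S][E] -> (C1, C2, C3)
ASIL_MATRIX = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}


def asil(s, e, c):
    """ASIL for severity S1-S3, exposure E1-E4, controllability C1-C3."""
    if s not in ASIL_MATRIX or e not in ASIL_MATRIX[s] or c not in (1, 2, 3):
        raise ValueError(f"class out of range: S{s} E{e} C{c}")
    return ASIL_MATRIX[s][e][c - 1]


def asil_closed_form(s, e, c):
    """The matrix is a staircase in S+E+C: 10 -> D, 9 -> C, 8 -> B, 7 -> A,
    anything lower -> QM. Useful for spotting transcription errors in a HARA sheet."""
    return {10: "D", 9: "C", 8: "B", 7: "A"}.get(s + e + c, "QM")


def matrix_is_consistent():
    """Cross-check all 36 cells of the matrix against the closed form."""
    return all(asil(s, e, c) == asil_closed_form(s, e, c)
               for s in (1, 2, 3) for e in (1, 2, 3, 4) for c in (1, 2, 3))


# MIL-STD-882E risk level: RISK_MATRIX[probability] -> (severity 1, 2, 3, 4)
RISK_MATRIX = {
    "A": ("High", "High", "Serious", "Medium"),
    "B": ("High", "High", "Serious", "Medium"),
    "C": ("High", "Serious", "Medium", "Low"),
    "D": ("Serious", "Medium", "Medium", "Low"),
    "E": ("Medium", "Medium", "Medium", "Low"),
}


def mil_std_risk(severity, probability):
    """Risk level for severity 1-4 (Table 2-5) and probability A-F (Table 2-6)."""
    if probability == "F":
        return "Eliminated"
    if probability not in RISK_MATRIX or severity not in (1, 2, 3, 4):
        raise ValueError(f"class out of range: severity {severity} probability {probability}")
    return RISK_MATRIX[probability][severity - 1]


@dataclass
class Hazard:
    name: str
    s: int            # ISO 26262 severity class
    e: int            # ISO 26262 exposure class
    c: int            # ISO 26262 controllability class
    severity: int     # MIL-STD-882E severity ranking
    probability: str  # MIL-STD-882E probability level


# Constructed hazards, classified from the example rows of the tables above.
HAZARDS = [
    Hazard("Loss of brakes while braking", s=3, e=4, c=3, severity=1, probability="C"),
    Hazard("Headlights fail at night", s=2, e=3, c=2, severity=2, probability="D"),
    Hazard("Steering locked at vehicle start", s=1, e=4, c=1, severity=4, probability="B"),
]


def assess(hazards=HAZARDS):
    """Both ratings per hazard: {name: (ASIL, MIL-STD-882E risk level)}."""
    return {h.name: (asil(h.s, h.e, h.c), mil_std_risk(h.severity, h.probability))
            for h in hazards}


def asil_sensitivity_to_c(h, new_c):
    """Same hazard rated with a different controllability class. The gap
    between the two results shows how much of the rating rests on the
    controllability argument, which is the part of a HARA reviewers should
    challenge hardest."""
    return asil(h.s, h.e, h.c), asil(h.s, h.e, new_c)


if __name__ == "__main__":
    for name, (a, r) in assess().items():
        print(f"{name:32s} ASIL {a:2s}  MIL-STD-882E {r}")
    print("brake hazard rated C3 vs C1:", asil_sensitivity_to_c(HAZARDS[0], 1))
```

Running it prints the three constructed hazards with an ASIL and a MIL-STD-882E level side by side; the brake hazard rates ASIL D with C3 but only ASIL B with C1, two levels apart on the controllability class alone.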
Five Star Automotive Cyber Safety Program
The public group I Am The Cavalry published an open letter in August 2014 at DEF CON in Las Vegas. This letter was designed to be a guideline for future communication and could be used to grade how the industry was doing in the field of automotive cyber security.
- Safety By Design - Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain?
  - Standard Based: Use of vetted ISO, NIST or industry standards.
  - Supply Chain Rigor: Well-governed, traceable hardware and software supply chains.
  - Reduction of Elective Attack Surface & Complexity: Reduction of attack surface lowers exposure.
  - Independent, Adversarial Resilience Testing: Independent, qualified security testing from those outside of the development team.
- Third Party Collaboration - Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith?
  - Standard Based: Use of vetted ISO standards for vendor-side disclosure practices and for internal vulnerability handling.
  - Positive Incentives: Positive "Recognition and Reward" systems to encourage and stimulate participation in bug reporting.
  - Known Interfaces: Independent vulnerability disclosure coordinators.
- Evidence Capture - Do your vehicle systems provide tamper-evident, forensically-sound logging and evidence capture to facilitate safety investigations?
  - Logging and Legal Standards: Lowest common denominator syntax and verbosity as well as cyber forensics.
  - Improve effectiveness of NHTSA: Collecting and retaining data as recommended for cause analysis in the event of a crash.
  - Privacy Sensitivity: Decoupling logged data from citizens to avoid privacy and surveillance issues.
- Security Updates - Can your vehicles be securely updated in a prompt and agile manner?
  - Secure Updating System: Authenticity and quality verification on system updates.
  - Service Level Agreements (SLA): Fast Mean Time To Repair (MTTR).
  - Robust Notification/Communication: Public communication should be transparent and forthright.
- Segmentation and Isolation - Do you have a published attestation of the physical and logical isolation measures you have implemented to separate critical systems from non-critical systems?
  - "Air Gaps": Physical separation of critical systems.
  - System Integrity/Recovery: Implementation of a safe recovery mode.
  - Enhanced Assurance: Third party review and validation of architecture, implementation and adversary resilience.
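The Evidence Capture star asks for logging that is tamper-evident and, under Privacy Sensitivity, decoupled from the person driving. As an added example, not code from I Am The Cavalry or from any vehicle manufacturer, the block below chains each log record to its predecessor with an HMAC, so that editing, deleting or reordering a record breaks verification, and replaces the driver identifier with a keyed pseudonym before the record is committed. The keys, the record layout and the four sample events are constructed for illustration; a real implementation would keep the keys in a secure element and anchor the latest tag off-vehicle.

```python
"""Tamper-evident event log with a keyed pseudonym for personal data.

Added example, not from I Am The Cavalry or any OEM. Keys, record layout and
sample events are constructed; real keys belong in a secure element.
"""
import copy
import hashlib
import hmac
import json

LOG_KEY = b"constructed-demo-log-key"          # constructed; never in source in a real system
PSEUDONYM_KEY = b"constructed-pseudonym-key"   # constructed; separate key for the privacy mapping
GENESIS = b"\x00" * 32                         # chain anchor for the first record


def pseudonymize(identifier):
    """Keyed pseudonym: records stay correlatable without naming the person."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def canonical(entry):
    """Deterministic encoding so the tag covers exactly one byte string."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def chain_tag(prev_tag, entry):
    """HMAC over (previous tag || this record) binds the record to all earlier ones."""
    return hmac.new(LOG_KEY, prev_tag + canonical(entry), hashlib.sha256).digest()


def append(log, event):
    """Append one event; a sequence number is added and the driver id pseudonymized."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    entry = dict(event, seq=len(log))
    if "driver_id" in entry:
        entry["driver"] = pseudonymize(entry.pop("driver_id"))
    log.append({"entry": entry, "tag": chain_tag(prev, entry).hex()})


def verify(log, anchored_tag=None):
    """Walk the chain. Returns (ok, index of first bad record or len(log)).

    anchored_tag is the latest tag as recorded out-of-band (for example uploaded
    to the manufacturer). Without it, cutting records off the end of the log
    still verifies, because every surviving link is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["entry"].get("seq") != i:          # catches deletion and reordering
            return False, i
        expected = chain_tag(prev, rec["entry"])
        if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
            return False, i                       # catches edits and forged tags
        prev = expected
    if anchored_tag is not None and not hmac.compare_digest(prev, anchored_tag):
        return False, len(log)                    # catches truncation of the tail
    return True, len(log)


# Constructed sample events from a short drive ending in a crash.
SAMPLE_EVENTS = [
    {"t": 1000, "src": "ECM", "event": "ignition_on", "driver_id": "licence-XYZ-123"},
    {"t": 1042, "src": "ABS", "event": "brake_pressure", "kpa": 850},
    {"t": 1043, "src": "ABS", "event": "wheel_lock", "wheel": "FL"},
    {"t": 1044, "src": "ACM", "event": "airbag_deploy"},
]


def build_log(events=SAMPLE_EVENTS):
    log = []
    for ev in events:
        append(log, ev)
    return log


def tamper_scenarios():
    """Apply three manipulations to a copy of the log and report what verify() says."""
    log = build_log()
    anchor = bytes.fromhex(log[-1]["tag"])
    edited = copy.deepcopy(log)
    edited[1]["entry"]["kpa"] = 0                 # rewrite the brake pressure
    deleted = copy.deepcopy(log)
    del deleted[2]                                # drop the wheel_lock record
    truncated = copy.deepcopy(log)[:3]            # cut off the airbag record
    return {
        "intact": verify(log, anchor),
        "edited": verify(edited, anchor),
        "deleted": verify(deleted, anchor),
        "truncated_no_anchor": verify(truncated),
        "truncated_with_anchor": verify(truncated, anchor),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:22s} ok={result[0]!s:5s} index={result[1]}")
```

The interesting case is the last pair: truncating the log passes a plain chain walk and only fails once the final tag is compared with a copy kept outside the vehicle, which is the reason the Five Star text pairs logging with data retention rather than treating the log on its own as sufficient evidence.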
State of the Policies
In 2014 newer proposals directly addressed the automotive cyber threat. Most of these policies and guidelines are still in their proposal stage, but there should be real progress in these areas in 2015. The two NHTSA requests for comments are great examples of attempting to create informed proposals openly and soliciting the community. I Am The Cavalry was the first non-industry, non-government group to attempt to appeal to the overall community with such a proposal. There is a significant effort underway by both the automotive industry and regulatory bodies to get ahead of the auto cyber security threat before the bad guys do.