Hello Mr Liedtke. You’ve spent almost half your working life in the telecommunications industry. What processes have you succeeded in transferring from that industry into the automotive sector?
Actually there are quite a lot of parallels, especially on the macro and process level. In the mid-1990s I was working with Bonifaz Maag at Alcatel, where we introduced and rolled out the CMMi process maturity model for software development in the field of ISDN and mobile telephony. The current standard used in the automotive industry is called Automotive SPICE, but the similarities with CMMi, which has now moved forward, are remarkable. Even if the software has become much more complex, standards underlying the development process are basically always the same.
What’s ISO/SAE 21434 all about and why is there a new standard coming along for the automotive industry?
Cars are changing from mechanical devices into computers on wheels. Just like other systems, these computers need protecting from attacks from the outside. The big aims of ‘security’ are totally different from classic ‘safety’ aspects, which are about ensuring that the key parts of the car that are supposed to shield passengers protect life and limb in critical situations. There’s been an automotive-specific standard for functional safety since 2011: ISO 26262. There are no such things as binding guidelines for security in Europe; there’s only the SAE J3061TM security norm in the United States. So there’s no global uniformity, and that has to change.
What key challenges do companies face in the automotive industry if they want to defend their systems from potential cyberattacks?
Some of the conceivable attacks that could take place are that a car is immobilised, that it can be started without a key, or that its total mileage is reduced artificially to raise its value. WIRED magazine has shown what an attack would look like with the example of a Jeep. Security systems should prevent such attacks. What we’re dealing with here is a moving target, because for a start the software used in cars is constantly being updated, but also hackers find ways to sneak in through security loopholes that no-one even had on their radar 24 hours ago. The potential number of angles of attack rises continuously with each interface to the car (Bluetooth, MP3 player, internet, USB, smartphone, video camera, sensors, etc). If a new weak point is discovered, you generally need a patch within hours or days, and this patch has to make its way quickly and securely to vehicles in all corners of the globe.
What role is Kugler Maag Cie playing in creating this standard?
Kugler Maag Cie is one of the European representatives on the ISO/SAE 21434 project. We’re tapping into expertise gained through nearly 15 years of working on processes in the automotive industry to contribute to the development of the standard. Of course, in turn this benefits our customers, who we’re already helping to prepare for working with the new standard.
What tasks should be supported by the new security standard?
The standard will not lay down specific technologies or solutions. That wouldn’t make sense, because they become obsolete again much too quickly. It’s more about formulating the requirements of cybersecurity risk management, for all stages of a product’s lifetime – from components to development, design, production, operation and maintenance, right up to decommissioning. This is because even if a car does have to be scrapped at some point, the personal data of its users has to be protected. The standard lays down uniform definitions for factors that could be considered a weakness or vulnerability, also defining the conditions security has to be tested under.
Will it be enough in the future to base development processes on specifications laid down under ISO/SAE 21434?
Companies have to meet the standard – but it’s not that easy to simply implement it. This is because this standard is a framework for companies, so it forms a basis for defining security management. It provides a foundation based on well-developed processes, and then there are things like awareness training for staff, suitable organisational rules and technical expertise. The standard also tells manufacturers that they should be always be up to speed with the latest advancements in technology. This requires them to keep their eyes on the market and technology.
To what extent is the new security standard binding for automotive companies and suppliers?
ISO standards aren’t laws. Companies aren’t obliged to adhere to them. But they will do, because if something or someone is damaged this determines liability. If a vehicle manufacturer doesn’t adhere to a standard, the onus reverses – it has to prove that it nonetheless did everything it was required to do to avoid damage.
You said that the ISO organisation and SAE International have now joined forces to bring out ISO/SAE 21434 together. What’s this approach all about?
SAE is an American professional association. It’s already issued a security standard for the United States. The rest of the world are not going to simply adopt it the way it is. Coming the other way, SAE are also not going to give up their standard for a new global standard. So after many rounds of discussion, delegates agreed to work together on a new common standard.
Is there a roadmap for implementing ISO/SAE 21434?
The working relationship between ISO and SAE is a new experience for everyone involved. There were a lot things that had to be cleared up in terms of the approach to be adopted, so the original roadmap slipped back a bit. The current plan is to announce the first public version around the middle of 2019. Companies will be able to use this as a basis for preparing for ISO/SAE 21434. The final version will come into effect in the summer of 2020. So there’s still plenty of time to get ready.