Automotive cyber security standards released: Preparing manufacturers against this ever increasing risk

Cyber security is critical for autonomous vehicles, as for any technology reliant on artificial intelligence. The safety and credibility of autonomous vehicles is solely dependent on the software’s ability to fight off any potential cyber breaches. Accordingly, manufacturers and others involved in the AV industry should take close note of The fundamental principles of automotive cyber security, a Publicly Available Specification (PAS) published by the British Standards Institute (BSI).

To boost the UK’s position as a world leader in autonomous vehicle production, the Department for Transport sponsored the BSI to develop a new cyber security standard intended to be used throughout the automotive sector. It was published on 31 December 2018 and gives guidance to manufacturers of AVs, their supply chains and wider ecosystems on understanding and maintaining the security of their vehicles and associated systems. Although a PAS is not law, this agreed good practice could well lead to future legislation as the Government often draws on standards when putting together legislation or guidance documents themselves.

The standards place responsibility directly on the Board of Directors of an organisation to “own, manage and govern security within the organisation and in relation to its supply chain by adopting a security-minded approach that is documented in a security strategy” (recital 5.1.1) and that “depending on the scope of the organisation’s activities the… factors might need to be addressed at international, national, regional and/or local level” (note 2 to recital 5.1.1). Demanding engagement at the highest level of a company not only increases the likelihood of successful compliance but also aims to produce a cultural shift towards implementing and maintaining cyber security protections.

The standards take a “lifecycle” approach. They apply to the “entire automotive development and use” life cycle including specification, design, implementation, integration, production, operation, servicing and decommissioning. Where manufacturers may come to rely on a modular approach, including reliance on electronics providers that are used to radically shorter product lifetimes, this raises a significant risk. If a manufacturer or developer can no longer support a product, vehicle system or software, it must identify the contingent safety and security risks and, if there is a significant increase in those risks, take steps including notifying all affected parties, providing a searchable register of obsolete products and systems and working with aftermarket organisations to develop technical solutions to mitigate any further risks.

The standards also address the threat posed by storing aggregated data. Consumer behaviour is changing as users adapt to connected and automated vehicles, leading to extraordinary aggregation of data. For instance, Bluetooth technology connects mobile devices to a car to make and receive calls and messages. This gives the car access to address books and messaging accounts, as well as other personal data stored on the device which could include stored passwords and even bank details. Likewise, navigation systems allow current and previous locations of a vehicle and its occupants to be tracked and stored. The new cyber security standards require the Board of Directors to assess the increased risks and sensitivity from aggregation of data (recital 4.3.8). It highlights the increased business impact of any potential compromise and forces them to think more widely than just potential breaches to their autonomous vehicle technology.

Overall, the approach of the BSI shows that cyber risk will be a board-level concern for those in the AV industry. Modular, highly connected components will lead to unpredictable interactions and consequent risks. Data aggregation is another new phenomenon creating new, emergent risks. Together with concerns about ethical and legal liability for operation of AVs, these factors demand a coherent, multidisciplinary approach from those involved in manufacturing and developing AVs.

The author would like to thank Aimee Denholm, Knowledge Paralegal, for her assistance in preparing this article.