How ISO 21434 impacts EV cybersecurity
With electronic and electrical components’ footprints growing significantly in road vehicles, ensuring that the vehicle’s telemetry, navigation, safety, and data are protected from cyberattacks is crucial at every stage of design, development, and deployment.
ISO 21434 was developed to ensure that the hyperconnected vehicles are safe for the occupants as well as other vehicles on the roads. EVs being one of the most connected vehicles on the road with the widespread adoption of V2G technologies have led to the expansion of attack surface on the EV technical architecture across the edge to connectivity to Cloud layers. Let us look at how consideration of ISO 21434 in designing and deploying EVs helps mitigate these cybersecurity challenges.
Background
Electric vehicles are seeing a strong demand globally, particularly with the prevalent concerns of climate change and steadily increasing global temperatures. The idea that the electric vehicle technology is essentially a motor, and a battery that is rapidly giving way to a complex architecture of bidirectional charging infrastructure (on vehicle and roadside), regenerative braking, immersive driver experience, and often autonomous driving technology. All these cutting-edge technology components require significant computing, storage, and analysis infrastructure, both at the edge i.e. in the vehicle and charging points as well as in the cloud (at the grid control and fleet remote operator command centers).
This also leads to an increase in the attack surface on the connected vehicle technology value chain. Independent security practitioners have demonstrated in recent times that one can hack into the non-navigation functions of multiple electric cars simultaneously. While this may seem like a harmless prank for now, there is no denying that it is an ominous sign for the times to come.
What are the common cybersecurity risk scenarios in EVs?
Here are the main points of vulnerability for an EV:
1. Electric Vehicles
EVs have a significant footprint of the embedded system software, namely device drivers, operating systems, application runtime for application workloads on data processing, and rule-based control. It also has a lot of firmware for device functioning like sensor integration, interfacing, and communication. Each of these software modules is vulnerable to cyber-attacks. Attackers even target user applications running on mobile and web for car status, control, and driver analytics as well as third-party application integrations for reference data like maps.
2. Charging infrastructure
Connected EV charging points, irrespective of leveraging AC or DC charging technology have complex technical architecture across the hardware, system software, connectivity, and application software or digital layer. They are managed by the charging point operators or CPOs using a mix of on-site and remote monitoring, management, and maintenance. Attack surface on these spans across connected device system software, charging point operator, and user applications across web and mobile platforms, including touchpoints to third-party payment applications.
3. Electrical grid
Finally, EV charging points source electricity from the grids that leverage renewable as well as non-renewable energy sources to maintain the grid power levels at the required levels of voltage and current. Any attack on the network of charging points impacts the grid in an adverse way. For example, a botnet attack assumes control of a large portion of the charging point network. It creates an erroneous, non-existent spike in energy demand,trips the grid, leading to power outage. Here, the attack surface is the integration between the grid and the charging point network.
How does the ISO 21434 help in mitigating these cybersecurity risks?
Prior to this standard coming into effect, the safety and security in the vehicle design were limited to functional safety, governed by ISO 26262. However, lack of coverage on securing the electronic control and data flowing in the connected car ecosystem mandated addressing these concerns in a separate standard, which came into effect as ISO 21434 –Road Vehicles – Cybersecurity engineering. This standard outlines the engineering considerations from concept to decommissioning of secure road vehicles across modalities.
- From detailing activities in the secure product lifecycle to outlining how to set up a cybersecurity culture in the new product development teams, this standard ensures an end-to-end security enablement approach for connected vehicles.
- It helps you set up an objective mechanism for setting up and planning the cybersecurity-related workflows from secure design to end of cybersecurity support.
- It also features methods to conduct threat analysis and risk assessment considering specific damage scenarios, asset properties, and impact characteristics. It further outlines attack paths and feasibility ratings of the attacks. As part of risk assessment, it lays out factors that impact the risk value and subsequent treatment decisions for the ascertained risk value.
The standard is valuable to the EV technology and product companies. It explains a practical approach to ensuring cybersecurity in a scenario where suppliers i.e. product and technology providers as well as customers, both are responsible for ensuring EV cybersecurity across the product lifecycle. Any significant deviation from the model roles and responsibilities outlined in the standards can have impaired security across the EV cybersecurity value chain.
eInfochips has extensive expertise and comprehensive offerings in IoT security across architecture layers of device, connectivity, cloud as well as web/mobile user applications. With experience, in high technology verticals like e-mobility across security lifecycle activities like threat modeling, VAPT, as well as DevSecOps, eInfochips has helped customers develop a secure connected product ecosystem for various industry applications.