Introduction to Automotive Cybersecurity (ISO 21434) terms


Welcome to our first ever blog post of functionalsafetyfirst.com on...Cybersecurity!!

Cybersecurity in vehicles is evolving faster than ever — and much like functional safety, it’s become a non-negotiable pillar of modern automotive development. It’s no surprise that functional safety engineers are now exploring ISO/SAE 21434, while cybersecurity experts are diving into ISO 26262. The two worlds are converging rapidly.

But if you’re a functional safety engineer stepping into cybersecurity for the first time, where do you start?

How do you get comfortable with the “cyber language” — the new terms, the lifecycle, the regulations, and the mechanisms like encryption, secure boot, secure OTA, and intrusion detection? This article is our attempt to make that journey simpler.

In this article, we will introduce you to a few terms used in ISO 21434, with short, relatable examples. Towards the end, we will look at applying these terms to one of the most prominent and publicized remote hacking demonstrations of 2015, the Jeep Cherokee cyberattack.

1. Cybersecurity incident

This is what we informally call "someone hacked a car" in the real world. Any news you read online about how attackers hacked a car remotely, locked/unlocked it, accessed its infotainment system or even drove it - these are all cybersecurity incidents.

2. Damage Scenario

This is the consequence of the cybersecurity incident, which affects a certain functionality of the vehicle, consequently affecting the driver/passengers in the car or the road users outside the car. For example, if someone hacked your car and changed your audio playlist, this affects the "infotainment" function of the car, consequently affecting your privacy.

Unlike safety, where we are mainly concerned with safety-related consequences or hazards, "damages" in cybersecurity extend beyond safety. Damages fall into four categories:

  1. financial
  2. operational
  3. safety
  4. privacy

3. Threat Scenario

Threat Scenario and Damage Scenario have a cause-effect relationship. A threat scenario refers to the possible causes/events/methods by which an attacker could hack the car. A threat scenario leads to a damage scenario. For example, let's say an attacker tampered with the diagnostic connector of the infotainment device and used it to read and overwrite the audio playlist; this tampering is the threat scenario, which leads to the damage stated in the previous definition.

From a different perspective, you could also say that a cybersecurity incident is a "real life" manifestation of a threat scenario.

4. Asset

This is the "object" that is attacked. In the example of someone hacking a car and changing a playlist, the 'infotainment system' and the 'playlist' were attacked. These two are examples of "assets", or objects that were attacked. Why is an asset attacked? Because it has certain properties that are important to preserve. If these properties are not preserved, or are compromised during an attack, it leads to a damage scenario. For example, if a "braking algorithm" is an asset and the algorithm is hacked, it can lead to damage scenarios such as braking too much/too little, unintended braking, or not braking when intended.

The correct identification of assets is crucial for designing the right cybersecurity solutions. The challenge with assets is that they can go broad and deep. Assets can be tangible, such as electronic control units (ECUs), hardware, a CAN bus connection, memories etc., or intangible, such as software, intellectual property, personal information, algorithms, the location of a vehicle or individual, specific functionality data etc.

5. Cybersecurity Property - Confidentiality, Integrity, Availability

When we described assets, we stated that an asset has certain properties that are worth protecting. These are what we call cybersecurity properties, also commonly known as the CIA triad.


The common cybersecurity properties are:

Confidentiality - ensuring that sensitive information can only be accessed by authorized users and is protected from unauthorized disclosure. E.g., the personal audio preferences of a driver, the favourite routes of a driver etc.

Integrity - refers to preventing unauthorized modification of information. E.g., if a malicious ECU injects false vehicle speed CAN messages into the vehicle CAN network, this will lead to an incorrect display of speed on the dashboard; in other words, a loss of integrity of the vehicle speed.

Availability - this means ensuring that the data and systems are available and operational when needed. E.g., if the braking algorithm was hacked and braking does not happen anymore, then the availability of the system has been compromised.
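To make the integrity example above concrete from the defender's side, here is an added example (not code from the original post) that scans a candump-style CAN log for injected vehicle-speed frames. A genuine periodic frame keeps its cycle time, and physical speed cannot jump within one cycle, so a spoofed frame tends to fail one of those two checks. The log lines, CAN ID 0x1A0, the cycle time and the speed encoding are all constructed for this illustration and are not from any real vehicle.

```python
from collections import namedtuple

SPEED_ID = 0x1A0       # hypothetical CAN ID of the vehicle-speed frame (cycle: 20 ms)
MIN_GAP_S = 0.015      # a speed frame closer than this to the last accepted one is suspect
MAX_DELTA_KPH = 5.0    # largest plausible change of speed between two consecutive cycles

# Constructed log: a genuine stream creeping from 50.0 to 51.6 km/h, with two
# injected frames (t=12.025 and t=12.059) claiming 100 km/h; 0x2B4 is an unrelated ID.
SAMPLE_LOG = """\
(12.000) can0 1A0#1388
(12.020) can0 1A0#13B0
(12.025) can0 1A0#2710
(12.040) can0 1A0#13D8
(12.059) can0 1A0#2710
(12.060) can0 1A0#1400
(12.065) can0 2B4#01
(12.080) can0 1A0#1428
""".splitlines()

Frame = namedtuple("Frame", "ts can_id data")

def parse_candump(line: str) -> Frame:
    """Parse one '(timestamp) iface ID#HEXDATA' line of a candump log."""
    ts, _iface, payload = line.split()
    can_id, data = payload.split("#")
    return Frame(float(ts.strip("()")), int(can_id, 16), bytes.fromhex(data))

def speed_kph(frame: Frame) -> float:
    """Hypothetical encoding: big-endian uint16 in bytes 0-1, 0.01 km/h per bit."""
    return int.from_bytes(frame.data[:2], "big") / 100

def find_spoofed_speed_frames(lines):
    """Flag speed frames that fail the timing or the plausibility check.

    Only frames that pass both checks become the new baseline, so a single
    injected frame does not make the next genuine frame look like a jump too.
    """
    alerts, last = [], None
    for frame in map(parse_candump, lines):
        if frame.can_id != SPEED_ID:
            continue
        if last is not None:
            gap = frame.ts - last.ts
            jump = abs(speed_kph(frame) - speed_kph(last))
            if gap < MIN_GAP_S:
                alerts.append({"ts": frame.ts, "reason": "timing", "value": gap})
                continue
            if jump > MAX_DELTA_KPH:
                alerts.append({"ts": frame.ts, "reason": "plausibility", "value": jump})
                continue
        last = frame
    return alerts
```

Run against SAMPLE_LOG, the first injected frame is caught by the timing check (it arrives 5 ms after a genuine frame) and the second, which happens to land near the expected cycle, by the plausibility check (a 49 km/h jump in one cycle).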

6. The Attack terms! - Attack Path/Surface/Vector

Three terms that seem similar but have subtle differences.

Attack Surface - This refers to the set of all possible entry points through which attackers initiate attacks on the vehicle. For example, a wireless interface such as a Bluetooth connection from your mobile phone to your infotainment system, or a wired connection from an OBD (On-Board Diagnostics) connector plugged into the OBD port of the ECU. Attack surfaces encompass all possible avenues (outside the vehicle as well as inside) that can be exploited by attackers.

Attack Vector - This is the exact method used by an attacker to gain unauthorized access to a system. For example, an attacker remotely unlocks or locks a car from an app on a mobile phone by exploiting a weak password. Masquerading is another common attack vector, where an attacker impersonates a legitimate user, device (such as a sensor), or an ECU to gain unauthorized access to the vehicle's network.

Attack Path - This is the exact sequence of steps that an attacker takes to attack a system. It is the complete path that the attacker travels through after initiating the attack via the attack vector. For example, once an attacker exploits a weak password to access the infotainment system, they further exploit other weaknesses in the system to gain access to the vehicle CAN bus through the infotainment system. They then use the CAN bus to send wrong signals to a steering ECU, which leads to incorrect functioning of the vehicle's steering. The exact end-to-end path, from the wireless connection to the steering, through which the attack happened is the attack path.

Note that only the term "attack path" is defined in ISO 21434, while the other two terms are used but not defined.

Here’s a diagram that summarizes the relationship between the terms we have learnt so far:

ISO 21434 Cybersecurity Terms Relationship

Now, let’s apply these terms to the 2015 Jeep-Cherokee Hack, to get an end-to-end understanding.

