Automotive Cyber Security Best Practices for Small-Series OEMs

Jesse K.Sultanik, Director of Business Development

In July 2024, all new or existing “vehicle types” will be subject to UNR 155 type approval for cyber security. This is a huge milestone for the industry, and for the safety of drivers and passengers worldwide.

This upcoming deadline introduces myriad challenges for automakers of all shapes and sizes. These challenges may be even more acute for small-series automotive manufacturers, i.e. companies producing up to 10,000 vehicles per year.  Whether a tech-savvy EV startup or a traditional commercial vehicle manufacturer, small-series OEMs must cross several unique hurdles on their way to meeting the new cyber security requirements.

To help small-series OEMs navigate this brave new world, we’ve highlighted the key cyber security challenges and outlined best practices for managing the transition to cyber-secure vehicles and management systems. Learn more about our compliance starter kit for small-series automotive manufacturers.

• Compliance Starter Kit

Small-Series OEMs Aren’t Created Equal

In terms of cyber security awareness and preparedness, most small-series manufacturers can be grouped into two general categories: 1) traditional small-series OEMs that primarily target niche markets (e.g., manufacturers of high-end luxury cars, special purpose vehicles such as cement mixers or commercial vehicles like coach and bus); and 2) electric vehicle (EV) startups founded in the last decade that have infused agile development and software-centricity to the production process.

Naturally, traditional OEMs and EV startups have different competencies and cultures, affecting their cyber security readiness and ability to apply cyber security controls and processes to vehicle development, manufacturing, and management/maintenance. While EV OEMs tend to be ahead of their traditional counterparts in understanding the cyber security challenges, they are less experienced in the systematic, repeatable, and certifiable processes necessary to meet automotive regulatory requirements.

Yet, regardless of these differences, there are a number of cyber security compliance challenges that are common to all types of small-series OEMs.

Profiling the Multi-Vectored Challenge

Regardless of their current situation, automotive cyber security compliance can be highly burdensome. Consider the cases where the development of new vehicles began without cyber security risks in mind, or OEMs that intend to keep their existing, approved vehicles on the market. Such scenarios could lead to change requests which always involve new unexpected costs and delays.

The organizational and technical cyber security requirements have become a prerequisite for vehicle-type approvals and sales. UNR 155 is turning cyber security from a “nice to have” to a must-have” feature within vehicle programs and management systems. Accordingly, small-series OEMs are evaluating and expanding the competencies available to them for all cyber security engineering, operations, and management tasks. 

For each type of small-series OEM, the challenges are slightly different: Tech-savvy EV OEMs may be more software-oriented and aware of the need for cyber security by design, but have less experience in vehicle certification and automotive go-to-market than traditional small-series OEMs.

Either way, both traditional OEMs and EV startups must assimilate cyber security know-how and skill sets into their organizations and vehicle programs. To meet these requirements, OEMs will need to bolster their capabilities, evaluate the scale of work or adjustments necessary, and to plan the road toward compliance.

In this context, small series OEMs face dual uncertainties in human resources and budgets. Margin pressures are widely known in automotive, even for companies with long, storied histories. For new OEMs yet to scale their first or second generation vehicles, aligning investors’ expectations with the need for additional development work on cyber security can be difficult.

Aware of this gap between investment, capabilities, and requirements, small-series OEMs are tasking non-cyber security staff members with the cyber-compliance project. In many cases, this means that functional safety and quality assurance managers are taking on expanded responsibility scope.

This approach demonstrates an effort to meet the new requirements while maintaining a certain cost sensitivity. Notwithstanding, non-cyber professionals may not have all the skills or know-how to overcome some cyber-related challenges. As such, many small series OEMs are also turning to automotive cyber security vendors to identify and leverage the available competencies and products relevant to their needs.

Partnering with these vendors, small-series OEMs can leverage experiences related to the implementation of process and technical measures. In many cases, vendors have the things small series OEMs may lack — the right knowledge base to analyze requirements, experience from prior cyber security implementation work (process or product), as well as various cyber security controls to achieve compliance coverage and proper risk management (e.g., threat monitoring, vulnerability scanning, active detection, and prevention etc.).

Best Practices for Small-Series OEMs

To tackle the above challenges in an efficient way, small-series OEMs can adopt several OEM cyber security strategies supporting the drive towards cyber-secure vehicles and manufacturing organizations.

1. Implement cyber security policies, processes, and procedures within a “cyber security management system” to meet new regulatory requirements as well as industry state-of-the-art. UNR 155 may lay out the requirements, but ISO/SAE 21434 and ASPICE provide traceable, repeatable frameworks for safety and cyber security development.

2. Conduct a thorough risk assessment to understand the potential cyber threats to vehicles, their systems, and supply chains. Based on such assessment, proper security concepts and requirements can be developed. Guidance on these activities can be found in the ISO/SAE 21434 cyber security engineering for road vehicles standard.

3. Provide training and education for employees to increase cyber security awareness and best practices adoption across disciplines, including secure coding, penetration and fuzz testing, vulnerability management, intrusion detection and analysis and VSOC.

4. Consider engaging vendors to accelerate targeted activities like cyber security process establishment or implementation of cyber security controls for monitoring and analysis purposes. Vendors that offer capabilities across several automotive cyber security domains can save the time and bandwidth of small-series personnel.

5. Work with UNECE-accredited technical services or testing, inspection, and certification entities. Whether developing a complete vehicle or component systems, it can be hugely beneficial to receive ongoing feedback from such organizations, which eventually make compliance recommendations and determinations for your final products.

6. Determine the extent of risk associated with newly discovered and existing threats and vulnerabilities by systematically maintaining a database with all software materials, versions, assets and the like — i.e., the software bill of materials (SBOM). Manufacturers are required to have an updated risk analysis and must be able to ascertain the known vulnerabilities to vehicles and vehicle components in the field at all times.

7. Regularly review and update cyber security systems, protocols and contingency plans to ensure ongoing compliance and protection against evolving cyber threats. Periodic risk assessments that consider the new risks, vulnerabilities and technologies are required by UNR 155 and also necessary for proper risk management throughout the lifecycle. In addition, to comply with UNR 155, OEMs’CSMS processes must be recertified every three years to ensure that new and evolving threats as well as lessons learned are incorporated into the relevant risk management processes.

8. Deploy security sensors in new vehicles, and deploy cloud-based cyber security to analyze the data collected from these sensors and the service layer infrastructure (vehicle communications and connected services). These measures are critical for basic incident management and reporting, investigation of cyber threats and attack mitigation.
9. Couple the identification of cyber threats, vulnerabilities and attacks with the ability to update security-related configurations and components through over-the-air (OTA) updates. Fleet-wide responses, such as limp-home mode or disabling functionality should also be considered to limit the fallout from any incident.

10. Employ security bookkeeping tools to assist in the management and use of security-related data (e.g., risk assessment results, testing results, requirements documentation, etc.). With some tools, activities such as risk identification, impact analysis and traceability can be automated to improve efficiencies, knowledge reusability and compliance.

11. Address risk introduced to the vehicle through aftermarket hardware/software by inspecting communication coming from aftermarket-compatible areas of the vehicle. In addition to physical separation, establish other isolation techniques such as OS / hardware / authentication mechanisms. For small series OEMs, this type of risk can be particularly important to address within the analysis of threats to the vehicle according to its intended usage.

Bottom Line

Small series OEMs face significant challenges in complying with UNR 155 regulations and developing robust cyber security systems. To mitigate these challenges, there are best practices and guidelines that can be followed to ensure compliance, mitigate the risk of cyber threats and ensure business continuity for OEMs delivering software-defined, connected vehicles. By working closely with external experts, suppliers and vendors — i.e., the available cyber security know-how in the value chain — small series OEMs can overcome the challenges posed by cyber threats and maximize the value within new, promising business models.