Status: Final Published
Date: December 2018
Region: United Kingdom
Publicly Available Specification (PAS) 1885:2018 The fundamental principles of automotive cyber security is a specification developed by the U.K. British Standards Institution, sponsored by the Department for Transport. PAS is a pre-standardization document that can be used as a foundation for standard development. It is available for purchase online in digital and in hard copy formats.
The PAS is intended for use by the automotive sector, including vehicle manufacturers, their supply chains, and the wider ecosystem (authorized service centers, aftermarket suppliers, road authorities, and service providers).
It aims to set out the fundamental principles for the provision and maintenance of cybersecurity in intelligent transport ecosystems (e.g., vehicles, related infrastructure, and human elements), including the reduction of threats and harm to products, services, and systems therein.
The PAS aims to cover the security and functional safety aspects of the entire automotive development and use life cycle, including specification, design, implementation, integration, verification, validation, configuration, production, operation, servicing, and decommissioning.
The PAS is intended to be read together with the U.K. Government’s Key Principles of Cyber Security for Connected and Automated Vehicles published in August 2017. As such, it goes through each of these eight principles in detail and describes how to apply them from an organizational perspective:
- Organizational security is owned, governed, and promoted at the board level.
- Security risks are assessed and managed appropriately and proportionately, including those
specific to the supply chain.
- Organizations need product aftercare and incident response to ensure systems are secure over
- All organizations, including sub-contractors, suppliers, and potential third parties, work together
to enhance the security of the system.
- Systems are designed using a defense-in-depth approach.
- The security of all software is managed throughout its lifetime.
- The storage and transmission of data is secure and can be controlled.
- The system is designed to be resilient to attacks and respond appropriately when its defenses or sensors fail.
The PAS focuses on the key areas: the organization’s security context, security governance, assessing and managing security risks, security management over vehicle systems life cycles, working together to enhance system security, applying a defense-in-depth approach, software trustworthiness, management of vehicle system data and information, and vehicle system resilience.
It recognizes that organizations have different risk cultures and appetites, and the PAS can, therefore, be applied according to the various needs and risk assessments performed. The key is that organizations understand the link between the security context and the cybersecurity risks. Above all, the PAS stresses the importance of the board’s accountability and where there is no or limited understanding of the issues, the PAS recommends hiring security experts to help.
Some of the recommendations set out in the PAS include establishing a governance approach, structure, and security strategy. This should include documenting and maintaining records on risk appetites, asset-based risk registers, security strategies and programs, and management plans for security generally, incident response, supply chain security, and information sharing, as well as establish an organizational security culture and ensure a life cycle that embraces security-by-design.
The BSI published around the same time (December 2018) PAS 11281 Connected automotive ecosystems. Impact of security on safety. PAS 11281 is a Code of practice that aims to complement PAS 1885. Sponsored by the Centre for the Protection of National Infrastructure (CPNI), its goal is to provide vehicle manufacturers and associated stakeholders (maintenance organizations, infrastructure operators, owners of large vehicle fleets, digital service providers) with recommendations on how to manage the security risks that could potentially compromise safety in a connected automotive ecosystem (and notably for connected and autonomous vehicles (CAVs)).
PAS 11281 also refers back the key principles of cybersecurity for CAVs and is intended to complement other recommendations published elsewhere, notably the European Union Agency for Cybersecurity’s (ENISA) Cyber security and resilience of smart cars – good practices and recommendations, the U.S. NHTSA Cybersecurity for Modern Vehicles, and the U.K.’s National Cybersecurity Centre (NCSC) Network and Information Security (NIS) Directive guidance.