New technologies and the recent barrage of UNECE regulations intended to police their use mean a seismic safety and security shake-up for automotive systems engineering. Alastair Ruddle, Horiba MIRA’s chief scientist of vehicle resilience technologies, untangles the changes afoot.
Cybersecurity is the latest systems engineering consideration to join the established ranks of functional safety and the safety of the intended functionality (SOTIF). While ostensibly addressing a familiar automotive engineering domain of risk, these new challenges introduce some fundamentally new and far-reaching consequences for the industry, evidenced by the three new UNECE regulations adopted in March this year, spanning cybersecurity (R155), software updates (R156) and automated lane-keeping systems (R157). These new requirements broaden the scope for threats that demand a risk engineering solution, add a substantial new product lifecycle obligation for vehicle manufacturers, introduce new operational contexts that require solutions and extend traditionally understood safety engineering into new areas of consideration. In total, this represents a major reset for automotive systems engineering.
The first clear evidence that automotive systems engineers are facing the prospect of a fundamental culture shift is the common conflation of cybersecurity with safety. While some cybersecurity attacks result in safety compromises, many do not. Financial fraud perpetrated via road charging systems and the invasion of privacy through illicit data acquisition, including vehicle tracking or eavesdropping on keyless entry transmissions to enable theft, are just some of the illustrations of the scope of cybersecurity that sits beyond the traditional domain of safety-led engineering.
Functional safety also holds the vehicle occupants and other road users as sacrosanct in its considerations; but cybersecurity has an obligation to consider a far wider cohort as future vehicles will increasingly become elements of a wider connected and automated mobility ecosystem, making civil authorities and even nation state economies the potential targets of vehicle cybersecurity threats.
Functional safety also has a disciplinary focus on malfunctions. SOTIF extends the scope of this focus to ‘reasonably foreseeable misuse’, but this still falls short of the need to encompass the intentional abuse that is inherent in cybersecurity attacks.
As a consequence of these three paradigm shifts, the automotive industry’s safety-based engineering tradition will not scale to meet the demands of cybersecurity. The threats are multifarious, the affected parties far more extensive and the sources with which engineered solutions must contend are not passive, but rather rich with intent.
A lifelong commitment…
Like a marriage, vehicle manufacturers are now obliged to embark on a lifelong commitment to their customers. The new UNECE regulations confer new notions of assurance that must contend with far more than just the previously demanded oversight of intended system functionality; the implications of R155 and R156 include providing for evolving performance or functional characteristics of the vehicle as well as cybersecurity updates to contend with new and unforeseen threats. And these vehicle enhancements are to be managed on a continuous basis for the entire vehicle lifecycle using over-the-air updates.
This marks a significant change to the nature of assurance engineering which previously worked to known parameters and was fixed at the point of sale. The future of assurance is now open-ended by comparison, with both future vehicle enhancements and the repulsion of threats not known or understood, but nevertheless forming part of the manufacturer’s duty of care to its customers.
These new obligations require a step-change in systems and processes to manage ongoing assurance activity.
..but with new house rules
In the design phase, engineers will in future need to develop operational readiness for a vehicle. This requires validation that foreseeable threats have been identified and suitable solutions put in place. This approach is analogous to commonplace product launch assurance typically associated with product safety engineering; however, with a new requirement to extend this oversight into the vehicle’s lifecycle, an operational assurance approach is required. This requires a wholly different standard of validation that the risks of continuing to use a product, process or service remain acceptable to the stakeholders throughout its life, making operational assurance a dynamic and continuous requirement.
As much as demanding a new modality in the approach to risk engineering, operational assurance has practical implications too.
Achieving operational assurance will require the development of dedicated vehicle security operations centers by manufacturers to monitor the operational performance of vehicles, as well as methods that facilitate the construction and maintenance of dynamic assurance cases that can be readily modiﬁed as new threats are identiﬁed and the onboard vehicle software evolves.
The implications of continuously updated vehicle software adds a further dimension to the new landscape of electronic systems assurance. Although widely regarded as a hardware issue, electromagnetic compatibility (EMC) is a systems issue with potential to be influenced by software. As software will be subject to continuous future updates, the potential for unintended consequences during the vehicle lifecycle is significant.
Changes for example in control strategies for vehicle electronics could result in different electromagnetic emissions characteristics. Similarly, changes in signal processing methods could change the effect of electromagnetic interference, and hence the immunity performance.
The presence of almost imperceptible levels of noise can significantly degrade the accuracy of artificial intelligence and machine learning technologies, which are increasingly used to support the automation of driving tasks, and these effects are not readily predictable. Consequently, some software changes may also require EMC assurance to be revisited.
Furthermore, in order to identify cybersecurity incidents reliably, it will also be necessary to be able to identify possible confounding sources of anomalous behavior, which include EMC phenomena. Thus, there will also be a need for through-life detection and monitoring of such phenomena. Otherwise false positives could result in considerable engineering effort being wasted on attempting to understand and resolve issues that could be assumed to be due to cybersecurity, but are actually EMC-related.
The changes ahead are significant and substantial for the industry and demand not just new processes, but a new mindset. And the appropriate solutions will demand a greater convergence in the ways that vehicle cybersecurity, functional safety, SOTIF and electromagnetic resilience are engineered and assured.
(Extracted and digested from a longer article, Automotive Cybersecurity Regulations Set to Revolutionize Electronic Systems Assurance by Alastair R Ruddle).