This content is not included in your SAE MOBILUS subscription, or you are not logged in.
Cybersecurity Metrics for Automotive Systems
ISSN: 2572-1046, e-ISSN: 2572-1054
Published April 06, 2021 by SAE International in United States
Event: SAE WCX Digital Summit
Citation: Cheah, M. and Oka, D., "Cybersecurity Metrics for Automotive Systems," SAE Int. J. Transp. Cyber. & Privacy 4(2):117-129, 2021, https://doi.org/10.4271/2021-01-0138.
Cybersecurity for automotive systems is challenging, and one of the major challenges is how to measure this specific system property. With the increased need for cybersecurity in automotive systems due to the development of more advanced technologies and corresponding increased threat vectors, coupled with the upcoming International Organization for Standardization and the Society for Automotive Engineers (ISO/SAE) 21434 cybersecurity standard for automotive systems and cybersecurity regulations in The United Nations Economic Commission for Europe World Forum for Harmonization of Vehicle Regulations (UNECE WP.29), it is becoming increasingly important for auto manufacturers and suppliers to have a clear and common understanding and agreement of cybersecurity metrics for the development and deployment of vehicles. The main contribution of this article is the contextualization of existing metrics from literature and mapping out how they may fit within a standardized framework. We highlight the challenges to create awareness around the lack of common understanding and outline the first potential steps towards a consensus. For example, one can consider assurance levels as a form of metric. Since guarantees of security are not possible, verification and validation methods such as various forms of testing can be used to give an assurance of security. For the automotive industry, there are discussions around cybersecurity assurance levels (CALs), which are outlined in an informative annex in the ISO/SAE 21434 draft standard. The CAL values are used to indicate subsequently the increasing scope, extent, and depth of assurance activities to be performed to achieve that level of assurance. A common understanding of the answer to “how much cybersecurity is enough?” will inspire greater confidence in practitioners who design and test the technical measures, in the industry as regards a balanced approach to cybersecurity and ultimately, in consumers who need to know that the products that they buy will be safe and secure.