Cybersecurity Metrics for Automotive Systems
ISSN: 0148-7191, e-ISSN: 2688-3627
To be published on April 06, 2021 by SAE International in United States
Event: SAE WCX Digital Summit
Cybersecurity for automotive systems is challenging, and one of the major challenges is how to measure this system property. In this paper we present the context surrounding cybersecurity metrics from the literature and highlight the first potential steps towards a common understanding of how much cybersecurity is enough. With the increased need for cybersecurity in automotive systems due to the development of more advanced technologies and the corresponding increase in threat vectors, coupled with the new ISO/SAE 21434 cybersecurity standard for automotive systems and the cybersecurity regulations in UNECE WP.29, it is becoming increasingly important for auto manufacturers and suppliers to have a clear and common understanding of, and agreement on, cybersecurity metrics for the development and deployment of vehicles. The main contribution of this paper is the contextualization of existing metrics and a mapping of how they may fit within a standardized framework. We highlight the challenges in order to create awareness of the lack of common understanding, and outline first potential steps towards a consensus. For example, one can consider assurance levels as a form of metric. Since guarantees of security are not possible, verification and validation methods such as various forms of testing can be used to give an assurance of security. For the automotive industry, there has been much discussion around cybersecurity assurance levels (CALs), which are outlined in the ISO/SAE 21434 draft standard. The CAL can, for instance, range from a value of 1 to 4, with the scope, extent and depth of the assurance activities to be performed increasing with the level of assurance to be achieved.
A common understanding of the answer to “how much cybersecurity is enough?” will inspire greater confidence in practitioners who design and test the technical measures, in industry with regard to a balanced approach to cybersecurity, and ultimately in consumers who need to know that the products that they buy will be safe and secure.