Hello, this is Hermes Solution, your trusted expert partner in automotive cybersecurity and functional safety.
Today, we will discuss an important emerging issue in the automotive industry: “The Innovations and Challenges of Cloud Connectivity in the Automotive Industry.”
Today’s automobiles have evolved beyond mere transportation tools, becoming “IoT devices on wheels.” Equipped with software-defined vehicle (SDV) operating systems similar to smartphones, vehicles are wirelessly connected to external services such as OTA (Over-The-Air) updates, vehicle monitoring, and infotainment, enabling real-time service delivery. The advancement of cloud computing technology has established the foundation for handling massive data storage and processing, facilitating services like autonomous driving, predictive maintenance, and vehicle performance optimization.
However, this increased connectivity also introduces new cybersecurity threats. Communication ports, cloud server APIs, and mobile applications—necessary for interactions between vehicles and external servers—can all serve as potential attack pathways. The 2015 Jeep Cherokee hacking incident demonstrated the devastating potential of remote attacks that could control engines, brakes, and steering systems, shocking the industry and highlighting how cloud-based automotive services, despite their convenience, expand the attack surface to include physical safety threats.
So how can we leverage the advantages of cloud-based services while ensuring robust vehicle security? This question has become crucial for automotive OEMs, suppliers (Tier 1, 2, etc.), and IT/cloud companies alike. Hermes Solution addresses these automotive security challenges by effectively implementing global cybersecurity standards like ISO/SAE 21434, helping chart the automotive industry’s path forward.
ISO/SAE 21434: Foundation of Automotive Cybersecurity
Background and Key Contents
ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering,” jointly published in 2021 by ISO (International Organization for Standardization) and SAE (Society of Automotive Engineers), systematically identifies and manages cybersecurity risks throughout the entire vehicle lifecycle—from development and production to operation and disposal.
The core concept is “Security by Design”: cybersecurity is embedded from the earliest design stages to mitigate risks preemptively, and security is then continuously monitored and updated throughout operation. Historically, the automotive industry lacked unified cybersecurity standards, leading OEMs to approach cybersecurity individually or reactively. ISO/SAE 21434 bridges this gap, clearly defining security responsibilities and elevating industry-wide cybersecurity standards.
Alignment with UN R155
UN R155, a cybersecurity regulation by UNECE WP.29, mandates the establishment of Cybersecurity Management Systems (CSMS) for new vehicles sold after July 2022. It explicitly references ISO/SAE 21434 as its guideline, making compliance essential for global market entry. Consequently, cybersecurity has become mandatory rather than optional.
Security Threats in Cloud-Based Automotive Services
Expanded Attack Surface
Cloud-based automotive services involve extensive data exchanges between vehicles and the cloud, including:
- OTA Updates: Wireless distribution of firmware/software for enhancements and bug fixes.
- Real-time Vehicle Diagnostics: Sending operational and component status data to the cloud for predictive maintenance.
- Infotainment: Providing music streaming, location-based services, and traffic information.
Increased connectivity broadens the entry points for attackers. Cloud server infiltration, data interception/manipulation, supply chain attacks (malicious firmware distribution), and account hijacking can all potentially lead to remote vehicle control, blending IT threats with severe physical consequences.
Complex Supply Chain Structure
Vehicles contain numerous electronic control units (ECUs) from multiple suppliers. Adding cloud service providers, data centers, telecommunications firms, and software developers creates a complex ecosystem. Compromise of any single link could propagate malicious updates or malware throughout the vehicle’s systems.
Application of ISO/SAE 21434: TARA and Security Requirements
Importance of Threat Analysis and Risk Assessment (TARA)
ISO/SAE 21434 emphasizes comprehensive TARA processes:
- Asset Identification: Vehicle ECUs, cloud servers, sensitive data (user information, payment details).
- Threat Scenario Identification: Unauthorized access, data manipulation, ransomware, Denial-of-Service (DoS), and supply chain attacks.
- Risk Assessment: Evaluating threat likelihood and impact to prioritize mitigation strategies.
TARA results inform specific security requirements tailored for cloud-based automotive services, such as mandatory use of TLS 1.3+ and mutual certificate validation for vehicle-cloud communications.
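The TARA steps above, worked through in code as an added illustration (not part of the original post or of any Hermes Solution tool): each constructed threat scenario gets an attack-feasibility rating from summed attack-potential factors, a risk value from an impact x feasibility matrix, and the scenarios are then ordered so the highest risks drive security requirements first. The point scale, the feasibility thresholds and the risk matrix are assumptions modelled on the standard's informative annexes; verify them against your copy before relying on them.

```go
package main

import "sort"

// AttackPotential holds the five attack-potential factors from the standard's
// informative attack-feasibility annex. The point scale used below (elapsed time,
// expertise, knowledge, window of opportunity, equipment) is an assumption.
type AttackPotential struct{ ElapsedTime, Expertise, Knowledge, Window, Equipment int }
type ThreatScenario struct {
	Asset, Threat string
	Impact        string // "Severe", "Major", "Moderate" or "Negligible"
	Potential     AttackPotential
}

// Feasibility maps the summed attack potential to a feasibility rating:
// a cheap, quick attack (low sum) is highly feasible. Thresholds are assumptions.
func Feasibility(p AttackPotential) string {
	sum := p.ElapsedTime + p.Expertise + p.Knowledge + p.Window + p.Equipment
	switch {
	case sum < 14:
		return "High"
	case sum < 20:
		return "Medium"
	case sum < 25:
		return "Low"
	}
	return "Very low"
}

// riskMatrix is an illustrative impact x feasibility matrix (assumption)
// giving a risk value from 1 (lowest) to 5 (highest).
var riskMatrix = map[string]map[string]int{
	"Severe":     {"Very low": 2, "Low": 3, "Medium": 4, "High": 5},
	"Major":      {"Very low": 1, "Low": 2, "Medium": 3, "High": 4},
	"Moderate":   {"Very low": 1, "Low": 2, "Medium": 2, "High": 3},
	"Negligible": {"Very low": 1, "Low": 1, "Medium": 1, "High": 1},
}
func RiskValue(s ThreatScenario) int { return riskMatrix[s.Impact][Feasibility(s.Potential)] }

// Prioritize orders scenarios by descending risk so the highest-risk ones drive
// security requirements (e.g. TLS 1.3 with mutual certificate validation) first.
func Prioritize(in []ThreatScenario) []ThreatScenario {
	out := append([]ThreatScenario(nil), in...)
	sort.SliceStable(out, func(i, j int) bool { return RiskValue(out[i]) > RiskValue(out[j]) })
	return out
}

// Sample is a constructed set of threat scenarios for a cloud-connected vehicle.
var Sample = []ThreatScenario{
	{"OTA backend", "Malicious firmware pushed via compromised update server", "Severe", AttackPotential{4, 6, 7, 1, 0}},
	{"Telematics link", "Interception of unencrypted diagnostic data", "Moderate", AttackPotential{0, 3, 0, 4, 0}},
	{"Infotainment account", "Hijacking of a streaming subscription", "Negligible", AttackPotential{1, 0, 0, 0, 0}},
}
```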
Data Security, Communication Security, Backend Infrastructure Security, OTA Security
ISO/SAE 21434 provides detailed guidance across vehicle development and operation lifecycles, emphasizing four primary security areas for cloud-based services:
- Data Security: Ensuring confidentiality, integrity, and availability of data through encryption, access control, log monitoring, and secure disposal.
- Communication Security: Protecting data exchanges with encryption, authentication, intrusion detection/prevention systems (IDS/IPS), and secure key management.
- Backend Infrastructure Security: Securing cloud servers, networks, APIs, and virtual environments through regular vulnerability scanning, penetration testing, disaster recovery (DR), and business continuity planning (BCP).
- OTA Update Security: Ensuring integrity, authenticity, and secure rollback mechanisms through mutual authentication, encryption, and digital signatures.
Continuous Security Management in Operations and Maintenance
Security Operation Centers (SOC) and Real-time Monitoring

ISO/SAE 21434 requires robust security practices beyond development, extending to operational vehicles. Establishing cloud-based SOCs enables global real-time monitoring of vehicle telematics data, server logs, and network traffic, allowing prompt detection and response to cybersecurity incidents.
Incident Response and Vulnerability Management
ISO/SAE 21434 mandates:
- Vulnerability reporting channels for prompt issue reporting.
- Rapid security patch deployment via OTA or offline updates.
- Incident response training through simulations, promoting inter-team coordination during incidents.
Effective ongoing security monitoring and incident management minimize impacts, preserving customer trust.
Integration with Existing Systems and Future Challenges
Harmonization with Existing Safety Standards
Many companies already apply ISO 26262 (functional safety) and Automotive SPICE (software quality processes). Integrating cybersecurity with these processes avoids redundancy and enhances efficiency.
Cloud Supply Chain Management
Clearly defined shared responsibility models, regular security assessments of cloud partners (AWS, Azure, GCP, etc.), and mandated security audits and certifications (ISO/IEC 27017, CSA STAR) significantly mitigate risks.
Rapidly Changing Threat Environment
With emerging communication protocols (C-V2X, 5G/6G) and evolving vehicle architectures (domain/zone-based E/E architecture), new vulnerabilities continuously emerge. ISO/SAE 21434 advocates Continuous Security Improvement through regular reassessment, embedded software updates, and ongoing cybersecurity training.
Benefits and Conclusion
Regulatory Compliance and Market Accessibility
Compliance with ISO/SAE 21434 simplifies meeting global cybersecurity regulations like UN R155, enhancing market competitiveness.
Reduced Security Risks and Enhanced Brand Trust
Standardized cybersecurity processes proactively reduce risks of security incidents and data breaches, strengthening long-term brand reputation and customer satisfaction.
Improved Organizational Process Maturity
Implementing ISO/SAE 21434 enhances overall organizational maturity, positively impacting quality, safety, and efficiency, thereby boosting competitiveness.
Cloud-based automotive services will continue driving mobility innovations, but cybersecurity threats must be rigorously addressed. ISO/SAE 21434 provides a comprehensive framework for addressing these challenges, ensuring both convenience and safety.
Hermes Solution is committed to creating safer, innovative cloud-based automotive services. Join us to secure and shape the future of connected mobility.