The 5StarS consortium is today launching its proposed assurance framework for connected and autonomous vehicle cybersecurity from design to end of life, following a two-year research project funded by Innovate UK.
The consortium combined the expertise of research organisations HORIBA MIRA, Ricardo, Roke, Thatcham Research and Axillium Research, and were commissioned to address increased cybersecurity threats around connected vehicles.
As greater connectivity of vehicle systems - such as in-car entertainment - increases exposure to cyber threats, consumers and insurers need to be confident that vehicle manufacturers are managing cybersecurity appropriately.
The assurance framework sets out to build trust in the ability of manufacturers to mitigate cyber threats and be resilient to attacks, and to demonstrate that they will respond quickly and effectively to attacks or vulnerabilities.
The framework will enable manufacturers to gain assurance in the capabilities of their products, use resilience as a market differentiator and establish meaningful ways of communicating cybersecurity risk to consumers.
Key benefits for vehicle manufacturers implementing the framework include:
- building consumer trust in the overall safety of vehicles
- highlighting vehicle countermeasures against - and resilience to - cyber attacks
- cyber risk being reflected in insurance premiums
- ability to monetise good practice in cybersecurity through a rating that differentiates their products from the competition in consumers’ eyes
Future of Mobility Minister Michael Ellis comments: “Self-driving technology will help transform our society for the better, and the UK has led the way globally in supporting the world’s first standard on vehicle cyber security.
“The new assurance framework developed by the 5StarS consortium builds on this work, helping ensure this technology is safe, secure, and resilient to cyber attacks.”
Paul Wooderson, Cybersecurity Principal Engineer at HORIBA MIRA and 5StarS project lead, said: “The 5StarS project has delivered a novel and scalable way for vehicle manufacturers to increase confidence in the cybersecurity of their products, from the design stage through the vehicle lifecycle, and demonstrate that to consumers and insurers.
“We are confident that the framework is a workable and positive response to the issues posed by new technology that enables vehicle manufacturers and others to deal with the risks but also consider the clear opportunities on offer.”
The assurance framework introduces independent vehicle vulnerability assessments and, crucially, it is aligned with emerging regulations and standards, such as ISO/SAE 21434, UNECE and the CAV Innovation System Framework.
The 5StarS vehicle assessment consists of four components:
- Product Development - concept and design
- Production, operations, maintenance and decommissioning
- Cybersecurity governance and management
- Vulnerability assessment
The scores from the assessment are aligned to the UK Government Department for Transport Principles of Cyber Security for Connected and Autonomous Vehicles.
It is proposed that manufacturers would receive a full report of the findings allowing them to resolve issues. It is likely scoring thresholds will increase over time, driving good behaviour and innovation in cybersecurity, ensuring manufacturers maintain high ratings.
As new technology and cybersecurity best practice change, the criteria will be amended (and manufacturers given advance warning). The proposed timings for adoption and implementation of the framework are laid out in a roadmap, enabling assurance to be increased over time – see supporting timeline.
CONSUMER-FACING ASSURANCE RATING SYSTEM
Additionally, 5StarS is proposing an assurance rating system to reassure consumers about their choice of vehicle. The system will:
- meaningfully reflect the level of cybersecurity assurance of a vehicle - applying to new vehicles only
- inform the consumer’s buying decision
- provide underwriters with information to help assess a vehicle’s cyber risk
- address the evolving threat landscape, including international differences
- include consideration for ongoing maintenance/technical inspection
- contain variables allowing amendments in response to the changing landscape