Automotive companies will face challenging cybersecurity challenges in 2022. Security teams can turn to BSIMM12 for guidance.
2021 was a busy year for security personnel in the automotive industry. The automotive industry was faced with a difficult timetable as cybersecurity became a necessity for compliance and market access.
- According to the United Nations Regulation WP.29R155, “In Europe, the new regulation regarding cyber security will be mandatory on all new vehicle types starting in July 2022, and will also become mandatory on all new vehicles manufactured after July 2024.”
- The official ISO/SAE21434 “Road Vehicles – Cybersecurity Engineering” version was published on August 31, 2021. This document provides a framework to manage cybersecurity risks and requirements throughout the lifecycle of vehicle products.
- China is the world’s largest automobile market. On September 14, 2021 the Equipment Industry Development Center of Ministry of Industry and Information Technology published the “Opinions Towards Strengthening the Management of Intelligent Networked Automotive Manufacturers and Products Access.” This requires original equipment manufacturers (OEMs), to perform self-assessments of vehicle data security, cybersecurity, and driving aid functions. The results had to be reported by October 12, 2021.
Security teams in automotive companies are seeing “forced growth” due to strict cybersecurity compliance requirements. Security groups need to sort through the complex checklists in order to create a work plan that is feasible within each organization’s capabilities.
One, individual security activities can now be transformed into a process-based cybersecurity management (CSMS) system. Automotive firms need to focus their limited resources quickly in order to establish enterprise security capabilities that are compliant. These are two very different approaches, single-point vs. Landscape, depth vs. breadth. This is what the automotive OEM security teams face. This is where you can find valuable information about how other companies have solved the problem.
Ecomservicessummit Software Integrity Group, a group of data, research and consultant experts, set out in 2008 to collect data about the various paths organizations took to address the software security challenges. They wanted to find out which organizations had implemented highly effective software security programs, conduct interviews, and publish their findings. These findings were published as the first report on “Building Security in Maturity Model (BSIMM).
Since then, BSIMM continues to grow from 9 participating companies to 128 participating businesses in 2021. This includes nearly 3,000 members of the software security group and over 6,000 satellite (security champions) members.
Based on real-world observations, the BSIMM report offers a unique perspective. It gives CISOs and security leaders a framework and model to benchmark their software security programs against. This includes key activities and tools for consideration.
BSIMM is a descriptive model, not a prescriptive model like standards, regulations, or secure code development life cycle process models. It is a “just-the facts” approach. This focuses on documenting observations and rationalizing data to create a common language for describing and communicating software security initiatives.
Comparing BSIMM security activities against company implementation statuses does not give companies a clear picture of the situation. The analysis can be the foundation of enterprise software security improvement. BSIMM is not a guideline for security groups, but a measuring stick.
The automotive industry is facing many cybersecurity challenges. Software security and software development in the automotive sector are becoming more important than ever due to the increasing popularity of software-defined vehicles technology. Although BSIMM focuses primarily on software security, product manufacturers in high-tech industries have used it to assess product-related security activities.
BSIMM uses a framework of 12 software security practices organized under four domains–governance, intelligence, SSDL touchpoints, and deployment–currently encompassing 122 activities. BSIMM activities are controls that are implemented within a software security risk management system. The activities implemented might be used as preventive or detective, corrective, compensating, or corrective controls in a software-security initiative. The activities can be viewed as controls to make it easier for compliance, governance and risk teams and legal, audit and other risk management groups to understand the BSIMM’s worth.
Let’s look at some security practices to get a better understanding about the value BSIMM provides the automotive industry, particularly for building the software security systems.
UN R155 states that vehicle OEMs must first demonstrate the basic capabilities and security processes of their systems. To prove that specific products meet the certification cybersecurity system and process requirements, each model must be approved. Many vehicle OEMs, however, have chosen the opposite approach. These regulations and standards are used to determine the project’s cybersecurity requirements. This allows the work products to be used as evidence of compliance throughout the enterprise.
According to the BSIMM12 report, there are two ways for companies to build a mature security system. The first is to build a security system from the top through compliance requirements. Another is to increase security capabilities by utilizing the engineering team.
BSIMM is a descriptive tool that compares and contrasts the two approaches. However, it does not evaluate their merits and disadvantages. A governance-led approach is usually adopted by organizations that create a software security initiative. This is a program designed to coordinate software security activities across the organization. A leader of an initiative to implement software security must first create a central team structure. Although this might not require immediate hiring of employees, it may be necessary for a full-time team to execute key activities that support the further establishment and institutionalization software security-related policies and standards at the organizational level.
Three key security activities are described in the BSIMM12 Report.
- Policy: Create policies
- Security standards: Standards
- Process: Publish the process and adapt as needed
The current organizational structure of many OEMs means that security teams are often drawn from engineering research and design teams. They lack the necessary power to implement security-related policies and standards at the enterprise level. Security groups often lack adequate budget and support. Security teams should restrict the key activities they are performing to a single project and use the budget allocated for that project.
BSIMM observed that emerging engineering-led and governance-led approaches to software security management offer different perspectives that may not be compatible. While governance-led groups tend to focus on compliance and rules, emerging engineering-led efforts often focus on feature velocity, automation error avoidance, and software resilience.
While success does not require the same viewpoints, they must be able to work together to ensure the firm’s safety. This means that the teams need to work together on risk management issues in order to maximize their strengths and minimize their flaws. While many automotive OEMs create their cybersecurity systems using engineering projects, the security group must still understand the overall framework. It is vital that the security group receives sufficient support throughout the enterprise and not just for specific projects.
TARA is a method to assess risks
An entire chapter of ISO/SAE 21434 was dedicated to threat analysis, risk assessment (TARA) activities as well as related requirements. This is a reflection of the importance TARA activities within the automotive industry.
TARA is viewed by some as pre-work in developing product security requirements. Many automotive OEMs and suppliers still use TARA to implement it, often hiring security consultants and experts. It is important to ensure that TARA is implemented in accordance with ISO/SAE 2134. Security teams are familiar with the security protection mechanism (cybersecurity control), but it is difficult to communicate the cybersecurity requirements to engineers.
TARA activities are designed to optimize cybersecurity needs by identifying threats and assessing their risks. These activities also serve another important purpose: they help organizations determine the priority of cybersecurity testing and developing activities, based on the different risk levels. This will allow security teams to concentrate on high-risk threats. This is done by using Cybersecurity Assurance Layer (CAL), as per ISO/SAE 21434. TARA activities that are successful will help security personnel determine where to allocate the budget in order to increase security in critical areas.
BSIMM’s security framework emphasizes the use of attack models in intelligence domain. These attack models allow the security team to think of security issues as an attacker. They can gather threat modelling inputs and abuse cases. Data classification is also possible. Technology-specific attack patterns are also collected using these attack models. BSIMM12 provides 11 examples of attack modeling activities that can be used to assist security personnel in filling in any gaps.
Permeability testing can help you detect security problems
Prior to the introduction of security functions and the SSDL, penetration testing was the most common security activity used by automotive OEM security groups. Security teams could discover and expose product weaknesses through pen testing, which promoted the need to have security requirements. BSIMM12 found that 87% of participating companies used external penetration testing services in order to identify problems. Penetration tests show that organizations are vulnerable to security threats. It can also be used to bring in adversarial thinking and help avoid blind spots.
To conduct a successful penetration attack, the tester must identify system vulnerabilities and find effective ways to exploit them. Testing projects for penetration testing usually have a defined test timeline and provide targets and test environments to the testers in an “opaque box” fashion. Because it is difficult to find new vulnerabilities and expand the scope of the search within a given time frame, testers spend a lot of time finding them.
Security groups can make the opaque-box test a gray-box by giving penetration testers more technical information, either internal or external, to address this issue. To do more detailed analysis and uncover more interesting problems, the testers must be able use the source code, design documents and architecture analysis results. Penetration tests may include:
- TARA reports are required during the concept design phase. They include the identified threat scenarios, attack methods, as well as constructed attack trees. Penetration testers may be needed to verify the security measures being implemented and the acceptable residual risk.
- Security scanning and static analysis of the code to determine the relevancy of the penetration work.
- Testing interfaces that have been opened to allow testers to directly infiltrate the internals. This mimics the way real attackers would approach an interface and instead of landing directly on the target asset, opening it in this manner is very realistic. This can be used to check if the defense-in depth design was properly implemented.
The BSIMM12 report outlines three levels of penetration testing. Each level includes seven security activities. These can be used to assist security groups in improving the security of their products.
- External penetration testers are used to detect problems
- Send the results to the defect mitigation and management system
- Internally use penetration testing tools
- All information is available to penetration testers
- For application coverage, schedule periodic penetration tests
- Deep-dive analysis can be performed using external penetration testers
- You can customize penetration testing tools
Make an incident response plan
Security is not a 100% guarantee that a product or system will be secure. Therefore, the primary goals of security are to quickly respond to security incidents and manage risk effectively. The software security framework of BSIMM12 identifies configuration management and vulnerability management as key security practices and details 12 related security actions. To ensure that critical security information flows in both directions, 84% of BSIMM12 participants have a software security team that works closely with the incident response team. Software security teams must also open communication channels with software vendors and infrastructure. BSIMM also contains security activities that show how to respond to security incidents to improve security processes.
The path to success
The challenge in cybersecurity is the constant evolution of external threats. Even if an organization holds a compliance certificate it does not cover all of its security capabilities. To ensure that the enterprise’s security team is working efficiently, it needs to be continuously improved. Based on real-world observations, analysis and feedback, the annual BSIMM Report is a living document that evolves and changes. The BSIMM data changes in steps as security methods evolve and new threats emerge. The BSIMM report provides insight and analysis on new trends in software security. This can be a useful reference tool for corporate security teams. Participating companies in the BSIMM group exchange information and learn from one another. The online BSIMM report can be obtained . Contact Ecomservicessummit experts for more detailed analysis and interpretation. Also, learn how to schedule a detailed evaluation.