British Cybersecurity Standardization is poised to address future threats with PAS

The UK market for connected and autonomous vehicles is about to grow significantly to an estimated £52 Billion annually by 2035.

Ralph Diamond

Director Of Engineering

Published on February 10, 2019

The UK market for connected and autonomous vehicles is about to grow significantly to an estimated £52 Billion annually by 2035. As a means of maintaining awareness and sustaining cybersecurity across the lifetime of vehicles and related infrastructure, the British Standard Institution published PAS 1885:2018 named “The Fundamental Principles of Automotive Cyber Security Specification”.

A “PAS” is a Publicly Available Specification, this is a pre-standardization document that closely resembles a formal standard in structure and format but which has a different development model. The objective of a Publicly Available Specification is to speed up standardization. It should be understood that this is not a standard, but more of a recommendation, and will undoubtedly provide the basis of a new vehicle cyber-security standard.

This PAS was written by the BSI (British Standards Institution) in conjunction with a number of relevant Governmental agencies, academic institutions, independent automotive testing facilities and several vehicle manufacturers. The PAS is addressing vehicle manufacturers, Tier 1 & Tier 2 suppliers, service centers, aftermarket suppliers, automotive authorities and service providers in the automotive industry.

Without a doubt, the document is very well thought out and covers the Automotive cybersecurity field in much greater depth and breadth than any automotive cybersecurity standard that we have seen to date.

This PAS is intended to be read in conjunction with “Key Principles of Cyber Security for Connected and Automated Vehicles”, published by the UK Government in August 2017.

The PAS cites the principles: “1) organizational security is owned, governed and promoted at board level; 2) security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain; 3) organizations need product aftercare and incident response to ensure systems are secure over their lifetime; 4) all organizations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system; 5) systems are designed using a defense-in-depth approach; 6) the security of all software is managed throughout its lifetime; 7) the storage and transmission of data is secure and can be controlled; and 8) the system is designed to be resilient to attacks and respond appropriately when its defenses or sensors fail.” (PAS 1885:2018, page iii).

One of the outstanding points of the document that comes through very clearly is the heavy emphasis on the direct involvement and direct personal accountability of every member of the board of directors in every single aspect of automotive cybersecurity. The board level may delegate but is clearly to be held accountable at a personal level. In Addition, there are mandates of documentation which must be specifically performed and demonstrated as being understood by the board in nearly every single aspect of automotive cybersecurity concerning past, present & future vehicles, the supply chain, 3rd party contractors, intellectual property etc. According to this spirit, the board is specifically required to bring in (external) advisors, again part of the reasoning behind this is that the board will not be able to plead ignorance if things do go wrong. Once again all of this has to be documented as well as clearly written evidence of an understanding by the board and the resulting corrective actions as a result of the advisors’ comments.

In other words, they will not be able “to pass the buck” they will be held directly responsible, so they had better get it right & do it properly.

One of the more interesting aspects of the document is the treatment of risk-taking, realizing that every company has its own individual view and risk culture. Again, the use of advisors is required in the independent assessment of those risks.

Overall the document is an excellent guideline well though out & well laid out in helping the automotive manufacturer and all the companies in the supply chain help conform to this set of best practices in automotive cybersecurity. With its clear emphasis on everybody being responsible from the top to the bottom, we believe that it will form the basis for the future definitive standard in Automotive Cyber-Security.

On additional aspects of the PAS – in our next blog entry.