Cars, Hackers & Cyber Security

As vehicles become more connected, cyber security risks grow, making effective risk management a priority in the automotive sector. In this episode, we explore Threat Analysis and Risk Assessment (TARA) in automotive cyber security, and why automating this process is essential to keep pace with evolving threats and regulatory requirements. We’ll also examine the ISO/SAE 21434 and UNR 155 standards, which drive the need for consistent, high-quality risk assessments.

We focus on PlaxidityX’s Security AutoDesigner, an automated automotive TARA software that uses the STRIDE model to streamline the identification and mitigation of potential risks in automotive systems. Through this automation, PlaxidityX offers faster, more accurate threat analysis while reducing the risk of human error and maintaining compliance with global standards.

Tune in to discover why automation isn’t just a convenience—it’s becoming a necessity for automotive cyber security to protect against sophisticated cyber threats, maintain compliance, and ultimately ensure driver safety.

TIME-STAMPED SHOW NOTES:
  • (00:00) Introduction to Automotive Cyber Security Risk Management
  • (04:58) Why Use STRIDE?
  • (05:41) Why Automate TARA?
  • (06:32) Why Automate TARA Using STRIDE?
  • (07:04) PlaxidityX Threat Analysis and Risk Assessment Automation Tool
  • (08:19) Holistic View of PlaxidityX Products based on V-Model
  • (08:51) Outro on PlaxidityXs’ TARA automation tool
Contact us:
https://www.linkedin.com/company/plaxidityx/
https://www.youtube.com/@PlaxidityX
contact@plaxidityx.com

What is Cars, Hackers & Cyber Security?

As cars become smarter and more connected, the demand for top-tier automotive cyber security has never been higher. With expert insights from PlaxidityX, a leading automotive cyber security company, we’ll guide you through the challenges and solutions protecting millions of vehicles worldwide. Whether you’re an industry expert or just curious about how cars are secured in the digital age, this podcast comprehensively looks at how cyber defenses are developed, tested, and deployed.

We don’t just talk about the technology; we talk about what it means for you—the driver, the manufacturer, the tech enthusiast. We explore how automotive cyber security solutions are applied in real-world scenarios to safeguard everything from onboard infotainment systems to critical vehicle control units.

Tune in to gain a deeper understanding of how manufacturers are staying one step ahead of hackers and ensuring a more secure, connected world.

00:00:00:09 - 00:00:03:12

Welcome to cars, hackers and cybersecurity.

00:00:04:01 - 00:00:07:01

Here we break down the latest in automotive cybersecurity,

00:00:07:01 - 00:00:10:16

helping you stay ahead in building secure connected vehicles.

00:00:12:17 - 00:00:22:21

Hi. Today we'll explore how stride based Terra Automation streamlines automotive cybersecurity, offering a more consistent and efficient way to manage risks.

00:00:23:23 - 00:00:48:05

Every living creature on Earth naturally practices risk management and various life situations to intelligently make decisions affecting it. In our human world, risk management is embedded in different industries. For instance, in the food industry, we aim to prevent food borne diseases. In finance, investors aim to make decisions in the face of uncertainty. In the health industry, we prioritize patient safety.

00:00:48:07 - 00:01:13:16

And in construction, it's important to protect the environment. Each industry follows its own regulations and processes for managing risk. It's crystal clear the automotive industry must consider the risks of operating a vehicle on the road. In this industry, there are a variety of risk management processes, including safety, risk management, supply chain risk management, quality risk management, and operational risk management.

00:01:13:18 - 00:01:42:09

In recent years, a new type of risk management is emerging. Cybersecurity risk management. In response to growing concerns about automotive cybersecurity, regulatory bodies and industry groups began developing standards and guidelines. The ISO S80 21 434 international Standard, titled Road Vehicles Cybersecurity Engineering, was released in 2021 and provides a framework for ensuring cybersecurity throughout the lifecycle of a vehicle.

00:01:42:11 - 00:01:44:24

Additionally, there is U.N. regulation number

00:01:45:22 - 00:01:53:21

155 on cybersecurity and cybersecurity management systems, which entered into force on January 22nd,

00:01:53:21 - 00:02:16:04

This regulation was developed by the United Nations Economic Commission for Europe, or Unesco, as part of its World Forum for Harmonization of Vehicle Regulations 1.29 under 155 aims to ensure that automotive manufacturers implement effective cybersecurity measures throughout the vehicle lifecycle.
00:02:16:06 - 00:02:32:03

The regulation requires manufacturers to establish a cybersecurity management system or automotive CMS, and to assess and mitigate cybersecurity risks to protect vehicles from cyber threats. The EU and additional countries in Asia, such as Japan and South Korea

00:02:32:03 - 00:02:42:04

have adopted this regulation. It means every new type of vehicle in these regions needs to be compliant with UNR. 155. Starting from July 2024.

00:02:42:06 - 00:02:59:14

All new vehicles being produced must comply with it. It's important to understand two key concepts threat and risk. A threat is a potential violation of something valuable. While a risk is a threat with likelihood and probability. Threat analysis and risk assessment,

00:02:59:14 - 00:03:01:00

Also known as Tara.

00:03:01:00 - 00:03:08:08

is the process of identifying threats that could potentially manifest in real risks and making decisions about those risks.

00:03:08:10 - 00:03:38:03

Risk can be accepted reduced by implementing mitigations avoided by addressing the root cause, or transferred to another party to whom the risk belongs. The global Nist's Cybersecurity Framework, published by the U.S. National Institute of Standards and Technology, provides common language and best practices for managing cybersecurity risks in an organization in five zones. Identify, protect, detect, respond, and recover back to automotive cybersecurity.

00:03:38:03 - 00:03:41:18

Risk management. The performance of threat analysis and risk assessment

00:03:41:18 - 00:03:42:09

Tara.

00:03:42:09 - 00:03:46:09

is referenced in various requirements within the Cybersecurity Regulation

00:03:46:09 - 00:03:50:12

Une c 29 UNR 155

00:03:50:17 - 00:03:53:11

The implementation framework for TAA is outlined in the

00:03:53:11 - 00:03:58:04

ISO 21 434 colon 2021

00:03:58:04 - 00:04:03:06

standard. However, these documents do not prescribe a specific method for threat analysis,

00:04:03:06 - 00:04:06:04

Providing flexibility for organizations conducting. Tara.

00:04:06:04 - 00:04:10:03

to choose a methodology based on their skills and capabilities.

00:04:10:03 - 00:04:11:14

ISO. SAP

00:04:11:14 - 00:04:13:16

21 434 colon

00:04:13:16 - 00:04:28:18

2021 standard does mention different threat modeling approaches, including Evita, Pasta, and stride as examples for methods that can be used. Organizations which intersect with automotive cybersecurity concerns may choose to follow both

00:04:28:18 - 00:04:29:05

ISO.

00:04:29:05 - 00:04:47:01

MCE 21 for 34 standard and Neste cybersecurity framework at Plex Cityty ECS are threat analysis best practices based on a threat model called Stride, which was first developed by Microsoft engineers and is utilized for threat modeling and cybersecurity.

00:04:47:03 - 00:04:58:22

It categorizes threats into six categories spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

00:04:58:22 - 00:05:22:06

Why use stride? If we gather several cyber security architects in one room and ask them to analyze threats to a target system, there is a high probability that each of them will analyze different threats, and some may even miss certain threats. As an organization, we aim to establish a common ground for our threat analysis process and ensure it provides comprehensive and accurate coverage.

00:05:22:08 - 00:05:41:14

Using stride addresses these needs by offering completeness and predictability, which is why it is widely adopted in the field. Likewise, Stride is a good fit for organizations of all sizes, either small ones with limited budget and resources. It's a simple framework, and it's easy to train experts to implement it.

00:05:41:19 - 00:05:43:02

Why automate Tara?

00:05:43:07 - 00:05:44:12

On one hand,

00:05:44:12 - 00:05:48:24

Tara is a cyber security process that may sometimes need human judgment.

00:05:48:24 - 00:05:58:20

or creativity that cannot be replicated by machines, especially when it comes to risk treatment decisions and recommendation for implementations of security controls.

00:05:58:22 - 00:06:24:05

Besides, let's not forget the ongoing maintenance tasks of automated systems. On the other hand, in the automotive industry, Tara tends to change periodically during the product development lifecycle based on triggers such as change requests or discovery of new cybersecurity vulnerabilities or incidents. Therefore, we would like to leverage expertise and have a systematic way of performing Tara by automating the whole process.

00:06:24:07 - 00:06:29:05

In particular, if you are a very experienced company with a lot of knowledge in this process,

00:06:29:05 - 00:06:31:18

The automation can yield high quality results.

00:06:33:01 - 00:06:34:24

Why automate Tara using stride?

00:06:36:12 - 00:06:53:00

As mentioned above, using an automated process combined with a simple threat modeling approach like stride is a safe way of achieving quality results in valuable time. It also provides consistency and accuracy by reducing human errors or poor quality identified threats.

00:06:53:02 - 00:07:03:16

Additionally, the results of such a tool are very clear. Making the process of handling the risks and considering security requirements for development and countermeasures easier.

00:07:04:11 - 00:07:08:13

Placidity threat analysis and risk assessment automation tool.

00:07:09:15 - 00:07:16:15

The Plaxidity Tara Automation Tool, a product called Security Auto Designer, part of Plaxidity DevSecOps platform,

00:07:16:15 - 00:07:18:00

provides a security solution from scratch based on the stride threat modeling for vehicle architectures, systems, and components. This solution is compliant

00:07:28:14 - 00:07:32:08

With ISO USA 21 434:2021. The tool is designed to facilitate easy modifications based on various triggers, and can be adjusted to accommodate specific organizational skills.

00:07:42:20 - 00:07:47:14

Furthermore, Security Auto Designer is designed to consider annex five of

00:07:47:14 - 00:07:49:16

UNECE 29.

00:07:49:16 - 00:08:03:12

R155 Threat Catalog in the threat analysis process. The tool is using AI capabilities to automatically generate and consolidate all the analysis data into one report.

00:08:03:12 - 00:08:05:10

This data comes from Plaxidity’s

00:08:05:10 - 00:08:09:21

Threat Catalog database, which was built by Plaxidity experts.

00:08:10:03 - 00:08:16:16

It is based on extensive experience over many years in delivering TARA projects to OEMs and tier-one.

00:08:16:18 - 00:08:18:00

Tier two suppliers.

00:08:19:17 - 00:08:23:00

Holistic view of Plaxidity products based on the V model.

00:08:23:18 - 00:08:32:00

To conclude, in various industries like automotive risk management, especially in cybersecurity, is crucial. Emerging standards like

00:08:32:00 - 00:08:37:02

ISO SAE 21434 and UNR 155

00:08:37:02 - 00:08:52:06

are shaping the approach. While methodologies like Stride offer a systematic way, as exemplified by Plaxidity's TARA automation tool, ensuring comprehensive threat analysis and risk assessment for vehicle cybersecurity.

00:08:53:07 - 00:08:59:05

That's all for today's episode. Keep your engines running smooth and your cyber defenses sharp.

00:08:59:05 - 00:09:03:18

Stay connected by subscribing and visiting Plaxidity.com.

00:09:03:18 - 00:09:07:18

Until next time, stay safe on the road and in the cloud.