
Automotive Cybersecurity

55 questions on ISO/SAE 21434, TARA, SecOC, HSM, secure boot, penetration testing, and vehicle security architecture.

1
What is ISO/SAE 21434 and what does it cover?
Answer
ISO/SAE 21434 is the international standard for automotive cybersecurity engineering. It defines the cybersecurity lifecycle from concept through decommissioning, covering: organizational cybersecurity management, project-level cybersecurity activities, risk assessment (TARA), product development (system, hardware, software), production, operations, and incident response. It was published in 2021 and is required by UN R155 regulation.
2
What is UN R155 and how does it relate to ISO 21434?
Answer
UN R155 is the United Nations regulation requiring OEMs to implement a Cybersecurity Management System (CSMS) for vehicle type approval. It mandates that manufacturers demonstrate cybersecurity processes throughout the vehicle lifecycle. ISO/SAE 21434 provides the technical framework to achieve UN R155 compliance. Since July 2024, all new vehicles sold in UNECE member countries must comply with UN R155.
3
What is TARA (Threat Analysis and Risk Assessment)?
Answer
TARA is the cybersecurity risk assessment method defined in ISO 21434. Steps: 1) Asset identification - identify valuable items (data, functions, ECUs). 2) Threat scenario identification - what could go wrong. 3) Impact assessment - severity of successful attack (safety, financial, operational, privacy). 4) Attack path analysis - how an attacker could exploit vulnerabilities. 5) Attack feasibility rating. 6) Risk determination. 7) Risk treatment decision.
4
How does TARA differ from HARA in functional safety?
Answer
HARA (ISO 26262) assesses risks from random hardware failures and systematic faults - unintentional. TARA (ISO 21434) assesses risks from intentional malicious attacks. HARA uses Severity/Exposure/Controllability to determine ASIL. TARA uses Impact Rating and Attack Feasibility to determine CAL (Cybersecurity Assurance Level). Both feed into the system design but address fundamentally different threat models.
5
What is CAL (Cybersecurity Assurance Level)?
Answer
CAL defines the rigor of the cybersecurity activities required, similar to ASIL in functional safety, ranging from CAL 1 (lowest) to CAL 4 (highest). A higher CAL demands greater depth of threat analysis, a broader security testing scope, stronger verification methods, and more documentation. CAL is determined by the risk value from TARA and influences the choice of security mechanisms, testing thoroughness, and review independence requirements.
6
What is SecOC (Secure Onboard Communication)?
Answer
SecOC is the AUTOSAR module that provides authentication for I-PDUs. It adds a truncated MAC (Message Authentication Code) and freshness value to each message. On reception, the MAC is verified to ensure the message is authentic and hasn't been tampered with. SecOC protects against: spoofing, replay attacks, and message manipulation. It uses symmetric keys (CMAC-AES128 typically) and is configured per PDU.
7
How does SecOC freshness management work?
Answer
Freshness values prevent replay attacks by ensuring each authenticated message is unique. Approaches: counter-based (monotonic counter incremented per message), timestamp-based (synchronized time), or trip counter + message counter. Only a truncated freshness value is transmitted (to save bus bandwidth); the receiver reconstructs the full value. Freshness synchronization after power-on requires a sync protocol between ECUs.
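The two answers above (SecOC MAC plus truncated freshness, and receiver-side reconstruction of the full counter) are shown end to end in the following added example. It is not AUTOSAR code and not from the original page: HMAC-SHA256 stands in for CMAC-AES128 because the Python standard library has no CMAC, and the key, Data ID, truncation widths and acceptance window are constructed values.

```python
import hashlib
import hmac

# Constructed demo key. On a real ECU the SecOC key never leaves the HSM.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DATA_ID = 0x0123            # SecOC Data ID of the protected PDU (constructed value)
TRUNC_FRESHNESS_BITS = 8    # low bits of the 64-bit counter sent on the bus (assumption)
TRUNC_MAC_BYTES = 3         # 24-bit truncated MAC appended to the payload (assumption)
ACCEPT_WINDOW = 16          # max counter jump tolerated for lost frames (assumption)


def full_mac(data_id: int, payload: bytes, freshness: int) -> bytes:
    """MAC over DataID || payload || full 64-bit freshness value.
    HMAC-SHA256 stands in for CMAC-AES128, which the standard library lacks."""
    msg = data_id.to_bytes(2, "big") + payload + freshness.to_bytes(8, "big")
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def build_secured_pdu(payload: bytes, freshness: int) -> bytes:
    """Sender side: secured PDU = payload || truncated freshness || truncated MAC."""
    trunc_fv = freshness & ((1 << TRUNC_FRESHNESS_BITS) - 1)
    mac = full_mac(DATA_ID, payload, freshness)[:TRUNC_MAC_BYTES]
    return payload + bytes([trunc_fv]) + mac


class Receiver:
    def __init__(self) -> None:
        self.last_freshness = 0  # last accepted full counter value

    def reconstruct_freshness(self, trunc_fv: int) -> int:
        """Combine the receiver's own high bits with the transmitted low bits."""
        mask = (1 << TRUNC_FRESHNESS_BITS) - 1
        candidate = (self.last_freshness & ~mask) | trunc_fv
        if candidate <= self.last_freshness:
            candidate += 1 << TRUNC_FRESHNESS_BITS  # the low bits wrapped around
        return candidate

    def verify(self, secured_pdu: bytes):
        """Returns (True, payload) or (False, reason). The counter advances only on success."""
        trailer = 1 + TRUNC_MAC_BYTES
        payload = secured_pdu[:-trailer]
        trunc_fv = secured_pdu[-trailer]
        rx_mac = secured_pdu[-TRUNC_MAC_BYTES:]
        candidate = self.reconstruct_freshness(trunc_fv)
        if candidate - self.last_freshness > ACCEPT_WINDOW:
            # A replayed frame reconstructs to one wrap ahead and lands here;
            # a genuine gap this large needs the freshness sync protocol.
            return False, "freshness out of window"
        expected = full_mac(DATA_ID, payload, candidate)[:TRUNC_MAC_BYTES]
        if not hmac.compare_digest(expected, rx_mac):
            return False, "mac mismatch"
        self.last_freshness = candidate
        return True, payload
```

Replaying an accepted PDU fails the window check (its low bits are not newer than the stored counter, so reconstruction jumps a whole wrap ahead), and flipping any payload bit fails the MAC check; in both cases the receiver's counter stays where it was.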
8
What is an HSM (Hardware Security Module)?
Answer
An HSM is a dedicated security co-processor embedded in automotive MCUs that provides: secure key storage (keys never leave the HSM), cryptographic acceleration (AES, RSA, ECC, SHA), secure boot verification, random number generation (TRNG), and tamper resistance. Examples: Infineon AURIX HSM, NXP CSE/HSE, Renesas ICU. The HSM isolates security operations from the main application core.
9
How does secure boot work in automotive ECUs?
Answer
Secure boot verifies firmware integrity and authenticity before execution. Process: 1) Hardware root-of-trust (ROM bootloader) verifies the next boot stage using a public key stored in OTP fuses. 2) Each stage verifies the next using digital signatures (RSA-2048 or ECDSA). 3) Chain of trust extends from bootloader → BSW → application. If any verification fails, the ECU enters a safe state or recovery mode. Prevents execution of tampered firmware.
10
What is the difference between secure boot and measured boot?
Answer
Secure boot halts execution if verification fails - it enforces integrity. Measured boot records hash measurements of each boot stage into a secure log (like a TPM PCR) but allows execution to continue. The measurements can be remotely attested later. Automotive typically uses secure boot for safety-critical ECUs (immediate enforcement) and measured boot for logging/auditing on high-performance computing platforms.
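The contrast drawn in the two answers above (a secure boot chain that halts on the first failed stage versus a measured boot that records every stage for later attestation) is illustrated by the following added example. It is not firmware from any vendor and not from the original page: the stage images are constructed byte strings, and the signature check that a real ROM bootloader performs against a public key in OTP fuses is assumed to have already authenticated the manifest of trusted digests, so the chain logic runs with the standard library alone.

```python
import hashlib
import hmac

# Constructed stage images standing in for real flash contents.
GOOD_STAGES = [
    ("bootloader", b"constructed bootloader image v1"),
    ("bsw", b"constructed basic software image v3"),
    ("application", b"constructed application image v7"),
]
PCR_INIT = bytes(32)  # measurement register starts as 32 zero bytes


def digest(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


# Trusted reference digests. A real ROM bootloader would first verify an RSA/ECDSA
# signature over this manifest with the public key from OTP fuses; that step is
# assumed already done here (assumption) so only the chain logic is shown.
TRUSTED_MANIFEST = {name: digest(img) for name, img in GOOD_STAGES}


def secure_boot(stages, manifest):
    """Enforcing chain: returns (stages that ran, stage that failed or None)."""
    ran = []
    for name, image in stages:
        if not hmac.compare_digest(digest(image), manifest.get(name, b"")):
            return ran, name  # halt here: safe state / recovery mode
        ran.append(name)
    return ran, None


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(stages):
    """Non-enforcing: every stage runs; returns (final PCR value, measurement log)."""
    pcr, log = PCR_INIT, []
    for name, image in stages:
        m = digest(image)
        log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, log


def attest(pcr: bytes, log, manifest) -> bool:
    """Remote verifier: replay the log against trusted digests and recompute the PCR."""
    expected = PCR_INIT
    for name, m_hex in log:
        m = bytes.fromhex(m_hex)
        if not hmac.compare_digest(manifest.get(name, b""), m):
            return False
        expected = extend(expected, m)
    return hmac.compare_digest(expected, pcr)
```

With a tampered application image, secure_boot stops after the BSW stage, whereas measured_boot runs all three stages and attestation fails afterwards; substituting a clean-looking log does not help, because the recomputed PCR no longer matches the one the platform produced.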
11
What are the common attack vectors for automotive systems?
Answer
External: OBD-II port (direct physical access), cellular/V2X interfaces, Wi-Fi/Bluetooth, USB/SD card, GNSS spoofing, RF key fob relay. Internal: CAN bus injection (no authentication by default), Ethernet MITM, debug port access (JTAG/SWD), firmware extraction from flash. Supply chain: compromised components, malicious firmware updates. Social engineering: phishing for fleet management credentials.
12
How do you protect CAN bus communication from attacks?
Answer
Native CAN has no security. Protection methods: SecOC - add MAC authentication to CAN frames. CAN-FD - extra payload space accommodates MAC + freshness. Gateway filtering - restrict which messages pass between domains. Intrusion Detection System (IDS) - monitor for anomalous traffic patterns. Network segmentation - isolate critical domains (powertrain, chassis) from infotainment. Rate limiting - detect flooding attacks.
13
What is a vehicle IDS (Intrusion Detection System)?
Answer
A vehicle IDS monitors in-vehicle network traffic for anomalies indicating cyberattacks. Detection methods: rule-based (known attack signatures), anomaly-based (deviations from normal behavior - timing, frequency, payload patterns), and specification-based (violations of protocol rules). The IDS can be: network-based (monitors CAN/Ethernet traffic), host-based (monitors ECU behavior), or hybrid. Alerts are logged and can trigger defensive actions.
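The specification-based and timing-based detection methods named above, run over a short CAN trace, as an added example that is not from the original page or any IDS product. The whitelist of IDs, cycle times and DLCs, the tolerance factor, and the trace lines are all constructed for the demonstration.

```python
# Constructed whitelist for one bus: CAN ID -> (cycle time in ms, expected DLC).
SPEC = {
    0x100: (10, 8),
    0x2A0: (20, 4),
    0x3F0: (100, 8),
}
TOLERANCE = 0.5   # a frame arriving before 50% of its cycle time is suspicious (assumption)

# Constructed trace: "<timestamp_ms> <id_hex> <dlc> <payload_hex>". The frames at
# 21-23 ms are a burst on 0x100, 0x555 is not in the whitelist, and the last 0x2A0
# frame carries the wrong DLC.
TRACE = """\
0 100 8 0000000000000000
10 100 8 0000000000000001
20 100 8 0000000000000002
20 2A0 4 00000000
21 100 8 DEADBEEF00000000
22 100 8 DEADBEEF00000001
23 100 8 DEADBEEF00000002
30 100 8 0000000000000003
40 100 8 0000000000000004
40 2A0 4 00000000
45 555 8 0102030405060708
60 2A0 2 0000
"""


def parse(trace: str):
    """Turn trace lines into (timestamp_ms, can_id, dlc, payload) tuples."""
    frames = []
    for line in trace.splitlines():
        ts, cid, dlc, payload = line.split()
        frames.append((int(ts), int(cid, 16), int(dlc), bytes.fromhex(payload)))
    return frames


def detect(frames, spec=SPEC, tolerance=TOLERANCE):
    """Specification-based (ID, DLC) plus timing-based (cycle time) checks.
    Returns a list of (timestamp_ms, can_id, reason) alerts."""
    alerts = []
    last_seen = {}
    for ts, cid, dlc, payload in frames:
        if cid not in spec:
            alerts.append((ts, cid, "unknown id"))
            continue
        period, expected_dlc = spec[cid]
        if dlc != expected_dlc or len(payload) != dlc:
            alerts.append((ts, cid, "dlc violation"))
        if cid in last_seen and ts - last_seen[cid] < period * (1 - tolerance):
            alerts.append((ts, cid, "timing anomaly"))
        last_seen[cid] = ts  # every frame, suspicious or not, becomes the new reference
    return alerts
```

Taking every frame as the new timing reference keeps the logic short, but it means a burst shifts the reference so that the next genuine frame may look early or late; a production IDS tracks the expected schedule of each ID separately from the observed one, and adds payload-range and counter checks on top of these two.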
14
What is the role of a Vehicle Security Operations Center (VSOC)?
Answer
A VSOC monitors the fleet for cybersecurity incidents in real-time. It receives: IDS alerts from vehicles, backend system alerts, threat intelligence feeds, and vulnerability reports. Functions: incident detection and triage, forensic analysis, coordinated response (OTA patches, fleet-wide mitigations), regulatory reporting (UN R155 incident management), and continuous monitoring. Required by ISO 21434 for post-production cybersecurity.
15
How does TLS/DTLS protect Ethernet communication in vehicles?
Answer
TLS (TCP) and DTLS (UDP) provide encrypted, authenticated communication channels over Ethernet. They establish secure sessions using certificate-based mutual authentication, negotiate encryption algorithms, and protect data in transit. Used for: DoIP diagnostic communication, OTA update delivery, V2X backend communication, and inter-ECU communication on Ethernet. Certificate management and PKI infrastructure are critical challenges.
16
What is a PKI (Public Key Infrastructure) for vehicles?
Answer
Vehicle PKI manages digital certificates for authentication. Components: Root CA (trusted authority), Intermediate CA, and end-entity certificates per ECU/component. Certificates verify: ECU identity during secure boot, OTA update package authenticity, V2X message source, and diagnostic tool authorization. Challenges: certificate lifecycle management across millions of vehicles, revocation handling, and key provisioning during manufacturing.
17
How does key management work in automotive?
Answer
Key management covers the entire lifecycle: generation (using HSM TRNG), provisioning (injecting keys during manufacturing), storage (in HSM secure memory), distribution (secure key exchange protocols), rotation (periodic key updates via OTA), and revocation. Symmetric keys (AES) for SecOC, asymmetric keys (RSA/ECC) for secure boot and TLS. Master keys derive per-ECU keys. Key hierarchy prevents single-key compromise from affecting the entire fleet.
18
What cryptographic algorithms are commonly used in automotive?
Answer
Symmetric encryption: AES-128/256 (block cipher for data encryption and CMAC). Hash functions: SHA-256/384 (integrity verification). Asymmetric: RSA-2048/4096 (legacy secure boot), ECDSA P-256/P-384 (modern digital signatures - smaller keys, faster). Key derivation: HKDF, PBKDF2. Random numbers: TRNG from HSM. NIST and BSI guidelines define minimum strengths. Post-quantum candidates are being evaluated for future vehicles.
19
What is secure OTA update and how does it work?
Answer
Secure OTA process: 1) Backend signs update package with private key. 2) Package is encrypted for transport confidentiality. 3) Vehicle downloads and verifies the signature using the OEM's public key. 4) Decrypts the package. 5) Verifies version (anti-rollback) and compatibility. 6) UCM installs the update. 7) Secure boot verifies the new firmware on next boot. 8) Rollback capability if verification fails.
20
What is a cybersecurity concept in ISO 21434?
Answer
The cybersecurity concept defines how cybersecurity goals are achieved at the system level. It includes: security requirements (derived from TARA risk treatment), security architecture (zones, conduits, trust boundaries), security mechanisms (encryption, authentication, access control), and security testing strategy. Similar to the safety concept in ISO 26262, it bridges risk assessment and technical implementation.
21
How do security zones and conduits work in vehicle architecture?
Answer
Security zones group components with similar trust levels and security requirements. Conduits are communication paths between zones with defined security properties. Example zones: External (untrusted), Gateway (semi-trusted), Powertrain (high trust), ADAS (high trust). Conduits between zones have: firewalls, authentication requirements, and traffic filtering. This segmentation limits attack propagation - compromising infotainment shouldn't reach braking.
22
What is ECU hardening?
Answer
ECU hardening reduces the attack surface of an ECU: disable unused debug interfaces (JTAG/SWD) in production, enable the secure boot chain, configure the MPU/MMU for memory protection, close unused network ports, disable unused services, implement stack canaries, enable ASLR (on Linux-based ECUs), remove development tools and test features, and apply the principle of least privilege. Hardening checklists are part of the cybersecurity plan.
23
How does AUTOSAR handle cybersecurity?
Answer
AUTOSAR provides several security modules: SecOC (communication authentication), CSM (Crypto Service Manager - abstraction for crypto operations), CryIf (Crypto Interface), Cry drivers (HSM interface), KeyM (Key Manager - certificate and key lifecycle), IdsM (Intrusion Detection System Manager - collects and reports security events). These modules integrate with the existing BSW architecture and leverage the HSM hardware.
24
What is the CSM (Crypto Service Manager) in AUTOSAR?
Answer
CSM provides a standardized API for cryptographic operations to BSW and application modules. It abstracts the underlying crypto implementation (software library or HSM). Services: encryption/decryption, MAC generation/verification, hashing, signature generation/verification, random number generation, and key management. CSM routes requests via CryIf to the appropriate crypto driver. This allows swapping crypto backends without changing application code.
25
What is penetration testing for automotive systems?
Answer
Automotive penetration testing simulates real attacks against vehicle systems. Scope: physical attacks (CAN injection, debug port access), wireless attacks (BLE, Wi-Fi, cellular), software attacks (firmware analysis, fuzzing), and backend attacks (API exploitation). Methods follow standards like OWASP and PTES adapted for automotive. Testing is required by ISO 21434 for risk validation. Results feed back into TARA and security requirement updates.
26
What is fuzzing in the context of automotive security?
Answer
Fuzzing sends malformed or random inputs to an interface to discover vulnerabilities. In automotive: CAN frame fuzzing (random IDs, DLCs, payloads), UDS service fuzzing (invalid parameters, out-of-sequence requests), Ethernet protocol fuzzing (malformed SOME/IP, DoIP packets), and file format fuzzing (update packages, configuration files). Tools: CANalyzerfuzz, Defensics, boofuzz. Fuzzing often reveals buffer overflows, null pointer dereferences, and state machine violations.
27
How do you handle vulnerability management for vehicles in the field?
Answer
Vulnerability management process: 1) Monitor - track CVEs, security advisories, and threat intelligence for all vehicle components. 2) Assess - evaluate applicability and risk for the vehicle fleet. 3) Prioritize - based on exploitability, impact, and attack surface exposure. 4) Remediate - develop and test patches, deploy via OTA. 5) Verify - confirm fix effectiveness. 6) Report - notify regulators per UN R155. Continuous process throughout vehicle lifetime (10-15+ years).
28
What is the difference between cybersecurity and functional safety?
Answer
Functional safety (ISO 26262) addresses unintentional failures - random hardware faults and systematic design errors. Cybersecurity (ISO 21434) addresses intentional attacks by malicious actors. Key differences: safety has probabilistic failure models, security faces adaptive adversaries; safety requirements are stable, security threats evolve; safety uses ASIL, security uses CAL. Both must be addressed jointly since a security breach can cause a safety violation.
29
How do safety and security interact in automotive systems?
Answer
Security can impact safety: a CAN injection attack could send false brake signals (security breach → safety hazard). Safety can impact security: a safety mechanism that resets an ECU could be exploited as a denial-of-service. Joint analysis: TARA should consider safety impacts in its impact rating. HARA should consider security threats as potential fault causes. Shared mechanisms: E2E protection serves both safety (data integrity) and security (tampering detection).
30
What is the UNECE WP.29 framework for vehicle cybersecurity?
Answer
WP.29 is the UN working party that established the regulatory framework: UN R155 requires a Cybersecurity Management System (CSMS) for type approval. UN R156 requires a Software Update Management System (SUMS). Together they mandate that OEMs demonstrate: systematic cybersecurity processes, risk assessment, incident response capabilities, and secure update mechanisms. Compliance is verified by technical services during type approval.
31
What are common security mechanisms at the ECU level?
Answer
Access control: secure debug authentication, diagnostic security access (UDS 0x27). Integrity: secure boot, runtime integrity monitoring, CRC checks. Authentication: SecOC for CAN/Ethernet, TLS for IP communication. Confidentiality: encrypted communication channels, encrypted storage. Availability: watchdog, IDS, rate limiting. Audit: security event logging, DTC reporting for security events. Hardware: HSM, OTP fuses, tamper detection.
32
What is the role of the gateway ECU in vehicle security?
Answer
The gateway ECU is the security-critical junction between vehicle network domains. Functions: deep packet inspection (filtering unauthorized messages), domain isolation (preventing cross-domain attack propagation), protocol translation with security enforcement, IDS (monitoring all inter-domain traffic), firewall rules (whitelist allowed communication), and rate limiting (preventing flooding). A compromised gateway can expose the entire vehicle.
33
How is cybersecurity testing integrated into the V-model?
Answer
Left side (design): TARA during concept, security requirements specification, threat modeling during architecture, secure coding guidelines. Right side (testing): code-level security analysis (SAST/DAST), fuzz testing at component level, penetration testing at integration/system level, vulnerability scanning, and security validation against cybersecurity goals. Security testing is iterative - findings loop back to update TARA and requirements.
34
What is secure diagnostics and how is it implemented?
Answer
Secure diagnostics protects diagnostic services from unauthorized access. Mechanisms: UDS Security Access (0x27) with seed-key challenge-response, certificate-based authentication for diagnostic tools, session-based access control (different privileges per session), audit logging of all diagnostic operations, and secure diagnostic communication (DoIP over TLS). ISO 14229 defines security sub-functions; ISO 21434 adds requirements for key management and tool authentication.
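The server side of the UDS Security Access (0x27) seed-key exchange described above, as an added example that is not from the original page or from any ECU supplier. It shows the properties a defensible implementation needs: an unpredictable single-use seed, a keyed derivation so that a captured seed gives away nothing without the ECU secret, a constant-time comparison, a sequence check, and an attempt counter with a time delay. The ECU secret, seed and key lengths, attempt limit and lockout time are constructed values; the service, sub-function and negative response codes are the ISO 14229 ones.

```python
import hashlib
import hmac
import os
import time

# Constructed per-ECU secret; in production it lives in the HSM and derive_key runs there.
ECU_SECRET = bytes.fromhex("6f3c1a9e5b2d4c8f7a1e0d9c3b5a7f2e")
SEED_LEN = 16          # 128-bit seed from the TRNG (assumption)
KEY_LEN = 4            # key bytes the tester must return (assumption)
MAX_ATTEMPTS = 3       # failed keys before lockout (assumption)
LOCKOUT_S = 10.0       # delay enforced after too many failures (assumption)

SID_SECURITY_ACCESS = 0x27
SUB_REQUEST_SEED, SUB_SEND_KEY = 0x01, 0x02
# ISO 14229 negative response codes used below
NRC_SUB_FUNCTION_NOT_SUPPORTED = 0x12
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_INVALID_KEY = 0x35
NRC_EXCEEDED_NUMBER_OF_ATTEMPTS = 0x36
NRC_REQUIRED_TIME_DELAY_NOT_EXPIRED = 0x37


def negative(nrc: int) -> bytes:
    return bytes([0x7F, SID_SECURITY_ACCESS, nrc])


def derive_key(seed: bytes) -> bytes:
    """Keyed derivation: the key cannot be computed from the seed without ECU_SECRET."""
    return hmac.new(ECU_SECRET, seed, hashlib.sha256).digest()[:KEY_LEN]


class SecurityAccessServer:
    def __init__(self, now=time.monotonic) -> None:
        self.now = now              # injectable clock so the lockout can be tested
        self.pending_seed = None
        self.unlocked = False
        self.failed = 0
        self.locked_until = 0.0

    def handle(self, request: bytes) -> bytes:
        """request = [0x27, sub-function, data...]; returns the UDS response bytes."""
        sub = request[1]
        if self.locked_until:
            if self.now() < self.locked_until:
                return negative(NRC_REQUIRED_TIME_DELAY_NOT_EXPIRED)
            self.locked_until, self.failed = 0.0, 0   # lockout expired
        if sub == SUB_REQUEST_SEED:
            if self.unlocked:
                return bytes([0x67, sub]) + bytes(SEED_LEN)  # all-zero seed: already unlocked
            self.pending_seed = os.urandom(SEED_LEN)          # fresh, unpredictable seed
            return bytes([0x67, sub]) + self.pending_seed
        if sub == SUB_SEND_KEY:
            if self.pending_seed is None:
                return negative(NRC_REQUEST_SEQUENCE_ERROR)   # sendKey without requestSeed
            expected = derive_key(self.pending_seed)
            self.pending_seed = None                          # a seed is single use
            if hmac.compare_digest(expected, request[2:]):
                self.unlocked, self.failed = True, 0
                return bytes([0x67, sub])
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:
                self.locked_until = self.now() + LOCKOUT_S
                return negative(NRC_EXCEEDED_NUMBER_OF_ATTEMPTS)
            return negative(NRC_INVALID_KEY)
        return negative(NRC_SUB_FUNCTION_NOT_SUPPORTED)
```

Clearing pending_seed after every sendKey forces a new requestSeed per attempt, and the lockout timer makes repeated guessing slow; in a real ECU the unlocked state is also tied to the diagnostic session and dropped when the session times out.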
35
What are V2X security requirements?
Answer
V2X (Vehicle-to-Everything) communication requires: message authentication (ECDSA signatures on every V2X message), pseudonym certificates (rotating identities for privacy), misbehavior detection (identify vehicles sending false data), certificate management (SCMS - Security Credential Management System), and revocation (blacklist compromised certificates). IEEE 1609.2 and ETSI TS 103 097 define the security protocols. Latency constraints (< 100ms) limit crypto choices.
36
What is a cybersecurity incident response plan for vehicles?
Answer
The incident response plan covers: 1) Preparation - tools, team, communication channels. 2) Detection - IDS alerts, VSOC monitoring, customer reports. 3) Analysis - determine scope, impact, affected vehicles. 4) Containment - isolate affected systems, disable compromised features via OTA. 5) Eradication - develop and deploy patches. 6) Recovery - restore normal operation. 7) Lessons learned - update TARA, improve defenses. Required by UN R155 and ISO 21434.
37
How do you secure the OBD-II port?
Answer
OBD-II is a mandated open interface, making it a significant attack vector. Protections: gateway filtering (limit which ECU responses pass through OBD-II), authenticated access for sensitive services (UDS security access), rate limiting on diagnostic requests, monitoring OBD-II traffic via IDS, disabling non-mandated services in standard OBD mode, and physical security dongle solutions. Complete lockdown is impossible due to regulatory requirements for emission diagnostics.
38
What is runtime integrity verification?
Answer
Runtime integrity verification continuously checks that ECU software hasn't been tampered with during operation. Methods: periodic flash checksum verification (compare against known-good hash), RAM integrity monitoring (detect code injection), control flow integrity (verify execution follows valid paths), stack canaries (detect stack smashing), and watchdog-monitored verification tasks. Complements secure boot which only checks at startup.
39
What is the STRIDE threat model applied to automotive?
Answer
STRIDE categorizes threats: Spoofing - impersonating a legitimate ECU on CAN bus. Tampering - modifying CAN messages in transit. Repudiation - denying actions (limited in automotive). Information Disclosure - extracting firmware/keys from ECU. Denial of Service - flooding CAN bus to prevent legitimate communication. Elevation of Privilege - gaining diagnostic access without authorization. STRIDE helps systematically identify threats during TARA.
40
How does Ethernet switch security work in vehicles?
Answer
Automotive Ethernet switches provide: VLAN segmentation (isolate traffic domains), MAC address filtering (whitelist known ECUs), port-based access control (IEEE 802.1X authentication), traffic shaping and rate limiting (prevent flooding), mirroring for IDS monitoring, and ACLs (Access Control Lists) for fine-grained traffic filtering. TSN (Time-Sensitive Networking) adds stream isolation. Switch configuration must be locked down to prevent unauthorized changes.
41
What is the cybersecurity management system (CSMS)?
Answer
CSMS is the organizational framework required by UN R155. It includes: governance (roles, responsibilities, top management commitment), processes (risk assessment, development, monitoring, incident response), tools and infrastructure (VSOC, vulnerability tracking), competence management (training, certification), supplier management (cybersecurity requirements flow-down), and continuous improvement (lessons learned, threat intelligence). CSMS is audited by technical services for type approval.
42
How do you handle third-party component security?
Answer
Supply chain security process: 1) Include cybersecurity requirements in procurement specifications. 2) Request TARA results and security evidence from suppliers. 3) Verify supplier's cybersecurity processes (ISO 21434 compliance). 4) Perform incoming security testing (vulnerability scanning, fuzzing). 5) Monitor CVEs for all third-party components (especially open-source). 6) Maintain a Software Bill of Materials (SBOM). 7) Contractual obligations for patch delivery timelines.
43
What is a Software Bill of Materials (SBOM) and why is it important?
Answer
An SBOM is a comprehensive inventory of all software components in a system, including: name, version, supplier, license, and dependencies. For cybersecurity: enables rapid vulnerability assessment when new CVEs are published (does our vehicle contain the affected component?). Formats: SPDX, CycloneDX. UN R155 and ISO 21434 effectively require SBOM capability for vulnerability monitoring throughout the vehicle's 15+ year lifetime.
44
What are side-channel attacks relevant to automotive?
Answer
Side-channel attacks extract secrets by observing physical characteristics: power analysis (DPA/SPA - measure power consumption during crypto operations to extract keys), electromagnetic emanation, timing attacks (measure execution time variations), and fault injection (voltage glitching, laser fault injection to bypass secure boot). HSMs are designed to resist these attacks. Countermeasures: constant-time algorithms, power noise generators, and tamper detection.
45
How is cybersecurity addressed during ECU manufacturing?
Answer
Manufacturing security: secure key injection (provision unique keys per ECU via HSM programming stations), identity provisioning (unique ECU certificates), secure boot activation (lock debug interfaces, blow OTP fuses), production testing of security functions, secure logistics (protect firmware and key material), and personnel access control. The manufacturing environment itself must be secured against insider threats and physical access.
46
What is the difference between symmetric and asymmetric crypto in automotive?
Answer
Symmetric (AES): same key for encrypt/decrypt, fast (~100 MB/s on HSM), used for SecOC message authentication, bulk data encryption, and session keys. Key distribution is the challenge - both parties need the same key. Asymmetric (RSA/ECC): key pair (public/private), slower (~1000x), used for secure boot signatures, certificate verification, and key exchange. ECC P-256 is preferred over RSA-2048 for smaller keys and faster operations on constrained ECUs.
47
What is defense in depth applied to vehicle architecture?
Answer
Defense in depth layers multiple security controls so no single failure compromises security: Layer 1 - perimeter (firewall, gateway filtering). Layer 2 - network (SecOC, VLAN segmentation, IDS). Layer 3 - host (secure boot, MPU, hardening). Layer 4 - application (input validation, secure coding). Layer 5 - data (encryption at rest, secure key storage). Layer 6 - monitoring (VSOC, audit logs). Each layer independently provides protection.
48
How do you perform a cybersecurity assessment for an existing vehicle?
Answer
Assessment steps: 1) Architecture review - map all ECUs, interfaces, communication flows. 2) Threat modeling - apply STRIDE/TARA to the actual system. 3) Configuration audit - check firewall rules, enabled services, debug ports. 4) Vulnerability scanning - check software versions against CVE databases. 5) Penetration testing - attempt exploitation of identified weaknesses. 6) Code review - analyze security-critical components. 7) Report findings with risk ratings and remediation recommendations.
49
What security considerations apply to ADAS/autonomous driving systems?
Answer
ADAS security is critical due to safety implications. Concerns: sensor spoofing (LIDAR, radar, camera injection), GNSS spoofing (false position data), V2X message manipulation, ML model adversarial attacks (fooling object detection), and high-performance computing platform security (Linux-based systems). Protections: sensor fusion redundancy, plausibility checking, secure V2X with certificates, model robustness testing, and secure hypervisor for mixed-criticality domains.
50
What is ISO 11452 and electromagnetic immunity testing?
Answer
While primarily an EMC standard, electromagnetic immunity testing has cybersecurity implications. Strong EM fields can cause: bit flips in memory (similar to fault injection), communication errors on CAN/Ethernet, and sensor interference. Security relevance: intentional EM attacks could disrupt ECU operation or bypass security checks. Testing verifies ECU resilience to EM disturbances. Combining EM hardening with cybersecurity provides more robust protection.
51
How do over-the-air updates relate to cybersecurity maintenance?
Answer
OTA is the primary mechanism for cybersecurity maintenance throughout vehicle lifetime. Requirements: secure update channel (signed + encrypted packages), rollback protection (anti-downgrade), partial update capability (patch individual ECUs without full reflash), campaign management (prioritize critical security patches), user notification and consent, and update verification. Without OTA, cybersecurity vulnerabilities in fielded vehicles cannot be effectively remediated.
52
What is automotive SIEM and how does it work?
Answer
Automotive SIEM (Security Information and Event Management) collects and correlates security events from across the vehicle fleet. Sources: IDS alerts from vehicles, backend system logs, OTA system events, diagnostic tool access logs. Functions: event correlation (detect distributed attacks), alerting (notify VSOC analysts), forensics (reconstruct attack timelines), reporting (regulatory compliance). Cloud-based SIEM handles millions of vehicles.
53
How do you secure vehicle-to-cloud communication?
Answer
Protection layers: mutual TLS authentication (vehicle and cloud both verify certificates), encrypted channels (TLS 1.3), API security (OAuth 2.0 tokens, rate limiting), certificate pinning (prevent MITM), secure credential storage in HSM, periodic credential rotation, and anomaly detection on the cloud side. The vehicle's connectivity unit (TCU) manages the secure channel. Backend security includes: DDoS protection, WAF, and access control.
54
What is the role of a Cybersecurity Interface Agreement (CIA)?
Answer
A CIA documents the cybersecurity responsibilities and interfaces between OEM and Tier-1 supplier (or between Tier-1 and Tier-2). It defines: which party performs TARA, security requirements flow-down, shared assumptions, deliverables (security evidence, test reports), vulnerability handling process, and incident response coordination. Required by ISO 21434 for distributed development. Similar to the Safety Interface Agreement in ISO 26262.