Cybersecurity Rating Framework and Its Application to J1939-91C Standard 2024-01-2803

Connectivity is becoming increasingly prevalent in the automotive industry, and with that comes a growing awareness among consumers and regulators of the potential risks. Present-day automobiles are becoming smart and more software-driven. Conversely, every line of code equals a possible threat to the vehicle, the passenger, or the original equipment manufacturer (OEM). To hit the brakes on the alarming increase in cyber threats, government bodies have introduced standards and regulations globally. The United Nations Economic Commission for Europe (UNECE) WP.29 R155 & R156 regulations and International Organization for Standardization/Society of Automotive Engineers (ISO/SAE) 21434 standards are becoming mandatory for all OEMs and are designed to ensure that vehicle functionalities work as intended and are built to mitigate safety risks. UNECE R155 explicitly references ISO/SAE 21434 and mandates a certified cybersecurity management system (CSMS) as a prerequisite for automotive manufacturers to achieve vehicle type approval and sell new vehicle types. However, the gap in the CSMS framework is a lack in a standardized system that provides guidance and common criteria for automakers to measure a vehicle’s level of compliance and compute a publicly accepted cybersecurity rating. To help establish increased consumer confidence, OEMs and smart mobility stakeholders could take additional proactive steps to ensure the safety and security of their products. This paper addresses the above requirement and discusses the cybersecurity rating framework (CSRF) that could establish a framework for rating vehicle cybersecurity by standardizing the measurement criteria, parameter vectors, process, and tools. This framework could empower automakers to implement a process to measure and report their vehicle security rating. Thus, this rating system may be instrumental in building vehicle owners’ trust and confidence in their vehicles’ cyber safety when adopting advanced technology. This paper proposes a CSRF framework to identify a security rating for a particular vehicle system to complement other existing or under-development CSR-type standards. In addition, this paper overviews the SAE J1939-91C (CAN-FD security standard), which then is utilized in experiments to simulate on-board communications. Then the CSRF method is applied to measure the security rating of the electronic control units (ECUs), identify the gaps, and recommend the mitigations. SAE J1939-91C provides methods for establishing trust and securing mutual messages with optional encryption. SAE J1939-91C ensures message authenticity, integrity, and confidentiality by implementing complex cryptographic operations including hash functions and random key generation. The CSRF framework will generate numerous metrices based on simulated communications using the SAE J1939-91C standard to measure and rate the security level of an ECU or a connected off-board device (such as a diagnostics tool). This CSRF rating system may be easily applied with other cybersecurity industry standards including ISO/SAE 21434, WP.29 R155/156, in addition to the ever-evolving attack vectors landscape. CSRF can extend these ratings for all ECUs in the vehicle and thereby achieve the security rating of the entire vehicle variant. The detailed discussion of CSRF specification is out of scope for this paper.