
A Roadmap to Resilience

HOW THE AUTOMOTIVE SECTOR CAN BUILD TRUST IN CONNECTED VEHICLES

Contents

Executive Summary, page 3
Introduction, page 4
The Requirement for an Assurance Framework and Rating System, page 6
Understanding Risk, page 6
Existing Demand for Cybersecurity Assurance, page 7
Benefits, page 8
A Roadmap to Increased Assurance for Connected and Autonomous Vehicles, page 10
Industry Adoption, page 10
Timings, page 10
Assurance Framework, page 12
Innovation Framework, page 13
Assessment Overview, page 14
The Assurance Rating System, page 18
Governance, page 22
Additional Considerations, page 24
Next Steps – Making the Roadmap a Reality, page 25
Conclusion, page 26
Acknowledgements, page 27

5StarS: A ROADMAP TO RESILIENCE


Executive Summary

The 5StarS Consortium was created in 2017, funded by UK government-backed Innovate UK and bringing together automotive industry experts: HORIBA MIRA, Ricardo, Thatcham Research, Roke and Axillium.

Our mission is to develop a framework for vehicle manufacturers to implement in response to the technological developments that are sweeping across the automotive sector.

While technology is a common component of new vehicles, it can bring a greater threat of cyber attacks. Consumers expect the latest technology to be included but their awareness of cybersecurity issues is growing. It is a threat to the sector that stakeholders must also take seriously.

The 5StarS assurance framework will give vehicle manufacturers a measure of their vehicles’ resilience and allow stakeholders to understand their risks from connectivity. We also propose a consumer-facing assurance rating system to reassure motorists about their choice of vehicle. We believe this will build trust in the engineering and operation process and, crucially, in the safety, security and resilience of vehicles.

This paper summarises the output of the consortium’s work, incorporating feedback from stakeholders. It sets out the benefits to all stakeholders of adhering to the framework. It includes a roadmap that vehicle manufacturers will follow to pass the tests of the assurance framework. It also introduces details of independent assessments and the agility built into the framework, allowing it to be adapted to deal with continually changing threats. Finally, we present details of the consumer-facing assurance rating system.

The framework has been designed with vehicles launched in the UK in mind. However, it is intended to be globally relevant and aligns to international standards. The roadmap factors in - but goes further than - other vehicle cybersecurity tests, standards and assessments in development, such as the emerging ISO/SAE 21434 [1] and the CAV Innovation System Framework [2].

Through our research and evidence gathered to develop the framework, we are confident that it is a workable and positive response to the issues posed by new technology. It will allow vehicle manufacturers and others to deal with the risks but also consider the clear opportunities on offer.

The 5StarS consortium is now evaluating opportunities to conduct trials, in order to validate the assurance framework and its implementation.

Ultimately, the 5StarS framework will help build trust in the huge advances new technology can bring to the automotive sector and provide return on investment through increased vehicle sales.

[1] https://www.iso.org/standard/70918.html
[2] https://www.iso.org/standard/69315.html



Introduction

In the automotive sector connectivity will be a key driver of future sales volumes. As such, motorists want to know they are spending their hard-earned money on vehicles that have proven, built-in safeguards and resilience against emerging forms of crime such as remote data theft.

This need is already recognised within the industry. As GM’s head of product cybersecurity, Jeff Massimilla, states: “Cyber is something customers are making purchasing decisions on… the customer’s notion of a particular company’s cybersecurity proficiency is likely to become like many other competitive metrics when it comes to winning a spot on a buyer’s consideration list.”

As vehicle manufacturers install ever-more ingenious technology to differentiate their vehicles - from in-car entertainment and voice-activated payment systems, to connectivity that will boot up our homes as we drive there - criminal threats that exploit inherent weaknesses are sure to ramp up.

Meanwhile, the arrival of Connected Autonomous Vehicles (CAVs) and Advanced Driver Assistance Systems (ADAS) is also accelerating the debate around technology’s role in, and impact on, road safety.

Continuing to build consumers’ trust in both vehicle safety and cybersecurity will therefore be critical. The consortium’s mission is to develop an assurance framework that underpins future assessments of the cybersecurity capabilities of new vehicles and their resilience to attacks.



5StarS’ proposed assurance framework is based on independent assessments that will scrutinise vehicles’ cybersecurity capabilities. There are several phases involved and these are set out as a roadmap on the following pages.

Several CAV-related cybersecurity standards and regulations are in the pipeline, such as UNECE regulations and ISO/SAE 21434, and the roadmap has been developed in tandem with these emerging standards. However, they are intended to be used by manufacturers to build in cybersecurity as part of their engineering processes. There is currently no way for consumers to make informed buying decisions based on cybersecurity, or for insurers to evaluate cybersecurity risk when pricing insurance premiums. The output of the 5StarS assurance framework is an assurance rating system that motorists, insurers and the wider industry can easily understand; note the success of the Euro NCAP rating system.

We believe a cybersecurity assurance framework and assurance rating system will bring certainty not found in other industry proposals:

• building consumer trust in the overall safety of vehicles

• specifically, highlighting vehicle defences against cyber attacks and their resilience to those threats in the event of a breach

• potentially resulting in reduced insurance premiums

• increased future vehicle sales - and therefore return on investment in actions brought about by the framework - as a result of the above.

This paper is intended to present stakeholders – vehicle manufacturers, insurers, policymakers and infrastructure owners - with details of the framework assessment criteria, the rating system and a roadmap to implement both.

Stakeholders that implement the framework will reap multiple rewards. It enables vehicle manufacturers and suppliers to monetise the investment they are already making, driving further investment, differentiation, competition and improvement.



The Requirement for an Assurance Framework and Rating System

Understanding Risk

These are exciting times for the automotive industry. Technology is transforming vehicle production and the driving experience as a whole. But with the implementation of next-generation systems comes great responsibility.

That responsibility begins with an understanding of risk. As vehicles become smarter, so will criminals looking to exploit vulnerabilities.

Figure 1 shows the typical attack surface of a connected vehicle.

[Figure 1. Vehicle attack surface. The diagram marks the entry points to attack the vehicle (remote and physical): GPS, DAB, WiFi, Bluetooth, keyless entry, immobiliser, TPMS, GSM/3G/4G, ITS, camera, radar, lidar, consumer devices, service provider, OEM backend, OBD, USB, media and EV, together with the in-vehicle network (CAN, FlexRay), JTAG / serial I/O and side channels. Annotations: “Vehicle as an IoT attack vector” and “Attacks move ‘down the stack’ as countermeasures improve”.]



Risk can be assessed as a function of threat, vulnerability and impact. Using connected cars as an example:

Vulnerability = A weakness that can be exploited in order to attack e.g. an open wireless network port on a connected infotainment system

Threat = Potential to exploit vulnerability e.g. a criminal installs malware into a vehicle’s systems via an exposed entry point on the attack surface

Impact = Damage to the vehicle; physical or digital information theft; injury; reputational damage to the parent brand.

The 5StarS consortium’s framework seeks to assure consumers that the vehicle they are interested in buying or using, and insurers that the vehicle they are insuring, is subject to appropriate and effective cybersecurity risk management.

Existing Demand for Cybersecurity Assurance

The UN is currently developing global regulations on cybersecurity for vehicle type approval. A UNECE task force has developed draft regulations requiring vehicle manufacturers to have their management systems for cybersecurity and over-the-air software updates independently audited before a new vehicle can gain type approval.

Meanwhile, a joint working group of industry experts is currently developing a new international standard, ISO/SAE 21434 Road vehicles – Cybersecurity engineering, which will define the automotive industry state-of-the-art for cybersecurity engineering. This standard is also expected to be the reference against which the UNECE cybersecurity management system audit is carried out.

ISO 56000 Innovation Management is also currently under development. This standard will act as guidance for the development of a CAV Innovation System Framework, developed by Axillium, and provide the standards to which all stages of innovation activity will adhere. The innovation framework is designed to allow for integration of the assurance and assurance rating frameworks during future CAV innovation so that cybersecurity is considered from the earliest stage of R&D/product development (see page 13).

Elsewhere, consumer groups such as Consumer Reports in the US have announced plans to evaluate the security and privacy aspects of consumer products, including vehicles. Just like data security generally, cyber threats are reaching the collective consumer consciousness as a component of overall vehicle safety. In response, the US SPY Car Act, introduced in 2015, includes a number of demands of vehicle manufacturers.

The 5StarS assurance framework is specifically designed to build on relevant published and emerging international standards and regulations, with members of the consortium actively involved in both the UNECE and ISO/SAE developments. The 5StarS framework enhances the standards and regulations, and introduces additional assurance, by providing supplementary assessment criteria.

The requirements of the 5StarS assessment are aligned with SAE J3061, the current draft of ISO/SAE 21434 and the UK National Cyber Security Centre (NCSC) Cybersecurity Assurance Framework. Therefore, it is expected that a vehicle manufacturer can achieve an efficient cybersecurity assessment with reasonable effort by aligning processes and activities with the 5StarS framework.



[Figure 2. How the Automotive Cybersecurity through Assurance project relates to standards and regulatory activity. Diagram labels: Regulations, Standards and Best Practice (ISO/SAE 21434 Cybersecurity Engineering, under development; SAE J3061; BSI PAS 1885; UN ECE WP.29); vehicle manufacturers and suppliers (innovation and product development according to international standards; submit for assessment); Cybersecurity Assessment Laboratory; the 5StarS “Automotive Cybersecurity through Assurance” project (Innovation Framework, Assessment Framework, Assurance Rating Framework), which aligns with and informs standardisation; assurance rating; insurers and consumers.]


It’s important to note that standards and regulations in development or already being used do not ultimately provide consumers with a way to make informed buying decisions based on cybersecurity properties, or for insurers to evaluate threats when pricing insurance premiums.

The goal of 5StarS is to fill this gap by providing a roadmap to increased assurance in the cybersecurity of connected and autonomous vehicles. This roadmap starts by providing practical guidance and support for vehicle manufacturers to meet the demands of the emerging regulations and standards, and defines a progression towards independent assessment, feeding into a risk-based framework with a visible rating for insurers and consumers.

Benefits

With the introduction of the assurance framework, we believe those operating in the manufacturing supply chain can pinpoint problems based on the scoring output of the assessments and try to fix the issues – ultimately helping to build insurer certainty and consumer trust.

The wider benefits for all stakeholders are manifold, as set out in Table 1.



Stakeholder: Key Benefits

Vehicle manufacturers
• Clear line of sight between investment in cybersecurity and revenue
• A means of increasing consumer confidence and building trust compared to self-assessment approach
• Improved cybersecurity of products or variants through independent testing
• Benchmark for measuring cybersecurity engineering against rival vehicle manufacturers
• Reduced product liability by employing cybersecurity engineering best practice
• Potential sharing of costs across supply chain via assurance assessment of vehicle, systems and sub-systems

Insurers
• Gives assurance that vehicles to be insured are subject to appropriate and effective cybersecurity risk management, so new group rating can be applied with confidence
• Provision of assurance rating demonstrating vehicle manufacturers’ understanding of risk and actions taken to mitigate it

Policymakers/government
• Gives visibility of trending vulnerabilities and threats of cyber attacks in anonymised form.
• Provides governance around current and future management and mitigation of associated risks by the automotive sector

Infrastructure
• Helps infrastructure operators understand the CAV cybersecurity landscape and level of consumer demand / future pressure on infrastructure systems

Consumers
• Assurance rating system provides a direct comparison between different models when motorist is comparing and choosing vehicles
• Builds trust among motorists about vehicle manufacturers’ commitment to manage cyber-attack risks, and the safety and security of their vehicle

Table 1. Summary of stakeholder benefits



A Roadmap to Increased Assurance for Connected and Autonomous Vehicles

The 5StarS project is set to conclude in 2019 when we will make final recommendations for a cybersecurity assessment and assurance rating framework, following industry consultation and further research.

This will require additional development by consortia to promote adoption by the automotive industry and support from other stakeholders. The adoption timeframe will depend on the route taken.

The first version of the 5StarS framework should provide a meaningful but achievable level of assurance that can be supplemented as the level of cybersecurity of the automotive industry matures, as illustrated in Figure 3 below.

Industry Adoption

Following the completion of the 5StarS project in 2019, we propose a period of adoption of the assurance framework as an assessment process. We suggest the end of this period of adoption should coincide with the planned publication date of the finalised ISO/SAE 21434 standard, currently expected at the end of 2020.

Timings

5StarS will use a phased approach to the roadmap to continually raise the bar for manufacturers. The full assessment criteria will be applicable from the start, but the scoring thresholds will be used to increase the difficulty of attaining a high score over time. Therefore, manufacturers will have the potential to reach the maximum score of five stars immediately, although a more rigorous approach to cybersecurity will be required to achieve this same score in future.

[Figure 3. Increasing assurance offered by the 5StarS framework. Layers shown, in order of increasing assurance: Regulations (UNECE); Standards (ISO/SAE 21434); 5StarS assurance framework (Automotive Cybersecurity through Assurance).]



Initially, the timing of the phase changes will be aligned to the introduction of the new standards from ISO/SAE 21434 and UNECE to reduce the overhead and duplication of effort required by manufacturers to take part in a 5StarS assessment.

As new technology and cybersecurity best practice change over time, the criteria will be amended again. However, the 5StarS consortium will work with manufacturers to give them advance warning whenever possible, thus maintaining consistency of scoring. Our current proposal is that, in future, assessment criteria will be reviewed annually.

Figure 4 below sets out the proposed timeline for the implementation of each phase of the roadmap relative to the timeline of the UNECE regulations, ISO/SAE 21434 and the innovation framework. Each phase will require adoption and development with industry involvement prior to implementation. The assessment ratings will be adjusted so that, at each successive phase, the requirements to achieve a given rating will be more stringent.

[Figure 4. Proposed timeline for the implementation of each phase of the roadmap. Time axis: 2019, 2020, 2021, 2022, 202?. Rows: UNECE (adoption by WP.29, transition period); ISO/SAE 21434 (DIS, publication); 5StarS (project complete, industry adoption, Phase 1, Phase 2, Phase 3, dynamic evolution of test requirements and rating thresholds); ISO/CD 56000 (committee stage, publication stage; TR56002: Innovation management system; TR56003: Innovation management tools and methods for innovation partnerships; TR56004: Innovation management assessment; dynamic evolution of innovation concepts).]



Assurance Framework

The 5StarS Assurance Framework is illustrated in Figure 5. It comprises several elements, including the System Lifecycle and Maturity Model, the Vehicle Assessment Framework, the Vehicle Cybersecurity Assurance Rating and the CAV Innovation System Framework. These elements are described in more detail below.

[Figure 5. Illustration of the overall 5StarS framework. Inputs: Best Practices (BSI PAS 1885, DfT principles), International Standards (ISO/SAE 21434, SAE J3061) and Regulations (UNECE, NHTSA). The Assurance Framework is aligned to international standards and regulations and comprises Sub-system Assurance, Vehicle Cybersecurity Assessment and Vehicle Cybersecurity Assurance Rating. The System Lifecycle and Maturity Model covers product development; production, operations, maintenance and decommissioning; and cybersecurity governance and management. Other labels: vulnerability assessment, threat landscape monitoring, national variance, agility, validity, ITS, service provider, OEM backend, in-vehicle network (CAN, FlexRay), JTAG / serial I/O, side channels, and the CAV Innovation System Framework.]



Innovation Framework

Currently in development, the CAV Innovation System Framework (CISF or innovation framework) has been designed to integrate into the assurance framework to provide a system for vehicle manufacturers to assess and ensure that exploitation considerations are built in at the initial concept stages, and can therefore achieve the assurance framework accreditation and assurance rating.

At present, there is not a recognised standard for managing the innovation aspects of large, collaborative CAV R&D projects. Aligning the CAV innovation framework with ISO 56000 will ensure:

• Innovation management

• Identification of CAV opportunities for market exploitation

• Identification of funding opportunities for technology exploitation

• Verification of current and future project technology readiness levels

The benefits to stakeholders are:

• For vehicle manufacturers, de-risking the innovation process of their internal R&D and supply chains, increasing the likelihood of achieving a high 5StarS rating

• Consumers will benefit from improved products, sooner, if the product innovation process is streamlined

In terms of product development/verification, the innovation framework sits in the vehicle pre-concept stage, feeding into the engineering space of the overall assurance framework.

Successful integration of the innovation framework will help simplify the process of implementing changes and facilitate roll-out of new versions.

ISO 56000 Innovation Management System, a key component of the innovation framework, sits alongside the engineering stream of ISO/SAE 21434 but is expected to be applied from an earlier date.

ISO/TR 56004 Innovation Management Assessment is also currently being proposed. The innovation framework would include elements of it, along with Digital Readiness Level tools and R&D processes that already form part of the framework under ISO 56003 Innovation Management – Tools and Methods for Innovation Partnership.

In turn, the innovation framework will feed into the assurance framework roadmap as illustrated in Figure 4 in Timings.



Assessment Overview
The vehicle cybersecurity assessment consists of the four components described below.
Components 1, 2 and 3 are supported by the System Lifecycle and Maturity Model, which defines
best practices across the vehicle lifecycle as well as assessment criteria. Component 4 covers an
assessment of the vehicle itself.

1. Concept and design (product development) - the engineering processes used to design
security into vehicles and systems; covering concept, system and component design, and testing
and validation during vehicle and system engineering. The assessment should consider the
existence of suitable processes and whether they have been followed.

[Figure 6. Illustration of assessment components. Development phase, under Cybersecurity Governance and Management and the Secure by Default / Defence in Depth Principles / Cyber Security Standards banner. Concept and Design (product development) steps: Feature Definition, Initiation of Cyber Security Lifecycle, Threat Analysis and Risk Assessment, Cyber Security Concept, Functional Requirements, Initial Cyber Security Assessment, Evaluation of Concept and Design. Conformance monitoring: Threat Modelling, Vulnerability Assessment, Risk Assessment, Safety Considerations, Risk Assessment. System classes: Convenience; Safety-related Systems; Safety Critical Systems (ADAS (Advance Driver-Assistance Systems), Airbag Systems, Battery Management Systems, Seat Belts, Braking Systems, Drive-by Wire, Park by Wire, Power Steering Systems). Testing: Test Driven Development, Static Analysis, Unit Testing, Integration Testing, Regression Testing, Exploratory Testing, Fuzz Testing, Penetration Testing, Performance Testing, Automated Testing. Supply Chain Assurance.]



2. Cybersecurity governance and management - considering whether appropriate
organisational measures for cybersecurity are in place, independent of particular projects. This
includes assessing an organisation’s cybersecurity culture, provision of appropriate resources,
training and information sharing. The above elements take into account the emerging standards
and expected regulatory requirements mentioned.

3. Production, operations, maintenance and decommissioning - the processes in place when
the vehicle is in the field, including aspects such as field monitoring processes, incident
management and response, and product (including over-the-air) updates.

[Figure 6 (continued). Production phase and post-production phase. Stages: Production, Ownership, Transfer of Ownership, End of Vehicle Life. Information security assessments: Data Protection Assessment Methods, Education of Staff, Staff Vetting, Verifying the Awareness of Cyber Security Policy, Access Control Tests, Social Engineering Tests, Log Reviews, Development Stage System Security Assessment Methods. Support period: Field Monitoring, Security Incident Management, Maintenance and Updates (Digital Updates, Physical Updates). Personal data: Infotainment Systems, Telematics Data, Data Sanitisation, Transponders, Detection and Transfer of Ownership. Testing: Information Security Assessments, Supply Chain Assurance.]



10.3a) An incident response team (IRT) should be set up with adequate resources and a set of procedures in place to quickly and efficiently determine the category of incident and provide a timely response, informing relevant persons or organisations.
Indicators, in table column order:
- The team has a set of procedures in place but there is no explicit budgeting for incident response.
- The team has a set of procedures in place and there is explicit budgeting for incident response.
- The team has a set of procedures in place and there is explicit budgeting for incident response and the incident response team is well resourced.

10.6a) There should be an easy way for an existing owner to remove all of their personal data from their vehicle prior to sale or transfer to a new owner. The sanitisation procedure should:
• Be easily accessible, probably through the menu of the infotainment.
• Inform the owner what will happen if they do run the procedure and request their confirmation prior to proceeding.
• Confirm to the user when complete both via an audible and visual signal.
• There should be verification of the sanitisation.
Indicators, in table column order:
- There is no central method of sanitisation.
- There is a central method of sanitisation that performs some but not all of the stated steps.
- There is a central method of sanitisation that performs all of the stated steps.

11.3.3a) OTA updates should be designed so that safety or security is not impacted during the update. Users should not be able to drive the vehicle during an update if it is not safe to do so.
Indicators, in table column order:
- Unmitigated security vulnerabilities or safety risks are created when an OTA update takes place.
- There are some mitigating actions to prevent security vulnerabilities or safety risks being created when an OTA update takes place.
- The creation of security vulnerabilities or safety risks during an OTA update is fully mitigated against to an acceptable level of risk.

Table 2. Examples of assessment criteria that will be used in the lifecycle assessment.
Indicators of good practice are used to score elements of the vehicle lifecycle.

4. Vulnerability assessment – as well as assessing the processes that the vehicle manufacturer
has in place and followed when developing the vehicle, it is also important to assess the vehicle
itself, to seek further assurance that the processes have actually resulted in a sufficiently resilient
realisation of the vehicle.

The vulnerability assessment begins with security-focused reviews of the vehicle manufacturer’s
work products, such as threat and vulnerability analyses, risk assessments, design and test
specifications, and penetration tests and results.

From these activities, an independent vulnerability analysis and practical tests are carried out to
identify any residual product vulnerabilities - and whether they could be exploited.

The assessor shall carry out an independent vulnerability analysis followed by a test plan
consisting of appropriate tests, to explore and assess the exploitability of any identified residual
vulnerabilities.



As the tests will vary over time and between vehicles, a guideline document giving examples of
appropriate cybersecurity tests will be maintained by the 5StarS committee. This document will be
used for two purposes:

• By the assessment laboratory to develop an appropriate test plan for the vehicle under
assessment;

• By the laboratory accreditation process to ensure the consistency of the assessments carried
out by approved assessment laboratories and to verify the competence of laboratories and their
assessors.

During an assessment, appropriate tests will be planned based on the categories shown in Table 3.
Some non-exhaustive examples are given for each category, which will be expanded further in the
guidelines to be maintained by the 5StarS committee (see Governance, page 22).

All applicable tests for a given assessment will be selected from the test guideline document based
on the features of the vehicle. For example, if the vehicle does not have a Wi-Fi hotspot fitted, those
tests will not be carried out and there will be no negative impact on the assessment result.

Test category: Examples of tests

1. Long-range wireless tests
• Jamming, spoofing or eavesdropping of cellular and broadcast interfaces

2. Short-range wireless tests
• Manipulation of wireless interfaces such as Wi-Fi, Bluetooth
• Spoofing of sensor measurements to manipulate driver assistance or automated driving functions

3. Physical interface tests
• Manipulation of OBD-II diagnostic protocols
• Sufficiency of isolation of the OBD-II port from safety-relevant functions.

4. In-vehicle network tests
• Spoofing or tampering of messages on the CAN bus
• Effectiveness of any intrusion detection systems
• Effectiveness of any message authentication

5. ECU hardware and software tests
• Reverse engineering, re-flashing or other manipulation of embedded software
• Accessibility of debug ports (e.g. JTAG)
• Recovery of cryptographic keys by side channel analysis

Table 3. Test categories and examples



The Assurance Rating System
After each assessment, the laboratory will issue a detailed report to the manufacturer
containing full details of findings, including the level of assurance achieved by the
assessed vehicle. The report enables the manufacturer to understand the outcome of the
assessment and any findings or issues to be resolved. At this stage there is the
opportunity for the manufacturer to resolve any open issues before proceeding to obtain
an assurance rating for the vehicle. The assessment criteria and requirements are
illustrated in Figure 7 below, followed by an explanation of how they are grouped.

[Figure 7. Assessment criteria (an explanation of DfT principles can be found on page 19). Assessment criteria: system lifecycle criteria (Cybersecurity Governance and Management; Product Development; Production, Operations, Maintenance and Decommissioning), grouped as criteria corresponding to the UNECE audit requirements (Level 1), criteria corresponding to all ISO/SAE 21434 requirements (Level 2) and 5StarS additional criteria (Level 3); and vulnerability assessment (design review, vulnerability analysis, penetration testing) at Basic, Medium and High levels. Scoring: Level 1, Level 2 and Level 3 scores are recorded within each of the 8 DfT Key Principles of Cyber Security for CAV.]



The levels below illustrate how the assessment criteria are grouped by difficulty level, and their
alignment with the requirements of the standards and regulations. This aids the definition of the
thresholds used to derive the rating from the assessment scores:

• Level 1 criteria based on independent audit of the vehicle manufacturer’s cybersecurity
management system against the anticipated regulatory requirements of UNECE, and includes
the results of a basic level of vulnerability assessment and testing.

• Level 2 criteria based on independent assessment against the anticipated requirements of
ISO/SAE 21434 or equivalent standards, and includes the results of a medium level of
vulnerability assessment and testing.

• Level 3 criteria based on independent assessment against the requirements of the full 5StarS
framework including additional system lifecycle criteria, and includes the results of a high level of
vulnerability assessment and testing.

As part of the assessment process, the laboratory records a set of scores aligned to the assurance
needs of insurers and consumers.

Results of the assessment are categorised according to the Department for Transport (DfT)
Principles for cybersecurity in Connected Autonomous Vehicles as shown in Table 4.

Category: Criteria

1: Organisational security is owned, governed and promoted at board level

2: Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain

3: Organisations need product aftercare and incident response to ensure systems are secure over their lifetime

4: All organisations, including sub-contractors, suppliers and potential third parties work together to enhance the security of the system

5: Systems are designed using a defence-in-depth approach

6: The security of all software is managed throughout its lifetime

7: The storage and transmission of data is secure and can be controlled

8: The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.

Table 4. DfT Principles for Cybersecurity in Connected Autonomous Vehicles



Assurance rating measurement criteria
Requirements of the assurance rating system are as follows. It shall:
• build upon initial consultation with insurers to define a rating that is understandable to insurers
and the consumer, while still meaningfully reflecting the level of cybersecurity assurance
• consider the perception of the rating by consumers and insurers
• address the evolving threat landscape and the applicability of the rating beyond the date of issue
• address differences between countries
• include consideration for maintenance and periodic technical inspection.

[Figure 8 (diagram). Stages shown: Assessment Scoring of the Recommendations under Principles 1 to 8; Insurer Weighting; Consumer Weighting; Threshold Banding.]

Figure 8. Process of moving from assessment to assurance rating

The rating will reflect the confidence in a vehicle’s cyber resilience based on the 5StarS assurance
framework - in turn related to future, mandatory cybersecurity standards - and be comparable to
other rated vehicles. Insurers will also receive textual comments for each one of the eight principles
as guidance on why the vehicle received the rating, as well as a score breakdown. To avoid
confusion, the insurer rating will not be made public.

The aim of the rating is to inform the consumer’s buying decision as well as to provide underwriters
with information to help assess a vehicle’s cyber risk. Given their different priorities, the final scores
for consumers and insurers may differ. The rating will influence the vehicle’s insurance group rating.
This affects the cost of insuring the rated vehicle for the consumer. The assurance rating system
will apply to new vehicles only.
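
As an added illustration (not part of the 5StarS paper or its methodology), the Python example below runs one constructed assessment through the stages named in Figure 8 to show how the same laboratory scores can yield different insurer and consumer results. The 0-100 scale, both weightings, the thresholds and the numeric bands are all assumptions; the paper does not publish them.

```python
# Added illustration; every number below is constructed, not taken from 5StarS.
LEVELS = (1, 2, 3)  # criteria difficulty levels (Figure 7)

# Constructed lab result: principle -> (Level 1, Level 2, Level 3) score, 0-100.
ASSESSMENT = {
    1: (90, 80, 60), 2: (85, 75, 55), 3: (80, 50, 30), 4: (85, 70, 50),
    5: (90, 80, 70), 6: (80, 55, 35), 7: (95, 90, 80), 8: (90, 75, 60),
}
# Hypothetical audience weightings over the eight principles, in percent.
INSURER_WEIGHTS = {1: 10, 2: 10, 3: 20, 4: 10, 5: 10, 6: 20, 7: 5, 8: 15}
CONSUMER_WEIGHTS = {1: 5, 2: 5, 3: 10, 4: 5, 5: 15, 6: 10, 7: 35, 8: 15}
# Hypothetical minimum weighted score needed to clear each level.
THRESHOLDS = {1: 70, 2: 70, 3: 70}


def weighted_scores(assessment, weights):
    """Collapse per-principle scores into one weighted score per level."""
    if set(assessment) != set(weights) or sum(weights.values()) != 100:
        raise ValueError("weights must cover every principle and sum to 100")
    return {
        lvl: sum(weights[p] * assessment[p][lvl - 1] for p in assessment) / 100
        for lvl in LEVELS
    }


def band(scores, thresholds=THRESHOLDS):
    """Highest level cleared with no lower level failed (0 = none cleared)."""
    cleared = 0
    for lvl in LEVELS:
        if scores[lvl] < thresholds[lvl]:
            break
        cleared = lvl
    return cleared


def shortfalls(assessment, level, thresholds=THRESHOLDS):
    """Principles scoring under the threshold at `level`, for the breakdown."""
    return sorted(p for p, s in assessment.items() if s[level - 1] < thresholds[level])


if __name__ == "__main__":
    for name, w in (("insurer", INSURER_WEIGHTS), ("consumer", CONSUMER_WEIGHTS)):
        s = weighted_scores(ASSESSMENT, w)
        print(name, s, "band", band(s))
    print("Level 2 shortfalls:", shortfalls(ASSESSMENT, 2))
```

With these constructed inputs the insurer weighting, which leans on Principles 3 and 6, stops at band 1, while the consumer weighting, which leans on Principle 7, reaches band 2.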

Just as the Euro NCAP star rating has won widespread recognition, we believe that the 5StarS
rating system will be of huge benefit, not just to consumers and insurers but also vehicle
manufacturers that require a visible representation of their efforts and investment to meet the
stringent assessment tests of the assurance framework.

Governance

The 5StarS consortium proposes that the assurance framework should be governed based on the
example in Figure 9 below. There follows a description of key stakeholders’ role in the process -
NB the example illustrates the proposed governance model for the UK, but the model is applicable
internationally:

[Figure 9 (diagram). Parties shown: 5StarS committee; Thatcham and consumer bodies; threat landscape; 5StarS assessment scheme and assurance rating scheme; vehicle manufacturers and suppliers; independent cybersecurity assessment laboratories; national cybersecurity technical authority; insurers and consumers; vehicle assurance rating database. Relationships shown: monitor, participate, develop and maintain, represent, accredit, consult, develop vehicle, submit for assessment, assessment report, submit rating.]

Figure 9. 5StarS assurance framework governance



Vehicle manufacturers and suppliers
The vehicle manufacturer and its tiered supply chain develop products according to the relevant
regulations, standards and best practice, and submit products for assessment prior to release for
production. The vehicle manufacturer selects a 5StarS-accredited assessment laboratory of its
choice and enters into a contract with the laboratory to carry out the assessment.

Independent cybersecurity assessment laboratories


Cybersecurity assessment laboratories, independent of vehicle or component manufacturers, are
accredited by the relevant national cybersecurity technical authority (see below) to carry out vehicle
cybersecurity assessments and issue vehicle cybersecurity assurance ratings according to the
5StarS assurance framework.

A laboratory accreditation scheme will be required to ensure consistency of assessments between
laboratories. It is proposed that this scheme will be overseen by the national cybersecurity
technical authority of the country in which the assessment laboratory is located. The accreditation
is to be carried out by an accreditation body such as UKAS, analogous to standards such as ISO
17025.

National cybersecurity technical authority


Each nation supporting the assessment scheme appoints an appropriate technical authority, which
may be the government national cybersecurity agency, for example the National Cyber Security
Centre (NCSC) in the UK. The technical authority oversees the accreditation of each of the
assessment laboratories located within its jurisdiction, and periodically monitors the laboratories to
ensure consistent application of the framework and competency across laboratories.

5StarS Committee
This committee is responsible for the ongoing development and iteration of the 5StarS assurance
framework and all its elements. This is to ensure that the scheme is kept up to date with the
evolving security landscape and continues to meet the needs of all stakeholders.



Additional Considerations

Ongoing Assessments
Assessment is expected to be carried out before vehicle type approval. Assessors should therefore
be required to examine existing cybersecurity measures during production, but also any measures
in place for the post-production lifecycle.

Vehicle Assurance Rating Database


The vehicle assurance ratings issued by the assessment laboratories are to be stored in a central
repository that can be consulted by the relevant stakeholders, such as consumers and insurers.
This database shall only store the final ratings; the full vehicle cybersecurity assessment report is
shared only with the relevant vehicle manufacturer.

Geographical Scope
Although the 5StarS project is UK government-funded and the consortium partners are UK-based,
it is planned that the assurance framework and assurance rating system will apply internationally.
This will assist vehicle manufacturers aiming to sell vehicles globally, not just in the UK.

As a consequence, the framework is being designed to align to current and emerging international
standards and best practice, so that it can be applied outside the UK.

Supply Chain Scope


The supply chain scope should include the vehicle manufacturer and the tiered suppliers of
components and services that are supplied under contract to the vehicle manufacturer, in this
instance relating to cybersecurity-relevant systems. The 5StarS project is developing vehicle-level
and system/sub-system frameworks which will be integrated into the overall assurance framework.



Next Steps – Making the Roadmap a Reality
The 5StarS consortium now seeks to build upon initial feedback received from our key
stakeholder groups of manufacturers, government and insurers on the proposals outlined in
this document.

A trial phase is now required in which we will invite interested vehicle manufacturers to
validate the assurance framework against their vehicles.

The proposed governance approach also requires further development and evaluation with all
key stakeholders, to define the implementation and ongoing operation of the framework.

The 5StarS consortium are now evaluating opportunities to conduct these trials and would
welcome any input on next steps via the project website:

www.5starsproject.com



Conclusion

This paper outlines the 5StarS consortium’s proposals for an assurance framework and an
assurance rating system for cybersecurity in the automotive industry, and the reasons they
are required.

Like many industries, vehicle manufacturing is undergoing seismic changes driven by new
technology. While consumers will be enthused by the scope of these products, they also need
to know that their vehicles and personal data will remain safe from the threat of cyber attacks.

A system for assuring the resilience and efficacy of the intricate components and systems that
operate in the vehicles being brought to market is crucial for customers’ peace of mind.
Simultaneously, demonstrating that appropriate security measures are in place can accelerate
a whole new revenue stream for the industry.

In a hyper-connected world, cybersecurity matters more than ever. Can you afford to be left
standing at the roadside or will you play your part in making the roadmap a reality?



Acknowledgements

The 5StarS consortium would like to thank the following for their feedback during the
consultation phase:

• SMMT and representatives of vehicle manufacturers

• Thatcham Research Security Committee (insurers)

• ADIG Cyber Sub-group (insurers)

• Government agencies: DfT, CCAV, NCSC, InnovateUK
