Académique Documents
Professionnel Documents
Culture Documents
OEM
backend
GSM/ Camera Keyless
3G/4G Radar Lidar entry GPS
Consumer devices
Service
provider
EV
OBD
Media
USB
Contents
Executive Summary___________________________________________________________________ 3
Introduction__________________________________________________________________________ 4
Understanding Risk__________________________________________________________________ 6
Benefits____________________________________________________________________________ 8
Industry Adoption__________________________________________________________________ 10
Timings___________________________________________________________________________ 10
Assurance Framework________________________________________________________________ 12
Innovation Framework______________________________________________________________ 13
Assessment Overview_______________________________________________________________ 14
Governance_________________________________________________________________________ 22
Additional Considerations___________________________________________________________ 24
Conclusion__________________________________________________________________________ 26
Acknowledgements__________________________________________________________________ 27
The 5StarS Consortium was created in 2017, The framework has been designed with
funded by UK government-backed Innovate vehicles launched in the UK in mind. However,
UK and bringing together automotive industry it is intended to be globally relevant and aligns
experts: HORIBA MIRA, Ricardo, Thatcham to international standards. The roadmap
Research, Roke and Axillium. factors in - but goes further than - other
vehicle cybersecurity tests, standards and
Our mission is to develop a framework
assessments in development, such as the
for vehicle manufacturers to implement in
emerging ISO/SAE 214341 and the CAV
response to the technological developments
Innovation System Framework2.
that are sweeping across the automotive
sector. Through our research and evidence gathered
to develop the framework, we are confident
While technology is a common component
that it is a workable and positive response to
of new vehicles, it can bring a greater threat
the issues posed by new technology. It will
of cyber attacks. Consumers expect the
allow vehicle manufacturers and others to
latest technology to be included but their
deal with the risks but also consider the clear
awareness of cybersecurity issues is growing.
opportunities on offer.
It is a threat to the sector that stakeholders
must also take seriously. The 5StarS consortium is now evaluating
opportunities to conduct trials, in order to
The 5StarS assurance framework will give
validate the assurance framework and its
vehicle manufacturers a measure of their
implementation.
vehicles’ resilience and allow stakeholders to
understand their risks from connectivity. We Ultimately, the 5StarS framework will
also propose a consumer-facing assurance help build trust in the huge advances new
rating system to reassure motorists about technology can bring to the automotive sector
their choice of vehicle. We believe this will and provide return on investment through
build trust in the engineering and operation increased vehicle sales.
process and, crucially, in the safety, security
and resilience of vehicles.
1
https://www.iso.org/standard/70918.html
2
https://www.iso.org/standard/69315.html
GPS DAB
WiFi Consumer
Keyless devices
entry Bluetooth
Immobiliser ITS
Camera
Radar Lidar
Service OEM
provider backend
GSM/
3G/4G
TPMS
OBD - Remote
- Physical
Vehicle as an IoT attack vector
USB In-vehicle network JTAG Side Attacks move “down the stack”
Media (CAN, FlexRay) serial I/O channels as countermeasures improve
EV
Vehicle manufacturers
Regulations, Standards and Best Practice and suppliers
ISO/SAE 21434
Cybersecurity Engineering SAE BSI PAS UN ECE
Under development J3061 1885 WP.29
Innovation & Product
development according to Submit for
international standards assessment
Cybersecurity
5StarS “Automotive Cybersecurity through Assurance” project Assessment Laboratory
Assurance rating
5StarS
Automotive Cybersecurity through Assurance
Standards
(ISO/SAE 21434)
Regulations
(UNECE)
UNECE
Transition period
ISO/SAE
21434
Project complete
5StarS
Industry adoption Phase 1 Phase 2 Phase 3
ISO/CD
56000
TR56002: Innovation TR56004: Innovation Dynamic evolution of innovation concepts
management system management assessment
Figure 4. Proposed timeline for the implementation of each phase of the roadmap
Assurance Framework
Product development
ITS
Agility Validity
Service OEM
provider backend
• Verification of current and future project In turn, the innovation framework will feed into
technology readiness levels the assurance framework roadmap as
illustrated in Figure 4 in Timings.
The benefits to stakeholders are:
1. Concept and design (product development) - the engineering processes used to design
security into vehicles and systems; covering concept, system and component design, and testing
and validation during vehicle and system engineering. The assessment should consider the
existence of suitable processes and whether they have been followed.
DEVELOPMENT PHASE P RO D U C T I
Static Analysis
Penetration Testing
SUPPLY CHAIN
ASSURANCE
Education of Staff
Field Monitoring Telematics Data Supply Chain Assurance
Staff Vetting
Security Incident
Management Data Sanitisation
Verifying the Awareness of
Cyber Security Policy
Transponders
Access Control Tests
Log Reviews
Development Stage
System Security
Assessment Methods
10.6a) There should be an easy way for an existing owner to There is no central There is a central There is a central
remove all of their personal data from their vehicle prior to method of method of method of
sale or transfer to a new owner. The sanitisation procedure sanitisation. sanitisation that sanitisation that
should; performs some but performs all of the
not all of the stated stated steps.
• Be easily accessible, probably through the menu of the
steps.
infotainment.
• Inform the owner what will happen if they do run the
procedure and request their confirmation prior to
proceeding.
• Confirm to the user when complete both via an audible
and visual signal.
• There should be verification of the sanitisation.
11.3.3a) OTA updates should be designed so that safety or security Unmitigated Security There are some The creation of
is not impacted during the update. Users should not be vulnerabilities or mitigated actions to security
able to drive the vehicle during an update if it is not safe to safety risks are prevent security vulnerabilities or
do so. created when an vulnerabilities or safety risks during an
OTA update takes safety risks being OTA update is fully
place. when an OTA update mitigated against to
takes place. an acceptable level
of risk.
Table 2. Examples of assessment criteria that will be used in the lifecycle assessment.
Indicators of good practice are used to score elements of the vehicle lifecycle.
4. Vulnerability assessment – as well as assessing the processes that the vehicle manufacturer
has in place and followed when developing the vehicle, it is also important to assess the vehicle
itself, to seek further assurance that the processes have actually resulted in a sufficiently resilient
realisation of the vehicle.
The vulnerability assessment begins with security-focused reviews of the vehicle manufacturer’s
work products, such as threat and vulnerability analyses, risk assessments, design and test
specifications, and penetration tests and results.
From these activities, an independent vulnerability analysis and practical tests are carried out to
identify any residual product vulnerabilities - and whether they could be exploited.
The assessor shall carry out an independent vulnerability analysis followed by a test plan
consisting of appropriate tests, to explore and assess the exploitability of any identified residual
vulnerabilities.
• By the assessment laboratory to develop an appropriate test plan for the vehicle under
assessment;
• By the laboratory accreditation process to ensure the consistency of the assessments carried
out by approved assessment laboratories and to verify the competence of laboratories and their
assessors.
During an assessment, appropriate tests will be planned based on the categories shown in Table 3.
Some non-exhaustive examples are given for each category, which will be expanded further in the
guidelines to be maintained by the 5StarS committee (see Governance, page 22).
All applicable tests for a given assessment will be selected from the test guideline document based
on the features of the vehicle. For example, if the vehicle does not have a Wi-Fi hotspot fitted, those
tests will not be carried out and there will be no negative impact on the assessment result.
Assessment
Assessment
criteria
Scoring
Level 3
4 Score
Vulnerability
Basic
5
Assessment
Design review 6
Medium
Vulnerability
analysis
7
Penetration
testing High
8
Figure 7. Assessment criteria (an explanation of DfT principles can be found on page 19)
• Level 2 criteria based on independent assessment against the anticipated requirements of ISO/
SAE 21434 or equivalent standards, and includes the results of a medium level of vulnerability
assessment and testing.
• Level 3 criteria based on independent assessment against the requirements of the full 5StarS
framework including additional system lifecycle criteria, and includes the results of a high level of
vulnerability assessment and testing.
As part of the assessment process, the laboratory records a set of scores aligned to the assurance
needs of insurers and consumers.
Results of the assessment are categorised according to the Department for Transport (DfT)
Principles for cybersecurity in Connected Autonomous Vehicles as shown in Table 4.
Category Criteria
Principle 1
Recommendations
Principle 2
Recommendations
Insurer
Weighting
Principle 3 Principle 1- 8
Recommendations Recommendations 1-8
Principle 4
Threshold Banding
Recommendations
Assessment
Scoring
Principle 5
Recommendations
Principle 6
Recommendations
Consumer
Weighting
Principle 7
Recommendations
Principle 8
Recommendations
The rating will reflect the confidence in a vehicle’s cyber resilience based on the 5StarS assurance
framework - in turn related to future, mandatory cybersecurity standards - and be comparable to
other rated vehicles. Insurers will also receive textual comments for each one of the eight principles
as guidance on why the vehicle received the rating, as well as a score breakdown. To avoid
confusion, the insurer rating will not be made public.
The aim of the rating is to inform the consumer’s buying decision as well as to provide underwriters
with information to help assess a vehicle’s cyber risk. Given their different priorities, the final scores
for consumers and insurers may differ. The rating will influence the vehicle’s insurance group rating.
This affects the cost of insuring the rated vehicle for the consumer. The assurance rating system
will apply to new vehicles only.
Just as the Euro NCAP star rating has won widespread recognition, we believe that the 5StarS
rating system will be of huge benefit, not just to consumers and insurers but also vehicle
manufacturers that require a visible representation of their efforts and investment to meet the
stringent assessment tests of the assurance framework.
5StarS committee
ITS
Service OEM
Monitor
provider backend
Thatcham and
Consumer bodies
In-vehicle network JTAG Side
Participate
(CAN, FlexRay) serial I/O channels
Develop
Threat landscape and
maintain
Participate
5StarS
Assessment scheme Represent
Assurance Rating scheme
Participate Participate
Assessment
report
Accredit
Vehicle Insurers and
manufacturers and Consumers
suppliers Independent National
Develop Cybersecurity Cybersecurity
Assessment Technical Authority Consult
Laboratories
Submit rating
Submit for assessment
5StarS Committee
This committee is responsible for the ongoing development and iteration of the 5StarS assurance
framework and all its elements. This is to ensure that the scheme is kept up to date with the
evolving security landscape and continues to meet the needs of all stakeholders.
Ongoing Assessments
Assessment is expected to be carried out before vehicle type approval. Assessors should therefore
be required to examine existing cybersecurity measures during production, but also any measures
in place for the post-production lifecycle.
Geographical Scope
Although the 5StarS project is UK government-funded and the consortium partners are UK-based,
it is planned that the assurance framework and assurance rating system will apply internationally.
This will assist vehicle manufacturers aiming to sell vehicles globally, not just in the UK.
As a consequence, the framework is being designed to align to current and emerging international
standards and best practice, so that it can be applied outside the UK.
www.5starsproject.com
www.5starsproject.com