SAST and SCA Solutions Essential to Meeting UN Regulation No. 155 for Vehicle CybersecurityMay 5, 2022 Tweet
The World Forum for Harmonization of Vehicle Regulations (WP.29) of the United Nations Economic Commission for Europe (UNECE) is a global regulatory forum within the UNECE Inland Transportation Committee. WP.29 drafted a regulation, No. 155, addressing vehicle cybersecurity and cybersecurity management systems (CSMS).
UN R155 requires that automobile manufacturers take cybersecurity seriously and demonstrate security best practices. While the regulation is directed at manufacturers, it has ramifications throughout the automotive supply chain and affects all vehicle OEMs, suppliers and contractors. Manufacturers apply for approval for conformance to the regulation with complete documentation on the cybersecurity measures in place during design, development and production. The regulations main goals include:
- Reducing cybersecurity risks, the organization's structure and processes must be in place
- Designing a vehicle's architecture and putting cybersecurity mitigations in place
- Ensuring vehicle cybersecurity throughout its entire life cycle
UN R155 is required for automobile sales in 54 member countries. Although the United States and China, for example, are not members of the UNECE, the prediction is that the regulation will become a de facto worldwide standard.
Cybersecurity Management System
The implementation of a certified Cybersecurity Management System (CSMS) is a fundamental aspect of UN Regulation No. 155 and defined as follows:
‘"Cybersecurity Management System (CSMS)" means a systematic risk-based approach defining organizational processes, responsibilities and governance to treat risk associated with cyber threats to vehicles and protect them from cyberattacks.’
The establishment of the CSMS includes comprehensive cybersecurity management of the entire vehicle lifecycle:
- Risk management for the entire organization as well as each vehicle's complete life cycle
- Each type of vehicle has its own risk evaluation.
- Audits of cybersecurity for all types of vehicles
- Identifying and repairing flaws across the whole development and production process
- Existing vehicle types are monitored for cybersecurity and incident response
- Cybersecurity management documentation
Relationship to ISO/SAE 21434
ISO/SAE 21434 shares the same aims as the UN R155. In fact, the Proposal for Interpretation Document (WP.29-182.05) clarifies the requirements of UN R155 and provides guidance on what can be used for evidence to prove conformance to the standard. This document includes a link between ISO/SAE 21434 and UN R155 (see Section 6 of WP.29-182.05.) Although ISO/SAE 21434 is not the only way to satisfy requirements it is probably a good choice:
“The standards referenced are intended as examples, not mandatory. Nevertheless, a coherence-check (see section 6 “Link with ISO/SAE DIS 21434 (E)”) has shown that especially the ISO/SAE DIS 21434 can be very supportive in implementing the requirements on the CSMS to the organizations along the supply chain” – WP.29-182.05
The Role of SAST in a Cybersecurity Management System
The UN R155 states in paragraph 22.214.171.124, that “The vehicle manufacturer shall demonstrate that the processes used within their Cybersecurity Management System ensure security is adequately considered, including risks and mitigations listed in Annex 5.” Where Annex 5 contains seven high-level and 30 sub-level descriptions of vulnerabilities and threats, including 69 attack vectors that directly affect vehicle cybersecurity.
Annex 5 serves as a guide for developers to better understand and mitigate these attack vectors. Although not a comprehensive checklist, Annex 5 is a useful resource for manufacturers. Static Application Security Testing (SAST) tools play an important role in detecting and preventing many of the root causes of these vulnerabilities.
UN R155 continues in part e, of paragraph 126.96.36.199, that “The vehicle manufacturer shall demonstrate that the processes used within their Cybersecurity Management System ensure security is adequately considered, including risks and mitigations listed in Annex 5. This shall include: e) The processes used for testing the cybersecurity of a vehicle type;” WP29-182-05e, recommends this include the processes for handling vulnerabilities identified during testing, and justification for cybersecurity tests that include “vulnerability scanning.” SAST fits in well with the guidelines here.
How SAST Tools like GrammaTech CodeSonar Help
SAST tools are useful in augmenting existing implementation and testing practices and are meant to provide discovery and mitigation of several classes of vulnerabilities. Consider the following strengths of SAST tools which apply for both secure and safety critical development.
- Enforcing coding standards for safety, security, and style. Automating code analysis during code development ensures quality, safety and security in the development stream every day. Standards and secure coding guidelines include: ISO/SAE 21434, ISO 26262, MISRA, AUTOSAR, ASPICE, CERT, and other.
- Reducing manual effort in proving software robustness and behavior. SAST tools augment software testing by providing more assurance of software quality.
- Reducing number of defects throughout development. Code that works the first time is much cheaper to test and integrate than buggy code. Bugs removed from the code before testing (or even source configuration management) reduces costs and risk.
- Finding serious defects that elude testing. Despite the testing rigor required for automotive software, SAST tools have found defects that were missed. These are the most worrisome types of defects.
- Accelerating certification evidence. Documenting the results of cybersecurity validation is critical to proving compliance to certification standards. SAST tools have rich reporting features to help support certification requirements.
In addition, SAST tools help with vulnerability detection and discovery ensuring no unreasonable risk remains in the product. For example, SAST tools provide the following capabilities:
- Shift left vulnerability detection and prevention: SAST tools such as GrammaTech CodeSonar are integrated with developer’s development environment and project build systems. Early detection of poor security practices and possible vulnerabilities are detected as soon as the code is written. Preventing these kinds of security issues before they enter code repositories or unit testing saves downstream resources.
- Continuous source code assessment: SAST is often applied initially to a large codebase as part of its initial integration, however where it really shines is after an initial code quality, safety and security baseline is established. As each new code block is written (file or function), it can be scanned by the SAST tools and developers can deal with the errors and warnings quickly and efficiently before checking code into the build system.
- Tainted data detection and analysis: Analysis of the data flows from sources (i.e. interfaces) to sinks (where data gets used in a program) is critical in detecting potential vulnerabilities from tainted data. Any input, whether from a user interface or network connection, if used unchecked, is a potential security vulnerability. Code injection and data leakage are possible outcomes of these attacks which can have serious consequences.
Cybersecurity Management of the Software Supply Chain
A key aspect of implementing CSMS is extending security risk management to suppliers. Automobiles are made from thousands of parts and software from hundreds of suppliers. Any component that can potentially pose a security threat. Section 188.8.131.52 of UN R155 says:
“The vehicle manufacturer shall be required to demonstrate how their Cybersecurity Management System will manage dependencies that may exist with contracted suppliers, service providers or manufacturer’s sub- organizations.”
To fulfill this, WP.29-182.05 indicates that understanding the inherited risk of the supply chain:
“The requirement may be considered fulfilled if all the following statements are true
- The vehicle manufacturer has a deep understanding of its supply chain, including sub-contractors and the wider risks it faces. The vehicle manufacturer considers factors such as supplier’s partnerships, competitors, nationality and other organizations with which they sub-contract. This informs its risk assessment and procurement processes.
- The vehicle manufacturer’s approach to supply chain risk management considers the risks to its vehicle types arising from supply chain subversion by capable and well-resourced attackers.
The Role of SBOMs in Security Risk Management
Adopting software supply chain risk management and using software bills of materials (SBOMs) to facilitate this goes a long way to improving security posture.
As with physical BOMs which are used to manage the parts supply chain, SBOMs help monitor and manage software components for security vulnerabilities and licensing issues. This also means better supplier decisions based upon actionable information in SBOMs.
Integration of software composition analysis (SCA) in this manner and using SBOMs as a critical development artifact on a regular basis, has many benefits, including:
- Discover: Identify open source components in third-party code and COTS/third-party software. Detect known (N-day) and unknown (Zero-day) vulnerabilities in those components.
- Manage: Make more intelligent security decisions based on visibility into code/software. Adhere to security, licensing and vendor risk management and compliance requirements.
- Remediate: Protect against cybersecurity threats with actionable vulnerability intelligence. Streamline vulnerability remediation to mitigate software risk.
How SCA Tools like CodeSentry Help
SCA tools such as GrammaTech CodeSentry can analyze open source, third-party and commercial off the shelf (COTS) software and determine the constituent components even when the only available media are binary files. In doing do, it generates an SBOM and vulnerability report which determines the risk of the identified open source components. SBOMs also provide:
- Identifying and avoiding vulnerabilities in reused components in your own developed software and software purchased by your organization.
- Managing software supply chain risk to remove and reduce the unknown security risk in reused software. SBOMs provide data for business decisions on software purchases and open source reuse.
- Supply chain qualification to ensure consistency and accountability from suppliers. Suppliers that meet the SBOM requirements during procurement are given preferential treatment.
- Improved security and downstream benefits that come with risk management and mitigation. Avoiding and catching security risks before they become embedded in their product pays huge dividends during development and deployment of your products.
- Common understanding of software assets that comes with a standardized SBOM amongst software developers, suppliers and open source projects. SBOMs become a way to communicate software contents and dependencies within and outside an organization.
SBOMs are an important artifact in the software supply chain and will become the common way to assure the provenance and security requirements of software acquired in the automotive software supply chain.
SBOMs, SCA, and SAST tools clearly play an important role in the development of safe and secure automobile software and vehicle manufacturing. As part of Cybersecurity Management System required by UN Regulation 155, tools play an important role in ensuring security during the development and testing of code used in automotive systems. SCA tools play an important role in generating and verifying SBOMs for open source and third-party software to ensure the security and integrity of the software supply chain.
Furthermore, SAST tools assist the software development team in adhering to the guidelines and standards for ensuring software quality, safety, and security. SAST tools, when used in conjunction with continuous integration and delivery pipelines, automate the detection and prevention of vulnerabilities before they enter the code repository.