Cyber-security standards for connected and automated vehicles published

News by Tom Reeve

A standard for the cyber-security of vehicles, both connected and automated, has been published by the BSI.


Standard applies to connected and automated cars. (pic: Busakorn Pongparnit/GettyImages)

A new cyber-security standard for self-driving cars has been published today by the British Standards Institute (BSI).

It follows the publication last year by the government of guidance on key principles for vehicle cyber-security for connected and automated cars.

The government says that the publication of PAS 1885:2018 ‘The fundamental principles of automotive cyber security’ will reinforce the UK’s position as a leading developer of automated vehicle technology.

The UK market for connected and automated vehicles is expected to be worth £52 billion a year by 2035.

The BSI worked with academics and businesses in the car industry including Jaguar Land Rover, Ford and Bentley, as well as the National Cyber Security Centre (NCSC) and the Centre for the Protection of National Infrastructure (CPNI).

The minister for the future of mobility, Jesse Norman, said: "As vehicles get smarter, major opportunities for the future of mobility increase. But so too do the challenges posed by data theft and hacking. This cyber security standard should help to improve the resilience and readiness of the industry, and help keep the UK at the forefront of advancing transport technology."

The BSI said that PAS 1885 "sets out fundamental principles on how to provide and maintain cyber-security in relation to reducing threat and harm to products, services and systems within increasingly connected and collaborative intelligent transport ecosystems".

It is intended to be applied to new and modified systems but is not expected to be applied to systems retroactively, the BSI said.

In the principles for vehicle cyber-security published last year, the government laid out eight key principles and sub-principles:

  • Principle 1 - organisational security is owned, governed and promoted at board level
  • Principle 2 - security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
  • Principle 3 - organisations need product aftercare and incident response to ensure systems are secure over their lifetime
  • Principle 4 - all organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system
  • Principle 5 - systems are designed using a defence-in-depth approach
  • Principle 6 - the security of all software is managed throughout its lifetime
  • Principle 7 - the storage and transmission of data is secure and can be controlled
  • Principle 8 - the system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events