Today cars are not just vehicles that move us from one place to another! But they are sophisticated Internet-connected digital systems with dozens of electronic modules spanning hundreds or thousands of digital messages per second between them. As vehicles have become more advanced, incorporating technologies such as Electronic Control Units (ECUs), telematics, and increasing degrees of automation for driving functions, securing vehicles against cyber-attacks has become imperative. In response to this challenge, India has released (Draft Version) a regulation called the Automotive Industry Standard (AIS-189) on Cyber Security and Cyber Security Management Systems (CSMS) in vehicles.

In this blog, we will discuss AIS-189, learn more about it, and discuss how it changes the future of Auto security in India.

Why Automotive Cybersecurity is needed?

Today, vehicles have gone far beyond mere machines they are the computer on wheels. The real risk of cyber attacks has been made possible with the growth in software, connectivity, and automated systems. This would allow hackers to seize control of important auto functions, steal personal information, or twist systems so that disasters could occur. To mitigate these risks, India’s Automotive Industry Standards Committee (AISC) introduced AIS-189 to specify what OEMs and Tier 1/2 must undertake and now follow certain guidelines and criteria.

The AIS-189 is based on the principles of globally acknowledged cybersecurity standards like UNR 155 and provides a common standard to address cyber threats faced by vehicles including aspects related to vehicle security management, risk reduction capabilities, and the development of an embedded cybersecurity solution from conception through end-of-life.

What Does AIS-189 Cover?

AIS-189 primarily applies to vehicles that fall under certain categories, including:

• M (Passenger Cars) and N (Goods Vehicles) with ECUs.
• T (Tractors) that are equipped with at least one ECU.
• L7 (Electric Vehicles) that feature automated driving functionalities at Level 3 or beyond.

The standard provides a comprehensive approach to cybersecurity by ensuring that vehicles are secure during their development, production, and post-production phases. Below are the key elements of the standard.

Cyber Security Management System (CSMS)

The Cyber Security Management System (CSMS) is the core of AIS-189. The system demands a risk-based vehicle manufacturer approach to protect vehicles from cyber threats. Here’s what CSMS entails:

• Development Phase – Applies before a vehicle is type-approved, to ensure that manufacturers identify and assess potential risks, and put into place appropriate correctives.
• Phase Production –  Cyber risks need also to be monitored and controlled during the process of manufacture.
• Post-Production Phase – The life-caring phase after the production, tackles cybersecurity threats, and when new vulnerabilities are popping up security updates should be available due to maintenance.

By using the CSMS, cybersecurity is not a point-in-time consideration, rather it is an ongoing process that spans the life of the vehicle.

Certification and Compliance

To obtain series certification of a vehicle, manufacturers are required to submit the following application:

• Information on the Vehicle and its Cyber Security-Related Systems.
• Information as to the risks evaluated and how they were mitigated.
• CSMS Certificate of Compliance, to show that all required processes for handling cybersecurity risks are in place.

The severity of what could happen to a vehicle if an attacker gets in demands real, industry-standard best practices such as risk assessments and system tests by the Test Agency to verify the manufacturer’s cybersecurity measures. Only if these checks are passed will a car be able to secure type approval.

AIS-189 Threats and Mitigations: The Heart of AIS 189

AIS-189 is based on the threats associated with vehicle cybersecurity, and the mitigations that the industry must use to address those threats. Some key threats include:

• Spoofing of messages – This refers to impersonating legitimate communication signals, such as GPS or vehicle-to-vehicle (V2X) messages.
• Denial of Service (DoS) attacks – These attacks flood a vehicle’s communication channels with junk data, disrupting normal functions.
• Malware attacks – Viruses can infect the vehicle’s communication media, compromising internal systems.
• Manipulation of critical functions – Cyber-attacks may alter key parameters like airbag deployment thresholds, posing serious safety risks.

To address these threats, AIS-189 mandates various mitigations such as ensuring message authenticity and data encryption, securing communication channels, and maintaining robust access control mechanisms.

Securing Back-End Systems and External Interfaces

One of the crucial aspects of vehicle cybersecurity is ensuring that the back-end servers are secure. AIS-189 outlines measures that manufacturers must take to protect back-end servers from unauthorized access, insider threats, and cloud computing vulnerabilities.

Besides server protection, the standard also denies users hacking external interfaces such as OBD ports or even USB ports that are often accessed directly by hackers trying to avoid going through all types of secured software connections.

Continuous Assessments, And Reporting

The Cyber Threat Landscape constantly changes, and so must the countermeasures. Under AIS-189, continual vigilance by manufacturers to new attack surface vulnerabilities and cyber-incursions is mandated. Manufacturers are required to make an annual report to the Test Agency, covering details of monitoring activity and any new threats they have discovered.

Should a manufacturer’s cyber security protections be missing, the Test Agency could also revoke the Certificate of Compliance to get unsafe cars off public roads.

One Step Closer To A Safe Future

AIS-189 is a significant milestone towards laying down the robust cyber security framework for vehicles in India. It further emphasized a risk-based, security-by-design cybersecurity strategy, including suggested guidelines that would force automakers to recognize and control hazards in vehicle operation, maintenance, disassembly, and design.

The adoption of AIS-189 would not only bring conformity to the global arena but will also gift India with an automotive industry that is future-ready in times of digitization. As vehicles advance with additional technology and connectivity, you can expect that more concern for cybersecurity will come along as well, being among the most important issues when it comes to keeping drivers and passengers safe.

Conclusion

With AIS-189, the Indian government has laid the foundation for a secure automotive future. It encourages manufacturers to adopt best practices in cybersecurity, ensuring that their vehicles can withstand the growing number of cyber threats. As the automotive industry continues to innovate, the focus on cybersecurity will be key to maintaining trust and safety in the era of connected and autonomous vehicles.