During its two-year participation in Secure-CAV (a project focusing on advanced cybersecurity for connected and autonomous vehicles) Copper Horse had the opportunity to examine the automotive cybersecurity standards landscape. One of the subsequent outputs based on this work was a living list – published to give stakeholders a head start in navigating the various resources that are available – grouped around i) recommendations directly addressing automotive security, ii) extensions to safety considerations, iii) coding and software standards and iv) general foundations.
From this exercise, we were able to make a number of observations. Firstly, that there is a growing collection of automotive cybersecurity recommendations and, related to that, evidence of collaboration between organizations within this space. Examples include the joint work by SAE and ISO on the development of the 21434 ‘Road vehicles – Cybersecurity engineering’ standard, and by MISRA and AUTOSAR on harmonising C++ coding guidelines. These findings were encouraging to see, but sadly that was pretty much the end of the good news.
Questioning the purchasing cost of standards
To emphasise why we were so troubled by the rest of our findings, let’s remind ourselves that standards – at their heart – are a force for good. When surveyed, more than 70% of UK businesses stated that ‘standards had contributed to improving their supply chain by improving the quality of supplier products and services.’ Recognising the benefits to the wider industry, and to the health and safety of humankind, organisations allow, and even encourage, their members to donate their time to standards development. The topics discussed can be complex to resolve and participants, technical experts in their field, provide input for free.
Voluntary contributions aside, there are still costs that need to be met – standards must be typeset and made available either in print or, more commonly, hosted online. Plus, some kind of system is required to take payment and resources made available for managing customer queries. And while these separate costs add up, scaling efficiencies should be factored in before reaching the final total. For example, an organization providing thousands of standards should be in a better position to offer standards at a lower price compared with an organization that just added a few each year to its catalogue. Also, if the organization charged membership fees then these too could help to subsidize the process and lower the price that must be met by purchasers of the standard.
These are, we believe, reasonable expectations. But browsing the web presented a different picture as we were greeted with a head-scratching array of pricing decisions, a few of which we’ve shared below. Remember – these are usually for a single user license(!). Most organisations are going to require lots of people to read and understand standards.
As illustrated in the 2022 pricing table above, ISO 21434:2021 cost CHF 198 (GBP 158.6) if purchased via the ISO website, but retailed for GBP 289 (or GBP 144.5 with a member discount – noting that membership carried an annual fee of between GBP 207 and 1435 depending on the size of the joining organization) from the BSI website. Alternatively, the same text could be found for USD 125 (GBP 91.8) via SAE. Lastly, as a side note, we observed that the price of ISO 21434 displayed on the SAE website increased by USD 5 to USD 125 – in the period since conducting our original research (Aug 2021-Jan 2022) – while the price displayed on the BSI website appeared to have jumped by GBP 9 to GBP 289.
Moving on to another pricing discrepancy, ISO 26262-1:2018 cost CHF 38 (GBP 30.4) if purchased via the ISO website, but retailed for GBP 225 (or GBP 112.5 with a member discount) from the BSI website – a mark-up, at its worst, of 640%(!) on the ISO price. In the case of ISO 26262, the BSI shop offered a ‘solution pack price’ of GBP 1810 for a bundle of the first 10 elements of ISO 26262 (which is still more expensive than purchasing the documents separately from the ISO store). And it’s unclear where the discounts came from – they couldn’t be postage savings, as viewing the items in the basket showed that the ‘solution pack’ is provided in a digital format together with DRM. Again, reflecting on historical price changes – the total cost of ISO 26262 (parts 1 to 10) was unchanged at CHF 1430 whereas the corresponding BSI price increased from GBP 2436 to 2513 in the period since conducting the initial research.
And in the last, and possibly most curious, of our examples we considered ISO 9001. The widely deployed requirements for quality management systems could be purchased for EUR 33.49 (GBP 27.8) from the Estonian Centre for Standardisation and Accreditation (EVS), CHF 138 (GBP 110.5) directly from the ISO shop or for GBP 155 (or GBP 77.5 with a member discount) from BSI.
We revisited the data in 2023 and have discussed this further in our previously unreleased Secure-CAV paper: ‘The Applicability of Automotive Cybersecurity Standards’. We observed that prices have on the whole increased again, with some standards showing large price increases (perhaps due to subject popularity) and in rare circumstances price reductions – one being offered for free. On the whole, increases appeared to be inflationary price rises. Some bodies such as ANSI, AIAG and MISRA did not increase their prices.
From our earlier discussion on standards provision, most cost savings should be baked into the final price, so it is bizarre to see such large differences for what are identical documents delivered digitally.
To avoid the charges, consumers of standards could choose to use an alternative standard, but this isn’t always possible, particularly if governments and regulators are mandating them. The additional problem is that when using a particular standard, you’re then often locked into a pyramid of other standards. One standard will have a dependency on, say, two others and these will then have further dependencies. We’re not saying that standards bodies that require purchasing of individual documents are operating Ponzi schemes, but it can be frustrating, to say the least, to be forced into purchasing more standards (especially as a small company).
None of this has taken into account the cost of updates to documents, change-request marked-up versions, or the guidance documents that sometimes accompany standards (at similar charges). Let’s also take a moment to remember that many of the people creating the standards are actually volunteering huge amounts of their own time and receive no compensation for it. Particularly in the cyber security world, people are very passionate about protecting users and give a lot of their own time. So the engine-room of some of these bodies is essentially contributed labour at minimal-to-no-cost to the standards body itself.
Some bodies and associations make their standards available to download for free, although participating in the drafting of the requirements may require an obligatory payment if membership is required to contribute. Notably (in the authors’ experience), these other bodies don’t require DRM or individual user licenses for documentation so the benefits scale pretty quickly.
So what if product makers and their partners are mandated to use a specific set of recommendations, and barred from the market if they don’t? In such cases, standards setting organisations have, in effect, a license to print money – especially when requirements must be considered throughout the supply chain and purchased many times over to cater for teams using multiple workstations.
Trying before buying, transparency and licensing
Charging for standards raises other issues too. From a usability perspective, putting standards behind a paywall is a pain as you now have a problem in determining the relevancy and applicability of the information. Some firms will miss out on recommendations that could benefit their business, while others will pay for documents that they may never use.
During our research, we did find historical evidence of standards being made available through a rental model where, for a few Euros, you could access material for 24 hours to make a decision on whether you’d like to purchase the information on a permanent basis. But today this approach appears to have been phased out, at least for standards in the automotive cybersecurity domain.
ISO has an ‘Online Browsing Platform’ that, in its words, ‘can help you decide whether it is the right standard you are looking for.’ However, the requirements themselves are hidden from the free-to-view portions displayed and users browsing the site are left to judge the suitability of the document based on the contents of the ‘scope’, ‘normative references’, ‘terms and definitions’ and ‘bibliography’ sections.
Safety organisation UL does make a portion of its UL standards available to read for free via its online viewer. However, the functionality of the tool is compromised compared with the more easily found paid-for options such as hardcopies and downloadable secure read-only PDF versions. The PDFs ship with digital rights management (DRM) and either a 1-year or 3-year renewable subscription.
Licensing raises questions about what happens when an employee leaves. The examples we’ve highlighted here come with single-user licenses tied to the purchaser, which may not be the most practical arrangement. Bigger companies may be able to afford broader rights enabling them to post copies on their intranets, but again this just penalises the smaller firms – a topic we’ll come back to in our conclusions.
Winds of change?
BSI offers a service dubbed BSOL which is an online standards management tool hosting more than 100,000 standards from a range of organisations (BSI, ISO, EN, BS, PAS, ASTM and IEC) that can be accessed remotely and by multiple users. For an annual fee (which is undisclosed, but understood to be in the region of several thousand pounds) customers gain access to modules covering different industry areas – such as ‘Road vehicle engineering’ – each featuring anywhere from a few hundred to a few thousand documents. Standards are updated automatically when newer versions become available.
To benefit smaller organizations, who may not need access to a full module, BSOL customers can subscribe to a user-selected list – although again the annual charge is still understood to amount to several thousand pounds, in this case for up to 50 standards.
SAE provides subscription access to its wide range of mobility standards (as well as journal articles, ebooks and videos), which includes ISO 21434, through a digital portal named SAE Mobilus.
Subscription models lend themselves well to digital content, at least on the basis of games, movies, music, financial analysis and news. Some private standards organisations already use this DRM-based model for standards. It seems that this is the preferred way forward for standards bodies, locking individual users into PDF files that terminate access after a set period. This only works if the content is priced fairly and from our initial observations this is questionable.
It is worth noting at this point that there are alternative approaches to standards development that work in industry. Organisations such as the W3C have a pay-to-play approach, but are extremely transparent, with many of their discussions taking place on public mailing lists and with their drafts and outputs being publicly available. This drives engagement and scrutiny, which in turn leads to memberships by organisations that want to contribute to that activity. The outputs of other organisations are also public and freely usable – ETSI is another example. These organisations are successfully able to maintain themselves through the member fees, with different levels for different sizes of business, academia etc. The net result is a very positive contribution back to society in general and clearly stimulates economic growth. For those organisations still taking a closed approach to the publication of standards it seems quite a negative and regressive situation.
Four figure sum
Wrapping up this post and revisiting the prices that were available to view, it’s worth sharing that the purchase cost of the standards collection we identified in our automotive cybersecurity landscape exercise ranged from GBP 4875 to GBP 10770 (in 2022) depending on the size of the purchasing organisation (single user, 3 users or 5 users) and whether it carried BSI membership. By 2023, this had increased, with a price range from GBP 5512 to GBP 12045.
For society to benefit fully from standards, we question whether a five-figure sum is sensible given – as discussed above – that the bulk of the technical input and oversight required to create a standard in the first place is provided at no cost to the standards body itself, via the various committee members and contributors. With the use of digital delivery methods, which are substantially cheaper than printing and postage, the costs involved in managing the distribution of the ‘physical’ final standard are minimal.
Keeping prices high puts market growth at risk as the participation of SMEs who cannot absorb the costs will be hampered, stifling the innovation that such firms may otherwise be in a position to bring. It’s also worth noting, as others have done, that access to knowledge or information on standards is an important factor in exporters’ ability to comply with regulations. An additional point of friction is between companies and suppliers working together, again hitting SMEs hard and potentially excluding them. The cumulative effect could substantially constrain innovation and collaboration.
Obviously someone has to pay for standards to be produced. Whatever cost model is used, if the net effect is restricting the readability of standards – it is a negative outcome for humanity. Transparency of standards is crucial in ensuring the quality of what is being produced and ensuring that they can be widely scrutinised. Standards bodies that do not make their documentation outputs freely available suffer from the fact that no-one can evaluate whether a standard is well-written, useful or even applicable. This can create a situation where regulators and industry all endorse a standard ‘in name’, without ever having read it. The ultimate outcome of this is poor for everyone. It wastes economic activity around the world and potentially ruins burgeoning startups through to mature businesses. In the cyber security world it has greater implications – it could make the world less secure, but we’ll save that topic for another day.
In its 2030 strategy document, ISO has pledged to ‘Invest in training and technology to improve and streamline the standards development and production processes,’ which suggests that there could be savings to be found. We look forward to them.
About the authors
James Tyrrell was a Threat Modelling Analyst at Copper Horse until 2022.
David Rogers is Founder and CEO of Copper Horse.