Cybersecurity Metrics for Automotive Systems

April 13, 2021 May 16, 2021

Paper and presentation on “Cybersecurity Metrics for Automotive Systems” accepted to SAE World Congress 2021.

Abstract: Cybersecurity for automotive systems is challenging and one of the major challenges is how to measure this specific system property. With the increased need for cybersecurity in automotive systems due to the development of more advanced technologies and corresponding increased threat vectors, coupled with the upcoming ISO/SAE 21434 cybersecurity standard for automotive systems and cybersecurity regulations in UNECE WP.29, it is becoming increasingly important for auto manufacturers and suppliers to have a clear and common understanding and agreement of cybersecurity metrics for the development and deployment of vehicles. The main contribution of this paper is contextualization of existing metrics from literature and mapping out how they may fit within a standardized framework. We highlight the challenges to create awareness around the lack of common understanding and outline first potential steps towards a consensus.

For example, one can consider assurance levels as a form of metric. Since guarantees of security are not possible, verification and validation methods such as various forms of testing can be used to give an assurance of security. For the automotive industry, there are discussions around cybersecurity assurance levels (CALs) which are outlined in an informative annex in the ISO/SAE 21434 draft standard. The CAL values are used to indicate subsequently increasing scope, extent and depth of assurance activities to be performed to achieve that level of assurance.
A common understanding of the answer to “how much cybersecurity is enough?” will inspire greater confidence in practitioners who design and test the technical measures, in industry with regards to a balanced approach to cybersecurity and ultimately, in consumers who need to know that the products that they buy will be safe and secure.