Secure software development for modern vehicles

Dr. Dennis Kengo Oka

Mar 07, 2023 / 2 min read

In the automotive industry today, software-defined vehicles (SDVs), electric vehicles (EVs), and connected and autonomous vehicles are becoming increasingly popular. As the development of vehicles with improved safety features, better operation, and enhanced user experience progresses, it is important to recognize that all of these advancements require more-advanced and complex software. And that increases the risk of vulnerabilities, which in turn increases the attack surface. Further, these vehicles contain valuable assets, making them more sought-after as targets.

Cybersecurity trends and standards

In recent years, the automotive industry has seen several new standards and regulations introduced, including ISO/SAE 21434 Cybersecurity engineering, Automotive SPICE for Cybersecurity, and UN-R155 Cybersecurity and Cybersecurity management system. As more organizations establish cybersecurity policies, processes, and activities for product development, there has been an increased maturity of cybersecurity in the industry.

Threats and security challenges for modern vehicles

Modern vehicles include several features that are common in SDVs, EVs, and connected and autonomous vehicles. Several types of damage scenarios are possible for these features, including financial damage and damage to safety, operation, and privacy.

Figure 1: The four main areas for threats and security challenges.

These features have four main areas to consider for threats and security challenges.

  • Wireless interfaces include Wi-Fi, Bluetooth, cellular communication, and V2X. Moreover, autonomous vehicles can contain over 40 cameras and sensors including front cameras, surround cameras, side cameras, rear-view cameras, front radar, rear radar, lidar, and multiple ultrasonic sensors.
  • Wired interfaces include one common attack vector, the diagnostic port in the vehicle. For EVs, the charging port is an additional attack vector.
  • Target systems for connected vehicles include externally facing systems such as in-vehicle infotainment systems, telematics control units, and V2X connectivity units. Additionally, systems can contain valuable assets such as personally identifiable information and cryptographic keys/credentials. There are also systems controlling important or critical functionality such as keyless entry systems (via body control module), passive entry passive start systems, and battery management systems. For autonomous vehicles, target systems include safety-critical systems related to advanced driver assistance systems and autonomous driving that are responsible for steering, acceleration, and braking.
  • Ecosystems involve other vehicles, the users' mobile devices, OEM backends, cloud solutions, and over-the-air update platforms. For EVs, the ecosystem also involves V2G entities such as charging stations, smart homes, and the electric grid. Besides securing the vehicles themselves, it is imperative that all security-critical entities in the ecosystem are also secured.

Solutions to overcome the challenges and reduce vulnerabilities in modern vehicles

Automotive organizations should follow best practices and establish cybersecurity policies and processes based on, for example, ISO/SAE 21434, including deploying appropriate application security testing tools to establish a secure software development life cycle.

Focusing on project-level activities, a threat analysis and risk assessment should be performed to identify critical risks in the product. During product development, the software should be tested for security vulnerabilities. Static application security testing (SAST) should be performed to detect issues in the source code. Moreover, software composition analysis (SCA) should be performed to detect vulnerable open source software components in commonly used libraries such as communication libraries or crypto libraries. Fuzz testing should be performed on the high-risk wireless and wired interfaces to detect implementation issues and security vulnerabilities. Furthermore, dynamic application security testing (DAST) and penetration testing should be performed on software in the ecosystem, such as web apps and mobile apps.

Upcoming blog posts will provide detailed examples, specifically for SDVs, EVs, and connected and autonomous vehicles.
