Targeted software security practices can help overcome challenges in satisfying emerging cybersecurity standards in the automotive industry.
In the automotive industry today, software-defined vehicles (SDVs), electric vehicles (EVs), and connected and autonomous vehicles are becoming increasingly popular. As the development of vehicles with improved safety features, better operation, and enhanced user experience progresses, it is important to recognize that all of these advancements require more advanced and complex software. This increases the risk of vulnerabilities, which in turn increases the attack surface. Further, these vehicles contain valuable assets, making them more sought-after as targets.
In recent years, the automotive industry has seen several new standards and regulations introduced, including ISO/SAE 21434 Cybersecurity engineering, Automotive SPICE for Cybersecurity, and UN-R155 Cybersecurity and Cybersecurity management system. As more organizations establish cybersecurity policies, processes, and activities for product development, the maturity of cybersecurity in the industry has increased.
Modern vehicles include several features that are common in SDVs, EVs, and connected and autonomous vehicles. Several types of damage scenarios are possible for these features, including financial damage and damage to safety, operation, and privacy.
Figure 1: The four main areas for threats and security challenges.
These features have four main areas to consider for threats and security challenges.
Automotive organizations should follow best practices and establish cybersecurity policies and processes based on, for example, ISO/SAE 21434, including deploying appropriate application security testing tools to establish a secure software development life cycle.
Focusing on project-level activities, a threat analysis and risk assessment should be performed to identify critical risks in the product. During product development, the software should be tested for security vulnerabilities. Static application security testing (SAST) should be performed to detect issues in the source code. Moreover, software composition analysis (SCA) should be performed to detect vulnerable open source software components in commonly used libraries such as communication libraries or crypto libraries. Fuzz testing should be performed on the high-risk wireless and wired interfaces to detect implementation issues and security vulnerabilities. Furthermore, dynamic application security testing (DAST) and penetration testing should be performed on software in the ecosystem, such as web apps and mobile apps.
Upcoming blog posts will provide detailed examples, specifically for SDVs, EVs, and connected and autonomous vehicles.
Dr. Dennis Kengo Oka is an automotive cybersecurity expert with more than 15 years of global experience in the automotive industry. He received his Ph.D. in automotive security focusing on solutions for the connected car from Chalmers University of Technology in Sweden. As a Principal Automotive Security Strategist at Synopsys, he focuses on security solutions for the automotive software development lifecycle and supply chain. Dennis has over 70 publications consisting of conference papers, journal articles and books, and is a frequent public speaker at international automotive and cybersecurity conferences and events.