Secure software development for modern vehicles

Targeted software security practices can help overcome challenges in satisfying emerging cybersecurity standards in the automotive industry.

In the automotive industry today, software-defined vehicles (SDVs), electric vehicles (EVs), and connected and autonomous vehicles are becoming increasingly popular. As vehicles gain improved safety features, better operation, and an enhanced user experience, it is important to recognize that all of these advancements require more advanced and complex software. That complexity increases the risk of vulnerabilities, which in turn increases the attack surface. Further, these vehicles contain valuable assets, making them more sought-after as targets.

Cybersecurity trends and standards

In recent years, the automotive industry has seen several new standards and regulations introduced, including ISO/SAE 21434 Cybersecurity engineering, Automotive SPICE for Cybersecurity, and UN-R155 Cybersecurity and Cybersecurity management system. As more organizations establish cybersecurity policies, processes, and activities for product development, there has been an increased maturity of cybersecurity in the industry.

Threats and security challenges for modern vehicles

Modern vehicles include several features that are common in SDVs, EVs, and connected and autonomous vehicles. Several types of damage scenarios are possible for these features, including financial damage and damage to safety, operation, and privacy.

Figure 1: The four main areas for threats and security challenges.

These features have four main areas to consider for threats and security challenges.

  • Wireless interfaces include Wi-Fi, Bluetooth, cellular communication, and V2X. Moreover, autonomous vehicles can contain over 40 cameras and sensors including front cameras, surround cameras, side cameras, rear-view cameras, front radar, rear radar, lidar, and multiple ultrasonic sensors.
  • Wired interfaces include one common attack vector, the diagnostic port in the vehicle. For EVs, the charging port is an additional attack vector.
  • Target systems for connected vehicles include externally facing systems such as in-vehicle infotainment systems, telematics control units, and V2X connectivity units. Additionally, systems can contain valuable assets such as personally identifiable information and cryptographic keys/credentials. There are also systems controlling important or critical functionality such as keyless entry systems (via body control module), passive entry passive start systems, and battery management systems. For autonomous vehicles, target systems include safety-critical systems related to advanced driver assistance systems and autonomous driving that are responsible for steering, acceleration, and braking.
  • Ecosystems involve other vehicles, the users’ mobile devices, OEM backends, cloud solutions, and over-the-air update platforms. For EVs, the ecosystem also involves V2G entities such as charging stations, smart homes, and the electric grid. Besides securing the vehicles themselves, it is imperative that all security-critical entities in the ecosystem are also secured.

Solutions to overcome the challenges and reduce vulnerabilities in modern vehicles

Automotive organizations should follow best practices and establish cybersecurity policies and processes based on, for example, ISO/SAE 21434, including deploying appropriate application security testing tools to establish a secure software development life cycle.

Focusing on project-level activities, a threat analysis and risk assessment should be performed to identify critical risks in the product. During product development, the software should be tested for security vulnerabilities. Static application security testing (SAST) should be performed to detect issues in the source code. Moreover, software composition analysis (SCA) should be performed to detect vulnerable open source software components in commonly used libraries such as communication libraries or crypto libraries. Fuzz testing should be performed on the high-risk wireless and wired interfaces to detect implementation issues and security vulnerabilities. Furthermore, dynamic application security testing (DAST) and penetration testing should be performed on software in the ecosystem, such as web apps and mobile apps.

Upcoming blog posts will provide detailed examples, specifically for SDVs, EVs, and connected and autonomous vehicles.


Posted by Dr. Dennis Kengo Oka

Dr. Dennis Kengo Oka is an automotive cybersecurity expert with more than 15 years of global experience in the automotive industry. He received his Ph.D. in automotive security focusing on solutions for the connected car from Chalmers University of Technology in Sweden. As a Principal Automotive Security Strategist at Synopsys, he focuses on security solutions for the automotive software development lifecycle and supply chain. Dennis has over 70 publications consisting of conference papers, journal articles and books, and is a frequent public speaker at international automotive and cybersecurity conferences and events.
