Securing the Software-Defined Vehicle

SDV engineers can learn from the Internet of Things.

Photo by Adi Goldstein | Unsplash

Old car models with mechanical components are rapidly giving way to the increasingly software-defined vehicle (SDV) with features that not only allow drivers and passengers to stay connected to the digital world but to enjoy a safer and easier journey with automated driving features (see Figure 1).

With increasing connectivity comes greater exposure to cybersecurity risks, as attested by the Internet of Things (IoT). It wasn’t so long ago when the conveniences of mobile connectivity seemed like a real boon, from banking and buying bespoke brands just a click away. That was until cybercrimes became a bane and a scourge, estimated to cost the global economy more than US $20 trillion a year by 2026, a 1.5x increase compared to 2022, according to Statista. These staggering dollar amounts represent hard lessons learned, and the automotive industry is stepping up on preemptive efforts to secure the next big data mine on wheels: the SDV.

Securing SDVs is extremely challenging, as increased connectivity means an increased number of potential attack interfaces (see Figure 2). Not only are cyber-hacking tools more advanced, but attackers are also moving beyond direct attacks against individual vehicles to target fleets, mobility applications, and services.

Evolving regulations and standards

Example of an automotive cybersecurity test setup. (Keysight Technologies)

Until the recent past, there were no global automotive cybersecurity standards, leaving automakers and their Tier 1 supply chain to develop their own cybersecurity testing requirements. In 2020, the United Nations’ World Forum for Harmonization of Vehicle Regulations (WP.29) introduced an automotive cybersecurity regulatory framework for OEMs.

For example, UN Regulation 155 (UN R155) mandates rigorous cybersecurity management system audits for automakers and their suppliers. It also requires automakers to obtain "vehicle type approval", which involves auditors conducting tests on vehicle products sharing the same electrical architecture. As recently as September 2021, SAE and the International Organization for Standardization (ISO) jointly published the ISO/SAE 21434 standard.

Greater connectivity interfaces increase the vulnerability of software-defined vehicles to cyberattacks. (Keysight Technologies)

Automakers and their key suppliers must comply with UN R155 regulations while ISO/SAE 21434 is a set of guidelines. Both must go hand-in-hand if automakers want to bring new vehicle models to market.

Exactly how can automakers and Tier 1s translate both regulation and standards into action to secure the software-defined vehicle? The automotive industry has the benefit of leveraging learnings from cybersecurity experts who have been trying to stay ahead of hackers since the Internet of Things arrived. For example, the non-profit cybersecurity advocate group Open Web Application Security Project has an OWASP Top 10 list of vulnerabilities that automakers reference to secure the various attack interfaces of the software-defined vehicle. Table 2 shows the OWASP Top10 list, and the tests that automakers can implement for boosting automotive cybersecurity:

Putting security to the test

Testing is an essential part of the UN R155 automotive cybersecurity management system (CSMS). Different systems must be thoroughly tested, from onboard hardware like physical in-vehicle networks, electronic control units, and EV charging ports through all layers of the open systems interconnection (OSI) stack. Multiply that with different threat scenarios and design iterations, the list of tests is extensive.

Four key stages of development for software-defined vehicles (World Economic Forum)

To manage the exhaustive lists of tests and be able to manage and pass audit trails, automakers, and their suppliers are turning to turnkey automotive cybersecurity test solutions. These solutions comprise electronic systems and software to emulate a victim vehicle and hacker(s). They typically comprise these key elements (see Figure 3):

  1. Wireless and wireline signal emulators and analyzers to simulate and monitor the vehicle’s communication systems
  2. Reconnaissance and exploitive attack servers
  3. Application and threat intelligence library from which different attacks can be selected and scheduled
  4. Automation and tracking platform to manage test data and results for reporting and auditing

Early detection saves money – and reputation

Taking a page off the history of the Internet of Things, and in more recent times, the smartphone, where millions of dollars are lost daily to scammers and hackers, securing the connected smart vehicle of the future is both important and urgent. IoT and the smartphone changed the way we live. There is no going back to an off-grid world for most of us, despite the dangers of cyber exploitations.

SDVs will likely expand upon the connected way of living for us. Hopefully, with lessons learned on how to secure our connected world, automakers and their key suppliers can stay many steps ahead of cybercriminals waiting to exploit both individual car owners and organizations that run fleets and associated transportation systems and electric vehicle supply equipment. Rigorous testing throughout a vehicle’s life cycle will minimize the risks of automotive cyberattacks and help keep automakers and service providers off the headlines of who’s been hacked.

Hwee Yng Yeo is industry and solutions marketing manager at Keysight Technologies.