Automotive Cybersecurity: Enabling Safety and Security for the Connected Car

An application story by Hwee Yng Yeo, Keysight Technologies

Figure 1: The Connected Car presents both wired and wireless potential attack surfaces
Figure 2: Cybersecurity risk management throughout the car’s lifecycle.
Figure 3: Overview of the Keysight automotive cybersecurity penetration test components.
Figure 4: Penetration test setup example from Keysight Technologies.

The modern Connected Car runs on software from various sources. According to Code Complete (by Steve McConnell; Cob and Mills, 1990), even the best coding practices produce one coding error per 10,000 lines of code. With about 100,000,000 lines of code in a modern high-end car, this works out to about 10,000 software bugs onboard!

According to Upstream Security’s Global Automotive Cybersecurity Report 2020, the number of known automotive cyber-security incidents almost doubled between 2018 and 2019. The study analyzed 367 publicly reported automotive cyber-attack incidents since 2010, 155 of which are from 2019. These latest figures equate to a 94 per cent year-on-year growth.

The more dramatic hacks and threats to personal safety often make headlines, such as white-hat carjacking with packet codes sent over the internet from anywhere in the world. This exposed vulnerability heightens the fear that hackers can hijack autonomous vehicles from miles away, with helpless passengers onboard.

The Connected Car is no different from our laptop or mobile phone: it contains a precious commodity that is welcomed on the dark web. Seemingly mundane information such as route preferences, credit card payment records, or the driver’s locations can fetch high prices from willing bidders.

A single cyber hack can cost car makers up to $1 billion, plus further losses in reputation and customer trust. That’s why car makers are starting to view cybersecurity very seriously. The industry is considering cybersecurity ratings for cars – the brand or model that sports a five-shield security rating will likely bolster the brand’s value and fetch a premium.

The Connected Car – A Hacker’s Paradise?

A closer look at the sub-systems enabling vehicular communication reveals numerous points of vulnerability (see Figure 1). Hackers can launch various attack paths, ranging from cryptographic attacks at the hardware level to over-the-air (OTA) protocol attacks. Although the industry is aware of the need to fortify these at-risk interfaces, there has so far been no official automotive cybersecurity standard.

As the industry awaits official standards, automotive OEMs and subsystem makers are not leaving any loophole to chance. Most of them include cybersecurity risk management in their fleet’s product life cycle (see Figure 2).

One of the ways in which automotive design and test engineers try to secure the car is by using a holistic intrusion protection strategy (see Figure 3). It combines hardware security validation with software that stress-tests the potential attack interfaces against a dynamic threat library. As the aim of automotive cybersecurity developers is to stay steps ahead of the hackers, the engineers must constantly update their test plans and run them against a “live” application and threat intelligence (ATI) library. For example, Keysight operates ATI subscription services spanning years of knowledge gained from attack information.

In the penetration test platform illustrated above, both wireless and wireline interfaces within the car can be tested to validate the robustness of safety-critical components such as ECUs, as well as communication systems for advanced driver assistance systems (ADAS), and vehicle-to-everything (V2X) applications. 

Automotive Cybersecurity Pen Test Set-up

A cybersecurity penetration test architecture may comprise these key components (see Figure 4):
•    Connectivity gateways – allow both wired and wireless connection to the various automotive devices under test (DUTs).
•    Test management server – lets the white-hat engineers manage their test plans, including scanning for vulnerabilities through various reconnaissance scenarios, for example port scanning, fuzz testing, and many more.
•    Recon and fuzzing server – the fuzzing and many other pen test scenarios are run on this Linux-based server. This is where coding errors and other security loopholes are uncovered, before executing simulated cyberattacks.
•    Application & threat intelligence (ATI) library – this is where all captured threats and information are stored. It provides granular application-level visibility and control, geolocation, known-bad IP address blocking, and other threat information.
•    Automation – with hundreds of DUTs and thousands of test plans, an intelligent automation platform provides the sanity check for engineers to keep their pen test operations together.


A holistic penetration test platform allows the engineer to examine the plethora of cybersecurity loopholes that may put the driver, passenger, and the marque at risk. No single car maker has an exhaustive list of cybersecurity vulnerabilities. That is one reason why car makers are turning to what their IoT counterparts have been doing – subscribing to secure and dynamic threat intelligence libraries that are available 24x7.

Future-Proofing Automotive Cybersecurity

Even as the white hats build up their arsenal of test plans in the lab, the need for a robust security strategy is finally garnering much-needed attention from management teams, prompting them to rethink automotive cybersecurity. The industry is aware that the piecemeal approach to defending the car of the future is no longer sufficient. Enterprise-level automated test platforms involving big data will become increasingly important to help car makers enhance safety and security, as the world moves towards widespread adoption of autonomous driving through ADAS and V2X technologies.

Advocates believe different segments of the automotive industry can leverage these insights to secure not just the individual vehicle, but entire traffic systems. This collective knowledge can help to forge evolving automotive cybersecurity standards to better secure the future of the internet on wheels. 

Hwee Yng Yeo, Keysight Technologies

Posted on December 10, 2020