As cars become increasingly software-driven and internet-connected, they are exposed to remote attack, and a successful attack can harm the driver or passengers. Modern automotive cybersecurity engineering is the discipline of finding and addressing these threats and building countermeasures into automotive systems and software.
As connectivity and autonomy in vehicles increase, so does the risk of cyber threats to vehicle systems. Integrating security into the core of vehicle systems requires constant work to counter potential threats. Attackers have strong incentives to hunt for weaknesses and to develop new attack paths that reach the vehicle's critical controls.
The automotive industry cannot afford to keep treating cybersecurity as an afterthought. Safety and brand reputation depend on vehicles being designed to withstand new tactics by adversaries. This article describes what automotive cybersecurity engineering entails in terms of threat analysis, secure design principles, validation and continuous governance.
What is Automotive Cybersecurity Engineering?
Automotive cybersecurity engineering is the practice of building protections into vehicle systems and software to guard against cyber threats. The goal is to create layers of defense that make vehicles resilient to attacks and unauthorized access.
Some key aspects of automotive cybersecurity engineering include:
- Threat Modeling: Threat analysis and risk assessment (TARA) is the usual starting point. It means analyzing the potential attack surfaces and entry points in a vehicle's interconnected systems and the different ways bad actors could use them to breach the vehicle.
- Risk Assessments: Identifying the most pressing and highest-impact risks based on threat modeling sets priorities for which vulnerabilities should be addressed first.
- Architecture Design: Developing layered defenses and “security by design” principles when creating vehicle architectures and software. The architecture choices make intrusion and exploitation more difficult.
- Tools & Testing: Techniques like fuzzing, penetration testing, and static analysis are used to validate the effectiveness of defenses and uncover new vulnerabilities. Penetration testing and red teaming apply real adversary techniques against automotive systems.
- Governance: Creating and implementing cybersecurity standards, best practices, training, and culture within automotive organizations. This governance ensures consistency across teams and models.
The end goal is to make vehicles cyber-resilient to real-world attacks that could put drivers in danger. As connectivity and autonomous capabilities grow, so do the risks.
Why Automotive Cybersecurity Engineering Matters
Automotive cybersecurity is important because vehicles have shifted from isolated mechanical systems to sophisticated computers on wheels. There are several key factors driving the need for cybersecurity engineering in the automotive industry.
Connected Systems Open Up Attack Avenues
Today's vehicles integrate cellular, WiFi, Bluetooth and dedicated short-range communications (DSRC). Each external interface could potentially be exploited by attackers to gain a foothold. Once inside, attackers can pivot across internal networks toward critical systems like brakes and steering. Without protections in place, connected vehicles become prime targets.
Protections engineered into the architecture and software are necessary to monitor for, detect, and respond to unauthorized access attempts across all communication channels. Segmenting and isolating critical driving systems from externally reachable ones is also key to containing attacks.
Autonomous Systems Have Immense Attack Surfaces
Self-driving vehicles rely heavily on an array of sensors, onboard computing, streaming data, and constant connectivity. The complexity expands the attack surface substantially compared to traditional vehicles. Failures in these systems could literally crash the vehicle.
Adversaries could target autonomous systems to misdirect the vehicle or degrade its capabilities. By tampering with sensor input data or the algorithms that consume it, attackers may be able to override safety behaviour. Engineering redundancies along with anomaly detection capabilities helps make autonomous platforms cyber resilient.
Safety Risks Endanger Human Lives
A successful cyber attack that alters essential vehicle functions directly endangers human safety. The ability to suddenly disable systems like acceleration or braking gives adversaries dangerous control. Without engineered defenses, remote attacks could turn vehicles into 2-ton weapons.
Automotive cybersecurity engineering focuses on protecting the most safety-critical vehicle capabilities by identifying the highest risks based on threat models. Redundancies, segmentation, and access controls make it much harder for adversaries to impact driving operations.
Regulations Pressure the Industry
Regulations like UNECE WP.29 (UN Regulation No. 155 on cybersecurity management systems and No. 156 on software update management) and national requirements in markets such as China require automakers to implement cybersecurity protections and processes before vehicles hit the market, with ISO/SAE 21434 as the engineering standard most programs use to demonstrate them. Developing the capabilities to engineer in security and to demonstrate due diligence has become necessary to meet compliance standards worldwide.
By taking an engineering approach, automakers can systematically comply with cybersecurity requirements across programs and markets while also enhancing actual vehicle resilience rather than just checking boxes.
Brand Reputation and Legal Liability
Brand reputation and legal/financial liability are at stake if automakers fail to adequately secure vehicles from high-impact cyber attacks that endanger drivers. The consequences of safety incidents instigated by breaches could damage consumer trust and open up automakers to major monetary damages.
Engineering security deep into the foundation of vehicle systems and software is the best way to mitigate risks before problems occur. Ensuring protections align with emerging attack trends also demonstrates a duty of care. This due diligence improves resilience while also reducing liability.
Making cybersecurity a priority across the product development lifecycle is key for both safety and business risk management.
The Automotive Cybersecurity Engineering Process
There are 5 core steps that encompass the vehicle cybersecurity engineering process. They are not strictly sequential: the threat analysis in step 3 feeds the requirements and control choices in steps 1 and 2, and is repeated whenever the design changes.
1. Establish Cybersecurity Requirements
The first step is defining the cybersecurity requirements for the specific vehicle under development based on its architecture, features, and risk profile. These derive from a holistic analysis of:
- Applicable regulations and standards
- Corporate cybersecurity policy requirements
- Threat models and risk assessments
- Security architecture principles
- Use cases that inform risks (e.g., autonomy, ride sharing)
These requirements become the cybersecurity blueprint for the vehicle program. They evolve as new threats and vulnerabilities are uncovered.
2. Design-In Security Controls
With cybersecurity requirements established, the next phase is integrating appropriate safeguards and protections into vehicle systems, software, and communications interfaces. The controls selected align with the risk profile of specific subsystems as informed by thorough threat modeling and assessments.
The emphasis is on defense in depth, with layered controls across networks, endpoints and external access points. For example, network segmentation places gateways between zones so that a compromised infotainment or telematics unit cannot talk directly to the powertrain bus, while endpoint monitoring looks for anomalies in critical driving functions that could indicate intrusion. Secure software development practices, such as input validation and memory protections, are also enforced.
Beyond technical controls, the process focuses on core cybersecurity principles like least privilege access and separation of duties. Critical vehicle capabilities should only be controllable through isolated, encrypted pathways with authentication. Any external interfaces or debugging modes must be provisioned securely to minimize exposure.
The controls integrated through the foundational architecture and continued governance reflect industry best practices. Additional compensating controls may be needed for risks unique to connected, autonomous platforms, and the controls must evolve as fast as the adversaries adapt.
3. Perform Threat Analysis & Risk Assessment
A key step is performing a Threat Analysis and Risk Assessment (TARA) to methodically evaluate potential attack vectors against the vehicle systems/software and classify the associated risk. This involves:
- Identifying attack surfaces: Interfaces, access points and vulnerabilities an attacker could exploit to compromise vehicle systems. Examples include infotainment services, telematics units, OBD-II ports, and remote key fobs.
- Enumerating threats: Feasible attacks against the above surfaces, such as spoofing sensors, injecting CAN messages, reverse engineering ECU firmware, jamming communications channels, and more.
- Determining vulnerabilities: Technical, process and configuration weaknesses that can be exploited to allow the threats.
- Risk evaluation: Determining the severity of each threat based on feasibility, attack cost, and safety/business impact. Establishes risk priorities.
The output is a ranked risk register, usually visualised as a heatmap of impact against attack feasibility, that guides cybersecurity engineering efforts toward the most pressing risks.
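As an added worked example (not part of the original article or any particular OEM's method), the following Python scores a few constructed threat scenarios the way a TARA does: each scenario's attack potential is the sum of five factors (elapsed time, expertise, knowledge, window of opportunity, equipment), the sum maps to an attack-feasibility level, and feasibility combined with the impact rating gives a risk value that can be ranked or placed in a heatmap. The factor values, feasibility bands and risk matrix are assumptions modelled on the attack-potential approach of ISO/SAE 21434; a real program would take them from its own TARA method description, and the scenario ratings are illustrative.

```python
"""Worked TARA risk scoring for a handful of constructed threat scenarios."""
from dataclasses import dataclass

# Attack-potential factor scales. Values are assumed here, modelled on the
# attack-potential method of ISO/SAE 21434; a programme uses its own tables.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9}

# Lower attack potential = cheaper attack = higher feasibility (assumed bands; above 24 is "very low").
FEASIBILITY_BANDS = ((13, "high"), (19, "medium"), (24, "low"))

# Risk matrix: impact rating x attack feasibility -> risk value 1 (lowest) .. 5 (highest). Assumed.
RISK_MATRIX = {
    "severe":     {"high": 5, "medium": 4, "low": 3, "very low": 2},
    "major":      {"high": 4, "medium": 3, "low": 2, "very low": 1},
    "moderate":   {"high": 3, "medium": 2, "low": 2, "very low": 1},
    "negligible": {"high": 1, "medium": 1, "low": 1, "very low": 1},
}


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    attack_surface: str
    impact: str          # worst-case impact rating across safety/financial/operational/privacy
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def attack_potential(self) -> int:
        """Sum of the five attack-potential factors."""
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE[self.knowledge] + WINDOW[self.window]
                + EQUIPMENT[self.equipment])

    def feasibility(self) -> str:
        score = self.attack_potential()
        for upper, level in FEASIBILITY_BANDS:
            if score <= upper:
                return level
        return "very low"

    def risk(self) -> int:
        return RISK_MATRIX[self.impact][self.feasibility()]


# Constructed scenarios for illustration; surfaces, ratings and factor choices are assumptions.
SCENARIOS = [
    ThreatScenario("Telematics unit RCE used to inject CAN frames toward the engine ECU",
                   "telematics", "severe", "<=1 month", "expert", "restricted", "unlimited", "standard"),
    ThreatScenario("GPS spoofing feeds a false position to the lane-keeping function",
                   "GNSS receiver", "major", "<=1 week", "proficient", "public", "easy", "specialised"),
    ThreatScenario("Key fob relay attack to unlock and start the vehicle",
                   "remote key fob", "moderate", "<=1 week", "proficient", "public", "easy", "specialised"),
    ThreatScenario("ECU firmware reverse engineering via OBD-II to disable ABS",
                   "OBD-II port", "severe", "<=6 months", "expert", "confidential", "moderate", "specialised"),
]


def rank_risks(scenarios):
    """Highest risk first; ties broken by lower attack potential (the cheaper attack)."""
    return sorted(scenarios, key=lambda s: (-s.risk(), s.attack_potential(), s.name))


def heatmap(scenarios):
    """Group scenario names into (impact, feasibility) cells, as a TARA heatmap would."""
    cells = {}
    for s in scenarios:
        cells.setdefault((s.impact, s.feasibility()), []).append(s.name)
    return cells


if __name__ == "__main__":
    for s in rank_risks(SCENARIOS):
        print(f"risk={s.risk()} feasibility={s.feasibility():<8} potential={s.attack_potential():>2}  {s.name}")
```

Note how the ranking falls out: the OBD-II firmware attack has the same severe impact as the telematics RCE, but its attack potential (38) is so high that it lands at the bottom, while a cheap GPS spoof with only major impact outranks the key fob relay. That is the point of separating feasibility from impact rather than scoring on impact alone.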
4. Test & Validate Security Controls
Rigorous testing and validation occur across multiple dimensions to ensure that the security controls are working as intended after integration.
At the software level, fuzzing introduces unexpected inputs across interfaces and system calls to catch any crashes, memory issues or error-handling gaps. This uncovers stability issues an attacker may look to exploit.
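To make the fuzzing step concrete, here is an added Python example (not code from the article) that fuzzes an ISO-TP (ISO 15765-2) message reassembler of the kind that sits under every UDS diagnostic stack. `reassemble_naive` is written to be deliberately vulnerable: it trusts the length field in the PCI byte, which in a C implementation is an out-of-bounds read and here surfaces as an `IndexError`. `reassemble_hardened` validates every length and sequence field and raises only the expected `IsoTpError`. The fuzzer mutates a constructed two-message seed corpus, first with a deterministic sweep of boundary values over every byte, then with random byte changes, and records any exception other than the expected protocol error as a crash. The seed frames, CAN payloads and VIN text are made up for the example.

```python
"""Mutation fuzzing of an ISO-TP (ISO 15765-2) reassembler, naive vs hardened."""
import random

FRAME_LEN = 8            # classic CAN data field
INTERESTING = (0x00, 0x07, 0x08, 0x0F, 0x10, 0x1F, 0x2F, 0x7F, 0x80, 0xFF)


class IsoTpError(ValueError):
    """Protocol error the parser is expected to raise and the caller to handle."""


def reassemble_naive(frames):
    """Deliberately naive: trusts the length fields in the PCI bytes.
    In C the same logic reads past the end of the frame buffer; here it raises IndexError."""
    first = frames[0]
    pci_type = first[0] >> 4
    if pci_type == 0:                                   # single frame: low nibble = length
        length = first[0] & 0x0F
        return bytes(first[1 + i] for i in range(length))
    if pci_type == 1:                                   # first frame: 12-bit length
        length = ((first[0] & 0x0F) << 8) | first[1]
        data = bytearray(first[2:])
        for cf in frames[1:]:                           # consecutive frames, sequence unchecked
            data += cf[1:]
        return bytes(data[i] for i in range(length))
    raise IsoTpError("unsupported PCI type")


def reassemble_hardened(frames):
    """Same protocol, with every length and sequence field validated before use."""
    if not frames or any(len(f) != FRAME_LEN for f in frames):
        raise IsoTpError("every frame must carry exactly 8 data bytes")
    first = frames[0]
    pci_type = first[0] >> 4
    if pci_type == 0:
        length = first[0] & 0x0F
        if not 1 <= length <= FRAME_LEN - 1:
            raise IsoTpError("single-frame length out of range")
        return bytes(first[1:1 + length])
    if pci_type == 1:
        length = ((first[0] & 0x0F) << 8) | first[1]
        if length <= FRAME_LEN - 1:
            raise IsoTpError("first-frame length must exceed a single frame")
        data = bytearray(first[2:])
        expected_seq = 1
        for cf in frames[1:]:
            if cf[0] >> 4 != 2 or (cf[0] & 0x0F) != expected_seq:
                raise IsoTpError("bad consecutive frame")
            data += cf[1:]
            expected_seq = (expected_seq + 1) & 0x0F
            if len(data) >= length:
                break
        if len(data) < length:
            raise IsoTpError("truncated multi-frame message")
        return bytes(data[:length])
    raise IsoTpError("unsupported PCI type")


def mutants(seed, rng, random_rounds):
    """Deterministic boundary mutations first (every byte x every interesting value), then random ones."""
    for fi in range(len(seed)):
        for pos in range(FRAME_LEN):
            for value in INTERESTING:
                m = [bytearray(f) for f in seed]
                m[fi][pos] = value
                yield m
    for _ in range(random_rounds):
        m = [bytearray(f) for f in seed]
        for _ in range(rng.randint(1, 3)):
            m[rng.randrange(len(m))][rng.randrange(FRAME_LEN)] = rng.randrange(256)
        yield m


def fuzz(parser, seeds, random_rounds=500, rng_seed=1):
    """Return (input, exception) pairs where the parser failed with anything other than IsoTpError."""
    rng = random.Random(rng_seed)
    crashes = []
    for seed in seeds:
        for m in mutants(seed, rng, random_rounds):
            try:
                parser(m)
            except IsoTpError:
                pass                                    # handled protocol error, not a bug
            except Exception as exc:                    # crash-equivalent: unexpected exception
                crashes.append((m, repr(exc)))
    return crashes


# Constructed seed corpus: a UDS ReadDataByIdentifier request for the VIN (0xF190)
# as a single frame, and a multi-frame positive response (the VIN text is made up).
SEEDS = [
    [bytearray(b"\x03\x22\xf1\x90\x00\x00\x00\x00")],
    [bytearray(b"\x10\x0a\x62\xf1\x90WMA"), bytearray(b"\x21BCDE123")],
]

if __name__ == "__main__":
    for name, parser in (("naive", reassemble_naive), ("hardened", reassemble_hardened)):
        found = fuzz(parser, SEEDS)
        print(f"{name}: {len(found)} crashing inputs")
        for m, exc in found[:3]:
            print("   ", [bytes(f).hex() for f in m], exc)
```

The deterministic sweep is what makes the run reproducible: setting the first PCI byte of the single-frame seed to `0x0F` (declared length 15 in an 8-byte frame) is guaranteed to be tried, so the naive parser always fails on the first pass, while the hardened parser converts the same inputs into handled protocol errors. On a real ECU the harness would drive the target over CAN and watch for resets, diagnostic trouble codes or a silent bus instead of catching Python exceptions.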
For broader system assessments, controlled penetration attempts allow ethical hackers to bypass defenses using real adversary techniques. Known as red teaming, these authorized attacks closely mimic a malicious actor and test the built-in monitoring capabilities. Any gaps identified can feed back into the system design.
Functional security testing also validates mitigations aligned to likely attack scenarios and risk priorities from threat modeling. For example, tests may inject malicious messages into internal vehicle networks to confirm intrusion detection mechanisms are working properly. Or they may spoof GPS data as input to autonomous systems to check anomaly response behavior.
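The segmentation and endpoint-monitoring controls from step 2 and the injection test described here can be exercised together. The following added Python example (not code from the article or any vendor product) models a zone gateway whose routing policy is an explicit allowlist of (source zone, CAN ID) pairs, with the OBD-II diagnostics zone isolated until a security-access handshake has succeeded, and a simple rate-based intrusion detector for a periodic-traffic bus. A constructed one-second capture of the powertrain bus carries two legitimate periodic IDs plus frames an attacker injects through the OBD-II port, and the test confirms the detector raises an alert for each injected frame and none for legitimate traffic. The zone names, CAN IDs, periods and payloads are assumptions for the example.

```python
"""Zone gateway policy check and rate-based CAN intrusion detection on a constructed capture."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class CanFrame:
    ts: float        # seconds
    can_id: int
    data: bytes
    zone: str        # bus/zone on which the frame was observed


# Gateway routing policy: (source zone, CAN ID) -> zones the gateway may forward to.
# Anything not listed is dropped. Zones and IDs are assumptions for the example.
GATEWAY_POLICY = {
    ("infotainment", 0x3E0): {"body"},                  # HMI climate/seat request
    ("body", 0x1A0): {"infotainment"},                  # door/seat status for the display
    ("powertrain", 0x0C0): {"body", "infotainment"},    # engine RPM broadcast, read-only consumers
    ("diagnostics", 0x7E0): {"powertrain"},             # UDS request to the engine ECU
}


def route(frame: CanFrame, diag_authenticated: bool = False) -> set:
    """Zones to forward the frame to. The OBD-II (diagnostics) zone stays isolated
    until a security-access handshake has succeeded."""
    if frame.zone == "diagnostics" and not diag_authenticated:
        return set()
    return set(GATEWAY_POLICY.get((frame.zone, frame.can_id), ()))


class RateIDS:
    """Flags frames whose CAN ID is not in the bus message matrix, and periodic IDs that
    arrive much earlier than their learned period (a spoofed frame slipped between real ones)."""

    def __init__(self, known_ids, learn_frames=20, tolerance=0.5):
        self.known_ids = set(known_ids)
        self.learn_frames = learn_frames
        self.tolerance = tolerance
        self.gaps = {}       # can_id -> inter-arrival samples collected during learning
        self.period = {}     # can_id -> learned period once enough samples exist
        self.last = {}       # can_id -> timestamp of the last frame accepted as legitimate

    def observe(self, frame: CanFrame):
        """Return an alert string, or None if the frame looks legitimate."""
        cid = frame.can_id
        if cid not in self.known_ids:
            return f"t={frame.ts:.4f} unknown ID 0x{cid:03X} on {frame.zone} bus"
        if cid in self.last:
            gap = frame.ts - self.last[cid]
            if cid in self.period:
                if gap < self.period[cid] * self.tolerance:
                    # do not touch self.last: the legitimate timeline stays the reference
                    return (f"t={frame.ts:.4f} ID 0x{cid:03X} early by "
                            f"{self.period[cid] - gap:.4f}s (possible injection)")
            else:
                samples = self.gaps.setdefault(cid, [])
                samples.append(gap)
                if len(samples) >= self.learn_frames:
                    self.period[cid] = mean(samples)
        self.last[cid] = frame.ts
        return None


def build_capture():
    """Constructed powertrain-bus traffic for 1 s: 0x0C0 every 10 ms and 0x0D0 every 20 ms,
    plus frames an attacker injects through the OBD-II port."""
    frames = [CanFrame(i * 0.010, 0x0C0, bytes([0x10, 0x00] + [0] * 6), "powertrain") for i in range(100)]
    frames += [CanFrame(i * 0.020 + 0.001, 0x0D0, bytes([0x00, 0x55] + [0] * 6), "powertrain") for i in range(50)]
    for t in (0.5025, 0.6025, 0.7025):       # spoofed RPM frames between legitimate ones
        frames.append(CanFrame(t, 0x0C0, bytes([0xFF, 0xF0] + [0] * 6), "powertrain"))
    frames.append(CanFrame(0.8003, 0x7E0, b"\x02\x10\x03\x00\x00\x00\x00\x00", "powertrain"))  # stray UDS session request
    return sorted(frames, key=lambda f: f.ts)


def run_ids(frames, known_ids=(0x0C0, 0x0D0)):
    """Feed a capture through the detector and return the alerts it raised, in order."""
    ids = RateIDS(known_ids)
    return [a for a in (ids.observe(f) for f in frames) if a]


if __name__ == "__main__":
    print(route(CanFrame(0, 0x7E0, b"", "infotainment")))                           # set(): no path to powertrain
    print(route(CanFrame(0, 0x7E0, b"", "diagnostics"), diag_authenticated=True))   # {'powertrain'}
    for alert in run_ids(build_capture()):
        print(alert)
```

Two design points carry over to real deployments. The detector keeps the legitimate timeline as its reference by not updating `last` when it flags a frame, otherwise the genuine frame that follows an injection would also look early and every attack would double-count. And the unknown-ID check relies on an explicit message matrix for the bus rather than learning the ID set from traffic, since learning from traffic would whitelist whatever an attacker was already sending during the learning window.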
This combination of stability testing, simulated attacks, and use case validation provides a comprehensive assessment to harden defenses throughout the development lifecycle.
5. Establish Cybersecurity Governance
Ongoing governance ensures the cybersecurity posture adapts to new threats throughout the vehicle’s lifecycle via:
- Incident Response (IR) Plans: Playbooks for promptly responding to cyber incidents or vulnerabilities discovered in vehicles in the field.
- Threat Intelligence Monitoring: Continuously monitoring threat feeds, cybercrime forums, and vulnerability databases to find emerging and high-severity issues applicable to the fleet.
- Version Control & Updates: Maintaining version control for vehicle software and firmware and pushing security patches (for example over the air) to preserve integrity in the field.
- Best Practices: Establishing secure coding guidelines, architecture principles, design patterns and testing standards that become cybersecurity policy.
This governance allows the cybersecurity baseline to evolve with the threat landscape.
Conclusion
Automotive cybersecurity engineering brings together threat analysis, secure architecture design, resilience testing, and governance to address vehicle cyber risks. As connectivity and software content accelerate, vehicles must be engineered with cybersecurity in mind from the outset. Adversaries have a strong motivation to find chinks in the armor through new attack vectors. By taking a systematic engineering approach, automakers can stay ahead and protect drivers from potential hazards introduced by breaches. However, sustained vigilance is essential, as risk exposure will only grow over time.