3 Stages of In-Vehicle Security: A Step-By-Step Guide to Vehicular Cybersecurity

Vehicular cybersecurity is now an inseparable component of automobiles. To establish an ecosystem where vehicles can safely connect with the outside world, UNECE’s WP.29 regulations on vehicular cybersecurity require automakers (OEMs) to manage cybersecurity risks at every stage of a vehicle’s lifecycle. This includes 1) the pre-production design and development stage, where cybersecurity gets embedded into the supply chain; 2) the production stage, where hardware and software components are integrated and tested for interoperability; and 3) the post-production stage, where continuous monitoring and timely updates are required to keep the vehicle protected throughout its lifespan.

As a cybersecurity adviser on the International Transport Forum’s Corporate Partnership Board (CPB), AUTOCRYPT has been contributing its expertise in vehicular cybersecurity standardization and policymaking, making the company a specialist in cybersecurity integration and regulatory compliance. Developed to help OEMs integrate cybersecurity with functional safety, AUTOCRYPT’s in-vehicle security solution, AutoCrypt IVS, provides a robust end-to-end security package for all three stages of vehicle production, stretching beyond regulatory requirements.

In this article, we break down AUTOCRYPT’s in-vehicle security process to look at how a vehicle is secured at each stage.

1. Threat Assessment and Remediation Analysis (TARA)

The biggest difference between vehicular cybersecurity and IT cybersecurity is that a vehicle does not run on a single host computer or a unified operating system. Instead, each vehicle has a unique electrical and electronic (E/E) architecture made up of over a hundred electronic control units (ECUs), interoperating through the Controller Area Network (CAN bus). This means that no off-the-shelf cybersecurity software or tool can be readily installed across all vehicles; instead, in-vehicle security needs to be custom-designed for each vehicle model.

To develop a system and process for a particular vehicle, it is crucial to start by assessing the threats associated with the specific OEM and vehicle model through an engineering methodology called Threat Assessment and Remediation Analysis (TARA). TARA is widely used for the initial assessment of cybersecurity risks, based on a deep analysis of the vehicle’s architecture, followed by a prediction of potential vulnerabilities and entry points. After identifying the risks, security engineers carefully select a set of countermeasures that can mitigate these specific risks.

During TARA, AUTOCRYPT begins by identifying critical assets within the target vehicle, then compiles a list of attack vectors that hackers could potentially use to access and intrude into the system. After that, the level of risk and feasibility of each attack vector is analyzed, before arriving at a final list of threat priorities. These priorities are used to design and develop a security model, where detection engines and software modules get embedded in different parts of the vehicle.
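The prioritization step described above, as an added example (not AUTOCRYPT's tooling or code from the original article): each threat is rated for impact and for attack feasibility, and the two are combined into a ranked priority list. The assets, vectors, rating scales, feasibility bands and priority cut-offs are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

IMPACT_CATEGORIES = ("safety", "financial", "operational", "privacy")
# Assumed bands: summed attack potential (effort an attack needs) -> feasibility.
# Less effort means higher feasibility (4 = high); anything above 24 is level 1.
FEASIBILITY_BANDS = ((13, 4), (19, 3), (24, 2))


@dataclass(frozen=True)
class Threat:
    asset: str
    vector: str
    impact: dict     # category -> 0 (negligible) .. 3 (severe)
    potential: dict  # points for time, expertise, knowledge, window, equipment

    def impact_level(self):
        unknown = set(self.impact) - set(IMPACT_CATEGORIES)
        if unknown:
            raise ValueError("unknown impact categories: %s" % sorted(unknown))
        return max(self.impact.values(), default=0)

    def feasibility(self):
        total = sum(self.potential.values())
        return next((lvl for limit, lvl in FEASIBILITY_BANDS if total <= limit), 1)

    def risk(self):
        return self.impact_level() * self.feasibility()  # 0 .. 12


def priority(risk):
    """Assumed cut-offs for turning a risk value into a work priority."""
    return "P1" if risk >= 9 else "P2" if risk >= 5 else "P3"


def prioritize(threats):
    """Rank by risk; ties go to the threat with the higher safety impact."""
    ranked = sorted(
        threats, key=lambda t: (-t.risk(), -t.impact.get("safety", 0), t.asset))
    return [(priority(t.risk()), t.risk(), t.asset, t.vector) for t in ranked]


# Constructed entries for illustration; not taken from any real vehicle.
THREATS = [
    Threat("telematics control unit", "tampered firmware update",
           {"safety": 3, "financial": 2, "operational": 3},
           {"time": 4, "expertise": 6, "knowledge": 3, "window": 1, "equipment": 4}),
    Threat("central gateway", "message injection from diagnostic port",
           {"safety": 3, "operational": 2},
           {"time": 1, "expertise": 3, "knowledge": 3, "window": 4, "equipment": 0}),
    Threat("infotainment storage", "unauthorized read of stored data",
           {"privacy": 2, "financial": 1},
           {"time": 1, "expertise": 3, "knowledge": 0, "window": 4, "equipment": 0}),
    Threat("body control module", "tampered message on CAN bus",
           {"safety": 1, "financial": 2},
           {"time": 1, "expertise": 3, "knowledge": 3, "window": 1, "equipment": 4}),
    Threat("brake ECU", "key extraction from hardware",
           {"safety": 3},
           {"time": 17, "expertise": 8, "knowledge": 7, "window": 10, "equipment": 9}),
]

if __name__ == "__main__":
    for row in prioritize(THREATS):
        print("%s  risk=%2d  %-24s %s" % row)
```

The brake ECU entry shows why feasibility matters: its impact is the highest possible, but the effort assumed for the attack pushes it to the bottom of the list.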

2. Threat Modeling and Security Testing

After initial design and development of the in-vehicle security system, it is then time to conduct a series of tests by simulating real-life hacking scenarios to verify the efficacy of the security model. In this stage, three types of security testing are implemented: vulnerability scanning, fuzz testing, and penetration testing.

Vulnerability Scanning

Unlike threat assessment in TARA, vulnerability scanning requires the physical vehicle prototype with the adopted security model. Both software static testing and dynamic testing are performed. The former checks for errors in the development stage, including leaks and buffer overflows, whereas the latter executes the code to test for vulnerabilities in runtime environments by analyzing the behaviours of dynamic variables.

Fuzz Testing

Fuzz testing, or fuzzing, is an automated software testing technique that feeds a large pool of randomly generated invalid and unexpected inputs into the program in an attempt to make it crash or otherwise break. If a vulnerability is found, a fuzzer can be used to pinpoint the potential causes. Fuzzing is a quick and useful way to identify unexpected coding errors, and is highly effective at mitigating most automated hacking techniques.
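A small mutation fuzzer illustrating the technique, as an added example (not from the original article or AUTOCRYPT's test suite): it mutates a valid CAN payload, records any failure that is not a documented rejection, and shrinks the crashing input to pinpoint the cause. The handler, its frame layout and the arbitration ID 0x321 are hypothetical and constructed for this sketch.

```python
import random

class FrameError(ValueError):
    """Documented rejection of a malformed frame (not a crash)."""

def parse_status_frame(can_id, data):
    """Toy ECU handler (constructed): byte 0 = n, then n (signal_id, value) pairs."""
    if can_id != 0x321:
        raise FrameError("unexpected arbitration ID")
    if not data:
        raise FrameError("empty payload")
    count = data[0]
    # Deliberate bug: count is trusted and never checked against len(data).
    return {data[1 + 2 * i]: data[2 + 2 * i] for i in range(count)}

def parse_status_frame_fixed(can_id, data):
    """Same handler with the length check the fuzzer shows to be missing."""
    if data and 1 + 2 * data[0] > len(data):
        raise FrameError("signal count exceeds payload length")
    return parse_status_frame(can_id, data)

def crash_kind(target, can_id, data):
    """Return the exception name if target fails in an undocumented way."""
    try:
        target(can_id, data)
    except FrameError:
        return None  # documented rejection
    except Exception as exc:
        return type(exc).__name__

def mutate(rng, data):
    """Apply one random mutation; classic CAN payloads are at most 8 bytes."""
    out = bytearray(data)
    op = rng.choice(("flip", "truncate", "extend", "random"))
    if op == "flip" and out:
        out[rng.randrange(len(out))] = rng.randrange(256)
    elif op == "truncate":
        out = out[:rng.randrange(len(out) + 1)]
    elif op == "extend":
        out += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    else:
        out = bytearray(rng.randrange(256) for _ in range(rng.randrange(9)))
    return bytes(out[:8])

def minimize(target, can_id, data, kind):
    """Shrink a crashing payload while it still raises the same exception."""
    data, changed = bytearray(data), True
    while changed:
        changed = False
        for i in reversed(range(len(data))):      # drop bytes, last first
            trial = data[:i] + data[i + 1:]
            if crash_kind(target, can_id, bytes(trial)) == kind:
                data, changed = trial, True
        for i in range(len(data)):                # lower the surviving bytes
            for value in range(min(2, data[i])):  # try 0, then 1
                trial = bytearray(data)
                trial[i] = value
                if crash_kind(target, can_id, bytes(trial)) == kind:
                    data, changed = trial, True
                    break
    return bytes(data)

SEED = (0x321, bytes([2, 0x10, 0x7F, 0x11, 0x00]))  # valid frame with 2 signals

def fuzz(target, iterations=2000, seed=1):
    """Return {exception name: minimized payload} for each crash class found."""
    rng, findings = random.Random(seed), {}
    can_id, valid = SEED
    for _ in range(iterations):
        data = mutate(rng, valid)
        kind = crash_kind(target, can_id, data)
        if kind and kind not in findings:
            findings[kind] = minimize(target, can_id, data, kind)
    return findings

if __name__ == "__main__":
    print("vulnerable:", fuzz(parse_status_frame))
    print("fixed:     ", fuzz(parse_status_frame_fixed))
```

The minimized payload is a single byte claiming one signal with no data behind it, which points straight at the unchecked count field.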

Penetration Testing

Penetration testing is the most advanced and sophisticated test of the three. It requires security analysts and red team hackers to manually search for and exploit vulnerabilities using complex hacking techniques such as password cracking and injection, then try to manipulate and exfiltrate data from the vehicle. AUTOCRYPT’s red team, led by experienced resident white hat hacker Dr. Jonghyuk Song, performs penetration testing on vehicle components and security software prior to final implementation, ensuring that no vehicle leaves the factory in a vulnerable state.

After completion of threat modeling and security testing, all errors and vulnerabilities will be corrected and reviewed. Finally, the vehicle will be ready to enter the market.

Figure 1. Three Stages of In-Vehicle Security

3. Threat Mitigation

Once the vehicle is handed over to the consumer, the role of cybersecurity does not end. In fact, this is only the beginning of a long journey of continuous monitoring, prevention, and incident response. At this stage, the security engineering of AutoCrypt IVS works at its best to protect the ECUs by running both an intrusion detection system (IDS) and an intrusion protection system (IPS) to block hacking attempts, encrypting all messages to prevent data tampering, and controlling access to all storage to ensure privacy and financial safety. It also monitors the central gateway for any abnormal behaviour throughout the vehicle’s CAN bus and between the vehicle and the external network. Such data is then collected in real time by the OEM and reported to AutoCrypt vSOC (Vehicle Security Operations Center) for analysis.
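One way abnormal CAN bus behaviour can be detected at a gateway, as an added example (not AutoCrypt IVS code and not from the original article): learn the normal send interval of each arbitration ID from known-good traffic, then flag IDs never seen before and frames that arrive much earlier than their learned period. The candump-style log lines, IDs, payloads and the 0.5 ratio are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# candump-style log line: "(timestamp) interface ID#HEXDATA"
LINE = re.compile(
    r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2}){0,8})")


def parse(lines):
    """Yield (timestamp, arbitration_id, payload) for each well-formed line."""
    for line in lines:
        m = LINE.fullmatch(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))


def learn_periods(frames):
    """Learn the typical interval per ID from known-good traffic.

    IDs seen only once map to None: they are known but have no timing baseline.
    """
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _ in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: (median(gaps[cid]) if gaps[cid] else None) for cid in last}


def detect(frames, periods, min_ratio=0.5):
    """Flag IDs absent from the baseline and frames arriving far earlier than
    the learned period, which is how an extra sender on a periodic ID shows up."""
    alerts, last = [], {}
    for ts, can_id, _ in frames:
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown-id"))
            continue
        period, prev = periods[can_id], last.get(can_id)
        if period and prev is not None and ts - prev < min_ratio * period:
            alerts.append((ts, can_id, "too-fast"))
        last[can_id] = ts
    return alerts


def constructed_logs():
    """Build constructed sample traffic (not captured from any vehicle)."""
    def fmt(frames):
        return ["(%.6f) can0 %03X#%s" % (ts, cid, data.hex().upper())
                for ts, cid, data in sorted(frames)]
    payload = bytes.fromhex("00112233")
    training = [(100.0 + i * 0.01, 0x0C4, payload) for i in range(50)]
    training += [(100.0 + i * 0.1, 0x1A0, payload) for i in range(5)]
    live = [(200.0 + i * 0.01, 0x0C4, payload) for i in range(20)]
    # Three extra frames on a 10 ms ID, plus one ID the baseline never saw.
    live += [(t, 0x0C4, bytes.fromhex("FFFFFFFF")) for t in (200.052, 200.062, 200.072)]
    live += [(200.105, 0x5F3, b"\x01")]
    return fmt(training), fmt(live)


if __name__ == "__main__":
    training, live = constructed_logs()
    baseline = learn_periods(parse(training))
    for ts, can_id, kind in detect(parse(live), baseline):
        print("%.3f  0x%03X  %s" % (ts, can_id, kind))
```

A timing check flags whichever frame arrives early, so it identifies the affected ID and time window rather than proving which individual frame was the extra one.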

Vehicle Security Operations Center

Similar to the SOC in IT security, vSOC brings enterprise threat intelligence to the mobility environment by monitoring the activities and conditions of all active vehicles using live data collected and shared from the OEM’s cloud. AutoCrypt vSOC provides an easy-to-navigate graphical user interface, allowing the OEM to track and analyze threats by region and prioritize updates and patches.


Vehicular Cybersecurity Made Easy With AUTOCRYPT

Most OEMs do not have the time and capacity to assess, deploy, and manage all three stages of vehicular cybersecurity in-house. Over the past decade, AUTOCRYPT has been filling this gap not only by offering AutoCrypt IVS as a product, but also by designing and developing a complete in-vehicle security solution that OEMs can rely on in the long run.

To learn more about AUTOCRYPT’s end-to-end solutions, contact global@autocrypt.io.

To stay informed with the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.

AUTOCRYPT Demonstrates Interoperability in China’s Largest “Four Layers” C-V2X Demonstration Following Showcase at 2021 China-SAE Congress and Exhibition

SHANGHAI, CHINA, Oct. 28, 2021 — Leading automotive and mobility cybersecurity provider AUTOCRYPT Co., Ltd. demonstrated the interoperability of its AutoCrypt V2X security solution at the C-V2X Cross-Industry Pilot Plugfest, China’s largest “Four Layers” C-V2X application testing event, held alongside the 2021 China-SAE Congress and Exhibition (SAECCE) in Shanghai from October 19 to 21. 

The annual “Four Layers” C-V2X interoperability demonstration is organized by IMT-2020 (5G) Promotion Group C-V2X Working Group and China-SAE (Society of Automotive Engineers), gathering OEMs and Tier 1 suppliers from around the world. This year’s C-V2X demonstration was held on test roads across the Shanghai-Suzhou-Wuxi metropolitan area, one of China’s major ITS hubs. 

The “Four Layers” of interoperability refers to the physical layer (vehicle), network layer (on-board units or OBUs), message layer (communication modules), and security layer (V2X modules and key management). In the demonstration, AutoCrypt V2X’s software development kit (SDK) was embedded in the OBUs of a major Tier 1 supplier, while its Security Credential Management System (SCMS) was paired with one of the eight participating root certificate authorities (CA).  

“The successful completion of the demonstration continues to confirm the interoperability of AutoCrypt V2X in the C-ITS environment,” said Daniel ES Kim, AUTOCRYPT’s Co-Founder and CEO. “As the V2X security provider for all eight full-scale C-ITS projects in South Korea, AUTOCRYPT has worked closely with OEMs and chipmakers across the globe, and our team is highly experienced in adapting to the specific needs and requirements of each client.” 

Along with the demonstration, AUTOCRYPT showcased its latest technologies and offered consultations at SAECCE 2021, where its technical experts made two key presentations, one of which explained the role of Plug&Charge (PnC) security for smart EV charging, while the other provided guidance to OEMs on how to incorporate in-vehicle security systems to meet both WP.29 and Chinese regional regulations. 

This marks AUTOCRYPT’s third consecutive year of participation in the dual events. To find out more about AUTOCRYPT’s comprehensive mobility security solutions, contact global@autocrypt.io.

Top 6 Cybersecurity Challenges Unique to the Automotive Industry

Cybersecurity is one of the most complex and dynamic fields in the data-driven world, involving a constant battle between hackers and defenders. As internet connectivity reaches every corner of our lives, cybersecurity is now an essential component for automobiles. Yet, many are surprised to find out that cybersecurity in the automotive industry is entirely different from what we are used to encountering in the IT industry, and this means that there are challenges in terms of preparation and prevention. This article takes a closer look at how automotive cybersecurity differs from traditional IT security, with cybersecurity challenges unforeseen in the automotive industry.

1. Massive Scale and Density

As vehicles become increasingly digitalized and connected, many like to draw comparisons between cars and computers, referring to automobiles as “computers on wheels”. However, comparing a car to a computer is not quite fair because a car is, in fact, made up of hundreds of individual computers, which in industry terms are called electronic control units (ECUs). The scale of the IT infrastructure in a vehicle resembles that of a small enterprise network, with all the computers, servers, and networking devices densely packed into this metal box. Now imagine having to manage cybersecurity risks for tens of millions of these densely packed “enterprise networks”; a single world-class OEM has between 20 and 100 million active vehicles on the road, a scale never seen in a single corporate IT environment.

Despite this seemingly impossible task, OEMs make cybersecurity scalable by incorporating it into the design and manufacturing stage. Since all vehicles of the same model contain an entirely identical IT infrastructure, they are able to pre-establish cybersecurity measures and embed them into the vehicle parts during the manufacturing stage. This brings us to the next point: type approval.

2. Regulations Requiring Cybersecurity Type Approval

In the IT industry, computer and device manufacturers are not directly responsible for the cybersecurity of their products. It is up to the users, mostly enterprises, to implement cybersecurity tools to protect their network and data. As a result, IT cybersecurity regulations tend to be enforced on enterprise users, not manufacturers. For instance, data privacy laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) mandate enterprises to have reasonable security measures to protect the customer data they possess. It is only recently that governments have started to require more transparent reporting from hardware manufacturers due to the latest surge of supply chain attacks.

In contrast, in the automotive industry, since cybersecurity must be deployed during the manufacturing stage, OEMs are directly held accountable for failures in cybersecurity implementation. UNECE’s WP.29 working party was the first to establish a set of regulations that require vehicular cybersecurity type approval, meaning that all vehicles must be assessed and qualified prior to being put on sale. The following diagram illustrates a stage-by-stage comparison of when cybersecurity is implemented between the automotive and the IT industry.

Cybersecurity Implementation: Automotive Industry vs. IT Industry

3. System Complexity

Besides having greater scale and density, the internal system of a vehicle—referred to as the E/E (electrical and electronic) architecture—is much more complex than that of a computer. With more than 30,000 hardware components moderated by over 100 ECUs, a single vehicle operates on over 100 million lines of code. What makes things more complex is that the in-vehicle system is largely distributed without a universal operating system; as each ECU serves a unique purpose, every one of them is crucial to a car’s functionality. For instance, some ECUs are paired with sensors and actuators. Some are paired with the powertrain. The ECU that provides wireless connectivity is called the telematics control unit (TCU)—or on-board unit (OBU)—overseeing communications between the vehicle and the outside world.

Given that the ECUs are highly sophisticated minicomputers, they are often manufactured by different third-party suppliers that specialize in their own field of expertise. This means that to implement cybersecurity throughout the vehicle, OEMs need to work with both cybersecurity providers and ECU manufacturers to ensure that all needs are aligned and all components interoperable. An example of such multi-party collaboration is demonstrated when AUTOCRYPT partnered with ECU manufacturer NXP Semiconductors to embed its AutoCrypt V2X software development kit (SDK) into NXP’s OBUs. The secured chipsets are then able to be delivered to OEMs for assembly.

As vehicles become more and more sophisticated, the industry is now looking for ways to group the ECUs by their domains of service and slowly work towards a more centralized vehicle system that is easier to assemble and manage, transforming the multi-tier supply chain into a more horizontal supply line.

4. Long Lifespan

Having covered the differences in the manufacturing process, it is now time to look at how car consumers differ from electronics consumers. With increasingly efficient engines, advanced mechanics, and precise quality control systems, vehicles now last longer than ever. As a result, more and more consumers are keeping their cars for longer, with the average age of vehicles on US roads reaching a record 12.1 years in 2020. This is three times the average age of computers in the US.

This might be good news for consumers. Yet, long-lasting cars pose a new challenge to OEMs, as they need to put more effort into managing software updates for each car model to ensure that they are free of security vulnerabilities. More active vehicles on the road also put more strain on the Vehicle Security Operation Center (vSOC), which needs to constantly monitor all vehicle systems in real time.

5. Scattered Locations

Speaking of vehicle monitoring, we need to talk about the unique challenges that the vSOC faces as compared to the SOC of an enterprise network. The computers and servers in a company do not move, hence it is easy for the cybersecurity team to monitor suspicious activities at all times and respond to threats immediately. On the other hand, vehicles move around constantly across cities and even countries. Oftentimes, they will enter zones without internet connectivity, making it difficult for the vSOC to detect and respond to threats due to delays in data transfer.

6. Damage Severity and Recovery

Lastly, if a cyberattack happens, an enterprise will most likely lose sensitive data and experience operational disruptions. However, a successful cyberattack against a vehicle system puts at risk not only data, but also the personal safety of the passengers and everyone else on the road. Patching vulnerabilities is also more complex in the automotive industry because the OEM needs to work with different Tier 1 suppliers and cybersecurity providers to ensure smooth updates.

How AUTOCRYPT Overcomes Automotive Cybersecurity Challenges

What sets AUTOCRYPT apart from other automotive cybersecurity providers is its capability to offer a complete set of end-to-end solutions that help OEMs overcome all aspects of cybersecurity challenges throughout the vehicle. From securing in-vehicle systems and V2X communications, to EV charging and fleet management, AUTOCRYPT eliminates the complexity of searching for a different provider for each problem, making it a completely personalized experience for each client.

AUTOCRYPT Named “Automotive Cybersecurity Company of the Year” for Second Year in a Row in 2021 AutoTech Breakthrough Awards

SAN FRANCISCO, Oct. 20, 2021 — Leading EV and autonomous vehicle cybersecurity provider AUTOCRYPT announced today that for the second year running, it has been named “Automotive Cybersecurity Company of the Year” in the 2021 AutoTech Breakthrough Awards, making it the only company to have won this title to date. Run by the Tech Breakthrough group, AutoTech Breakthrough is a leading market intelligence organization that recognizes the top companies, technologies, and products in the global automotive and transportation technology markets today.

AUTOCRYPT is the only automotive cybersecurity provider in the world that offers a complete security package for the entire mobility ecosystem. From securing in-vehicle systems and V2X communications to EV charging and fleet management, AUTOCRYPT provides a custom-built end-to-end solution for each client looking to integrate cybersecurity with functional safety, eliminating the complexity of searching for different providers. With branches and subsidiaries in Asia, North America, and Europe, AUTOCRYPT works closely with its clients based on regional needs. 

“We are thrilled to be recognized by AutoTech Breakthrough for this award again this year. This back-to-back recognition is a strong indication that we have done things right, yet also encourages us to continue refining our products and solutions to exceed customer expectations,” said Daniel ES Kim, AUTOCRYPT’s Co-Founder and CEO. “With the industry’s most capable R&D professionals holding decades of experience in IT and vehicular cybersecurity prior to our spinoff, we truly understand the challenges of OEMs and infrastructure developers and aim to tackle them at the individual level.”

This year’s AutoTech Breakthrough Awards program attracted more than 1,400 nominations from over 15 different countries across the globe, with categories including Connected Car, Electric Vehicles, Engine Tech, Automotive Cybersecurity, Sensor Technology, Traffic Tech, and many more. 

“As Plug&Charge (PnC) rolls out for EVs, simply plugging the car into the charging station involves the exchange of payment, driver, and vehicle information, making cybersecurity essential. AUTOCRYPT’s dedication to cybersecurity has allowed it to not only overcome today’s challenges but to shape the future of mobility with all industry partners by breaking through technical and regulatory barriers,” said Bryan Vaughn, Managing Director of AutoTech Breakthrough Awards. “Congratulations to AUTOCRYPT, once again this year, for being our choice for ‘Automotive Cybersecurity Company of the Year.'”

Having opened its German office in Munich earlier this year, AUTOCRYPT is now working closely with European OEMs on in-vehicle and V2X security solutions. To find out more about AUTOCRYPT’s comprehensive mobility security solutions, contact global@autocrypt.io.

AUTOCRYPT to Present V2X Security Solution at ITS World Congress 2021

HAMBURG, GERMANY, Oct. 8, 2021 — AUTOCRYPT Co., Ltd., a leading mobility security solutions provider, announced its participation at the ITS World Congress 2021 event to be held from October 11th to 15th, 2021. ITS World Congress is one of the largest events focusing on future mobility and digitalization of transportation, and the event offers exceptional access to the global community by inviting all sectors in the mobility field to play a role in the ongoing development of intelligent transport systems (ITS) and services.

At this year’s ITS World Congress, AUTOCRYPT will be presenting a range of mobility security solutions dedicated to creating a holistic mobility security services platform with a focus on V2X security, supporting regional standards of the EU, North America, as well as China, and APAC.

AUTOCRYPT’s V2X security product AutoCrypt V2X provides not only an endpoint security library and a backend PKI authentication system but also a customizable UI based on a centralized management service. As one of the top five V2X security providers in the world, according to Markets and Markets, AUTOCRYPT plans to showcase its oversight of South Korea’s smart road V2X capabilities at booth B5.014 at the ITS event.

Additionally, with its newest vSOC (Vehicle Security Operations Center) for its in-vehicle security solution, AutoCrypt IVS, OEMs can enjoy convenient management and access to oversee monitoring and detection of any vehicular cybersecurity threats.

“As Europe sets itself apart as an essential market for the development of mobility and security solutions, our expansion into Europe with our newest Munich office and ITS World Congress 2021 gives us confidence for a post-pandemic era,” said Daniel ES Kim, AUTOCRYPT’s CEO and co-Founder. “We are thrilled to provide more of our solutions worldwide by offering a greater commitment to providing integrated mobility security technologies for OEMs and suppliers in the industry.”

Find out more about AUTOCRYPT and its comprehensive mobility security solutions by visiting booth B5.014 or contacting global@autocrypt.io.

AUTOCRYPT Shortlisted for 2021 Informa Tech Automotive Awards as “Automotive Cybersecurity Product of the Year” for V2X Security Solution

DETROIT, MICHIGAN, Oct. 6, 2021 — AUTOCRYPT Co., Ltd., an industry-leading automotive and mobility cybersecurity company, announced today that its V2X security solution—AutoCrypt V2X—has been shortlisted for the title of “Automotive Cybersecurity Product of the Year” at the 2021 Informa Tech Automotive Awards. Formerly known as the TU-Automotive Awards, these are the most prestigious and anticipated awards throughout the automotive industry, celebrating the best products and services across automotive technology.

AutoCrypt V2X is a complete cybersecurity solution for V2X (vehicle-to-everything) communication, the foundational technology for autonomous driving and Intelligent Transport Systems (ITS), supporting the regional standards of North America, the EU, as well as China and Asia-Pacific. Recognized as one of the top five global market leaders in the V2X security market by Markets and Markets, AUTOCRYPT’s V2X security solution boasts high performance and low computation load, capable of processing 2,500 verifications per core per second, twice the industry standard.

“Automotive Cybersecurity Product of the Year” is a title that will be given to one outstanding cybersecurity technology product or service with active users during the year of 2020. AUTOCRYPT’s nomination for the title reflects AutoCrypt V2X’s market success, demonstrated by outstanding product performance, experienced consultations, and profound expertise from being the sole V2X security provider for South Korean C-ITS projects.

“We are thrilled to have been shortlisted for this prestigious award,” said Daniel ES Kim, AUTOCRYPT’s Co-Founder and CEO. “Our industry-leading authentication and key management technologies have allowed us to build the most robust V2X security solution in the market. We look forward to paving the path towards autonomous driving by helping OEMs overcome the limitations of sensors and providing smart road infrastructure for governments and city planners.”

The final winners of the awards will be announced during the 2021 Automotive Tech Week held at Novi, Michigan between November 15 and 19, 2021. AUTOCRYPT will be exhibiting at the event, where the company’s Chief Strategy Officer, Jaeson Yoo, will give a track presentation on the topic “Breaking Through the Barrier: Secure Fleet Management for Inclusive Transport” at 11:45 am on Wednesday, November 17 (EST).

This is the third year in a row in which AUTOCRYPT has been recognized by the awards program. AUTOCRYPT previously won the “Best Auto Cybersecurity Product/Service” title in 2019, and later was selected as a finalist for “Automotive Tech Company of the Year” in 2020.