Category: Blog

31 May, 2024 . 3 mins read

Securing Vehicles with Automotive Intrusion Detection Systems (IDS)

It has long been established that cybersecurity is becoming more important in the automotive industry. The mass adoption of cybersecurity practices in the industry is in line with the development of vehicle technology. Nowadays vehicles have more complex internal structures and are more exposed to external communication channels, meaning that there are more endpoints that need protection from cyber threats. Automakers are turning to various cybersecurity approaches to secure their vehicles, one of the most common ones being automotive intrusion detection systems (IDS).

What is an Automotive IDS?

An automotive IDS is an intrusion detection system adapted specifically for the automotive industry. These solutions monitor network traffic entering and traversing the vehicle, as well as the activities within the vehicle’s components, to detect traffic anomalies or potentially malicious activity. IDS compares the monitored traffic and behaviors against a database of known cyber threats and attack patterns. If a match is found, it raises an alert to the relevant administrators or security personnel to address.

Automotive IDSs typically employ two main detection methods:

1. Signature-based detection: Matches observed activity against a database of known malicious patterns or signatures.

2. Anomaly-based detection: Identifies deviations from established normal network behavior or activity baselines, flagging any unusual activities that might indicate a potential intrusion.

It’s important to note that an intrusion detection system is a monitoring tool, meaning it detects threats but does not actively prevent or mitigate them. Upon detecting anomalous behavior or a potential threat, the IDS sends an alert, allowing administrators to investigate and take appropriate action.

Types of Automotive IDS

IDSs are categorized based on their deployment location and the scope of activity they monitor. In the automotive context, we will discuss two main types:

1. Network-based IDS (N-IDS)

A network-based IDS monitors the entire vehicle network for anomalous activity, checking all incoming and outgoing traffic. This provides a broad, network-level view of potential threats and can detect attacks targeting the vehicle’s communication channels or network infrastructure.

2. Host-based IDS (H-IDS)

A host-based IDS is a security software designed to monitor the activities of an individual host or vehicle component, such as an Electronic Control Unit (ECU). It focuses on detecting threats targeting specific systems or components within the vehicle, providing a more granular level of cybersecurity monitoring.

While implementing either one of these intrusion detection system types will help protect an automobile from cyber attacks, most contemporary vehicles will benefit from a mix of both host-based and network-based IDS. For instance, Autocrypt’s IDS combines both network-based and host-based IDS to ensure maximum threat monitoring coverage across the vehicle’s network and individual components.

Comprehensive Vehicle Protection

To ensure comprehensive vehicle protection, automakers are highly advised to implement multiple cybersecurity solutions simultaneously. Since an IDS is a monitoring-only device, pairing it with an Intrusion Prevention System (IPS) would ensure that malicious activities are not only detected but also mitigated.

Additionally, implementing diverse cybersecurity measures will help automakers better address the requirements of vehicle cybersecurity regulations like UN R155 and R156, which mandate cybersecurity throughout the entire vehicle lifecycle.

By adopting a multi-layered approach with complementary cybersecurity solutions like IDS, IPS, and others, automakers can significantly enhance the overall security posture of their vehicles, safeguarding them against a wide range of cyber threats in today’s connected automotive landscape.

Visit our in-vehicle security solutions page to find the solution that best fits your cybersecurity needs.

Follow AUTOCRYPT on LinkedIn to stay informed about our latest news and blogs.

9 May, 2024 . 3 mins read

Compliance with UN R156: Securing Vehicle Software Updates

In the past, vehicles were purchased with a fixed set of functionalities that remained unchanged until the owner acquired a new vehicle. However, modern cars have evolved into customizable platforms with software that can be continuously updated and enhanced.

To meet the growing demand for personalization and remain competitive, manufacturers now offer advanced features that can be subscribed to and downloaded onto vehicles at any time after purchase. These functionalities, such as entertainment applications, driver assistance systems, self-driving capabilities, and others, are constantly being improved and updated.

Maintaining this kind of flexible software structure requires vehicle manufacturers to implement periodic update procedures. However, since these updates essentially alter the vehicle’s software and carry a fair amount of potential risks, it is crucial that they are implemented in the most secure way possible. This is where the UNECE Regulation 156 (UN R156) comes into play, establishing a much-needed framework for secure vehicle software updates.

UN R156 Requirements

UNECE Regulation 156 establishes the minimum cybersecurity and Software Update Management System (SUMS) requirements for vehicle manufacturers. According to the regulation, manufacturers must implement the SUMS and demonstrate that they have the necessary processes in place to comply with all secure software update requirements. The requirements can be divided into two main categories:

  1. Software Update Management System Requirements: These include securing communication channels for updates, validating software integrity, implementing access control mechanisms, and maintaining update logs for auditing purposes.
  2. Vehicle Type Requirements: Specific rules and standards that vehicles must meet to ensure secure software updates.

As vehicles become increasingly software-defined, the ability to update their software securely and efficiently is paramount as unsecured software updates can leave vehicles vulnerable to cyber threats, such as malware infections, data breaches, or even remote control of vehicle systems. These risks can compromise vehicle safety, privacy, and security, making it essential to implement robust cybersecurity measures for software updates.

Securing Updates for UN R156 compliance

UNECE Regulation 156 requires manufacturers to implement appropriate cybersecurity measures to mitigate potential risks from software updates. These measures include:

  • Implementing a software update management system
  • Securing communication channels for update processes
  • Validating software integrity to prevent tampering
  • Implementing access control mechanisms to protect against unauthorized access
  • Maintaining update logs for auditing purposes

AUTOCRYPT offers a suite of in-vehicle cybersecurity products and solutions that implement the necessary security processes in line with UN R156 requirements for secure software updates. Apart from cybersecurity implementation, we also offer UN R155/156 compliance consulting services. Visit our UNECE WP.29 Consulting page to learn more and download the WP.29 regulation checklist outlining the steps for UNECE regulation compliance.

As the automotive industry continues to embrace software-defined vehicles, UN R156 plays a crucial role in ensuring the safe and secure updating of vehicle software. By establishing baseline requirements for cybersecurity and software update management systems, this regulation helps protect vehicles, their occupants, and the broader transportation ecosystem from potential cyber threats. Compliance with UNECE Regulation 156 is a critical step towards building a safer and more secure future for the automotive industry.

12 April, 2024 . 4 mins read

Cybersecurity Management System for UNECE Regulation 155

The automotive industry is entering an important stage of cybersecurity implementation. In July of 2024, UNECE Regulation 155 (UN R155) about vehicle cybersecurity and Cybersecurity Management Systems (CSMS) is coming into full force. What does this mean for the larger automotive industry?

Vehicle manufacturers across the 64 WP.29 member countries will be required to adhere to regulatory compliance measures outlined in UNECE Regulation 155. Vehicles that do not comply with the regulations will not be eligible for registration starting July 2024. We can already see how the regulation is affecting the industry in the recent Porsche announcement. The company stated that they will be discontinuing the combustion-powered 718 Boxster convertible and the 718 Cayman models in certain countries, due to not meeting the cybersecurity standards outlined in UN R155 legislation.

UN R155 is a set of regulations developed by the United Nations Economic Commission for Europe (UNECE) pertaining to cybersecurity in vehicles. The regulation establishes cybersecurity requirements for the vehicle manufacturing process and vehicle type approval, aimed at enhancing the security of connected vehicles and increasing resilience against cyber threats.

Essential Approval Requirements

The essential UN R155 approval requirements for automotive cybersecurity, address standards and protocols for securing connected vehicles against cyber threats. However, UN R155 does not only focus on vehicle cybersecurity. The regulation oversees the entire vehicle manufacturing process, enforcing cybersecurity measures to be incorporated on an organizational level and throughout the vehicle’s entire lifecycle.

OEMs wishing to receive UN R155 approval must implement a cybersecurity management system that verifies secure operations throughout the vehicle development, production, and post-production phases.

Upon CSMS implementation OEMs must go through a CSMS assessment process, also known as a CSMS audit, that will be conducted by an appointed Approval Authority. During a CSMS audit, the Approval Authority assesses and verifies the manufacturer’s compliance with the requirements outlined in UN R155. If the assessment deems cybersecurity management system implementation successful, the OEM obtains the Certificate of Compliance for CSMS. The Certificate of Compliance is valid for three years and can be extended upon expiration.

Requirements for CSMS

The requirements for the Cybersecurity Management System are holistic in nature and call for vehicle manufacturers to follow cybersecurity-by-design principles. From a grander organizational perspective to granular vehicle attack vector assessments, the CSMS requirements seek appropriate cybersecurity measures that continuously monitor, detect, and respond to cyber threats across the vehicle development lifecycle According to UN R155, vehicle manufacturers should ensure that their Cybersecurity Management System complies with the following stipulations:

1. The vehicle manufacturer shall demonstrate that their CSMS applies to the vehicle development, production, and post-production stages.

2. The vehicle manufacturer shall demonstrate that the processes used within their CSMS to ensure security is adequately considered and implemented continuously. This requirement entails cybersecurity management processes, risk identification, assessment, and mitigation.

3. OEMs are expected to stay on top of new cyber threats and vulnerabilities, keeping their security measures current.

4. Vehicle manufacturers must be able to provide relevant data to support analysis of attempted or successful cyberattacks to their designated Approval Authority.

5. OEMs shall demonstrate that the processes used within their CSMS will ensure that cyber threats and vulnerabilities are addressed and mitigated within a reasonable time frame.

6. Vehicle manufacturers must be able to demonstrate how their CSMS will manage dependencies that may exist with suppliers, service providers, or manufacturer’s sub-organizations. This means that OEMs are accountable for implementing and verifying cybersecurity practices along their supply chains.

Requirements beyond the CSMS

Meeting cybersecurity management system requirements and obtaining the CSMS Certificate of Compliance is the first step of the regulatory compliance process. UN Regulation 155 also includes an array of cybersecurity requirements for vehicle type approval. The type approval process focuses on the effectiveness of the security measures implemented in the actual vehicle and its components.

Our latest ebook delves into the key vehicle components to focus on for UN R155 type approval and can offer insight into how different vehicle components require different types of cybersecurity measures. 

Download eBook

UNR155 download button

Automotive cybersecurity implementation cannot be done in a one-size-fits-all manner. Different OEMs will have different cybersecurity and testing needs based on their organizational structures, vehicle manufacturing processes, and supply chains. With industry-leading expertise accumulated through years of experience in cybersecurity implementation, AUTOCRYPT offers professional consulting services for automotive OEMs and suppliers in establishing the CSMS.

To learn more about our CSMS Consulting Services and cybersecurity regulation compliance, contact global@autocrypt.io.

22 February, 2024 . 4 mins read

The Role of Penetration Testing in the Automotive Industry

The esteemed hackathon Pwn2Own has had its first ever automotive-focused event in Tokyo, Japan this January. At the end of the three-day hackathon, hackers identified 49 unique zero-day exploits, accumulating over a million dollars in awarded bounties. Hackathons like this have been common practice in the tech industry for years, however, they are just getting popular in the automotive sector.

During these hackathons, white-hat hackers gather to uncover zero-day vulnerabilities in vehicles and their systems. While hacking may have its negative connotations, ethical hacking performed in these events is better defined by the term penetration testing.

As technology advances, vehicles become increasingly vulnerable to cyber threats. Securing vehicles from these cyber threats requires extensive and proactive cyber security practices that not only protect vehicles but also actively search for new vulnerabilities in constantly developing systems. In this blog, we delve into the realm of automotive penetration testing, a critical practice aimed at identifying weaknesses in vehicle security systems.

Understanding Automotive Penetration Testing

Automotive penetration testing, or pentesting, is a process designed to identify vehicle vulnerabilities by means of hacking into specific components of a vehicle. This proactive way of cybersecurity testing allows for the uncovering of security gaps in a controlled environment. 

Penetration tests can be conducted internally by cybersecurity experts employed by an OEM, as well as externally, by independent ethical hackers. Upon successful identification of a vehicle vulnerability, hackers share their findings with an OEM for further investigation and remediation.

Besides vulnerability assessment, penetration testing provides positive feedback that can be used for attack surface analysis and compliance assessment.

Attack surface analysis allows cybersecurity experts to evaluate potential entry points that malicious actors could exploit to breach a vehicle’s system. The adoption of connected features in vehicles, such as IoT devices, telematics systems, and infotainment units, has opened up new avenues for cyber attacks. The exponential growth in vehicle technology multiplies the avenues hackers can exploit to gain unauthorized access to vehicle systems, compromise safety features, or steal sensitive data. Hence, penetration testing can be used to uncover the vulnerabilities within the system and also the various entry points and attack vectors that can be used to exploit said vulnerability.

For instance, to identify security gaps in a vehicle’s external communications a hacker may conduct a penetration test on ECUs responsible for a vehicle’s connectivity functions like Wi-Fi or V2X. Hacking into these individual ECUs allows cybersecurity experts to generate a threat model that lays out the potential entryways, threats, and influences that may impact an ECU.

Why Automotive Penetration Testing Matters

By conducting thorough security assessments manufacturers can identify vulnerabilities in vehicle systems and address them proactively. This not only enhances the overall security of vehicles but also helps meet regulatory obligations effectively.

Vehicle security regulations have evolved to include robust cybersecurity measures as compliance requirements. UN Regulation No. 155 (UN R155), aimed at ensuring the cybersecurity of vehicles, mandates manufacturers to implement measures to protect against unauthorized access, manipulation, and theft of data.

To comply with the regulations manufacturers must conduct and document risk assessment tests, implement appropriate cybersecurity measures, detect, and respond to possible cyber attacks, as well as log data to support the detection of cyber attacks. Considering the extent of risk assessment required, it is clear that automotive penetration testing serves as a crucial tool in achieving and maintaining compliance with UN R155 requirements.

The Importance of Collaboration for Cybersecurity Testing

Compliance with regulations may be time-consuming and costly for vehicle manufacturers. Therefore, collaboration between automotive manufacturers, cybersecurity experts, and regulatory bodies is essential for effective security assessments. Comprehensive solutions that allow for continuous testing, threat intelligence gathering, and integrating security measures into the development process are crucial to ensure cybersecurity best practices.

AutoCrypt CSTP serves as a comprehensive cybersecurity testing platform that enables automotive OEMs to conduct cybersecurity testing for regulatory compliance and share integrated results for vehicle type approval. The newly launched platform runs a variety of vulnerability testing techniques, like penetration testing, engineering specification testing, and fuzz testing, using test cases mapped out for UN R155/156 and GB (GB/T).

As vehicles become increasingly connected, securing them against cyber threats is paramount. Automotive penetration testing emerges as a vital practice in safeguarding vehicles and ensuring the safety and security of drivers and passengers. By adhering to best practices, collaborating with industry stakeholders, and staying on top of regulatory requirements, automotive manufacturers can build resilient vehicles capable of withstanding the challenges of the digital age.

24 January, 2024 . 6 mins read

Vehicle Tech at CES 2024: The Official Introduction of Software-Defined Vehicles

CES 2024 introduced the world to the new era of software-defined vehicles, signifying the beginning of a massive technology transition in the automotive field. At its CES debut, AUTOCRYPT emphasized the importance of automotive cybersecurity for software-defined vehicles, while demonstrating its security solutions and testing tools for in-vehicle systems and V2X communications.

On January 9, 2024, AUTOCRYPT made its first appearance at CES, the world’s most influential tech event. Taking place conveniently at the beginning of the year, CES is the biggest stage for tech companies across the globe to showcase their innovations of the year. This year, more than 4,000 exhibitors and over 130,000 industry attendees gathered in Las Vegas for the show.

Originally known as the Consumer Electronics Show, the scope of CES has expanded far beyond consumer electronic products and now encompasses all types of technologies used throughout all stages of the value chain. Starting in 2019, the automotive tech industry has been playing an increasingly dominant role at the show, showcasing advanced automotive technologies like electric vehicles and autonomous vehicles.

Vehicle Tech Trend at CES 2024: Software-Defined Vehicles

At CES 2024, vehicle and mobility-related technology accounted for nearly half of the entire exhibition. The automotive industry has now become the center of technology innovations, a phenomenon driven by two major transitions in the industry:

  1. The shift from internal combustion engines to electric motors
  2. The switch from hardware-centric to software-centric vehicular architecture

The first transition was shown in previous CES exhibitions, where manufacturers showcased their latest electric vehicle models and concepts. The share of electric vehicles on the roads has also increased significantly throughout the past few years. CES 2024 brought the focus to the second transition, which has been less apparent to the public. Automotive OEMs and suppliers are now showcasing the latest software-centric architecture, operating systems, platforms, and applications, all of which are based on the fundamental concept of software-defined vehicles.

Breaking Down the Software-Defined Vehicle

What is the SDV?

The term “software-defined vehicle”, or “SDV”, has been widely used within the automotive industry to describe cars whose functionality and features can be upgraded over time through software updates. These cars provide a user experience comparable to smartphones and computers, often equipped with a tablet-like central console that controls all features.

Standardized middleware

The transition to SDVs requires a complete overhaul of the automotive manufacturing process. The transition not only requires the decoupling of hardware and software, but also the ability to perform software updates to specific components without impacting the interoperability of these components with the rest of the vehicle. The AUTOSAR Adaptive Platform is a middleware built for this purpose, allowing different manufacturers to build and update software on a standardized platform. In the end, automotive OEMs will need to dedicate most of their resources to software consolidation rather than hardware assembly.

Growing range of communication protocols

The growing diversity of vehicular applications leads to a growing need for dedicated communication protocols. The fundamental CAN (CAN FD) and FlexRay buses are signal-based communication channels necessary for real-time safety-critical (ASIL-D) use cases, such as braking, steering, airbag activation, and engine control. Yet, these protocols do not carry enough bandwidth for multi-tasking and large-size data transfer. This led to the implementation of many new communication protocols. Ethernet, for instance, is becoming increasingly prevalent in cars as it offers extremely high bandwidth at a cheap cost, best suited for advanced applications. SOME/IP is used to connect ECUs with different sizes, such as the in-vehicle infotainment (IVI), head unit, telematics control unit, and cameras.

Centralized E/E architecture

With the growing number of advanced features, a high-end car can have up to 300 ECUs. This is overly complex to build on a conventional distributed E/E architecture—there is simply not enough room to fit all the cables and wires.

A conventional distributed E/E architecture

To reduce the number of cables and wires while accommodating all the advanced applications, advanced processors like zonal controllers and high-performance computers (HPC) must be adopted. Different from controller-based ECUs, these processor-based ECUs consolidate a wide range of software from different domains and process them on a single central computing unit. Since they can communicate via multiple protocols, functional domains like ADAS, IVI, and body control can all be executed on a single HPC.

A centralized (zonal) E/E architecture
CES 2024: Major chipmakers now making automotive processors for SDVs.

Automotive OS

The complete software stack of a software-defined vehicle is commonly referred to as the “automotive OS”. This contains the HPC, the hypervisor—which allows the HPC hardware to execute both backend applications and the frontend UX, the backend OS (OSEK OS, Linux, QNX), the user OS (Android Automotive – not to be confused with Android Auto), the AUTOSAR Adaptive stack, and the applications—often placed in containers for easy management and update.

CES 2024: Automotive OEMs and suppliers showcase their SDV OS, HPCs, and platforms.

Automotive cybersecurity

As automotive OEMs become software companies, cybersecurity becomes essential. In fact, cybersecurity is an integral component of SDVs, as standardized by ISO/SAE 21434 and regulated by UN Regulations 155/156. When implementing the automotive OS, end-to-end encryption, two-way authentication, and threat detection mechanisms must be incorporated to secure the in-vehicle network and monitor abnormal ECU activities.

Besides embedded security software, automotive cybersecurity must begin at the vehicle development stage, where vulnerability tests like software composition analysis and fuzzing have become legal requirements.

As an industry-leading automotive cybersecurity company, AUTOCRYPT offers a comprehensive cybersecurity solution for software-defined vehicles, covering vulnerability testing, TARA, and embedded security, all of which are custom-built to support all types of communication protocols and platforms. Its latest development – AutoCrypt Security Fuzzer for HIL – enables fuzz testing in hardware-in-the-loop (HIL) simulation environment.

CES 2024: AUTOCRYPT demonstrates its cybersecurity solutions for SDVs.

The Future of SDVs: Autonomous Driving, In-Car Shopping, Shared Mobility

The transition to SDVs is fundamental to autonomous driving, given that autonomous driving software needs continuous updates. Autonomous vehicles continue to be a major topic at CES 2024. What’s different from the past is that there is now a much wider array of use cases for autonomous mobility, from last-mile delivery vehicles to remote-driving tractors.

Other trends that accompany the SDV evolution include the growing number of in-vehicle infotainment features such as online shopping and media consumption, as well as the emergence of purpose-built vehicles made for specific use cases.

CES 2024: The IVI dashboard of an autonomous vehicle (left) and a last-mile delivery vehicle (right)

Ultimately, SDVs are creating a new ecosystem that is attracting all types of technological innovations and opportunities, an ecosystem that is more scalable and adaptable than smartphones. Therefore, SDV-related technologies are expected to dominate the tech industry for many years to come.

28 December, 2023 . 3 mins read

Infographic: 2023 Year in Review

This year was full of innovation and exciting new partnerships. We want to thank our investors, partners, clients, readers, and visitors for your support in 2023. We are looking forward to what 2024 will bring!

Have a Happy New Year !

See below for a summary of AUTOCRYPT’s accomplishments in 2023.

Download PDF

(Accessibility version below)

New solutions:

AutoCrypt TEE – an ASPICE CL2-certified in-vehicle systems security solution that utilizes the trusted execution environment to secure advanced applications like ADAS, IVI, and CCU

AutoCrypt Security Fuzzer for HIL  – an add-on version to the existing Security Fuzzer, the “AutoCrypt Security Fuzzer for HIL” is fuzz test solution optimized for vehicle HIL simulations that helps OEMs detect and report vulnerabilities for safety validation

“TARA Template for Automotive” – a project management tool for conducting Threat Analysis and Risk Assessment (TARA), a process crucial to the development and maintenance of automotive software

EVIQ CSMS for Plug&Charge an add-on tool that will seamlessly guide the deployment and management of Plug&Charge operations, available for charge point operators and e-mobility service providers

AutoCrypt KEY – a tool that enables OEMs and suppliers to efficiently manage all types of cryptographic keys used for the components of connected and electric vehicles. AutoCrypt KEY provides all the key management features needed for automotive production

Major partnerships:

AUTOCRYPT and RWTH Aachen University jointly developed “AutoCrypt Security Fuzzer for HIL”, enabling smart fuzzing in HIL simulations.

AUTOCRYPT and V2ROADS entered a cooperation agreement to deliver a full-stack secure V2X solution to Europe, North America, and South Asia.

AUTOCRYPT joined forces with Hitachi Solutions, Ltd. to provide joint offerings and consulting services covering V2X and in-vehicle systems security to Japanese automotive OEMs and tier suppliers.

AUTOCRYPT partnered with a world-renowned Tier-1 telematics supplier, where AUTOCRYPT integrated its V2X security library into the supplier’s OBU.

AutoCrypt V2X-PKI, a tri-standard compliant SCMS platform, was adopted by a global automotive OEM to manage its SCMS operations under the EU CCMS standard.

Certificates:

ASPICE → AUTOCRYPT was recognized with an ASPICE Capability Level (CL) 2 certification for its AutoCrypt TEE software security platform and its well-established processes in securing in-vehicle systems and software.

Events:

This year we had the chance to connect with partners and clients, as well as showcase our solutions, at some of the most coveted global events in automotive industry.

  • UITP Global Public Transport Summit 2023
  • ITF 2023 Summit
  • ITS European Congress 2023
  • AutoTech Detroit 2023
  • Electric Vehicle Asia 2023
  • IAA Mobility 2023
  • Aachen Colloquium 2023
  • Expand North Star Dubai