The State of Level 3 Autonomous Driving in 2023: Ready for the Mass Market?

Autonomous driving technology has come a long way. In recent years, the automotive tech industry has made significant enhancements to the capability and reliability of sensors, cameras, and vehicle-to-everything (V2X) communication, driving road transport toward higher levels on the autonomous driving spectrum, as defined by the SAE’s Levels of Driving Automation.

SAE J3016 levels of driving automation
Source: SAE International

This spectrum has become an internationally recognized classification for automated driving systems. Its six levels can be divided into two broad categories: driver support systems from L0 to L2 (shown in blue), and automated driving systems from L3 to L5 (shown in green). For the past several years, industry players have been working to make the jump from L2 to L3.

From Level 2 to Level 3 Autonomous Driving, a Legal Matter

The leap from L2 to L3 is clearly the most significant on the spectrum. Whereas L2 covers advanced driver support features, L3 marks the beginning of conditional autonomous driving, where drivers can legally take their eyes off the road when conditions are met. Strictly speaking, only vehicles classified as L3 and above are truly autonomous vehicles.

By now, most major automotive OEMs have mastered the technologies for L2 autonomy. As of the beginning of 2023, L2 driver support systems include Tesla’s Autopilot with “Full Self-Driving”, Audi’s Traffic Jam Assist, GM’s Super Cruise, BMW’s Extended Traffic Jam Assistant, Ford’s Blue Cruise, Hyundai’s autonomous driving package, and many more.

Now, a problem arises when OEMs seek to introduce vehicles with Level 3 autonomous driving. Looking at SAE’s autonomous driving spectrum again, the levels of autonomy are not defined by a vehicle’s self-driving capability, but instead by the expected roles of the vehicle and the human driver. For instance, under L2, the human driver must pay full attention to the road even when all driver support systems are on, whereas in L3, the human driver can officially take their eyes off the road when the automated driving systems are switched on.

Therefore, if an OEM wants to officially introduce an L3 vehicle, it must be liable for all potential accidents that occur while the vehicle’s L3 systems are switched on. That is, no matter how advanced and sophisticated the technology inside a vehicle might be, if the OEM is not ready to claim responsibility for accidents caused by its systems, the vehicle can only be classified as high as L2.

The truth is, although the technology for Level 3 autonomous driving might be ready, many OEMs are not yet prepared to officially claim L3 for legal reasons. This explains why Tesla uses the name “Full Self-Driving” to market its L2 driver support systems without mentioning L3 autonomy. Some OEMs use the term “L2+” to show that their technological capabilities have surpassed L2, yet do not claim L3. Hence, the gap between L2 and L3 is more of a legal gap than a technological gap.

Official Certifications Needed for L3 Autonomy

Since L3 is the first level on the SAE’s spectrum to allow drivers to take their eyes off the road, official certifications and approvals are needed before OEMs can claim a vehicle to be L3. These certifications are often issued by regional transport authorities and highway safety agencies.

In May 2022, Mercedes-Benz became the world’s first manufacturer to get approved by German transport authorities to legally operate its L3 Drive Pilot on the country’s public roads, sold as an option on Mercedes-Benz S Class and Mercedes EQS. This means that those with L3 Drive Pilot are legally allowed to eat, draft emails, or watch videos on the Autobahn. Still, given that L3 autonomy is conditional, if the vehicle loses the environmental or locational conditions to operate at L3, it will prompt the driver to take control within ten seconds. If the driver fails to respond in ten seconds, the car will automatically turn on emergency lights and decelerate to a full stop on the side of the road, then unlock the doors in case first responders might need access to the cabin.

At CES 2023, Mercedes-Benz further announced that it has become the first manufacturer to receive L3 certification in the United States, from the state of Nevada. However, since L3 approval is granted at a state level in the US, the system is only considered L3 in Nevada for now. Nonetheless, the OEM says its Drive Pilot is fully ready to deliver L3 autonomous driving in all 50 states.

Is Level 3 Autonomous Driving Coming to the Mass Market in 2023?

Mercedes is the first manufacturer to make the bold move to bring L3 autonomy to the consumer market. Although Honda Legend won the title for the world’s first approved L3 vehicle back in 2021, only 100 limited-edition vehicles were available for lease only in Japan. Honda’s L3 road map suggests it may take much longer to reach the mass market.

There is no doubt that more and more manufacturers will follow Mercedes’ move towards L3 autonomy. Major OEMs like Hyundai-Kia, Stellantis, BMW, GM, and Honda are continuously reporting progress and plans for L3 rollout. However, it is always easy for OEMs to announce plans and schedules but difficult to make the final decision to obtain L3 approval. Even Mercedes’ L3 Drive Pilot is available for the S Class only, and legally approved in very limited regions (Germany and Nevada). Apart from legal concerns, sensitive public reactions toward flaws in automated driving systems make OEMs more reluctant to introduce L3 vehicles on a large scale.

Hence, although the news is filled with press releases and announcements on launching L3 systems, L3 vehicles are unlikely to be available to the mass market within 2023. Nevertheless, following the path of Mercedes-Benz, more and more OEMs will likely launch L3 options for their high-end vehicles in limited regions within the year.

Addressing the Challenges Ahead

Achieving Level 3 autonomy is not just a matter of technological capability, but a matter of confidence – the confidence that OEMs have in their automated driving systems. Before OEMs can gain full confidence in taking responsibility for their automated driving systems, several potential risks need to be addressed. One of them is cybersecurity risk.

Since automated driving features are run by software, these software-defined vehicles (SDV) must not be vulnerable to cyberattacks. If a threat actor were to gain access to a vehicle’s embedded systems and applications, they could gain the ability to tamper with driving data and potentially take control over crucial functions of the vehicle.

AUTOCRYPT has always envisioned a world of L3 and L4 autonomy. Since its inception, it has been working with OEMs and software providers to secure the in-vehicle systems and communication endpoints of SDVs through its industry-leading encryption and authentication technologies, offering solutions from vulnerability testing to intrusion detection and protection.

To learn more about how AUTOCRYPT secures the SDV, download the white paper below.


“The changing tides of the automotive industry into more software, and less hardware, indicate that vehicles will be a possible target for cyberattacks. This is why holistic, comprehensive cybersecurity is essential in securing the next generation of SDVs.”


Infographic: 2022 Year in Review

Post-pandemic 2022 has been a busy and exciting year for AUTOCRYPT, filled with innovative new product launches and accomplishments. We wanted to thank all our investors, partners, clients, and visitors for all your support over the year. Have a wonderful holiday and see you in 2023!

See below for a summary of AUTOCRYPT’s accomplishments in 2022.


(Accessibility version below)

Red Herring – AUTOCRYPT was selected as “2022 Red Herring Top 100 Global” by Red Herring magazine

2022 Cybersecurity Breakthrough Awards – AutoCrypt IVS won “Automotive Cybersecurity Solution of the Year”

2022 AutoTech Breakthrough Awards – AutoCrypt EQ was awarded “Ride Hailing Innovation of the Year”

Events – We had some meaningful conversations and discussions with our partners and clients at international events this year, including ITF Summit, AutoTech: Detroit, EVS35 Oslo, and ITS World Congress

WebTrust Accreditation – AUTOCRYPT was officially accredited by the WebTrust program as a root CA for the V2X-PKI ecosystem

Series B – AUTOCRYPT closed its Series B financing round with $25.5 million, bringing its total valuation to $120 million

EVIQ – In the summer, we launched EVIQ, an all-in-one EV information and charging platform that comprises a charger locator map, a charging station management system (CSMS) for CPOs, a smart-billing Level 1 EV charger for residential use, and a Plug&Charge security module for secure and seamless charging

AutoCrypt V2X-Air – Launched in Spring, AutoCrypt V2X-Air is a portable OBU for vulnerable road users, enabling pedestrians and micromobility users to easily join the V2X ecosystem

Security Analyzer and Security Fuzzer – We launched a set of vulnerability testing tools utilizable during any stage of the software development lifecycle, dedicated to software-defined vehicles

Integrated Management System for SCMS – IMS for SCMS allows OEMs to view all their SCMS certificates on one centralized GUI.

Plug&Charge – AutoCrypt PnC was integrated into Hyundai Motor’s E-pit charging service platform, an ultra-rapid EV charging network across South Korea.

From EV to Autonomous Driving: A Look Into the Mobility Industry in 2022

2022 was a turbulent year for the mobility industry. As the economy has been recovering back to its pre-pandemic state, we have seen a surge of technological advancements that are shaping the industry.

To commemorate the end of the year, we have carefully analyzed the market and gathered four key insights to discuss the biggest trends of 2022 and see what the trajectory for the future of the mobility industry looks like.

1. The tipping point in EV adoption 

In 2022, we saw the catastrophic impact of the climate crisis on our planet. The world was struck by extreme heatwaves in Europe, hurricanes across multiple US states, and monsoon flooding in Asia. The intensity of these devastating climate disasters has been increasing as a result of climate change. And as the global climate crisis continues to unfold, governments are taking action to tackle the dangers of climate change by rolling out net-zero carbon emission policies to accelerate the road to decarbonization.

One of the largest industries contributing to the climate crisis is transportation, which is responsible for 20% of carbon emissions worldwide. Decarbonizing the mobility and transportation sector is imperative in reaching net-zero goals, and electrifying the roads is the most effective way to do so. Electric vehicles have been at the forefront of the transition in the mobility industry. As the world strives toward net-zero emissions, governments are increasingly pushing for electric vehicle (EV) adoption through subsidies and related policies. Europe and the United States are leading the way with regulatory targets of reaching a 50% EV market share by 2030. On the other side of the spectrum, consumers are becoming more environmentally conscious and increasingly willing to make the switch in favor of electric vehicles. And as the technology gets more advanced, the supply side is catching up with the demand.

The EV adoption rates are signaling a positive change in the market and bringing us closer to reaching net-zero goals in the transportation sector. However, we are still far from achieving decarbonization and need to take drastic measures in accelerating EV adoption across the board. Continuing to expand the charging infrastructure, supporting change with government policies and subsidies, as well as encouraging innovation are some of the key steps we need to take to meet decarbonization targets.

2. Autonomous driving

Electrification on the roads lays down the groundwork for further innovation opportunities in the mobility industry. To accommodate EV production, manufacturing facilities had to be redesigned and rebuilt from scratch, which allowed OEMs to trial new technologies and software in their vehicles. As the EV market grows, we can see the expansion in related automotive technologies, with innovations ranging from connectivity to autonomous driving.

The buzz around autonomous driving technologies has been around for a while; rightfully so, as autonomous driving technologies are extremely beneficial in increasing road safety and access to mobility. And 2022 was a notable year for the collective movement toward achieving higher levels of autonomy. Currently, major OEMs have achieved Level 3 autonomy, or conditional autonomy, where the vehicle can drive itself under appropriate conditions, but a human driver must always be present in the car. The main technology that allowed us to achieve Level 3 autonomy is Advanced Driver Assistance Systems or ADAS. ADAS uses radars, cameras, ultrasound, and a variety of different software to achieve vehicle automation. While ADAS is an essential element in providing autonomous driving, it is simply not enough to achieve higher levels of autonomy.

Autonomy Levels 4 and 5 entail high levels of autonomy with minimal to no intervention from the driver. To achieve these advanced autonomy levels, we need more comprehensive technologies such as connectivity. At the heart of vehicular communication technologies, we have vehicle-to-everything (V2X) technology that connects the vehicle to the network, infrastructure, other vehicles, and passengers around it. V2X communication utilizes wireless communication between the vehicle and the environment around it to gather real-time data on traffic conditions, road signs, warnings, and much more. V2X technologies are also very beneficial in ensuring road safety as they include connectivity with other vehicles (V2V) and pedestrians on the road (V2P).

This technology can greatly improve the effectiveness and accuracy of existing ADAS technologies and fast-track the path to full automation. 

3. Universal mobility

EV passenger vehicle numbers are growing, and so are the numbers of EV commercial fleets. In the past years, we have seen governments deploy electric buses, trams, and taxis in attempts to decarbonize public transport systems as well as increase access to mobility. Universal mobility entails having access to transportation for all members of society. The ultimate goal is to achieve universal basic mobility (UBM) and democratize the sector so everyone can access safe and efficient transportation. Among the latest technologies aimed to provide UBM are mobility-as-a-service (MaaS), robotaxis, and carsharing services.

The emergence of MaaS is not surprising, as it allows access to transportation for everyone who owns a smartphone. MaaS is currently on the rise with multiple successful cases worldwide, namely Kakao Mobility, Uber, and Lyft. These companies have been able to integrate multiple modes of transportation into a user-friendly mobile application, making transportation easily available to people at the tap of their fingers. 

As MaaS continues to grow, businesses will need assistance in rolling out their own mobility services. AUTOCRYPT launched its mobility service solution AutoCrypt® MOVE, integrating its fleet management system with big data analysis and demand-oriented service modeling to help businesses and NGOs easily establish their own mobility services and reach universal basic mobility.

4. Increasing need for cybersecurity

As vehicles become increasingly automated and connected, the need for effective cybersecurity measures becomes more important. With the proliferation of connected vehicles, hackers have more opportunities to gain access to vehicle systems and potentially cause harm. In addition, the increased use of automation in vehicles means that there are more potential points of failure that could be exploited by malicious actors. 

One of the main reasons for the increasing need for cybersecurity in the automotive industry is the growing number of connected vehicles on the road. Many modern vehicles are equipped with internet connectivity, which allows them to communicate with other vehicles and with external systems, such as traffic control systems and other infrastructure. This connectivity opens new possibilities for vehicle operation and convenience, but it also creates new vulnerabilities that can be exploited by hackers. For example, a hacker who gains access to a connected vehicle could potentially take control of the vehicle’s systems, including its brakes, steering, and acceleration. This could result in dangerous situations, such as collisions or loss of control. In addition, a hacker could potentially access sensitive personal information stored in the vehicle, such as location data or information about the vehicle’s owner. Exactly that happened in January of this year when a researcher was able to hack into 25 Tesla vehicles and gain access to vehicle control and the personal information of car owners. 

Another reason for the increased need for cybersecurity in the automotive industry is the growing use of automation in vehicles. Many modern vehicles are equipped with ADAS and vehicular communication technologies, which can assist with tasks such as lane keeping, automatic braking, and adaptive cruise control. While these systems can improve safety and convenience, they also introduce new potential points of failure that could be exploited by hackers.

Overall, the increasing use of automation and connectivity in vehicles is creating new challenges for cybersecurity. To protect against these challenges, it is important for the automotive industry to develop and implement effective cybersecurity measures. This may include measures such as encryption, secure authentication, and regular over-the-air (OTA) software updates to protect against known vulnerabilities. 


This year has seen positive strides in the mobility industry. The expansion of electric vehicle adoption, autonomous driving, universal mobility, and cybersecurity points to an industry-wide trend toward electrification, decarbonization, and innovation. However, in order to achieve the full potential of the technological shift within the sector we must remember to support this expansion with government policies, investments, and innovation.

As an automotive cybersecurity and mobility solutions provider, AUTOCRYPT offers secure connectivity technologies that support the expansion of the mobility sector. From securing V2X communications to embedded vehicular systems, AUTOCRYPT ensures that all connections are secured before vehicles hit the road.

From Safety to Sustainability: A Look at the Short-Term Benefits of V2X

There are two major approaches to achieving autonomous driving. The first is ADAS (advanced driver-assistance systems), and the other is V2X (vehicle-to-everything). Although the public is now quite familiar with ADAS, V2X remains a relatively unknown field. Even among industry stakeholders, a common misconception about V2X is that it must be deployed on a mass scale to provide meaningful benefits. In this blog, we explain why V2X deployment might not be as big an investment as it might seem, by looking at some of the short-term benefits of V2X.

Why It Doesn’t Need to Be Mass Deployment

Indeed, the ultimate objective of V2X is to create a fully connected mobility ecosystem that enables a state of full driving automation (Level 5), where vehicles seamlessly communicate with their surrounding vehicles and infrastructure through exchanging messages in real-time, overcoming the shortcomings (e.g., blind spots, failed object recognition) of cameras and sensors. This approach towards autonomous driving is also referred to as Vehicle-Infrastructure Cooperated Autonomous Driving (VICAD).

However, establishing an entire V2X ecosystem is a long process, as it can take many years to transform an entire city’s transport infrastructure into V2X-enabled systems. Therefore, industry players shouldn’t solely focus on the final objective of VICAD, but instead, work towards deploying V2X for its immediate benefits. This way, consumers can start benefiting from V2X sooner, which helps generate momentum to accelerate further investment and deployment.

Imagine planning and building a subway network from scratch. Of course, the final goal is to create an interconnected network that covers the entire city. However, if the public must wait for an entire network to be completed before benefiting from it, there would be very little interest in moving the project forward. Instead, cities start by building and operating a single line to allow at least some consumers to benefit from it in the short term.

The same is true for V2X. It doesn’t need to be mass deployment before we can start to see benefits. Some case-specific applications, including Signal Phase and Timing (SPaT) and emergency vehicle preemption (EVP), have already generated some promising short-term benefits in terms of road safety and efficiency.

The Short-Term Benefits of V2X

1. Road safety

Even with selective, small-scale deployments over the short term, V2X opens the opportunity for many creative approaches to enhance road safety. For instance, V2X roadside units (RSU) can be installed onto traffic signals at selected intersections where car accidents frequently occur, enabling Signal Phase and Timing (SPaT). SPaT is a V2X application where the traffic signal informs incoming vehicles of the remaining time of the signal. When vehicles receive that information, they can automatically determine whether to continue to cruise through the intersection, slightly accelerate to pass through prior to the signal change, or gently decelerate to a full stop. Having machines do the timing and calculation can help reduce human misjudgments at intersections.

It might be tempting to think that SPaT is only beneficial when all vehicles are equipped with V2X onboard units (OBU). Of course, the more V2X-enabled vehicles there are, the more effective the use case becomes. Still, if only a quarter of vehicles were to be equipped with V2X OBUs, SPaT would make a significant difference by improving the safety record of the intersection. This is because drivers have a natural tendency to move with the flow. The behaviour of V2X-enabled vehicles will influence the behaviours of surrounding drivers, encouraging them to comply with the coordination as well, hence reducing the likelihood of dangerous acceleration and braking during yellow lights.

Installing RSUs at intersections enables another common use case known as emergency vehicle preemption (EVP), which is currently deployed in many major cities across the globe. This is where OBUs installed in ambulances and fire trucks communicate with RSUs at intersections, prompting the traffic signal to change in favour of their direction, making it a very useful application in dense city streets where emergency vehicles can easily get stuck in gridlocks.

As such, localized V2X applications like SPaT and EVP do not require mass deployment. Hence, infrastructure operators and automotive OEMs can focus primarily on these short-term benefits.

2. Traffic efficiency

Besides safety, traffic efficiency is one of the other short-term benefits of V2X. A promising V2X-enabled solution that helps increase traffic efficiency is truck platooning. This is when a fleet of trucks cruise in a row at the same speed in the formation of a train. Given that trucks take up a significant percentage of the highway, having trucks travel individually at different speeds across different lanes can slow the overall traffic and lead to potential safety hazards. By lining them up in a lane at a consistent speed, a significant amount of space can be freed up, enabling faster travel speeds, and reducing the level of congestion during peak times. Furthermore, truck drivers in the follower trucks will be able to rest during the trip, reducing the likelihood of driver fatigue, hence enhancing road safety as well.

Another localized application of V2X is smart parking. This is when RSUs installed in parking lots communicate with OBUs in nearby vehicles to inform them about parking space availability. In busy urban centers, a great amount of aggregated time is spent searching for parking space. Not only is it a frustrating experience to circle around a busy block looking for the nearest available parking space that doesn’t cost a fortune, but those in search of parking add to the existing traffic and cause further congestion. With V2X-enabled smart parking, there will be no need to roam around urban streets for parking.

3. Cost saving

Road transportation comes with a cost. Apart from fuel and maintenance costs, every minute spent sitting in traffic is an opportunity cost that can be measured in the form of lost productivity. According to the 2021 INRIX Global Traffic Scoreboard, traffic congestion in the United States costs the average driver $564 in lost productivity throughout the year, and an aggregated $53 billion to the country.

When RSUs are deployed in critical areas such as frequently congested intersections and highway merges, V2X-enabled traffic coordination like SPaT and lane merge assists can reduce congestion remarkably, thus cutting unnecessary fuel consumption and productivity loss.

4. Environmental sustainability

When it comes to sustainable transport, electric vehicles (EV) are the most effective solution that contributes directly to a reduction in carbon emissions. However, many do not realize that V2X is another promising technology that can make a positive impact on environmental sustainability.

This is because V2X is an effective energy saver. As mentioned above, since V2X applications can help coordinate traffic and reduce congestion, the average vehicle spends less time on the road, with less unnecessary acceleration and braking. This results in not just lower emissions, but also less electricity consumption for EVs. Although this might seem like a subtle difference for a single vehicle, the accumulated energy savings and emission cuts can make a meaningful impact on the environment.

Additionally, just like emergency vehicle preemption, OBUs can also be installed on buses and street cars so that traffic signals can give priority to public transit, making traveling by public transit more efficient and convenient, thus encouraging greater usage.

5. Convenience

Regardless of its application, a common benefit that V2X brings across all use cases is convenience. Through real-time communications, road users will be able to benefit from a smart and connected mobility environment.

Start Small, Think Big

Back to the point — V2X connectivity isn’t all about the big picture of full autonomous driving. Through vehicle-infrastructure cooperation, V2X can be utilized for a wide range of localized use cases that do not require much time and effort to deploy. Eventually, these local deployments will naturally accumulate to shape an interconnected V2X ecosystem, enabling a complete VICAD experience. Therefore, policymakers, infrastructure operators, OEMs, and investors should push forward V2X deployment by focusing primarily on its immediate benefits.

Securing V2X Communications

An integral component of V2X deployment is cybersecurity. Encryption and PKI-based authentication measures must be pre-established within the communication end-entities (OBU/RSUs) to ensure that the messages communicated via V2X are securely protected from unauthorized access and tampering. In turn, with more and more localized V2X deployments, cybersecurity capability will continuously improve with enhanced regional security policies.

AUTOCRYPT’s secure V2X communications solution strengthens both privacy and safety for V2X applications, including a security module installable onto OBU/RSUs, a Security Credential Management System (SCMS) that issues, revokes, and manages digital certificates for end-entities, as well as an Integrated Management System (IMS) for SCMS that allows automotive OEMs to easily manage all their V2X certificates across all vehicle fleets via a graphical user interface.
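
The PKI-based authentication described above, sketched as an added example (not AUTOCRYPT's code or anything from this page): an RSU signs a SPaT message, and the receiving OBU checks the certificate chain, the revocation list and the signature before trusting the payload. A toy in-memory root stands in for the SCMS and X.509 stands in for the V2X certificate format; all type, function and identity names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPaT is a simplified signal phase and timing payload (hypothetical field names).
type SPaT struct {
	Intersection, RemainingSec int
	Phase                      string
}

type SignedMessage struct{ Payload, Sig, CertDER []byte } // what the sender broadcasts

type Identity struct { // certificate plus private key: the toy SCMS root or an OBU/RSU
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var (
	ErrChain     = errors.New("certificate does not chain to the trusted root")
	ErrRevoked   = errors.New("certificate has been revoked")
	ErrSignature = errors.New("signature does not match payload")
)

// must aborts on setup errors (key generation, encoding) to keep the example short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue signs a certificate for cn with parent's key; a nil parent yields the self-signed root.
func Issue(cn string, parent *Identity) *Identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	signer := parent
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		signer = &Identity{t, key}
	}
	der := must(x509.CreateCertificate(rand.Reader, t, signer.Cert, &key.PublicKey, signer.key))
	return &Identity{must(x509.ParseCertificate(der)), key}
}

// Revoke puts a certificate's serial number on the receiver's revocation list.
func Revoke(crl map[string]bool, c *x509.Certificate) { crl[c.SerialNumber.String()] = true }

// Sign serialises the payload and signs its SHA-256 digest with ECDSA P-256.
func Sign(id *Identity, m SPaT) SignedMessage {
	payload := must(json.Marshal(m))
	digest := sha256.Sum256(payload)
	return SignedMessage{payload, must(ecdsa.SignASN1(rand.Reader, id.key, digest[:])), id.Cert.Raw}
}

// Verify is the receiver side: chain, revocation, signature; the payload is parsed last.
func Verify(root *x509.Certificate, crl map[string]bool, msg SignedMessage) (m SPaT, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	cert, err := x509.ParseCertificate(msg.CertDER)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	}
	if err != nil {
		return SPaT{}, ErrChain
	}
	if crl[cert.SerialNumber.String()] {
		return SPaT{}, ErrRevoked
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(msg.Payload)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], msg.Sig) || json.Unmarshal(msg.Payload, &m) != nil {
		return SPaT{}, ErrSignature
	}
	return m, nil
}

func main() {
	root, crl := Issue("toy-scms-root", nil), map[string]bool{}
	rsu := Issue("rsu-intersection-42", root) // constructed identity
	msg := Sign(rsu, SPaT{42, 7, "green"})
	fmt.Println(Verify(root.Cert, crl, msg))
	Revoke(crl, rsu.Cert)
	fmt.Println(Verify(root.Cert, crl, msg))
}
```

A message signed under a different root fails the chain check even when its certificate carries the same subject name, and a previously valid message is rejected once its certificate's serial number is on the revocation list.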


To learn more about AUTOCRYPT’s V2X security solutions and offerings, contact global@autocrypt.io.


Cooperation in the New Automotive Software Supply Chain: An Emphasis on Cybersecurity

While there have been many changes within the automotive industry since Toyota invented Just-in-Time (JIT) manufacturing in the 1960s, the automotive supply chain hasn’t seen much change within the past 60 years. The supply chain has been a solid vertical structure: Tier 2 suppliers provide subcomponents and materials to Tier 1 suppliers, who then supply OEMs with ready-to-install parts for assembly. This supply chain structure has been universally adopted because it is highly streamlined and efficient, both important attributes of vehicle production. Under this structure, automotive OEMs do not need to communicate directly with lower-tier suppliers, while every supplier focuses solely on fulfilling the orders of the upper-tier supplier. This all worked out great – until automotive software took over the vehicle.

This vertical structure made perfect sense in the past when the automotive E/E architecture consisted of independent parts and domains. However, we are now approaching a different era in the automotive supply chain where, fueled by the growing need for connectivity and automation, in-vehicle systems are becoming more and more sophisticated and interconnected, with software now acting as a core component of the vehicle.

OEMs today are beginning to realize that the conventional manufacturing model no longer serves its purpose in the new era of software-defined vehicles. And with more and more EV startups entering the manufacturing game, conventional OEMs may need to redefine their supply chain to incorporate software development and cross-domain cooperation.

Growing Complexity of the Automotive Software Supply Chain

Name any car feature – more likely than not it is enabled by software. The modern vehicle runs on electronic systems and software that are stitched together to communicate with each other via the in-vehicle network. A typical vehicle today consists of up to 150 electronic control units (ECU), which are essentially minicomputers equipped with processors. System software needs to be embedded in each of these ECUs to control a particular domain of functions, such as powertrain, sensor, and infotainment.

As such, it would be an understatement to refer to the software-defined vehicle as “a computer on wheels.” A more accurate description would be “a computer network on wheels.” That’s because today’s vehicles run an average of 100 million lines of code. That is two to three times that of a PC operating system. And in fact, the level of complexity will only increase as more and more automated features and security systems are incorporated.

Under the current software supply chain structure, software vendors supply software development kits (SDK) and modules to chipmakers, which supply the chips (e.g., ECUs) to OEMs or Tier 1 suppliers, who then stitch all these chipsets onto the parts and components, putting them in place within the in-vehicle network. However, most OEMs have very little experience in software integration. Although vehicular software has been around for decades, nothing has been at the magnitude and complexity of today’s software structure.

Moreover, OEMs and Tier 1 suppliers are accustomed to the vertical supply chain structure. Many are overwhelmed by this growing need for direct external communications and cooperation.

Therefore, as anyone with a strategic mind would do, OEMs are outsourcing the work.

The Emergence of Software Providers and the Need for Cybersecurity

Due to the sheer volume and quick influx of software components, many OEMs choose to outsource software integration to a comprehensive software provider, acting as a “Tier 1 software supplier.” Many existing Tier 1 suppliers have seen this as an opportunity to expand their software division, and because of this, many OEMs have chosen to establish or acquire their own dedicated software provider. Some take it a step further by making plans to establish a proprietary operating system and platform on which all applications can be developed. CARIAD from the Volkswagen Group is one such example. As the dedicated software provider for the Volkswagen Group, the company has announced plans to release the Volkswagen Operating System.

It might be tempting for OEMs to maintain their old way of doing things by having software providers take charge of all software integration, while focusing solely on inventory management, assembly, and quality control. However, the new supply chain landscape isn’t as straightforward, with quality control being the key difference. 

While hardware components are very easy to standardize and inspect, the rules are different in the software game. Since a cybersecurity risk exists in every connected computer, software and cybersecurity must go hand in hand in the age of connected vehicles. This means that a large part of software quality control is making sure that the software is free of vulnerabilities and flaws that may hinder its functionality and pose a cybersecurity risk. To do so, every piece of software needs to be rigorously tested prior to the release of a vehicle batch.

Additionally, similar to how OEMs are responsible for issuing hardware recalls, regulations are now holding OEMs accountable for software cybersecurity mismanagement and loopholes. The UN R155/R156 regulations set out by UNECE WP.29 mandate that all OEMs maintain an automotive cybersecurity management system (CSMS) and a software update management system (SUMS) for their vehicle fleets. This means that even after a vehicle is passed on to the consumer, software performance must be continuously managed, monitored, updated, and patched in real time.

The bottom line: whether it is the OEM or the software provider in charge, the OEM will ultimately be responsible for cybersecurity management.

The Importance of Cooperation for Secure Software Implementation

At the end of the day, the jobs of both the OEM and software provider are to ensure that cybersecurity risk within the automotive ecosystem is well managed and minimized. However, this should not be taken lightly because cybersecurity management isn’t simply about buying security software from vendors and installing it into the systems.

In the sophisticated automotive software ecosystem, security measures must be incorporated and custom-built in the manufacturing process to ensure both secure implementation and cross-region interoperability.

Therefore, both OEMs and software providers must take an active role in cybersecurity and cooperate with firms specializing in automotive cybersecurity to facilitate secure software integration and implementation across all domains, from the embedded systems within a vehicle to the vehicle-to-everything (V2X) connections for autonomous driving and vehicle-to-grid (V2G) applications for EV charging.

The takeaway is this: the automotive industry has entered a new era – an era where value is no longer added step by step through vertical supply chains but generated from horizontal cooperation, and an era where the automobile is no longer a product, but a combination of services stacked on wheels.

To succeed in the new era of smart mobility, cooperation is the key.



Vehicle Cybersecurity by Design: A Look at NHTSA’s 2022 Cybersecurity Best Practices

As more and more software components and connected technologies make their way into vehicles, cybersecurity has rapidly become a crucial aspect of vehicle design, manufacturing, and maintenance. However, in the century-old automotive industry, cybersecurity can be an unfamiliar field of expertise. Many automotive OEMs have found it challenging to implement security by design and integrate vehicle cybersecurity into functional safety.

To promote standardized practices in vehicle cybersecurity, the National Highway Traffic Safety Administration (NHTSA) – the United States’ federal agency dedicated to transport safety – drafted a guideline in 2016 on Cybersecurity Best Practices for the Safety of Modern Vehicles. The guideline helps automotive OEMs and suppliers establish a set of procedures to minimize cybersecurity risks and effectively manage threats throughout the vehicle lifecycle.

NHTSA’s guideline is centered around the voluntary standard of ISO/SAE 21434: “Road Vehicles – Cybersecurity Engineering”, a vehicle cybersecurity standard co-published by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE). Although compliance with the standard isn’t enforced by law like the United Nations’ R155 and R156 set out by UNECE WP.29, most automotive OEMs across the globe refer to ISO/SAE 21434 as a guide to establishing a secure procedure for vehicle manufacturing and post-production management.

In September 2022, NHTSA published the finalized version of the Cybersecurity Best Practices guideline, five years after the initial draft was released in 2016. The updated guideline contains more detailed descriptions of implementing appropriate cybersecurity procedures with respect to an OEM’s corporate process, as well as modifications based on the feedback and comments provided by industry experts.

Most importantly, the finalized Cybersecurity Best Practices contains updates to reflect the finalized version of ISO/SAE 21434, which was still under development when the 2016 draft was released.

A Summary of Key Practices Outlined by NHTSA

NHTSA’s Cybersecurity Best Practices contains a comprehensive corporate guide, covering topics as broad as leadership priorities and employee education and as specific as technical manuals on cryptographic techniques and credentials. In this blog, we extract some of the key practices relating to the establishment of vehicle cybersecurity by design, along with some of AUTOCRYPT’s tips that can help save corporate resources during the implementation process.

The Importance of Security by Design

When it comes to cybersecurity, most people tend to think about cybersecurity systems and tools like firewalls and threat detection software. However, the scope of cybersecurity in the IoT age stretches beyond these traditional definitions. For the automotive industry in particular, cybersecurity isn’t simply about threat detection and response, but covers an end-to-end process that runs from a vehicle’s development stage all the way to its everyday usage in the consumer’s hands. Therefore, a vehicle must be designed and developed with security in mind, and an OEM must continuously monitor and manage threats throughout the entire lifecycle of the vehicle.

Below is a summary of NHTSA’s suggested practices for achieving cybersecurity by design.

1. Risk Assessment and Removal

To incorporate vehicle cybersecurity by design, risk assessment must be performed at an early stage of a vehicle’s development process. This is done by evaluating a vehicle’s potential entry points from a threat actor’s perspective, predicting their motives and intrusion methods, then listing out the risks the vehicle faces. Of course, it can be difficult to pinpoint all prospective risks at an early stage. Hence this assessment should primarily focus on identifying risks that could potentially threaten the safety of passengers and other road users.

Our Tip: Cybersecurity risk assessment should be conducted by a team of security experts that specialize in automotive systems and architecture. To fill this gap, AUTOCRYPT provides Threat Assessment and Remediation Analysis (TARA) to automotive OEMs, generating an accurate assessment of the potential risks of a vehicle model. A professionally conducted TARA enables an OEM to make early adjustments to its system design and architecture to remove safety-critical risks, creating a solid foundation to build upon.

2. Security Testing and Vulnerability Identification

At the next stage, NHTSA recommends a full evaluation of both commercial off-the-shelf (COTS) and open-source software components used in embedded vehicle systems such as ECUs. This allows the OEM to identify all known vulnerabilities in their software. After known vulnerabilities are removed and patched, fuzzing and penetration testing should be conducted to further eliminate any zero-day vulnerabilities and software development flaws. To enable security by design, automotive OEMs need to ensure that their vehicles are vulnerability-free before moving into mass production.
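One way to carry out the known-vulnerability step described above, shown as an added example (not code from NHTSA or AUTOCRYPT): it matches a constructed CycloneDX-style SBOM for a hypothetical ECU firmware image against a constructed advisory list. The component names, advisory IDs, and version ranges are placeholders.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical ECU firmware image.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "example-tls", "version": "1.1.1"},
  {"type": "library", "name": "example-can-stack", "version": "3.2"},
  {"type": "library", "name": "example-json", "version": "2.0.4"},
  {"type": "firmware", "name": "vendor-bootloader", "version": "rc-build"}
]}
"""

# Constructed advisory list; IDs and version ranges are placeholders.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "component": "example-tls", "introduced": "1.0.0", "fixed": "1.1.5"},
    {"id": "ADV-PLACEHOLDER-002", "component": "example-can-stack", "introduced": "3.0", "fixed": "3.2"},
    {"id": "ADV-PLACEHOLDER-003", "component": "example-json", "introduced": "2.0.0", "fixed": "2.0.10"},
]

def parse_version(text):
    """Return a comparable 4-tuple of ints, or None if not dotted-numeric."""
    parts = (text or "").split(".")
    if len(parts) > 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def triage(sbom_text, advisories):
    """Return (findings, unverifiable) for the components listed in the SBOM."""
    findings, unverifiable = [], []
    for comp in json.loads(sbom_text).get("components", []):
        version = parse_version(comp.get("version"))
        if version is None:
            # Never treat an unparseable version as clean; queue it for manual review.
            unverifiable.append(comp["name"])
            continue
        for adv in advisories:
            low, high = parse_version(adv["introduced"]), parse_version(adv["fixed"])
            # Numeric comparison: as strings, "2.0.4" would sort after "2.0.10".
            if adv["component"] == comp["name"] and low <= version < high:
                findings.append((comp["name"], comp["version"], adv["id"], adv["fixed"]))
    return findings, unverifiable

if __name__ == "__main__":
    findings, unverifiable = triage(SBOM_JSON, ADVISORIES)
    for name, version, adv_id, fixed in findings:
        print(f"{name} {version}: {adv_id}, upgrade to >= {fixed}")
    print("manual review:", ", ".join(unverifiable))
```

Components whose version cannot be parsed are reported separately rather than passed as clean, so a missing or vendor-specific version string never hides an unpatched component.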

Our Tip: AUTOCRYPT offers a range of advanced cybersecurity testing tools and solutions for manufacturers to identify flaws and vulnerabilities within their systems. The process starts with AutoCrypt® Security Analyzer, which utilizes an SBOM (Software Bill of Materials) approach to scan the source code and break down the components of open-source software by different units of analysis, enabling accurate patching with minimal modifications required. This is followed by AutoCrypt® Security Fuzzer, which feeds the tested system with randomly generated, invalid, and unexpected inputs in an attempt to trigger errors and expose its vulnerabilities. Lastly, AUTOCRYPT’s security validation experts conduct penetration testing on the targeted program to eliminate any remaining flaws and vulnerabilities.

3. Monitoring, Containment, Remediation

After all the preventative measures are implemented, an OEM needs to integrate a set of security monitoring and management systems into the vehicle architecture. The NHTSA emphasizes that automotive OEMs must maintain their capability to monitor, contain, and respond to any attacks against their vehicle fleet after they are sold to consumers, with rapid incident detection and remediation capabilities being of paramount importance. This means that when a cyberattack occurs, the OEM must be able to detect it in real-time and prevent it from causing any safety-related impacts to its vehicle fleet.

Our Tip: An effective intrusion detection and prevention system (IDPS) should be equipped on every vehicle to defend it from all types of intrusions and internal threats. AutoCrypt® IVS is an advanced firewall for in-vehicle systems, capable of detecting any signs of intrusion and containing them before they spread inside the vehicle. To make things more visible for the OEM, all this fleet information can be visually monitored and managed on AUTOCRYPT’s Vehicle Security Operations Center (vSOC).

The Growing Importance of Vehicle Cybersecurity

Legally speaking, even though NHTSA’s Cybersecurity Best Practices and the ISO/SAE 21434 standard are not enforced as of today, they are extremely helpful to OEMs that want to succeed in the market of software-defined vehicles. Putting legalities aside, since many embedded systems inside a vehicle are directly related to its physical functionality, vehicle cybersecurity and functional safety are no longer separable, with cybersecurity becoming a crucial evaluation criterion for quality. Therefore, whether it is for regulatory compliance or quality assurance, OEMs and software providers must work together with cybersecurity providers to implement security by design and pave a safe future for every road user.

