3 Ways of Testing Automotive Cybersecurity Management Systems

The future looks bright for connected and autonomous vehicles (CAVs) – in fact, analysts at McKinsey say that by 2030, 45% of new vehicles will be at SAE level 3 or higher, with market share value at 450 to 750 Billion USD. But as the market grows, so does the risk for cybercrime for new automotive technologies. This is precisely the reason that governments and manufacturers are on edge, implementing regulations like the 2020 WP.29 regulations mandating cybersecurity management systems be in place. In the next couple of years, manufacturers will have to ensure that their vehicle models meet the requirements to obtain type approval for cybersecurity measures. However, what many tend to forget is that implementation of cybersecurity management systems (CSMS) is not the end of the road. Testing is a major part of ensuring that the CSMS is fulfilling its duties. After all, there is really no point in implementing a system if you cannot be sure that it is working properly.

Here are the tests that will help make sure that the CSMS is really safeguarding your vehicle, defending your car and its systems from potential attacks.

1) Vulnerability Scanning

In any cybersecurity management system, assessing and mitigating any vulnerabilities is a key responsibility to ensuring that the product is functioning at the maximum secure level. Vulnerability scanning is not a one-stop check, but should be executed at each level of the product development process to allow for maximum mitigation and comprehensive analysis of additional threats.

Now, there are two specific testing analyses that should be taken note when vulnerability scanning, and both are just as important.

Software Static Testing

Software static testing is testing the source or object code without executing it to find and eliminate errors or ambiguities. It is usually done in the early stages of development. This step is crucial as it can uncover major issues like leaks, buffer overflows, and deviations from standards. Because testing is done at an early stage, it can ward against increased development timescales, and allow for fewer issues to be found at later stages of development, which can often be much more costly and time-consuming to fix.

Software Dynamic Testing

Static testing’s counterpart, dynamic testing tests with execution of code in order to find weak areas in runtime environments and in the behavior of dynamic variables. The main goal of dynamic testing is to make sure that the system is functioning properly without any flaws. Since the codes are actually executed, dynamic testing can take a bit longer than static testing and can increase the costs of the final product as the flaws that are found will take more resources to mitigate. However, dynamic testing will find the issues that were missed by static testing, usually finding more complex defects.

2) Fuzz Testing, or “Fuzzing”

The next step is “fuzzing” or fuzz testing. Fuzz testing is basically providing “fuzz” or invalid or random data into the application or software in order to monitor for crashes, potential memory leaks, or failed code. Generating this invalid or random data is usually done via an automatic program that generates the fuzz.
Fuzzing can be useful because it adds an element that cannot be generated by a human. However, there are limitations as it usually detects simple or basic threats, meaning it needs to be combined with other testing techniques to fully secure your security management system.

3) Penetration Testing

While fuzzing uses random or invalid data to test the system, penetration testing (also known as “pentesting”) utilizes known cyberattacks or vulnerabilities to initiate simulated attacks, identifying potential vulnerabilities and selecting countermeasures to mitigate those vulnerabilities. Think of pentesting as getting someone to act like a car thief to try to break into your car and gain access: through this “ploy” to take over, the manufacturer can learn a lot about how they can better secure their vehicle’s access systems.

Through pentesting and finding flaws within the cybersecurity infrastructure, manufacturers can upgrade their security systems to remediate any flaws in the system.

Testing is a major part of CSMS; arguably, it is just as important as the CSMS itself. However, as seen through the many different techniques, there is no single test that will ensure that a cybersecurity management system is perfectly foolproof. By utilizing regular different testing techniques like fuzzing or pentesting, manufacturers can ensure comprehensive security. As technological developments are constantly being applied in a vehicle, the system will need to go through multiple rounds and various types of tests to ensure that the risk is as minimal as possible.

If working with a security solutions provider to implement your CSMS, ensure that they will be routinely testing and working with you as the client long-term. For more information about AUTOCRYPT’s testing services as part of our WP.29 solutions, click here or contact us here.