Secure software development for modern vehicles

In the automotive industry today, software-defined vehicles (SDVs), electric vehicles (EVs), and connected and autonomous vehicles are becoming increasingly popular. As the development of vehicles with improved safety features, better operation, and enhanced user experience progresses, it is important to recognize that all of these advancements require more-advanced and complex software. And that increases the risk of vulnerabilities, which in turn increases the attack surface. Further, these vehicles contain valuable assets, making them more sought-after as targets.

Cybersecurity trends and standards

In recent years, the automotive industry has seen several new standards and regulations introduced, including ISO/SAE 21434 Cybersecurity engineering, Automotive SPICE for Cybersecurity, and UN-R155 Cybersecurity and Cybersecurity management system. As more organizations establish cybersecurity policies, processes, and activities for product development, there has been an increased maturity of cybersecurity in the industry.

These features have four main areas to consider for threats and security challenges.

• Wireless interfaces include Wi-Fi, Bluetooth, cellular communication, and V2X. Moreover, autonomous vehicles can contain over 40 cameras and sensors including front cameras, surround cameras, side cameras, rear-view cameras, front radar, rear radar, lidar, and multiple ultrasonic sensors.
• Wired interfaces include one common attack vector, the diagnostic port in the vehicle. For EVs, the charging port is an additional attack vector.
• Target systems for connected vehicles include externally facing systems such as in-vehicle infotainment systems, telematics control units, and V2X connectivity units. Additionally, systems can contain valuable assets such as personally identifiable information and cryptographic keys/credentials. There are also systems controlling important or critical functionality such as keyless entry systems (via body control module), passive entry passive start systems, and battery management systems. For autonomous vehicles, target systems include safety-critical systems related to advanced driver assistance systems and autonomous driving that are responsible for steering, acceleration, and braking.
• Ecosystems involve other vehicles, the users' mobile devices, OEM backends, cloud solutions, and over-the-air update platforms. For EVs, the ecosystem also involves V2G entities such as charging stations, smart homes, and the electric grid. Besides securing the vehicles themselves, it is imperative that all security-critical entities in the ecosystem are also secured.