The first post pandemic Vehicle Electronics and Connected Services, VECS, conference had its kick-off the 17th May 2022 in Gothenburg. This highly popular conference had over 1400 automotive professionals visiting from all over the world, with keynote sessions tackling topics such as “Trends and Drivers Shaping the Future of Mobility”, “Technical Challenges & Solutions” and “The future of Automotive Services”. The first day provided inspiring talks about future trends and impressive innovations, how we can succeed with software defined vehicles, CI/CD (Continuous Integration and Continuous Deployment) and connectivity. The second and final day, invited the participants to choose from seven different tracks, where one was dedicated to automotive cybersecurity. This track provided insights on the challenges that the automotive industry needs to address the upcoming years.
Here are my key takeaways from the Cybersecurity & Connectivity track from the 2022 VECS conference.
New compliance requirements
There were a lot of mentions of the new regulations, UNECE R155 and R156, which most of us within security in automotive have somewhat of a grasp on by now – since the first deadline regarding compliance for new Type Approval is coming up in July for vehicles within EU. But there are still clarifications that needs to be made regarding the regulation and standardizations impact on the automotive cybersecurity. Some new industry standards will be released to hopefully provide a clearer view on this, such as:
“ISO/SAE PWI 8474 Definition and Application of CAL /Enhancement to include TAF” (expected submission date July 2022)
“ISO PWI 8477 Verification and Validation in the context of Cybersecurity” (expected submission Q3 2022)
“ISO/IEC 5888: Security Requirements and Evaluation Activities for connected vehicle devices” (planned release March 2025).
The talks also provided a better understanding on how Safety and Cybersecurity in vehicle development should interplay, and how we better can align and improve the two areas. It highlighted the interoperability between the areas, the differences in perspective (antagonist vs. system fault), mitigation mechanisms (cybersecurity vs. safety mechanisms) and timelines to be considered (cybersecurity doesn’t end by start of production). But, there are interaction points between the two that needs consideration during the product development phase, and aligning the two processes can make development more efficient.
Continuous improvement and Continuous compliance will be key in the near future in order to work effectively with the new regulations and standard requirements.
Cybersecurity monitoring and incident response
There is no doubt that the increased amount of software in vehicles adds complexity and potential vulnerabilities within the vehicle and its associated services. A well-functioning monitoring process is needed to detect, analyze, respond to, and recover from incidents (and to be compliant to current regulations). But building a holistic monitoring and incident response ecosystem comes with challenges, such as a scalable onboard IDS that manages complexity, how to add context in IDS reports, key managing solutions etc. An example that was presented captures the massive amount of data that a VSOC (Vehicle Security Operations Center) potentially needs to handle; one connected car with 600 GB of log data per day resulted in circa 10 500 000 logs and events, where 210 was registered as abnormal behavior. Twelve of those went to analysis, and one needed action response. This is an enormous amount of data and highlights the importance of a carefully selected monitoring scope and limiting triggers.
When an incident occurs, it is required to have a well-planned incident response plan, with a dedicated incident response team. This, along with a well-documented asset inventory, will help the organization when (not if) an incident occurs.
OTA (Over The Air) functionality provides an immense advantage when updating and patching systems, though it is a double-edged sword which will introduce weaknesses and vulnerabilities by itself, being an eminent attack vector. It therefore needs to be handled with care and consideration.
Automate cybersecurity lifecycle
Automation is key. Those who manage to automate their cybersecurity lifecycle with an integrated solution and implement useful tools will have a big business advantage. The continuous update of software functionality (CI/CD) requires developers to quickly find the cybersecurity delta, adapt security by design and verify by automated cybersecurity tests (in addition to the SUMS-requirements in R156). The question regarding if automatization of risk analyses is a good idea, I will leave unanswered. It is though clear that easy-to-use tools (in combination with training and awareness) is needed in order to do risk analysis efficiently.
One interesting mention in the Q&A session was the potential of a cybersecurity classification. What if a vehicle in the future will be classified, in similarity with energy classification, in a scale from A to G. This would be, according to me working with cybersecurity, a potential fantastic selling point.
Final thoughts and reflections
In general, it is clear that the automotive industry is struggling with the same challenges that most of the software industry does – functions and feature development is trumping cybersecurity. The cybersecurity technical debt is stacking on for the benefit of innovation. But there is organizational attention on cybersecurity like never before. New regulation and standards will guide the automotive industry, increase awareness and put cybersecurity on executive’s agenda. The industry is on the way to set a good cybersecurity baseline – but more is needed. We will definitively need to collaborate both within and outside of organizations to develop secure vehicles.