SA8710A Automotive Cybersecurity Test Platform

In today’s interconnected world, any device linked to an information stream is susceptible to cyberattacks. Cars are more connected than ever before, making them for hackers. From infotainment systems to engine control units, nearly every part of a vehicle relies on computer-based subsystems — creating an sprawling attack surface of interconnected vulnerabilities.

The modern connected car offers multiple entry points for attackers. Vehicles connect through various interfaces — USB, CAN bus, Wi-Fi, Bluetooth, cellular, and automotive ethernet — offering cybercriminals plenty of attack options. Securing these interfaces is an important — and ongoing — challenge for automakers.

In short, automakers need to proactively test their own vehicles before cybercriminals can exploit vulnerabilities. The best way to do this is to think like a cybercriminal, who aims to exploit system and component weaknesses.

By performing controlled cyberattacks, automakers can test vehicular security in line with their Cybersecurity Management System (CSMS). This practice, known as automotive cybersecurity testing, includes functional cybersecurity testing, fuzz testing, and vulnerability testing. These tests must cover a wide range of potential threats and account for all possible points of entry, such as cellular, Wi-Fi, Bluetooth, USB, CAN, and automotive ethernet interfaces.

However, testing is only part of the solution. Software updates, the preferred method for mitigating vulnerabilities, require thorough verification. This iterative process relies heavily on automation. Compliance with industry standards and government regulations requires a repeatable, scalable, and well-documented testing approach. Given the extensive attack surfaces, emerging threats, and mandatory compliance processes, integration and automation are essential.

The World Forum for Harmonization of Vehicle Regulations (UNECE WP.29) is a strategic initiative to align OEMs across various regulations. In 2020, WP.29 introduced new cybersecurity frameworks for passenger vehicles.

This framework requires automakers to:

• Manage vehicle cybersecurity risks. 
• Mitigate supply chain risks by securing vehicle design. 
• Detect and respond to security incidents across the vehicle fleet. 
• Provide secure software updates without compromising vehicle security. 

The main regulation to come from this, UN R155, mandates that automakers integrate cybersecurity throughout the vehicle’s lifecycle. In simple terms: they must establish a Cybersecurity Management System (CSMS) that uses risk-driven engineering processes for vehicle components, subsystems, and assemblies.

Automakers must demonstrate CSMS compliance to obtain “type approval” from the UN. Without this approval, vehicles cannot operate on public roads. UN R155 applies to major markets like the EU, UK, Korea, and Russia, and all vehicles in production must comply.

ISO / SAE 21434 is a standard that guides automakers and component manufacturers on implementing a Cybersecurity Management System (CSMS) — as required by regulations such as UN R155.

Similar to functional safety, automotive cybersecurity follows the “V Model” of engineering, where all component and system testing must be verified and validated. However, cybersecurity is a moving target. Unlike functional safety, which requires a one-time test per component, cybersecurity testing must be ongoing due to constantly emerging threats, exploits, and vulnerabilities. A CSMS addresses this by conducting a Threat Analysis and Risk Assessment (TARA) to evaluate applicable threats. TARAs help OEMs identify, implement, and verify mitigations before deploying software updates.

When new threats arise, engineering teams need a repeatable, fast, and accurate response. A CSMS provides the tools to quickly evaluate and mitigate new threats while ensuring that corrective actions do not introduce new vulnerabilities.