In recent years, we’ve been talking about the fundamental changes in the automotive industry, such as electrification, connectivity, autonomous driving, and software-defined vehicles.
What is particularly interesting in these trends - especially from the perspective of this article - is that many of them are driven by information technology and connectivity.
Connectivity in the automotive industry refers to the integration of vehicles with digital networks, enabling communication between cars, infrastructure, and external systems. This connectivity facilitates features like navigation, real-time data sharing or autonomous driving. However, with this integration comes a critical need for robust cybersecurity measures to protect vehicles and their data from potential cyber threats, ensuring the safety and privacy of passengers and road users.
Cybersecurity is crucial to prevent unauthorized access, tampering, or malicious actions that could compromise vehicle functionality and jeopardize public safety or the reputation of the brand.
More ECUs and more interfaces:
The number of interfaces between vehicles and their environments, the number of functionalities implemented in software, and the number of in-vehicle and off-board systems started to increase dramatically. A connected car supports drivers and passengers and enables remote maintenance or upgrades of the vehicle’s software. As a result, a high-end vehicle might have 70 to 100 small computers (known as ECUs, Electronic Control Units) and approximately 100 million lines of software code.
You do not have to be a cybersecurity expert to immediately understand the significant challenge that the industry faces and the necessity of ensuring appropriate cybersecurity in such a complex system. Adding to this challenge, in the past, automotive engineers did not have to focus on cybersecurity, and cybersecurity experts did not focus on vehicles, so a knowledge gap existed between them when the change accelerated.
The automotive industry recognized this risk early and began working to close this knowledge gap and enhance vehicle cybersecurity, and introduced two cybersecurity regulations in 2020.
Consequently, the ISO/SAE 21434:2021 (Road vehicles — Cybersecurity engineering) standard was also introduced. It describes the processes that should be followed to ensure proper cybersecurity risk management from the concept phase to decommissioning.
In the world of cybersecurity, penetration testing is seen as one of the most effective methods to validate the implemented cybersecurity controls. The ISO 21434 standard also recommends it as one of the validation activities. However, integrating penetration testing into automotive product development is not a straightforward task. Developing a new vehicle takes years, and the complexity of the connected vehicle ecosystem requires a lengthy and convoluted testing process, especially if the testing only starts close to the production phase. There are many questions that a well-designed penetration testing process should consider:
Setting up a good penetration testing program is a complex task which requires specific capabilities in the company.
The structure of a penetration testing program should be able to handle the complex nature of the automotive development process.
A project, depending on the testing scope, can incorporate various testing types. The difference between the project types and testing types is that the project types use the testing types to fulfill goals, as shown in the diagram below.
Deloitte is supporting its clients with a team of experts. Our extensive years of experience in automotive penetration testing, our specially purposed Automotive Lab located in Budapest, Hungary, and the necessary software and hardware create unique value for many OEMs and Suppliers.
Through the Automotive / Hardware hacking lab, Deloitte provides:
To be able to help our clients with this complex agenda, Deloitte has developed unique training and demonstration environments, which are ideal for practicing automotive security testing tools and techniques.
Specialized trainings are recommended for: