Automotive Product Cybersecurity

What measures protect a system against unauthorized manipulation and attacks in a resource-saving, effective and long-term manner?

Increasingly complex system functions and the growing number of interfaces and networks are creating more and more potential threat scenarios.

Cybersecurity by design – from identified risks to customized countermeasures

Some of these typical cybersecurity countermeasures are, for example:

• Use of so-called secure flash and secure boot mechanisms to prevent unauthorized changes to the device firmware through forged updates or direct manipulation of the device memory
• Additional authentication of messages and signals using Secure Onboard Communication (SecOC) to protect security-critical bus networks (e.g. CAN/CANFD, FlexRay or Automotive Ethernet) from manipulation by attackers
• Use of a hardware security module (HSM) for the hardware acceleration of cryptographic algorithms and for the protection of security-critical information such as key material or private user information
• Additional physical protection of the hardware by deliberately planning an installation location that is difficult to access, using special screws or sealing the housing to make attacks on devices more difficult and unauthorized tampering more clearly identifiable

It is important that the available measures are selected according to requirements and are combined sensibly with each other to ensure the highest possible level of security without compromising the actual functionality of the product.

Automated robustness or fuzz tests and systematic pen tests are also often necessary to ultimately prove the effectiveness of the countermeasures. In addition to the classic module, integration and system tests, these should be considered directly when planning a complete test strategy.

Cybersecurity lifecycle – a continuously protected product from production to disposal

A product must be protected against possible misuse and manipulation by unauthorized third parties throughout its entire lifecycle. This begins with the manufacture of the individual sub-components and the assembly of the system, right through to its disposal after up to 15 – 20 years of operation.

Any potential weak point within the production chain can be identified and exploited by attackers. For this reason, production planning should take cybersecurity aspects into account right from the start. Product cybersecurity must work closely with the teams responsible for IT & OT cybersecurity to establish a seamless security concept for the production process.

Fundamental questions need to be clarified here:

• Where are security-critical data such as key material or passwords stored?
• How can security-critical data be transferred securely between different production parties?
• How can access to flash or end-of-line stations be restricted through appropriately secured areas?
• How can these secured areas be protected from unauthorized access, e.g. by automated access controls?
• In which production step are key material and passwords written into the device and at what point are specific cybersecurity functions activated?
• What measures can be taken to effectively protect the subcomponents and products from theft and manipulation during transportation and storage?

Even after the product has been placed on the market, it must be ensured at all times that safety-relevant diagnostic access or service functions can only be carried out by authorized specialist personnel and that safety-critical diagnostic data can be stored in the system in a tamper-proof manner. This requires an authorization and role system for the necessary service functions, for example, and appropriate authentication should also be integrated into the diagnostic devices of the service teams involved.

Even for the final disposal, known as decommissioning, the necessary steps for data erasure must be planned in order to prevent misuse of the product and the reading of personal data or key material.