Securing the Software-Defined Vehicle

Michael Lueke & Dr. Moritz Minzlaff

Regardless of what business a company is in, security for products, people, processes and/or technology is always a top concern. Successful security programs adhere to four principles: security by design, defense in depth, risk management and monitoring, and organizational security. However, the software-defined vehicle (SDV) challenges existing boundaries and mindsets for those in the automotive industry. As the risk space grows with the increased volume of software in the automotive ecosystem, the industry must re-think these four principles to adequately match security to risk. To do this and properly protect the SDV end-to-end along the lifecycle, ecosystem and software supply chain dimensions, manufacturers and suppliers must take their implementations of the principles to a new maturity level (see Figure 1). Just as individual activities in the DevOps cycle have limited impact in isolation, a company can only master SDV cybersecurity when it reaches SDV-level maturity in all four principles.

Principle 1: Security by Design

Security by design means that security is built into the product from the very beginning. This is often a process-focused principle, implemented through a security-enhanced V-model. Because SDVs are permanently exposed to potential attackers, automotive companies must expand their understanding: a relentless optimization of the mean time to repair vulnerabilities is needed across the entire SDV lifecycle. Achieving this and closing the DevOps cycle requires a high degree of automation and a focus on resilience.

Principle 2: Defense in Depth

Defense in depth is the practice of establishing multiple protection mechanisms so that no single point of failure compromises the entire product. Specific security technology (e.g., software and hardware) is the focus of this principle. Before the SDV, this often meant a layered approach from deeply embedded components to on-board domains to the entire vehicle network. The new vehicle-centralized architectures with computers and clouds require an ecosystem-level view with additional layers for on- and off-board components, including an evolution toward zero trust.

Principle 3: Risk Management and Monitoring

This principle, which focuses on information and data assets within the SDV ecosystem, must be at the heart of all security activities. Threat and risk analyses (TARA) identify the risk and measure whether mitigations reduce it to an acceptable level (e.g., through consistent application of the security-by-design and defense-in-depth principles). They are one of the first steps companies take as they progress from initial to established maturity. However, the initial processes and tooling that manufacturers and suppliers have established often do not lend themselves to the high-frequency changes demanded by the SDV. Continuous monitoring of the threat landscape, including vulnerabilities in the ecosystem, optimizing the mean time to detect security events, and quickly updating TARAs throughout the SDV's lifecycle are the distinguishing marks of organizations with advanced or optimizing maturity.

Principle 4: Organizational Security Management

A review of recent cyber incidents shows that security needs both technical and organizational solutions, which is why this principle focuses on people and culture. Automotive manufacturers and suppliers must implement cybersecurity management systems across the so-called "three lines of defense": operations, risk management and compliance, and internal audit. Building up all areas takes time and effort, so initial-maturity organizations typically focus on just one line of defense, for example with a clear focus on "compliance" and a related checklist mentality. This is understandable and can help a company initially stay in business, but the SDV's data-centric business models require an expanded security mindset covering all three lines of defense and integrating all stakeholders, including the software supply chain (see Figure 2 below).

Reaching SDV-Level Cyber Maturity

Reaching SDV-level cyber maturity is a three-step process:

1. Assessing the current cyber maturity of people and processes allows an organization to focus its resources where they contribute most to a timely and cost-efficient achievement of the targeted new maturity level. It's also important to assess on a technical level, especially when E/E architectures are not designed from scratch and legacy architectures potentially lack security features. It's also crucial to look at whom you collaborate with, and how, throughout the ecosystem and the supply chain.

2. Identifying the target maturity is necessary to match the increasing cyber risk of the SDV with a higher capability to secure road users, customers and business models. If the growing capabilities and opportunities of potential attackers outpace the maturity of an organization, the result is unacceptable business risk. On the other hand, setting the new target maturity too high risks a failure of the cybersecurity program through wasted resources and overstretching the organization's ability to absorb and implement the necessary changes. We have found that three main factors decide the target level: the company's brand positioning and risk aversion, the complexity and risk exposure of its products, and requirements from target markets (e.g., regulations and compliance requirements). As each of these factors typically changes over time, it's helpful to introduce a stable interface between the requirements from each and the organizational and technical security controls.

3. When executing a gap closure program, the goal is to match increasing cyber risk with increasing cyber maturity. As mentioned in the previous section, a gross imbalance between risk and maturity will lead to failure. While initial-maturity organizations can begin to achieve established maturity in a waterfall-style planned project, the leap from established maturity to SDV-level maturity introduces complexity typically found in large-scale organizational change initiatives. At initial maturity, technical security baselines (i.e., security architectures) have proven effective in aligning security controls internally as well as with suppliers and customers. When used together with the product roadmap, the baseline can evolve and ensure that security measures continue to adequately protect against an increasing attack surface. As organizations reach higher maturity levels, an iterative approach becomes more prevalent: companies frequently assess their maturity and develop advanced capabilities through smaller, targeted changes, ensuring they can accommodate boundary conditions such as broader digitalization strategies or rapid market developments.

Working Together

By partnering with ETAS, companies can better reduce cyber risk and realize the potential of SDVs. We have unique expertise in upgrading the