Cyber Security and Software Updates

The automotive industry is facing new challenges.

AUTHOR

TOBIAS LÖHR
Project manager P3

EMAIL | PHONE

P3 PRODUCT AND PROCESS COMPLIANCE

Cyber security and software updates – the automotive industry is facing new challenges.

June, 23, 2020 | T. Löhr, N. Khosrawi-Rad, S. Dorsch

The approval of new vehicle types in the automotive industry is subject to numerous regulations. The regulations on cyber security and software updates are the focus of our team. If these requirements are not met, a complete sales stop for new vehicle types in more than 50 markets is threatened from mid 2022. The affected vehicles are already in development today.

Vehicle manufacturers are confronted with these new legal regulations, which aim to continue to guarantee adequate security standards with regard to cyber security and the installation of software updates as system complexity increases. The ability to install software updates in the vehicle fleet is an integral part of the security concept.

Through our previous experience we have often encountered similar challenges with our customers. These can be divided into the areas of design and implementation of management systems and type approval of vehicle models for both SUMS (Software Update Management System) and CSMS (Cyber Security Management System) and are mutually dependent. Thus, in addition to the fulfilment of product requirements, demands on the OEM’s organization represent an additional challenge.

We would like to present the solutions that have proven themselves as success factors here.

CYBER SECURITY

Challenges

As shown in the figure, the management system and type approval must be considered. When considering the management system, processes for dealing with security threats play a major role, these must be defined and rolled out. Furthermore, it is essential to develop and establish mechanisms for reacting to attacks and closing security gaps.

There are also numerous challenges in the field of type approval. In our opinion, the identification of critical system components and the technical risk assessment as well as the technical equipment for risk minimization in the vehicle (e.g. IDS/IPS) and the proof of a suitable technical protection should be mentioned here above all.

Success Factors

In dealing with the above-mentioned challenges, the following success factors have emerged in our projects. It is essential to identify the affected departments at an early stage, to generate concern and create awareness in these departments. In addition, on time provision of a continuous toolchain for the timely completion of work results (security artifacts) is an important success factor.

For type approval, early definition of test criteria for critical system components and checking the availability and use of suitable technologies for proactive and reactive protection against security threats can make a difference.

SOFTWARE UPDATE

Challenges

The challenges regarding regulations on software updates also relate to both the management system and type approval. Particularly noteworthy with regard to the challenges to the management system is the need to ensure the traceability of end-to-end processes for the development and delivery of software components and to guarantee the compatibility and dependencies of software components over the entire life cycle of the vehicle. Furthermore, the software components installed in vehicles must be documented and verifiable at all times.
For type approval, proof of the effectiveness of technical devices against the manipulation of software is of particular importance. A further challenge is that the installation of the update in the vehicle is secure at all times, leaves no scope for manipulation and that the vehicle owners and authorities are informed about it.

Success Factors

In order to meet these challenges, various approaches have proven to be success factors for us. Starting with the creation of an integrated implementation plan with all certification aspects including pre-audits, employee qualification, IT landscape and vehicle projects, the early establishment of the necessary technical infrastructure for a suitable asset management (VIN-accurate tracking of software components) has proven to be a critical success factor. In addition, the early introduction of technical requirements into vehicle/platform projects (RxSWIN, protection of diagnostic functions, …) has proven to be a successful approach.

CONCLUSION

Our customers are faced with the challenges of numerous new regulations and standards. Many current standards and regulations enable and condition each other. The orchestrated implementation is an important success factor where we can enable our customers with our experience for the certification capability in due time.