Automotive Cybersecurity: UNEX, Upstream, Grimm DARPA, SafeRide, Green Hills, AUTOCrypt, NXP & Trustonic

In automotive cyber security news are UNEX, Upstream, Grimm DARPA, SafeRide, Green Hills, AUTOCrypt, NXP and Trustonic.

Unex Uses ISS

Unex, a leading provider of V2X (Vehicle-to-Everything) systems, and INTEGRITY Security Services (ISS), an embedded security solution expert and a wholly owned subsidiary of Green Hills Software LLC, have announced a new partnership in an effort to advance safer and smarter transportation. The partnership focuses on ensuring all vehicles and roadside equipment can reliably exchange authenticated messages.

V2X is emerging as a key component in the rapid rise of connected and autonomous vehicles. Exchange of information and communication between vehicles and roadside infrastructure is the basis of smart traffic and transport systems. However, as with other wireless technologies, security issues are a primary concern in V2X. For example, hackers may tamper with messages or send fake ones. Such attacks include fake red-light violation and traffic chaos attacks, which might lead to traffic accidents and traffic jams.

Secure V2X communications require the technology of digital signatures including Public Key Infrastructure (PKI) service for issuing certificates and credential management services of end entity for signing and verifying signatures. Signatures and certificates ensure the integrity of message content and authenticate the identity of the senders. The ISS Security Credential Management System (SCMS) for securely delivering V2X and C2X digital certificates is the only SCMS purpose built to be secure and scale to meet the needs of today’s largest transportation fleets, networks & eco-systems. The ISS product name for their SCMS is the Certificate Management Service (CMS) and it was designed to meet the latest Government and Industry standards, delivering vehicle-to-anything (V2X) and European car-to-anything (C2X) certificates to automotive and smart city product manufacturers and operators worldwide. ISS raised the first and to date only North American Root Certificate ensuring interoperability and security across any vehicle or device provisioned by the ISS CMS.

Unex builds a highly integrated V2X ecosystem from modules to on-board unit and roadside unit systems. Moreover, Unex V2Xcast® technology shortens the development cycle for accelerated V2X deployment globally, greatly reducing the barriers to entry for all industries. To ensure the integrity and safety of communications, Unex has teamed up with ISS to mitigate any privacy risks. With the ISS Security Credentials Management System (SCMS), V2Xcast® is able to manage bootstrapping, enrolment and acquisition of certificates and send protected messages.

Upstream Releases Report

Upstream Security, a leading provider of cloud-based automotive cybersecurity solutions, released its 2021 Global Automotive Cybersecurity Report. The annual report shares in-depth insights and analysis derived by analyzing 633 publicly reported automotive cyber incidents spanning the last decade, highlighting vulnerabilities and threats identified during 2020.

For the first time ever, the annual report offers an in-depth mapping of all 2020 automotive cyber incidents to the threats listed in the UNECE WP.29 regulation as well as an analysis of the risk levels of specific incidents as required by the ISO/SAE 21434 regulation. The report also includes an inaugural segment focused on non-disclosed automotive-related cyber incidents discovered throughout the deep and dark web.

2020 has been a year of disruption in the automotive industry, both because of COVID-19 and the new automotive cybersecurity standards and regulations. The rising number of connected vehicles increases the entry points and vulnerabilities that hackers can leverage, and the ever-growing automotive cyber threat landscape continues to develop.

“With the continued rise of cyber attacks against the automotive industry and the regulatory requirements that were developed in response, now more than ever, automotive stakeholders must take heed of the cyber threat landscape,” said Oded Yarkoni, Upstream Security’s VP of Marketing. “Knowing and assessing automotive cyber threats both on the surface and on the deep and dark web is the first step in developing an effective cybersecurity management system and complying with the cybersecurity demands of both regulators and consumers.”

Upstream’s 2021 Global Automotive Cybersecurity Report introduces key findings of the Upstream AutoThreat Intelligence research team as well as cybersecurity recommendations for automotive stakeholders:

  • Connected vehicles are here to stay: The rising number of connected vehicles leads to increased vulnerabilities and entry points for hackers to leverage; more than 200 automotive cyber incidents were publicly reported in 2020 alone.
  • Most automotive cyber hacks were carried out by hackers with malicious intent: In 2020, 54.6% of hacks were carried out by black-hat hackers to disrupt business, steal property, and demand ransom. 39.1% of hacks were committed by white-hat hackers and researchers, including those as part of an automotive bug-bounty program.
  • There was a growth of servers targeted in 2020: The three most common attack vectors over the last decade were servers, keyless entry systems, and mobile apps, with a 73% growth in server attacks in 2020. All three top attack vectors are attacked remotely, and as seen in 2020, 77.8% of all incidents were remote attacks.
  • The number of automotive-related CVEs is growing: To date, there have been 110 CVEs (Common Vulnerabilities and Exposures) related to the automotive industry, 33 in 2020 compared to 24 in 2019.
  • Theft of data and vehicles were among the top impacts of cyber attacks in 2020: 36% of incidents in 2020 involved data and privacy breaches, and 28% of incidents involved thefts or break-ins.
  • Standards and regulations indicate an industry-wide recognition of cyber threats: When mapping cyber incidents from 2020 to threats indicated by the UNECE WP.29 regulation, 89.9% of incidents related to threats to vehicles regarding their communication channels and 86.7% related to threats to vehicle data/code, the top two threat categories.
  • While COVID-19 slowed down many automotive operations, cyber attacks were on the rise: OEMs and automotive suppliers were prime targets during the pandemic, with a cyber attack even shutting down a major OEM. The pandemic also led to factory closures, assembly-line shutdowns, supply chain interruptions, and even some OEMs pivoting their activities altogether.
  • The deep and dark web contains a noticeable amount of automotive-related hacks and threats: The most frequent and significant automotive hacks discussed on the deep and dark web include ECU tuning, infotainment hacking, selling stolen identities to access OEM and smart-mobility accounts, and leaking automotive source code or data.
  • Automotive cybersecurity has been recognized as vital: The automotive cybersecurity market is expected to grow over the next decade, with OEMs recognizing that security-by-design, automotive cyber threat intelligence, and a well-established VSOC (vehicle SOC) with an integrated cybersecurity solution is integral to the safety and security of their vehicles and assets.

A full copy of the free report is available for download at the Upstream Security website.

Grimm Awarded DARPA Contract

Grimm, a cybersecurity research firm, has been awarded a DARPA subcontract to research Assured MicroPatching (AMP). The research is intended to advance the generation of custom security patches, with the added benefit of improving the binary analysis tooling required for such cybersecurity research.

GRIMM is part of the AMP Technical Area 3 (TA3) team, which is responsible for developing and providing vulnerability-patching challenges created to test the wares of other contract performers on both TA1 and TA2, which are responsible for taking vulnerability research, patch generation and patch testing to a new level. GRIMM’s role on the team will help validate the cybersecurity elements of the project. In doing so, GRIMM will be providing a heavy-trucking Electronic Control Unit (ECU) simulator, emulating a PowerPC system, while leveraging real-world firmware.

GRIMM’s Principal Security Researcher, Matthew Carpenter, says, “The virtual ECU will allow the performers access to ECUs wherever they are, without needing to manage custom and closed hardware, and will support power systems and networking modules.” This work is based on research and PowerPC emulation GRIMM developed in 2019.

Carpenter also states, “In addition to making software patching more of a reality, this project is advancing the very tools used to identify cybersecurity vulnerabilities, making high-tech bug hunting easier and more powerful.”

SafeRide Reveals Insights in vInsight

SafeRide Technologies, a leading provider of AI-based vehicle health management (VHM), data analytics, and cybersecurity solutions, unveiled today vInsight™, an AI-based VHM development platform for OEMs, Tier 1 suppliers, aftermarket telematics vendors, and fleets. The vInsight platform includes a VHM development tool and inference engines targeted for in-vehicle and remote AI-based vehicle health monitoring.

vInsight Developer is a tool that enables customers to develop, train, optimize, test, and deploy state-of-the-art deep learning algorithms for VHM using a rich library of production grade models and design templates for major vehicle systems such as engine, transmission, emission, braking, battery management, and more. vInsight Developer can generate compressed and optimized models for embedded deployment onboard vehicles.

vInsight Edge is an embedded VHM runtime engine that is designed for gateway modules, domain controllers, and telematics modules. vInsight Cloud is a VHM runtime engine that supports legacy vehicles and aftermarket deployment. These runtime engines enable real-time inferencing using the trained VHM algorithms created by vInsight Developer.

“Advancements in autonomous driving, electrification, fuel efficiency, and emissions regulations are increasing vehicle complexity,” said Gil Reiter, SafeRide’s Vice President of Product Management and Marketing. “Traditional diagnostics methods can no longer describe the complex state and performance of the vehicle. This limitation creates an abundance of challenges, including vehicle quality issues and increasing costs of warranty claims, recalls, maintenance, and downtime.”

Existing VHM solutions rely on diagnostic trouble codes (DTCs) and telematics data to detect and predict malfunctions. DTCs can only detect failures after they occur, and they provide limited insights about the problem. This leads to a complex and expensive repair process, and sometimes a wrong diagnosis. Telematics solutions are limited by network bandwidth and access to data; therefore, they fail to address the growing complexity of modern vehicles.

“Artificial intelligence, and specifically deep learning, is extremely efficient in processing data from complex systems and extracting valuable insights,” said Dr. Sasha Apartsin, SafeRide’s Head of Data Science. “Using advanced neural networks, SafeRide’s vInsight platform enables the early detection of malfunctions and helps predict failures and identify the root cause of problems. vInsight Edge enables efficient deployment of these advanced health management capabilities onboard the vehicle, where access to thousands of signals is available in real time.”

AI technology is vital for delivering advanced VHM capabilities. Nevertheless, domain knowledge and electromechanical expertise are also critical in configuring and tuning the AI algorithms. SafeRide’s vInsight platform is designed with a hybrid approach that combines AI with physics and domain knowledge to deliver optimal performance. vInsight Developer enables customers and partners with vehicle domain expertise to combine their knowledge with SafeRide’s models, templates, and design flows to deliver the required results in a short time, with little or no AI expertise.

vInsight uses SafeRide’s award-winning unsupervised and self-supervised deep learning technology. While other AI-based solutions learn from labeled data sets with abnormal health conditions, vInsight can learn from unlabeled data sets with only normal health conditions. This dramatically simplifies the data collection and training processes and enables VHM applications that were not possible before.

The vInsight Edge Runtime is pre-integrated with NXP Semiconductors’ S32G Vehicle Network Processor for service-oriented gateways and domain controllers that can provide the processing performance and access to the vehicle-wide data needed for advanced VHM. NXP and SafeRide will present a webinar to discuss and demonstrate the vInsight platform on November 16th at 11am EST.

“Real-time monitoring of vehicle health is of key interest to the automotive industry to address faults before they occur and reduce costs,” said Brian Carlson, Global Marketing Director for Vehicle Control and Networking Solutions at NXP. “The NXP S32G processor combined with SafeRide’s vInsight platform enables carmakers to realize advanced VHM for safer and more reliable vehicles, offering better user experiences for their customers.”

SafeRide’s vInsight solution is currently being deployed in pilot projects with several major OEMs and fleets.

Green Hills Adopts Standards

Green Hills Software, the worldwide leader in embedded safety and security, announced it has adopted the two new international security standards and regulations for automotive cybersecurity – ISO/SAE 21434 and UNECE WP.29 – for the INTEGRITY® real-time operating system (RTOS) and associated products and services. For decades, Green Hills has been an industry-recognized leader helping electronics manufacturers create and deploy embedded systems at the highest levels of safety and security. By offering compliant products and associated evidence reports for these new standards, Green Hills will build upon its proven pedigree as the foundational run-time software provider trusted by OEMs and their Tier 1 suppliers for automotive electronics. Utilizing these new security standards enables manufacturers to design and deploy purpose-built, secure, software-defined systems in connected vehicles, including highly automated driving, high performance compute clusters, domain controllers, vehicle gateways, telematics, keyless entry, diagnostic connections and electric vehicle charging stations, to name a few.

As reliance on vehicle connectivity grows and demand for software-defined services rises, the risk of cyberattacks against connected vehicles continues to rise. With over 100 ECUs and hundreds of millions of lines of code, connected vehicles are a target-rich platform for cyberattacks. Multiple points of entry to modern connected vehicles provide opportunities for malicious vehicle control, fraud, and data-breaches that threaten companies, drivers, and road users. A single exploited security vulnerability could put an entire fleet of vehicles at risk, numbering in the millions. With nearly 80% of new cars connected (1) to the internet, cybersecurity breaches have the potential to put billions of dollars in sales and lawsuits at risk – not to mention the damage to brand reputation.

As a result, governmental bodies and independent regulators are drafting two related measures for managing cybersecurity threats throughout a connected vehicle’s lifecycle. Green Hills is collaborating with its customers and adopting cybersecurity assessment policies for the following:

  • The draft ISO/SAE 21434 “Road vehicles – Cybersecurity engineering” Standard was recently published by SAE International and ISO (Organization for Standardization). It is a baseline for vehicle manufacturers and suppliers to ensure cybersecurity risks are managed efficiently and effectively from both a product lifecycle and organizational perspective spanning concept, development, production, operation, maintenance, and decommissioning.
  • The WP.29 regulations from the United Nations Economic Commission for Europe (UNECE) make OEMs responsible for cybersecurity mitigation in four cybersecurity areas spanning the entire vehicle lifecycle: managing cyber risks; securing vehicles by design; detecting and responding to security incidents; and providing safe and secure over-the-air (OTA) software updates. While WP.29 defines concrete examples of threats and mitigations, OEMs can choose how they show the threats are addressed, such as complying with ISO/SAE 21434. The regulation is expected to be finalized in early 2021 and applied initially to many member nations including European nations, South Korea, UK, and Japan, and will likely influence vehicle homologation policies in the US, Canada and China.

WP.29 will be legally binding within adopting countries, and while the ISO/SAE 21434 standard is not a regulation, it is expected to be widely accepted in the global industry like ISO 26262 is today.

“Connected cars bring significant risks and rewards to OEMs and their suppliers,” said Chris Rommel, Executive Vice President, IoT & Industrial Technology at VDC Research. “Green Hills has earned a high stature in the industry for supplying security-critical foundational software to companies building life-critical systems like aircraft avionics, vehicle ADAS and medical equipment, and its support of these new cybersecurity standards is noteworthy.”

“ISO/SAE 21434 and WP.29 are valuable additional steps towards protecting connected vehicles from cybersecurity vulnerabilities,” said Dan Mender, VP of Business Development at Green Hills Software. “Green Hills has decades of experience developing and delivering security-certified technologies at the highest levels. Adopting these standards expands our offerings to global automotive OEMs and their suppliers bringing the industry’s leading secure software run-time environment to next-generation connected vehicle electronics.”

(1) Source: VDC Research Group, Inc.: Automotive Cybersecurity Software & Services Market report, 2019 Strategic Insights Security & The Internet of Things Research Program.

AUTOCrypt Partners with NXP

AUTOCRYPT Co., Ltd., a leading V2X and autonomous vehicle security solutions provider, announced its partnership with NXP Semiconductors in several automotive security related applications beginning with secure V2X.

As an official partner of NXP, support for AutoCrypt V2X will be streamlined across NXP’s V2X-related offerings, including the SAF5X00 modem chipsets and the SXF1800 Secure Element IC for V2X Communication, as well as the i.MX 8 Series Application Processor. By integrating AUTOCRYPT’s IEEE 1609.2-compliant V2X security solution onto NXP’s platform, secure exchange of V2X messages as well as performance optimization can be achieved more effectively.

AUTOCRYPT’s offerings across V2X, V2D, and V2G security are a natural match for NXP’s expansive automotive portfolio, paving the way for further joint solution development as global interoperability continues to become a crucial factor for enabling safe transportation and mobility.

Trustonic Trusted by Tier A

Trustonic announces that its security platform has been chosen by Tier 1 automotive service provider, Megatronix, to secure its intelligent operating system, SmartMega OS+, which brings next generation connected services to smart vehicles. The first vehicle model to integrate SmartMega OS+, the Hycan 007, is now on sale across China.

With a predicted surge in demand for connected vehicles, automotive makers are under pressure to provide enhanced features to vehicle users, while guaranteeing security, privacy and data protection. Megatronix’s SmartMega OS+ software has been designed to ensure the deployment and regular upgrade of new, customisable in-vehicle services to enable secure, reliable user experiences. SmartMega OS+ provides real-time cloud-based features which connect the vehicles to the outside world, and protects communications from the Telematic Control Unit (TCU) all the way through to the connected cloud.

“Connected, autonomous, shared and electrified use cases are driving the automotive market forward and we’re working to empower OEMs and Tier 1s to innovate while protecting data, IP and brands,” comments Dion Price, CEO of Trustonic. “Modern vehicles present new and complex challenges and we are delighted to be working with industry visionary Megatronix to put security at the heart of millions more connected vehicles.”

“It’s no longer enough to simply provide basic entertainment solutions, users are demanding connected experiences that integrate into their digital lifestyles,” said Li Zhuang, Ph.D., CEO of Megatronix. “It is essential that data, applications and services are all protected to ensure user trust. With SmartMega OS+ we have a unique offering for the world’s automotive market, a smart operating system that has security built-in by design. By integrating Trustonic’s world leading automotive security platform, our customers can focus on building rich services in the knowledge that they are fully protected. We are delighted that the first vehicle containing this technology, the Hycan 007, is now rolled out across China.”

In the era of software-defined hardware, whether an intelligent car’s operating system can bring an extraordinary experience to users has become the biggest factor in a product’s success.

Hycan 007 is not only the first product of GAC NIO New Energy Automotive Technology, but also the first product launch for Megatronix. Hycan 007’s futuristic appearance and leading intelligence fully demonstrate a combination of technology and design.

Report Finds Key Reasons for Automotive Cybersecurity

According to the market research report published by P&S Intelligence, the adoption of connected vehicles, integration of artificial intelligence in the automobile industry, and rising demand for in-vehicle connectivity are the key reasons behind the rising demand for cybersecurity solutions for vehicles. As a result, the automotive cybersecurity market revenue is predicted to grow to $7,280.2 million by 2030 from $1,152.7 million in 2019, at a robust 18.5% CAGR between 2020 and 2030. Such solutions protect the connected infrastructure, vehicle, and information that is processed, stored, and transmitted by automobiles by detecting and responding to cyber threats.

One of the most prominent trends in the automotive cybersecurity market is the increasing data breach and cyberattack threat. With the advent of connected vehicle technology, a variety of information, such as location, address books, and credit card numbers, is being stored and transmitted by automobile systems. To thwart cyberattacks, the governments of several countries have implemented strict regulations requiring cybersecurity features in automobiles. Moreover, using vehicles’ connected systems, even the infrastructure the automobile connects to can be harmed, which is driving the deployment of cybersecurity solutions.

The major reason behind the increasing demand for automotive cybersecurity solutions is the rising preference for connected vehicles. Such automobiles offer smartphone connectivity, traffic and collision warnings, roadside assistance, and real-time traffic monitoring, which is why they are becoming rapidly popular. Securing the ADAS system against cyberattacks is essential for the success of fully autonomous vehicles, in which the IT infrastructure plays an equally important role as the mechanical infrastructure. Thus, with the rising number of connected automobiles on the roads, the installation rate of cybersecurity solutions in them will also increase.