CONNECTED VEHICLE TESTING
Today’s vehicles are more complex and more connected than ever before. This results in a significantly increased attack surface and, for the typical vehicle, a weaker security posture. Vehicle security is now about more than just physical security, and connected vehicle cybersecurity testing is a requirement for every manufacturer.
The impact of automotive vehicle cybersecurity issues can be large and affect personal safety. Criminals are using increasingly sophisticated attacks to steal vehicles, compromise their systems, compromise privacy and safety, and more.
There are a large number of points of ingress for an attacker. Modern vehicles typically have USB connections, connected entertainment systems, advanced navigation capabilities, various wireless systems and more. This presents an opportunity to compromise a connected vehicle both locally and remotely. Further, most manufacturers are now providing mobile applications that interact with the vehicle; both tracking and functional interaction are possible.
GDPR
Connected vehicles often measure and store telemetry which includes personal data. Mobile applications often have vehicle tracking capabilities. It is highly likely that such data will be in scope for GDPR, thus a connected vehicle security breach could have significant repercussions.
Automotive cybersecurity standards
There are currently no commonly accepted standards for automotive cybersecurity. This is likely to change, though. EDGENETIC are closely following ISO 26262. This standard is titled “Road Vehicles – Functional Safety” and applies to the functional safety of electric systems in production automobiles. It is likely that version two of the standard, which is in development, will address the issue of automotive cybersecurity.
Likewise, J3061 by SAE is a standard in development for cyber-physical vehicle systems which EDGENETIC consider to be a useful resource. Between these work-in-progress standards and EDGENETIC’s own experience, it is possible to provide leading connected vehicle assurance services.
Connected vehicle cybersecurity services
EDGENETIC have a wealth of experience assessing the security posture of a connected vehicle. Specifically, we will focus on:
- Design flaws
- Specification flaws
- Implementation flaws
The approach will vary depending on the requirement, but we recommend including all components of the connected vehicle system, assessing:
- Dynamic analysis, including fuzzing and manual probes
- Static analysis, including code review and coding standard review
- Unit testing, hardware testing, integration testing
- Using a white box approach where maximum information sharing occurs
This mix of architectural, procedural and implementation reviews allows maximum levels of assurance. EDGENETIC have discovered critical vulnerabilities in connected vehicle systems and have worked with global automotive manufacturers for a number of years.
Frequently Asked Questions about Data Privacy Security
What is an incident response policy?
An incident response plan or policy is a process you create before you experience a cyberattack, so that your team has a procedure to follow when you do experience a data breach. EDGENETIC follows the CREST Cybersecurity Incident Response process, which is broken down into 3 phases: preparation, response, and follow up. Having a breach plan gives you the confidence to quickly nullify any threat to your data privacy security.
Why is data privacy security important?
Although it has always been important, the implications and need for higher security are coming into play now that technology is indispensable to everyday life. Using apps, browsing websites, and shopping online are all examples of how your data will be stored and managed online. For organisations today, the threat of cyber theft is a pertinent one. Having comprehensive data privacy plans in place can reduce and mitigate the risks of such events.
Does EDGENETIC practice sustainability?
As a company with a global footprint, sustainability is an area of importance to us. We are a registered ‘Investor in People’ organisation. Taking a cue from ISO 14001, we have strong sustainability practices put in place. Our organisation also hires fairly and equally, across gender and race. By working with us, you can rest assured that we implement data privacy security measures with ethics at the core of our mission.