One of the main challenges for the automotive supply chain is to ensure that it can keep up with the vulnerabilities that its products might carry. With some cars having several electronic control units (ECUs) and others carrying multiple components, both OEMs and Tier-1 suppliers face the daunting task of keeping up with a broad attack surface.
The key to facing this challenge head-on lies in a comprehensive cybersecurity strategy. Software and vulnerability management that covers a vehicle’s entire life cycle and provides high visibility over vehicles and their ECUs would be essential to the cars of tomorrow.
The following are today’s market trends that corroborate just how important cybersecurity will be in the future of the automotive supply chain.
- More connected cars, software-defined vehicles, software-based components, and greater use of open systems. Modern vehicles use more open operating systems and open-source software. The greater the connectivity, the more data cars are able to transmit, which organizations must learn to secure.
- Supply chain compliance with regulations. In order to comply with cybersecurity regulations such as UN Regulation No. 155 (UN R155) and ISO/SAE 21434, the modern vehicle and its components must pass the guidelines set by these regulations. Notably, OEMs often require ISO/SAE 21434 compliance from their suppliers. This necessitates a software bill of materials (SBOM), a list of open-source components in a piece of firmware.
- Cyberthreats. Susceptibility to cyberthreats is one of the trade-offs of greater connectivity — be it in cars themselves or in the supply chain. The more connected the industry becomes, the more it appears as a lucrative target for cybercriminal activity. In turn, cybersecurity incidents hurt the reputation of OEM vendors.
Challenges to the supply chain
In short, stakeholders would need to account for an overwhelming number of connected cars and components. While these changes mean growth, they can also widen security gaps. Here are immediate challenges:
- Too many electronic control units (ECUs) within a vehicle. At present, a connected car is said to have an average of 60 to 70 ECUs, which might be difficult for OEMs to manage.
- Too much open-source software used in ECUs. With the amount of open-source software used in ECUs, suppliers might find vulnerability assessment and prioritization overwhelming. In this industry, suppliers are used to only ensuring that their products work, with no cybersecurity facet to account for. However, the advent of the connected car calls for a for a shift away from this mindset.
- The need for SBOM management. SBOM management is a key security requirement for OEM and suppliers to securely manage open-source software in ECUs. More importantly, proper SBOM management would help them keep track of outdated or vulnerable components.
- The reality of new vulnerabilities. Vulnerabilities are a constant in the automotive industry. With connected cars becoming more commonplace, OEMs and suppliers need to constantly monitor for new vulnerabilities. Once a new vulnerability is discovered and published, OEM and suppliers must exhaust their efforts to identify its corresponding impact on and scope in a vehicle or ECU, after which they would then need to provide an action plan.
VicOne Solution: xZETA
In the face of these hurdles, OEMs and Tier-1 suppliers would need a cybersecurity solution that can help mitigate risks to software-defined vehicles (SDVs) and software-based components like ECUs.
Figure 1. How xZETA helps OEMs and suppliers handle vulnerabilities
xZETA allows OEMs to scan vendors' firmware by using static and dynamic analysis to figure out vulnerabilities and potential malicious behaviors. Here are its detailed capabilities that can help OEMs and suppliers with the aforementioned challenges:
- Present in the entire vehicle life cycle. xZETA identifies threats from the development to post-production phase of a connected car.
- Helps manage multiple vehicles and ECUs. For OEMs, xZETA can help to manage multiple vehicles or ECU firmware while providing centralized visibility for their vulnerability management.
- Prioritizes vulnerabilities in ECUs. For suppliers, xZETA can assess the vulnerability in ECUs in the form of the VicOne Vulnerability Impact Rating, which helps in prioritizing the risk of each vulnerability relative to the supplier’s environment.
- Provides an SBOM list. xZETA provides an SBOM list for every piece of ECU firmware and supports the standard exchange format SPDX.
- Dynamic analysis. For third-party applications, dynamic analysis simulates the ECU environment, which helps in monitoring for suspicious behavior and detecting potential malware or backdoor behaviors.
- Threat expertise. Local vulnerability threat experts provide recommendations to reduce the effort of OEMs and suppliers in prioritizing and finding the solutions.
To read more about VicOne solutions and learn best security practices, visit our resource center.