At this year’s symposium of Scalable Open Architecture for Embedded Edge (SOAFEE), solutions engineer Amadou Kane discussed VicOne’s security assessment tool, the company’s contribution to SOAFEE’s security-driven software-defined vehicle (SDV).
The tool is in part an answer to two challenges that the automotive industry faces: the low entry barrier for attacks and a vulnerable supply chain. Attacks on vehicles are currently easy to implement and replicate. For example, car-hacking tutorials can be found online, while supply-chain attacks can have a devastating effect on the automotive sector — especially since the industry relies on firmware with different electronic control units (ECUs).
Regulations like ISO/SAE 21434 reiterate the urgent call for improved security. This mandate pushes the secure-by-design principle, which necessitates conducting security validation. However, this is a difficult endeavor for suppliers, as they might be ill-equipped to conduct attack scenarios and reproduce or perform attacks.
VicOne’s security assessment tool
This security assessment tool aims to help OEMs and Tier 1 suppliers with these challenges. It supports stakeholders by leveraging SOAFEE’s SDV, which allows manufacturers to host their whole electrical and electronic architecture (EEA) in a cloud-native architecture. VicOne has essentially set up a container-based assessment tool that helps integrate development pipelines.
The tool is made up of three main components: threat intelligence, a Controller Area Network (CAN) attack generator, and an attack simulator. These features are packaged as a container and can be run on the SOAFEE architecture in order to perform attack scenarios.
Users can conduct experiments by simulating different attack scenarios. For example, they can adjust the sequence of attack vectors to perform different combinations of attack cases. As of this writing, the latest version has six built-in attack scenarios. VicOne encourages users of the tool to perform their own attack cases, as both the script and format are customizable. Where and how malicious CAN messages are injected into the bus is also definable, so users can simulate attacks at any point in the cloud deployment cycle.
Amadou Kane discusses other functions and capabilities of the tool in his presentation.
Next phases and future plans
More plans are in store for the next phases of VicOne’s security assessment tool, chief of which is to eventually leverage polluted CAN messages based on real data. Currently, the tool only supports the CAN protocol, but VicOne plans to introduce Ethernet support in the near future.
At present, the automotive industry faces the task of creating secure-by-design products amid an expanding attack surface. As vehicles become more advanced and connected, they also become more susceptible to cyberthreats. In the face of new threats down the road, security assessment and attack simulator tools are useful resources.