FREMONT, CA: The number of Electronic Control Units (ECUs) and overall complexity continue to rise as vehicle technology progresses to include more autonomy and higher degrees of connectivity. A modern vehicle may have over 100 million lines of code that control and monitor a wide range of subsystems, such as Advanced Driver Assistance Systems (ADAS), infotainment, collision avoidance, and engine/vehicle management. This opens the door to cybersecurity issues.
Regrettably, manufacturers have done very little to add cybersecurity safeguards. There are currently no associated automotive standards; ISO 26262, the automotive functional safety standard, simply states that the vehicle's security is the manufacturer's responsibility. This general lack of focus translates to increased danger to safety-critical systems and a growing liability that must be handled.
Time to Market
From concept to vehicle production, it takes an average of four years. This means that significant decisions affecting architecture, security principles, and operating systems are made roughly four years before vehicles come off the manufacturing line. Even though vendors strive to keep software up to date until production begins, none of them would willingly replace a complete operating system kernel in the middle of development. This means that several months' worth of hidden bugs, fixes, vulnerabilities, security measures, and communication channels will go unnoticed. If any of the new components fail during testing or threaten to cause a production delay, the OEM will fall back on an old ECU rather than risk the new one.
IT Cyber Solutions Do Not Readily Transform to Automotive
IT cybersecurity standards (for example, ISO/IEC 27001 and 27002, NIST, NERC/CIP) have been around for decades. Given the similarities (both IT and automotive involve robust networks of connected devices), why not simply map cybersecurity solutions from the IT world to the automobile sector? Although the two are conceptually similar, there are significant distinctions and corresponding obstacles.
Multiple Interconnected Systems
Sensors, simple logic circuits, complicated onboard computers, embedded operating systems, and proprietary chipsets are all part of a vehicle platform. Combining Windows, macOS, Linux, and Java Virtual Machines into a single unified configuration is difficult.