Automotive Cybersecurity Symposium

Oliver Huppenbauer | Marquardt

 

Experience of Tier 1 how to implement ISO/SAE 21434 into company and  how to integrate Cybersecurity into existing management systems.

Grey-Box Penetration Testing for Full Life-Cycle Cybersecurity
Dr. Christof Ebert | Vector Consulting Services

 

Automotive electronics and enterprise IT are converging and thus open the doors for advanced hacking. With classic security testing, vulnerability detection is inefficient and incomplete. In this presentation, we show how an enhanced Grey-Box Penetration Test (GBPT) needs less test cases while being more effective in terms of coverage and indicating less false positives. We will show the systematic approach to GBPT and underline with industry experiences the take-aways.

Automotive Safety and Security – Current Trends and Challenges
Stefan Kriso | Bosch

 

With the current trend towards automated driving, connectivity, and electrification we have to deal with new challenges in the area of vehicle safety. In the past we had a strong focus on functional safety (ISO 26262), but this will be no longer sufficient in future – other aspects of vehicle safety will become more and more important, for example SOTIF (safety of the intended functionality), security (especially the safety relevance of intended manipulations), safety regulations etc. Especially the trend that more and more support and functionality will come from the infrastructure leads to new safety and security questions. For example, what if someone manipulates not the vehicle itself, but the environment of the vehicle? This presentation will give an overview over the current activities in the area of standardization and regulations and the activities which are required to ensure safe vehicles in future. It will give some examples how to deal with upcoming safety questions and how the different safety aspects could interact.

André Weimerskirch | Lear
Sven Schran | Bosch
John Heldreth | Automotive Security Research Group (ASRG)
Dr. Christof Ebert | Vector Consulting Services

 

Cybersecurity and functional safety are closely related and must be implemented together. However, this is challenging due to lack of combined methods but also due to different responsibilities in companies. This panel shows how cybersecurity and safety can be effectively implemented: Sustainably and cost-effectively.

Scalable Automotive Intrusion Detection Systems: From the ECU To the VSOC
Justus Reich | IBM und Dr. Eduard Metzker | Vector

 

Automated Threat Evaluation of Automotive Diagnostic Protocols
Nils Weiß | OTH Regensburg

 

Diagnostic protocols in automotive systems can offer a huge attack surface with devastating impacts if vulnerabilities are present. This presentation shows the application of active automated learning techniques for reverse engineering system state machines of automotive systems. The developed black-box testing strategy is based on diagnostic protocol communication. Through this approach, it is possible to automatically investigate a highly increased attack surface. Based on a new metric, introduced in this presentation, we are able to rate the possible attack surface of an entire vehicle or a single ECU. A novel attack surface metric allows comparisons of different ECUs from different OEMs, even between different diagnostic protocols.

Fuzz Testing the ISO 15118 Protocol Stack
Tobias Schöneberger | Vector

 

The charging port is a new, externally accessible gateway for vehicle attacks, which requires systematic robustness and security tests of the ISO15118 interface.

The presentation displays how IP, TCP, TLS and EXI protocols can be tested automatically with the combination of fuzz and security tests. In focus is the test of TLS handshake and X509 certificates.

Keeping Your ECU Secure Against Compromised Adaptive Applications
Udo Neitzel | ITK Engineering

 

The AUTOSAR Adaptive Platform (AP) enables the implementation of multiple tasks with different security objectives on a single ECU. Identity and Access Management (IAM) allows the assignment of access permissions on platform resources and services. We present the principles, architecture and application of IAM.