Why are OEMs and Tier-1 suppliers outsourcing the pen-testing process?
In the past, pen testing typically took place when the development phase was complete or close to it, right before production commenced. However, with the emergence of EVs and SDVs, as well as the need to adhere to the ISO/SAE 21434 standard, the UN R155 regulation, and the recently ratified Chinese GB/T regulation, OEMs are advocating for pen testing to begin much earlier. This would involve testing a broader selection of ECUs, which could have a notable impact on speed, efficiency, and cost-effectiveness, while ensuring that this does not affect projected release dates.
Automotive pen-testing is evolving in several ways. We are seeing dedicated cybersecurity labs emerging, re-organization of in-house red-team personnel, and a more efficient approach to defining the scopes and goals of the process.
Cybersecurity testing labs
One of the emerging trends in cybersecurity is the development of penetration testing labs strategically located in proximity to large concentrations of OEMs and Tier-1 suppliers. Cybersecurity labs allow organizations to take ownership of their cybersecurity process, simulate real-world attacks, test their products, and test new security technologies and techniques. One of the main benefits is education. Engineers and cybersecurity experts can obtain hands-on experience in these labs, to help educate and improve their organization’s overall cybersecurity proficiency.
Lab teams pen-test vehicles, subsystems, components, software images, and interfaces, identify and prioritize weaknesses, and assess vulnerabilities and misconfigurations. A typical pen-test process involves various techniques, an assortment of dedicated software programs that scan for issues, and proprietary software platforms that find and remediate all issues.
Accessing a cybersecurity lab improves the overall security posture, and makes available guidance and education on a daily basis.
The problem with in-house red-team personnel
We are all aware of the growing scarcity of automotive cybersecurity professionals. There is high demand, in the automotive industry, for expert cybersecurity personnel that are versed and experienced in both the R&D processes for vehicles and the growing regulatory demands of the industry. Some organizations don’t have a cybersecurity team in place at all, and are just now understanding the importance of creating in-house capabilities.
Constructing a Product Security Incident Response Team (PSIRT) is crucial for ongoing cybersecurity issues, such as security-control development and vulnerability management functions. In-house red teams offer several advantages, including their deep understanding of the company’s specific infrastructure and technologies. They can tailor their efforts to address industry-specific risks, compliance requirements, and emerging threats. Additionally, having a dedicated internal team enables more efficient communication, collaboration, and integration with other departments, facilitating a proactive and holistic approach to cybersecurity across the organization.
Outsourcing pen-testing services helps organizations reduce labor costs while building in-house capabilities, but maintaining a discrete outsourcing methodology is a welcome practice, to enhance productivity and to utilize existing talent professionals.
Choosing the right method and defining scopes and goals
When approaching pen testing, it is imperative to understand the targets and home in on the method. Pen-testing can be a lengthy and costly process, and focusing on the most accurate method, scope, and goals can reduce costs substantially.
A “Gray Box” approach allows pen-testers to identify findings with reasonable efforts and costs, while a “Black Box” method mimics the attack on a vehicle and provides a superficial status report. This method is usually more expensive, and it does not provide all work products required by the standard.
The testing location – whether the process will take place in-house, or in an external dedicated lab – can be a significant factor.
Defining the scope of the test is also important, and is expected to deliver the most value in addressing the standards and expectations, and in reducing risk levels. The scope recommended takes into account:
- In-vehicle connectivity (CAN, Lin, Ethernet)
- Firmware upgrade process
- HSM + Key management
- Secure Boot
- Diagnostics
- OS/BSW, VM, and external libraries
By uncovering critical cyber vulnerabilities and validating the final release, OEMs and Tier-1 suppliers can focus on the highest severity issues, prioritizing fixes according to possible exploit impact and likelihood.
Karamba Security’s Pen-testing is just one of our End-to-End Product Security Portfolio elements that enable our partners to discover, mitigate and manage security vulnerabilities in their ECUs and vehicle types. Enabling organizations to expedite their compliance with cybersecurity standards without slowing down innovation, Karamba leverages automated tools, dedicated labs, and a cost-effective pragmatic approach to delivering a complete cybersecurity journey.
