Automotive Cyber Evaluation Framework, 10-R6329

Principal Investigators
Diego Alducin
Vic Murray
Inclusive Dates 
02/01/23 to 06/01/23

Background

Modern automobiles include multiple computers networked with each other and even connected to the internet. As with any computer network, they may contain security vulnerabilities. In perhaps the most famous demonstration of such vulnerabilities, two security researchers accessed a vehicle using its built-in cellular connection and leveraged that access to remotely disable the brakes and kill the engine. As the number of computers and their network connections continues to grow, cybersecurity testing will only become more critical.

However, automotive cybersecurity testing is hampered by a lack of consistency. Vehicle manufacturers, component developers, and cybersecurity testers each approach the problem from different perspectives. Two automakers may require entirely different tests to evaluate the same component. Additionally, different evaluation companies may test to different standards to determine system security. The SwRI automotive cyber evaluation framework is a response to these issues.

Approach

Figure 1: Detail of Automotive Cyber Test Framework Prototype.

The framework, shown in Figure 1, is a web-based system listing vehicle components relevant to cybersecurity, such as electronic control units, internal networks, and external interfaces. The different perspectives of different groups are accommodated by allowing users to select the relevant components. For a given component, the framework lists possible vulnerabilities and suggested tests. It also ties appropriate standards from the automotive and cybersecurity worlds to the vulnerabilities and tests, which provides consistency across the user base. The modular and web-based nature of the framework allows it to be easily updated as new components, vulnerabilities, tests, and standards are developed.

Accomplishments

The framework was developed after consultation with various members in the automotive cybersecurity community, including vehicle manufacturers, component providers, and test organizations. SwRI has continued to engage the industry for feedback on the prototype, and for suggestions on how best to expand the limited number of components developed as part of this internal research. With support from industry partners, SwRI will be able to present the framework to the community. Wider adoption, with SwRI as an independent developer, will improve vehicle cybersecurity, and thus safety, for every driver and passenger on the road.