The vehicle industry needs standard tools and methods for securing electronic vehicle components against attacks. This is increasingly required by existing and future international standards for the cyber security of vehicles such as SAE J3061 and ISO/SAE 21434. An important procedure in this regard is the regular pentest, in which authorised security experts attempt attacks on the product in the same way as hackers would. Vulnerabilities identified in this way are thus rectified even before the sales launch. According to best practice, the effectiveness of these measures should be demonstrated by a re-test after implementation. Up to now, all these tests have been performed by experts who, for resource-related reasons, are often only able to focus on the main features of the most critical control units.
With secunet redbox, vehicle manufacturers only need to implement the automatable portions of pentests once. These can then be executed multiple times without security experts, on more control units than previously, at the required scale, and with the required repetitions in different process steps. Relevant phases for security tests are initial agile development prototypes, supplier milestones (as part of incoming inspections or acceptance tests), final tests of integration stages and the start of series production. If information emerges about new types of attack or vulnerabilities in the software components used, situation-dependent tests can be utilised as part of the ISMS/CSMS*.
The benefits for users include increased efficiency, simplified test processes, faster development and a steady increase in test coverage. If the benefits gained are reinvested in more security tests and countermeasures, this ultimately leads to a higher security level and higher quality. Eventually, the minimum standards can be raised through integration with existing infrastructures and by establishing test catalogues. secunet supplies test catalogues for the supported protocols and technologies. Last but not least, comprehensive, continuous documentation of the tests and results offers added value. Because the results include evaluations filed by experts, users can introduce high-quality security tests directly, without a security competence centre of their own.
secunet offers interested parties test installations of the product in advance. Training sessions are also available.
*) Information security management system / cyber security management system