2 research outputs found

    Long-term software maintenance

    As connectivity and the amount of software in modern vehicles rise, keeping vehicles secure throughout their lifetime becomes both more important and more challenging. Recent cybersecurity regulation increases the pressure on car makers and suppliers to find solutions for long-term cybersecurity support, quite apart from the other drivers for software maintenance besides cybersecurity. In this paper, we examine the challenge of providing long-term updates for in-vehicle software. We review current automotive software development practices and their constraints regarding long-term updates. Furthermore, we examine the collaboration and business models and propose extending them to cover the vehicle operations phase. Looking ahead, we find that a two-fold approach is required to solve these challenges. In the short term, binding maintenance agreements are needed to give OEMs assurance and to help suppliers plan ahead and preserve the capability to provide software updates; this is essential for reacting quickly to an incident. The maintenance duration must be chosen carefully, as effort and cost rise sharply over time and excessive maintenance periods may impose unacceptable costs on end users. In the long term, we observe an industry trend towards continuously developed software platforms that are deployed regularly even to older vehicles, potentially requiring hardware upgrades where performance is no longer sufficient. This model reduces the need to maintain many different software branches at the same time and will make long-term updates more efficient.

    Safety goals in vehicle security analyses

    Ensuring safety is the most important objective of security in the automotive domain. However, security analyses often lack systematic input from functional safety. We provide a method for integrating the safety goals identified in the Hazard Analysis and Risk Assessment (HARA) of functional safety into a well-established Threat Analysis and Risk Assessment (TARA) for security. Our method treats safety goals as additional security goals and analyzes them in the same way as the other security goals identified by the TARA. By this means, violations of safety goals by a malicious attack are evaluated with respect to their feasibility in terms of attack potential according to Common Criteria. Furthermore, we propose a metric to quantify the security risk with safety impact, based on the severity and controllability values from the Automotive Safety Integrity Level (ASIL) ratings assigned by safety experts in the HARA. We apply our proposal to an Automated Emergency Braking system to demonstrate how it increases the completeness and accuracy of security analyses with respect to vehicle/system safety, based on expert safety ratings.
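    A worked sketch of the method summarised above, added here as an illustration and not taken from the paper: a HARA safety goal is imported into the TARA as one more security goal, each attack path against it is rated with the Common Criteria attack-potential factors (values from CC v3.1 Part 3, Annex B), and the resulting feasibility is combined with the goal's severity (S) and controllability (C) values. The paper's own metric is not given on this page, so the impact formula, the feasibility scores, the risk thresholds, the AEB safety goal and both attack paths are assumptions constructed for this example.

```python
"""HARA safety goals evaluated inside a TARA (added example, not the paper's code).

Attack-potential factor values follow CC v3.1 Part 3, Annex B. The impact and
risk formulas are assumptions made for this example, not the paper's metric.
"""
from dataclasses import dataclass
from typing import Dict, List

# Common Criteria attack-potential factors (CC v3.1 Part 3, Annex B, Table B.3).
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=2 weeks": 2, "<=1 month": 4,
                "<=2 months": 7, "<=3 months": 10, "<=4 months": 13,
                "<=5 months": 15, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "sensitive": 7, "critical": 11}
WINDOW = {"unnecessary": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9}


def cc_rating(points: int) -> str:
    """CC Table B.4: total points -> attack potential required to exploit."""
    for upper, name in ((9, "Basic"), (13, "Enhanced-Basic"),
                        (19, "Moderate"), (24, "High")):
        if points <= upper:
            return name
    return "Beyond High"


# Assumption: feasibility score derived from the CC rating; higher = easier.
FEASIBILITY = {"Basic": 4, "Enhanced-Basic": 3, "Moderate": 2,
               "High": 1, "Beyond High": 0}


@dataclass(frozen=True)
class SecurityGoal:
    """A TARA security goal; goals imported from the HARA carry S and C."""
    name: str
    origin: str               # "safety" (from HARA) or "security"
    severity: int = 0         # ISO 26262 S0..S3
    controllability: int = 0  # ISO 26262 C0..C3


@dataclass(frozen=True)
class AttackPath:
    """One attack path with its five CC attack-potential factors."""
    description: str
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def attack_potential(self) -> int:
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE[self.knowledge] + WINDOW[self.window]
                + EQUIPMENT[self.equipment])


def from_hara(name: str, severity: int, controllability: int) -> SecurityGoal:
    """Import a HARA safety goal as a security goal with the same S and C."""
    if not (0 <= severity <= 3 and 0 <= controllability <= 3):
        raise ValueError("S and C must be in 0..3")
    return SecurityGoal(name, "safety", severity, controllability)


def safety_impact(goal: SecurityGoal) -> int:
    # Assumption: impact grows with severity and with how hard the hazard is
    # to control once it occurs; range 0..6.
    return goal.severity + goal.controllability


def risk_level(score: int) -> str:
    # Assumption: bands for the 0..24 score (feasibility x impact).
    if score == 0:
        return "negligible"
    if score <= 6:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def assess(goal: SecurityGoal, path: AttackPath) -> Dict[str, object]:
    """Rate one attack path against one (safety-derived) security goal."""
    points = path.attack_potential()
    rating = cc_rating(points)
    score = FEASIBILITY[rating] * safety_impact(goal)
    return {"goal": goal.name, "path": path.description, "attack_potential": points,
            "rating": rating, "score": score, "level": risk_level(score)}


def rank_attack_paths(goal: SecurityGoal, paths: List[AttackPath]) -> List[Dict[str, object]]:
    """Highest risk first, so the TARA treats the safety goal like any other."""
    return sorted((assess(goal, p) for p in paths),
                  key=lambda r: r["score"], reverse=True)


# Constructed AEB example: a hypothetical HARA safety goal and two hypothetical
# attack paths; the factor ratings are illustrative, not measured values.
AEB_GOAL = from_hara("SG-1: no unintended emergency braking at speed",
                     severity=3, controllability=2)
AEB_PATHS = [
    AttackPath("spoofed object-list messages on the sensor bus",
               "<=2 weeks", "expert", "restricted", "moderate", "specialised"),
    AttackPath("replacement of the radar unit with an attacker-controlled one",
               "<=1 month", "expert", "restricted", "moderate", "bespoke"),
]

if __name__ == "__main__":
    for r in rank_attack_paths(AEB_GOAL, AEB_PATHS):
        print(f'{r["score"]:>2} {r["level"]:<10} {r["rating"]:<14} '
              f'({r["attack_potential"]} pts) {r["path"]}')
```

    Because the safety goal carries its HARA values into the TARA, two paths that violate the same goal differ only by feasibility, and the ranking falls out of the attack-potential rating; swapping in the paper's actual metric means replacing `safety_impact`, `FEASIBILITY` and `risk_level` while keeping the CC tables.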