Stress Tests for Automotive Cybersecurity

Posted By
Kristie Pfosi
Director, Cybersecurity

The automotive industry is used to putting equipment through grueling tests to ensure that it can stand up to harsh environments and punishing use cases. For example, at Aptiv we use specialized ovens to see how components tolerate high temperatures and conduct bending stress tests to see how charging cables hold up under heavy use. We bring the same thorough mindset to cybersecurity and use penetration testing to find vulnerabilities in our systems.

So-called white-hat hacking is common in cybersecurity, but testing security on vehicles presents certain challenges, given that they are mobile and rely on a variety of wireless technologies to connect with the world around them.

For example, we might want to test how a particular vehicle responds to a falsified GPS signal. We could use a signal generator to broadcast that signal – but without the proper precautions, that would risk interfering with anything near the test facility that uses a GPS signal to get its bearings. Imagine if delivery trucks were getting rerouted, phones in passing cars were suddenly telling their owners that they were on a different continent, or planes overhead were being momentarily disrupted.

To conduct tests on vehicles without affecting the environment around our facility, Aptiv has installed one of the largest commercial Faraday cages in North America. A Faraday cage is a container made from metal mesh that effectively blocks electromagnetic radiation from getting in or out. Our entire 8,200-square-foot cybersecurity lab in Troy, Mich., is encased in the Faraday cage. Doors into the lab contain metal conductors that make contact with the door frames, metal honeycombs continue the cage through air vents, metal sheets lie underneath the carpets, and a metal mesh fabric forms a tent over the ceiling.

We can bring a vehicle into the lab through a garage door and throw all sorts of signals at it — GPS, cellular, and Wi-Fi, including the types used in V2X (vehicle-to-everything) applications — without worrying about those signals escaping the facility.

New frontiers

Testing wireless communications is one mission of the lab, but it also houses an array of tools to help us improve the cybersecurity of our products. One is an X-ray machine that allows us to see into a microchip and identify physical vulnerabilities, including development tools such as debug ports that should not be included in production boards. Another is a forensics lab, which we can use to examine hardware and software if something goes wrong in order to determine the cause. And of course we have tools to ensure that any software we create takes an “assume harm” stance with defense in depth.

To use these tools to their full potential, we have brought in a very diverse group of experts. Automotive cybersecurity is a nascent profession, so we have recruited people with backgrounds not only in IT cybersecurity but also in areas like criminal justice, for help in forensics, and physics for help in reverse-engineering hardware. We employ threat-intelligence experts to monitor for threats that might affect our equipment, and we leverage cybersecurity professionals from the financial industry to learn from their best practices.

Automotive cybersecurity is vastly different from IT cybersecurity, and it requires a different approach. With automotive technology, there is no option to discontinue support after, say, three years. Automakers have to think in terms of supporting embedded systems for 10 or even 20 years after production to ensure their ongoing safety. With that in mind, our team will continue to work closely with OEMs through labs like our Troy facility for decades to come.