[Series] FESCARO's Automotive Cybersecurity FAQs ​ FESCARO has been operating the ‘FAQs Series’ to address cybersecurity issues for stakeholders in the automotive industry. We have conducted live webinars on four key topics, and the expert panel from FESCARO provided answers to the most commonly asked questions from industry professionals. If you missed a webinar on a topic that interests you, you can access both the recorded video and a text summary (FAQs) at the following link.   # FAQs Series 1. Cybersecurity Strategies for Tiers (Emerging-OEMs oriented) 2. Comprehensive Guide on Cybersecurity Solutions & Engineering 3. Cybersecurity Testing method based on VTA Success Stories 4. ECU Cybersecurity guidance : From production to post-mass productionThe last webinar of the year organized by FESCARO was successfully completed. This webinar, titled " ECU Cybersecurity guidance : From production to post-mass production," took place on October and attracted approximately 80 participants from more than 50 companies. ​Automotive controller developers should not only apply security solutions to their controllers, but also consider cybersecurity during and after the production. This webinar focused on both the KMS (Key Management System) required during production and the Security Control System required on the post-production phase.  Let’s check out the clear answers from the FESCARO’s expert panel.  ■ Expert Panels​ • Director Ku Seong-seo & Team Leader Choi Hee-sun : 20+ years of experience in embedded system SW development, including automotive controllers and security solutions • Director Lee Hyun-Jeong: A white hat hacker who is a question setter for 'CODE GATE CTF', an international hacking defense competition, and an IT/Automotive security expert.​  ■ QUESTION LIST■ Text Ver. 1. What kind of cybersecurity do OEMs require on their production lines?Typically, OEMs rarely explicitly request cybersecurity-related precautions for manufacturing controllers. This is due to the variations in controller characteristics, semiconductor types, required security functions for each controller, and the assets that need protection.​ From the supplier's perspective, it is crucial to establish an appropriate response strategy as they must effectively address these vague requirements. When automotive cybersecurity requirements are unclear, it is advisable to consult the international standard ISO/SAE 21434. The key is to develop a rational and consistent response plan tailored to the specific controller characteristics while aligning with OEM requirements. The table provides a summary of ISO/SAE 21434 in its entirety. Section 12 outlines the requirements that need to be considered when manufacturing controllers or vehicles. It establishes two primary objectives: first, the application of WP-10-02, which outlines the requirements that must be met during production after development phase, and second, the prevention of new vulnerabilities from entering the controller during production process. These requirements can be broken down into in three key aspects: the establishment of a robust control plan for production, the inclusion of four specific conditions within the production control plan, and the successful execution of production in accordance with this plan. WP-10-02, which pertains to the requirements on the production process after development includes the initialization actions such as safely injecting and activating security assets (e.g. encryption keys, passwords, certificates, etc.) used in the operation of the security solutions so that the cybersecurity solutions or controllers can operate properly in the vehicle after production.​The production Control Plan, mentioned in RQ-12-02, should include :  a. Procedure to meet the production requirements described above  b. Description of tools or equipment to be used for this purpose, e.g. KMS, key injection device, verification device, etc.  c. Measures to keep the production environment safe (e.g. firewall, VPN, etc.)  d. Measures to ensure reliable and proper fulfillment of production requirements​We looked in more detail on WP-10-02 and the four key components that must be incorporated within the Production Control Plan. In summary, two things are essential for meeting OEM’s cybersecurity requirements: One is to safely apply and activate security assets during the production process so that the cybersecurity measures applied to the controller can function effectively post-production, and the other is to provide environmental factors so that this process can be sufficiently protected from external intrusions.  2. What are security assets and KMS? To help you understand, let me begin by explaining the terms. An asset is something that requires protection since it possesses inherent value or contributes to the overall value. In the context of a controller, assets encompass controller functions, hardware (HW), software (SW), and the data stored or utilized within the controller. The security assets mentioned in the question refer to data, software, and various information used for cybersecurity functions. These are also critical assets that need to be protected. ​ Moving on to KMS (Key Management System), it refers to a device or equipment responsible for generating, securely storing, and managing security assets used in the controller's security functions. Additionally, it facilitates the distribution and injection of security assets into the controller during the production process. For those who may not be familiar with KMS, I will provide a more detailed explanation. The diagram above illustrates the process of applying security assets, whether provided by OEMs or independently created, to controller production. In total, there are three Key Management Systems (KMSs), all of which are responsible for managing security assets, such as certificates and security keys, and distributing them as needed. For instance, OEMs create, distribute, and manage security libraries or other keys required for security functions at the request of suppliers request. The suppliers, in turn, receive, manage, and securely maintain these assets, incorporating them into production when required. The controller suppliers themselves have to generate essential security keys, passwords, and other components, inject them into the controller, and activate the security functions, and collect, manage the information to be used when needed.​  Therefore, it is crucial to understand the OEM's requirements, identify the assets integrated into the controller, and make informed decisions regarding the configuration of the KMS and related processes. This necessitates professional judgment grounded in expertise and experience.FESCARO possesses a track record of constructing and delivering Key Management Systems (KMS) for OEMs. The KMS incorporates processes to create/distribute/manage security assets necessary for OEMs to cooperate with suppliers, and to carry out tasks appropriate to each role within the organization.  The KMS developed for suppliers was tailored to suit the unique attributes of both the controller and the supplier, and it was seamlessly integrated with the production line. Furthermore, we furnished a key injection system that interfaces with both the KMS and the controller during the actual production phase, allowing for the injection of security assets. Additionally, we have frequently created and supplied software (SW) capable of receiving these assets from the controller, securely storing them, and triggering security functions when needed.   3. Requirements for building KMS When selecting a Key Management System (KMS), it is vital to understand its intended purpose, namely, what data will be generated, managed, and distributed. This can differ significantly between various OEMs and controller types. This discussion outlines the fundamental factors that should be taken into account when dealing with KMS, even when their specific purposes may vary. Two key considerations must be addressed when developing KMS.  1. The robustness and reliability of the security assets generated by KMS need to be upheld.2. The environment where the KMS is located must be very safe from external access.  First, to ensure the robustness and reliability of security assets, it is imperative that only authorized individuals have the capability to execute actions in accordance with their granted permissions. The security assets should be created and stored securely, and the recipients requiring these security assets must be accurately specified to ensure precise distribution. Moreover, effective management of their expiration dates and change cycles is essential, and they should be restored or disposed of as necessary.   We will express the above five requirements technically so that practitioners can understand them more easily. We can assess compliance with the first condition by verifying whether the system aligns with the Key Management Interoperability Protocol (KMIP). KMIP serves as a client-to-server communication protocol utilized for the storage and maintenance of security assets, including security keys and certificates. The second requirement involves the use of Hardware Security Module (HSM) certified under FIPS 140-2 standards. This certification ensures the stability and reliability of the security logic within the system. As for the third condition, it's imperative to implement redundancy measures to protect the created assets and prevent operational disruptions. Lastly, the system should offer support for functions such as dashboards, enhancing convenience in terms of management and operations. First, to ensure the robustness and reliability of security assets, it is imperative that only authorized individuals have the capability to execute actions in accordance with their granted permissions. The security assets should be created and stored securely, and the recipients requiring these security assets must be accurately specified to ensure precise distribution. Moreover, effective management of their expiration dates and change cycles is essential, and they should be restored or disposed of as necessary.   We will express the above five requirements technically so that practitioners can understand them more easily. We can assess compliance with the first condition by verifying whether the system aligns with the Key Management Interoperability Protocol (KMIP). KMIP serves as a client-to-server communication protocol utilized for the storage and maintenance of security assets, including security keys and certificates. The second requirement involves the use of Hardware Security Module (HSM) certified under FIPS 140-2 standards. This certification ensures the stability and reliability of the security logic within the system. As for the third condition, it's imperative to implement redundancy measures to protect the created assets and prevent operational disruptions. Lastly, the system should offer support for functions such as dashboards, enhancing convenience in terms of management and operations. Usually, as part of quality activities, a process for managing security events is defined and operated according to a manual. However, today we will focus on collecting and managing security events that occur in the field. FESCARO is constructing security event monitoring systems for clients across the entire vehicle life cycle. The security event monitoring function is initially activated during the vehicle production on the assembly line. At this stage, details such as the software (SW) and hardware (HW) version information installed on the vehicle, and the occurrence of security events, are recorded on the server. Once the security event monitoring function is initiated on the production line, the Central Gateway (CGW) is tasked with collecting and storing data regarding security events for controllers equipped with cybersecurity functions within the vehicle.​Subsequently, when a manufactured vehicle is brought to a repair shop for maintenance, diagnostic equipment is employed to ascertain whether any security events have transpired in the vehicle. In the event of a security event, the security log is gathered and transmitted to the server to update the vehicle's status. ​In cases where a security event occurs in a connected vehicle equipped with an external communication controller, the controller communicates a security event notification to the server. The server can, if necessary, request comprehensive data from the vehicle for further analysis. Upon receiving such a request, the vehicle transmits detailed data, including CAN messages before and after a security event, to the server. Upon receiving a security event that has transpired in a vehicle through the three pathways previously described, the server undergoes an automatic process to determine the vehicle model, controller, and software (SW) in which the security event occurred. The server automatically categorizes the array of security events obtained from diverse vehicles, facilitating an environment where individuals can carry out their respective analysis tasks. The server may encounter security events of a type that it cannot classify. In such instances, these events are labeled as "Unknown" to enable human analysis. Next, one or more security events that are related to each other are grouped and managed as one security vulnerability. For example, security events identified as abnormal messages by CAN-IDS are amalgamated into a singular security vulnerability and collectively managed until the security vulnerability is resolved. Lastly, abnormal vehicles are managed. The status of each vehicle produced on the production line is recorded, and this status is continually updated through maintenance and connectivity activities. During this process, not only the vehicle that reported the security event but also those vehicles with a potential risk of encountering a similar security event are identified. This proactive approach enables preemptive measures to be taken, enhancing overall security. 5. Examples of building a security control system  FESCARO has successfully developed and maintained security control systems for global passenger and commercial automakers. The image above illustrates the security control system we've implemented for a global OEM. While there are numerous functions within the system, we will introduce some of the key features. First, let's discuss the dashboard. The dashboard provides a concise overview of the current security event status. It offers real-time updates on which security events have occurred in specific vehicles and compiles statistical data. This data includes insights into which security events on which vehicle type have been most frequent. It also includes a highly regarded feature among OEMs: the ability to 'Download as Report.' This feature generates reports detailing the status of security events, organized by month, week, vehicle type, and individual vehicle, all conveniently presented in Excel format. Next, we have a feature that allows to examine the status of security events in greater detail. It displays information about which events occurred on which vehicles, along with their timestamps, event specifics, and any mitigation actions taken. To simplify the analysis of raw data, this feature visualizes and presents CAN messages. Furthermore, the system provides a timeline of security events for a specific vehicle. This timeline aids in easily assessing which security events have taken place in a given vehicle. Importantly, the security control system goes beyond merely collecting security events from the field; it streamlines and visualizes tasks that would otherwise require manual handling, reducing the workload for human operators. Feedback from our customers attests to the convenience and efficiency that the security control system brings to the analysis process.  6. Do Tiers necessarily need a security control system? Wouldn’t quality activities be enough? Of course, we can manage security events through quality activities. However, there are practical limitations to manual management, especially for Tier suppliers who often work with multiple OEMs and their various vehicle variants. Instead of manually classifying and analyzing every security event, the adoption of a security control system can significantly enhance efficiency.​While security control systems may not be mandated for Tiers, an impact analysis process is crucial. A single security event may potentially affect multiple vehicles and vehicle types. Security control systems automatically conduct impact analysis and identify vehicles that haven't encountered a security event yet but are at risk, enabling proactive measures to prevent the propagation of damage resulting from security incidents.​Vehicles become increasingly interconnected with external networks and hackers' attack strategies continuously evolve. What may be cutting-edge security technology for controllers today may not be so in 10 or 20 years. Given that no security system is entirely foolproof, ongoing monitoring after production is essential. Rapid identification and analysis of security incidents, followed by appropriate mitigation actions, are vital. ​To achieve this, an appropriate security control system must be introduced to protect against security threats throughout the vehicle's entire life cycle. 7. How is the security events of the vehicle shared?  Security events that can occur in vehicles include intrusion detection events, software tampering events, and secure storage tampering events etc. When these events occur, related information is collected and stored.​In the case of connected vehicles, security event data is instantly relayed to a controller equipped with a telematics unit, such as a CCU. The contents of security events and related information are gathered by the CCU and then transmitted to the server. However, since connected services are optional for vehicles, not all vehicles transmit security event data to the server in real time. ​For vehicles that are not connected, there is currently no direct means to send security events to the server in real time. Nonetheless, the collection of security events from as many vehicles as possible is essential for addressing and preventing potential security incidents in the future. ​ To address this, non-connected vehicles rely on car repair shops to carry out this task. When a vehicle is brought to a repair shop and connected to diagnostic equipment, the diagnostic tools search for stored security events within the vehicle's gateway and subsequently transmit this information to the server. FESCARO is also actively developing and delivering a security solution for diagnostic equipment to facilitate the search and automated transmission of security events from the gateway to the server.Let's explore the details of the security event information transmitted to the server. In paragraph 7.2.2.2 of UN Regulation 155, the regulation doesn't specify the exact information to be managed. However, it does emphasize the need for a process to provide relevant data to support the analysis of attempted or successful cyberattacks. This process must be in operation and proven during the certification process.​To establish effective preventive measures, it is crucial to utilize security event information to understand the nature of intrusion attempts, identify issues, and pinpoint the timing of such events. Therefore, the necessary information must be collected for analysis. ​The information sent to the server includes the Vehicle Identification Number (VIN) to determine which specific vehicle the security event occurred in, the type of security event, a timestamp to track the time it occurred, and, a freeze frame (for intrusion detection events) containing the CAN messages that were involved in triggering the event.   8. How does the gateway protect vehicles?The gateway maintains vehicle security with the following functions:   1. Primary defense against intrusion attempted through the OBD diagnostic port connected from outside the vehicle 2. Monitoring abnormal behavior of vehicle controllers and reporting detected abnormal operations to the server 3. Detecting the operation of unauthorized software other than officially certified software through the VTA certification process and reporting it to the server​Let's begin by examining the concept of 'defense against intrusion from outside the vehicle'. Indeed, this concept is about shielding the vehicle from external intrusions that might occur through a diagnostic port with an external contact point. This protection is achieved by implementing security measures such as Secure Unlock, Secure Access, Secure Flash, etc. For more about security features, please refer to the ‘Comprehensive Guide on Cybersecurity Solutions & Engineering’ FAQs.​Second is about CAN-IDS, which upholds vehicle security by focusing on the ‘detection and reporting of abnormal behavior occurring inside the vehicle’ as specified in UN R155. This encompasses the following six key activities: · Undefined message detection· Undefined signal detection· Abnormal DLC message detection· Abnormal cycle message detection· Bus load detection· Signal rate of change detection​In the development of a gateway, CAN messages or signals are typically routed and processed according to a CAN DBC. The CAN-IDS function comes into play when a message is received that is not defined in the CAN DBC or when the signals fall outside the specified range. It is also utilized when the length of the actual message received differs from the DLC defined in the DBC or exceeds the defined cycle. Expanding on this functionality, the CAN-IDS can detect as abnormal conditions if it exceeds the defined range which the bus load of the CAN network defined and gets overloaded or if signals that should change gradually, such as RPM or vehicle speed, exhibit rapid and irregular changes. However, it's important to clarify that the gateway primarily detects and reports abnormal behavior rather than immediately implementing defense mechanisms. This is because vehicles operate on a broadcast CAN network, making it exceedingly challenging to identify the specific controller responsible for an abnormal operation. Attempting to immediately control the problematic controller can be hazardous during driving. Therefore, the current approach involves detecting abnormal behavior, reporting it to the server, and subsequently addressing the issue through software modifications and updates to ensure safety. Last is the 'detection of unauthorized software.' As previously discussed UN Regulation 155, we will now introduce UN Regulation 156, known as the Software Update Management System (SUMS). The gateway plays a vital role in maintaining vehicle security by guaranteeing that only safe and authorized software updates are applied and operated. This is achieved through a database that manages software and hardware versions, compatibility information, and other relevant data, which is linked to vehicle type certification and referred to as RxSWIN for all controllers within the vehicle.UN R156 requirements:  · 7.1 : Identify hardware and software versions and component information and check software integrity· 7.2 : Identify software (RxSWIN) related to Vehicle Type Approval (VTA) and check update compatibility;· 7.2.1.1 : Protect and prevent damage of the authenticity and integrity of software updates, and prevent invalid updates· 7.2.2 : Ensure safe execution of updates and demonstrate that vehicle users are aware of updates. The gateway plays a crucial role in ensuring that only software specified in the RxSWIN DB can be updated. It also verifies the integrity of the software to guarantee secure execution during the updating process, utilizing methods such as Secure Flash.​  FESCARO has proven outstanding capabilities in key management systems (KMS), security control systems, and security gateway controllers. For key management systems, we have provided security asset injection solutions to OEMs and Tiers. Additionally, we have developed and maintained security control systems for leading global automakers and commercial vehicle manufacturers. FESCARO's security gateway controller, encompassing development on both software and hardware, is employed in approximately seven vehicle models, including both passenger cars and commercial vehicles, recognizing for its reliability. ​  If you encounter challenges in meeting OEM cybersecurity requirements or face cybersecurity difficulties on production and post-production phase of controllers, please contact the FESCARO’s ‘Security Counseling Center'. Together, we can collaborate to identify and implement solutions to address your specific cybersecurity needs.■ Webinar Reviews* Cheol Lee "I hope that more specific and honest webinars focusing on cases like this continues. I was impressed by the difference from other webinars."* Hoon Noh “I think FESCARO's guidelines are a good strategy to respond to OEMs. It was beneficial as I had no experience communicating with OEMs.”* Ki Song “The issues our company was concerned about were covered well, and it was especially helpful to my business as it was a Q&A related to practical work.”* Kyo Jeong "I was curious about the security control system for monitoring and incident response after mass production, and it was easy to understand with actual application examples."* Seok Go "I liked that it went beyond controller security, such as production lines and security control. There was a lot of new content that couldn't be found anywhere else."* Mi Seung "It was good that production and post-production responses were also covered, and that the issues tiers were concerned about were explained from the OEM's perspective."* Cheol Kang "The talk format was refreshing. It was interesting to hear things I was curious about before but found it difficult to ask questions about openly."* Jun Lee "The TALK with the host and panelists was outstanding. I would like to hear about the cybersecurity system and preparations for SDV in future webinars."

FESCARO and NXP's Partner Program Logo Image (Source = FESCARO)FESCARO has now become the official partner of NXP, a world-leading automotive semiconductor company!We plan to cooperate more closely with the next-generation controller business required for automotive cybersecurity solutions and SDV (Software Defined Vehicle) through the partnership.FESCARO strengthened market competitiveness by installing NXP's latest high-performance semiconductors in self-developed security gateway controller. In just two years since the product was launched, FESCARO has achieved the success of winning a series of projects worth a cumulative 1 million units from passenger and commercial automakers.The security gateway controller is equipped with the latest security solution utilizing NXP Semiconductor's advanced security technology. This allows to detect security events that occur in vehicles in real time and quickly respond to security incidents. In addition, it is highly preferred by automakers as it responds to regulations related to cybersecurity and software updates (UN R155, R156) by managing the software and hardware configuration of all controllers deployed inside the vehicle.“By combining NXP’s latest semiconductor technology with FESCARO’s electronic system development know-how, we will contribute to helping our customers secure a competitive edge in the SDV market,” said Ku Seong-seo, CSO of FESCARO. He added, “FESCARO is also actively expanding the electronic controller solution business, which develops software, hardware, and controller platforms targeting the needs of controller developers.”FESCARO is a company specializing in future mobility software solutions. Automotive electronic system experts gathered up to develop automotive cybersecurity and next-generation controller businesses. Along with the software of electronic controllers, FESCARO designs and develops the hardware also, accelerating the development of next-generation controllers that create high added value in the SDV era.

[Series] FESCARO's Automotive Cybersecurity FAQs​FESCARO has been operating the ‘FAQs Series’ to address cybersecurity issues for stakeholders in the automotive industry. We have conducted live webinars on four key topics, and the expert panel from FESCARO provided answers to the most commonly asked questions from industry professionals. If you missed a webinar on a topic that interests you, you can access both the recorded video and a text summary (FAQs) at the following link. # FAQs Series1. Cybersecurity Strategies for Tiers (Emerging-OEMs oriented)2. Comprehensive Guide on Cybersecurity Solutions & Engineering3. Cybersecurity Testing method based on VTA Success Stories4. ECU Cybersecurity guidance : From production to post-mass productionThe webinar, <Cybersecurity Testing method based on VTA Success Stories>, hosted by FESCARO in September, ended successfully. We welcomed over 100 pre-registered attendees from about 60 companies to our webinar, which we prepared in response to consistent requests for security testing methods.Automakers request cybersecurity tests on ECUs and vehicles as part of the Vehicle Type Approval (VTA) process. They also expect controller developer companies to ensure a reliable level of cybersecurity. Have you wondered about the ins and outs of VTA cybersecurity testing Know-how? FESCARO's Red Team, with its proven success record, is here to provide clear insights. Let's dive in together.■ FESCARO's Red Team has,  • Achieved VTA in collaboration with global automakers  • Conducted security tests on 150 controllers and actual vehicles, both in stationary and driving environments  • Designed and implemented over 100 test items and 200 test cases, and are in continuous development■ QUESTION LIST■ TEXT Ver.   1. Various types of automotive security tests                  Before diving into the diverse types of automotive security tests, let's first look at the necessity of security testing. As mandated by UN R155, an international automotive cybersecurity regulation, automakers are required to secure certifications for both the Cyber Security Management System (CSMS) and Vehicle Type Approval (VTA). Section 5 of UN R155 delineates the cybersecurity requirements vehicles should adhere to and outlines the evaluation criteria.Specifically, Section 5.1.2 mandates that any approval authority (AA) that performs approval or technical service provider (TS) that performs approval on its behalf shall verify by testing of a vehicle of the vehicle type that the vehicle manufacturer has implemented the cybersecurity measures they have documented.' While security testing can be directly conducted by the AA or TS, or in collaboration with automakers, it's more typical for AA or TS to review and assess the testing performed by the automakers.In the end, the AA, TS, and automakers are required to conduct security testing. The specific tests that need to be performed are outlined in ISO/SAE 21434, a standard for automotive cybersecurity engineering. The tests are generally categorized into functional testing, vulnerability scanning, fuzzing testing, and penetration testing. Let's begin with functional testing. Functional testing might already be familiar to many Tier companies. Tiers typically receive and analyze security requirements from OEMs, subsequently integrate it into the design, and then embody it in the software or hardware of controllers. The essence of functional testing is to validate that these requirements have been properly implemented. Some automakers offer both design and evaluation specifications, and testing is performed according to the evaluation specifications.Moving on to vulnerability scanning. This test aims to detect any remaining known vulnerabilities in the controller's software or hardware. Given the prevalent use of open-source in controller SW development nowadays, this test becomes pivotal to ascertain that open-source vulnerabilities have been adequately addressed.The fuzzing test involves introducing random, undefined data, primarily targeting the vehicle's controller or its external interfaces. The purpose of this process is to discover potential flaws or vulnerabilities in either the software or hardware. Lastly, penetration testing is a type of mock hacking. It seeks to evaluate the robustness of existing security measures by mimicking real-world hacking attempts against vehicles or controllers. To secure a VTA in line with UN R155, one must demonstrate that vehicle cybersecurity has undergone rigorous validation via such tests. Now, you might wonder if all controllers need to undergo all four tests. Fortunately, the answer is no. ISO/SAE 21434 Annex E delineates specific testing approaches corresponding to each cybersecurity assurance level (CAL).Controllers classified under CAL 1 are required to undergo both functional testing and vulnerability scanning. For those under CAL 2, fuzzing testing is added to the mix. Meanwhile, controllers classified under CAL 3 and 4 must additionally undergo mock hacking. For reference, T2 refers to a more advanced testing technique. The specific CAL assigned is determined through a process called TARA (Threat Analysis and Risk Assessment), conducted at the controller level.2. Are there any security tests that examiners check for VTA?During the VTA process, what do examiners prioritize? They focus on determining if the actual vehicles have undergone testing according to the cybersecurity validation process established by the automaker and whether every activity within this validation process is traceable. They also scrutinize the validity of the previously submitted documentary evidence. Moreover, when conducting on-site inspections, they ensure that the previously submitted test results align with the actual test outcomes.Let's take a closer look at the VTA requirements as stipulated by UN R155 and what examiners focus on. UN R155 states that automakers should perform appropriate and sufficient testing to verify the effectiveness of their cybersecurity measures. Throughout the VTA process, examiners check whether automakers have performed the tests properly by posing seven questions below.The regulation doesn't offer explicit guidelines. The above questions serve as a reference, created by FESCARO based on our firsthand experiences during the VTA certification process. For those pursuing VTA, it's advisable to be well-prepared for these questions. 3. Are there any dependencies between TARA and security tests?TARA (Threat Analysis and Risk Assessment) and security testing are closely related to each other. The TARA procedure in ISO/SAE 21434 is depicted in the above illustration. Notably, the processes in the blue box evaluate asset attack scenarios, attack path, and attack feasibility. Through these processes, the CAL (Cybersecurity Assurance Level) is decided by determining risk value with the target's threat.The expertise and experience in cybersecurity testing play pivotal roles in these processes. The steps of identifying threats, formulating scenarios, charting attack paths, and assessing feasibilities are grounded in hands-on experience rather than abstract concepts. In other words, only when various experiences are integrated into TARA, the comprehensive evaluation of potential cybersecurity threats to controllers and vehicles can be conducted.Furthermore, TARA is a significant benchmark in cybersecurity testing. TARA defines various assets within the controller and identifies potential security threats. Once threats are identified from TARA, security goals are derived, followed by attempts at implementing mitigation measures. The subsequent security tests ensure the system is safeguarded from these cybersecurity threats. By leveraging various test cases crafted based on the Red Team's experience, a variety of attacks are simulated to identify any other potential threats or vulnerabilities, ensuring comprehensive protection against cybersecurity threats.Essentially, since security testing benchmarks originate from TARA, performing both TARA and security tests within the same company results in enhanced synergy. FESCARO maintains distinct teams for TARA and security testing to ensure an objective approach.4. Trends on Attack surfaceModern vehicles are equipped with diverse communication capabilities, which means they present multiple potential attack surfaces. Let me explain this with some examples.Take, for instance, the RF/LF communication employed by a vehicle's smart key. It utilizes a rolling code as a protective measure against replay attacks. Through the vulnerability of a weakly designed/developed rolling code, attackers can sniff and replicate the victim's normal door lock/unlock signals and unlock the vehicle by bypassing the rolling code security features.If this rolling code is poorly designed or implemented, it can become a vulnerability. An attacker might be able to sniff and replicate the regular signals used to lock or unlock the vehicle, effectively sidestepping the rolling code's security protocols.Furthermore, if an attacker manages to enter the vehicle, it's possible to target the navigation system via the USB port. In such a scenario, malware could be introduced to extract sensitive personal data, such as contacts, call logs, and recent destinations, from the system.These attacks are entered through external access points. Yet, our studies have highlighted instances where intrusions were orchestrated from within the vehicle itself. In a particular case, an attacker accessed the vehicle's internal network by removing its bumper and connecting to the headlamp controller. By introducing a malicious message into this controller, the body control module was deceived into thinking the smart key was inside the vehicle. Consequently, the attacker was able to unlock the vehicle, start it, and drive, all without the actual smart key. This breach was feasible because both the headlamp and body control controllers operated on the same CAN bus.Lastly, Advanced Driver Assistance Systems (ADAS), which can be viewed as the early stage of autonomous driving, have controllers such as LIDAR/RADAR/CAMERA that also represent significant attack surfaces. If compromised, these can cause abnormal behavior during driving, endangering passengers. This aspect is of particular research interest to FESCARO.5. Automotive password-hacking scenarios/techniquesThe following is an explanation based on what the FESCARO's Red Team actually has done. Initially, the team accessed the CAN network within an actual vehicle and sent random messages to the remote key controller using our own CAN tool. Their actions led to a Crash out in the airbag controller, triggered by a particular message. This resulted in an issue where the cockpit indicated it as an accident and caused the emergency lights to blink without stopping.Subsequently, the team successfully infiltrated the vehicle's system via WiFi. They managed to restart the navigation system and tampered with both the video and audio through a backdoor in the navigation system. This attack revealed a vulnerability that could allow an attacker to alter every navigation function, including the Drive mode and air conditioning settings.Regarding a standard controller that lacks security at the debug port, there's a possibility of extracting its internal firmware through this port. Should someone dissect this firmware and pinpoint, modify, and then update its operational logic, it could lead to the controller malfunctioning or becoming inoperable.Furthermore, the GPS data of a vehicle in motion can be manipulated to falsely show it's in a different location. This is a grave concern; for instance, if the GPS data of an autonomously driving vehicle is changed to suggest it's in a child safety zone, the vehicle might suddenly slow down to the set limit, risking an accident.By examining all attack surfaces on the vehicle, the team designs attack scenarios. Based on these scenarios, we then develop test items and formulate test cases. 6. How is the security test carried out?The security testing process encompasses five primary stages. The first stage involves gathering relevant data, which consists of details related to MCU and AP chipsets, pinout information, functionalities tied to controller input/output, and specifics of CAN messages. These details can be sourced from functional manuals, design specifications, chipset data sheets, and discussions with staffs in charge.The subsequent stage involves identifying both attack surfaces and vectors. Attack surfaces refer to the attack points of the target controller, while attack vectors describe the techniques or methods employed for the attack. For controllers that use MCUs, attack surfaces encompass debug interfaces like JTAG, UART, and USB. Communication channels such as CAN, Ethernet, Wi-Fi, NFC, Bluetooth, and RF also serve as attack surfaces. Additionally, data storage units, including flash memory or storages can also be attack surfaces. Attack vectors include sniffing to analyze communication data, MITM to intercept messages or signals after sniffing, spoofing to falsify intercepted information, and desoldering to extract firmware. Once the firmware is accessed, a common attack vector is the reverse engineering of the binary code to uncover vulnerabilities.The third stage involves crafting a test case. This primarily encompasses details about the controller, the objective of the test, the strategies and procedures for the attack, and information about potential vulnerabilities. Furthermore, we evaluate the attainment of the cybersecurity objectives by referencing the criteria set out in TARA (Threat Analysis and Risk Assessment) and mapping them to the test case.The fourth and fifth stages are where the actual attack is performed. The objective is to gain control over the controller. After gaining this control, the aim is to breach the vehicle's internal network by altering its firmware, embedding malicious scripts and backdoors, and initiating denial-of-service attacks to broaden the scope of the attack.7. What should be conducted during security testing?Two primary tasks are essential. Firstly, we need to ensure a conducive environment for seamless testing. Two to three controllers to be tested, including spares, are required, and in this case, controllers with cybersecurity solutions applied are helpful for verification. Furthermore, providing specifications and manuals for the controller that can aid in discerning the harness connector information and controller relevant hardware information. Additionally, sharing the controller firmware binary and CAN DB information will help with quick and smooth testing.The following is a section on event response and recording of vulnerabilities discovered as a result of testing. This approach aligns with Section 8 (Continual cybersecurity activities) of ISO/SAE 21434. It's advisable to keep track of the details and history of identified vulnerabilities, conduct vulnerability analyses, create and disseminate response strategies, and oversee version management. 8. Difference between controller-based testing and actual vehicle testingEven if the same test case is used, testing individual controllers alone and testing them in an actual vehicle may produce different results. Often, a controller is designed to activate its features or function properly only when connected to a CAN network, receiving profile signals from other related controllers. In this case, when testing individual controllers alone, the proper checking of input/output signals and messages is unattainable, making testing within a real vehicle environment more effective.I'd like to particularly highlight the importance of testing based on actual vehicle driving. In the provided graph, the green solid line represents the engine speed (RPM) measured without any attack, while the orange dotted line represents the speed measured during an attack. Testing in a driving environment by injecting abnormal messages into PCAN might cause irregular shift timings, deviating from the reference engine speed and potentially compromising user safety. However, merely injecting an abnormal message in the IGN ‘ON’ state might only confirm a delay in CAN communication, without demonstrating the tangible effects seen in a driving test.Recently, FESCARO undertook a mock evaluation under diverse conditions in anticipation of a VTA evaluation demo for electric vehicles slated for mass production by an international automaker. During a driving test, injecting an abnormal message into the E-PT (electric powertrain) resulted in the vehicle halting and the accelerator pedal becoming unresponsive. This stark contrasted with a stationary test of the same attack, which only showed minor communication delays. After promptly sharing these findings with the OEM and the controller developer, followed by technical discussions and a software patch application, we verified that the issue had been addressed. This collaboration enabled us to successfully wrap up the VTA certification demonstration.The individual testing of a controller or an actual vehicle is valuable, but the greatest synergy is achieved when testing is conducted in a combined setting. Since outcomes might vary based on the test environment, it's beneficial to approach from a variety of perspectives.At FESCARO, our Red Team, comprised of white hat hackers, conducts cybersecurity testing that adheres to international standards and regulations for cybersecurity. Recently, in collaboration with a global automaker, we successfully consulted for achieving VTA certification. We have conducted security tests on 150 controllers and vehicles in both stationary and active driving conditions. With over 100 test items and 200 test cases, we are broadening our security testing horizons to encompass vehicle controllers and EV chargers.If you find it challenging to respond to the OEM's cybersecurity requirements, or if you have difficulty managing automotive cybersecurity testing experts or organizations, then a collaboration with FESCARO could be a good solution.■ Webinar Reviews* Hoon Noh "It was a valuable time as there had been no webinars on VTA cases before. It was interesting since the details were difficult to experience unless OEM."* Taek Jeon "The practitioners, especially the mock hacker, explained the cases in detail and were very helpful, and it was beneficial to learn how TARA and mock hacking are combined."* Gyu Kim “Through this webinar, I became motivated to understand and learn about cybersecurity in depth.”* Ki Song “It was great because it was an opportunity to ask practical questions that were not easily asked anywhere else in various industries and receive answers from experts.”* Gook Jeong "I think it would be better if the questions in advance were covered in more detail, and if the explanation of the technical aspects and the mock hacking process were also more detailed."* Gyo Jeong "I was very interested in the topic because it was highly related to the work I was doing (CSMS), and it was a helpful webinar. I would like to participate in following webinars as well."* Jun Lee "The format of the experts' answers to the preliminary questions was efficient, and I think this type of format can become a culture unique to FESCARO."* Soo Lee “In the future, I think it would be a good idea to hold paid seminars or training on more in-depth topics that are difficult to cover through webinars.”

Hyung-jin Kang, Vice President of HL Klemove (L), Seok-min Hong, CEO of FESCARO (R) (Source=FESCARO)On February 15, FESCARO and HL Klemove teamed up with a memorandum of understanding (MOU) on 'Automotive Cybersecurity Technology Collaboration.'This strategic partnership aims to cooperate in cybersecurity response for implementing SDVs (Software Defined Vehicles). The alliance will see FESCARO's cybersecurity solutions safeguard HL Klemove's autonomous driving products, paving the way for the global market.FESCARO, a future mobility software solution partner, develops automotive cybersecurity to next-generation controller business that creates high added value in the SDV era. FESCARO provides TARA (Threat Analysis and Risk Assessment), security solutions, custom engineering, and security testing to automakers and controller developers in response to cybersecurity regulations due to automotive electrification. In addition, by successfully consulting for the four certifications (CSMS, ISO/SAE 21434, SUMS, VTA) related to the United Nations (UN) automotive cybersecurity regulations (No. 155 and 156), we have secured various related success stories.HL Klemove, HL Group’s autonomous driving solution specialist, has secured over 2,200 patents and provides autonomous driving solutions to leading global automakers and electric vehicle startups. In addition, the company plans to complete the development of next-generation autonomous driving core products such as high-resolution cameras and high-performance autonomous driving integrated controllers by 2025.Seok-min Hong, CEO of FESCARO, said, “We expect that this collaboration, based on the autonomous driving and automotive cybersecurity expertise, will serve as an opportunity to lead innovation in future mobility.” Hyung-jin Kang, Vice President (CTO) of HL Klemove, said, “We will meet the needs of our customers and strengthen our global competitiveness through technological cooperation with FESCARO, a leader in automotive cybersecurity.”

Charlie Miller, the legendary hacker famous for hacking into a Jeep Cherokee, said eight years ago that computer hacking became boring and that hackers would turn their focus to devices such as cars, trains, power plants, and traffic signals. We are in the age of IoT (Internet of Things), a market of interconnected devices through the Internet. The V2X (vehicle-to-everything) era is just around the corner. The significance of cybersecurity testing cannot be overstated, as it serves as a foundational safeguard against scenarios like the "zombie car action sequence."Author | Kwon Dong-hoon, Security Vulnerability Analysis Team leader, FESCARO​Kwon Dong-hoon, Security Vulnerability Analysis Team Leader Began professional journey in security information sector back in 2001. Over the years, he dedicated countless nights as a security threat analysis/response specialist at AhnLab. Throughout various cybersecurity incidents, he's been actively involved in analyzing and addressing security breaches and malware (V3). This was part of his activities in the Threat Response Public-Private Council, collaborating closely with entities such as KISA, the police, and the prosecution. During the IT paradigm shift, he engaging in strategic planning at SK Shielders to improve understanding on cloud security. One day, he chanced upon the powertrain ECU of a Nordic car brand that no longer exists, and the car engine control mechanism captivated him. This interest persisted discreetly, leading him to join FESCARO as the leader of the red team. ​Figure 1. Still Image from ‘Fast and Furious: The Extreme’ (Source=Naver Movie)​Downtown New York, overrun By ‘Zombie Cars’Hundreds of cars equipped with self-driving software were hacked, paralyzing traffic in downtown New York. Fortunately, this is just a famous scene from the 2017 movie 'Fast and Furious: The Extreme'. A movie reviewer, identifying himself as a 'security enthusiast,', likened it to "a zombie car action sequence that visualizes a DDoS (Distributed Denial of Service) attack." As a 'security enthusiast' also, I wholeheartedly concurred with this depiction.1) ‘Upgrade (2018)’, an Australian film I recently enjoyed on Netflix, is also set in a near future where AI-based fully autonomous driving is the norm. The film showcases the use of autonomous driving technology to move a car to a crime scene, and hacking another to avoid being chased by the police. Some scenarios from these movies have already become a reality. A famous example is when Charlie Miller and Chris Valasek, well-known pioneers in automotive security research, succeeded in remotely hacking a Jeep Cherokee driving on the highway in 2015. Their successful demonstration highlighted the potential to control various vehicle functions, from steering and braking to temperature and lock regulation. As a consequence, Fiat Chrysler had to recall 1.4 million vehicles impacted by this vulnerability.2)​ Just over a year ago, David Colombo, a 19-year-old cybersecurity expert from Germany, revealed that he could remotely compromise 25 Tesla vehicles across 13 countries by using automotive software system vulnerabilities. This quickly gained traction on Twitter and became a hot topic in major news globally, underscoring the heightened cyber risks associated with technological advancements.3)​ The automotive industry is experiencing a transformative shift as traditional hardware-focused technologies merge with software-centric ICT technologies. Spearheaded by Tesla, global automakers are vying to showcase their visions for autonomous and connected vehicles, with electric vehicles (EV) at the forefront. Moreover, major tech giants, both domestic and international, such as Google, Microsoft, and Kakao, are actively participating in this evolution.​ Governments around the world are not standing idle. As the mobility industry becomes a key determinant of future competitiveness, countries are competing for leadership. They're implementing policies that align with their own interests and goals.4)  For instance, in 2018, the Korean government established 'K-City' (Figure 2) in Hwaseong, Gyeonggi-do. This 5G communication network-based city for autonomous vehicle testing replicates real-world environments. It aims to spearhead and commercialize global autonomous driving technologies. Proactively, K-City has embraced digital twin technology5) and entered into a partnership agreement with 'M-City' at the University of Michigan, USA, which is the world's inaugural experimental city devoted to autonomous driving.6)   Figure 2. Bird's Eye View of K-City (Autonomous Driving Experimental City), (Source=KATRI)As a security enthusiast, I hope that K-City will also feature a ‘cybersecurity demonstration center.’ ​ Technological progress is a double-edged sword. As autonomous driving technologies evolve, so will hacking techniques. Consider the future commercialization of V2X (vehicle-to-everything) technology7). Vehicles will engage in high-density communication with a variety of things, including other vehicles, pedestrians' mobile devices, and transportation infrastructures like roads and traffic lights. Beyond just the potential for vehicular hacking, this opens the door to the possibility of large-scale cyber-terrorism targeting networks and infrastructures. Such attacks could result in societal disruption far exceeding any prior incidents. ​  By proactively implementing technological solutions to address and preempt vehicle-related hacking, which poses significant risks to numerous lives, we can move closer to presenting a more well-rounded autonomous driving technology to the world. ​R155: The first international automotive cybersecurity regulation As autonomous driving and connectivity technologies progress, vehicles see a rise in electronic control units (ECUs) and heightened communication intricacies. This inevitably amplifies the potential for cybersecurity vulnerabilities and the risk of hacking. Recognizing this, an international consensus emerged on the importance of automotive cybersecurity, culminating in the establishment of the inaugural global regulations. In June 2020, UNECE WP.29 (World Forum for Harmonization of Vehicle Regulations under the United Nations Economic Commission for Europe) introduced UN Regulation No. 155 ("UN R155") addressing Cybersecurity and Cybersecurity Management System. This regulation officially took effect in January 2021.8)Figure 3. UN R155 (Source=UNECE) Per this regulation, automakers are mandated to implement a Cybersecurity Management System (CSMS) across the development, production, and post-production phases, and secure the necessary certification. Furthermore, as illustrated in Figure 4, they must achieve Vehicle Type Approval (VTA) by conducting cybersecurity assessments and validations, both at the individual controller and overall vehicle levels. This ensures that the vehicle models they intend to market adhere to CSMS standards.9)  Figure 4. VTA(Vehicle Type Approval) Process in UN R155 (Source=FESCARO​) All 27 EU member nations have either adopted this automotive cybersecurity regulation or integrated it into their domestic laws.10) As a result, starting from July 2022, every new vehicle model sold in these countries must conform to these stipulations. From July 2024, every new vehicle manufactured and sold will fall under this regulatory umbrella. Consequently, automakers will need to successfully undergo cybersecurity evaluations and validations for any new vehicle models they intend to market in Europe.​ The provisions concerning cybersecurity testing and validation can be found in Section 5 and 7 of UN R155. The key aspects of these articles are outlined below.11)​ Section 5 Approval1.2 The Approval Authority or the Technical Service shall verify by testing of a vehicle of the vehicle type that the vehicle manufacturer has implemented the cybersecurity measures they have documented.1.3 The Approval Authority or Technical Service shall refuse to grant the type approval with regard to cyber security where the vehicle manufacturer has not fulfilled one or more of the requirements referred to in paragraph 7.3., notably.​ Section 7 Specifications3 Requirements for vehicle types3.1 The manufacturer shall have a valid Certificate of Compliance for the Cyber Security Management System relevant to the vehicle type being approved.3.2 The vehicle manufacturer shall identify and manage, for the vehicle type being approved, supplier-related risks.3.3 The vehicle manufacturer shall identify the critical elements of the vehicle type and perform an exhaustive risk assessment for the vehicle type and shall treat/manage the identified risks appropriately. While assessing the risks, the vehicle manufacturer shall consider the risks related to all the threats referred to in Annex 5, Part A, as well as any other relevant risk.3.4  The mitigations implemented shall include all mitigations referred to in Annex 5, Part B and C which are relevant for the risks identified. (A related example is depicted in Figure 5 below.)3.6 The vehicle manufacturer shall perform, prior to type approval, appropriate and sufficient testing to verify the effectiveness of the security measures implemented. 3.7 The vehicle manufacturer shall implement measures for the vehicle type to a) Detect and prevent cyber-attacks against vehicles of the vehicle type b) Support the monitoring capability of the vehicle manufacturer with regards to detecting threats, vulnerabilities and cyber-attacks relevant to the vehicle type c) Provide data forensic capability to enable analysis of attempted or successful cyber-attacks.  Figure 5. Schematic Diagram of Automotive Cybersecurity Threats (Source=KATRI)​Response to Automotive Cybersecurity Regulations​As per KATRI, Korea actively engaged in the development discussions and validation tests for cybersecurity standards within the UNECE WP.29 Cybersecurity Expert Technical Group (CS/OTA IWG, Informal Working Group on Cyber Security & OTA). Moreover, through a series of meetings and feedback sessions involving various stakeholders and experts, including prominent domestic and international automakers, it formulated the 2020 Automotive Cybersecurity Guidelines. ​Korea is currently updating its domestic regulations in alignment with international standards like UN R155. These changes are anticipated to take effect by the end of July 2023 and be enforced from the end of July 2024. Nonetheless, based on the fit with existing structures, it is expected that the current self-certification approach will continue, rather than adopting the type approval (VTA) method as seen in UN R155.​ Looking at the stances of major countries, the United States is contemplating a self-certification system12)while Japan has adopted UN R155 like the EU13)​​ ISO/SAE 21434: International Standard for Automotive Cybersecurity EngineeringISO/SAE 21434 serves as the international benchmark for automotive cybersecurity engineering. This standard outlines cybersecurity processes spanning the full product lifecycle of a vehicle—from planning and development to production, maintenance, and eventual disposal. It can be used by a diverse group of stakeholders, including automakers, component suppliers, and software companies.14)​ The UNECE recommends referring to ISO/SAE 21434 when setting up and managing the cybersecurity management system (CSMS) as stipulated by UN R155. Essentially, ISO/SAE 21434 can be employed to implement a CSMS encompassing cybersecurity risk management and governance for automotive electrical/electronic controllers and their associated interfaces. Figure 6 depicts the comprehensive structure of ISO/SAE 21434.15)  ​  ​Figure 6. Comprehensive Structure of ‘ISO/SAE 21434 Cybersecurity Engineering' (Source=ISO)​  The ‘cybersecurity testing’ process based on ISO/SAE 21434 is shown in Figure 7. It is similar to the typical regulations/standards response processes of automotive cybersecurity companies. Once a professional consulting team finishes consulting for CSMS certification, white hat hackers from the red team carry out TARA, security tests on ECUs and vehicles(penetration testing, fuzzing testing, and vulnerability scanning), and security function test. This rigorous testing ensures compliance with security standards, leading to the creation of a final validation report.Figure 7. ISO/SAE 21434 Based ‘Cybersecurity Testing’ Process (Source=FESCARO)Section 15 TARA(Threat Analysis, Risk Assessment)To begin with, a range of modeling techniques are utilized to analyze threats and evaluate risks associated with the vehicle's ECU. While the ISO/SAE 21434 standard suggests modeling approaches such as EVITA, TVRA, and STRIDE, STRIDE modeling tends to be the preferred approach.​ Section 9 Concept After completing TARA, the next step is to identify the cybersecurity requirements of the designated ECU, referencing Section 9. Subsequently, a security control concept should be devised to fulfill those requirements. Common cybersecurity control measures implemented for automotive ECUs include:​1) Access Control: Secure boot, Secure access, Secure flash, Secure debug, Memory protection, etc. 2) Hardware Security: Implementing HSM, eliminating JTAG/UART debug ports, utilizing BGA type chips, bonding, etc.3) Software Security: Secure coding, encryption, OS security, etc.* Here I’ll focus on cybersecurity testing and will not delve into detailed descriptions of each individual cybersecurity control.​ Section 10 Product Development Section 10 outlines the product development phase, which implements the cybersecurity requirements specified in Section 9. This section encompasses activities to verify whether the requirements have been properly implemented, and also highlights four verification test methods, as detailed below:​1) Security function test to ensure the implemented security features function correctly2) Penetration test from a hacker’s perspective3) Vulnerability Scanning to determine if potential vulnerabilities have been adequately reduced4) Fuzzing Test, which assesses for irregularities by inputting random values​ Section 11 Cybersecurity Validation Section 10 details verification activities performed on individual ECUs, while Section 11 is about the cybersecurity validation process applied to actual vehicles. Assessing cybersecurity within the vehicle's operational environment, combined with its mass production setup, is vital. This ensures that the primary cybersecurity objectives are met and that no outstanding undue risks remain.  ​‘Non-functional testing’ for proactive security Automotive cybersecurity validation testing primarily encompasses both functional and non-functional testing. 'Security function testing' involves confirming that the functions for automotive cybersecurity control measures (or security solutions) are correctly implemented. 'Non-functional testing' consists of the three methods outlined in the ISO/SAE 21434 standard. ​   1) Penetration Test The test aims to assess the implemented cybersecurity measures, identify gaps, and take complementary measures by attacking target vehicle systems from a hacker's perspective (ethical hacking). The primary focus is on uncovering unnoticed vulnerabilities using a range of hacking methods.   2) Fuzzing Test The test evaluates the software's robustness by repeatedly sending random or adaptive inputs, often at escalating frequencies.   3) Vulnerability Scanning The test aims to identify recognized security vulnerabilities in embedded operating systems like Android/Linux and open sources utilized in application development, subsequently implementing supplementary actions such as patches or hardening.​​Cybersecurity testing methodology to increase reliability (feat. five know-hows)  It has now been a year since the first international cybersecurity regulations came into force. Global governments are advancing legislative efforts, including enacting and amending laws, while affiliated organizations strive to define more explicit institutional benchmarks for specific regulatory prerequisites. The materials presently available offer a general roadmap, but specifics concerning security test design and execution often hinge on the discretionary interpretation and strategy of cybersecurity-specialized companies.​I am leading the Red Team at FESCARO, a company dedicated to automotive cybersecurity, and have a track record of successfully navigating security tests to secure CSMS and VTA certification for global automakers. FESCARO stands out as the sole automotive cybersecurity company in Korea that has achieved a grand slam16) in cybersecurity-related certification consulting, including CSMS, ISO/SAE 21434, SUMS, and VTA. Moreover, we've garnered commendable reviews from global technical service assessors who handle hundreds of cases. Now, let’s delve into the strategies to enhance cybersecurity test reliability, spotlighting the “Five Know-Hows Learned by the FESCARO Red Team” that facilitated this success.​ 1) Exploration in preparation for attack Security testing commences by pinpointing attack surfaces visible from the car's exterior and discerning attack vectors. Typically, attack classification frameworks encompass the Cyber Kill-Chain and the MITER ATT&CK Matrix, emphasizing the attacker's actions, as well as Threat Hunting, which categorizes attacks from the defender's perspective. The initial phases of security testing correspond to Reconnaissance and Initial Access methods in the COMPROMISE category in the MITER ATT&CK Matrix (Figure 8).Figure 8. MITRE ATT&CK Matrix (Source=MITRE ATT&CK)​  Figure 9 shows an example of attack surfaces accessible from outside the car. “Attack surfaces” refer to various contact points in a vehicle system or software where an unauthorized user or attacker can exploit potential vulnerabilities to gain unauthorized access or control of the system. These contact points are categorized into Network, Adjacent, Local, and Physical based on their points of access. For instance, cellular networks for OTA (Over The Air) updates, Wi-Fi for Car-to-Home or Home-to-Car interactions, and GPS are categorized under “Network,” LF/RF for keyless entry and Bluetooth for media connections, and NFC for payment are classified as “Adjacent.” Meanwhile, the CAN and Automotive Ethernet, which facilitate internal connections between car electronic ECUs, are placed under “Local.”  Figure 9. Example of Attack Surfaces, (Source=FESCARO)​ Once the attack surfaces are identified, the next step is to pinpoint the attack vectors. An 'attack vector' refers to the means or method by which an attacker attacks a target vehicle. Figure 10 summarizes attack vectors by attack surface.​   While attackers perceive these as their means and methods of assault, defenders view them as security threats. ISO/SAE 21434 recommends using STRIDE explained above, for threat modeling.​​ ​Figure 10. Major Attack Vectors (Source=FESCARO)Figure 11. STRIDE-Based Identification of Security Threats (Source=Institute of Energy Efficient Mobility)​ 2) ‘Continuous management,’ the valid standard of security testingBefore delving into the detailed design of test cases for launching an attack, it is necessary to derive cybersecurity test items that serve as a higher standard. Over the years, FESCARO's Red Team has set robust benchmarks for cybersecurity testing by conducting tests under a variety of conditions. By consistently crafting and executing hundreds of test cases, we've continually enhanced and fortified these benchmarks while refining our test cases. This has endowed us with a stereoscopic and dense cybersecurity testing framework. In scenarios where explicit guidelines are lacking, the effective benchmarks we've established to date offer a significant competitive edge.​ Cybersecurity is closely related with instability, making it challenging to lay down clear and specific guidelines. As a result, it's vital to maintain a continuous cycle of learning and deriving insights through research and development such as data collection, and analysis, and subsequently incorporating those insights into the workflow for enhancement. In other words, it's crucial to apply the CD (Continuous Development) cycle, often referred to as CI (Continuous Integration), CT (Continuous Testing), and CX (Continuous Exploration), to security testing.​ 3) Integrated environment testing (different results with the same test case)What we believe is most important in security testing to obtain UN R155 certification is “conducting verification within an integrated environment, including the actual vehicle-based driving environment.” I stress the importance of this, having personally witnessed its impact on outcomes. Even if the same test case is used, different results appear depending on the test environment, such as individual ECUs and actual vehicle-based stationary and driving environment. While each test environment holds its own value, a synergy emerges when testing is performed in an integrated environment, expanding the scope and depth of the verification process. Let's delve into two illustrative examples to see how cybersecurity test results affect in driving environments such as driving, steering, and braking. ​  First, Figure 12 shows the results of an actual vehicle-based driving test in a graph. The solid green line represents the engine speed (RPM) measured without any attack, while the orange dashed line indicates the engine speed recorded during an attack. For testing, fuzz data was input to Powertrain CAN while the vehicle was in motion. As a result, an abnormal shift timing led to a deviation from the standard engine speed. Yet, when the fuzz data was input in a stationary setting after the IGN was turned ‘ON’, there were no disruptions in CAN communication or any other effects. Despite all other test conditions remaining consistent, the outcomes varied with the driving environment.Figure 12. Driving Test Results (Source=FESCARO)​ Recently, in preparation for a global automaker's demonstration of VTA evaluation for electric vehicles slated for mass production, FESCARO conducted mock evaluations under various conditions to identify and address security vulnerabilities. However, during testing in a driving environment, an issue arose: when an abnormal message was input to the E-PT (electric vehicle powertrain), driving halted and the accelerator pedal became unresponsive. Under the same conditions but in a stationary environment, the only observed effect was a minor communication delay. This information was immediately relayed to the ECU developer company and after thorough technical discussions with the relevant stakeholders, it was agreed that mass production would commence after applying a software patch. By conducting a comprehensive test in an integrated environment and ensured the effectiveness of security measures before the final evaluation, we proactively identified and rectified potential vulnerabilities, and ultimately successfully completed the VTA certification demonstration.​ 4) Design and implementation of customized test cases　After establishing the criteria such as direction for security testing and cybersecurity test items, it's time to draft a test case for the attack.​ Over the past few years, FESCARO has designed and implemented more than a hundred custom test cases. The test case template example shown in Figure 13 encompasses factors commonly acknowledged in the industry, along with the "essential elements" I've identified based on our success stories. With a well-tailored test case that considers the unique features of both the automakers and vehicle models, we anticipate positive feedback when undergoing CSMS and VTA certification processes. For reference, details of the test case design may be reflected in the validation report when the test is completed.Figure 13. Example of Testcase Template (Source=FESCARO)​ 5) Internal Penetration (INFILTRSTION) and complete control By performing non-functional penetration tests based on various attack vectors targeting the attack surfaces, white hat hackers can successfully gain access and execute both local and remote code. This phase corresponds to the Execution and Persistence steps in the COMPROMISE category of the MITER ATT&CK Matrix (Figure 8).​The ultimate objective is lateral movement for infiltration and dissemination. Once internal control is secured, the desired outcome is realized through data gathering, command and control mechanisms. During this phase, techniques like Privilege Escalation, Defense Evasion, Credential Access, and Discovery from the INFILTRATION category of the MITER ATT&CK Matrix are employed. ​Outlook of virtualization technology for security testing Cybersecurity testing in a real vehicle driving environment also has drawbacks. Given considerations such as weather conditions, safety, testing duration, and costs, integrating virtualization technology into cybersecurity testing can be a viable approach. Virtual simulation systems called HIL17) and SIL18) are already being used for software development and testing of vehicle electronic ECUs. With recent advancements in digital twin and virtualization technologies, the introduction of the Vehicle-in-the-Loop (VIL) simulation concept, which allows for the virtual simulation of vehicles, is gaining traction. It is able to create an integrated vehicle simulation system by virtualizing the vehicle's sensor and actuator system, vehicle dynamics system (driving-steering-braking), and even the driving environment.19)​ To add cybersecurity testing here, it’s essential to further develop security testing tool linkage interfaces and test case integration etc. Depending on the stakeholders, consideration of cost, usability, and versatility will clearly be necessary. Nevertheless, cybersecurity testing in a VIL environment emerges as a compelling alternative that could partially supplant some aspects of vehicle testing in an actual driving environment.​Test automation to improve efficiency Test automation is also receiving as much attention as virtualization technology.​ Even if minor functions are changed in the vehicle, it is essential to re-verify the cybersecurity effectiveness through security testing to ensure there are no side effects or newly discovered vulnerabilities. Since no one knows what kind of butterfly effect it could have. Given that automated testing is more efficient than manual checks by engineers or white hat hackers for every minor alteration, this technology is undoubtedly valuable for companies aiming to optimize the use of their skilled workforce. ​Block Harbor in the United States is often referenced as a good example of cybersecurity test automation. They provide cybersecurity design and operation services such as TARA and Vehicle Security Operation Centers(VSOC), as well as the 'UNR155 Mitigation Test Suite System' tailored for UN R155-related testing of vehicles and individual ECUs.20) Additionally, they are collaborating with the American Center for Mobility (ACM) to develop cybersecurity solutions for future vehicles.21)​Block Harbor collaborates with FESCARO, the cybersecurity company I work for in Korea. Together, we are engaged in multiple national cybersecurity projects promoted by the Korea Transportation Safety Authority under the Ministry of Land, Infrastructure and Transport. As we approach the enforcement of the Automobile Management Act in July 2024, projects like 'Establishment of Cybersecurity Support and Response System' and 'Test Automation for Cybersecurity Verification and Evaluation' are underway concurrently, all intricately connected to optimize operational synergy. ​Conclusion As the shift towards Software Defined Vehicle (SDV) gains momentum, issues of recalls stemming from software defects often make the news. In San Francisco, having recently earned the title of the ‘world’s first 24-hour robotaxi city’, is witnessing various challenges.​According to automotive cybersecurity trends reported by UPSTREAM, an international security specialist, the incidence of automotive breaches has surged over the past three years. Additionally, new vulnerabilities are emerging at a rate two to three times higher annually.22)23) Cybersecurity is a vital field. To address the escalating and increasingly sophisticated hacking threats, white hat hackers persistently and, at times, sporadically evaluate the robustness of cybersecurity measures, continually refining and bolstering existing countermeasures. Charlie Miller, the legendary hacker famous for hacking into a Jeep Cherokee, said eight years ago that computer hacking became boring and that hackers would turn their focus to devices such as cars, trains, power plants, and traffic signals. 24)​We live in the Internet of Things (IoT) era where all devices are connected to the Internet, and the era of Vehicle-to-everything (V2X) communication is on the horizon. Cybersecurity testing holds immense value and impact, serving as a bare minimum to prevent the “zombie car action sequence” from becoming a reality.​Global automakers tend to internalize technologies, including cybersecurity, but continue to partner with specialized companies for cybersecurity testing. I hope that automotive technology will continue to advance within a stable environment, based on reliable cybersecurity testing.    References​1) “Cars in movies turned into 'zombies' by hacking. Is this possible?”,< OhmyNews>, 28.11.20172) ““Automotive information technology security, if breached, it’s over”... Jeep Cherokee ‘recalled’ due to hacked driving, <Sports Kyunghyang>, 26.07.20153) “19-year-old claims he hacked into over 25 Teslas in 13 countries”, 12.01.2022 4) Take the lead in the future mobility competition based on ‘electrification and autonomous driving, <New Daily Economy>, 22.06.20235) Digital Twin: A technology to create objects (twins) identical to the real things in virtual space and verify them through various simulations6) [Analysis] “Tesla had 424 self-driving accidents last year alone”...K-City drawing attention to virtual space integration’, <Daily Korea>, 12.06.20237) Vehicle-to-everything (V2X) communication : The act or technology of a vehicle exchanging information by communicating with various objects such as other vehicles, pedestrians, and infrastructure8) Automotive cybersecurity is becoming important with the increase in advanced vehicles, Press release from the National Assembly Research Service, 28.12.20229) UN Regulation No. 155 (E/ECE/TRANS/505/Rev.3/Add.154), UNECE, 04.03.202110) Automotive cybersecurity is becoming important with the increase in advanced vehicles, Press release from the National Assembly Research Service, 28.12.202211) UN Regulation No. 155 (E/ECE/TRANS/505/Rev.3/Add.154), UNECE, 04.03.202112) Automotive cybersecurity guidelines, Korea Transportation Safety Authority & KATRI, 12.202013) Automotive cybersecurity is becoming important with the increase in advanced vehicles, Press release from the National Assembly Research Service, 28.12.202214) Hankyung Economic Terms Dictionary: ISO/SAE 214347, Naver Knowledge Encyclopedia, 02.202315) ISO, 2021.08, ISO/SAE 21434:2021 Road vehicles - Cybersecurity engineering16) Grand slam in cybersecurity certification: Originally, it refers to sweeping all major competitions in sports, but here, it refers to having success stories for all four cybersecurity certifications (CSMS, ISO/SAE 21434, SUMS, VTA).17) Hardware in the Loop: Software is included in the ECU, but the environment surrounding the ECU is virtualized (in a simulation environment).18) Software in the Loop: Testing software in a simulation environment without real hardware19) Virtual verification technology for vehicle SW quality innovation [Video], Hyundai Motor Group Developer Conference, 202220) Breakwater, UNR 155 Mitigation Test Suite for Common Interfaces in Vehicle Systems, Blockharbor, 09.202221) American Center for Mobility and Block Harbor Collaborate to Develop Cybersecurity Offerings at ACM's Global Development Center, 01.08.2023 22) Upstream's 2023 Automotive Cyber Trend Report, Upstream, 202323) AutoThreat® Intelligence Cyber Incident Repository, Upstream, 08.202324) [Special interview for the inaugural special issue] Charlie Miller, a car hacker, “We must recognize the risks and deal with them”, <Electronic Newspaper>, 21.09.2015​Source: AEM (https://www.autoelectronics.co.kr)  

In January 2024, a team of hackers who successfully hacked a Tesla and took control of the car received a total reward of $450,000. What's even more surprising is that Tesla directly participated in paying the prize money. Let’s find out what happened.In 2023, a whopping 95% of software-defined vehicle (SDV) cybersecurity incidents were caused remotely, with even half of them being large-scale attacks that could affect tens of millions of vehicles. Accordingly, the role of white hat hackers is becoming more important by identifying and proactively responding to automotive software vulnerabilities and preventing the spread of subsequent damage.Pwn2Own Automotive LOGO (Source = VicOne)Against this background, the global automotive hacking competition, Pwn2Own Automotive was held. It was significant in that it was the first exclusive automotive event of ‘Pwn2Own,’ a world-renowned hackathon famous for publicly discovering and demonstrating security vulnerabilities in various fields. It was implemented in earnest to provide a venue for discovering new automotive vulnerabilities and to publicize them to respond jointly with global automotive industry officials.This event was operated as part of the Zero Day Initiative program of the global software security company Trend Micro. It is designed to discover zero-day vulnerabilities (new vulnerabilities for which no computer patches exist) and respond quickly to them. As it is a hacking competition specializing in automotive, it was co-hosted with VicOne, Trend Micro's automotive cybersecurity subsidiary. Also, TESLA, which has been willing to provide vehicles to Pwn2Own, appeared as the main sponsor and got together to provide prize money worth $450,000.At the first Pwn2Own Automotive, which attracted attention globally, 9 major countries including the United States, Germany, and France participated. In addition, as future mobility was the focus, in-vehicle infotainment (IVI), electric vehicle chargers, and operating systems (OS), including Tesla vehicles, became targets of hacking, and as many as 49 new security vulnerabilities were discovered in a total of 3 days. The winning team, Synacktiv (Source = businesswire)An information security company from France, Synacktiv won the competition by successfully hacking the Tesla modem (data signal conversion device), EV charger, and in-vehicle infotainment (IVI) sandbox system through vulnerability chain (a method of linking multiple security vulnerabilities). In particular, they successfully hijacked Tesla's entire IVI and gateway system over two days, vividly demonstrating the dangers of automotive cyberattacks.FESACRO was able to get in touch about this event through the global automotive cybersecurity association ‘Auto-ISAC.’ Auto-ISAC is a professional association where leading global companies such as Hyundai Motor Company, Kia, GM, and Mercedes-Benz share the latest information on automotive cybersecurity and cooperate to respond. Government agencies such as the FBI and CISA (Cybersecurity and Infrastructure Security Agency) in the United States are also participating as stakeholders and are actively working on future mobility security. FESCARO, which has great expertise in automotive cybersecurity, is at the forefront of the latest information as an Auto-ISAC community partner. By participating in various activities such as the association's technical seminars, monthly forums, and annual conferences, we feel the growing influence of white hat hackers.FESCARO's own red team, comprised of white hat hackers, has various success stories of effectively responding to the international automotive cybersecurity regulations (UN R155) by discovering various security vulnerabilities through professional security testing. We have secured over 100 test items and 200 test cases and are continuously developing and strengthening various simulation environments. If you're curious about the details, keep an eye out for FESCAO’s presentation at Auto-ISAC’s Annual Cybersecurity Summit this fall. In addition, FESCARO's red Team, which is being recognized widely in the automotive cybersecurity field, will also soon participate in various hackathons.

FESCARO was honored as ‘2023 Best Partner’ by the global automaker KG Mobility (KGM) at ‘KGM PARTNER’S DAY 2024’, the event to foster collaboration with its partner companies.Source = FESCAROThe event featured KGM’s key policy presentations, including development plans and 2024 purchasing strategies, with 250 partner companies on site. Among those companies, 10 Best Partners were awarded with plaques.Source = KG MobilityFESCARO, specializing in future mobility software solutions, received the award in ‘technology innovation.’ The honor recognized FESCARO's contribution to the early acquisition of automotive cybersecurity certifications (CSMS, SUMS, VTA) and technology internalization, contributing to KGM's development and product competitiveness.Seok-min Hong, CEO of FESCARO, said, “It was a great honor to be selected as the Best Partner of KG Mobility,” pledging deeper partnership to sustain a global level of quality. FESCARO, recognizing the value of deep collaboration, will continue to strive for high synergy with our partners.

    CES 2024, the tech industry's global showcase, capped its Las Vegas run with a buoyant closing after four days of innovation. CES 2024 offered a glimpse into a near future where AI (Artificial Intelligence) permeates all industries. We delved into the key takeaways from this transformative technology in the mobility field.   CES 2024 at a glance   ​ ■ CES 2024 in Numbers Marking the 100th year of CTA (Consumer Technology Association), the organizer of CES, it yielded remarkable and intriguing data reflecting a century of innovation. CES drew various leading companies globally, including the field of mobility, with Korea (850) ranking third behind the US (1,148) and China (1,104) in participation. KG Mobility, which selected FESCARO as the ‘Best Partner in technological innovation,’ also participated showing wireless charging technology.   • 2.5+ million net square feet of exhibits, 15 percent bigger than CES 2023   • 4300+ exhibitors, including 1400+ startups within Eureka Park   • 60% of Fortune 500 companies   • 135,000+ attendees, a record 40+ percent from 150 countries, regions, and territories   • CES 2024 Innovation Awards program received 3000+ submissions, a record high ​  ■ All Together, All On   The theme of CES 2024 was “All Together, All On,” which means solving problems by combining innovative technologies across all industrial fields in a turbulent era where the boundaries between industries are collapsing. The five key themes were:   • Artificial intelligence (AI)   • Mobility   • Food & Agricultural Technology   • Health & Wellness Technology   • Sustainability & Human Security   The CTA has forecasted that artificial intelligence (AI) will be the leading trend across all industries, with its related technologies expected to be showcased in nearly every booth at the exhibition. Observations from numerous esteemed academics and business leaders have echoed this sentiment, underscoring the pervasive influence of AI. Notably, SK Group's Chairman, Chey Tae-won, remarked, "Whether we welcome it or not, it appears we have entered the era of AI." Additionally, the spotlight has turned to 'on-device AI,' a technology enabling AI models to operate directly on devices such as smartphones and cars. Qualcomm's CEO, Cristiano Amon, hailed this development, stating, "PCs equipped with on-device AI represent a revolutionary step forward." ​  ■ CES 2024 Keynotes    Keynote speech by HD Hyundai Vice Chairman Jeong Ki-sun / Source: CES     The keyword 'AI' also stood out in the CES keynote, symbolizing change and innovation. It was also impressive that HD Hyundai's Vice Chairman Chung Ki-sun made a successful debut as a keynote speaker three years after the company participated in CES. You can check out the full keynote videos here to see what visions were presented in various industries.     • Qualcomm CEO | Cristiano Amon : How to interact with our devices in the age of AI   • Siemens CEO | Dr. Roland Busch : Technology that enables leading brands to improve the way we live, work, move, and make   • HD HYUNDAI CEO | Chung Ki-sun : How comprehensive innovation in building smart infrastructure will shape a more sustainable future   • Intel CEO | Pat Gelsinger : The role of silicon and software in making AI more accessible    Mobility Companies @ CES 2024​   Unlike last year, which saw many automotive companies in attendance, reminiscent of a motor show, this year witnessed a notable reduction in car manufacturers showcasing actual vehicles and concept models. The spotlight was on a few, including Mercedes-Benz, Vietnamese electric vehicle maker VinFast, and Turkish electric vehicle brand TOGG. In contrast, the integration of mobility technology with AI took center stage. The global automotive AI market is expected to grow from $2.7 billion in 2023 to $27 billion in 2025.Source: The Economist (The Business Research Company)     Let's explore the innovative technologies that leading mobility companies showcased at CES, across various fields from mobilities (including vehicles and electronics) to air mobility, construction, and agricultural machinery.​■ Automakers   1) Hyundai Motors Emphasizing software and AI, the company envisions a user-centric, AI-powered mobility ecosystem built on SDx technology, extending beyond SDV.   Source: Hyundai Motor Company     The company also unveiled the HTWO Grid solution, a strategic initiative designed to hasten the shift towards a hydrogen-based society. The 'HTWO' concept leverages the collective strengths and capabilities of the company's affiliates, offering tailored packages that are finely tuned to meet customers' diverse environmental conditions and demands throughout the entire hydrogen lifecycle—from production, storage, and transportation to utilization. ​ 2) KIA The company introduced PBV (Purpose Built Vehicle) as its upcoming core business, with a strategic vision to position itself as a frontrunner in the evolving future mobility market through distinctive PBV offerings. It also redefined the concept of PBV as a Platform Beyond Vehicle’. ​ Source: Kia     The innovation of PBV is set to reach its full potential with the ‘Easy Swap’ and ‘Dynamic Hybrid’ technology. Easy Swap is a technology that enables the seamless replacement of life modules to align with the consumers' preferences and needs, while Dynamic Hybrid is a technology that adapts to various customer requirements by adjusting size and height, and has the potential to revolutionize small-scale production of multiple varieties. KIA has partnered with Uber, a global ride-sharing service company, and agreed to cooperate to develop and supply PBVs optimized for Uber mobility. ​ 3) KG Mobility The company unveiled the Torres EVX, featuring technology for commercializing wireless charging platforms. KG Mobility revealed its collaboration with WiTricity, an American wireless charging company, and WITS, a developer of wireless power transmission and reception antenna modules, in the development of wireless charging technology. ​ 4) Mercedes-Benz Mercedes-Benz unveiled the MBUX Virtual Assistant based on generative AI and advanced software. This helps drivers communicate naturally through voice assistance services and high-resolution graphics. ​ 5) Volkswagen The company unveiled the first vehicle to integrate ChatGPT into its IDA voice assistant. It can control infotainment and navigation or answer simple questions. To ensure information security, ChatGPT does not access vehicle data, and questions and answers are deleted immediately. ​ 6) BMW The company has teamed up with tech startup XREAL to unveil its Augmented Reality (AR) glasses. The AR glasses provide drivers with a variety of information, including route guidance, hazard warnings, entertainment content, charging station information, and parking assistance visualization, all integrated into AR. ​ 7) HONDA The company introduced two concept cars, the ‘0 Series’ electric vehicles. The interior rear seat is designed with two seats facing each other, considering future autonomous driving. ​■ Electronics Companies ​ 1) Hyundai Mobis    Source: Hyundai Mobis     The company unveiled ‘MOBION’, a demonstration vehicle equipped with the ‘e-Corner System’. The e-Corner System is a technology that individually controls the four wheels to enable crab driving, diagonal driving, and turning in place. ​ 2) Samsung Electronics The company announced a collaboration with Tesla for ‘SmartThings Energy’. This initiative aims to connect Samsung’s SmartThings to Tesla's solar panels, Powerwall (home energy storage device), electric vehicles (EVs), etc. to monitor the amount of power and easily control it through the app. Additionally, Samsung Electronics has entered into a business agreement (MOU) with Hyundai Motors and KIA Motors to foster a 'Home-to-Car and Car-to-Home' service partnership. ​ 3) LG Electronics The company introduced the future mobility concept ‘LG αble’. Depending on the passenger's condition and situation, it changes into a space where you can relax like at home or work like an office, providing a unique experience.   It also collaborated with Magna, a global auto parts company, to develop and unveil a standalone platform that integrates the In-Vehicle Infotainment System (IVIS) and Advanced Driver Assistance System (ADAS). ​ 4) LG Display​   Source: LG Display     The company unveiled the 57-inch Pillar to Pillar (P2P) LCD, the world's largest automotive display, which won the ‘CES 2024 Innovation Award’, and the 32-inch slideable OLED, the largest of the existing slideable panels. The 57-inch P2P LCD extends across the dashboard from the driver's seat to the passenger's seat. ​ 5) Continental    Source: Continental     The company, together with Swarovski Mobility, presented a center display with a crystal structure. This display is made of crystal and has a frameless, translucent appearance that exudes minimalistic luxury. ​ 6) U Power The company introduced an electric car skateboard that only requires designing a body on the board without developing an electric car. Olympian Motors, an American electric vehicle startup, unveiled an electric vehicle using this U-Power's skateboard. ​■ Air Mobility, Construction & Agricultural Machinery ​ 1) Supernal    Source: Hyundai Motor Company     Supernal, an independent entity under the Hyundai Motor Group focused on Advanced Air Mobility (AAM), has revealed the physical model of their upcoming aircraft, the 'S-A2,' for the first time. Alongside this unveiling, they have announced their strategic vision for constructing the future AAM ecosystem. The S-A2 represents an eVTOL (electric vertical takeoff and landing aircraft) being developed by Hyundai Motor Group, with plans for commercialization by 2028. ​ 2) HD Hyundai Under the theme of 'Xite Transformation,' the company demonstrated its commitment to innovation to realize smart construction sites featuring unmanned and autonomous construction equipment, digital twins, eco-friendliness, and electrification. K-pop artist G-Dragon's appearance and VR experience with LG Vice President Chung Ki-sun drew significant attention. ​ 3) DOOSAN BOBCAT The company unveiled an unmanned, electric articulated tractor that will be used at future work sites. By incorporating AI, the equipment can detect pre-designated obstacles as well as obstacles without information and can stop work at its discretion if necessary. ​​ CES Innovation Awards - Mobility ​ Let's introduce the companies and products that have earned the prestigious CES Innovation Awards in the mobility sector this year! We take great pride that many of FESCARO's customers and partners have been honored with these awards. Congratulations to all! (The full list of CES Innovation Awards can be found here.)   Best of Innovation (Highest rated products in all categories) ​ • Honda | Motocompacto : Ultra-compact electric bike • AUO | Interactive Transparent Window : Transparent display integrated into side windows and controllers • HL Mando | Parkie (Parking Robot) : Autonomous robot valet parking solution   Honoree (Highest rated products in each category) ​ • VinFast | MIRRORSENSE : AI-based automatic mirror adjustment technology • HL Klemove | Tire-Sync : Smart tire sensors that provide road surface and tire condition information • HD Hyundai | XiteSolution : Active safety system that detects objects around the excavator • LG Display | 57" Oxide Pillar to Pillar LCD : The world's largest automotive LCD • Motrex | InCabin XR BOX : XR (AR/VR) platform for electric vehicles and L3/L4 autonomous vehicles • Magna | ClearView™ Vision System : Vehicle camera monitoring system • Continental | Radar Vision Parking : Innovative automated parking solution for SDVs • Ambarella | Centrally Processed 4D Imaging Radar Architecture : Centralized 4D imaging radar architecture • BANF | iSensor Real-time tire profile for fleets and Avs : Tire sensor-based real-time analysis system for tires and road conditions • CP6 | ACAT (Automated-driving Car Accident-analysis Tool) : Autonomous vehicle accident analysis system • Hisense Visual Technology | Vehicle Using Laser Projection Display : Display of vehicle data and road information through holographic AR HUD     At CES 2024, the dominant keywords that left a profound impact on the mobility sector were undoubtedly 'AI' and 'SDV.' The event provided a remarkable opportunity to witness the extensive applications of artificial intelligence across diverse industries, including personalized and modular products and platforms geared towards realizing SDV (Software-Defined Vehicle). Looking ahead, the future of automotive manufacturing appears poised to strike a balance between simplification and sophistication. Anticipations run high as we await the implementations and innovations stemming from the technologies unveiled at CES.   Embracing the "Hack the Mobility" spirit, FESCARO will also run forward in developing the mobility ecosystem through the most practical tech breakthroughs.

 FESCARO was honored as one of the ‘TOP 10 Automotive Solutions Providers 2023’ by CIOReview APAC. Source : CIOReview APAC An APAC-based tech magazine, CIOReview APAC recognizes top tech solution companies across diverse industries. FESCARO was honored alongside Elektrobit and Ambarella for top automotive IT solutions in 2023, recognizing the advanced technology that has produced notable achievements in the automotive cybersecurity solution field.  (Full list of awardees here)Source : CIOReview APAC FESCARO, specializing in software solutions for future mobility, leverages white hat hackers and automotive electronic system developers to focus on next-generation controller business oriented to automotive cybersecurity and SDV (Software-Defined-Vehicle). To meet with cybersecurity regulations emerging from automotive electrification, we provide automakers and tier companies with a one-stop solution including TARA (Threat Analysis and Risk Assessment), security solutions, tailored engineering, and security testing. We have proven our expertise by obtaining the titles of ‘first in Korea’ and ‘only in Korea’ for the major international certifications related to automotive software and cybersecurity.Please check the article below for more details. It was written based on an interview with Hong Seok-min, CEO of FESCARO.  (Link to original article) Source : CIOReview APAC■ FESCARO : Enhanced Automotive Cybersecurity Solution for Future MobilityAutomotive technology has evolved to the extent where vehicles are often referred to as 'running computers.' With software defined vehicles (SDVs) becoming more prevalent, the imperative for robust cybersecurity solutions has never been more pressing. This urgency is amplified by the intricate interconnectivity of modern car infrastructure and the widespread adoption of autonomous driving, both susceptible to an array of potential hacking threats. In the face of these challenges, FESCARO has emerged as an unparalleled leader in automotive cybersecurity dedicated to advancing 'Mobility for All.' FESCARO recognizes that cybersecurity is the first gateway to safe mobility innovation and the final gateway to future mobility. SDV cannot exist without cybersecurity. Due to this, automotive cybersecurity is being legislated internationally, and FESCARO is helping automakers and tier companies adapt accordingly.Its commitment is grounded in hands-on experience and successful cases, with optimized solutions for its customers. By playing the role of cybersecurity tier 0.5, FESCARO's comprehensive solution is being preferred by global SMBs and emerging automakers even more.“We stand as a trusted partner to support them with software solutions and tools for securing in-built vehicle systems against cyber-attacks,” says Seok-min Hong, CEO of FESCARO.To address the inadequacy of the existing hardware-centric approach to the evolving threats of cybersecurity, FESCARO has developed a one-stop software-based solution that can adapt as per cybersecurity needs. They have achieved a Grand Slam with the four major international automotive cybersecurity certifications (CSMS, SUMS, VTA, ISO/SAE 21434) related to UN R155 and UN R156.  ■ Redefining the Future of Automotive IndustrySDVs signify a pivotal departure from traditional automotive models. Unlike static functions in conventional vehicles, SDVs operate on a flexible software platform, allowing continuous updates and additions akin to smartphones. This necessitates continuous development even after mass production, a significant departure from the hardware-centric approach.FESCARO, born from the collaboration of an automotive electronic system developer and a white hat hacker, leads this transformative shift. It focuses on solutions for automotive cybersecurity, next-gen Electronic Control Unit (ECU), and SDV, catering to the evolving market demands with practical and tailored methods. It does so by addressing the widening technological gap between large corporations and SMBs, ensuring ongoing development post-mass production in this software-centric automotive era. ■ How Does FESCARO’s Solution Protect the Vehicle? FESCARO underscores the necessity of analyzing all internal and external aspects of a vehicle’s environment to ensure robust cybersecurity and advocates for a defense-in-depth system with a multi-layered strategy. The first layer employs a Security Gateway (SGW) for filtering inbound communication from external elements, scrutinizing and permitting only authenticated and valid messages. The second layer focuses on End-Point Electronic Control Units (ECUs), ensuring firmware authentication and validity. The third layer extends to external vehicle elements, including Vehicle-to-Everything (V2X) communication crucial for autonomous driving. Highlighting cybersecurity as an ongoing process, FESCARO emphasizes continuous response management. This involves a real-time incident response system integrated with IT infrastructure, featuring SGW and a security management system (vSIEM). The subsequent process includes analysis, research, and development, driving advancements in security technologies based on collected data. FESCARO's automotive cybersecurity solution, supported by internationally patented technology, is the first in South Korea to achieve FIPS 140-2 certification from the U.S. National Institute of Standards and Technology (NIST). This certification validates its security reliability for deployment by the U.S. Department of Defense. FESCARO also holds Automotive SPICE Level 2 certification, enhancing its software quality. The solution has successfully applied to 11 vehicle types from five global automakers.  ■ A Seamless Collaboration for the Best Results FESCARO understands and addresses automotive cybersecurity challenges across the vehicle lifecycle and value chain. The company actively responds to cybersecurity needs from development through production to post-production, engaging in in-depth interviews with client’s teams to comprehend their work status and interests. Using these insights, FESCARO crafts optimized workflows, leading end-to-end system development and operational management. It creates comprehensive IT-based systems that automate operations from the production line to maintenance, ensuring real-time vehicle connectivity. This collaborative approach has yielded notable successes, such as assisting K Group, a global automaker, in achieving three UN certifications (CSMS, VTA, SUMS) from 2021 onwards. FESCARO's comprehensive services include regulatory consulting, threat analysis and risk assessment, security solutions, engineering, testing, deployment, and IT infrastructure. In another achievement, FESCARO secured ISO/SAE 21434 certification for Kanavi Mobility, a global controller development company, in April 2023. These successes solidify FESCARO's expertise in the four major international automotive cybersecurity certifications. Success is rooted in the company’s goal, ‘Making practical breakthroughs to realize Mobility for All.’Winning the award became a great opportunity to promote FESCARO's technology onto the global stage. We will actively expand overseas business, focusing on automotive cybersecurity essential to the SDV era and the development of next-generation controllers that create high-added value. 

Until five years ago, carmakers were hesitant to introduce cybersecurity measures in vehicles despite being aware of their necessity due to cost issues.However, when the European Union introduced cybersecurity regulations in 2022, it became virtually impossible to enter the European market without meeting the new standards. The change has made cybersecurity an essential element to ensure the survival of carmakers.The advancements in vehicle software, diversification of vehicles’ functions and increase in communication have made software-defined vehicles a hot topic for the car industry, and cybersecurity is the final element in building SDVs.The fact that United Nations Economic Commission for Europe World Forum for Harmonization of Vehicle Regulations adopted UN Regulation No. 155, No. 156 in June 2020 to lay the foundations for the cybersecurity ecosystem is widely known.This final article in our series on automotive cybersecurity focuses on the last stage of the strategic approach to cybersecurity regulations. It specifically addresses the concept of Software Update Management System, exploring associated challenges and the strategies to effectively manage them.1. Software updates and SUMSAs the automotive industry shifts toward SDVs, demand is on the rise for post-production software updates. These updates are key to improving vehicle features and extending customer service. Polestar Korea's response to a dashboard speed display issue last year is a case in point. The company promptly addressed the discrepancy of 1 to 3 kilometers per hour through a voluntary recall and free over-the-air updates, enhancing customer convenience and trust.The significance of software updates further aligns with the global regulatory focus. In June 2020, the aforementioned global forum on motor vehicle regulations adopted UN Regulation No. 156 to ensure safe software update policies and procedures. Compliance with this regulation requires automakers to obtain Software Update Management System certification and Vehicle Type Approval. Encompassing a wide range of products from passenger vehicles to agricultural machinery, Regulation No. 156 places particular emphasis on Article 7 ("general specifications") for automakers, detailing requirements for SUMS and vehicle types.2. Requirements for SUMSThe establishment of SUMS requires adherence to Article 7, Section 1 subparagraph 1, focusing on the initial assessment process. This involves secure documentation of all software versions and the management of Regulation X Software Identification Number, which is crucial for identifying and managing software versions for regulatory compliance. A vehicle with a RXSWIN must meet several criteria: consistency with type approved software, interdependency with other System, identification of vehicles requiring updates, compatibility between new software and vehicle configuration and the ability to record and assess the update’s impact on type-approved System.3. Requirements for vehicle typeFor vehicle types, the focus is on software and over-the-air updates. Under Article 7, Section 2, subparagraph 1 of Regulation No. 156, manufacturers must ensure the authenticity and integrity of updates, while preventing compromised or invalid ones. They must also guarantee that each vehicle type’s RXSWIN is uniquely identifiable. When updating RXSWIN to modify type approved software, automakers must either extend the existing type approval or seek a new one based on the impact of the changes. Additionally, they need to ensure that RXSWIN is accessible through standardized System like the on-board diagnostics interface and protected from unauthorized modificationsFor vehicles with over-the-air updates, manufacturers must adhere to guidelines stated in Article 7, Section 2, subparagraph 2. These include the ability of the vehicle to restore its system post-update and maintain sufficient power to ensure proper execution of the update. Automakers are required to inform users before initiating an update, prohibit driving if the update cannot be safely launched, and disable any features that may compromise vehicle safety or interrupt the update process. Upon completion of the update, users should be clearly informed about the outcomes and any changes made.4. Strategies for SUMS certification preparationIn preparing for SUMS certification, automakers must first evaluate the impact of software updates on each type approval by establishing an effective evaluation process and procedure. Depending on the update's impact, a normal software update may suffice, but thorough validation may be essential in cases of significant changes. This can be a time-consuming and complex process, given the interconnected nature of various vehicle System and domains.Fescaro, a leading cybersecurity specialist, has developed an automated vehicle software update management system to facilitate this process. Fescaro’s system enables automakers to verify the integrity of each update and evaluate its implications on vehicle type approval, contributing to their path to successful SUMS certification.The next step involves applying a feature within the cybersecurity-specialized electronic control unit. This system manages software configuration and certification information linking vehicle domains and electronic control units. It plays a crucial role in fulfilling SUMS certification and type approval requirements by enabling vehicle validation, managing software updates, and ensuring safe over-the-air execution.The cybersecurity-specialized electronic control unit also performs essential security functions, enabling effective compliance with Regulation No. 155’s cybersecurity management system requirements. These functions include protecting the in-vehicle network, detecting abnormal messages in real time and monitoring security information and event management – all of which are instrumental in addressing potential cyberthreats.5. Key insights of SUMS certificationAchieving SUMS certification requires a comprehensive assessment of the software update’s impact and software configuration management.However, tracking each type approval, vehicle and electronic control unit poses a real challenge. The key to successful SUMS certification lies in "orchestration" – an integrated approach enhancing workflow productivity. The diagram below illustrates an example of orchestration in the certification process, which involves a seamless integration of vehicle software management System with a cybersecurity-specialized electronic control unit:An example of orchestration in the SUMS certification process (Fescaro)Understanding the automotive industry’s complex value chain and the vehicle’s production cycle is equally crucial. This understanding forms the basis for a system that responds effectively to customer needs and regulatory requirements. Close coordination with tier companies, through workshops and seminars, may also facilitate the certification process and ensure regulation compliance.This article concludes our series on the automotive cybersecurity certification process under UN regulations. A leader in vehicle cybersecurity certification consulting with expertise in all four major certification processes, Fescaro remains committed to providing well-organized, high-level assistance to automakers and tier companies in the field.(Ku Seong-seo is Fescaro's head of global business sales)Fescaro is a vehicle cybersecurity specialist that has gone through all major certification processes (CSMS, ISO/SAE 21434, VTA, SUMS). It is the only company in Korea to have obtained what is referred to in the field as the "grand slam of vehicle cybersecurity certification consulting.” - Ed.<Source : Korea Herald (https://www.koreaherald.com/view.php?ud=20231127000319&ACE_SEARCH=1)>

In this second installment of our series on automotive cybersecurity, we delve deeper into the strategic approach to regulatory compliance, focusing on Vehicle Type Approval (VTA) and its challenges.Until five years ago, carmakers were hesitant to introduce cybersecurity measures in vehicles despite being aware of their necessity due to cost issues.However, when the European Union introduced cybersecurity regulations in 2022, it became virtually impossible to enter the European market without meeting the new standards. The change has made cybersecurity an essential element to ensure the survival of carmakers.The advancements in vehicle software, diversification of vehicles’ functions and increase in communication have made software-defined vehicles (SDVs) a hot topic for the car industry, and cybersecurity is the final element in building SDVs.The fact that UNECE WP.29 adopted UN Regulation No. 155 (UN R155) in June 2020 to lay the foundations for the cybersecurity ecosystem is widely known.1. CSMS and ISO/SAE 21434The core of UN R155 is that carmakers need to obtain a cybersecurity management system (CSMS) and vehicle type approval. CSMS refers to the process and management system for protecting vehicles from cyberattacks and managing cybersecurity risks. ISO/SAE 21434 is the international engineering standard for vehicle cybersecurity that defines the cybersecurity policies and processes throughout all phases of a vehicle’s development, production and postproduction, and sets the standards for CSMS.The UN R155 outlines its aims, while the ISO/SAE 21434 provides the requirements and details about assessment standards. In other words, ISO/SAE 21434 is essential to properly implement CSMS.2. Understanding VTA's purpose and requirementsAs previously explained, the Cyber Security Management System is integral to protecting road vehicles against cyberthreats. The VTA process begins with the technical service (TS) evaluating the automaker's technical documentation and conducting initial vehicle tests. Following TS approval, the approval authority (AA) issues a final CSMS certificate following its own review. VTA ensures each vehicle adheres to the prescribed cybersecurity standards, with both TS and AA validating the implementation.UN R155's cybersecurity certification process (FESCARO)VTA necessitates comprehensive risk assessment, effective cybersecurity measures, and thorough validation testing. This includes identifying risks to road vehicles and determining the adequacy of the risk management strategy, which could involve removal, improvement, avoidance, or acceptance of risks. The specifics of these cybersecurity measures are detailed in UN Regulation No. 155 (UN R155) Articles 5 ("approval") and 7 ("specifications"), with the specific testing protocols outlined in ISO/SAE 21434.3. Conducting cybersecurity testing for VTAThe ISO/SAE 21434 outlines a four-step validation process for road vehicles: functional testing, vulnerability scanning, fuzzing testing and penetration testing. Each step has a specific focus, from verifying the operation of cybersecurity elements to actively simulating attacks to identify potential vulnerabilities. The type of testing required for each Electronic Control Unit (ECU) is determined by its Cybersecurity Assurance Level as specified in Annex E of ISO/SAE 21434, shown in the table below:Cybersecurity Assurance Level assigned to each Electronic Control Unit (ISO/SAE 21434, Annex E)4. Key insights of VTA and FESCARO's expertiseEnsuring the correct setup and application of cybersecurity measures is crucial for the safety of ECUs and vehicles. FESCARO emphasizes a comprehensive approach, integrating threat analysis and risk assessment (TARA), robust cybersecurity solutions, rigorous testing, and effective cybersecurity control management.FESCARO’s success story with an internationally renowned automaker highlights the importance of choosing a competent cybersecurity partner. During a recent penetration test for a world-renowned automaker, we identified a critical issue in an electric vehicle's powertrain system -- when tested in motion, the drivetrain failed and the gas pedal became unresponsive. Our team of experts swiftly reported this issue to the automaker, and after a thorough review, we successfully applied a cybersecurity patch to resolve the problem.5. Essential takeaway from VTA experienceThe essence of VTA lies in thorough verification and validation of cybersecurity measures. This process must be both rigorous and continuous in order to prevent unforeseen cybersecurity events.FESCARO's three-year journey underscores the importance of exhaustive testing and consistent technology application. Real-vehicle testing is critical for comprehensive validation as stipulated in UN R155. Our strategy for successful VTA includes meticulous TARA documentation, extensive ECU testing, real-life vehicle trials, comprehensive VTA evaluation checklists, and seamless integration of cybersecurity testing with IT infrastructure.In our next article, we will explore the final step of automotive cybersecurity certification: SUMS certification, and discuss the prerequisites for achieving it.[Ku Seong-seo, Fescaro head of global business sales at fescaro.com ]Fescaro is a vehicle cybersecurity specialist that has gone through all major certification processes (CSMS, ISO/SAE 21434, VTA, SUMS). It is the only company in Korea to have obtained what is referred to in the field as the "grand slam of vehicle cybersecurity certification consulting.” - Ed<Source : Korea Herald (https://m.koreaherald.com/view.php?ud=20231116000844)>

Excerpt from article 7 of UN Regulation No. 155Until five years ago, carmakers were hesitant to introduce cybersecurity measures in vehicles despite being aware of their necessity due to cost issues.However, when the European Union introduced cybersecurity regulations in 2022, it became virtually impossible to enter the European market without meeting the new standards. The change has made cybersecurity an essential element to ensure the survival of carmakers.The advancements in vehicle software, diversification of vehicles’ functions and increase in communication have made software-defined vehicles (SDVs) a hot topic for the car industry, and cybersecurity is the final element in building SDVs.The fact that UNECE WP.29 adopted UN Regulation No. 155 (UN R155) in June 2020 to lay the foundations for the cybersecurity ecosystem is widely known.1. CSMS and ISO/SAE 21434The core of UN R155 is that carmakers need to obtain a cybersecurity management system (CSMS) and vehicle type approval (VTA). CSMS refers to the process and management system for protecting vehicles from cyberattacks and managing cybersecurity risks. ISO/SAE 21434 is the international engineering standard for vehicle cybersecurity that defines the cybersecurity policies and processes throughout all phases of a vehicle’s development, production and postproduction, and sets the standards for CSMS.The UN R155 outlines its aims, while the ISO/SAE 21434 provides the requirements and details about assessment standards. In other words, ISO/SAE 21434 is essential to properly implement CSMS.2. Requirements and Points of Note in CSMS certificationHow is CSMS approval obtained? To receive approval, Article 7 Clause 2 sub paragraph 2 of UN R155 must be followed. An automaker must apply the cybersecurity management system to all phases of a vehicle’s lifespan – development, production and postproduction – and demonstrate that security is adequately considered in processes such as cybersecurity management within its organization, threat identification, risk assessment and cybersecurity testing. An automaker also must ensure that threats and vulnerabilities requiring a response from the vehicle manufacturer shall be mitigated within a reasonable timeframe, and that field monitoring for detecting and responding to threats is being carried out continuously. The automaker must also demonstrate how the CSMS will manage dependencies that may exist with contracted suppliers, service providers or manufacturer’s suborganizations.The above requirements must be validated by a technical service provider, and the final approval is given after an assessment by an approval authority.An automaker that has yet to establish a CSMS must be aware of the following two elements. The first is to follow Europe and related countries’ time frames for implementing the regulations, and the second is to utilize existing elements as much as possible in order to find ways to meet the requirements in the shortest time span possible.Building a CSMS requires identifying and analyzing a vehicle’s security vulnerabilities. To do this, a threat analysis and risk assessment should be carried out, and the ECUs need to be categorized into security levels according to their importance.The trend is to use hardware security module-fitted semiconductors that meet international standards in ECUs categorized into high security levels, as concerned organizations usually provide cyber security solutions compatible to HSMs, and carmakers using different chips need to replace the chips.This process can lead to significant costs, but there is a case where the issue was solved by analyzing the situation faced by carmakers and ECU developers. In that case, cybersecurity specialist Fescaro developed a software solution that meets HSM security requirements. By doing so, Fescaro assisted in a Korean carmaker meeting all European cybersecurity requirements without replacing over 50 types of chips used in the company’s vehicles. Fescaro’s solution contributed to reducing the development costs and production time. The security solution has since been implemented in producing 150 types of ECUs in seven vehicle types produced by domestic and foreign carmakers.The most important element in CSMS approval is keeping the timetable. Since July 2022, a new vehicle type can only be introduced in Europe after meeting all cybersecurity requirements. From July 2024, the measure will be applied to all new vehicles produced and sold in relevant markets.A misstep in obtaining the approval can lead to setbacks in launching new models, or have a detrimental impact on a carmaker’s quality competitiveness. The time required in all processes from suppliers’ sourcing to quality verification must be taken into consideration.A carmaker has the option of working with a company that provides all-in-one services in meeting CSMS requirements. But the carmaker must assess whether the company has the technological capability to provide the necessary solutions throughout the lifecycle of a vehicle.Such a partner must be capable of dealing with all related areas, from certification consultation services and Threat Analysis and Risk Assessment (TARA) to cyber security solutions, cyber security tests, cyber security gateway ECU to security management system.3. Differences between OEM and tier companies’ approvalDo carmakers and tier companies have to respond to the regulations? UN R155 states CSMS approval should be obtained by the carmaker. However, as a carmaker should be able to manage the cybersecurity activities of tier companies, an ECU developer needs to establish a CSMS if required by the carmaker.If an ECU developer has established a CSMS in accordance with Article 7, "Distributed cybersecurity activities," of ISO/SAE 21434, the ECU developer can obtain ISO/SAE 21434 certification through a technical service provider.As the ISO/SAE 21434 certification proves an ECU developer’s cybersecurity capabilities, it can aid the company in strengthening its competitiveness in the global market.In short, CSMS approval is essential for carmakers under UN R155, while ECU developers can obtain ISO/SAE 21434 certification as necessary.Carmakers and ECU developers across the world are moving quickly to respond to related regulations. Mercedes-Benz was the first carmaker to obtain cybersecurity certification, followed by Volkswagen.In Korea, Hyundai Motor Group obtained CSMS certification in December 2021, followed by KG Mobility in December 2022.As for ISO/SAE 21434 certification, Kanavi Mobility obtained it in February 2023 and Hyundai Motor Group’s global software center 42dot was certified in August 2023.4. Core of CSMS certificationAs a cybersecurity expert who has experienced carmakers obtaining CSMS certification and ECU developers receiving ISO/SAE 21434 certification, the vehicle life-cycle is at the core of CSMS.If in the past, developing a vehicle was the most important phase, in today’s world, the postproduction phase must be considered as software vulnerabilities keep evolving.In other words, all processes across the life cycle of a vehicle must be optimized and a cybersecurity system that is linked to all phases of the life cycle must be built and operated.To this end, numerous discussions and negotiations among the concerned departments and outside partners must be carried out. Only then can a company obtain CSMS certification.[Ku Seong-seo, Fescaro head of global business sales@fescaro.com ]Fescaro is a vehicle cybersecurity specialist that has gone through all major certification processes (CSMS, ISO/SAE 21434, VTA, SUMS). It is the only company in Korea to have obtained what is referred to in the field as the "grand slam of vehicle cybersecurity certification consulting.” - Ed<Source : Korea Herald (https://www.koreaherald.com/view.php?ud=20231114000120&ACE_SEARCH=1)>