The following article was originally published in eeNews Automotive. It is reprinted here with permission.
In the wake of increasing connectivity, the electronic systems of cars are increasingly becoming the focus of malicious hackers. The problem is exacerbated by the fact that cybersecurity must be guaranteed not only at the time of delivery, but throughout the entire life of the vehicle.
Israeli security specialist Karamba Security now has presented a concept for the comprehensive protection of entire vehicle fleets. An interesting aspect here is that it can be applied not only to vehicles, but generally to many types of networked embedded systems.
For the development phase of devices and components, new software called VCode from Karamba offers security validation to manufacturers. This ensures that the product software can be checked for security gaps and logical errors during the design and development phase, and that it complies with current compliance guidelines. By integrating security testing into the continuous deployment process, companies save time and money on penetration testing at the end of the development cycle and on any costly post-test adjustments, the vendor claims.
VCode improves the protection of networked products by allowing developers to take security measures during the development process. “Customers—in this case the developers of advanced driver-assistance systems (ADAS) and other vehicle systems at automotive OEMs and Tier 1s—want to be informed about potential security vulnerabilities in their products and expect them to be addressed according to risk levels and compliance standards,” said Tal Ben David, co-founder and VP R&D at Karamba. “In the complex, multi-tiered supply chain of software development, it is critical that all stakeholders work together on safety issues. VCode verification accelerates the entire development process and ensures improved security for automotive networked systems and ECUs.”
In addition, Karamba is now launching another product, the XGuard Monitor, to complement and extend its existing XGuard Runtime Integrity software. It’s an embedded intrusion detection system (IDS)—a software agent that continuously monitors embedded systems for potential threats. The agent reports suspicious activities at both the device and fleet level to the respective company's cloud or back-end systems, creating the greatest possible transparency.
The system benefits from integration and runtime analysis at the binary code level. XGuard Monitor is thus able to detect data manipulation and so-called “low and slow”" attacks. This is a hacker method in which external data packets can be introduced into systems because the security system considers them to be legitimate traffic due to their low data rate and size.
Because the software is active throughout the entire lifecycle and remains connected to the back-end, the system can guarantee embedded security throughout the entire lifecycle of devices. According to Karamba, the solutions presented can be integrated into the development process without significantly affecting hardware resources such as CPU or flash memory. Currently, 11 real-time operating systems (RTOS) and six types of CPU architectures are supported. In addition to its products, Karamba Security offers a variety of cybersecurity services, including TARA analysis according to ISO 21434 and penetration tests for the validation phase of products.
With the expansion of its portfolio, the company is also reacting to the increased security situations in the areas of Industry 4.0, consumer IoT, and medicine that have arisen as a result of networking these systems. “All these areas are looking for security solutions that can be seamlessly integrated into the lifecycle of networked devices,” said Ami Dotan, co-founder and CEO of Karamba Security.