Cars Become Complex Computer Systems — How To Ensure That Vehicles Aren’t Just Safe, But Also Secure.

A project between BOSCH and Cybellum

EDITOR: DANIEL DILGER & JESSICA GARFIELD

When car manufacturers hand drivers the keys, they’re also making a promise — that every single component inside their vehicles is safe. But as cars become complex computer systems with vast collections of software components from different vendors, that promise is becoming harder than ever to keep. The Bosch team sees the Cybellum solution as one of the potential platforms for supporting that promise by car manufacturers.

For companies such as Bosch, product security and incident response have never been more challenging. Bosch needs to work together with OEMs to secure the vehicles of today and tomorrow, manage known and unknown risks, and juggle regulations and security policies, all while having limited visibility into the software of components received from suppliers. An automated way to see everything and do it all would be a big improvement, and that is what this project teaser is all about.

The Tel Aviv-based startup Cybellum and Bosch joined forces to automatically manage vulnerabilities and compliance in design, development and operation. The new standard is automatically exposing, assessing, prioritizing and mitigating vulnerabilities in context, all the while continuously monitoring for possible threats throughout the vehicle lifespan.

The Project

The two teams met at a meetup at the beginning of 2020 to discuss the security challenges in the automotive space. One of the key challenges for OEMs and suppliers is obtaining a high-quality software bill of materials for automotive components in order to perform risk assessment. A secondary challenge is then to filter out the large number of false positives. A participant from Cybellum explained that they already have a working solution that covers these two challenges and more. Once both teams realized that they share similar views on vulnerability identification, management and mitigation as a critical issue for the automotive industry, they decided to join forces in tackling challenges around automating and scaling vulnerability management operations to allow for the development of secure automotive products.

Bosch has a central team which coordinates Proofs of Concept and performs tests. A second technical team is a project team, which evaluates the results together with the central team. Bosch brought to the table a deep knowledge of the automotive industry, the cyber challenges its players are facing and the applicable processes and procedures. Cybellum, as a cyber tech innovator, brought its Cyber Digital Twins platform and rich experience in cyber risk management. While working together, the two teams were challenged with integrating this platform into the Bosch environment and utilizing it for the benefit of Bosch’s automotive customers. Installing the system in the corporate network required innovative thinking, tech savviness and creativity, as the teams had to identify, analyze and resolve complex technical issues. Those issues would directly impact the way joint customers are able to overcome their cyber challenges.

Outcome

The goal of this first project was to evaluate and demonstrate key security factors like visibility of vulnerabilities and security issues, context-based filtering of security analysis results, continuous monitoring and ease of reporting. During the test, the teams analyzed components including open-source operating systems, where a clear challenge is the potential number of findings. There can be a high number of potential vulnerabilities for every component. Because the existing public vulnerability databases do not reflect the specific composition of every software component, one can expect many false positives. With the help of Cybellum’s platform, Bosch was able in the Proof of Concept to reduce the number of findings and to focus the analysis effort on relevant findings only.

Future Outlook

The results will be presented internally in an anonymized way. Other teams / projects then can evaluate whether Cybellum’s platform should be integrated in the existing chain of tools. The central security team will support the individual projects with integration. This has been a first pilot project for the joint teams of Bosch and Cybellum. The STARTUP AUTOBAHN team will be happy to update interested parties about additional projects and initiatives happening in the future.

Acknowledgements

We would like to express our sincere thanks to Dirk Targoni (BOSCH), Eddie Lazebnik (Cybellum) and Thomas Escher (Cybellum).

About STARTUP AUTOBAHN

STARTUP AUTOBAHN powered by Plug and Play is a neutral innovation platform moderating an in-depth and curated collaboration between core partners from industry and young tech companies. The program is stage agnostic and designed to accelerate startups by connecting them to the right business units of our Corporate Partners in order to lay the groundwork of a successful cooperation and eventually outstanding pilot projects, implementations or investments.

Plug and Play Tech Center, Mercedes-Benz AG, ARENA2036, University of Stuttgart, ZF, DXC Technology, Porsche, BASF, Webasto, Motherson, DPDHL, Bosch, Schaeffler, STMicroelectronics, Murata, AGC, Hyundai, Linde, BP, Wieland, Faurecia, Eberspächer, ADAC, Sekisui, Plastic Omnium, Zenzic, Maxion, Novelis, ITT, Grupo Antolin, Huf Group, CEAT

www.startup-autobahn.com

www.plugandplaytechcenter.com

Contact for this project
Daniel Dilger, Ventures Director, STARTUP AUTOBAHN powered by Plug and Play, daniel@pnptc.com

Sebastian Tietz, Open Bosch Mobility, Bosch, Sebastian.Tietz@de.bosch.com
