NRI SecureTechnologies, Ltd. (President: Jun Odashima, hereinafter NRI Secure) has established a new team focused on information security diagnostics and assessments of automobiles and their onboard devices, and will now be providing an “Automotive Penetration Test” service (hereinafter the Service).
- Cyber-attacks on Automobiles a Growing Threat
Recently, the quest to improve fuel efficiency and make automatic driving a reality has made it increasingly common for automobiles to be equipped with information communication equipment that connects with external networks, smartphones, USB memory sticks, and other devices. With these items attracting attention as potential targets for cyber-attacks, any unauthorized remote access could lead to serious problems and may potentially jeopardize human lives.
In the U.S., the National Highway Traffic Safety Administration (NHTSA) released guidelines*1 last year requiring automotive industry members to conduct penetration tests that simulate intrusion attempts by attackers. In response, many Japanese automobile manufacturers and auto-parts manufacturers that deal mainly in the North American market are currently looking into conducting such tests.
- Security Service for Automobiles Provided by a Dedicated Team
NRI Secure has provided numerous security assessments for automobiles and related systems in the past and has created detailed assessment criteria based on extensive experience with vehicle systems. Using these assessment criteria and past experience, NRI Secure has now developed a new “Automotive Penetration Test” service that clients can use to help adhere to NHTSA guidelines and reduce overall risk.
The Service involves conducting penetration tests based on various guidelines for incorporated devices and on the expertise that NRI Secure has cultivated thus far through “Device Security Diagnostics*2” for IoT (the Internet of Things) equipment. NRI Secure is launching a dedicated team comprised mainly of members with extensive backgrounds and achievements in vehicle system penetration testing, who will identify risk scenarios and intrusion pathways through offline threat analysis and then run security assessments and diagnostics on the actual vehicles and their onboard devices. In addition, the dedicated team can support automobile manufacturers or other clients who prefer to perform the diagnostics in-house.
For more information on the “Automotive Penetration Test” service, please contact: firstname.lastname@example.org
NRI Secure will continue to innovate and provide products and services to support companies and organizations in their information security goals, and contribute to the creation of a safer information system environment and society on a global scale.
*1 Guidelines: Cybersecurity Best Practices for Modern Vehicles (https://www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf)
*2 Device Security Diagnostic: A service that detects, to the extent possible, any existing or unknown vulnerabilities affecting gaming devices, electronic book readers, digital appliances, wearable devices, IoT equipment, and the like. Launched in November 2012.
About NRI Secure
NRI SecureTechnologies is a subsidiary of Nomura Research Institute (NRI) specializing in Cybersecurity, and a leading global provider of next-generation managed security services and security consulting. Established in 2000, NRI SecureTechnologies is focused on delivering high-value security outcomes for our clients with the precision and efficiency that define Japanese quality.
For more details, visit us at http://www.nri-secure.com
Visualizing the “Automotive Penetration Test” Service
The equipment installed in automobiles (ECU*3) and its systems can be classified broadly into three categories: “information systems”, which connect to external networks or devices; “control systems”, which control the vehicle body; and “gateway (GW)” technology, which separates these two systems. If an information system is attacked from an external network or device, there is a risk of intrusion into the control system via the GW, which could ultimately allow an attacker to manipulate the vehicle.
With the Service, assessments are done in the following two phases to verify how robust the security is against such threats.
1) The security of the information system equipment, the control system equipment, and the GW is assessed individually, through both review and penetration testing.
2) After any vulnerabilities detected in phase 1 are compiled, a penetration test is done using the entire vehicle to determine whether an attack from an external network or device could allow the attacker to manipulate the vehicle.
*3 ECU: Electronic Control Unit. This refers to the computing devices installed in automobiles, which control the engine and transmission, as well as the anti-lock braking system (ABS) and electronic brakeforce distribution (EBD) system.