AESIN attended the CYBERUK conference last month to see how the automotive industry featured at the UK government’s flagship cyber security event. There were fascinating sessions on the use of AI for both attack and defence and a great talk by The Lazarus Heist podcaster. In addition to a branded bottle, there were two standout takeaways:

1. Automotive Applications were all but Absent

This was astonishing because the automotive industry is one of the world’s largest consumers of integrated semiconductors and the possibility for widespread disruption of transport and society is embedded throughout our supply chains, infrastructure, and vehicles. The demand for Electronic Control Units (ECUs) in vehicles will continue to grow rapidly – from $72.1Bn last year to $127.6Bn in 2033[1] – driven by the move to electric vehicles and increasing software features.

Connected vehicles, powertrain electrification, and automation are driving a 7% compound annual growth rate in automotive software and electrical/electronic components – to $469Bn by 2030 – which will vastly outpace the 3% CAGR in the overall automotive market[2].

In addition, almost every new vehicle is connected to the cloud.

In 2023, 95% of automotive cyber-attacks were carried out remotely, over the air, and 64% were executed by black hat actors. Analysing these also reveals a massive rise in scale. Attacks targeting thousands or millions of vehicles made up around 20% of incidents in 2022, but more than 50% in 2023[3].

If the lack of dedicated sessions and of automotive presence in the exhibition is anything to go by, these significant automotive trends seem to be passing the UK cyber community by!

2. But Memory Vulnerability was a Very Hot Topic!

Speakers from NCSC, GCHQ, the US White House National Cyber Director, the German Federal Office for Information Security, Japan’s Deputy National Security Adviser, and several others took the stage to highlight the decades-old problem of memory safety that continues to this day in software used in a vast array of applications, including vehicles. The US White House emphasised the urgent adoption of memory-safe technology such as the Rust programming language and the CHERI hardware architecture.

We’ve previously reported that AESIN is working with network members Thales and WMG to investigate the potential of CHERI for the automotive electronics community. A key focus for the RESAuto project is the economic impact of adopting CHERI on software engineering processes. Well-written MISRA C or CERT C software, proven in safety-critical vehicle functions over many years, is likely to contain very few memory vulnerabilities. However, compiling for CHERI-enabled hardware has picked up some issues in automatically generated code, an approach which is likely to be increasingly used as ADAS and Automated Driving functions demand more and more complex software running on more powerful platforms.

WMG will talk about what the project has found at the AESIN Conference at the British Motor Museum on 11th July.

The RESAuto team will present our findings and demonstrate a CHERI-enabled braking system linked to a driving simulator at our industry workshop on 20th November 24. Put the date in your diary and plan to come along!

[1] Source: Copyright © 2024 Precedence Research: Global Automotive Electronic Control Unit Market 2024-2033 https://www.precedenceresearch.com/automotive-electronic-control-unit-market

[2] Source: Copyright © McKinsey & Company: Automotive software and electronics 2030 https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/mapping-the-automotive-software-and-electronics-landscape-through-2030

[3] Source: Copyright © 2024 Upstream Security Ltd: Global Automotive Cybersecurity Report 2024 https://upstream.auto/reports/global-automotive-cybersecurity-report/