Finding, Managing, Preventing Vulnerabilities: An Automotive Perspective

Andreas Weichslgartner (CARIAD SE, DE), Joyabrata Ghosh (CARIAD SE, DE), Vineeth Bharadwaj (CARIAD SE, DE) Mr. Andreas Weichslgartner is currently working as a Senior Technical Security Engineer at CARIAD SE in the product security department. Joining the Volkswagen Group in 2017, he since then has been developing an embedded intrusion detection system, evaluating security testing technologies, managing vulnerabilities, enabling crypto agility, and working with machine learning in the area of security. Before, he had been a researcher at the Department of Computer Science, Friedrich-Alexander University Erlangen-Nürnberg (FAU), Germany, from 2010 to 2017. He received his diploma degree (Dipl.-Ing.) in Information and Communication Technology and his Ph.D. (Dr.-Ing.) in Computer Science from the FAU, Germany, in 2010 and 2017, respectively. Mr. Joyabrata Ghosh is presently working as a Connectivity products security owner at CARIAD SE. Before that, he was responsible for security and legal technical manager for the Elektrobit Automotive Linux platform for the series production of several automotive OEMs. He started his automotive journey with Direct HMI development for BMW ID7 platform. Over a decade ago, his development journey began in embedded and telecom security domains across many OEMs. He supports EO-14028 CISA SBOM working groups and contributed publications: Types of SBOM, Minimum Requirements for VEX. He contributes to [email protected] and [email protected] for open-source triage. He was co-presenter of Cybersecurity Expectations in Automotive World, 2021, in ELISA Linux safety workgroup. Likewise, he is open-source enthusiast. He has Master’s Degree from the Illinois Institute of Technology in Computer Science, a BS in Computer Science from RCCIIT. Mr. Vineeth Bharadwaj Prasanna is currently working as a Senior Technical Security Engineer at CARIAD SE in the product security department. Vineeth joined the Volkswagen Group in 2018, as a security engineer for Audi AG. Since 2020, he has been a member of the offensive security team and has also been working on building up the vulnerability management system, end-to-end security engineering for China GB-T homologation project for the new PPE/PPC platform for the new Audi and Porsche cars at CARIAD SE. Vineeth received his Master’s degree in Simulation Science from RWTH Aachen University in 2019 with special focus on optimization, and artificial intelligence. --- As the automotive industry undergoes a paradigm shift towards software-defined vehicles, the imperative for robust software security becomes obvious. This talk explores the nuanced landscape of identifying, managing, and preventing vulnerabilities from the perspective of an OEM software company. Starting with an exploration of the escalating role of software in modern vehicles, the talk illuminates the complex software ecosystems that underpin contemporary automobiles. A thorough analysis follows, unraveling the primary sources of vulnerabilities and their potential ramifications on vehicle safety and security. Central to the discussion is the challenge of handling vulnerabilities within the complex supply chains inherent to the automotive industry. The talk elucidates the difficulties in navigating this multifaceted network of suppliers, emphasizing the necessity for collaborative approaches and effective risk management strategies. We detail best practices for developing automotive software along the software development life cycle along with various regulation requirements. Especially we highlight the significance of SBOMs in fostering transparency and traceability across the supply chain. The talk delves into how SBOMs can fortify cybersecurity measures by providing a comprehensive understanding of the software components integrated into automotive systems. Looking forward, the presentation anticipates future challenges and outlines viable solutions confronting the automotive industry, including crypto agility and the incorporation of cryptographic bills of materials (CBOMs).