11th International VDI Conference - Cyber Security for Vehicles

Conference chair: Dr. Mathias Dehm, Chief Product Security & Privacy Officer, Continental AG

• Vulnerability impact in relation to public attention
• Changes of cyber attacks over time and outlook into the future
• Approach and Proposal for an Automotive End of Security Service
  Herbert Tschinkel, Volkswagen Security Officer Operations, Head of Security Operations & Maintenance, Volkswagen, Germany

• Overview of ISO 21434 and the Cyber Resilience Act (CRA)
• Synergies and Differences
• Practical Alignment Strategies
  Patrick Faye, Cybersecurity Manager, co-author: Hamza GUEFIF, Cybersecurity Consultant, both: UTAC, France

• ASPICE®, ISO 26262 and ISO 21434 have overlapping areas, benefits arise in consolidating the assessments and audits
• Advantages for a combined approach, e.g. reduced effort for project
• Focusing on the CS aspects for details on showcase
• Lessons learned from Infineon and UL
  Janine Funke, Strategic Area Cybersecurity Leader, co-authors: Alexander de Jong & Bhaskar Vanamali, all: UL Solutions, Germany, Sandeep Chandrashekar, Infineon, India

• New regulations like the Cyber Resilience Act or UNECE R155 demand cybersecurity for products
• There are synergies and differences between product and information security management
• Re-use of information security practices for product (vehicle) cybersecurity
  Florian Stahl, Team Leader Cybersecurity, AVL, Germany

• Differences between SDVs and traditional vehicles, and how immobilizer requirements change in SDVs
• The advantages of applying SOA to immobilizers, including interoperability, modularity, and scalability
• Challenges and best practices for implementing SOA-based immobilizers, addressing complexity, reliability, and security concerns
  Alexander Harlass, Senior Product Manager Cybersecurity, co-author: Nils Kaiser, both: Bosch Engineering, Germany

• Security analysis of SecOC communication in a commercial semi-trailer truck scenario
• Implementation of SecOC with authentication mechanism and pseudo-random function based on the ASCON algorithm
• Performance evaluation in relation to AES based SecOC regarding security and efficiency
  Leon Pascal Olejar, JOST-Werke Deutschland GmbH & Prof. Dr. Marc Stöttinger, Professor, Hochschule RheinMain, Germany

• Promoting Cybersecurity in the Supply Chain: From Culture and Collaboration to Proactive Cyber Risk Management in Development
• From TARA to Practice: Strategies for Translating TARA Methodology Insights into Collaborative Cybersecurity Activities in Development, Deployment, and Incident Response
• Measuring Cybersecurity Performance and Metrics: KPIs, Levers, and Strategies to Strengthen Cybersecurity Resilience
  Falk Mayer, Founder and Managing Director, CYMETRIS GmbH, Germany

• Consistent maintenance of CSMS documents is challenging when a product has several variations.
• Our proposal: Splitting CSMS work products into reusable building blocks with standardized interfaces.
• Reusability and a higher degree of automation lead to less maintenance overhead in the CSMS.
  Tobias Oder, Expert Consultant Hardware Security, Alter Solutions Deutschland GmbH, Germany & Tatiana Senkova, SMR Automotive, Germany

• Technical and Organizational challenges and how to address them
• Prioritization of vulnerabilities and different factors to consider for risk calculation
• Best practices for establishing the project archival strategy
• Incident Response drills and the benefits of conducting them
  Santosh Mudhol, Product Security Expert, MAHLE International GmbH, Germany

Optimizing Cybersecurity Validation in Automotive Development: Enhancing Penetration Testing Efficiency Through In-House Preparation
CYEQT

At the end of the first conference day we kindly invite you to use the relaxed and informal atmosphere for in-depth conversations with other participants and speakers.

• Vehicle manufacturers must validate that the security measures in place to protect systems are effective
• Overview of risk-based penetration testing tailored to ECU-specific assessment
• Layered testing strategies for ECUs, ranging from interface testing to securing memory
• Variant-specific testing to ensure robust cybersecurity across vehicle lifecycles
  Dr. Gurchetan Grewal, Office of CISO, Jaguar Land Rover, UK

• Current State and Challenges of Common Cybersecurity Testing Practices
• Coordination of Fuzzing and Penetration Testing Efforts
• Discussion of Benefits and Pitfalls
  Nico Vinzenz, Senior Engineer Security and Privacy, Continental Engineering Services, Germany

• The role of MPUs in microcontroller defense strategies, and why they are critical for the security, reliability and safety of automotive ECUs
• Proper configuration and verification of MPUs are vital for safeguarding against vulnerabilities and ensuring robust protection in automotive systems
• Hardware mechanisms designed to enforce access controls are essential security features - automotive software designers should verify the relevant security claims in microcontroller hardware documentation through testing or external penetration testing
  Nimrod Stoler, Security Researcher, PlaxidityX, Israel

Panelists to be announced

• The unique cybersecurity challenges faced by AVs & the threat landscape for AVs is continually evolving
• Effective risk management begins with a comprehensive risk assessment framework
• Layered security architectures are essential for protecting automated vehicles
• Proactive testing methodologies play a vital role in identifying vulnerabilities in AV systems before they can be exploited
• Collaboration across the automotive industry is vital for addressing cybersecurity challenges effectively
  Abdulrahman Yacoob, R&D Product Cybersecurity Manager, Valeo North America, USA

• AI-powered TARA enhances accuracy and efficiency in cybersecurity processes
• Automated identification, assessment, and mitigation of risks with minimal human intervention
• Flexible model adapts seamlessly to multiple use cases without reconfiguration
• Significant time savings compared to manual methods, optimizing resources and risk management
  Dr. Bastian Holderbaum, Director solution management functional safety & cybersecurity, co-authors: Timo Förster & Dr. Hendrik Ruppert, all: FEV.io GmbH, Germany

• Why the switch to post-quantum cryptography is necessary and urgent
• Technological challenges for the migration
• Current state of the standardisation efforts in post-quantum cryptography
  Tudor Soroceanu, M.Sc., Department Secure Systems Engineering, Fraunhofer Institute for Applied and Integrated Security AISEC, Germany