Alessio Vassoney
Integrating ISO/SAE 21434: A Comprehensive Analysis and Practical Implementation of Functional Cybersecurity Testing in Automotive Systems.
Supervisors: Danilo Bazzanella, Fabio Vallone. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2024
Abstract: | The automotive industry faces numerous cybersecurity challenges, highlighted by several high-profile incidents. In 2015, hackers exploited vulnerabilities in the Jeep Cherokee's infotainment system, gaining control of critical functions like braking and steering. In 2016, researchers remotely hacked the Tesla Model S's CAN bus, manipulating various systems, including the brakes. In 2020, hackers exploited the Tesla Model X's keyless entry system, allowing vehicle theft. These incidents emphasize the need for robust cybersecurity measures to prevent unauthorized access and ensure occupant safety. To mitigate identified risks, it is essential to implement a series of security requirements and to test their implementation. Authenticated boot ensures that the software running on the vehicle's ECUs is genuine and unaltered, providing a root of trust for the entire system. Secure updates implement mechanisms for the distribution and verification of software updates, ensuring their authenticity and preventing tampering. Authenticated diagnostic access (ADA) restricts access to diagnostic functions to authorized personnel only, preventing malicious exploitation of diagnostic interfaces. Secure communication ensures that data exchanged between vehicle components and external systems are protected from unauthorized access and manipulation. Last but not least, the secure logger ensures the availability of encrypted and untampered failure logs, which are crucial for diagnosing problems and investigating incidents arising from tampering and unauthorized access attempts. Through functional cybersecurity testing, the expert verifies that these security requirements are met. A structured process involves developing a comprehensive test plan that includes all the test cases, describing each test to be performed step by step, and a test report consisting of the list of executed tests and their corresponding results, used to evaluate the effectiveness of the implemented security measures. To optimize the testing process, this thesis presents test automation using Python. The automated test framework interfaces with vehicle ECUs via the controller area network (CAN) interface, using the Innomaker and a Raspberry Pi 4 connected to a PC. This setup facilitates efficient communication with ECUs, automated test execution, and result collection. The framework includes Python test scripts that perform security tests, such as verifying secure communication, performing software updates to validate their secure implementation, and ensuring that diagnostic access is correctly authenticated. Before testing, a test plan is prepared in accordance with the Python script specifications, outlining the test sequence and expected outcomes. The user can then generate test reports detailing the results, identifying problems, and assessing the security measures' effectiveness. |
---|---|
Supervisors: | Danilo Bazzanella, Fabio Vallone |
Academic year: | 2024/25 |
Publication type: | Electronic |
Number of pages: | 93 |
Additional information: | Thesis under embargo. Full text not available |
Subjects: | |
Degree programme: | Master's degree programme in Computer Engineering (Ingegneria Informatica) |
Degree class: | New system > Master's degree > LM-32 - COMPUTER ENGINEERING |
Collaborating companies: | SECURITY REPLY SRL |
URI: | http://webthesis.biblio.polito.it/id/eprint/33229 |