Reflections from VECS 2022
by Alexander Alasjö 2022-05-20
If you attended the Vehicle Electronics & Connected Services (VECS) exhibition in Gothenburg on May 17-18 2022, hopefully you visited our booth and got familiar with our services. If not, here we'll present some of our experiences and reflections from the event.
Assured was one of many exhibitors and sponsors at VECS. Our booth showcased the "CAN Hack!" automotive security education platform, boosted by a motorized LEGO car controlled over CAN bus from our "CyCar", which triggered the curiosity of passers-by.
While a physical gadget is fun to play with and can start discussions, we wanted to highlight our range of services for the automotive industry: penetration testing; secure design and architecture; application security; review of cryptographic implementations; and security advisory. We had many interesting discussions and made several new acquaintances on the exhibitors' floor.
A brochure covering our automotive security services is available now. Contact us if you want a printed version mailed to you.
UN Regulation No. 155 and ISO 21434
An obvious theme of many questions and talking points during the event was compliance with security-related regulations for the automotive sector, with a focus on UNECE R155 and ISO 21434. These standards aim to extend the rigorous demands on personal safety in vehicles to cyber security requirements: if a vehicle hasn't been thoroughly tested and risk assessed, and does not have a solid process for receiving updates and fixes for security-related issues during its lifetime, it cannot run on public roads. This poses a tough challenge for manufacturers and suppliers, as the hardware and software need to be kept up to date and secure for tens of years, longer than most smartphones or laptops are expected to be operational.
Of course, Assured has a role in the type approval process for new vehicles' compliance with UNECE R155 and ISO 21434. As a security partner we assess and test cars, trucks and buses, drawing on our long experience in penetration testing of connected systems and services and an acquired specialty in automotive security. Combined with our expertise in infrastructure and application security, this makes us an excellent partner for security testing of the entire delivery: from the end user (mobile and web applications, Bluetooth and Wi-Fi interfaces); via the actual vehicle (infotainment, telematics, onboard systems, etc.); to backend services (cloud computing, over-the-air updates, fleet management, connected services, etc.). The penetration test reports we deliver give developers, management and auditors a clear view of the security posture of the tested vehicle and how well it adheres to security best practices.
Agile workflows and dynamic development
Another interesting theme we observed during VECS was the discussion of development lifecycles, workflows and DevOps. Quicker releases and manageable deployment schemes are seemingly sought after. This is a welcome topic, because for years we have assisted customers with security architecture and advisory, implementing and addressing security in all areas of the development lifecycle.
Security is on everyone's mind
As a final note, it was evident that security was a common theme throughout the exhibition. Not only was there a security-focused speakers' track and a panel discussion on security; most exhibitors also seemed to be showing their products and services with a security-driven mindset.
It was a fun and interesting couple of days, but now we're back hard at work while also making preparations for the next event as a sponsor of Security Fest in June.