How to reduce software vulnerabilities in Cyber-Physical Systems

Recommended Report: Risks and Vulnerabilities of the connected vehicle

We come across a lot of very good information from contacts at PEDCO with Applied SAFe and the application of scaled agility in regulated environments. Usually we are not allowed to speak about such information. Recently we just came across the work of Dan J. Klinedinst and Christopher King from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University’s Software Engineering Institute (SEI). This publicly available report describes cyber security risks and vulnerabilities in modern connected vehicles. With this recommendation, we would like to spread the word about software engineering and its application in scaled agility as for example with Applied SAFe.

In this document the authors introduce to the complexity of modern cars. As stated that ‘The modern vehicle is often referred to as a “computer on wheels.” With over 100M lines of code, the complexity is greater than your desktop operating system (85M lines of code) and slightly less complex than the genome of a mouse (120M base pairs of DNA).’  The authors also talk about risks involved as these vehicles become more advanced, semi-autonomous, and connected. The authors point out that this opens the automobile to the same risks as any other computer—only with physical effects.

Cyber-Physical Systems are open to the same risks as any other computer—only with physical effects.

PEDCO likes the qualifications of vulnerability impacts as they are used throughout the document and listed in appendix ‘D’. The authors describe that unlike the traditional PC, vehicles are heavily regulated. With this, new impacts come into design, testing and implementation of such systems. The authors describe then how such requirements can have an impact on safety-critical functions and how this is connected with the smartphone revolution, the availability of sensors and microprocessors and its use to develop aftermarket OBD-II plugin devices that contain (via wireless internet) cellular connectivity, and even GPS. The authors acknowledge that this provides consumers with useful features, but they also expose the vehicle to potential risks that were never considered when it was originally designed. The document closes with a recommendation that freedom to provide consumers with choice and control over their purchase must be balanced with thoughtful conversations on how to limit adversaries’ access to vehicle internals.

PEDCO recommends this paper if you are interested in an example of a methodical approach to assess risks and vulnerability of cyber physical systems. The example from the Automotive Industry with its OBD-II and CAN architecture helps to design processes in order to comply with regulated requirements and its use in the application of scaled agility as for example for practices within Applied SAFe.