The automotive industry needs standard tools and methods to secure electronic components in the vehicle against attacks. This is increasingly required by both existing and future international standards for the cyber security of vehicles, such as SAE J3061 and ISO/SAE 21434. One important approach is regular penetration testing, in which commissioned security experts attempt to attack the product the way hackers would. Vulnerabilities identified during these attacks can thus be eliminated even before the cars go on sale. It is best practice to prove the effectiveness of such measures by means of a retest after they have been implemented. Up to now, all these tests have been carried out by experts who, due to resource constraints, are often only able to focus on the main features of the most critical control units.
The secunet redbox enables vehicle manufacturers to implement the automatable parts of penetration tests only once, so that they can be used many times afterwards without security experts, at the required scale: on more ECUs than before and with the required repetitions in different process steps. The phases relevant for security tests are initial agile development prototypes, supplier milestones (as part of input or acceptance tests), final tests of integration stages, and the start of series production. If information emerges about new types of attacks or vulnerabilities in software components in use, situation-dependent tests can be used as part of the ISMS/CSMS.
Users benefit from increased efficiency, simplified test processes, increased development speeds and permanently increasing test coverage. If the advantages gained are reinvested in more security tests and countermeasures, the result is ultimately an increase in the security level and quality. Finally, the minimum standards can be raised by integrating with existing infrastructures and compiling test catalogues.