Panasonic Automotive Systems Co., Ltd. (“Panasonic Automotive Systems”) has developed VERZEUSE™ for SIRT (Security Incident Response Team) to analyze the security risks of vulnerabilities in vehicle software after shipment, in collaboration with Panasonic Holdings Corporation.
VERZEUSE™ for SIRT is an innovative system that analyzes the security risks of vulnerabilities identified in software installed in vehicles after shipment and determines the priority of response. It aims to automatically narrow down high-risk vulnerabilities from the vast amount of ever-increasing vulnerability information, and to significantly reduce the time required for risk analysis and vulnerability response.
This system will be exhibited at the 30th ITS World Congress 2024 in Dubai*1 to be held from September 16 to 20, 2024.
<Development background>
With the evolution of automated driving technology, the expansion of digitalization, and the proliferation of Internet connected cars, the risk of cyber attacks on automobiles is increasing.
As cyber attacks have become more sophisticated in recent years, the number of reported vulnerabilities in vehicle software has been on the rise, particularly for open source software (OSS). Furthermore, the number will surely continue to grow alongside the evolution of software-defined vehicles (SDVs), in which vehicles are enhanced with software.
Under these circumstances, there is an urgent need in the automotive industry to create systems that can monitor and protect against cyber attacks on vehicles. Both during the design and development phases and after vehicles have shipped, it is vital to continuously monitor for new vulnerabilities in the wide array of software installed in each vehicle and take measures according to the security risks of identified vulnerabilities.
However, if all vulnerability information is analyzed exhaustively and countermeasures are taken without considering the specifics of each security risk, cost issues may arise when work scope becomes too large. The large number of vulnerabilities that occur every day are a mixture of high and low security risks. Since vehicles consist of many Electronic Control Units (ECUs), each equipped with its own software, a vulnerability in software poses different security risks to each vehicle depending on the ECU on which it is installed, so the number of analyses to be performed can be estimated by multiplying the number of software components, vulnerabilities, and ECUs. With the evolution of SDVs, functions that link multiple ECUs are on the rise, and we expect it to become even more difficult to accurately grasp the security risks that a single vulnerability poses to the entire vehicle.
It is thus essential to properly identify and respond to vulnerabilities that pose high security risks to automobiles, not just at the level of individual ECUs but also at the overall vehicle level, from the vast amount of vulnerability information available, in order to maintain a high level of security.
<VERZEUSE™ for SIRT features>
1. Vulnerability analysis based on vehicle-level risk estimation
VERZEUSE™ for SIRT uses the results of the vehicle security threat analysis during design, a list of software installed in each ECU called the Software Bill of Materials (SBOM), the connection information between each ECU, and our proprietary analysis algorithm to calculate the possible cyber security attack routes and impacts. Security risks are analyzed for the entire vehicle, not just the ECUs.
2. Threat information collected by the Panasonic Group from various industries
Working together with Panasonic Holdings Corporation, we will improve the accuracy of security risk assessment by collaborating with Cyber Security Intelligence, which accumulates threat information collected by the Panasonic Group from various industries such as factory automation, home appliances, and IoT devices.
3. ISO/SAE 21434-compliant vulnerability analysis support
Vulnerability analysis in VERZEUSE™ for SIRT is performed in accordance with the ISO/SAE 21434 process and the results are saved. These results can be used as evidence to be submitted for audits.
*1 Panasonic Automotive Systems Exhibit at the 30th ITS World Congress 2024 Dubai
https://news.panasonic.com/global/press/en240909-2
*2 VERZEUSE™ was coined by combining the Spanish word “ver” meaning “look” and the god Zeus. The name is meant to inspire the feeling of a protective god of the sky watching over the safety of society.
SOURCE: Panasonic
