New automotive cybersecurity regulatory frameworks and standards, such as UNECE WP.29 R155 and ISO/SAE 21434, require cybersecurity to be addressed throughout the complete vehicle’s lifecycle. A key component of the regulation is the establishment of a cybersecurity management system that includes the analysis of threats and risks, the development and implementation of appropriate countermeasures, and monitoring and logging to analyze incidents. Additionally, sufficient testing of implemented cybersecurity measures must be performed to validate cybersecurity goals. This includes both functional testing to ensure correct behavior according to a specification as well as offensive testing to minimize unidentified vulnerabilities and weaknesses which could be exploited for malicious purposes.
Currently, the automotive industry is facing the challenge to keep up with the demands imposed by the cybersecurity regulations and standards. Often, cybersecurity issues are spotted late during development due to cybersecurity testing not being process-integrated enough into the existing test strategies, lack of guidelines what and how to test and missing proper test environment. Late findings can be very expensive and even delay start of production. Therefore, the automotive industry recently is “shifting left” by integrating cybersecurity aspects into the established test infrastructure to avoid follow-up costs of late findings and reduce costs of additional test platforms and personnel.
A major milestone towards tackling the current cybersecurity challenges is to harmonize the cybersecurity process with processes from standards such as functional safety (ISO 26262) and (SOTIF ISO 21448) through a risk-driven methodology. Hence, verification and validation activities should be aligned within a holistic test strategy. On the testing side, this means utilizing existing hardware-in-the-loop (HIL) and software-in-the-loop (SIL) platforms to conduct various cybersecurity tests types continuously during development, e.g. conformance testing (example: Validating TLS-Protected Ethernet Communcation), safety-security dependency testing (example: From HARA and TARA to Risk-Based Safety and Security Dependency Testing), interface fuzzing (example: HIL-Based and SIL-Based Fuzzing with PlaxidityX and dSPACE), and penetration testing.
HIL systems are widely used as test platforms in the development cycle for electronic control units (ECU), especially in the automotive industry where a single vehicle contains dozens of ECUs. With modern vehicles becoming more software-defined, it is crucial to test and validate software as early as possible. As a result, SIL testing becomes more important since it allows the user to test software functionalities already without any ECU hardware. Utilizing the established HIL and SIL platforms for cybersecurity testing comes with several technical benefits as well as operational benefits.
dSPACE and PlaxidityX (formerly Argus Cyber Security) recently joined forces to introduce new cybersecurity test automation capabilities based on dSPACE’s established SCALEXIO HIL & VEOS SIL platforms as well as PlaxidityX Security AutoTester. The joint solution provides ready-to-use fuzzing test cases for commonly used automotive bus and network protocols. Interface fuzzing focuses on the communication interfaces of the system being tested and it enables searching for and identifying vulnerabilities and weaknesses, such as buffer and integer overflows, dynamic allocation issues, denial of service issues, security misconfigurations, and others. Additionally, fuzzing tests the robustness of the target interfaces and it provides automatically generated negative test cases when executed in a functional test environment.
The basic principle of fuzzing is to feed invalid, unexpected, or random data to the system under test (real or virtual ECU) and monitor its response behavior. Importantly, effective fuzzing needs to be protocol-aware enough to successfully pass into the system under test and at the same time carrying data which is invalid enough to spot edge cases. As fuzzing can be highly automated, it is well-suited to act as an efficient cybersecurity quality gate at different stages of development utilizing HIL and SIL test platforms. As one of the recommended test methods mentioned in the ISO/SAE 21434, fuzz testing is an important pillar in an overall cybersecurity test strategy.
Complementing the usage of HIL and SIL systems as cybersecurity test platforms, dSPACE Consulting supports cybersecurity management and test strategy development with a holistic approach to reach process compliance independent of individual standards. The main goal is a customer-specific solution for processes and required standard compliance as well as standard-compliant development and V&V workflows including matching and qualified tools-chains. dSPACE consultants are skilled in cybersecurity, functional safety, ASPICE and SOTIF projects.
In conclusion, dSPACE and PlaxidityX joint solution for HIL- and SIL-based cybersecurity testing allows testing early and often during development by utilizing the existing functional testing infrastructure and processes. This approach reduces costs on additional testing personnel, simulation hardware and lab space and supports complying with automotive cybersecurity regulations and standards.
Visit the dSPACE booth 4500 at CES to see technology in action and learn more here: dSPACE - CES 2025
