A Comprehensive Training Approach for Automotive Cybersecurity Engineering

Cybersecurity assumes a major role in the context of the automotive domain, where both existing and forthcoming regulations are heightening the need for robust security engineering. A significant milestone in advancing cybersecurity within the automotive industry is the release of the first international standard for automotive cybersecurity ISO/SAE 21434:2021 ‘Road Vehicles — Cybersecurity Engineering’. A recently published type approval regulation for automotive cybersecurity (UN R155) is also tailored for member countries of the UNECE WP.29 alliance. Thus, the challenges for embedded automotive systems engineers are increasing while frameworks, tools and shared concepts for cybersecurity engineering and training are scarce. Hence, cybersecurity training in the automotive domain necessitates an understanding of domain-specific intricacies and the unique challenges at the intersection of cybersecurity and embedded systems engineering, elevating the need for improving the skill set and knowledge of automotive cybersecurity engineers. This paper delves into an automotive cybersecurity training concept aimed at enhancing the proficiency of development engineers. In that context, we also consider the framework to train over CAN. While the presented work primarily addresses technical aspects, we recognize the importance of aligning development within the framework of relevant standards. This is crucial because any training courses must adhere to the expectations set by standardization boundaries. The presented PENNE¹ framework simulates a network of CAN controllers, which enables the testing and hands-on experiences for attack vectors and mitigation methods in a simulated environment, providing basic implementations for the most common attack types of this network. The framework is extendable for training and testing purposes with series controllers and real-world demonstrators.