Considerations for Vulnerability Management in the Automotive Industry

2026-26-0626

To be published on 01/16/2026

Abstract
With the emergence of Software-Defined Vehicles (SDVs), more complex software and connectivity technologies are introduced to support new advanced use cases such as phone as a key, smart parking and vehicle management. However, complex software functionality and external connectivity also increase the attack surface of vehicles and their ecosystem. In this paper, we first perform a classification of recent automotive cybersecurity attacks. We then analyze these attacks and the associated vulnerabilities, considering the application of best-practice vulnerability management approaches including the Common Vulnerability Scoring System (CVSS), the Exploit Prediction Scoring System (EPSS), and Stakeholder-Specific Vulnerability Categorization (SSVC). CVSS is a standardized framework used to assign severity scores to known vulnerabilities and helps organizations prioritize vulnerability remediation based on severity. EPSS is a predictive model that estimates the probability of a vulnerability being exploited in the next 30 days and complements CVSS by focusing on the real-world likelihood of exploitation rather than just severity. SSVC is a decision-making framework for vulnerability handling that helps organizations make appropriate remediation decisions for their specific situation based on, e.g., exploitation activity, mission prevalence and public well-being. We discuss the challenges and benefits of using these different vulnerability management approaches to help automotive organizations manage risks and prioritize the handling of vulnerabilities. As auto manufacturers are responsible for cybersecurity during the lifecycle of their fleet of vehicles, we stress the importance of analyzing and assessing vulnerabilities in a systemic way in order to address newly detected vulnerabilities in a timely manner with appropriate responses.
Citation
Oka, D., and Vadamalu, R., "Considerations for Vulnerability Management in the Automotive Industry," SAE Technical Paper 2026-26-0626, 2026.
Additional Details
Published: To be published on Jan 16, 2026
Product Code: 2026-26-0626
Content Type: Technical Paper
Language: English