The following are used: 

• Static analysis of code (SAST)
• Secrets review 
• Dependency checking (vulnerability assessments)
• OWASP Top 10 
• OWASP API Top 10
• OWASP IOT ASVS
• CI/CD review of SBOM

• Drop request: Attacks that block network traffic (in-vehicle or outside) to prevent vehicles from updating software
• Eavesdrop: Attacks that listen to network traffic to reverse-engineer ECU firmware.
• Freeze attack: Indefinitely sends an ECU the last known update, even if there may be newer updates on the repository.
• Mixed-bundles: Attackers force ECUs to install incompatible software updates to cause ECU interoperability failure.
• Slow-retrieval: Slows down delivery of ECU updates so that a known security vulnerability can be exploited.
• Partial-bundle: Causes some ECUs to not install the latest updates by dropping traffic to these ECUs.
• Rollback: Causes an ECU to install outdated software with known vulnerabilities. 
• Arbitrary software: Attackers use compromised repository keys to release an arbitrary combination of new images to cause ECUs to fail.
• Mix-and-match: Most severe of all attacks installing arbitrary software on ECU to modify vehicle performance.

Uptane is the first security framework for automotive OTA updates that provides serious compromise resilience, meaning that it can withstand attacks on servers, networks, keys, or devices. The differences are as follows:

• A single server that is compromised cannot compromise more of the system.
• It is possible to recover from a single key compromise.
• The complete vehicle IP address is not readily accessible.
• Network security is not the only security control.
• Delivery authenticity is validated separately from firmware authenticity.
• Vehicle manifest and vehicle component authenticity are validated.
• Component and ECU rollback and replacement attacks are easily detected and remediated.

The following measures are taken:

• Device provisioning
• HSM integration
• In-vehicle secure communications 
• Provisioning of EOL integrations and device provisioning 
• Uptane keys and component replacements

Security is designed into the solution. Additionally, it is assessed to TISAX, SSAE 16/18 SOC 2 Type 2, ISO 26262 in place with ISO 27001, ISO 21434, and ISO 24089 in progress.

Log files are archived and optionally compressed. They are also handled securely and not directly uploaded into the system. The only reference information is in the system, and the S3 bucket is only used for storage of files that are uploaded as GUID’s (Globally Unique Identifiers).

Sibros acts as a data processor. The OEM is the data controller.

All changes for cloud and firmware are reviewed.

Sibros has a very well defined incident management process, and security incident management and breach response processes.

With the following reviews and assessments: 

• Components vulnerability review (firmware and cloud software)
• Cloud infrastructure vulnerability review (cloud software)
• OWASP IOT ASVS assessment (firmware)
• Cloud posture assessments
• AWS GuardDuty, GCP SCC, and other cloud threat assessment tooling

Support for 0x27 and key exchange, secure storage and symmetric key handling to be determined by target ECU.

The following are used: 

• MQTT(s) over Mutual TLS 
• HTTPS over TLS

Sibros Armor includes the following checks and failsafes: 

• 2-way authentication of communication between vehicle and cloud
• Device provisioning framework incorporating secure integrations with manufacturing 
• DeviceID and Vehicle Identification (VIN) with a data abstraction framework that incorporates Privacy by Design
• Role-based Access Control (RBAC)
• Approval workflow for deployments and changes for systems
• SSO and MFA for user authentication
• In-vehicle secure communications
• Secure storage / HSM integrations

Sibros primarily uses a Globally Unique Identifier (GUID) to create a link between device identification information such as Vehicle Identification Number (VIN) / Electronic Serial Number (ESN) and the data collected by Deep Logger, Deep Updater, and Deep Commander.

All access needs authorization and is granted on a need-to-know basis. All employees are background checked as part of their onboarding process.

Sibros follows an approach of security designed from the ground up and built into the DNA of the product. This includes in-vehicle secure communications and secure storage / HSM integrations.

Our solution is assessed to TISAX, SSAE 16/18 SOC 2 Type 2, ISO 26262 (ASIL-D) in place with ISO 27001, ISO 21434, and ISO 24089 in progress. Sibros also addresses and supports security regulations such as UNECE WP.29 R155 and R156, with AIS 189, AIS 190 under review; as well as privacy regulations such as GDPR and CCPA, with Indian DPDP under review.

The procedure for customer communication of the end of cybersecurity support for an item or component should include information on how and when the cybersecurity support will end, any necessary steps that the customer needs to take, and any recommendations for replacement or upgrading of the item or component.

The end of cybersecurity support and decommissioning phase is where methods and procedures are enacted to communicate the end of cybersecurity support and decommission relevant items and components.

The purpose of developing updates and relevant capabilities within the vehicle during the operations and maintenance phase is to ensure that the vehicle stays updated and secure in accordance with ISO 21434 and WP.29 R156.

A cybersecurity incident response plan is important for every cybersecurity incident as it provides remedial actions based on vulnerability management procedures, a communication plan involving all relevant internal and external parties, designated responsibilities for remedial actions, procedures for recording new and relevant information pertaining to the cybersecurity incident, a method or measure for determining progress, and cybersecurity incident response closure criteria.

The production control plan for post-development includes the application sequence for post-development cybersecurity requirements, any equipment and production tools, production cybersecurity controls to prevent unauthorized access or alteration, and confirmation methods to ensure post-development cybersecurity requirements are met.

The production phase is the phase in cybersecurity development where cybersecurity requirements are applied and new vulnerabilities are prevented during production.

Cybersecurity validation involves confirming and validating cybersecurity goals and claims and eliminating any unreasonable risks. It considers the configurations for series production and includes confirming the adequacy of cybersecurity goals for threat scenarios and corresponding risks, achieving item cybersecurity goals, and validating operational environment requirements.

Methods used for the testing of integration and verification include functional testing, vulnerability scanning, fuzz testing, and penetration testing.

Integration and verification in product development involve verifying that all defined cybersecurity specifications are met in the implementation and integration of components, and performing testing to confirm, minimize, and manage unidentified weaknesses and vulnerabilities in the component. The purpose is to ensure that cybersecurity goals and claims are validated and any unreasonable risks are eliminated.

In product development, design involves defining cybersecurity specifications based on existing architectural design and assigning the defined cybersecurity requirements to components of the architectural design. It also includes applying established and trusted design and implementation principles to prevent or reduce cybersecurity vulnerabilities and verifying cybersecurity specifications to ensure completeness, correctness, and consistency with specifications from higher levels of architectural abstraction.

During the product development phase, the organization must have processes in place to test and assess whether a product or component identified in the concept phase is secure and resistant to cyber attacks. This includes identifying the item information such as its intended behavior, architecture, and operational environment, as well as performing an analysis to determine cybersecurity goals and risk treatment decisions.

The purpose of verifying the results is to ensure completeness, correctness, and consistency with respect to cybersecurity goals and claims.

A description of the technical and operational cybersecurity controls in place to achieve cybersecurity goals. This includes considerations for functional dependencies in the item and/or cybersecurity claims and defines the cybersecurity requirements of the item and the operational environment needed to achieve the cybersecurity goals.

The purpose of performing an analysis in the cybersecurity goals stage is to identify assets, threat scenarios, impact ratings, attack paths, attack feasibility ratings, risk values, and determine risk treatment based on analysis results for each threat scenario.

Item definition requirements in the cybersecurity management concept phase include identifying item information such as item boundary, intended behavior, preliminary architecture, and operational environment.

The concept phase is the initial phase in cybersecurity management where the item to be developed is defined along with its relation to cybersecurity goals and concepts.

Examples include ransomware attacks, compromise of internal user credentials + MFA, and compromise of security framework (for example Rippling).

A risk treatment decision is the process of selecting one or more risk treatment options. These might include risk avoidance, risk reduction, division of risk through sharing, and risk retention.

Risk value determination is the process of assigning a risk value between 1 and 5 to each threat scenario based on its impact and attack feasibility.

Attack feasibility rating is the process of determining the feasibility of an attack path using various rating methods such as an attack potential-based approach, a common vulnerability scoring system (CVSS)-based approach, or an attack vector-based approach.

Attack path analysis is the process of analyzing potential threat scenarios for the identification of potential attack paths.

Impact rating is the process of analyzing potential damage scenarios and assessing their impact on road users. This includes safety, financial, operational, and privacy categories.

Threat scenario identification is the process of identifying potential threat scenarios, including the targeted product or component, which cybersecurity property is compromised, and the source or cause of compromise.

Asset identification is the process of identifying potential damage scenarios that could result from the compromise of the cybersecurity properties of a specific product or component.

TARA stands for Threat Analysis and Risk Assessment. It is a method used to analyze potential threats to the cybersecurity properties of a specific product or component and assess the risk of each threat scenario.

The customer and supplier should communicate to determine the appropriate course of action to remedy the issue. Responsibilities for the customer and supplier should also be specified using a responsibility assignment matrix.

Processes and procedures required for cybersecurity activity maintenance and monitoring include: comprehensive collection of cybersecurity information from internal and/or external sources, definition and maintenance of triggers for cybersecurity information triage, assessment of collected cybersecurity information to determine if any cybersecurity events have taken place, assessment of any cybersecurity events for product or component weaknesses, vulnerability analysis to identify potential attack paths and feasibility, and vulnerability management to treat cybersecurity risks in accordance with national and international standards.

A cybersecurity interface agreement specifies how cybersecurity activities will be distributed between the customer and supplier, including cybersecurity activity responsibilities, joint tailoring of activities (if applicable), information and documentation to be shared, distributed cybersecurity activity milestones, and a clear definition of the end of cybersecurity support for the product or component in question. It is important for both the customer and supplier to mutually agree upon the agreement prior to the start of distributed cybersecurity activities.

When requesting a quotation from a potential supplier, a formal request to conform with national and international cybersecurity requirements, expectations of cybersecurity responsibilities, and any cybersecurity goals requirements relevant to the specified product or component should be included.

When evaluating potential suppliers, their capacity to develop and/or perform post-development activities in accordance with national and international cybersecurity engineering standards should be taken into consideration. Evidence of organizational cybersecurity preparedness and adequacy, continual maintenance and improvement of cybersecurity activities and incident responses, and a summary of previous cybersecurity assessment reports may be included.

To release the product or component for post-development, the cybersecurity case must provide a valid and thorough argument, the cybersecurity assessment must confirm or agree with the cybersecurity case, and the post-development cybersecurity requirements must be accepted. All of these must be available before product release for post-development.

A responsible party must be appointed to oversee the planning and performance of a cybersecurity assessment. The assessment must include the cybersecurity plan and include all products and components in the plan, processes and procedures utilized to address cybersecurity risks, a review of the appropriateness and effectiveness of the implemented cybersecurity controls and activities, and rationales that demonstrate compliance with the requirements outlined in International Standards, such as ISO 21434. The assessment report must also include a recommendation for acceptance, conditional acceptance, or rejection of the product or component's cybersecurity.

A cybersecurity case is a document that provides evidence to ensure the cybersecurity of the product or component in question is per national and international standards. It is important to create a cybersecurity case to comply with cybersecurity requirements.

A reuse analysis is an evaluation conducted when a product or component is developed and meets certain criteria such as planned modifications or reuse in a different operational environment.

Yes, cybersecurity activities can be tailored. The rationale behind why an activity is tailored must be sufficient to achieve relevant protection objectives as outlined in ISO 21434.

The first requirement is to assign, communicate, and share cybersecurity activity responsibilities with relevant parties based on information security requirements and best practices. A cybersecurity plan must also be created for each product, which includes objectives, dependencies, responsible personnel, resources, starting and endpoints, intended outcome, and required activities for concept and product development phases per relevant requirements. Cybersecurity plans must be assigned to personnel with the necessary training, certifications, and awareness. They must be updated for any changes or refinements, and adhere to configuration and documentation management procedures.

To meet organizational cybersecurity audit requirements, organizations must perform periodic audits, provide evidence and documentation of all procedures, processes, incidents, and remediations, and judge whether their processes achieve the objectives outlined in relevant national and international cybersecurity standards.

An organizational cybersecurity audit is an independent evaluation of an organization's cybersecurity processes, procedures, and policies to judge whether they achieve the objectives outlined in relevant international cybersecurity standards.

To meet management system requirements, organizations must establish a quality cybersecurity management system in accordance with international standards, make configuration information available for maintaining vehicle cybersecurity, establish a cybersecurity management system for production processes, and manage tools that can influence the cybersecurity of a product or component.

A management system is a set of processes, procedures, and policies that an organization puts in place to manage and address cybersecurity risks and requirements.

Information sharing requirements include defining situations and circumstances under which cybersecurity information sharing is relevant, permitted, and prohibited, as well as specifying information types to be shared, establishing approval processes, and defining relevant parties.

Information sharing means exchanging relevant information about cybersecurity risks, threats, hazards, and conflicting requirements within and outside of an organization.

Establishing and maintaining a strong cybersecurity culture involves ensuring that everyone with assigned cybersecurity roles has the necessary training, certifications, and awareness to fulfill their responsibilities. This includes providing risk management, functional safety, and privacy training and implementing continuous improvement processes for all cybersecurity activities.

A strong cybersecurity culture means that everyone in the organization shares the same beliefs, values, and behaviors that promote and support cybersecurity best practices.

To meet cybersecurity governance requirements, organizations must define a cybersecurity policy that both acknowledges road vehicle cybersecurity risks and commits to managing those risks. They also need to assign responsibilities and organizational authority to achieve comprehensive cybersecurity, as well as provide resources for cybersecurity risk management, development, and incident management.

Cybersecurity governance is a set of rules and policies that organizations put in place to manage and address cybersecurity risks.

OEMs must establish rules and implement processes that adhere to national and international cybersecurity requirements, including assigning cybersecurity responsibilities, providing resources to address cybersecurity risks, and establishing a cybersecurity management system for relevant activities.

The autonomous vehicle market is growing rapidly and is projected to reach significant size in the coming years. According to some estimates, the global market size of autonomous vehicles was around $54 billion in 2020 and is expected to reach over $173 billion by 2026, growing at a compound annual growth rate (CAGR) of over 25%. However, the actual size of the market can vary depending on various factors, including the adoption rate of autonomous vehicles, regulatory barriers, and technological advancements.

The peer-to-peer car sharing industry has been growing rapidly in recent years, with some reports estimating the global market size to be around $11 billion in 2020 and projected to reach $24 billion by 2026. However, the size of the industry can vary depending on the region and the specific services offered by each company.

The exact number of automotive software-related recalls each year worldwide is not publicly disclosed, as different countries have varying regulations and reporting requirements. However, it is widely acknowledged that the increasing reliance on software in vehicles has led to a rise in the number of software-related recalls in the automotive industry. Some reports suggest that the number of software-related recalls has increased significantly in recent years due to the growing complexity of software systems and the increased risk of cyber threats. As connected and autonomous vehicles become more widespread, it is expected that the number of software-related recalls will continue to increase.

The V2X (Vehicle-to-Everything) industry size is rapidly growing and expected to become a multi-billion dollar market in the coming years. According to recent market research reports, the global V2X market size was valued at around $1.3 billion in 2020 and is projected to reach $17.4 billion by 2026, growing at a compound annual growth rate (CAGR) of 52.1% from 2021 to 2026. The increasing demand for connected and autonomous vehicles and the growing demand for improved road safety and traffic efficiency are among the key factors driving the growth of the V2X market.

The global two-wheeler market size was valued at approximately USD 123 billion in 2020 and is expected to grow in the coming years. The growth of the market can be attributed to the increasing demand for affordable and convenient personal mobility solutions, especially in developing countries. Additionally, the growth of urbanization and rising concerns about traffic congestion and air pollution are also driving the demand for two-wheelers. However, the market has been impacted by the COVID-19 pandemic and the subsequent economic slowdown, which has led to a decline in sales in some regions.

The micro mobility industry is growing rapidly and has become a multi-billion dollar industry in recent years. In 2020, the global micro mobility market size was estimated to be worth around US $16 billion and is expected to grow significantly in the coming years, driven by the increasing demand for sustainable and convenient mobility options. However, the exact size of the industry can vary depending on the sources used and the definitions and scope of "micro mobility".

As of 2021, the global market size for commercial fleet vehicle manufacturing was estimated to be around $100 billion. This figure is expected to grow in the coming years, driven by factors such as increased demand for commercial vehicles, technological advancements, and government initiatives to promote fleet modernization. However, it's important to note that the actual market size can vary depending on various factors, such as the state of the economy, changes in consumer preferences, and fluctuations in raw material costs

1. Electric and Autonomous Vehicles: The development and deployment of electric vehicles (EVs) and autonomous vehicles (AVs) is a key trend in the transportation industry.2. MaaS (Mobility as a Service): MaaS refers to the integration of various transportation services, including public transportation, car sharing, bike sharing, and ride-hailing services, into a single platform.3. Micro-mobility: The popularity of e-bikes, e-scooters, and other micro-mobility options is increasing as people look for more sustainable and convenient modes of transportation.4. Connected and Shared Transportation: Connected cars, shared mobility services, and smart city initiatives are transforming the way people move in urban areas.5. Blockchain in Transportation: Blockchain technology is being used to improve supply chain transparency, secure data sharing, and streamline payment systems in the transportation industry.6. Space Tourism: The development of reusable rockets and other space technologies is making space tourism a reality, with companies like SpaceX and Blue Origin leading the charge.7. Sustainable Transportation: The growing awareness of the environmental impact of transportation is driving the demand for more sustainable modes of transportation, including EVs, hydrogen fuel cell vehicles, and alternative fuels.

Electric and Hybrid Vehicles: The adoption of electric and hybrid vehicles is expected to increase as companies look to reduce their carbon footprint and operating costs.Autonomous Fleet Vehicles: The deployment of autonomous fleet vehicles is expected to increase, leading to improved safety and efficiency, and reduced labor costs.Telematics and Connectivity: The use of telematics and connectivity technologies, such as GPS tracking and remote diagnostics, is expected to increase in order to improve fleet management and optimize vehicle utilization.Fleet Management Software: The use of fleet management software, such as fleet management systems (FMS) and fleet management solutions (FMSs), is expected to increase in order to improve the efficiency and productivity of commercial fleets.Shared Mobility Services: The trend towards shared mobility services is expected to continue, with companies looking to maximize vehicle utilization and reduce the size of their fleets.Sustainable Fleet Management: Companies are increasingly focused on sustainable fleet management, including the adoption of alternative fuels, energy-efficient vehicles, and environmentally friendly practices.Increased Use of Data Analytics: The use of data analytics is expected to increase in order to improve decision-making, reduce costs, and enhance fleet performance.These trends are expected to shape the future of the commercial fleet vehicle industry and drive innovation and growth in the sector.

Micro mobility refers to a category of transportation that encompasses small, light, and often electric vehicles, such as e-scooters, e-bikes, hoverboards, and similar modes of transportation. These vehicles are designed for short trips in urban and suburban areas, typically for distances less than 10 miles, and provide an alternative to traditional modes of transportation like cars, buses, and taxis. The concept of micro mobility has gained popularity in recent years due to the need for more sustainable and convenient mobility solutions in densely populated urban areas, where traffic congestion and parking issues are prevalent.

V2X refers to Vehicle-to-Everything communication, a technology that enables vehicles to communicate with other vehicles, road infrastructure, and other devices in real-time. The aim of V2X is to enhance safety, efficiency, and mobility on the roads by enabling vehicles to share information and collaborate with each other to prevent accidents and improve traffic flow. There are two types of V2X communication: Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I).

Mobility as a Service (MaaS) is a concept multi-modal transportation integrated into a seamless service, allowing users to access a range of transportation options through a single platform. The goal of MaaS is to provide a more convenient, efficient, and sustainable transportation system, while reducing the need for private car ownership.MaaS typically encompasses a variety of transportation options, such as public transit, ride-hailing, car-sharing, bike-sharing, and more. Users can access these services through a single app or platform, and often pay a subscription fee for access to the entire network of transportation options.The main idea behind MaaS is to provide users with a flexible, multi-modal transportation system that is easy to use, cost-effective, and environmentally friendly. By integrating various modes of transportation, MaaS aims to reduce congestion, emissions, and the need for personal vehicle ownership.

Trucking as a Service (TaaS) refers to a business model where a company provides trucking services to its customers as a service, rather than a product. In this model, the company owns and manages a fleet of trucks, and customers can access and use these trucks on-demand, without having to purchase or maintain their own vehicles. This can include various transportation services such as delivery, logistics, and supply chain management. TaaS aims to improve the efficiency and cost-effectiveness of the transportation industry by reducing the need for individual businesses to invest in their own fleets and provide a more flexible and scalable solution to meet their transportation needs.

Vehicle Control Unit (VCU) - the central computer that manages and controls the various systems and components of a vehicle.Over-the-air (OTA) updates - the ability to remotely update the software of a vehicle without physically accessing it.Automated Driving System (ADS) - the set of technologies and systems that enable a vehicle to drive itself without human intervention.Vehicle-to-everything (V2X) communication - the exchange of information and data between a vehicle and its surroundings, including other vehicles, infrastructure, and devices.Sensor Fusion - the process of combining data from multiple sensors to provide a more complete understanding of the vehicle's environment.Autonomous Driving Levels - a standardized classification system used to describe the level of autonomy in a vehicle, ranging from Level 0 (no automation) to Level 5 (fully autonomous).Advanced Driver Assistance Systems (ADAS) - technology that enhances the safety and convenience of a vehicle, such as lane departure warning, adaptive cruise control, and automatic emergency braking.

The notion of a connected vehicle only implies the existence of at least one module in the car that can communicate bidirectionally with other systems outside of the car. The software-defined vehicle, on the other hand, is operated, controlled and underpinned by software. So these two aspects, the connected vehicle architecture and the software defined architecture, are independent. However, in reality, they influence each other, because as an optimum, they will interact, communicate and enable each other, for numerous use cases.

Sibros Deep Logger product performs automotive data logging by enabling real-time connected vehicle data collection directly from the vehicle's telematics control unit. This data is then relayed to the cloud portal where it can be utilized for troubleshooting faults, performing vehicle health analytics, alanylzing collision data, assessing preventive maintenance needs, and innovating novel features or vehicle enhancements.

The Deep Connected Platform leverages a compromise resistant IEEE Uptane cybersecurity framework along with Sibros Armor to comply with international cybersecurity regulations, such as ISO 21434 and WP29 R155 and R156. Sibros' products include mechanisms to aide in early threat detection and mitigation, prevent surface area attacks and unauthorized backend access, and ensure all cybersecurity measures and processes are up to date.

A software defined vehicle (SDV) is any vehicle that relies primarily on software for its functionality. This differs from a hardware defined vehicle, where functionality was based predominantly on hardware components, with minimal or basic software involvement.

Sibros leverages comprehensive cybersecurity mechanisms and information best practices to ensure data protection and data privacy for its customers in compliance with international standards such as GDPR and CCPA, among others.

Sibros provides a connected vehicle platform that enhances the connected mobility experience for consumers by enabling original equipment manufacturers with a full suite of connected vehicle services, including over-the-air updates, configuratble data logging, and remote commands.

As a hardware agnostic solution, Sibros' products integrates seemlessly with domain architectures, zonal architectures, and even supports domain centralization, to enable updates to every electronic component and sensor in the vehicle.

Sibros places functional safety at the forefront of its product offerings. Along with implementing its Safe Rollout Approach, Sibros provides one of the industry's only OTA solutions that is ISO 26262 ASIL-D certified for a safety element out of context (SEooC).