Software has become an increasingly crucial part of vehicle functionality, enabling digital services in the automotive industry and making modern vehicles dependent on millions of lines of code. With autonomous vehicles growing exponentially, a Goldman Sachs report suggests the average lines of software code per vehicle doubled from 100 million in 2015 to 200 million in 2020, driven by wider adoption of electrified vehicle control and autonomous driving. The report believes that growth could accelerate in the next few years, with each car requiring as much as 650 million lines of code by 2025. This represents a far different order of complexity compared to a typical smartphone operating system or fighter aircraft, with an average of 20-40 million lines of code.
With this dynamic shift toward software-defined vehicles, the complexity and importance of automotive software have grown, underlining the need to manage secure and compliant software releases. Ensuring that software updates are deployed safely and securely is essential for maintaining the performance and reliability of vehicles and meeting industry regulations to ensure protection against security threats. Managing software releases with security and compliance is an essential aspect of modern automotive software development and maintaining a safe and secure transportation environment.
Key considerations for OEMs
With unparalleled reliance on software comes the need for effective software release management practices that prioritize security and compliance. Automotive companies must ensure that software updates are delivered to vehicles such that they are secure and compliant with industry regulations, new features and capabilities can be seamlessly introduced to be at par with industry standards, and risks of cyberattacks and legal and financial penalties are minimized. Here are key considerations which OEMs must keep in mind to ensure that the software used in their vehicles poses no security/compliance-related risks.
• Compliance check at the source: With Tier 1, Tier 2, and Tier 3 vendors producing and supplying the software, OEMs must ensure it adheres to industry-specific regulations such as ISO 26262, which sets standards for the functional safety of automotive systems.
• Supply chain audit: The automotive industry relies on a complex supply chain, and security must be addressed at every level. This includes verifying the security of third-party components, ensuring secure communication between suppliers and automakers, and implementing secure development practices across the entire supply chain. There could be instances where certain open-source components delivered are prohibited for use as they are non-compliant for a certain category of vehicles, a certain category of OEMs, a certain category of geographies, or the intended use of the vehicle. This can be mitigated with a supply chain audit, which inspects the software delivered at every chain and has certain checks and balances to ensure compliance from a licensing and security perspective.
• Release management process: Another critical aspect of automotive software release management is ensuring that software updates are delivered to vehicles in a timely and efficient manner. This requires a well-defined release management process that includes testing, validation, and deployment. By following a structured release management process, automotive companies can minimize the risk of errors and ensure that software updates are delivered quickly and efficiently.
• Regular security assessments: Implementing secure coding practices involves using coding techniques that prioritize security. This may include techniques such as input validation, error handling, and cryptography. By using secure coding practices, developers can minimize the risk of vulnerabilities in the software. Regular security testing is also critical in ensuring the security of software updates. This involves performing regular security assessments to identify vulnerabilities early, so developers can address them before they can be exploited by attackers.
Streamlining secure software release management
Managing automotive software security and compliance can be a complex task, and managing it through a platform can help streamline and simplify the process. Such a platform should have the following capabilities:
• Automated security assessments: The platform should have the capability to conduct automated security assessments, including vulnerability scanning, open-source penetration testing, and code reviews. Automated assessments can help identify security weaknesses and vulnerabilities quickly and efficiently.
• Ability to define policies: The platform must enable software code scanning for open vulnerabilities, security, and licensing. It should identify any use of open-source components that have been integrated within the vehicle and their associated licenses. Depending on the policies defined, the source code should be validated to be compliant with those policies.
• Establishing rules engine: The platform should enable automakers to manage compliance with industry standards and regulations, including reporting and documentation requirements. Referred to as a rules engine, this feature will allow you to define policies, wherein a business user is able to configure acceptable license types and can define workflows in case of exceptions.
• Reporting and dashboarding: To ensure compliance and adherence to safety and security criteria, the platform should integrate with industry standards and regulations such as ISO 26262 and the AUTOSAR framework. AUTOSAR enables a business user to view the software's supply chain, including which vendors are compliant/non-compliant with the defined policies, as well as corrective actions taken to ensure that subsequent releases of the software do not contain those exceptions.
By implementing best practices, following industry standards and regulations, and staying informed about the latest security threats, automakers can develop software that is both safe and secure. It can also provide a centralized view of security and compliance across the entire organization, enabling automakers to identify and address security and compliance risks more effectively. Prioritizing security, compliance, efficiency, and user experience throughout the release process will ensure that software update deliveries maximize the benefits and minimize the risks across the industry. With the right software release management practices, the automotive industry can continue to benefit from the latest technological advancements while maintaining the safety and security of its vehicles.
About the Author
Jitendra Thethi is Head of Cloud Platform Solutions at Cyient. He has 27 years of experience delivering technology-led innovation for customers across multiple industries. In his current role, he is responsible for building digital platform solutions leveraging cloud, data, and AI. Prior to Cyient, he worked with Capgemini and Infosys.