Considerations for Vulnerability Management in the Automotive Industry

2026-26-0626

1/16/2026

Abstract
With the emergence of Software-Defined Vehicles (SDVs), more complex software and connectivity technologies are being introduced to support new advanced use cases, such as phone as a key, smart parking, summon vehicle, remote diagnostics and vehicle management. However, complex software functionality and external connectivity also increase the attack surface of vehicles and their ecosystem, and in the past few years we have seen various cybersecurity attacks targeting vehicles and OEM backends. In this paper, we first classify recent automotive cybersecurity attacks. We then analyze these attacks and their associated vulnerabilities considering the application of best-practice vulnerability management approaches, including the Common Vulnerability Scoring System (CVSS), the Exploit Prediction Scoring System (EPSS), and Stakeholder-Specific Vulnerability Categorization (SSVC). CVSS is a standardized framework for assigning severity scores to known vulnerabilities; it helps organizations prioritize remediation based on impact and exploitability metrics. EPSS is a predictive model that estimates the probability that a vulnerability will be exploited in the wild within the next 30 days; it complements CVSS by focusing on the real-world likelihood of exploitation rather than severity alone. SSVC is a decision-making framework for vulnerability handling that helps organizations reach appropriate remediation decisions for their specific situation based on, e.g., business impact, exploitation activity and public safety concerns. We discuss the challenges and benefits of these vulnerability management approaches in helping automotive organizations manage risk and prioritize the handling of vulnerabilities.
As auto manufacturers are responsible for the cybersecurity of their vehicle fleet throughout its lifecycle, we stress the importance of analyzing and assessing vulnerabilities in a systematic way, so that newly detected vulnerabilities are addressed in a timely manner with appropriate responses.
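To make the three approaches concrete, the following is an added example (not code from the paper or its authors) that prioritizes a small set of constructed vulnerability records three ways: by CVSS base score alone, by EPSS probability alone, by a combined CVSS-and-EPSS shortlist with assumed thresholds, and by a simplified SSVC-style decision tree. The records, the `V-n` identifiers, the thresholds and the decision tree are all assumptions for illustration; the tree borrows SSVC's outcome vocabulary (Act, Attend, Track*, Track) but is not the official decision table. The point it shows is that the four orderings disagree: the highest-CVSS item is not the one with active exploitation, and only the decision-based view puts the actively exploited, automatable one first.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One vulnerability record. Every field below is constructed for this example."""
    vid: str            # internal tracking id (constructed; not a CVE identifier)
    component: str
    cvss: float         # CVSS v3.1 base score (0.0-10.0)
    epss: float         # EPSS probability of exploitation within 30 days (0.0-1.0)
    exploitation: str   # SSVC decision point: "none", "poc" or "active"
    automatable: bool   # SSVC decision point: can exploitation be automated at scale?
    safety_impact: str  # SSVC-style well-being/safety impact: "low", "medium" or "high"


# Constructed sample records, not findings from the paper.
SAMPLE = [
    Vuln("V-1", "telematics control unit: remote code execution",
         cvss=9.8, epss=0.02, exploitation="none", automatable=True, safety_impact="high"),
    Vuln("V-2", "infotainment browser: memory corruption",
         cvss=7.5, epss=0.65, exploitation="active", automatable=True, safety_impact="medium"),
    Vuln("V-3", "OEM backend portal: authentication bypass",
         cvss=8.1, epss=0.30, exploitation="poc", automatable=True, safety_impact="low"),
    Vuln("V-4", "workshop diagnostic tool: local privilege escalation",
         cvss=7.8, epss=0.001, exploitation="none", automatable=False, safety_impact="low"),
]


def cvss_rank(vulns):
    """Severity-only ordering: highest CVSS base score first."""
    return [v.vid for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def epss_rank(vulns):
    """Likelihood-only ordering: highest 30-day exploitation probability first."""
    return [v.vid for v in sorted(vulns, key=lambda v: v.epss, reverse=True)]


def cvss_epss_shortlist(vulns, min_cvss=7.0, min_epss=0.1):
    """CVSS and EPSS combined: keep items that are both severe and likely to be
    exploited, most likely first. The two thresholds are assumptions."""
    hits = [v for v in vulns if v.cvss >= min_cvss and v.epss >= min_epss]
    return [v.vid for v in sorted(hits, key=lambda v: v.epss, reverse=True)]


def ssvc_decision(v):
    """Simplified SSVC-style deployer tree (an illustration, not the official table).
    Outcomes use SSVC vocabulary: Act > Attend > Track* > Track."""
    if v.exploitation == "active":
        return "Act" if (v.automatable or v.safety_impact == "high") else "Attend"
    if v.exploitation == "poc":
        if v.safety_impact == "high":
            return "Attend"
        return "Track*" if v.automatable else "Track"
    # No known exploitation: only a safety-critical, automatable path warrants attention now.
    if v.safety_impact == "high" and v.automatable:
        return "Attend"
    return "Track"


SSVC_ORDER = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}


def ssvc_rank(vulns):
    """Decision-first ordering; CVSS only breaks ties within the same SSVC outcome."""
    return [v.vid for v in sorted(vulns, key=lambda v: (SSVC_ORDER[ssvc_decision(v)], -v.cvss))]


def compare(vulns):
    """All four orderings side by side, so the disagreements are visible."""
    return {
        "cvss": cvss_rank(vulns),
        "epss": epss_rank(vulns),
        "cvss+epss": cvss_epss_shortlist(vulns),
        "ssvc": ssvc_rank(vulns),
    }


if __name__ == "__main__":
    for method, order in compare(SAMPLE).items():
        print(f"{method:>10}: {order}")
```

On the constructed records, CVSS alone ranks the unexploited telematics RCE first and the actively exploited infotainment bug last; EPSS alone inverts that; the combined shortlist drops the two items with negligible exploitation probability; and the SSVC-style tree puts the actively exploited, automatable item at Act while still keeping the safety-critical telematics item at Attend rather than letting its low EPSS bury it. That divergence is exactly why the abstract argues for assessing each vulnerability in context rather than by a single score.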
Citation
Oka, D., and Vadamalu, R., "Considerations for Vulnerability Management in the Automotive Industry," SAE Technical Paper 2026-26-0626, 2026.
Additional Details
Published: Jan 16
Product Code: 2026-26-0626
Content Type: Technical Paper
Language: English