Commercial vehicles threat model and risks are vastly different than those of passenger vehicles. Here details the specific risks and solutions relevant to heavy duty vehicles.

1. 1
Is cybersecurity protection of commercial
vehicles harder?
Gilad Bandel
Cymotive Technologies

2. 2
Commercial vehicles’ unique risks:
Passenger vehicles account for 60% of
the while commercial vehicles account
for the remaining 40%. However:
• Commercial vehicles travel by far
longer distances than passenger
vehicles
• The lifespan of a commercial
vehicle is longer than a passenger
vehicle
• Many commercial vehicles are part
of national critical infrastructure,
especially during times of crisis and
military conflict
• Many enemies: terrorists, criminals
and owners

3. 3
Unique cyber risks to
commercial vehicles:
Focus on trucks &
agriculture equipment
Motives: Transporting tens of $
billions of goods, threats to
disrupting services resulting in
considerable financial and legal
damages.
Risk to mission-critical or
military equipment transported
by trucks motivated by political
or criminal reasons

4. 4
The differences in attack surfaces and threat models
Viral effects of modular attachments
Agricultural vehicle attachments and trailers can serve
as a vector, as easily accessible and compromised
One trailer/attachment may serve many vehicles
Compromised vehicles can, in turn, serve as a vector to
attack yet to be compromised attachments and trailers

5. 5
Service, tools and the right to repair
Consideration
• Diagnostics and testing tools connected
through the OBD connector require
cryptographic authentication usually
from the gateway
• The right-to-repair compound risks
imply keys should be made available to
vehicle owners
• This opens new opportunities for
hackers to attack vehicles

6. 6
Why do we need a different approach for commercial vehicles?
Tailored solutions
are vital to low
bandwidth
networks
Reduce network
overhead
Limit the need for
costly hardware
investment
Threat models & attack
vectors vary by protocol
– SAE J1939
standardized usage
across many OEMs
Potential casualties and damages of a
commercial vehicle are much higher than
passenger vehicles

7. 7
SAE J1939 - Frame format

8. 8
SAE J1939 – Transport protocol

9. 9
How do attack surfaces and threat
models differ to regular CAN?
Attack surfaces and threat
models
• Remote attacks as a preferred
methodology
• Routine maintenance deters physical
attacks, though still possible
• Standardized protocol across
manufacturers, little to no variation in
component design and integration
• Component interoperability leaves
multiple OEMs/Tiers open to attack by a
single kill-chain

10. 10
Attack vectors and scenarios
Addressing
• SAE J1939 uses a 29-bit, extended CAN
addressing, proprietary format. No way to truly
authenticate the origin of the message.
• Any spoofing or impersonation attack is possible
 ECUs can send any message ID
 No authentication
 Man in The Middle (MiTM) also a
possibility
Vehicle Configuration
• Commercial vehicles have a complex and
dynamic life-cycle with many opportunities
for rogue actors to integrate compromised
components or upload malicious software.
• Interoperability means components can be
mixed and matched.
• Attachments and other equipment may be
shared by many vehicles.

11. 11
11
Attack vectors and scenarios
Aftermarket Fleet Management & Equipment
installation
Devices added by fleet owners to monitor and control
their fleet. In some cases, regulation requires the
installation of driver-hours recording ELDs (Electronic
Logging Devices) and other telematics equipment.
• Not part of the OEM cybersecurity control process
• Usually not part of the OEM supply chain
• Cyber-protection cannot be guaranteed
Specific Embedded Software Issues
There are several types of vulnerabilities when
implementing a protocol or a standard:
• Inherent protocol vulnerabilities
• Defined in a vulnerable way
• Implementation vulnerabilities
• Buffer Overflow (BoF)
• Badly defined/complex protocol
• Or bad code flow exposing the protocol to
attack

12. 12
Reducing risk
• ISO/SAE 21434
• AUTOSAR best practice, and many others
• This translates to a set of activities:
• Process and procedures
• Cybersecurity management systems
• Secure by design approach of all the systems
• Secured software development lifecycle
• Compliance with standards such as A-SPICE
and MISRA
• Dedicated cybersecurity protection
mechanisms such as XDR (eXtended
Detection and Response) IDS/IPS, end point
protection, cryptographic solutions
Mitigating cyber-attacks on SAE J1939 commercial vehicles
Proactive Action is Required
Tier-1s and OEMs need to take proactive
action to protect the commercial vehicle for
many reasons, including:
• Regulations such as the UN R155
• Growing awareness within professional
bodies in the automotive industry
• Top management aiming to protect their
firm’s reputation, preventing loss of life
and damage to property
• Insurance companies requiring
cybersecurity adoption to minimize risk

13. 13
13
SAE J1939 Layers scope
J1939-91 Network Security (WIP)
Layer 2
In-Vehicle Network
Layer 3
EE Architecture
Layer 4
Connected Vehicle
Layer 1
Individual ECU
ISO 14229-1
SAE J3101

14. 14
14
Layer 1 security
Individual ECU
ISO 14229-1 and SAE J3101
• ECU Protected Boot, Secure Flash
• Authorization and Authentication
Note: many ECUs “standard” thus are
interchangeable between numerous makes and
models. This implies that a vulnerability detected on
a specific ECU can be exploited across many vehicle
types across the industry!

15. 15
15
Layer 2 – J1939-91 Part “C”
In-Vehicle network security
J1939-91C defines recommendations for:
• Secure on-board communications between ECUs
• Update General Vehicle Network Gateway
recommendations and network topology reference
related to J1939-31

16. 16
16
Layer 3 – J1939-91 Part “A”
Foundation layer security
J1939-91A Defines THE RECOMMENDATIONS FOR SECURITY OF THE VEHICLE
SIDE OF THE J1939-13 connector
• Recommendations for vehicle communications functions with a device which
is connected to J1939-13 interface - diagnostics interface security. [Similar
to SAE J3138 diagnostics link security and SAE J3005-2 “dongle” device
security]
• General requirements for “Imposter Reporting” for devices that may spoof
J1939 Source Addresses.

17. 17
17
Layer 4 – SAE J1939-91 Part “B”
Connected vehicle security
Scope of SAE J1939-91B: Bi-Directional secure Over The Air (OTA)
communications via a telematics interface to the vehicle
• Extended Vehicle (ExVe) Systems and Intelligent Transportation Systems
(ITS)
• ISO 20077, ISO 20078, ISO 20080, etc.
• UN R156
• ISO 24089
• ISO TC204 work items (ITS)

18. 18
Future trends
 SAE J1939-91 network security parts A, B and C are still WIP (Work in Progress)
 SecOC and message authentication
 UN R155 and GB/T certification for vehicle type approval
 ISO/SAE 21434 “cookbook” including the V-model, SecSDLC (Secured Software
Development Life Cycle), A-SPICE (Automotive Software Performance
Improvement and Capability dEtermination)
 V-XDR (Vehicle eXtended Detection and Response) systems a.k.a. IDPS (Intrusion
Detection and Prevention System) connected to a SIEM (Security Information and
Event Management) system at the V-SOC (Vehicle Security Operations Center)
 CSMS and continuous vulnerabilities management automated tools
 V2X including message plausibility and misbehavior detection
 Automotive Ethernet
 Connected and Automated Driving – platooning, etc.
 Cooperative Intelligent Transportation System

19. 19
About
A global
footprint
Israel, North
America, Europe &
Asia
Industry
certifications
A growing
workforce
~220 employees
85% cyber experts
A full lifecycle
smart mobility
platform
ISO 9001, ISO/IEC 90003,
TISAX
Following A-SPICE Level 2
Founded in 2016 by leaders of
Israel’s National Security Services
—
Selected cyber partner of
the Volkswagen Group
—
Financially Strong & Profitable

20. 20
cymotive.com
gilad.bandel@cymotive.com