U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Freeway traffic.
Workshop

Software Integrity in the Automotive Sector

The push to automated vehicles and automated driving systems have increased the importance of software and firmware integrity in the automotive industry. With each passenger vehicle having an increasing cyber footprint to support these automated functions, NIST is considering developing guidance on security techniques and processes to help assure the integrity and authenticity of this software during development, distribution, and update processes. This workshop will focus primarily on the use of cryptographic techniques, including digital signatures in a secure software development lifecycle, to reduce cybersecurity risks in both the supply chain and the operations phase of vehicles’ lifecycle. Subject matter experts in the automotive industry will share the existing challenges, industry standards, and proposed approaches for addressing software integrity. The findings from this workshop will be documented to inform the development of security guidelines for the automotive sector.

The average vehicle is the result of a complex, global supply chain with the vehicle companies (commonly referred to as original equipment manufacturers – OEMs) working with suppliers and purchasing off-the-shelf components. The code that is used in vehicles are often not created by the OEMs and their tier 1 suppliers but is either created farther down the supply chain or not in the automotive space at all. 

Once the vehicle has been developed, the code has to be distributed to the manufacturing facilities. Often, large systems are sent from the suppliers to the manufacturing facilities, including the software and firmware. The OEMs and their suppliers have taken steps to secure their supply chain but they face a growing threat as the chain is both global and diverse.

Once a vehicle has been manufactured and purchased, there is on-going maintenance which includes software updates. At one time, all such updates were downloaded through tools supplied by the OEMs and largely applied by mechanics in garages. Now, the OEMs are looking to take advantage of ubiquitous telecommunications to start over the air updates into vehicles. As with IT equipment, such updates represent an attractive target for adversaries. Concerns about updates as a source of attacks have led to substantial standards work over the last few years such as ISO 21434:2023 Road vehicles – software update engineering and UN regulation No. 156 – Software update and software update management system.