SOFTWARE SECURITY

Green Hills Software Expands Leadership in Automotive Cybersecurity

prnewswire | October 28, 2020

Green Hills Software, the worldwide leader in embedded safety and security, announced today that it has adopted the two new international security standards and regulations for automotive cybersecurity, ISO/SAE 21434 and UNECE WP.29, for the INTEGRITY real-time operating system (RTOS) and associated products and services. For decades, Green Hills has been an industry-recognized leader helping electronics manufacturers create and deploy embedded systems at the highest levels of safety and security. By offering compliant products and associated evidence reports for these new standards, Green Hills will build upon its proven pedigree as the foundational run-time software provider trusted by OEMs and their Tier 1 suppliers for automotive electronics. Applying these new security standards enables manufacturers to design and deploy purpose-built, secure, software-defined systems in connected vehicles, including highly automated driving, high-performance compute clusters, domain controllers, vehicle gateways, telematics, keyless entry, diagnostic connections and electric vehicle charging stations, to name a few.
As reliance on vehicle connectivity grows and demand for software-defined services increases, so does the risk of cyberattacks against connected vehicles. With over 100 ECUs and hundreds of millions of lines of code, connected vehicles are a target-rich platform for attackers. Multiple points of entry into modern connected vehicles provide opportunities for malicious vehicle control, fraud, and data breaches that threaten companies, drivers, and road users. A single exploited security vulnerability could put an entire fleet of vehicles at risk, numbering in the millions. With nearly 80% of new cars connected to the internet (1), cybersecurity breaches have the potential to put billions of dollars in sales and lawsuits at risk, not to mention the damage to brand reputation.
As a result, governmental bodies and independent regulators are drafting two related measures for managing cybersecurity threats throughout a connected vehicle's lifecycle. Green Hills is collaborating with its customers and adopting cybersecurity assessment policies for the following:
The draft ISO/SAE 21434 "Road vehicles – Cybersecurity engineering" standard was recently published by SAE International and ISO (the International Organization for Standardization). It is a baseline for vehicle manufacturers and suppliers to ensure that cybersecurity risks are managed efficiently and effectively from both a product-lifecycle and an organizational perspective, spanning concept, development, production, operation, maintenance, and decommissioning.
The WP.29 regulations from the United Nations Economic Commission for Europe (UNECE) make OEMs responsible for cybersecurity mitigation in four areas spanning the entire vehicle lifecycle: managing cyber risks; securing vehicles by design; detecting and responding to security incidents; and providing safe and secure over-the-air (OTA) software updates. While WP.29 defines concrete examples of threats and mitigations, OEMs can choose how they demonstrate that the threats are addressed, for example by complying with ISO/SAE 21434. The regulation is expected to be finalized in early 2021 and applied initially in many member nations, including European nations, South Korea, the UK, and Japan, and will likely influence vehicle homologation policies in the US, Canada and China.
WP.29 will be legally binding within adopting countries, and while the ISO/SAE 21434 standard is not a regulation, it is expected to be widely accepted in the global industry like ISO 26262 is today.
"Connected cars bring significant risks and rewards to OEMs and their suppliers," said Chris Rommel, Executive Vice President, IoT & Industrial Technology at VDC Research. "Green Hills has earned a high stature in the industry for supplying security-critical foundational software to companies building life-critical systems like aircraft avionics, vehicle ADAS and medical equipment, and its support of these new cybersecurity standards is noteworthy."

"ISO/SAE 21434 and WP.29 are valuable additional steps towards protecting connected vehicles from cybersecurity vulnerabilities," said Dan Mender, VP of Business Development at Green Hills Software. "Green Hills has decades of experience developing and delivering security-certified technologies at the highest levels. Adopting these standards expands our offerings to global automotive OEMs and their suppliers bringing the industry's leading secure software run-time environment to next-generation connected vehicle electronics."

Reference
(1) Source: VDC Research Group, Inc.: Automotive Cybersecurity Software & Services Market report, 2019 Strategic Insights Security & The Internet of Things Research Program.

About Green Hills Software
Founded in 1982, Green Hills Software is the worldwide leader in embedded safety and security. In 2008, the Green Hills INTEGRITY-178 RTOS was the first and only operating system to be certified by NIAP (National Information Assurance Partnership comprised of NSA & NIST) to EAL 6+, High Robustness, the highest level of security ever achieved for any software product. Our open architecture integrated development solutions address deeply embedded, absolute security and high-reliability applications for the military/avionics, medical, industrial, automotive, networking, consumer and other markets that demand industry-certified solutions. Green Hills Software is headquartered in Santa Barbara, CA, with European headquarters in the United Kingdom.
Green Hills, the Green Hills logo and INTEGRITY are trademarks or registered trademarks of Green Hills Software in the U.S. and/or internationally. All other trademarks are the property of their respective owners.

Spotlight

The Communiqué issued at the March 2017 meeting of the G20 Finance Ministers and Central Bank Governors (FM&CBG) in Baden-Baden noted that the malicious use of Information and Communication Technologies (ICT) could disrupt financial services crucial to both national and international financial systems, undermine security and confidence and endanger financial stability. With the aim of enhancing cross-border cooperation, the FSB was asked, as a first step, to perform a stock-take of existing relevant released regulations and supervisory practices in G20 jurisdictions, as well as of existing international guidance, including to identify effective practices.

Related News

New Security Challenges for Organizations Having Larger Remote Workforces

Tripwire | August 18, 2020

At the outset of the global coronavirus 2019 (COVID-19) pandemic, many organizations decided to enforce social distancing by requiring their employees to work from home. This decision changed the fundamental way in which many employees were accustomed to working. It also created new security challenges for organizations that now had larger remote workforces. Tripwire wanted to learn the specifics of these challenges, so it commissioned Dimensional Research to survey 345 IT security professionals about them in mid-April 2020. As reported by Business Wire, a majority of respondents (58%) indicated that employee home network security was one of their areas of higher concern, followed by increased attacks (45%), difficulties in keeping remote systems configured securely (41%) and obstacles to keeping remote systems compliant (38%). Reflecting on the difficulties of keeping remote workers safe, 89% of survey participants said their job was harder as a result of the new work-from-home policy. Nearly half (49%) said outright that they couldn't effectively secure employees' home offices, and 65% of respondents admitted they believed their security was worse because of COVID-19.

PTC and Cybellum partner to seamlessly incorporate cybersecurity into the product engineering process

prnewswire | January 14, 2021

PTC and Cybellum, an innovator in automotive cybersecurity risk assessment, today announce a partnership to deliver an integration between PTC's Windchill RV&S and Cybellum's platform. The joint solution will provide automated cybersecurity scanning for software developed using Windchill RV&S, to help ensure compliance with all required safety and security regulations. PTC's Windchill RV&S combines requirements engineering, comprehensive software configuration management and test management to ensure manufacturers build the right products. The software source code and built executables are managed within Windchill RV&S, and on check-in Cybellum's platform automatically runs cybersecurity assessments. Joint customers can now define software security considerations early in the product life cycle, side by side with their overall product engineering process. They can then plan their implementation, and calculate and manage the associated cybersecurity risks in the context of the whole product. Software engineers can also proactively test and fix the identified security or safety risks using the automatically generated, detailed guidance. This helps ensure that critical safety and security vulnerabilities are identified, managed, prioritized and mitigated throughout the engineering process, so that products are delivered safe and secure. The joint solution also helps customers prepare for and comply with existing and upcoming cybersecurity regulations, such as ISO 26262 Road Vehicles Functional Safety, UN WP.29 (World Forum for Harmonization of Vehicle Regulations), and ISO 21434 DIS Road Vehicles Cybersecurity Engineering.
"We are excited about the partnership with PTC, helping product development teams shift left by embedding cybersecurity risk assessment processes and prevent vulnerabilities early in the delivery process of software-intensive products," said Michael Engestler, co-founder and CTO of Cybellum. "Through the unique integration with PTC Windchill RV&S we empower manufacturers to control, trace and mitigate safety and security issues early on, ultimately delivering safe and secure products."

"We see this integration as a significant enhancement for PTC customers who are particularly concerned about the cybersecurity of the software they manage with Windchill RV&S," said Hedley Apperly, VP SSE Products, PTC. He continued, "This automated security scanning and remediation mentoring will be invaluable to any manufacturer building software intensive products, which are vulnerable to cyber-attack."

About Cybellum
Cybellum empowers automotive OEMs and suppliers to identify and remediate security risks at scale, throughout the entire vehicle life cycle. Our agentless solution scans embedded software components without needing access to their source code, exposing cyber vulnerabilities. Manufacturers can then take immediate action to eliminate cyber risk in the development and production process, before any harm is done, while continuously monitoring for emerging threats impacting vehicles on the road.

About PTC
PTC enables global manufacturers to realize double-digit impact with software solutions that enable them to accelerate product and services innovation, improve operational efficiency, and increase workforce productivity. In combination with an extensive partner network, PTC provides customers flexibility in how its technology can be deployed and drive digital transformation – on premises, in the cloud, or via its pure SaaS platform. At PTC, we don't just imagine a better world, we enable it.

DATA SECURITY

Deloitte to Acquire Terbium Labs, Digital Risk Protection Solution Provider, to Expand its Threat Intelligence Offerings

Deloitte | June 21, 2021

Deloitte has announced its acquisition of the assets of Terbium Labs, a Baltimore-based digital risk protection company. Terbium Labs helps organizations detect and remediate data theft, exposure, or misuse across the digital landscape. All of Terbium Labs' services and solutions will join the Detect & Respond operation services of Deloitte's cyber practice. They include a digital risk protection platform that uses artificial intelligence, machine learning and patented data fingerprinting technology to identify illicit use of sensitive data online. Terbium Labs is Deloitte's third cyber acquisition of 2021: it previously acquired Root9B, LLC (R9B), a cyber-threat hunting provider, and CloudQuest, a cloud security posture management provider. Through these acquisitions, Deloitte demonstrates its commitment to helping global clients manage cyber threats across the digital platforms on which they run their businesses. According to Kieran Norton, principal and infrastructure solution leader at Deloitte Risk & Financial Advisory, Deloitte & Touche LLP, finding sensitive or proprietary data once it has left an organization's perimeter can be exceptionally challenging. Advanced online threat intelligence, paired with remediation of data exposure risk, requires a balance of progressive technology, a keen understanding of compliance monitoring, and appropriate alignment with an organization's business needs and risk profile. Deborah Golden, principal and Cyber and Strategic Risk leader at Deloitte Risk & Financial Advisory, Deloitte & Touche LLP, added that their industry-leading cyber practice is dedicated to providing customers with novel and ground-breaking ways to transform their cyber risk postures as they strive to strengthen their trust equity, resilience, and security.