How Canada's Cybeats Technologies catalogues code that makes up auto software

From headlight assemblies to rear bumpers, every physical component in a modern vehicle can be traced back to the precise location it was built.

The same can’t be said for automotive software. But Cybeats Technologies Corp. is working on it, starting with the Automotive Parts Manufacturers’ Association’s (APMA) new electric concept vehicle, Project Arrow.

“This is actually the first vehicle that will have software supply-chain transparency,” said Dmitry Raidman, chief technology officer at the Toronto-based company.

Cybeats catalogues the origins of the underlying code that makes up the software used by each component on Project Arrow.

“For every single device that runs on software, there will be a list of ingredients,” he said.

Software is typically assembled from a range of underlying elements as opposed to being built from scratch.

OPEN-SOURCE ISSUES

Cybeats’ tool provides a “strong sense” of where the software running on the vehicle comes from and whether it poses any risks to either the operation of the vehicle or the data the vehicle collects, said APMA President Flavio Volpe.

“We think about 75 per cent of software in this business is open-source,” Volpe said. “Well, the amount of open-source software makes the data that you create potentially at risk, or suspect.”

Unlike proprietary closed-source software, the code of which is tightly guarded, the underlying code for open-source software is readily available. This shortens development times by giving programmers the ability to edit or build on code that’s already proven, but also exposes the code to bad actors.

Software supply-chain transparency will become more of a priority in the coming years, Volpe said, as EVs have a “dramatically larger” digital footprint than their internal-combustion-engine cousins and thus a greater number of open-source vulnerabilities.

A BILLION LINES OF CODE

The typical vehicle today contains 10 million to 50 million lines of code that allow disparate components to function in a vehicle, Raidman said. By the time fully autonomous technology emerges, Cybeats expects that will grow to one billion lines.

For each vehicle part that runs software, Cybeats’ technology keeps an ingredient list known as a software bill of materials (SBOM). The company’s management platform, called Studio, does not sift through every line of code but monitors the open-source dependencies for vulnerabilities.

Because about 80 per cent of automotive software is built from open sources, it is a “very significant attack vector” within the software supply chain, Raidman said.

A vendor going out of business and no longer updating its software is just one instance that would put the underlying software at risk, he said.

“You want to know about this because if software’s not supported, there is a new risk, a new bug, new vulnerabilities that will not be fixed.”

Armed with an SBOM for each auto part, Cybeats’ monitors for any such vulnerabilities. Every hour, the management platform keeps track of global cybersecurity events and threats from multiple sources of security advisories. When a potential new risk to the open-source code used in an auto part is spotted, the supplier or automaker is alerted.

“You need to be proactive about it,” Raidman said, adding that response times are also quicker and corrective actions easier when software developers can be directed to precisely what code needs to be fixed.

INDUSTRY TAKES NOTICE

While Project Arrow, launched Jan. 5 at CES in Las Vegas, is leading the way for SBOM use in automotive, Raidman said Cybeats is talking with automakers and parts suppliers about the technology, though it has not disclosed any deals to date.

There are also nonautomotive applications for the technology, Raidman said. Cybeats already has contracts with companies involved in industrial control, medical devices and energy infrastructure.

Regulators in Europe and the United States are also taking note. In mid-2021, for instance, U.S. President Joe Biden issued an executive order aimed at bolstering cybersecurity practices, including a directive to federal agencies to explore standards for SBOMs.

“It’s going to be universal; everyone will use [SBOMs],” Raidman said. “Every single company that builds software will not be able to sell software without it.”

The global focus on cybersecurity has led to rapid growth since Cybeats was founded in 2016, Raidman said. The company employs 55 people.