New automotive cybersecurity regulatory frameworks and standards, such as UNECE WP.29 R155 and ISO/SAE 21434, require cybersecurity to be addressed throughout the vehicle’s entire lifecycle. A key component of the regulation is the establishment of a cybersecurity management system that includes the analysis of threats and risks, the development and implementation of appropriate countermeasures, as well as monitoring and logging to analyze incidents. Additionally, sufficient testing must be performed on the cybersecurity measures implemented to validate the cybersecurity objectives. This includes both functional testing to ensure correct behavior according to a specification, and offensive testing to minimize unidentified vulnerabilities and weaknesses that could be exploited for malicious purposes.
Currently, the automotive industry is faced with the challenge of keeping up with the demands imposed by cybersecurity regulations and standards. Often, cybersecurity issues are discovered late in development due to a lack of integration of cybersecurity testing into existing testing strategies, a lack of guidelines on what and how to test, and a lack of an adequate testing environment . Late results can be very costly and even delay the start of production. Therefore, recently the automotive industry is “shifting left” by integrating cybersecurity aspects into the established testing infrastructure to avoid costs following late results and reduce the costs of additional testing platforms and personnel.
An important milestone to address current cybersecurity challenges is to harmonize the cybersecurity process with the processes of standards such as functional safety (ISO 26262) and (SOTIF ISO 21448) through a risk-based methodology. Therefore, verification and validation activities should be aligned within a holistic testing strategy. From a testing perspective, this means using existing hardware-in-the-loop (HIL) and software-in-the-loop (SIL) platforms to continuously conduct various types of cybersecurity testing during development, e.g. conformity tests (example: Validating TLS-secured Ethernet communication), safety-security dependency testing (example: From HARA and TARA to risk-based safety and dependency testing), interface fuzzing (example: HIL and SIL based fuzzing with PlaxidityX and dSPACE) and penetration testing.
HIL systems are widely used as test platforms in the development cycle of electronic control units (ECUs), especially in the automotive industry where a single vehicle contains dozens of ECUs. As modern vehicles become increasingly software-defined, it is critical to test and validate software as early as possible. As a result, SIL testing becomes more important as it allows the user to test software functionality already without any ECU hardware. Using established HIL and SIL platforms for cybersecurity testing brings numerous technical and operational benefits.
dSPACE and PlaxidityX (formerly Argus Cyber Security) recently joined forces to introduce new cybersecurity test automation capabilities based on dSPACE’s established SCALEXIO HIL and VEOS SIL platforms as well as PlaxidityX Security AutoTester. The joint solution provides ready-to-use fuzzing test cases for commonly used automotive bus and network protocols. Interface fuzzing focuses on the communication interfaces of the system under test and allows you to search for and identify vulnerabilities and weaknesses, such as buffer and integer overflows, dynamic allocation issues, denial of service issues, security and others. Additionally, fuzzing verifies the robustness of target interfaces and provides automatically generated negative test cases when run in a functional test environment.
The basic principle of fuzzing is to provide invalid, unexpected or random data to the system under test (real or virtual ECU) and monitor its response behavior. Importantly, effective fuzzing must be sufficiently protocol aware to be able to successfully transition into the system under test and at the same time carry enough invalid data to detect edge cases. Since fuzzing can be highly automated, it is suitable to serve as an efficient cybersecurity quality gate at different stages of development using HIL and SIL testing platforms. As one of the recommended testing methods mentioned in ISO/SAE 21434, fuzz testing is an important pillar in an overall cybersecurity testing strategy.
By integrating the use of HIL and SIL systems as cybersecurity testing platforms, dSPACE Consulting supports cybersecurity management and the development of test strategies with a holistic approach to achieve process compliance regardless of individual standards. The main focus is a customer-specific solution for the required processes and standards compliance, as well as standards-compliant development and V&V workflows, including corresponding and qualified tool chains. dSPACE consultants are experts in cybersecurity, functional safety, ASPICE and SOTIF projects.
In conclusion, the joint dSPACE and PlaxidityX solution for HIL and SIL-based cybersecurity testing enables test early and often during development using existing functional testing infrastructure and processes. This approach reduces costs related to additional test personnel, simulation hardware and laboratory space, and supports compliance with automotive cybersecurity regulations and standards.
Visit the dSPACE 4500 booth at CES to see the technology in action and learn more here: dSPACE-CES 2025