Safety and Security

Safety by design and security in-depth

A holistic approach to ensure confidentiality, integrity, and availability of connected vehicle data and software.

Schedule Demo
Safety and Security

Protection at every level

Functional Safety Icon
Functional Safety

Built-in redundancy and safety checks to ensure driver safety and vehicle functionality at all times.

Learn More →
Cybersecurity icon
Cybersecurity

Sophisticated, multi-layered security using the latest approaches to quickly identify, stop and mitigate the impact of cyber attacks.

Learn More →
Bootloaders Icons
Data Protection

Data privacy & security is designed into every solution, from in-vehicle software & firmware to encryption in the cloud.

Learn More →
Operation icon
Operations

Operational principles that follow rigorous internal procedures and industry best practices to keep every customer safe & secure.

Learn More →

Functional Safety

ISO 26262 Certified and ASIL-D Rated

The only ISO 26262 certified (by UL) over-the-air software update product with an ASIL-D rating for deploying software and firmware updates to any ECU with safety and confidence.

Vehicle Safe State Checks

Customizable "safe state" checks to ensure road vehicles are in a safe state (not in motion) before and after performing any ECU software updates that could result in a human safety hazard.

Firmware Assurance Checks

Sibros' system ensures only valid versions of OEM signed software or firmware can be installed to mitigate risks of incorrect parameter settings or malware intrusion.

Unprogrammed ECU Checks

Continuous monitoring of ECUs to ensure they are fully and correctly programmed, operating as intended.

Concept Testing

We ensure the functional safety of all new products and concepts with extensive concept testing and analysis prior to customer release.

Cybersecurity

ISO 21434 Certified

As one of the first and only connected vehicle platform providers with ISO 21434 certification, Sibros leads the way in integrating robust cybersecurity practices to ensure the highest levels of safety, security, and customer trust.

ISO 27034 Certified

Sibros has meticulously developed an application security framework that is secure by design and compliant with the stringent security protocols as outlined in ISO 27034.

WP.29 R155 & R156 Compliance

Technology features and mechanisms for Cybersecurity Management Systems (CSMS) and Software Update Management Systems (SUMS) to help OEMs achieve R155 and R156 regulatory compliance.

Learn More →

AIS-189 and AIS-190 Compliance

Technology features and mechanisms for Cybersecurity Management Systems (CSMS) and Software Update Management Systems (SUMS) to help Indian OEMs achieve AIS-189 and AIS-190 regulatory compliance.

Learn More →

IEEE Uptane Cybersecurity Standard

Our systems employ the compromise-resistant Uptane framework, designed to provide multi-layer cybersecurity and threat protection against bad actors for over-the-air software updates in ground vehicles.

Secure Communication

Utilization of HTTPS/MQTTS to ensure secure and reliable data exchange between vehicles and the cloud.

Multiple Signature Points

Approval and authentication of commands and updates to require signature keys across multiple access points and users to prevent tampering and unauthorized usage.

Unique Version Identifiers

All software versions, update packages, system changes, and associated vehicles utilize unique identifiers for consistency, transparency, verification, and traceability.

Full Cyberattack-Type Protection

Sibros’ multi-layer authentication & security approach protects against a multitude of malicious activities such as eavesdropping, drop-request, slow-retrieval, freeze attacks, rollback attacks, and more.

Data Protection

GDPR Compliance

Compliance with user privacy and data rights as outlined in the EU General Data Protection Regulation (GDPR) and other comparable international data protection standards.

CCPA Compliance

Compliance with customer consent and right-to-use requirements for data collection and storage as outlined in the California Consumer Privacy Act.

ISO 27001

Certified for Information Security Management Systems and best practices that safeguard all forms of information and protect the integrity, confidentiality and availability of data.

TISAX

Compliance with the European automotive standard for a consistent approach to enterprise information security systems.

Operations

SOC 2 Type II

Certification by the American Institute of CPAs (AICPA) Systems and Organization Controls (SOC) for internal controls and efficacy of how we safeguard customer data.

ISO 9001:2015

Certified for Quality Management Systems (QMS) and frameworks to continually improve our products and services we deliver to you.

Incident Response & Risk Management

Our dedicated Risk Committee oversees the detection, assessment, and documentation of potential threats per the guidelines outlined in our Incident Response Policy.

Continual Staff Training

Ongoing communication and training is required across the organization on all new operational procedures, obligatory compliance topics and related best practices.

Secure Onboarding & Offboarding

All employees undergo a thorough vetting process, including multiple interviews, a criminal background check, and introductory training. Upon departure, employee access to company systems, services, and applications is immediately disabled.

Global Regulation Compliance

Adherence to international cybersecurity, data protection, and functional safety standards.

UNECE WP.29 Compliant

Out-of-the-box ready with processes and mechanisms to comply with Cybersecurity Management Systems (CSMS) and Software Update Management Systems (SUMS) requirements.

Learn More →

ISO 26262 Certified

One of the only OTA software update products on the market with an ASIL-D functional safety rating, enabling OEMs to confidently and safely manage software and firmware update packages to every ECU across the full vehicle lifecycle.

Learn More →

GDPR Compliant

Compliance with user privacy and data rights as outlined in the EU’sGeneral Data Protection Regulation (GDPR) and other comparable international data protection standards.

Learn More →

CCPA Compliant

Security checks, automotive-grade cybersecurity, and information best practices to ensure CCPA data protection compliance.

Learn More →

Cloud Security & Trust

Sibros solutions have undergone in-depth technical cloud architecture reviews by the world's most reputable cloud providers and utilize the same security principles, practices and technologies trusted by the largest enterprises in the world.

GCP

Google’s time-proven Android Automotive OS, Google apps, and cloud services utilize a multi-layered security defense system including, advanced encryption for data transfer and storage, 24/7 threat detection and response teams, and phishing-resistant security keys.

AWS

Amazon’s suite of native web services, including AWS IoT, Amazon RDS, Amazon S3, and Amazon Kinesis utilize automatic data encryption, network and application security controls, and vulnerability detection and analysis to ensure data privacy and protection.

Global Regulation Compliance

Adherence to international cybersecurity, data protection, and functional safety standards.

UNECE WP.29 Compliant

Out-of-the-box ready with processes and mechanisms to comply with Cybersecurity Management Systems (CSMS) and Software Update Management Systems (SUMS) requirements.

Learn More →

ISO 26262 Certified

One of the only OTA software update products on the market with an ASIL-D functional safety rating, enabling OEMs to confidently and safely manage software and firmware update packages to every ECU across the full vehicle lifecycle.

Learn More →

GDPR Compliant

Compliance with user privacy and data rights as outlined in the EU’sGeneral Data Protection Regulation (GDPR) and other comparable international data protection standards.

Learn More →

CCPA Compliant

Security checks, automotive-grade cybersecurity, and information best practices to ensure CCPA data protection compliance.

Cloud Security & Trust

Sibros solutions have undergone in-depth technical cloud architecture reviews by the world's most reputable cloud providers and utilize the same security principles, practices and technologies trusted by the largest enterprises in the world.

GCP

Google’s time-proven Android Automotive OS, Google apps, and cloud services utilize a multi-layered security defense system including, advanced encryption for data transfer and storage, 24/7 threat detection and response teams, and phishing-resistant security keys.

Learn More →

AWS

Amazon’s suite of native web services, including AWS IoT, Amazon RDS, Amazon S3, and Amazon Kinesis utilize automatic data encryption, network and application security controls, and vulnerability detection and analysis to ensure data privacy and protection.

Learn More →

Vehicle Systems Security

Safe and secure-by-design from the ground up.

Uptane Standard Cybersecurity

Sibros’ Deep Connected Platform utilizes a compromise resistant framework designed to provide automotive-grade OTA cybersecurity and threat protection.

Multiple Signature Points

Approval and authentication of commands and updates require signature keys at multiple access points and users to prevent tampering and unauthorized usage.

Unique Version Identifiers

All software versions, update packages, system changes, and associated vehicles utilize unique identifiers for consistency, transparency, verification, and traceability.

Concept Testing

We ensure the functional safety of all new products and concepts with extensive concept testing and analysis prior to customer release.

Operational Security 

A solution is only as secure as the people behind it.

SOC 2 Type I Certified

Internal procedures and practices in accordance with the five Trust Services Criteria: availability, confidentiality, privacy, security, and processing integrity

(Type II in progress)

ISO 9001:2015 Certified

We utilize established quality management systems to continually improve our products, operations, and customer relations.

Onboarding and Offboarding

All employees undergo a thorough vetting process, including multiple interviews, a criminal background check, and introductory training. Upon departure, employee access to company systems, services, and applications is immediately disabled.

Staff Training

Regular communication and education on new operational security procedures, compliance training, and related best practices.

Incident Response

We have a dedicated Risk Committee that oversees the detection, assessment, and documentation of potential threats per the guidelines outlined in our Incident Response Policy.

FAQ Safety and Security

Ecosystem / Foundation

What are management best practices regarding access to the system? How do we ensure background checks of employees?

All access needs authorization and is granted on a need-to-know basis. All employees are background checked as part of their onboarding process.

What is Sibros’ general security approach?

Sibros follows an approach of security designed from the ground up and built into the DNA of the product. This includes in-vehicle secure communications and secure storage / HSM integrations.

What are Sibros’ security compliance and certifications?

Our solution is assessed to TISAX, SSAE 16/18 SOC 2 Type 2, ISO 26262 (ASIL-D) in place with ISO 27001, ISO 21434, and ISO 24089 in progress. Sibros also addresses and supports security regulations such as UNECE WP.29 R155 and R156, with AIS 189, AIS 190 under review; as well as privacy regulations such as GDPR and CCPA, with Indian DPDP under review.

Privacy by Design

Is Sibros a data controller or a data processor in the framework of the GDPR?

Sibros acts as a data processor. The OEM is the data controller.

What happens when changes are made?

All changes for cloud and firmware are reviewed.

What is the coverage for incidents?

Sibros has a very well defined incident management process, and security incident management and breach response processes.

How are vulnerabilities assessed?

With the following reviews and assessments: 

  • Components vulnerability review (firmware and cloud software)
  • Cloud infrastructure vulnerability review (cloud software)
  • OWASP IOT ASVS assessment (firmware)
  • Cloud posture assessments
  • AWS GuardDuty, GCP SCC, and other cloud threat assessment tooling
What security/function is implemented inside the target ECU or client?

Support for 0x27 and key exchange, secure storage and symmetric key handling to be determined by target ECU.

How is data in transit secured?

The following are used: 

  • MQTT(s) over Mutual TLS 
  • HTTPS over TLS
What is the Sibros Armor framework?

Sibros Armor includes the following checks and failsafes: 

  • 2-way authentication of communication between vehicle and cloud
  • Device provisioning framework incorporating secure integrations with manufacturing 
  • DeviceID and Vehicle Identification (VIN) with a data abstraction framework that incorporates Privacy by Design
  • Role-based Access Control (RBAC)
  • Approval workflow for deployments and changes for systems
  • SSO and MFA for user authentication
  • In-vehicle secure communications
  • Secure storage / HSM integrations
How does Sibros link devices and data?

Sibros primarily uses a Globally Unique Identifier (GUID) to create a link between device identification information such as Vehicle Identification Number (VIN) / Electronic Serial Number (ESN) and the data collected by Deep Logger, Deep Updater, and Deep Commander.

Deep Logger

How could a breach affect Deep Logger and Deep Commander and what preventive measures has Sibros taken?

Security is designed into the solution. Additionally, it is assessed to TISAX, SSAE 16/18 SOC 2 Type 2, ISO 26262 in place with ISO 27001, ISO 21434, and ISO 24089 in progress.

Could an infected ECU use Deep Logger to send attacks to the cloud? If so, what has been done to mitigate this risk?

Log files are archived and optionally compressed. They are also handled securely and not directly uploaded into the system. The only reference information is in the system, and the S3 bucket is only used for storage of files that are uploaded as GUID’s (Globally Unique Identifiers).

Deep Updater

Examples of automotive cybersecurity incidents that can be mitigated using Sibros’ OTA solution?
  • Drop request: Attacks that block network traffic (in-vehicle or outside) to prevent vehicles from updating software
  • Eavesdrop: Attacks that listen to network traffic to reverse-engineer ECU firmware.
  • Freeze attack: Indefinitely sends an ECU the last known update, even if there may be newer updates on the repository.
  • Mixed-bundles: Attackers force ECUs to install incompatible software updates to cause ECU interoperability failure.
  • Slow-retrieval: Slows down delivery of ECU updates so that a known security vulnerability can be exploited.
  • Partial-bundle: Causes some ECUs to not install the latest updates by dropping traffic to these ECUs.
  • Rollback: Causes an ECU to install outdated software with known vulnerabilities. 
  • Arbitrary software: Attackers use compromised repository keys to release an arbitrary combination of new images to cause ECUs to fail.
  • Mix-and-match: Most severe of all attacks installing arbitrary software on ECU to modify vehicle performance.
What are the differences between OTA systems with or without Uptane?

Uptane is the first security framework for automotive OTA updates that provides serious compromise resilience, meaning that it can withstand attacks on servers, networks, keys, or devices. The differences are as follows:

  • A single server that is compromised cannot compromise more of the system.
  • It is possible to recover from a single key compromise.
  • The complete vehicle IP address is not readily accessible.
  • Network security is not the only security control.
  • Delivery authenticity is validated separately from firmware authenticity.
  • Vehicle manifest and vehicle component authenticity are validated.
  • Component and ECU rollback and replacement attacks are easily detected and remediated.
What are the security considerations/measures when integrating Deep Updater in the TCU (external communication device)?

The following measures are taken:

  • Device provisioning
  • HSM integration
  • In-vehicle secure communications 
  • Provisioning of EOL integrations and device provisioning 
  • Uptane keys and component replacements

Cloud

How can it be ensured that the cloud side is not compromised via API, login, etc.? What best practices are implemented?

The following measures and practices are implemented:

  • Access is restricted to authorized personnel; SSO and MFA are enforced.
  • Access is monitored with alerts triggered for unauthorized access.
  • Keys are segregated and signatures are firmware validated.
  • Mutual Transport Layer Security (TLS) with certificate for all command and control processes is used.
  • Permitted actions and values are configured via protobuf, which is controlled and managed with approvals.
What validations for cloud security are in place?

The following are used: 

  • Static analysis of code (SAST)
  • Secrets review 
  • Dependency checking (vulnerability assessments)
  • OWASP Top 10 
  • OWASP API Top 10
  • OWASP IOT ASVS
  • CI/CD review of SBOM
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
DenyAccept
Products
Solutions
Company
Resources
Ready to Get Started?
Book Demo
Contact Us
Copyright @ 2024 Sibros Technologies Inc.
All Rights Reserved.
Get Connected