Cybersecurity for External Human-Machine-Interfaces of Autonomous Vehicles

April 24, 2025 – Reading time: 6 minutes

As part of the SALSA (Smart, Adaptive and Learnable Systems for All) research project, we carried out a detailed Threat Analysis and Risk Assessment (TARA) in accordance with the ISO/SAE 21434 standard to ensure cybersecurity in autonomous vehicles with eHMI (external Human Machine Interface) from the ground up. This procedure ensures that security aspects are already taken into account in the design phase, which is essential for the development of trustworthy and safe autonomous vehicles.

Importance of cybersecurity in the autonomous vehicles sector

As vehicles become increasingly connected and automated, their vulnerability to cyberattacks increases exponentially. Autonomous vehicles are highly complex cyber-physical systems based on a large number of sensors, electronic control units (ECUs) and communication interfaces. A successful cyberattack could not only compromise the confidentiality of data, but also compromise the integrity and availability of critical vehicle systems, which would have serious consequences for the safety of passengers and other road users.

In the context of SALSA, which aims to increase the safety and acceptance of automated vehicles with eHMI systems in complex mixed traffic, cyber security plays a key role. The implementation of security-by-design principles ensures that these systems are not only functional, but also resilient to potential threats. This promotes user confidence in the technology and contributes significantly to overall traffic safety.

Implementation of TARA according to ISO/SAE 21434

In order to meet the defined security requirements, we have carried out a TARA in accordance with the ISO/SAE 21434 standard. This standard provides a structured framework for the assessment of cyber risks in the automotive industry. A TARA comprises several essential steps:

Identification of assets: Determination of all eHMI components and data within the vehicle system that are critical for functionality and safety. This includes the analysis of cybersecurity properties such as confidentiality, integrity, availability, authenticity and authorization.
Impact rating: Analysis of the potential consequences that a compromise of these assets could have on various stakeholders, including aspects such as functional security, financial losses, operational security and data protection. Damage scenarios are developed to show the potential impact.
Identification of threat scenarios (threat scenario identification): Identification of possible attack scenarios that could jeopardize the integrity, confidentiality or availability of the identified assets. This includes analyzing potential attack vectors and methods.
Analysis of the attack paths (Attack Path Analysis): Investigation of the possible paths an attacker could use to realize the identified threat scenarios. This includes the consideration of attack paths and the assessment of their feasibility
Evaluation of attack probabilities (attack feasibility rating): Assessment of the likelihood that an identified threat scenario can be successfully exploited by an attacker, based on factors such as required resources, knowledge and access options.
Risk Determination: Combination of the results from Impact Rating and Attack Feasibility Rating to determine the risk value for each threat scenario. This serves as the basis for prioritizing countermeasures.
Risk treatment (risk treatment decision): Development and implementation of security controls and measures to mitigate or effectively eliminate identified risks completely. This can include technical measures, organizational processes or a combination of both.

It should be noted that although this TARA has gone through all the necessary steps in accordance with ISO/SAE 21434, it is an orientation analysis. It serves as a basis and guide to identify potential threats and vulnerabilities in the early stages of development, but does not represent a final security concept. Instead, the TARA forms a solid basis on which a detailed risk analysis for the specific system design can be built.
This approach allows potential security vulnerabilities to be identified at an early stage and appropriate countermeasures to be planned, which then need to be further refined and adapted in later design phases. As a result, the cybersecurity strategy remains flexible and adaptable to the requirements of the specific system design.

Contribution to the overall objectives of SALSA

The TARA we carried out makes a significant contribution to achieving SALSA’s overarching project objectives:

Increasing safety in mixed traffic: By identifying and securing potential weak points in the eHMI system, we ensure that autonomous vehicles interact reliably and safely with other road users.
Increasing the acceptance of automated driving functions: A high level of cybersecurity strengthens user confidence in the technology, which is crucial for the broad acceptance of autonomous vehicles.
Holistic approach: Taking security aspects into account early on in the design process enables us to respond proactively to potential threats and thus improve the overall quality and security of eHMI systems.

Relevance of cybersecurity in the context of SALSA

Addressing the topic of cybersecurity within the framework of SALSA is of central importance for several reasons:

Complexity of mixed traffic: In scenarios where misunderstandings in mixed traffic can lead to potentially fatal accidents, it is essential to ensure the integrity and reliability of the communication systems, especially the eHMI system.
Innovative vehicle functions: SALSA develops new technologies and concepts for automated driving. The introduction of such innovations, such as the eHMI system, requires a thorough safety assessment in order to identify and address potential risks at an early stage.
Responsibility towards users and society: As developers of autonomous vehicle systems, we have a responsibility to protect our technologies against misuse and attacks