Safety vs Security – in regulatory compliance, who wins? And do we need a winner?
Vehicles are becoming more complex, more software-driven, and more autonomous. Many of these changes make our cars safer and more comfortable. But what happens when safety and security regulations conflict?
Let’s talk
We at Humaxa are planning to speak about this topic at the AutoTech Conference (AutoTech 2025) in Novi, MI in June. I’d love to hear your thoughts about this topic.
What can go wrong
Let’s look at CAN bus vulnerabilities. The Controller Area Network (CAN) bus, a standard protocol for vehicle communication, lacks built-in security features like encryption and authentication. This design choice, made to ensure real-time performance and reliability for safety-critical functions, has been exploited in various attacks. For instance, attackers have used CAN injection techniques to disable safety features such as airbags and anti-lock brakes without detection. These vulnerabilities stem from the protocol’s original focus on safety and efficiency over security.
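To make the trade-off concrete, here is an added example (not code from Humaxa or from any vehicle platform) of what retrofitting authentication onto a classic 8-byte CAN payload looks like: a truncated MAC plus a freshness counter that the receiver checks before acting on a frame. The key, the CAN ID, the frame layout and the use of HMAC-SHA-256 are all assumptions chosen for illustration. Note that half of the payload is spent on security, which is exactly the kind of cost a safety engineer will push back on.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"      # constructed; a real ECU would hold keys in protected storage
MAC_LEN, CTR_LEN = 3, 1            # assumed layout: 3-byte truncated MAC, 1-byte counter low byte
DATA_LEN = 8 - MAC_LEN - CTR_LEN   # classic CAN carries at most 8 payload bytes, so 4 remain for data

def _mac(can_id: int, data: bytes, counter: int) -> bytes:
    # The MAC covers the CAN ID and the full counter, so a captured frame
    # cannot be replayed later or re-sent under a different ID.
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN]

def protect(can_id: int, data: bytes, counter: int) -> bytes:
    """Sender side: payload = data | counter low byte | truncated MAC."""
    if len(data) != DATA_LEN:
        raise ValueError(f"data must be {DATA_LEN} bytes")
    return data + bytes([counter & 0xFF]) + _mac(can_id, data, counter)

class Receiver:
    def __init__(self):
        self.last = {}  # CAN ID -> last accepted full counter

    def verify(self, can_id: int, payload: bytes):
        """Return the data bytes if the frame is authentic and fresh, else None."""
        if len(payload) != 8:
            return None
        data, lsb, tag = payload[:DATA_LEN], payload[DATA_LEN], payload[DATA_LEN + 1:]
        nxt = self.last.get(can_id, -1) + 1
        # Rebuild the full counter as the smallest value >= nxt with this low
        # byte, so up to 255 dropped frames are tolerated without a resync.
        counter = nxt + ((lsb - nxt) & 0xFF)
        if not hmac.compare_digest(tag, _mac(can_id, data, counter)):
            return None
        self.last[can_id] = counter
        return data

def demo():
    brake_id = 0x220  # constructed CAN ID
    rx = Receiver()
    f0 = protect(brake_id, b"\x00\x10\x00\x00", 0)
    f1 = protect(brake_id, b"\x00\x20\x00\x00", 1)
    injected = b"\x00\x00\x00\x00\x01\xde\xad\xbe"  # constructed frame built without the key
    return [rx.verify(brake_id, f0), rx.verify(brake_id, injected),
            rx.verify(brake_id, f0), rx.verify(brake_id, f1),
            rx.verify(brake_id + 1, f1)]
```

In `demo()`, only the two genuine frames are accepted; the frame built without the key, the replay of the first frame, and the genuine frame re-sent under a different ID are all rejected.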
Avoiding conflicts
When vehicles or parts are designed, how do engineers make sure they are following both safety AND security standards? And what should engineers do when the two conflict?
In July of 2015, two security researchers demonstrated the ability to remotely control a particular SUV’s critical functions, including steering and braking, by exploiting vulnerabilities in the vehicle’s infotainment system. Everyone loves having a sophisticated infotainment system, but one can wonder… at what cost to safety? This “hack” was possible due to the lack of authentication and encryption in the vehicle’s CAN bus communication protocol, which was originally designed with safety and efficiency in mind, not security. The incident led to a recall of 1.4 million vehicles. The cost of this recall was thought to be between $50 million and $100 million USD.
Prevention is the best medicine
But how do you prevent such incidents from happening?
Shift left
For starters, manufacturers can implement a multi-layered, proactive approach that tightly integrates security and safety into the entire automotive development lifecycle. Some call this technique “shift left.” What can – and should – be done?
- Start security early in concept and design phases—not just at the end. For example, you can incorporate cybersecurity in the earliest product planning phase while defining the boundaries, functions, and context of the item or system. Make sure to include potential threat surfaces and connectivity vectors (e.g., CAN, Ethernet, Bluetooth, LTE) when describing the item. This allows early risk evaluation before requirements are locked.
- Integrate cybersecurity requirements into safety-critical systems (brakes, steering, powertrain). Threat modeling early in the process can help identify how security threats could lead to safety hazards, like an attacker spoofing LiDAR sensor data that leads to incorrect emergency braking.
- Utilize an AI-powered regulatory and compliance platform (like Humaxa’s) that’s well-trained on both security and safety standards to look for conflicts. Ideally, this system would also be trained on the manufacturer’s internal specifications to look for similarities and potential problems.
AI to the rescue
AI is a fantastic tool to look for potential problems that haven’t even happened yet; it’s part of why computer programs are so good at chess. They can instantly look hundreds of moves ahead – whether it’s part of a game, or part of designing a secure, safe part or vehicle.
What are you doing to avoid safety vs. security issues?
Are you ready to try AI to avoid safety vs security conflicts?
Reach out to us now and take the first step towards transforming your compliance strategy.