About the Customer:
Our customer is a leading automotive OEM with a keen eye on integrating efficient cybersecurity solutions to access restricted features of their Electronic Control Units (ECUs).
Business challenge:
Security tokens play a critical role in controlled access to sensitive ECU functionalities. ECUs implement advanced protections such as software integrity verification, intrusion detection & protection mechanisms. While essential for system security, these measures can hinder development tasks like system-level testing, debugging, or in-depth analysis of field-returned units.
To bypass such restrictions without compromising system integrity, authorized engineers require cryptographically signed tokens that temporarily unlock specific ECU functions. Therefore, the token generation process must be secure, verifiable, and traceable.
The customer faced growing inefficiencies and risks with their existing process of generating and distributing security tokens via email. Their manual generation and distribution process introduced bottlenecks, increased the risk of unauthorized access, and lacked sufficient traceability.
Embitel Solution:
To address the customer’s need for secure and scalable token management, our cybersecurity experts at diconium Germany developed a web-based PKI-as-a-Service platform.
During the strategy meeting, the team decided to target the following core areas to ensure efficient and traceable token generation:
- Secure Infrastructure
- Security & Access Control Mechanisms
- Operational Transparency & Traceability
- Monitoring, Compliance, and Support
The following measures and features were integrated into the PKI solution to strengthen core areas
- Role-Based Access Control: Access is tightly controlled through well-defined roles and permissions, aligned with each user’s job function, to enforce the principle of least privilege.
- Secure PKI Infrastructure: The solution’s infrastructure uses a combination of cloud-based and physical Hardware Security Modules (HSMs) to safeguard cryptographic keys and ensure secure digital signing.
- Mutual Authentication: To prevent impersonation and unauthorized access, both the user and the server must verify each other’s identity before any transaction can take place.
- Web-Based Token Generation Interface (GUI): Authorized users interact with a secure web portal that allows them to request and download tokens based on their access level and assigned responsibilities.
- Backend Token Signing System: A dedicated backend engine handles the generation and signing of security tokens.
- Audit Logging & End-to-End Traceability: Every token transaction is logged with complete metadata. This includes who initiated it, what it was for, when it happened, and which ECU it applied to. This enables full transparency and support for security audits.
- High Availability & Scalability: The architecture is designed to allow the system to serve teams working on different ECU types across multiple geographies without disruption.
- Monitoring & Incident Response: Continuous monitoring tools and incident response protocols are in place to quickly detect, investigate, and respond to any suspicious activities or system anomalies.
- Regular Security Assessments: The solution undergoes routine penetration testing and vulnerability scans.
- PKI Infrastructure Audits: Continuous system audits ensure that key management processes, certificate lifecycles, and system configurations comply with best practices and security standards.
- Responsive Support Framework: A dedicated support team is available to assist with onboarding and to troubleshoot issues. They also ensure that the service runs smoothly for users around the globe.
Embitel Impact:
The PKI solution delivered the following measurable improvements:
- Over 20,000 tokens securely generated, eliminating the need for manual email-based processes.
- Complete visibility and traceability across token issuance workflows, ensuring compliance with security protocols and audit requirements.
- Faster access for engineering teams, enabling secure and immediate interaction with ECUs during testing, debugging, and field return analysis.
- Deployed across five countries, supporting global teams with a consistent, centralized infrastructure.
- Scalable support for multiple ECU types, making the platform adaptable across current and future vehicle architectures.
Tools and Technologies:
Backend technologies
- Python
- PostgreSQL
- FastAPI
- REST API
- SQLAlchemy
Frontend technologies
- TypeScript
- React
- ESLint
- NPM
DevOps and Infrastructure
- Microsoft Azure
- Kubernetes
- Docker
- Github workflows
- mTLS
- 1Password
Vulnerability Management
- SonarCube
- BlackDuck
- Dependabot
Hardware
- On-prem Hardware Security Module
QA and Testing
- Pytest
- Cypress
- Chromatic
