A Systematic Review on Security Attacks and Countermeasures in Automotive Ethernet

In the past years, the automotive industry has experienced a technological revolution driven by the increasing demand of connectivity and data to develop driver-assistance systems and autonomous vehicles, and improve the mobility experience. To provide higher bandwidth in in-vehicle communication networks, carmakers are choosing Ethernet technology, which becomes Automotive Ethernet (AE) when applied in in-vehicle communication networks. However, with the rise of vehicle connectivity, the cybersecurity of vehicle systems has become a primary concern for the automotive industry. To address this issue, we conducted a systematic review, deeply analyzing the impact of AE on security and safety, and comparing it with the current in-vehicle communication solutions like Controller Area Network protocol. We retrieved the key security attacks and mitigations proposed in the current literature to highlight their significance, including a mapping between the regulation UNECE WP.29 R155 and the retrieved answers. We found that the industry has only implemented some automotive-dedicated Ethernet solutions to date. In the near future, the vehicle and road ecosystems may require more exclusive automotive solutions to meet specific constraints such as low latency. Our results can provide a comprehensive baseline, both for industry and academia, for the current and future development of AE.


INTRODUCTION
In recent years, the automotive industry has undergone several revolutions to reduce vehicular pollution, enhance road safety, and provide a more comfortable driving experience for users.With the introduction of new technologies like electric engines and advanced driver assistance systems for autonomous driving, road vehicles are rapidly changing.To provide a significant network bandwidth, the industry is adopting Automotive Ethernet (AE) technology for In-Vehicle Networking (IVN) communications.Some of the most significant automotive revolutions in recent years are the offer of different vehicle features and the introduction of autonomous vehicles, which have led to an increase in the adoption of AE.The standard SAE J3061 [ 132 ] defines levels of driving automation with a scale from 0 to 5, where levels 4 and 5 indicate that the driver is no longer driving.In 2021, Honda became the first carmaker to sell its model Legend equipped with certified level 3 self-driving technology in Japan.The introduction of autonomous vehicles has resulted in the generation of vast amounts of data that can be called Vehicular Big Data .According to IBM, Big Data can be defined as follows: "Data sets whose size or type is beyond the ability of traditional relational databases to capture, manage and process the data with low latency.Characteristics of Big Data include high volume, high velocity and high variety" [ 61 ].In our vehicle context, data come from different sources (e.g., sensors or cameras) and have to be processed considering latency, especially for safety-related data.Following the definition, AE can be designed to address the three Vs (Volume, Velocity, Variety) [ 120 ].For this reason, to ensure the in-vehicle communication of Big Data, carmakers are largely adopting Ethernet technologies in IVN, borrowed from computer networking and industrial environments.For instance, the OPEN Alliance [ 140 ], a non-profit open industry alliance of some of the most important automotive-related industries, is setting industry standards for Ethernet connectivity and facilitating the transition from various closed applications to an open and scalable network based on Ethernet.
Ethernet provides the necessary bandwidth (up to 10 Gbit/s in its version 10GBASE-T1 [ 65 ]) to transfer larger amounts of data in the IVN backbone or in specific IVN domains than current IVN technologies like the Controller Area Network (CAN) , even in its CAN XL version (up to 20 Mbit/s) [ 16 ] or Local Interconnect Network (LIN) , cannot assure.However, the different protocols (CAN, LIN, AE) could work together in the same IVN according to the requirements of each IVN domain.Besides, Ethernet is currently the most applied technology in private and industrial wired networks, and has been extensively defined in the IEEE 802.3 [ 62 ] standards since 1983.The widespread adoption of Ethernet in other industries has made it a natural choice for IVN communications in the automotive.This technology ensures reliable and efficient communication in the vehicle, crucial for the advancement of autonomous vehicles.The standardization of Ethernet in IEEE 802.3 provides a common language for the automotive industry to communicate and ensure the reliability and efficiency of communication networks.To define AE, in this Systematic Review (SR) , we decide to adopt the definitions in the work of Matheus and Königseder [ 110 ], which clearly explains that the focus of AE is the IVN and that the automotive industry would like to reuse the existing technology, over all protocol layers.For this reason, it is not possible to limit the explanations to just the first two OSI (Open Systems Interconnection) layers, the physical and data link, that the Standard Ethernet (SE) usually covers, but, instead, "AE covers all layers of the OSI layering model."Therefore, AE can be defined as a protocol stack of Ethernet-based communications to assure an adequate data transfer rate in an IVN.The use of Ethernet in vehicles has introduced security issues similar to those found in computer and industrial applications.Vehicle cybersecurity has become increasingly important in recent years due to the rise of connections and vehicle attacks, such as the first well-known 2014 Jeep attack by Charlie Miller and Chris Valasek [ 29 ] or the vulnerabilities discovered by a German teen in 2023 in an app installed in some Tesla models [ 111 ].This context has led to the development of dedicated standards and regulations, such as ISO/SAE 21434 [ 69 ] and UNECE WP.29 R155/156 [ 152 , 153 ], both released in 2021.
New technologies in the automotive industry can have a significant impact on safety since they can directly affect the lives of drivers, passengers, and other road users.Security and safety in vehicles are closely linked, and a security threat can have an impact on safety as well [ 32 ].In our work, although we focus on security aspects, we also consider the potential safety consequences of attacks and the mitigations required to address them.Therefore, a review of the current State of the Art (SOTA) of Ethernet in automotive environments, with a focus on security and safety, can provide valuable insights for researchers and engineers.
As a result of our SR, AE can be considered at an early stage of implementation, inheriting both the technologies and vulnerabilities of SE.For example, AE can be subjected to a wide range of attacks, including Denial of Service (DoS) [ 35 , 73 , 147 ] and the Replay [ 108 , 129 , 169 ], which were the most commonly identified in our SR.At the same time, a wide range of mitigations are proposed like firewalls [ 13 , 73 , 107 ] or Intrusion Detection System (IDS) [ 47 , 73 , 131 ].However, we noticed that all of the proposed solutions, except for Secure Onboard Communication (SecOC) , are inherited from SE, and no new ad-hoc security solutions have been proposed for AE.In our third research question, we analyze the impact of security solutions on safety and identified the potential consequences-in particular, the latency could be an issue in safety-critical systems.The findings also suggest a collective work, involving all automotive stakeholders like in the OPEN Alliance [ 140 ], to provide AE-dedicated solutions for automotive to increase cybersecurity, without compromising safety, and keep the necessary bandwidth.To conclude, AE's widespread usage across automotive applications can have several advantages.To assure vehicle security, a comprehensive grasp of the technology, as well as a wealth of components, software, tools, and design resources, is readily available, which can accelerate the design process and lowers costs in the automotive processes.

Structure of the Article
In our SR, we identify and describe AE vulnerabilities and mitigations through four research questions.Then, we study the impact that the introduction of security solutions may have on safety aspects, and, finally, we analyze whether AE contributes to add more security than the current IVN protocols.In particular, our SR can be divided into four main sections: -The first is Section 2 , which serves as the framework for describing the needed background.
-The second is Section 3 , which contains all the different phases of the SR: Section 3.1 with the research questions, Section 3.2 with inclusion/exclusion criteria, Section 3.3 with the description and the results of the reading process, and Section 3.4 with the answers to the research questions.-The third is Section 4 , which contains three deep discussion on AE topics starting from the findings of the SR: in Section 4.1 , we discuss the current usage of AE and possible improvements that the solution retrieved in our SR can bring; in Section 4.2 , we categorize and compare the retrieved articles; in Section 4.3 , we map the retrieved possible security attacks with the retrieved mitigations; and, finally, in Section 4.4 , we map the UNECE WP.29 R155 attack/mitigations with our AE findings to define if there is a correspondence between UNECE WP.29 R155 and AE literature.-The fourth is Section 5 , where we discuss some open issues and propose possible future AE research.

Related Works
AE is a relatively new topic, so the main related reviews for the SR are two surveys respectively dated 2019 and 2022.The first was published by Van Cleave [ 78 ], and it provides an overview of AE, the possible implementations, and a description of other existing protocols.Concerning this work, our SR is a more detailed survey with a specific focus on security, whereas in Van Cleave's article, this topic is not addressed.The second survey [ 35 ] focuses on real-time AE protocols, particularly the modeling from Audio Video Bridging (AVB) to Time-Sensitive Networking (TSN) .
They propose a complete survey on TSN, but they addressed only this protocol, whereas in our work, we discuss the security aspects of a complete AE protocol stack.However, the contributions and studies that describe AE security solutions and implementations are relevant, especially in the past few years.The main source to retrieve information on AE is the book by Matheus and Königseder [ 110 ], which can be considered the most complete guide to AE to date.In particular, they describe in detail AE layers, the application context, and possible security problems.This book is a technical description of any aspect of AE, whereas our contribution is an objective SOTA, which provides answers to significant security aspects of AE and that can be seen as a more comprehensive collection of solutions retrieved in the available literature.Typically, the other work focuses on just one layer or protocol of AE.For example, Zhang et al. [ 166 ] and Donahue [ 40 ] describe solutions for the physical layer, and Carnevale et al. [ 25 ] focus on Message Authentication Code (MAC) solutions for data link layer.Other studies describe security solutions for the upper layers.For instance, Alkhatib et al. [ 6 ] describe an anomaly detection system for AVB, whereas Alkhatib et al. [ 5 ], in a different work, and Zelle et al. [ 164 ] propose security solutions for SOME/IP (Scalable-Oriented MiddlewarE over IP) protocol.Other related works, focused on specific aspects or layers of AE, are the articles retrieved in the next sections for the SR.

Motivations and Contributions
AE can be considered an emerging solution to manage Big Data in IVN.Today, it is usually applied inside the vehicle in some specific network areas like the backbone or the infotainment domain.Similar to Tesla's implementation in the Model 3 and S, several vehicle manufacturers are already incorporating AE technology to varying degrees into their products [ 22 , 135 , 159 ].AE is being used to interconnect different domains while replacing CAN as the backbone technology.Another common application is connecting infotainment components where Media-Oriented Systems Transport (MOST) has been used in previous-generation vehicles.Additionally, AE is used in diagnostic ports as well as connecting sensors that require high-bandwidth communication like high-resolution cameras.Regarding the various applications of AE, it is used to transfer every type of data from multimedia and diagnostic messages to safety-critical data like sensor and actor information which are transferred between domain controllers.However, to the best of our knowledge, AE seems to be still understudied, and there is a lack of contributions that summarize the SOTA and fully answer some important open questions like possible security and safety threats.
In this context, we decide to conduct an SR to provide an overview for AE stakeholders to develop an Ethernet technology that can address the specific automotive requirements.We choose the SR format because the systematic approach allows us to reduce the likelihood of bias and to identify a complete objective body of knowledge on AE.Following recommendations of Booth [ 15 ], we perform an SR, which has to be explicit, transparent, objective, structured, and reproducible with also the possibility to include research findings and recommendations for future research.Our work is a starting point for the development of an automotive-oriented Ethernet and not only an inheritance from other industrial applications.With this SR, we provide an objective and trustworthy overview of AE security aspects.From an industrial point of view, the AE stakeholders, which can be the carmakers and their suppliers, can find in Section 4.4 , a mapping among the regulation UNECE WP.29 R155, mandatory for new vehicles from July 2022, and the AE security vulnerabilities and mitigations that the literature identifies.Besides, the stakeholders can find in Section 3.4.1 a list of possible security threats, which they can consider in their risk assessment.In Section 3.4.1 , they can retrieve some possible mitigations to implement, and in Section 3.4.1 some consequences of security solutions on safety.From a research point of view, our work is a landmark that summarizes the contribution of AE in the past 20 years, and it can be used to identify future research lines.

OSI MODEL AND AUTOMOTI VE I VN PROTOCOLS
As stated in the work of Matheus and Königseder [ 110 ], SE technology was invented in 1973 and patented in 1975, whereas in 1983, IEEE started its definition with the 802.3 standards.Actually, Ethernet can be considered the most applied wired networking technology in computer networks.During its relatively long history, Ethernet has also become attractive for other fields of application like industry or avionics for its relatively low cost, flexibility, and relative significant bandwidth.The IEEE 802.3 standards can be considered the most significant documents to define Ethernet, and they mainly define the physical and data link layers of the OSI model, so SE can be mainly considered a layer 2 technology to enable the wired transport of data.
In our work, as defined by Matheus and Königseder [ 110 ], the ISO/OSI model seems to be the best choice to represent and describe AE.Unlike the TCP/IP model, ISO/OSI takes a vertical approach and offers a clear distinction between interfaces, services, and protocols.This allows us to distinguish between data link and physical layers and to identify some protocols like SOME/IP-SD and Message Queuing Telemetry Transport (MQTT) specifically at layers 6 and 7, which would not be possible with TCP/IP.Although TCP/IP is the most widely used model for describing SE and Internet communications today, we chose to take a more theoretical and detailed approach using the ISO/OSI model in our work on AE as suggested by Matheus and Königseder [ 110 ].The OSI model is a conceptual model to describe the communications of a computing system over a network.The definition of the standard starts in the 1970s and it brings to the definition of the model in 1984 with ISO 7498, then revised in 1994 [ 68 ].The model is composed of seven stacked layers, and each layer provides services to the layer above it and is served by the layer below it.As reported in Figure 1 , from the bottom, the first three layers can be considered the network layers, which transmit data and structure multi-node networks.The other four layers are the host layers, which manage the transmission, communication sessions, translate data, and, with the last layer, interact directly with the software application.Each layer is self-contained and has a suite of protocols that can be used according to the application scenario.The main advantages of the OSI model are that each layer has a specific function in the network communication, so it reduces the complexity, and it enables the standardization of the communications interface.
In the automotive sector, the OSI model could be seen as a relevant description of the communication stack to define not only the structure but also the security, identifying the used protocols and their layers.Figure 1 reports the current schema with the protocols used in today's vehicles.In particular, the protocols are reported for each layer, which sometimes, as with MOST, cannot only be assigned to one layer but extend over several layers.Actually, in the automotive sector, the most applied protocols like CAN or LIN work in the network layers, whereas fewer protocols are defined for the host layers.
The current automotive protocols have been developed in the past decades to satisfy the carmakers' requirements, which are often flexibility and low cost.Besides, all the protocols were created in a period like 20 years ago, when vehicle security was not necessary and considered due to the lack of vehicles' connection.Another relevant aspect, which is one of the main motivations for the introduction of AE, is the protocol bandwidth.In particular, current protocols have a low bit rate to answer to the demand for data.For example, CAN-FD, which is an extension of the original CAN, has a bit rate up to 10 Mbit/s [ 4 ] and CAN-XL, another extension, up to 20 Mbit/s [ 16 ].MOST is a high-speed protocol that can reach in its MOST150 configuration the 150 Mbit/s.However, AE can offer higher bandwidth than most of the current protocols, reaching in its physical 1000BASE-T1 configuration the bit rate of 1 Gbit/s and with other under-development configurations 10 Gbit/s [ 65 ].AE can be considered a particular application of Ethernet, and it has grown in the past years alongside the increasing request for bandwidth for IVN.However, Ethernet does not provide any confidentiality of the messages, so without, for example, a MACsec or any high-level confidentiality solution, it could be vulnerable to sniffing attacks.
As stated in the work of Matheus and Königseder [ 110 ], it is not possible to limit the explanations of AE to just the physical and the data link layer, even if IEEE 802.3 mainly deals with these layers.AE covers all layers of the OSI layering model.At the physical layer, AE is implemented with various PHY solutions like 100BASE-T1, 1000BASE-T1, or 10GBASE-T1.At level 2, we have the Ethernet MAC with the possibility to create VLAN (IEEE 802.1Q).At network level 3 and transport layer 4, we respectively have the usual IP and TCP/UDP protocols.The most significant improvements of AE are at the last three ISO/OSI layers where different application protocols like DoIP, Data Distribution Service (DDS) , or SOME/IP are designed and modified specifically for IVN.For example, DoIP is an automotive diagnostics protocol based on IP, so it enables communications directly between the vehicle and the Internet for diagnostic purposes.Furthermore, MQTT, a lightweight messaging protocol commonly employed on the Internet of Things (IoT), can also be effectively utilized for Vehicle-to-Infrastructure communications.AE eases the connections between the vehicle and the external networks, but it also increases the attack surfaces of the vehicle, inheriting all the vulnerabilities of the SE.Currently, AE has been implemented mainly for the backbone of the IVN.Each domain like chassis or the infotainment communicates internally with its protocol (e.g., CAN, LIN, MOST), and then, to communicate to the others vehicle domains or the external nodes, the message is translated and routed in an Ethernet backbone.This solution enables a higher bandwidth and easy communications with the Internet.Besides, AE can also be applied in some single domains like infotainment where a large quantity of data is transmitted.

SR FRAMEWORK AND WORKFLOW
This SR follows the workflow and the recommendations of the book of Booth et al. [ 15 ] to formulate the questions and to retrieve the articles for the analysis.We apply the SALSA (Search, AppraisaL, Synthesis, and Analysis) method [ 46 ] with only a few changes for our context (Table 1 ). Figure 2 reports our workflow detailing every phase of the SALSA framework and our operations in each phase: the input of the workflow is the set of the research questions, and the outputs are the retrieved answers.At the top, we show the database sources where we search for the articles with our query.Then, the folded article icons represent the number of resulting articles from each operation.In the middle of the workflow, we perform the selection process, applying the inclusion/exclusion criteria to find the in-topic articles, and then we start the reading phase to retrieve the answers.The last phase at the bottom is the analysis to transform the answers into readable information and informative graphs.

Search Process
The search procedure is made of the definition of the Research Questions (RQs) (Section 3.1.1), the query (Section 3.1.2), the primary and secondary sources (Section 3.1.3), the selection process (Section 3.1.4), and the article extraction (Sections 3.2.1 , 3.2.2, and 3.2.3 ).

Research Questions.
The main target of our SR is to provide a clear and complete description of AE security and safety, and whether AE can be considered more secure than the existing IVN protocols.For these reasons, we formulate four main RQs, following the same sequential schema of Annex 5 of UNECE WP.29 R155 [ 153 ], the automotive regulation released in 2021 by the United Nations Economic Commission for Europe (UNECE) , which reports a list of threats and corresponding mitigations.
We report the RQs with the three main topics that they address: security, safety, and comparison.Security RQ1: In in-vehicle communications, which are the AE cyberattacks (remote and physical) considered in the proposal?RQ2: In in-vehicle communications, is the proposal presenting AE countermeasures to mitigate security vulnerabilities?Safety RQ3: In in-vehicle communications, how is safety affected by the countermeasures presented in the proposal?

Comparison
RQ4: With respect to the related OSI layer, is the AE proposal contributing to add security more than other SOTA protocols?
3.1.2Review Query.From the RQs, we can extract a well-defined list of search terms: in-vehicle , communications , Automotive Ethernet , vulnerabilities , remote , physical , countermeasures , safety , exploits , OSI , layer , SOTA , protocols .We aim to create a database of articles as complete as possible to contain all the interesting literature on AE security to answer our RQs.To reach this target, we have to create a search query string to use in the sources libraries, defined in Section 3.1.3 .
We build some search strings, starting from the basic string "automotive AND Ethernet AND security AND safety ".Querying with the basic string, for example, the library IEEE Xplore [ 63 ], we retrieve 30 articles, and also the other sources do not return a sufficient number of articles for a SR.So, we could not add more detailed terms to the query string, but we have to remove constraints or add synonyms.To release the constraints, we decide to remove the term "safety " because in our work, as reported in RQ3, safety is only analyzed in consequence of security mitigations, so it should not be considered as stand-alone.With the same query without safety, for instance, in IEEE Xplore, we retrieve 57 articles, which is a more relevant number, and also the other sources give us more results.Then, we consider the possible synonyms.The term "automotive " could be too tight because it refers to a domain or industry sector, so we extend this term by adding "OR vehicle ", which is more used to identify road vehicles.The terms "Ethernet " and "security " could be considered mandatory because they are the basics of our work and seem to not have significant common synonyms.Following these considerations and testing the query string on the different sources as described in Section 3.1.4, we decide to use the following query string for our review: (automotive OR vehicle) AND Ethernet AND security. (1)

Review Sources.
To create our database of articles, we decide to use primary and secondar y sources [ 49 ].Primar y sources provide first-hand articles that are close to the object of a study and which have a curated repository of information.Thus, we select the following digital libraries: ACM Digital Library [ 2 ], IEEE Xplore [ 63 ], Science Direct [ 137 ], Scopus [ 138 ], and Web of Science [ 158 ].Besides, automotive IVN literature, even though it is related to general computer networking, has its venues and strong connections with industry, so to not miss some possible articles, we decide to add as a primary source a significant conference like Escar [ 42 ], dedicated to automotive cybersecurity.Instead, as secondary sources can be considered the crawler-based web search engines [ 49 ].Hence, we decide to use Google Scholar [ 45 ], which scans most of the available literature sources (34,300), but since it does not provide the possibility to refine the research only to the Title-Abstract-Keywords (TAK) , it returns a huge number of sources that we need to filter.Hence, we follow the recommendations of Griffith University [ 154 ]: screen and consider only the first X results, where X is the largest number of articles retrieved from one primary source.So, we select the first 153 articles from the Google Scholar results, since the primary source which provides the largest number of articles was Scopus with 153 articles.

Search Activity.
To retrieve consistent and significant literature on AE security, on April 21, 2022, we conducted an automated search with the query in Equation ( 1) on the primary sources' websites with the filter to search in the TAK.Then, on the same date, we performed the same search on Google Scholar and filtered the result as described previously.To summarize, as reported later in Table 3 and in Figure 2 , the search activity allows us to retrieve 299 articles from all the primary sources and 34,300 articles from the secondary source, which will be filtered in the next appraisal phase.

Appraisal Process
Our appraisal process is divided into two main parts: the selection process (Section 3.2.1 ), where we define and apply the selection criteria to the retrieved articles, and the merging process (Section 3.2.2 ), where we merge the obtained results to create a final database from the primary and the secondary sources.

I1
The article is written in English language I2 The article is published in a peer-reviewed journal, or it is a published book, a book section, or thesis I3 The article is focused on road vehicles I4 The article is focused on AE security Exclusion E1 The article is published before January 1, 2004 E2 Articles like news or poster reports E3 Articles like governmental documents

Selection Process.
The retrieved articles are filtered following the inclusion/exclusion criteria (Table 2 ).The inclusion criteria are all the characteristics that each chosen article needs to have to be accepted.On the other side, if an article presents one of the exclusion criteria, it should be excluded.In particular, the articles should be written in English and not older than 20 years because Ethernet technology could be considered significant and applied in the automotive sector only in the past 20 years (Section 2 ).Another relevant criterion is the focus of the article on the AE security of road vehicles.These criteria allow us to remove articles focused on other transport Ethernet applications like trains or avionics.Regarding the criteria I1 , I2 , E1 , E2 , and E3 , the articles are filtered using the search filters of the sources on their websites.To apply the inclusion criteria I3 -I4 , and to perform a quality assessment, determining the suitability of the articles, as suggested in the work of Charrois [ 27 ], three reviewers independently read the TAK of each article and determine if the article is out of topic.For example, several articles are only related to trains or avionics, so they are immediately excluded from our review.The results of this first step are reported in Table 3 .Note that for Google Scholar, we retrieved the articles, and we applied the exclusion criteria E1 applying the year filter on the Google Scholar website.Then, following the criteria explained in Section 3.1.3, we selected the first 153 remaining results, sorted by relevance by Google Scholar, which uses several factors to determine the relevance of an article or paper, including analyzing the full text of a document to find instances where the search term appears in the title, abstract, or body.Additionally, Google Scholar considers factors such as where the article or paper was published, who wrote it, and how often and recently it has been cited in other literature [ 44 ].After the application of the inclusion/exclusion criteria, we check if there are some duplicates present in this first phase as well.To conclude, the final number of articles from each source is reported in Table 3 and summarized in Figure 2 at the level "Selected articles."

Merging Process.
Each source contribution should be merged with the other sources' contributions, and we decided to divide this process into two main phases.As reported in Figure 2 , first, we merge the primary sources and delete the duplicates.Then, second, we merge the result with the secondary source articles, and finally, we remove the duplicates to create the final database.With this process, we know the overall contribution of the merged primary sources, which is 84 articles, and the contribution of the secondary source, which is 98 articles.Finally, after merging the primary and secondary sources and removing duplicates, we have a final database with 134 articles.We can state that the secondary source adds 50 articles to our primary database of 84 articles with an increase of 59.52% of our database articles.

Database Evaluation.
Figure 3 shows the number of retrieved articles per year.The articles were retrieved on April 21, 2022, so the bar "2022" shows in gray only the number of papers (seven) from the first part of the year.However, to have an overview of the possible trend of publications on AE security in 2022, we perform the same search on the sources, with the same selection criteria, on July 21, 2022, just before the journal submission.We retrieve four more articles [ 53 , 57 , 74 , 151 ], which are not included in our SR but that confirm the trend of AE security literature.
In Figure 4 , we note the prevalence of conference articles.To note, the presence of five theses that come from the secondary source Google Scholar. Figure 5 reports the affiliation country of all authors of the retrieved articles.When an author is present in different articles, the affiliation country has been counted every time for each article.It also shows a clear interest in AE security in Germany.At the same time, we find some authors from Asia (China, Korea) and some from Italy and the United States.The Others slice with its 19.8% includes countries like Sweden, Slovakia, France, Austria, Denmark, and India.
To conclude, following the database evaluation, we decided not to apply snowballing techniques that take only the older articles with respect to the current articles.AE is a relatively new technology that has almost developed in the past 10 years, and it continues to change, so we can state that most of the significant works are concentrated in the past 7 to 10 years.

Synthesis Process
After the appraisal phase, we have to read the articles in our database to try to retrieve the answers to RQ1, RQ2, RQ3, and RQ4.To perform this activity, we decided to have each article read by three different experts: two experts are from the same institute (CNR or Fraunhofer SIT), whereas the third is from the other institute.During the reading, the reviewers fulfill a schema to indicate if the specific article answers RQ1, RQ2, RQ3, and/or RQ4.If for an answer there was no full agreement among the three experts, there is a discussion among them to express their considerations, and then the answer is determined by the majority vote of the three voters.Figure 2 reports that 55 articles out of 81 provide an answer to RQ1, 76/81 to RQ2, 48/81 to RQ3, and 40/81 to RQ4.

Analysis Process
In this phase, we analyze and summarize the data and information retrieved from the synthesis phase.In particular, in Section 3.4.1 , we provide the answers to each question, whereas Section 4.4 presents a mapping between the AE attacks and mitigations, retrieved in our analysis, and UNECE WP.29 R155, which provides a list of vehicle attacks and mitigations to be considered during any risk assessment.
In this section, the graphs colors were chosen following specific group criteria.In all the "Yes/No" pie charts, reporting the provided answers, the answer "Yes" is colored with pastel blue, whereas the answer "No" uses pastel orange.Figures 6 and 8 (presented later), which report the possible attacks and the mitigations, are respectively colored with shades of red as the usual automotive plant color used to identify threats and shades of green as the usual automotive plant color for solutions.The last pie chart, in Figure 10 (presented later), is colored with shades of yellow to be distinguished from the previous figures.

RQ Answers.
After the reading phase, in the following subsections, we describe the findings for each RQ.
RQ1: In in-vehicle communications, which are the AE cyberattacks (remote and physical) considered in the proposal? .
RQ1 represents the starting point of our survey because it allows us to identify if there are and which are AE security threats.From our reading phase, as reported in Figure 6 , we identify 55 articles out of 81 (68%) that provide an answer to RQ1.Usually, in the articles, there is an introduction or a section to identify and list the possible threats, which are the base for the consequent article's analysis or the proposed solution.
The answer to RQ1 is relevant because it allows carmakers and researchers to identify if AE could be considered vulnerable and the main attacks from which it can suffer.Figure 7 shows the  percentages of the most cited attacks in the selected articles.The most cited attacks are the DoS and the Replay like defined in Table 4 .Several other attacks are reported in the graph but with lower percentages, like Machine-in-the-Middle (MITM) or spoofing.The attacks have different attack surfaces, but most of them, like MITM or Eavesdropping, focus on communications to steal data.Among the attacks reported in Figure 7 , eavesdropping can be considered a passive attack in which the attacker does not interact with any other part of the vehicle, but they only passively steal data.The other attacks like DoS, Replay, MITM, Spoofing, or Injection are active attacks, where the attackers interact with the systems by injecting, for example, malicious or fake commands.In Figure 7 , the most significant slice is Others , which contains different active and passive attacks like Brute-force or Sniffing with small percentages resulting from being mentioned only a few times in the articles.The attacks retrieved, along with their National Institute of Standards and Technology (NIST) definition (if available), are listed in Table 4 .The last two columns of the table display the number of citations for each attack and the corresponding article references.
As a technical insight, DoS is well detailed in numerous articles-for instance, defending an IVN shared bus architecture against a DoS attack seems to be more challenging than a switched architecture, where a central gateway or a switch controls the traffic [ 13 ].Dariz et al. [ 34 ] suggested that a Replay attack is closely related to the eavesdropping attack, as it involves capturing messages from the network through sniffing and subsequently retransmitting these messages for specific malicious purposes.For instance, an attacker might intercept and store communications between the Electronic Control Unit (ECU) responsible for managing the wheel and the ECU governing wheel movements.The attacker can then replay these actions without requiring control over the driver, potentially leading to unwanted and dangerous consequences.Hudec and Lastinec [ 60 ] state that the risk of an MITM attack exists because of the initial Address Resolution Protocol (ARP) request from an other gateway.Static ARP tables not only can help eliminate this particular deviation but also reduce the vulnerability to certain types of MITM attacks.Alkhatib et al. [ 6 ] report that the injection attack refers to a specific method employed by an attacker.In this case, the attacker's goal is to manipulate the data traffic within an IVN.The attacker accomplishes this by injecting arbitrary stream AVTPDUs (AVTP data units) into the network.These injected AVTPDUs are designed to disrupt the normal dataflow and potentially cause a specific outcomein this instance, the attacker's objective is to output a single video frame at a terminal application connected to an AVB listener.In conclusion, the retrieved threats, encompassing active and passive attacks, are not dominated by any specific attack or attack category.Within the Others category, we find various attacks such as fuzzing [ 123 ], switch overflow [ 123 ], and Sybil [ 97 ], which warrant A11 Poisoning A type of cyberattack in which attackers insert fake information into a domain name system (DNS) cache or web cache for the purpose of harming users [ 149 ].
4 [ 80 , 89 , 103 , 147 ] A12 Impersonation A scenario where the attacker impersonates the verifier in an authentication protocol, usually to capture information that can be used to masquerade as a subscriber to the real verifier [NIST SP 800-63-3].
4 [ 8 , 80 , 97 , 109 ] A13 Buffer Overflow A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information.Adversaries exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system [NIST SP 800-82 Rev. 2].
2 [ 24 , 100 ] A14 Hopping This allows an attacker to bypass any layer 2 restrictions built to divide hosts.With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to access their target [ 9 ].
2 [ 89 , 103 ] A15 Tampering An intentional but unauthorized act resulting in the modification of a system, components of systems, its intended behavior, or data [NIST SP 800-53 Rev. 5].
1 [ 24 ] A17 Sybil A cybersecurity attack wherein an attacker creates multiple accounts and pretends to be many persons at once [NISTIR 8301].
1 [ 97 ] A18 SYN Flooding This is a type of DoS attack on a computer server [ 150 ]. thorough detection and further investigation.For this reason, our examination, as addressed in response to RQ1, emphasizes the critical importance of safeguarding AE systems against a wide array of threats, each of which is explored within the respective articles.RQ2: In in-vehicle communications, is the proposal presenting AE countermeasures to mitigate security vulnerabilities? .
RQ2 is the direct consequence of RQ1.It should provide the mitigations for the attacks retrieved in the previous answer.According to Figure 8 , 93% of the articles offer mitigations, which is a higher percentage than the articles that merely list the attacks.It seems that some articles provide solutions without listing the treats and that the literature is more focused on the mitigations than on the possible attacks.Figure 9 shows the percentage of each mitigation concerning the total of cited mitigations.As for RQ1, the biggest percentage is the slice Others , which contains several solutions cited a few times, as reported in Table 5 , but that together form the biggest set.The other most recommended solution is the usage of a firewall, which is "an inter-network connection device that restricts data communication traffic between two connected networks" [ 117 ].In an IVN, a firewall can be a solution to filter the input/output dataflow with external nodes like in a computer network.Besides, it can be used to protect more critical areas of the IVN and to segment the network.The second proposed mitigation is an IDS that is "a security service that monitors and analyzes network or system events for finding, and providing real-time or near realtime warning of, attempts to access system resources in an unauthorized manner" [ 117 ].The IDS monitors the traffic, and it is sometimes combined with an Intrusion Prevention System (IPS) , which, however, is cited fewer times than the IDS.An IPS is "a system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets" [ 117 ].The two solutions both monitor the traffic, but the IPS can take actions to block packets or suspicious activities, whereas the IDS just detects and reports the possible threats.Note that the first two most cited solutions, firewall and IDS, work on the network traffic and are like an add-on that can be added to existing technologies, without modifying protocols or adding cryptographic solutions.We assume that these solutions could be easier and cheaper to install in a complex environment like a vehicle, instead of creating personalized solutions or modifying the protocols.The third mitigation is an encryption solution, IPsec (Internet Protocol Security), which is a layer 3 security protocol, which authenticates and encrypts the packets in a network, especially in a VLAN.From the articles, we note that often an IVN with AE is described as a VLAN network, which is also a proposed security solution.A VLAN enables the carmakers to divide the IVN into subnetworks Possible latency [ 25 ], Computationally intensive steps [ 24 ] MT7 SecOC An AUTOSAR Secure Onboard Communication Basic Software (BSW) module to ensure integrity and authenticity among ECUs [ 11 ].

4-7 2 [ 103 ] To be further investigated
To be further investigated with their features and isolates them to prevent possible attacks.Another security solution that has been proposed is to use Transport Layer Security (TLS) to secure network communications in AE.Following the NIST definition, TLS is "an authentication and encryption protocol widely implemented in browsers and Web servers" that operates at the transport layer and provides security features for layers 4 through 7 of the networking stack.However, TLS was originally designed for point-to-point communication and does not work well with multicast or broadcast protocols.For this reason, it can be applied only in some cases when a point-to-point communication is required.TLS is largely applied, for example, in the HTTP traffic where transmissions using TLS are known as HTTPS.This solution proposes to compare the IVN with Internet communications and apply the same well-defined solution to assure authentication and encryption.The fifth mitigation is the usage of a MAC, which is a piece of code used to authenticate a message.With this solution, it is possible to verify the authenticity of a message, which we can assume as an important element for an IVN and that standard AE cannot provide.Another significant mitigation, which was the focus of several articles, is MACsec, also known as IEEE 802.1AE, to encrypt the IVN traffic.MACsec works at layer 2 of the ISO/OSI model and is based on GCM-AES-128 to provide integrity and confidentiality.It is largely applied in the standard wired Ethernet networks, but it is also proposed as a mitigation for IVN.Another proposed solution, shown in Figure 9 , is the SecOC module.It was proposed for the first time in 2014 by AUTOSAR (the AUTomotive Open System ARchitecture), which is a partnership of automotive stakeholders to define an open and standardized software architecture in the IVN.In particular, SecOC is a module to assure integrity and authenticity in the communication among the different ECUs.The last reported solution is access control, which is a generic definition for a set of procedures, but it shows the need for control of the accesses that the standard AE cannot assure.In particular, following the NIST definition, the access control is "a set of procedures and/or processes, normally automated, which allows access to a controlled area or information to be controlled, following pre-established policies and rules."Concerning the previous mitigations, access control is not a direct implementable solution, but it contains all the procedures to assure, for example, the authenticity property, and it is cited in several articles, showing the importance to implement access control systems.
Table 5 reports the other solutions, which are cited a few times.Note the presence of some solutions like blockchain or honeypot that can be considered innovative and not usually applied in the computer networks like the previous solutions.There are still other mitigations like Named Data Networking (NDN) and Secure ARP (S-ARP) which are cited and can be considered as possible implementations.In Table 5 , we present the mitigations offered, along with some of the advantages and disadvantages as extracted from the articles.This information underscores that latency is a primary concern when integrating security solutions into IVNs.Additionally, it indicates that solutions such as IDS and IPS may have a lesser impact compared to the introduction of new protocol-based solutions like MACsec.When it was not possible to obtain a clear statement regarding advantages and disadvantages, we indicated "To be further investigated."Specifically, this condition indicates that the retrieved papers lack a comprehensive analysis of both the advantages and disadvantages of the solution.The disadvantage analysis could explore factors such as the impact on latency and its potential significance.However, when evaluating the advantages, aspects like compatibility with existing solutions and the energy impact could be taken into account.Consequently, these gaps in the literature present a possible direction for future research.To conclude, the significant number of solutions in Table 5 suggests several possibilities, inherited from computer networks, to secure AE.However, from the reading phase, it emerges that some solutions have only been proposed, not well described, and not investigated or applied in an

C5 Cost
The amount of money needed to buy, do, or make something [ 36 ] 2 [ 98 , 103 ] automotive context, so it is not possible to determine their feasibility for vehicle implementation, specifically the solutions that are considered innovative and have not been well described or investigated in an automotive context.Although the table suggests several possibilities, it is unclear whether these solutions are practical for implementation in vehicles.This issue highlights the need for further research and testing to determine the feasibility and effectiveness of these innovative solutions in the context of automotive cybersecurity.

RQ3: In in-vehicle communications, how is safety affected by the countermeasures presented in the proposal? .
RQ3 can be a relevant and critical question for carmakers and AE stakeholders.Generally speaking, safety is "the condition of not being in danger" [ 38 ], whereas in the automotive context, we can use the definition of ISO 26262 [ 67 ], which is the functional safety standard used in the automotive industry, where safety is defined as the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly or indirectly as a result of damage to property or to the environment.Based on this definition, vehicles must ensure safety at all times through solutions that can significantly reduce the risk of harm to people.Besides, we should consider that computer security is a crucial topic to protect users' data, but usually, an attack does not have an immediate consequence on people's safety (Table 6 ).The situation is different in an industrial context where, for example, a cyberattack could compromise a water system or a nuclear plant.In these situations, people's lives are in danger, and the automotive context is much more similar to the industry than to the computer context.The security mitigations for IVN could influence some time-critical systems of the vehicle, compromising safety.For this reason, it emerges that RQ3 provides a significant overview of a demanding topic.
Concerning the previous RQ1 and RQ2 analysis, the reading phase of RQ3 provides us fewer answers, sometimes without a description or motivations for a statement.For this reason, we decide to classify the articles into three categories: -Direct : When safety is directly addressed and each statement is explained and motivated.
-Indirect : When the article contains statements about safety, but they are not motivated but just affirmed.We consider it, but with a different weight with respect to the previous direct articles.-No : When safety is not addressed.
With this triple classification, we can retrieve more details on a crucial but less addressed topic.As shown in Figure 10 , we have 16 articles out of 81 that consider and analyze the consequences of security mitigations on safety.A total of 32 articles provide safety assumptions as a consequence of the mitigations, but they do not provide any deep explanation.Finally, 33 articles do not address safety.
Figure 11 describes the main consequences on safety after the application of security solutions on AE.In this graph, we have a strong prevalence (61.5%) of the delay/latency, where the two terms, in our work, are considered equivalent and can be seen as the main consequences of a security solution application.IVN contains some time-critical partitions, like the braking system, so the introduction of a firewall or encryption solutions can increase the response time with a specific delay.The articles report this problem as the main critical consequence, and some articles test vehicles to quantify the delay.Another impact could be the reduction of the IVN performances and bandwidth.These last two consequences are related to performance impact, but we prefer to leave bandwidth as a specific consequence because it was cited several times and it can show that a network overload can also impact safety.
Another issue, related to time-critical systems, is the jitter, which, following the NIST SP 800-82 definition, can be defined as "the time or phase difference between the data signal and the ideal clock."Jitter is not only latency, but it can be seen as a real malfunctioning of a network because it impacts the system clock synchronization.The last consequence, even if cited a few times and without a direct impact on safety, is the cost, which can be considered an important element of carmakers' choice.The introduction of a security mechanism could impact the cost, and it could lead to a further increase in the cost to implement safety as well.
When it comes to security controls, fault tolerance is an important aspect to consider.Fault tolerance refers to the ability of a system to continue functioning correctly in the event of a failure or malfunction [ 118 ].In our SR, some articles (e.g., [ 35 ]) use reliability as synonym of fault tolerance, although they are different concepts because reliability refers to the ability of a system to perform its intended function over a specified period under specific conditions, and not only in case of failure like fault tolerance.A few articles focus specifically on fault tolerance, but some explore it in relation to different technologies.For example, some authors [ 86 , 103 , 129 , 130 ] discuss fault models and solutions for TSN, whereas another [ 134 ] describes a fault scenario for TSN.In relation to ISO 26262, some works [ 12 , 39 ] explore fault situations.Meanwhile, other works [ 77 , 144 ] focus on fault tolerance in AE, and yet another [ 165 ] analyzes fault-detection capabilities of AE and FlexRay.The only work fully dedicated to fail operations in Ethernet is that of Möstl et al. [ 114 ], who implement isolation, fault recovery, and controlled degradation in AE.To conclude, an open issue discovered with RQ3 is the lack of clear motivation and explanation for safety assumptions made by some articles in the Indirect category.This could lead to less reliable or incomplete  information regarding safety implications of security mitigations on IVN.Another issue is the focus on delay/latency as the main consequence of applying security solutions on IVN.This could result in an incomplete understanding of the impact of security solutions on IVN and safety.It is important for future research to address these issues and provide a more comprehensive understanding of the implications of security mitigations on IVN safety, like studying fault-tolerance solutions.To conclude, we can state that the articles identify the timing and the consequent delay as the main issue on safety if we apply AE security mitigations.
RQ4: With respect to the related OSI layer, is the AE proposal contributing to add security more than other SOTA protocols? .
RQ4 is a comparison with the existing in-vehicle network communication protocols like CAN, FlexRay, LIN, or MOST, which, in this work, we call SOTA protocols .We aim to define if AE can be considered an improvement for IVN security with respect to the current scenario.In particular, as shown later in Figure 13 , the comparison has to be based on the OSI model because it is not reasonable, for instance, to compare a data link layer protocol with an application layer protocol.
As shown in Figure 12 , less than half of the 81 articles provide a comparison with SOTA protocols, and often the comparison is not well detailed and motivated.Current communication SOTA protocols have no security services [ 104 , 126 , 146 ], such as authentication or encryption to assure, for instance, confidentiality.This lack is caused by the absence of security requirements when the protocols, such as CAN in 1983 or LIN in 1990, were designed.This lack of security by design exposes the vehicles to possible malicious attacks [ 71 ].From the reading of the articles, it seems that SE is not more secure than the other protocols because it was not created with security by design.However, AE can be implemented with some security improvements already widely applied in computer networking that can make it more secure than the SOTA protocols.Besides, we can report unanimity on the security prevalence of AE over the SOTA protocols, just because it provides several efficient security solutions like TLS, MACsec, or IPsec.
From the same RQ4 analysis, we can retrieve other significant findings.In particular, we identify which OSI layer each article addressed.An article can consider multiple layers or just one.In Figure 13 , we report when an article discusses a single layer or it combines multiple layers.The most discussed is layer 2: 13 times exclusive and in 45 articles with other layer solutions.Usually, the discussed layer 2 solutions are MAC and firewalls.Sometimes, some articles discuss solutions ranging from layer 2 to 7, excluding only the physical layer.Another significant layer for AE is layer 7, where some application solutions like SOME/IP and DDS are discussed.The other layers that are considered are layer 3, especially for the IP solutions, and, consequently, layer 4 for TCP/UDP solutions to secure the network packages.The other layers, 5, 6, and 1, seem to be less considered and only in relation to other layers.
As already defined in Section 1 , AE is a stack and not only a single protocol.In Figure 14 , we report the AE protocols with the reference of the layer.Figure 14 describes the AE solutions we take from the articles for each OSI layer.The AE schema reports several solutions similar to the computer Ethernet stack; however, it adds some specific protocols for the automotive sector.At the physical layer, the solutions are 100 BASE-X or 1000 BASE-T, which are network standards used for fast data transfer at rates up to 100 Mbit/s and 1,000 Mbit/s, respectively.Other solutions are being implemented to increase the bandwidth, which is one of the most significant improvements of AE.In fact, the current solutions are, for instance, CAN, which has a data rate up to 1 Mbit/s, LIN up to 20 Kbit/s, FlexRay up to 10 Mbit/s, and MOST in its basic version up to 24 Mbit/s.
At layer 2, AE can be secured using MAC, as described in Section 3.4.1 , and it enables the creation of VLAN, which is not possible with the current protocols.Layers 3 and 4 contain the fundamental computer Ethernet protocols like IP and TCP/UDP.The most significant change with respect to the previous protocols is the possibility to create specific applications for layers 5-6-7 like SOME/IP, which is an automotive/embedded communication protocol that supports remote procedure calls and event notifications [ 10 ].Another relevant protocol is the DDS, standardized in AUTOSAR, which can be defined as a data-centric middleware protocol based on the publish-subscribe pattern to control the flow of data between different nodes [ 131 ].Note that is it possible to have the Onboard Diagnostic (OBD) II port also in the AE schema, even if it was not reported in Figure 13 .
To conclude, the OSI model is the most used architecture to define AE; however, in a paper [ 122 ] of our SR, the authors suggest using an NDN architecture instead than the standard OSI.NDN is a future Internet architecture that implements security by design.Unlike IP, which covers the communication channel, NDN secures the content through cryptographic signatures.The paper's authors suggest NDN as a possible candidate to replace the standard IP stack, running on top of layer 2.

Current Usage of AE and Future Applications
Several vehicle manufacturers are actively incorporating AE technology to varying degrees into their products, as evidenced by recent studies and industry reports [ 22 , 54 , 121 , 135 , 159 ].AE serves as a versatile communication infrastructure that interconnects different domains within vehicles, gradually replacing the conventional CAN as the backbone technology.One of the main contributors is the OPEN Alliance (One-Pair Ether-Net) [ 140 ] that is promoting the widespread adoption of Ethernet-based networks as the standard for automotive networking applications.Another example is the German company Bertrandt that designed a vehicle platform HARRI [ 135 ] with Ethernet-based network structures, where the key protocol used for service-oriented communication is the AE SOME/IP protocol.Another German company, Vector, which supplies software and engineering services for the networking of electronic systems in the automobile and related industries, proposes several solutions for AE [ 155 ].In particular, Vector supports carmakers with embedded software, trainings, and services.In 2020, a technical report [ 70 ] from Frost & Sullivan, an American business consulting firm, states that some 400 million AE ports were in use in the automotive industry.Besides, BMW was considered the front-runner in terms of adopting AE, but also Hyundai used AE for infotainment systems, and Volkswagen uses AE for driverassist systems [ 70 ].Hence, the transition from CAN to AE highlights the industry's recognition of AE's benefits and its potential to meet the evolving communication requirements of modern vehicles.One prominent application of AE is in interconnecting infotainment components.Previously, MOST was commonly employed in earlier-generation vehicles for multimedia communication.However, AE has emerged as a superior alternative due to its high bandwidth capabilities, which enable the seamless transmission of high-quality audio, video, and other multimedia content.With AE, vehicle occupants can enjoy advanced infotainment features, including in-car entertainment systems, navigation units, smartphone integration, and connectivity with external devices.AE's capabilities extend beyond multimedia integration.It is also utilized in diagnostic ports and connections to high-bandwidth sensors, such as high-resolution cameras.Diagnostic ports equipped with AE enable efficient communication between the vehicle's OBD systems and external diagnostic tools.This facilitates comprehensive vehicle diagnostics, fault code retrieval, and software updates, streamlining maintenance and troubleshooting processes.Regarding safety-critical applications, AE plays an important role in transferring a wide range of data types, including sensor and actuator information, between domain controllers.The high bandwidth and deterministic communication capabilities of AE ensure reliable and real-time data exchange, supporting safety systems such as advanced driver assistance systems).
Overall, AE serves as a versatile technology that enables the transfer of various data types within vehicles.It facilitates the seamless integration of multimedia components, enhances diagnostic capabilities, and supports the reliable transmission of safety-critical information.As a result, AE is being increasingly adopted by vehicle manufacturers as a vital communication infrastructure, gradually replacing in some IVN domains the traditional communication protocols like CAN.This transition represents a significant shift in the automotive industry, as manufacturers recognize the value of AE in meeting the evolving communication needs of modern vehicles.

Article Categorization and Comparison
In response to the emerging requirements driven by the integration of AE communication in next-generation vehicles, the research community has initiated an exploration of potential security concerns associated with this advancement.The answers we retrieved within our SR work provide a framework of potential attacks and mitigations that AE solutions may face.However, we want to compare the different approaches that were taken by the reviewed articles.To this end, during the reading process, we created three classification categories based on articles' relevance: -Conceptual and designing : Articles that provide an introduction and a baseline for AE, including a description of the SOTA and an analysis of threats and mitigations.-Implementations : Articles that describe, compare, and test possible security solutions.
-Real-time Ethernet protocols : Articles that deal with time-sensitive solutions like TSN.
We use Table 7 to simplify the search for possible contributions to a specific topic, such as IDS, and to aid in practical implementations.In this table, we identify the article approach, which can be theoretical when the article deals with the theoretical aspects of AE; review when it offers a description of the SOTA, retrieves and analyzes evidence from the literature, or expresses an opinion on a specific AE topic; comparative with tests when an AE solution is defined and tested to be compared with other solutions or to define the best options for the solution itself; applicative when it implements an AE solution on hardware; or mixed when an article takes more than one approach and it is not possible to distinguish the predominant one.We start by examining each topic and report whether the articles consider safety aspects, which are crucial in the automotive industry since security and safety are closely related [ 32 ].Additionally, we evaluate whether the articles include comparative tests and/or applications, even if they fall into the conceptual and designing category .Last, we determine if the articles compare the AE proposed solution with existing protocols such as CAN.The application column (AT) in Table 7 is particularly relevant to engineers and practitioners, as it allows them to identify potential hardware implementations, make comparisons, and retrieve possible application models.
When analyzing Table 7 , we found that a considerable number of articles discuss possible threats and mitigations.This allowed us to identify the most common research questions.Additionally, other articles compare AE to existing communication protocols to highlight differences and similarities for potential implementations.In the conceptual and design category, there is a significant interest in Software-Defined Networking (SDN) solutions that can be applied in vehicles to create a new type of vehicle called a software-defined vehicle [ 14 ], which abstracts and manages almost all vehicle hardware components using software.However, there is a lack of formal analysis, as only one article [ 93 ] deals with formal analysis and only one article discusses functional safety.Several articles focus on gateway and IDS solutions, whereas few or single contributions exist for VLAN, TLS, SDN, and blockchain solutions.In conclusion, there is a significant contribution to real-time Ethernet solutions like TSN, which is part of AE.The attention is due to the application of AE in communicating vehicle camera video and images, which are used in safety-critical systems like the braking.The articles underline the benefits of using AE for video/image transfer over the standard CAN.However, only one article [ 86 ] directly deals with functional safety.
In summary, the analysis of Table 7 reveals a significant interest in addressing the security and safety challenges in AE.Although there are promising solutions such as SDN and TSN, more research is needed to formalize analysis and ensure functional safety in the implementation of these technologies.

Attack RQ1: Mitigation RQ2 Mapping
In accordance with the requirements of the industrial sector, one of the primary questions arising from this study is whether the current mitigations adequately address all the potential attacks identified in RQ1.Table 8 presents the mapping between attacks and their corresponding mitigations.

Analysis of the table includes the following:
-Attacks without direct solutions : The table highlights that "Replay" attacks lack direct and explicitly mentioned solutions.These attacks may require more research and innovative strategies to be effectively mitigated.-Significant solution : Among the solutions listed, IDS and IPS appear frequently as potential mitigations for a wide range of attacks, including Message Injection, Poisoning, Impersonation, Buffer Overflow, Hopping, Tampering, Brute-force, Sybil, and more.This suggests that IDS and IPS solutions play a significant role in mitigating multiple security threats in the context of AE technology.-Other significant solutions : Additionally, TLS and MACsec are essential solutions for addressing specific attack types, such as Spoofing, Eavesdropping, Sniffing, Masquerading, Forgery, and Hijacking.These solutions are crucial for ensuring the confidentiality and integrity of data in AE systems.
In conclusion, the table emphasizes the need for further research and the development of mitigation strategies for attacks that currently lack direct solutions or further research on the current solutions to find the most suitable.It also underscores the significance of solutions like IDS and IPS in addressing a wide range of security threats in the AE technology domain.Additionally, TLS and MACsec are crucial for specific security aspects related to data protection and integrity.In the following section, we suggest an inverted mapping in comparison to Table 8 .Here, we align UNECE threats with the corresponding potential attacks, following the guidelines of UNECE R155, and reference the mitigation IDs from Table 8 .In Table 10 , we provide a mapping of the UNECE WP.29 R155 mitigations with the AE retrieved mitigations, highlighting the fact that AE can offer multiple solutions for most of the required UNECE WP.29 R155 mitigations.However, it is important to note that the mitigations of UNECE R155 are primarily employed in system design and thus have an architectural view on the vehicle.Some issues may be solved on the protocol/network level, whereas others may require more comprehensive solutions such as physical protections.To make the completeness of AE mitigations in relation to UNECE R155 more transparent, we include a column labeled MCL in Table 10 .This column indicates whether the AE mitigations fully implement the corresponding UNECE WP.29 R155 mitigation or if they are only part of a more comprehensive system security solution.Notably, the AE solutions that can fully address UNECE WP.29 R155 mitigation requests are those that prioritize data protection.As AE is typically implemented as a backbone, it can play a critical role in ensuring data protection, and with the right mitigations in place, it can provide a high level of security.However, it is important to note that some of the more generic requirements such as M3 or M20 in Table 10 may require additional solutions beyond the access control offered by AE, such as physical protections.Following the results of our SR, we notice that AE can provide solutions to assure control of the accesses, and the authenticity and confidentiality of the messages.In  the AE literature, it seems that there is a lack of solutions for cryptographic key storage, back-end services, and cloud computing.However, these two last UNECE WP.29 R155 requirements could be considered activities not directly related to AE and that should be implemented with other technologies.In Table 10 , at mitigation M16, we report the reference to UNECE WP.29 R156 because this category of mitigations is deeply explained in this last regulation, but they do not emerge from our SR.Released with UNECE WP.29 R155, R156 defines the software update and requires a software update management system (SUMS) to provide mitigations like M16.
To conclude, from the findings of our SR, we can state that AE literature provides relevant indications to address some requests with UNECE WP.29 R155, identifying a significant number of attacks.Besides, the AE suggested mitigations address several UNECE Table B and C requirements that could help companies define the solutions and documentation for the CSMS.

CONCLUSION AND LESSON LEARNED
This article presented an SR of the literature on AE security and its impact on safety, providing also a comparison with the existing IVN protocols.In addition, as a result of the analysis, we performed a mapping between UNECE WP.29 R155 requirements and our findings.Our goal was to provide a complete overview of future developments of the emerging AE technology and its cybersecurity.
To achieve our target, the starting point was the four RQs.The first two aimed to define the possible cyberattacks that AE can suffer and the consequent possible mitigations.The third question studied the impact of security mitigations on safety, whereas the fourth question was a comparison between AE security and the existing protocols' security.To perform the SR, as described in Section 3 , we followed a specific framework called SALSA , which allowed us to have structured and consequential phases to avoid selection and analysis biases to obtain a final database of 81 articles which we used to answer the four RQs.After the first phases, we analyzed the results and it emerged that AE can suffer several active and passive attacks.However, AE can inherit from computer networking different mitigations that can increase the cybersecurity level.From RQ3, we knew that the mitigations could have an impact on safety, especially causing a delay/latency of the data transmission with possible significant consequences in time-critical vehicle systems like the brakes.From RQ4, we retrieved that AE could be considered more secure than the current IVN

M23
Cybersecurity best practices for software and hardware development shall be followed ---

M24
Best practices for the protection of data integrity and confidentiality shall be followed for storing personal data ---protocols only if it were applied the mitigations that are already applied for Ethernet in computer networking.The mapping between UNECE WP.29 R155 and AE findings suggested that the results of our SR can be used to be compliant with UNECE WP.29 R155.In particular, we identified most of the attacks that are required by UNECE WP.29 R155 to be analyzed in the risk analysis and the consequently required mitigations.Finally, we performed a discussion of the results, including evidence coming from the automotive experience.
As for the lessons learned, this article highlighted several open issues related to the cybersecurity of AE technology.One of the primary concerns is the need for more efficient and secure communication protocols specifically designed for AE.Currently, AE inherits its structure from SE used in computer networking, but more automotive-dedicated solutions are necessary to meet the unique requirements of IVN, such as low latency and communication with internal and external moving nodes.Future communication solutions must prioritize essential security properties, including confidentiality, integrity, availability, and authenticity.Depending on the criticality of the data, various solutions can be designed to meet these security requirements.For example, studying the security of application protocols such as SOME/IP [ 164 ] or automotive MQTT, which appear to be the most suitable options for providing vehicular services [ 7 ], can make a substantial impact.Another open issue is the need to minimize the impact of security mitigations on safety-critical systems, particularly those that could cause delays or latency in data transmission, such as the brake one.Introducing security solutions into the IVN inevitably extends the time required to send and accurately interpret messages.Nevertheless, when it comes to the communication between two safety-critical ECUs, any delay becomes a critical concern.Balancing security and safety emerges as a paramount challenge in the automotive industry.For instance, although MACsec appears to offer promise, it also can result in relevant delays [ 25 ] that should be addressed.Delay has been extensively discussed in the automotive field [ 106 , 157 , 168 ].However, there is a lack of solutions dedicated to AE.For example, using an AE backbone can speed up communication between vehicle network domains.But when we add security solutions, it can slow down the process.An IDS has a low impact on delay, whereas an IPS or other cryptographic solutions can cause more delay [ 160 ].Additionally, there is a need to improve standardization and regulation of AE cybersecurity, including the development of industry-wide best practices and guidelines.These open issues suggest that there is a need for further research and collaboration between industry, policymakers, and researchers to ensure the safe and secure development of AE technology.For instance, ISO/SAE 21434 and UNECE R155 provide security solutions for IVN, but they appear to be somewhat generic, potentially lacking clear thresholds or causing confusion among automakers [ 32 ].Consequently, to establish more comprehensive standards, a collaboration among various stakeholders becomes a primary concern for enhancing automotive security.
To conclude, this work can be used as a baseline for future research on AE and in general for IVN communications.In particular, it emerges that AE inherits its structure from the SE, used in computer networking.Several solutions for vehicles at the physical (e.g., 1000BASE-T1) or the application layer (e.g., SOME/IP) have been developed; however, it should be necessary to define more automotive-dedicated solutions for AE to face the specific requirements of an IVN like the low latency or the communications with internal and external moving nodes.

Fig. 3 .
Fig. 3.The number of articles per year in our database.

Fig. 4 .
Fig. 4. Document type of each article of our final database.

Fig. 5 .
Fig. 5. Affiliation country of all the authors of the articles in our final database.

Fig. 6 .
Fig. 6.Number of articles which answer (Yes) and do not answer (No) RQ1.

Fig. 7 .
Fig. 7. Percentages of the most cited attacks against AE over the total of cited attacks in the articles which answer RQ1.

Fig. 12 .
Fig. 12. Number of articles which provide a comparison with other SOTA protocols (Yes) and that do not compare protocols (No).

Fig. 13 .
Fig. 13.Which OSI layers are addressed by each article.The bars show when an article considers only one layer (Single) or multiple layers (Multiple).

Fig. 14 .
Fig. 14.OSI stack protocols in current usual schema and in AE schema.

Table 1 .
SALSA Framework[ 46 , 112 ]of an SR with the References of the Sections Where We Address the Relative Phase

Table 3 .
Number of Articles for Each Source After Each Selection Step

Table 4 .
AE Cyberattacks Retrieved from the Articles Id = Identifier of the attack; # = number of articles which cite the attack

Table 5 .
AE Mitigations Retrieved from the Articles Id = Identifier of the mitigation; # = number of articles which cite the mitigation

Table 6 .
Consequences on Safety of the Application of AE MitigationsId = Identifier of the consequence; # = number of articles which cite the consequence

Table 7 .
Summary of Articles Included in the SR Categorized by Their Purpose Article approach: Theoretical, review, comparative with tests, applicative, mixed.• = Yes; •= No SC: Safety Considered; CT: Comparison Tests; AT: Application Examples; CEP: Comparing Existing Protocols ACM Computing Surveys, Vol.56, No. 6, Article 135.Publication date: January 2024.

Table 8 .
[ 153 ]Mitigation Mapping between RQ1 and RQ2 UNECE R155)[ 153 ]is mandatory for the new vehicle types from July 2022 and for all vehicles produced from July 2024 in each of the more than 60 countries which belong to the UNECE.The regulation UNECE R155 aims to increase vehicle cybersecurity with the mandatory establishment for the carmakers of a Cyber Security Management Systems (CSMS) .In particular, it lists the requirements and documentation to obtain the Certificate of Compliance for CSMS.One relevant part of UNECE R155 is Annex 5, which reports a list of threats and corresponding mitigations.In particular, Annex 5 Part A defines a list of possible attacks and threats that should be considered in the risk analysis to obtain the homologation of new vehicles.Then, in Parts B and C, UNECE WP.29 R155 describes some possible mitigations.Following the results of RQ1 and RQ2, in this section, we map the UNECE attack/mitigations with our AE findings to define if there is a correspondence between UNECE WP.29 R155 and AE literature.Table 9 reports the automotive threats of Table A of UNECE WP.29 R155 and if there is a related attack that has been identified in the AE literature.This mapping shows that AE could suffer most of the possible attacks listed by UNECE WP.29 R155 and that they should be addressed with proper mitigations.As expected, the main AE threats are related to the communications channels (UNECE WP.29 R155 Table A 4.3.2) and data/code (UNECE WP.29 R155 Table A 4.3.6).Other threats, related to the software update procedures or human actions, even if considered by the UNECE WP.29 R155, seem to not be identified as AE vulnerabilities by the AE literature.

Table 9 .
Attacks Mapping between UNECE WP.29 R155 Table A and Our AE Retrieved AttacksU-Id = UNECE Identification number; Id = Identifier of Table8

Table 10 .
Mitigation Mapping between UNECE WP.29 R155 Tables B and C and Our AE Retrieved Mitigations U-Id = UNECE Identification number; Id = Identifier of the mitigation of Table 5 ; MCL = AE Mitigation(s) Completeness Level