automotive safety and security – current trends and challenges


Automotive Safety and Security – current trends and challenges
Vector Cybersecurity Symposium 2021

Stefan Kriso
Head of Bosch Center of Competence Vehicle Safety
Robert Bosch GmbH, Ludwigsburg

M/ENG-CVS | 2021-10-06 | CoC-VS 2021-047 | © Robert Bosch GmbH 2021. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Automotive Product Safety

Product Safety
• ISO 26262 "Functional Safety"
• ISO 21448* "Safety of the Intended Functionality"
• ISO/SAE 21434* "Cybersecurity engineering"
• Measures and standards according to the state of the art (e.g. reliability standards)
*: standard under development

[Figure: safety impacts (selection) feed into the product release; duty of care; safety measures, legal and normative requirements]

Product Safety Engineering is an interdisciplinary activity!

GOAL: No unreasonable risk, considering the state of the art and matching reasonable safety expectations at the point in time when the product is placed on the market.

Safety impacts (selection):
• Random hardware faults
• Systematic faults
• Insufficient nominal performance
• Controllability / usability reduction
• Aging / wear-out
• Intentional manipulation of the system

"A product [...] may only be made available on the market if its intended or foreseeable use does not put the health and safety of persons at risk."
[§3(2) Product Safety Act]

Functional Safety – SOTIF – Cybersecurity

Functional Safety: Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems. [ISO 26262-1:2018]

SOTIF (Safety of the Intended Functionality): Absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse by persons. [ISO/PAS 21448:2019]

Cybersecurity: Condition in which assets are sufficiently protected against threat scenarios to items of road vehicles, their functions and their electrical or electronic components. [ISO/SAE FDIS 21434:2021]

Functional Safety – Cybersecurity

Functional Safety: Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems. [ISO 26262-1:2018]

Cybersecurity: Condition in which assets are sufficiently protected against threat scenarios to items of road vehicles, their functions and their electrical or electronic components. [ISO/SAE FDIS 21434:2021]

How do we evaluate the safety risk of an intentional manipulation?

Safety-Security Integration in Practice

HARA according to ISO 26262

Risk of a hazard = Probability of occurrence ⊗ Severity
Probability of occurrence = Probability of the hazardous event ⊗ Probability of the hazardous situation ⊗ Possibility to control or mitigate the hazard

See also:
• ISO/IEC Guide 51:2004 (Safety aspects – Guidelines for their inclusion in standards)
• ISO 26262-3:2018, Annex B.1 (Hazard analysis and risk assessment)

Safety-Security Integration in Practice

HARA according to ISO 26262 – mapping to the ASIL parameters

Risk of a hazard = Probability of occurrence ⊗ Severity ("Severity" S)
Probability of occurrence = Probability of the hazardous event (Malfunction) ⊗ Probability of the hazardous situation ("Exposure" E) ⊗ Possibility to control or mitigate the hazard ("Controllability" C)

S, E and C together determine the ASIL (ISO 26262-3:2018, Table 4).

See also:
• ISO/IEC Guide 51:2004 (Safety aspects – Guidelines for their inclusion in standards)
• ISO 26262-3:2018, Annex B.1 (Hazard analysis and risk assessment)

ASIL = Automotive Safety Integrity Level

Safety-Security Integration in Practice

Cybersecurity vs. ASIL

Risk of a hazard = Probability of occurrence ⊗ Severity ("Severity" S)
Probability of occurrence = Probability of the hazardous event (Malfunction) ⊗ Probability of the hazardous situation ("Exposure" E) ⊗ Possibility to control or mitigate the hazard ("Controllability" C)

Functional Safety: statistical independence between the driving situation (exposure) and the probability of the malfunction is assumed; only then can the two probabilities be combined as above.
Cybersecurity: statistical independence is not given. An attacker may provoke the malfunction deliberately in a chosen driving situation, so the exposure term no longer reduces the probability of occurrence.

ASIL is therefore not a meaningful parameter for the necessary safety risk reduction against an intentional manipulation!

ASIL = Automotive Safety Integrity Level
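As an added worked example (not from the Bosch slides), the following Python encodes the ASIL determination table of ISO 26262-3:2018 (Table 4) and re-runs a constructed HARA under the observation above: once an attacker chooses the driving situation, Exposure stops being a random variable and the joint probability of "malfunction in a hazardous situation" degenerates to the attack success probability. The hazards, their S/E/C ratings and the probabilities are constructed illustrations, not ratings from any real analysis; the function names asil, asil_under_attack, p_hazardous_event and hara_comparison are chosen here.

```python
# Added example (not from the Bosch slides): ISO 26262 ASIL determination and
# why the Exposure term collapses once an attacker chooses the driving situation.
# The table is ISO 26262-3:2018, Table 4; the hazard parameters further down are
# constructed illustrations, not ratings from any real HARA.

# ISO 26262-3:2018, Table 4. Key: (Severity S, Exposure E); value: ASIL for
# Controllability C1, C2, C3 in that order. "QM" = no ASIL, quality management only.
ASIL_TABLE = {
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A",  "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A",  "B"),  (2, 4): ("A",  "B",  "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A",  "B"),
    (3, 3): ("A",  "B",  "C"),  (3, 4): ("B",  "C",  "D"),
}


def asil(s: int, e: int, c: int) -> str:
    """ASIL of one hazardous event from S (0-3), E (0-4), C (0-3).
    For S0, E0 or C0 the standard assigns no ASIL; returned here as "QM"."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"out of range: S{s} E{e} C{c}")
    if s == 0 or e == 0 or c == 0:
        return "QM"
    return ASIL_TABLE[(s, e)][c - 1]


def p_hazardous_event(p_situation: float, p_malfunction: float, attacker: bool) -> float:
    """Probability that the malfunction and the hazardous situation coincide.

    Random hardware fault: situation and malfunction are statistically independent,
    so the joint probability is the product (this is what the Exposure class encodes).
    Intentional manipulation: the attacker triggers the malfunction only once the
    vehicle is in the chosen situation, i.e. P(situation | malfunction) = 1, and the
    joint probability degenerates to the probability of a successful attack. The
    Exposure term then contributes no risk reduction at all.
    """
    if attacker:
        return p_malfunction
    return p_situation * p_malfunction


def asil_under_attack(s: int, c: int) -> str:
    """Re-rate a hazard assuming the attacker picks the worst driving situation.
    Exposure is no longer a random variable; the only defensible value is E4,
    which pushes every S3/C3 hazard to ASIL D no matter how rare the situation
    is in normal driving. The resulting ASIL says nothing about the attacker's
    capability, which is the slide's point: it is not a useful target for the
    security risk reduction."""
    return asil(s, 4, c)


# Constructed hazards (illustrative parameters only): name, S, E in normal driving, C.
HAZARDS = [
    ("unintended full braking at highway speed",          3, 3, 2),
    ("loss of steering assist on a narrow mountain pass", 3, 1, 3),
    ("wrong speed-limit display in a 30 km/h zone",       1, 4, 1),
]


def hara_comparison():
    """Per hazard: the ASIL from a conventional HARA next to the rating once
    Exposure is attacker-controlled."""
    rows = []
    for name, s, e, c in HAZARDS:
        rows.append({
            "hazard": name,
            "asil_random_fault": asil(s, e, c),
            "asil_intentional_manipulation": asil_under_attack(s, c),
        })
    return rows


if __name__ == "__main__":
    for row in hara_comparison():
        print(f"{row['hazard']:<52} HARA: {row['asil_random_fault']:>2}"
              f"  attacker-chosen situation: {row['asil_intentional_manipulation']}")
    # A situation present 1 % of the driving time and a fault with probability 1e-4.
    print("random fault, joint probability:", p_hazardous_event(0.01, 1e-4, attacker=False))
    print("intentional manipulation       :", p_hazardous_event(0.01, 1e-4, attacker=True))
```

The interesting row is the rare situation: a random fault on a mountain pass rates ASIL A because E1 discounts it, while an attacker who waits for exactly that situation turns the same hazard into ASIL D. The table does not break, but the Exposure input it relies on has become attacker-chosen, which is why the slide treats ASIL as the wrong yardstick for security risk reduction.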

[Figure: see D. Förster, C. Loderhose, Th. Bruckschlögl, F. Wiemer (Bosch): Safety Goals in Vehicle Security Analyses, ESCAR 2019]

Functional Safety – SOTIF

Functional Safety: Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems. [ISO 26262-1:2018]

SOTIF (Safety of the Intended Functionality): Absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse by persons. [ISO/PAS 21448:2019]

How do Functional Safety and SOTIF interact?

Functional Safety vs. SOTIF

[Figure (after ISO/PAS 21448:2019): intended function vs. malfunction]

Safety of the Intended Functionality (SOTIF)

Is the performance of the sensors / the system sufficient to ensure reasonably safe operation of the system? Is the situational awareness sufficient?

[https://www.engadget.com/2010/09/08/optical-illusion-lets-you-safely-run-over-fake-children]

SOTIF – Cybersecurity

SOTIF (Safety of the Intended Functionality): Absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse by persons. [ISO/PAS 21448:2019]

Cybersecurity: Condition in which assets are sufficiently protected against threat scenarios to items of road vehicles, their functions and their electrical or electronic components. [ISO/SAE FDIS 21434:2021]

Manipulation of the environment? ("Environmental Hacks")

"Environmental Hacks": Traffic sign

[https://winfuture.de/news,99034.html]

Similar to pollution of the traffic sign (e.g. by snow), therefore in principle already addressed in SOTIF.

"Environmental Hacks": Example – projection of traffic signs

[https://www.youtube.com/watch?v=C-JxNHKqgtk]

A speed limit traffic sign is projected by a drone onto a wall… The car considers the 90 km/h speed limit as real!

From the system's point of view the input data are "valid"; therefore this case is not addressed by SOTIF.

"Environmental Hacks": Processual approach

Test, verification & validation as part of the "standard" product development process (V-model: Requirements Analysis, System Design, HW/SW Design, HW/SW Implementation, HW/SW Test, System Integration, System Test), across the lifecycle phases Research, Series Development, Production and After-Sales/Maintenance.

• Security: identify the relevant environmental attack scenarios.
• Non-security disciplines: define & implement countermeasures to address the identified relevant attack scenarios.

The systematic collaboration between the different safety and security disciplines becomes more and more important …

… and will therefore be required by different safety standards and regulations in future!

ISO 26262-2:2018

[Figure only]

UN-ECE R157 (2021-03)

https://unece.org/sites/default/files/2021-03/R157e.pdf

Overview of automotive safety standards (without claim of completeness …)

Published:
• ISO 26262 (2018)
• ISO/PAS 21448 (2019)
• ISO/TR 4804 (2020)
• ISO 21434 (07/2021)

Under development (expected publication):
• ISO 21448 (03/2022)
• ISO/TR 5469 (04/2022)
• ISO 34502 (09/2022)
• ISO/TS 5083 (02/2023)

In preparation:
• ISO TR Predictive Maintenance
• ISO PAS Qualification of pre-existing SW

Planned:
• Automotive-specific safety standard for AI

Legend on the slide: "Relevant for ADAS/AD"; "AI specific" (standard contains AI-specific issues); "Not relevant in the automotive context" (UL 4600).

Note: Other standards (e.g. ISO 24089 Road vehicles — Software update engineering (under development)) can also be relevant.

THANK YOU