challenges and current solutions for safe and secure connected...
TRANSCRIPT
Challenges and current solutions for safe andsecure connected vehicles
Dr. Simone Böttger, Dr. Alexander Mattausch, Simon DürrElektrobit Automotive GmbH
Erlangen, Germany
July 12, 2018
Digitalization reshaped our everyday life in thepast twenty years and the automotive industry is alsopart of this change. Today’s vehicles are increasinglysmart and connected providing additional safety andconvenience features (autonomous emergency brak-ing, adaptive cruise control). Next generation vehicleswill be highly automated and autonomous up to level5 (driverless), which will fundamentally change themeaning of driving. At the same time, all these bene-fits require more powerful control units and a greaterflexibility in electronic control unit (ECU) software,which inevitably calls for a redesign of the E/E archi-tecture inside the vehicle.
While safety was always considered as a critical en-gineering concern in the automotive industry, securitybecame a significant challenge when vehicles beganturning into rolling computers. Due to the fatal na-ture of vehicles, autonomously driving and connectedvehicles need to be highly reliable in safety and secu-rity to gain full acceptance, much more than other de-vices in the Internet of Things. Consequently, safetyand security are key concepts in the system architec-ture of future vehicles.
This paper will give an overview of the currentchallenges and solutions regarding safety and securitywithin the vehicle’s E/E architecture.
1 IntroductionThere are two major technologies emerging, whichwill fundamentally change what driving means: au-tonomous driving and connectivity.
Autonomous driving is aiming to reduce the inputfrom human operators to the point of no driver buttravelers only. New features of automated driving andadvanced driver assistance systems that are already inuse (adaptive cruise control, intelligent parking assis-tant, lane warning systems, autonomous emergencybraking etc.) are paving the way for autonomouslydriving vehicles. These features make use of con-nectivity to gain the required external informationfrom the infrastructure. In the future, vehicle-to-everything (V2X) technologies will include much more
elements of the near and remote environment (roadsigns, traffic lights, other vehicles, cloud etc.) to wire-lessly establish the necessary exchange of information.More vehicles will leverage V2X to ease congestion,avoid accidents, or reduce emissions.
Connectivity also enables OEMs to efficiently man-age the software during the whole life cycle of the ve-hicle. As the complexity of software architectures andthe variety of applications increase, feature upgrades,urgent bug-fixes, or security patches will become nec-essary on a frequency that cannot be realized by re-calling vehicles to the dealer’s shop when needed. Forthis reason, over the air (OTA) update technologiesare essential for the next step toward high-level au-tonomous driving.
Along with the transformation of the vehicle to-ward a computerized system on wheels with connec-tions to the internet and other external networks, thedriving experience of the end-user will change. Pas-sengers already have the option to connect devices likesmartphone or tablet to the vehicle and use apps thatare running on them via the In-Vehicle-Infotainmentsystem. New business concepts like pay-by-use mod-els will appear, where the customer pays for certainfeatures on demand (air conditioning, seat heating,navigation, 3D bass). Same with the whole vehicle,people do not need to own a car but can make use ofcar sharing models and choose the equipment of thevehicle as desired for the current purpose.
2 E/E architectureThe current E/E architecture is based on trustedfunctional domain controllers for e.g. chassis, body,or powertrain. To master the upcoming E/E sys-tem complexity and the demand for more computa-tional power and a fast data transmission channel,there shall be a small number of high-performancecontrollers interconnected via automotive Ethernet.These central computing platforms run on multi-coreprocessors that monitor and control a number of lessintelligent, yet highly specialized ECUs. The fu-ture architecture of a vehicle infrastructure is envi-
1
sioned as a service-oriented architecture with multi-layer services. The current numerous ECUs will besplit into low-performance I/O controllers and high-performance domain controllers, which are dynamicsystems that provide update capabilities as well assafety and security features.
Figure 1: Centralized architecture
This influences the software architecture becausethe centralized performance ECUs require a consoli-dated platform that hosts the heterogeneous function-alities of automotive control and infotainment.
In response, the AUTOSAR consortium currentlydevelops a new software platform, the adaptive plat-form (AP), which complements the widely-used classi-cal platform (CP). The combination of both platformsshall guarantee the requirements on performance aswell as safety and security of the E/E architecture ofnext generation technologies. For instance, one of themain features of the AP is the ability to update indi-vidual functions on the ECU retroactively and duringrun-time.
The AP is based on the POSIX operating system,which can run on a multi-core processor or on a hy-pervisor to realize virtualization. While a multi-corecontroller provides a safe and secure separation of per-formance partitions, virtualization provides a safe andsecure separation of software partitions (Figure ??).
3 Functional safetyThese trends initiated a paradigm shift in automo-tive safety concepts. In case of a detected failure,the standard approach in many safety relevant sys-
Figure 2: Software architecture of a high-performancecontroller
tems is fail-silent; that is, the safe state is usually thedeactivation of the function. For autonomous drivingand the electrification of main vehicle functions, x-by-wire technologies are introduced, replacing mechani-cal or hydraulic backup systems. These technologiesrequire fail-operational behavior, which means thatthe function is (partially) maintained for a certainperiod of time after failure and then deactivated orresumed without service interruption. Developing afail-operational architecture for each x-by-wire systemis essential to facilitate reliability and safety. Multi-ple redundancy, as in avionic systems, cannot simplybe adopted to automotive platforms because of theresulting higher hardware costs, weight and energyconsumption. A slightly different approach, whichprovides fail-operational behavior between ECUs withmanageable costs, is the so-called 1-out-of-2 diagnos-tic (1oo2D) system architecture (e.g. [8]). In case ofa fault, the function is dynamically reallocated to an-other ECU, which temporarily continues the functionuntil the vehicle can be safely halted. For this, bothECUs need to be equipped with strong diagnostic ca-pabilities and additional monitoring elements.
4 Connectivity and securityWith all the unprecedented possibilities and opportu-nities that come with digitalization and connectivity,new challenges concerning security issues arise. As thenumber of advanced functionalities, electronic compo-nents, processing intensity, and connection points of avehicle increase, the amount of assets gets larger, ex-tending the attack surface to a new dimension. A ve-hicle compromised through vulnerability in the systemmay lead to operational, privacy, financial, or safetyloss.
In the past, the vehicle was a closed system andthreats that require (prior) physical access to the in-
Figure 3: AUTOSAR’s distributed health manage-ment
vehicle network had been excluded from the securityconcept. Since wireless connections expose the vehicleto external attacks, the automotive industry is facingunconsidered threat models. In case of the attack onthe Chevrolet Impala of General Motors in 2010, ittook years to fix the vulnerabilities and implementcountermeasures ([9]). Since then, many successfulattacks have shown that, like every device connectedto the Internet, a vehicle with wireless connections isvulnerable to remote attacks ([1], [2], [6]).
The most prominent attack that finally raised ev-eryone’s attention to the importance of security inthe automotive industry, was the attack on the JeepCherokee in 2015 ([5]). Two security researchers re-motely gained access to the Jeep via the diagnos-tic bus port of the entertainment system and tookcontrol over vehicle functions including steering andbrakes. Less significant threats to personal safety maycause financial problems or reputational damage tothe OEMs, when the whole fleet of a popular modelis affected via OTA mechanisms.
How to avoid such attacks? First of all, one hasto accept that there is no such thing as a 100% se-cure system. Instead, one has to check the systemfor vulnerabilities on a continuous basis, try to thinklike an attacker, learn about new threat models, andadjust the system’s security as needed. The lattermakes OTA software updates a must-have technologyfor connected vehicles.
Hidden vulnerabilities are unavoidable and mightbe found by a black-hat hacker first. In this case, thegoal is slowing down or stopping the attacker on thepath to the most critical assets. For this, many chal-lenging obstacles need to be implemented by means ofsecurity mechanisms in every layer (Figure 4). Thisis a well-established strategy in military, known as
defense in depth. By causing delays for the attacker,additional intrusion or anomaly detection mechanismsenable applying several defense modes, e.g. reconfig-uration (request change of session key), and enhancethe chances of stopping the attacker before doing anyserious damage.
Figure 4: Layered security
In fact, in almost every example where attackerstook control of vehicle functions, they were only ableto do so because they found not a single vulnerabilitybut a chain of vulnerabilities on their way to thesecritical functions.
5 Standardized development processAs shown in the last section, security issues have animpact on safety, when security mechanisms fail toensure the integrity of safety functions. On the otherhand, safety mechanisms like consistent monitoringand reporting is a key requirement for good, layeredsecurity. Functional safety and security are not inde-pendent from each other and need to be synchronizedin processes and development like in other domains.
Figure 5: Combined safety and security process modelfor systems engineering
The ISO 26262 standard ([3]) covers the aspectsof functional safety in system development on processlevel as well as on method level. An equivalent se-curity standard does not exist yet. The guidebookfor the development of security relevant systems SAEJ3061 ([7]) describes processes and methods similar tothe life cycle of ISO 26262 but is not a standard. In2019, this gap shall be filled by the standard ISO/SAE21434. It shall specify the requirements for cyber se-curity risk management for road vehicles, their com-ponents and interfaces, throughout engineering (e.g.concept, design, development), production, operation,maintenance, and decommissioning.
AcknowledgmentThis work was supported by the Federal Ministry forEconomic Affairs and Energy (BMWi) under Grant01MD16002G.
References[1] c’t magazine for computer techniques:
Beemer, Open Thyself! Security vul-nerabilities in BMW’s ConnectedDrive,http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html,2015.
[2] Troy Hunt: Controlling vehicle features of Nis-san LEAFs across the globe via vulnerable APIs,https://www.troyhunt.com/controlling-vehicle-features-of-nissan/, 2016.
[3] ISO 26262: Road vehicles - Functional safety.
[4] ISO/SAE 21434: Road vehicles - Cybersecurityengineering.
[5] Charlie Miller, Chris Valasek: Remote ex-ploitation of an unaltered passenger vehicle,http://illmatics.com/Remote\%20Car\%20Hacking.pdf, 2015.
[6] Sen Nie, Ling Lu, Yuefeng Du: Free-fall:hacking Tesla from wireless to CAN bus,https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus-wp.pdf,
[7] SAE J3061: Cybersecurity guidebook for cyber-physical vehicle systems, 2016.
[8] Philipp Schleiss, Christian Drabek, GereonWeiss, Bernahrd Bauer: Generic Management ofAvailability in Fail-Operational Automotive Sys-tems, SAFECOMP 2017: Computer Safety, Re-liability, and Security, 2017
[9] WIRED magazine: GM took 5 years to fix afull-takeover hack in millions of onstar cars,
https://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars/, 2016