
EuroSPI 2017 6.-8.9.17 1

Integrated Assessment of AutomotiveSPICE 3.0, Functional Safety ISO 26262, Cybersecurity SAE J3061

Christian Kreiner, Institute of Technical Informatics, TUGraz
Richard Messnarz, ISCN GesmbH

The “AQU” project is financially supported by the European Commission in the Erasmus+ Programme under the project number 2015-1-CZ01-KA203-013986 – P1 TUG. This website and the project’s publications reflect the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

Institute of Technical Informatics, Industrial Informatics Workgroup

Workgroup hot topics:

• Functional safety and embedded systems security
  • ISO 26262, IEC 61508, J3061
  • ECQA Certified Training Provider for Functional Safety
  • ECQA Certified Training Provider for AQUA
• Development methods
  • Product Line Engineering
  • Standard quality models (Automotive SPICE)
  • Agile Systems Engineering
• Model-based system development
  • Domain-specific languages
  • models@runtime
• (Embedded) software architecture
  • Component and middleware architectures

Contact: [email protected]

• Accredited iNTACS™ training provider for ISO/IEC 15504 and Automotive SPICE®
• VDA-QMC certified training provider
• ECQA Certified Training Provider for Functional Safety
• Moderator of SoQrates group: more than 20 leading German and Austrian companies share knowledge concerning process improvement, safety and security. http://soqrates.de

Contact: Dr Richard Messnarz, [email protected]

Contents

• Example integration of ASPICE, Functional Safety and Cybersecurity (ASQ – SQP Volumes)
• Extended and integrated review and assessment approach (SOQRATES Working Group)
• Future of Static and Dynamic Cybersecurity System Architectures and Function Groups in Cars

Running example: Electronic Power Steering (EPS)

Integrated Teams

• Assembler Manufacturer
• SW Safety & Security Designer
• Mechatronic Designer
• Technical Project Leader
• HW Safety & Security Designer
• System Safety & Security Engineer

AUTOMOTIVE SPICE 3.0

Automotive SPICE 3.0 terminology: "Element", "Component", "Unit", and "Item"

The relationships between element, component, software unit, and item are used consistently in the system and software engineering processes.

Automotive SPICE key concept: Traceability of System Design and Domain Plug-Ins

• System Architectural Design describes system functions and their decomposition into hardware, software, mechanical components and functions

Automotive SPICE key concept: Traceability and Consistency between the life cycle phases

Figure: steering system scope. Labels: STEERING, ASIL-D (three times), Typical Scope of Supplier, Classic EPS scope.

Risk Classification

Building a Requirements Traceability as Part of the Safety Case

Customer Requirements: e.g. steering angle assured by ASIL-D; e.g. mechanical and software based steering endstop.

Hazard Analysis: identification and classification of safety risks and hazards. e.g. Safety Goal: no uncontrolled actuation of steering system. Risk: uncontrolled actuation can happen with wrong sensor input or steering command.

FMEA / FMEDA: analysis of hazards and safety risks and measures by FMEA and FMEDA. e.g. Measure: redundant and diverse rotor position sensors, comparing internal steering angle with external (ADAS command) steering angle.

System Requirements Specification: System Requirements, e.g. steering angle is measured internally and reported on the bus. Safety Requirements, e.g. we need to trust the steering angle at ASIL D: 2 redundant diverse rotor positions, plausibility check, safe state in case of deviation. Safe state is assured by a 6 or 12 phase motor with a limp home mode (in ADAS mode with no driver interference).

Requirements, safety requirements, and traceability

Decomposition (ISO 26262)

Independent confirmation measures [ISO 26262-2, 6.4.7 Tab1]:
• Confirmation reviews
• Functional safety audit
• Functional safety assessment

Independence of elements after decomposition:
• No dependent failures, or
• Dependent failures have a safety mechanism

Functional Signal Flow

Figure: functional signal flow of the steering function. Labels: Rotor Position 1 (ASIL-B), Rotor Position 2 (ASIL-B), ASIC (ASIL-D), Sin, Cos, Index Pos 1, Sin, Cos, Index Pos 2, ASIL-D.

INTEGRATION OF AUTOMOTIVE SPICE, FUNCTIONAL SAFETY, CYBERSECURITY

Figure: functional signal flow for ADAS scenarios (the steering signal flow above plus the external steering command). Additional labels: Steering Command, Network around the car, ASIL-D.

Functional flow for ADAS scenarios needs „external“ steering commands with ASIL-D.

IT Secure vehicle: Understanding interference from IT Security

• Prio 1: Analyse IT threats which can lead to the hazardous failure
• Prio 2: Analyse additional IT security threats

Dependable vehicle: Understanding interference from Cybersecurity

Attack Type* / Impact / How

Spoofing Commands: Messages on CAN are used to simulate that the car is stopping. Checksum algorithm and message structure hacked. Sending a wrong steering command with the correct encryption and identification.

Denial of service: Messages on CAN are used to simulate that the car is never stopping. Overloading the bus with speed < 3 km/h so that the steering lock is activated.

Tampering: Changing configuration data in a memory (setting speed limit for activating steering lock). Changing parking mode from < 10 km/h to < 200 km/h so that parking mode steering is used at high speed (resulting in a too big steering angle).

*Following STRIDE security analysis method

Attack Type* / Impact / How

Identity Spoofing: Spoofing identity of garage; spoofing identity of message. Presumption of above scenarios.

Information Disclosure: Memory dump and copying of data, gaining knowledge about encryption keys, checksum algorithms. Presumption of above scenarios.

Elevation of privilege: Access to the gateway and access to the privileged bus in the car. Presumption of above scenarios.

*Following STRIDE security analysis method

Dependable vehicle: Understanding interference from Cybersecurity

Figure: intrusion structure across the automotive defense layers (labels in reading order): Maintenance tools, listening tools (Information Disclosure, Elevation of Privileges); Vehicle Bus and Gateway (Spoofing Identity); Vehicle Steering Related ECUs (Spoofing of Commands, Tampering); Vehicle Function Steering Lock (Denial of service, Spoofing of Commands leading to locking); Automotive Defense Layer 1, Layer 2, Layer 3; ASIL-D.

Compared to function chains in Safety, we have to analyse a completely different „intrusion“ structure.


Safety – Security traceability

Traceability: Threat Specification per Safety Goal

Automotive Defense Layers

SPOOFING OF COMMANDS LEADING TO UNINTENDED STEERING

Dynamic Flow through Layers

Figure: dynamic flow through the automotive defense layers. Components along the path: OBD (On Board Diagnose), GW (Gateway), DDC (Dynamic Drive Control), Electronic Steering ECU and Sensors, Motor and Steering Rack. Automotive Defense Layer 1 to Layer 4, each with its Defence Mechanisms (Layer 1 to Layer 4).

Flow Case 1: vehicle infrastructure
Flow Case 2: service garage

Flows are highlighted by variables that can be monitored.

• Indicator: steering command
• Indicators to be monitored: combining steering command e.g. with speed (active steering), requested torque, etc.
• Indicator: comparing steering angle with internally measured angle by rotor position sensors
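The safety requirement on the traceability slide (two redundant diverse rotor position sensors, a plausibility check, safe state on deviation) and the indicators on this slide (steering command combined with speed, external steering angle compared with the internally measured angle) describe a monitor concretely enough to write down. The C program below is an added example by the editor, not code from the slides or from the authors' projects. The function name plausibility_monitor, the struct fields and every threshold (2 deg sensor mismatch, 5 deg command step per cycle, 10 deg / 40 deg angle limits, the 5 to 20 km/h sanity range for the configured parking-mode speed limit) are constructed for illustration and would be calibrated per vehicle. It also covers the tampering row of the STRIDE table, where the configured parking-mode speed limit is rewritten from < 10 km/h to < 200 km/h: a hard-coded sanity range on that configuration value rejects the tampered setting before it can widen the allowed steering angle.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the slides. All thresholds are constructed for
 * illustration; real values are calibrated per vehicle and ASIL-rated. */
#define ROTOR_MISMATCH_LIMIT_DEG    2.0  /* max disagreement between the two diverse rotor sensors */
#define CMD_STEP_LIMIT_DEG          5.0  /* max jump of the external command vs. measured angle per cycle */
#define PARKING_ANGLE_LIMIT_DEG    40.0  /* large steering angles only in parking mode */
#define DRIVING_ANGLE_LIMIT_DEG    10.0  /* smaller angles once the car is moving */
#define PARKING_SPEED_CFG_MIN_KMH   5.0  /* hard-coded sanity bounds for the configurable */
#define PARKING_SPEED_CFG_MAX_KMH  20.0  /* parking-mode speed limit (detects a tampered config) */

typedef enum {
    MONITOR_OK = 0,
    SAFE_STATE_CONFIG_IMPLAUSIBLE,   /* configured speed limit outside its sanity bounds */
    SAFE_STATE_SENSOR_MISMATCH,      /* redundant rotor position sensors disagree */
    SAFE_STATE_CONTEXT_IMPLAUSIBLE,  /* commanded angle not plausible for the current speed */
    SAFE_STATE_COMMAND_JUMP          /* external command jumps away from the measured angle */
} monitor_result_t;

typedef struct {
    double rotor_angle_1_deg;        /* rotor position sensor 1 (ASIL-B channel) */
    double rotor_angle_2_deg;        /* rotor position sensor 2 (diverse ASIL-B channel) */
    double external_cmd_deg;         /* steering command received from the vehicle network */
    double vehicle_speed_kmh;        /* vehicle speed from the bus */
    double parking_speed_limit_kmh;  /* configurable: parking-mode steering allowed below this speed */
} steering_inputs_t;

/* One monitor cycle. Returns MONITOR_OK and stores the trusted angle, or the
 * safe state the steering ECU has to enter (e.g. limp home mode). */
monitor_result_t plausibility_monitor(const steering_inputs_t *in, double *trusted_angle_deg)
{
    /* 1. Tampering check: the configured speed threshold must lie in its hard-coded sanity
     *    range, so a parking-mode limit rewritten to e.g. 200 km/h is rejected before use. */
    if (in->parking_speed_limit_kmh < PARKING_SPEED_CFG_MIN_KMH ||
        in->parking_speed_limit_kmh > PARKING_SPEED_CFG_MAX_KMH)
        return SAFE_STATE_CONFIG_IMPLAUSIBLE;

    /* 2. Redundancy check: the two diverse rotor sensors must agree before their value is trusted. */
    if (fabs(in->rotor_angle_1_deg - in->rotor_angle_2_deg) > ROTOR_MISMATCH_LIMIT_DEG)
        return SAFE_STATE_SENSOR_MISMATCH;
    double measured_deg = 0.5 * (in->rotor_angle_1_deg + in->rotor_angle_2_deg);

    /* 3. Context check: combine the steering command with vehicle speed. */
    bool parking_mode = in->vehicle_speed_kmh < in->parking_speed_limit_kmh;
    double angle_limit = parking_mode ? PARKING_ANGLE_LIMIT_DEG : DRIVING_ANGLE_LIMIT_DEG;
    if (fabs(in->external_cmd_deg) > angle_limit)
        return SAFE_STATE_CONTEXT_IMPLAUSIBLE;

    /* 4. Internal/external comparison: the command may only move a bounded step
     *    away from the internally measured angle within one control cycle. */
    if (fabs(in->external_cmd_deg - measured_deg) > CMD_STEP_LIMIT_DEG)
        return SAFE_STATE_COMMAND_JUMP;

    if (trusted_angle_deg)
        *trusted_angle_deg = measured_deg;
    return MONITOR_OK;
}

static const char *result_name(monitor_result_t r)
{
    static const char *names[] = { "OK", "CONFIG_IMPLAUSIBLE", "SENSOR_MISMATCH",
                                   "CONTEXT_IMPLAUSIBLE", "COMMAND_JUMP" };
    return names[r];
}

int main(void)
{
    /* Constructed input cycles (not recorded vehicle data). */
    const steering_inputs_t cycles[] = {
        {  3.0,  3.2,  5.0, 50.0,  10.0 },  /* normal driving */
        {  3.0,  3.2, 35.0, 50.0,  10.0 },  /* 35 deg at 50 km/h: not plausible while driving */
        { 30.0, 30.5, 33.0,  3.0,  10.0 },  /* 33 deg at 3 km/h: plausible in parking mode */
        {  3.0,  8.0,  5.0, 50.0,  10.0 },  /* sensors disagree by 5 deg */
        { 30.0, 30.5, 33.0, 50.0, 200.0 },  /* parking limit tampered to 200 km/h */
        {  3.0,  3.2,  9.5, 50.0,  10.0 },  /* command jumps 6.4 deg from the measured angle */
    };
    for (size_t i = 0; i < sizeof cycles / sizeof cycles[0]; i++) {
        double angle = 0.0;
        monitor_result_t r = plausibility_monitor(&cycles[i], &angle);
        printf("cycle %zu: %s (trusted angle %.2f deg)\n", i, result_name(r), angle);
    }
    return 0;
}
```

The order of the checks matters: the configuration is validated before it is used to pick the angle limit, and the sensor pair is validated before its average is compared with the external command, so no later check consumes a value an earlier check has already found implausible. Each non-OK result names the safe state to enter, which is the hook for the limp home mode the slides require.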

Defence Layer Model: Modelling New Car Architectures and App-Communication

Figure: function groups on a shared platform. FUNCTION GROUP STEERING: Steering APP, PLA APP, SteeringLock APP, … on a Safe Operating System, Realtime VM, X (e.g. 10)-Core HW. SecureEthernet connects to FUNCTION GROUP POWERTRAIN: Gearbox APP, Motor Control APP, … on a Safe Operating System, Realtime VM, X (e.g. 10)-Core HW.

Customer SSL Apps: Modelling New Car Architectures and App-Communication

Figure: the same platform as above, with Supplier APP and Customer SSL … in FUNCTION GROUP STEERING and Gearbox APP, Motor Control APP, … in FUNCTION GROUP POWERTRAIN, each on a Safe Operating System, Realtime VM, X (e.g. 10)-Core HW, connected via SecureEthernet. Labels: Encryption by e.g. Autosar; Encryption by Customer.

Function Flow with Autosar Encryption plus Internal Customer SSL Encryption on Application Layer (all signals along this critical path are encrypted).

SDN Driven System: The system is not just the car any more! What is the system scope?

Figure: CAR 1 … CAR i, each with nodes (Node with Service A[i], Node with Service B[i], Node with Service C[i], …) on a Safe Operating System, Realtime VM, X (e.g. 10)-Core HW; services A[n], B[n], C[n] across cars.

SDN (Software Defined Network) is a method for a network set-up where the dependency on the hardware architecture is substituted by a software controlled network in which controllers offer services in the network.

ASPICE 3.0 Integration: Integrating Into Base Practices – Extended Assessment Questions

(ASPICE) SYS.2.BP3 Analyze the impact on the operating environment. Determine the interfaces between the system requirements and other components of the operating environment, and the impact that the requirements will have. [Outcome 3]

ISO 26262-4, 6.4.1 Specification of the technical safety requirements. ISO 26262-4, 6.4.1.1 The technical safety requirements shall be specified in accordance with the functional safety concept, the preliminary architectural assumptions of the item and the following system properties:
a) the external interfaces, such as communication and user interfaces, if applicable;
b) the constraints, e.g. environmental conditions or functional constraints; and
c) the system configuration requirements.
NOTE: The ability to reconfigure a system for alternative applications is a strategy to reuse existing systems.
NOTE: See questions for ISO 26262-4, 6.4.1 and ENG.2 BP1.

(Security) SAE J3061, 8.3.1 Feature Definition. The feature definition defines the system being developed to which the Cybersecurity process will be applied. The feature definition identifies the physical boundaries, Cybersecurity perimeter, and trust boundaries of the feature, including the network perimeter of the feature. …

SAFETY FUNCTIONS AND CONNECTED VEHICLES

The world is bigger: ADAS (connected) environments

Figure: cloud based infrastructure for driving support. Elements: mobile internet technologies, infrastructure base stations, radio-navigation satellite systems, driving events databases (OEM, authorities), driving data analysis, cloud driving services.

Vehicles report driving events into the cloud: e.g. position, speed, steering angle, obstacles detected, ...

Vehicles get driving situation, recommendations, commands from the cloud, e.g. steering related:
* instantaneous steering angle of neighbor cars
* typical steering angle for road position
* obstacles detected, ...

Critical signal path scenario

1. Vehicle local sensors (correctness?)
2. Signals sent to service infrastructure (correctly related to position etc.?)
3. Cloud storage (corruption?)
4. Merge with other cars' signals (data poisoning?) in the current vicinity (correct location?) and those ever operated near the current position (depending on the algorithm for driving data analysis, and its correctness).
5. Up-to-date steering angle recommendation & road conditions for the current position sent to all the cars (availability, low latency, correctness, scalability?).
6. Steering angle is applied to the cars’ steering (correct in the current context?).

Proposed ASPICE extension for Automotive Service Infrastructure (ASI processes)

Expected typical properties
• “ASIL-D” QoS (Quality of Service) service monitoring for correct operation, availability, scalability and low latency.
• Preparedness for interruption of connectivity: local take-over (challenging for e.g. platooning)
• Cybersecurity of service infrastructure (e.g. wrong data injected, services spoofed, stored data and algorithms tampered with, messages altered)
• Etc.

Extension of ASPICE for Automotive Service Infrastructure (ASI processes)

By example: ASI.2 Requirements Analysis, Base practice BP4

ASI.2.BP4: Analyze the interfaces between the vehicle and the service infrastructure.
• Analogous and linked to “SYS.2.BP4: Analyze the impact on the operating environment”
• Identify the interfaces between the vehicle and the service infrastructure.
• Analyze the impact that the service infrastructure interfaces will have on the vehicle operating environment.
• OUTCOMES: Quality of Service (Availability), defined reaction in case of no availability, criticality of information, safety classification (if provided as QM or validated among a set of data to be provided with an ASIL), encryption and identification mechanisms to be implemented.

Extended Cybersecurity (SAE J3061:2016) Assessment Questions:
• Related to SAE J3061:2016, clause 8.3.1 Feature Definition, which identifies
  • physical boundaries,
  • Cybersecurity perimeter, and
  • trust boundaries of the feature, including the network perimeter of the feature.
• The feature definition defines the scope and interfaces of the feature.

Christian Kreiner, TUGraz; Richard Messnarz, ISCN

RELATED SKILLS PROJECTS: AQUA ECOSYSTEM

AQUA - Knowledge Alliance for Training Quality and Excellence in Automotive
http://automotive-knowledge-alliance.eu

EU Sector Skills Alliance for Automotive. Aims:
• A unique, sustainable strategic alliance for
  • modern certified VET curricula for the automotive sector
  • industry aligned
  • capable of Europe-wide implementation
• Certified VET training course: Integrated Quality, Functional Safety, and Six Sigma in Automotive
• Certification by European Certification and Qualification Association (http://ecqa.org)
• Incorporated into
  • Automotive Clusters qualification programmes
  • University education (TUGraz, Grenoble INP)

This project has been funded with support from the European Commission under agreement EAC-2012-0635. This publication/communication reflects the views only of the author, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

AQUA Skills Set „Automotive Quality Manager with AQUA Skills”

Unit ID / Unit Name / Element ID / Element Name
AQUA.U1 Introduction: AQUA.U1.E1 Integration view and general part; AQUA.U1.E2 Organisational readiness
AQUA.U2 Product Development: AQUA.U2.E1 Lifecycle; AQUA.U2.E2 Requirements; AQUA.U2.E3 Design; AQUA.U2.E4 Integration and Testing
AQUA.U3 Quality and Safety management: AQUA.U3.E1 Capability; AQUA.U3.E2 Hazard & Risk management; AQUA.U3.E3 Assessment and audit
AQUA.U4 Measure: AQUA.U4.E1 Measurements; AQUA.U4.E2 Reliability

Each element contains four views:
• integrated perspective
• Automotive SPICE perspective
• Functional Safety perspective
• Six Sigma perspective

SafEUr - ECQA Certified Functional Safety Manager http://safeur.eu

• Industry training and TUGraz course:
  • Functional Safety Introduction, Management, Engineering, Production, Legal, Qualification topics
  • Modular: 15 course elements
  • Face-to-face and online delivery
  • Heavily based on industry best practice
  • ISO 26262, IEC 61508
• Skills set aligned with industry
• Europe-wide certification by European Certification and Qualification Association (http://ecqa.org)
• Contact: [email protected]

Automotive Quality Universities (AQU): AQUA alliance extension to higher education

Partners
• VŠB - Technical University of Ostrava, CZ
• Graz University of Technology, AT
• UAS Joanneum, Graz, AT
• University of Maribor EE + CS, SLO
• ISCN IE/AT
• EMIRAcle (European Innovation in Manufacturing Association), BE/FR
• Grenoble INP (EMIRAcle)
• Hochschule Düsseldorf (EMIRAcle)
• ECQA Online Campus for Industry

AQUA/AQU @ TU Graz
• Regular students' course from 2014
• AQUA university course for industry (TU Graz Life-long-learning programme & ECQA)
• 1st ECVET-ECTS bridge between university and industry education
• Coordinator of AQUA project - EU funded Sector Skills Alliance 2013-15
• Automotive Quality Universities EU project (partner)

The AQUA ecosystem – current state

Figure: AQUA ecosystem. Elements: ECQA Functional Safety Manager / Engineer; Yellow Belt, Orange Belt, Green Belt, Black Belt; intacs Automotive SPICE®; „AQUA for ROC“ (EQF Level 4-5); AQUA extension: Integrated Cybersecurity; AQUA extension: automotive & medical & automation; planned: AQUA MOOCs?; SPI manager/facilitator: integrated, interdisciplinary innovation and improvement; ECQA Integrated Design Engineer; more …; AQU - AQUA Quality Universities (EQF Level 6-8).