TRANSCRIPT
Jin Shang, Jingbo Ni
2019-08-20
Intelligent Connected Vehicle Cybersecurity Architecture
Agenda
❑ ICV Cybersecurity: Background
❑ ICV Cybersecurity Analysis: Methodology, Core Assets and Functional Safety
❑ ICV Cybersecurity Structure
❑ ICV Application Layer Security
❑ ICV Cybersecurity Evaluation
❑ Future
ICV Cybersecurity Background
Platform Technologies
Self-Driving
Network Security
Big Data and AI
❑ Cybersecurity Definition
❖ Measures taken to protect computer systems and computer networks against unauthorized access to data or data communication channels.
❑ Cybersecurity is one of the Key Requirements for Intelligent Connected Vehicles
❖ Cybersecurity should be implemented wherever there is data or data communications:
❖ Vehicle E/E Units and the Vehicle Internal Network
❖ Autonomous driving
❖ Big Data (Cloud)
❖ OTA, IVI
❖ Context for Cybersecurity in the ICV Functional Ecosystem:
➢ Software: Pervasive, Complex and Rapidly Growing
➢ Networks
➢ Connectivities: Cloud & Mobile (including IVI) Apps
➢ Computing Nodes: MCU/ECU, Domain Controller, Vehicle Central Computer
❖ ICV Cybersecurity Arena:
➢ Cyber-Attack Surfaces Exposed by Software and Hardware Interfaces
➢ Vulnerabilities in Computing Nodes: MCU/ECU, Domain Controller, Central Computer
➢ Network Security: Vehicle Internal Network vs Enterprise Private Network
➢ Cloud and Mobile Security: Connectivities, Cloud Control, Maps, User and In-Vehicle Mobile Devices
Background
❑ Cybersecurity is a Critical and Integral Part of ICV
❖ Cybersecurity Should Be Integrated and Immersed in Vehicle E/E Units over the Whole Network Topology
❖ A Cybersecurity Framework should be used consistently across the Vehicle Platform
❖ Cybersecurity is Essential to the Big Data Economy, including Ride Sharing, Cloud Monitoring and Control etc.
❖ As a function of E/E Units, Cybersecurity implementations must meet the functional safety standard. However, Cybersecurity (the security of vehicle data and data communications), though contributing and critical to functional safety, is different from functional safety and SOTIF (Safety of the Intended Function)
❖ Example: IDS in Vehicle CAN Network Gateway:
❖ A function in itself: detecting intrusions into the internal CAN network
❖ Must not violate the safety standard set forth for the Gateway Unit in performing its intended function — e.g., the IDS function cannot disrupt CAN network communications, with or without detection of intrusions.
❖ However, the intended function is to protect the communications over the CAN network (i.e. all messages transmitted in the network are from trusted and authenticated sources, unaltered, and behaving in a predefined manner).
❖ It helps to enhance vehicle safety in a limited area, but vehicle safety covers a much broader range of components and functions in the vehicle, among which there are very many other sources of failure unrelated to data or data communication security (e.g. engine overheating, electronic or mechanical failures etc).
Background
❑ Status Quo:
❖ Lack of Consensus: the need and requirements for basic ICV cybersecurity are not agreed industry-wide
❖ ICV development bottlenecks: computing power with an acceptable performance-cost ratio; high speed, low latency networks etc.
❖ Slow migration and/or sharing of mature IT cybersecurity technologies into ICV cybersecurity
❖ The auto industry lacks in-depth cybersecurity theory and engineering practice, while the IT industry lacks vehicle safety awareness
❖ Lack of urgency
❑ ICV Cybersecurity is essential and critical. It is also important for the public (data leaks, malware-controlled vehicles etc)
❑ ICV Cybersecurity is a junction where interests and technologies cross industries, and where different areas of expertise meet and apply.
ICV Cybersecurity Technologies: Cross-Industry Technology Fusion
Network
▪ Gateway, LANs
▪ V2X, Cloud
▪ ECU-Server, DC
Cybersecurity Attack
▪ 20+ years
▪ DoS, Tamper, MITM
▪ Vulnerability, Breach, Leak
Cybersecurity Defense
▪ 20+ years
▪ Topology: In-depth, Multi-layers
▪ Tech.: Firewall, IPS, AI, Anomaly detection
Similar / Leverage
CPU
▪ Embedded
▪ Software, RTOS, VM
▪ OTA
Topologies: Defense in Depth
Technologies: Anomaly Detection & Analysis, Big Data, Machine Learning, Constant Monitoring, Threat Intelligence
Both Offense and Defense are Constantly Challenged!
[Figure: defense-in-depth layers, from IT cybersecurity technologies (Host, Router/Switch, Cloud/DC) to ICV cybersecurity (IoT/Vehicle). Defense layers: IPS/AV/Sandbox, Firewall, Intelligence, Deep Inspection, Segmentation, Encrypt/Auth. Attack classes: DoS, Network Attack, Intrusion, Virus, APT, Zero-Day, mutation. Responses: Detect, Mediation, Prevent.]
Ecosystem:
• Offense and Defense: mutual evolution in lock step
• Journey never ends
• Security Technology Evolution: Addition (Communication Stack-based Layering, Function Complementary & Co-existence), not Iteration (Revolution, Substitution)
Security:
• Platform and Architecture
• Variants: Network Topologies
• Invariants: Technologies
• Technology Innovation
• Applications, Privacy/GDPR
Distinguish Functional Safety/SOTIF and Information/Data Security
Auto Industry Multi-Dimensional Vehicle Safety Concepts:
❖ Safety: Active, Passive
❖ Methods:
❖ Physical (Material, Mechanical Design etc)
❖ Big Data (Modeling, Analyzing, Monitoring, Data-based Preemptive Prevention etc)
❖ Reliability: Functional Safety, SOTIF
❖ Functions: Cybersecurity (Data & AI)
ICV Cybersecurity
Core Assets of ICVs:
❑ Computing Platform: Full Stack Software and Application Services
❑ ECUs and Controllers on the Critical Path: Gateway, T-Box etc
❑ IVI: Connectivity with Mobile Devices and their Ecosystems
❑ Internal/External Networking: CAN, IP, 4G/5G, WiFi, V2X
❑ Sensors, Data Collecting, Storage and Transmission
❑ Cloud: TSP, APPs, Maps, OTA etc
ICV Cybersecurity vs Functional Safety: A Case Study
Findings quoted from Tencent Keen Lab, each with the speakers' classification:
❖ Tencent Keen Lab: “… by placing interference stickers on the road, the Autopilot system will capture this information and make an abnormal judgment, which causes the vehicle to enter into the reverse lane.”
➢ AI GAN Attack (SOTIF/Functional Safety): Perception, Planning
➢ OK — SOTIF
❖ Tencent Keen Lab: “trick the automatic wipers powered by Autopilot’s computer vision system and cameras, by showing images of water to the front-facing camera – triggering the wiper to start wiping the window”
➢ AI GAN Attack (SOTIF/Functional Safety): Rain Wiper, QM Level (risk associated with a hazardous event is not unreasonable and does not therefore require safety measures)
➢ OK
❖ Tencent Keen Lab: “… control the steering system through the Autopilot system with a wireless gamepad, even when the Autopilot system is not activated by the driver.”
➢ An issue in AD Domain Cybersecurity? NO — A system security issue (the wireless interface)
➢ A Major Vulnerability?
Cybersecurity Structure
Assets:
■ Edge: Gateways, T-box over IP/CAN
■ Nodes (ECU/CPU): Chip/Boot/OS Security/Auto Driving
■ Communications (Sensors, V2X, In-Vehicle): AAA/Encryption/PKI
■ Cloud (TSP, APPs, Data Storage and Sharing): Cloud-based Security Services: Security Situational Awareness, Big Data Analysis/Machine Learning, Emergency Responses, Mobile App Security, GDPR
Critical Security Targets: Auto Driving, OTA, AI, Data
OEM Vehicle Design: Software Defined Vehicle Platform & Cybersecurity Platform
ICV Protection: Defense in Depth; Defense Technology Stack; Ecosystem; Integration with Functional Safety
[Figure: ICV cybersecurity compared with IT cybersecurity. Rows: Protection Architecture (Security defense), Defense Technology Stack, Ecosystem. Labels in the figure: Core re-invent technology; Referral; Platform referral; Direct Leverage; Core Tasks; FortiOS, Junos]
■ Defense Technology Stack items: Firewall; ECU: Secure Boot, TEE, SE; PKI, Authentication; Big Data, AI, Anomaly Detection; OS, Mobile APP security; Cloud Security; V2X IP Communication
■ Ecosystem items: Vulnerability, attack and test, emergency response, regulation, standard, etc.
ICV Cybersecurity Structure - Fusion with Key IT Industry Technologies
■ Edge Security, Vehicle Computer Security, Secured Data Access and Communications, Security Services
Build Four Cybersecurity Systems (vehicle side and cloud side):
① Edge Security Systems
Vehicle (Secured GW):
➢ Access Control
➢ Session Control
➢ Signal Health
➢ Anomaly Detection
Cloud:
➢ Secured Data Collection
➢ Data Correlation Check
➢ Signal Time-series Analysis
➢ Security Monitoring
➢ Security Situational Awareness
② Vehicle Computer Security
Systems:
➢ General OS Security
➢ Linux Security
➢ Android Security
➢ QNX Security etc
Security Model:
➢ OS Kernel Security Model
➢ Networking Security
➢ Services and API Security
➢ Mobile APPs Security
➢ AI, ADAS etc Security
③ Secured Data Access & Comm.
Authentication:
➢ PKI based User Authentication: ensure users are authenticated, against man-in-the-middle attacks
Authorization & Auditing:
➢ Secured Data Access: against unauthorized data access & modification, and illegal operation cover-ups
Communication:
➢ SSL/PKI Encrypted Data Transportation: ensure the security of the communication channel
④ Security Services
➢ Threat Intelligence
➢ Vehicle Cybersecurity Monitoring
➢ Vehicle Security Alarm and Incidents
➢ Emergency Responses
Security Monitor and Control Center, Security Services Team:
➢ 7×24 monitoring
➢ 24 hr response
➢ 15 day security patch
➢ Cover vehicle full life-cycle
ICV Cybersecurity Structure
■ Vehicle Internal Network Security (CAN, Ethernet & T-BOX)
Edge Security System
Vehicle Internal Network Types
① CAN (Traditional)
② Mixed: CAN + Eth + 4G
③ Ethernet
Traditional CAN Net
① CAN Bus
② LIN
③ FlexRay
Ethernet Layered Structure
① Physical Layer
② Link Layer: To Next Node
③ Networking Layer: Packet Routing & Forwarding
④ Transport Layer: Data transport (TCP/IP)
⑤ Application Layer
External Networking
① 3G/4G/WiFi/BT
② V2X
③ Vehicle Apps
④ FOTA/SOTA
⑤ Remote Diagnostics
Cyber Attacks
① ECU Key
② Reverse Engineering
③ Account Stuffing / Brute Force
Typical Cyber Attacks
① DDoS
② Illegal Injection
③ Malware (Trojan Horse, Ransomware, DDoS Mules)
④ Vulnerability Exploit etc
Hardware Security
① Secure Boot/Trusted Computing
② Trusted Zones
③ Encryption
Software Security
① Secure Execution
② Secure Data Storage
③ AAA
Hardware/Software Security, Vehicle Networking Model, Firewalling CAN+Eth Networks:
Access Control, Anomaly Detect/Mitigation, Session Sanity Check, Security Alerts
CAN Security Gateway, T-BOX Security Gateway, Ethernet Security Gateway
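The following Python sketch is an added example, not code from the talk or from any vendor's gateway. It serves three passages at once: the CAN-gateway IDS example in the Background section (the IDS must detect but must never disrupt CAN traffic), the Secured GW functions in the Edge Security Systems list (access control, signal health, anomaly detection, data correlation check) and the firewalling functions listed just above (access control, session sanity check, security alerts). It models a detection-only monitor: every frame is returned unchanged, per-id state is O(1) so the hot path stays bounded, and the output is a list of alerts for the security monitoring centre. The CAN ids, cycle times, plausibility bound and the sample trace are all constructed for the example and stand in for an OEM's CAN matrix.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CanFrame:
    ts_ms: float   # receive timestamp in milliseconds
    can_id: int    # 11-bit arbitration id
    data: bytes    # 0..8 payload bytes


@dataclass(frozen=True)
class IdPolicy:
    period_ms: float                 # expected cycle time of this periodic message
    dlc: int                         # expected payload length
    max_delta: Optional[int] = None  # plausibility bound on the 16-bit signal in bytes 0..1


# Hypothetical allowlist (constructed); a real one is derived from the OEM's CAN matrix
POLICY: Dict[int, IdPolicy] = {
    0x0C0: IdPolicy(period_ms=10.0, dlc=8, max_delta=50),   # e.g. a wheel-speed message
    0x1A0: IdPolicy(period_ms=20.0, dlc=8),
    0x3E8: IdPolicy(period_ms=100.0, dlc=4),
}


@dataclass(frozen=True)
class Alert:
    ts_ms: float
    can_id: int
    kind: str     # unknown_id | bad_dlc | timing | stale | implausible_delta
    detail: str


class PassiveCanIds:
    def __init__(self, policy: Dict[int, IdPolicy], tolerance: float = 0.3):
        self.policy = policy
        self.tol = tolerance                 # accepted deviation from the nominal period
        self.last_ts: Dict[int, float] = {}  # last plausible arrival time per id
        self.last_sig: Dict[int, int] = {}   # last plausible signal value per id
        self.alerts: List[Alert] = []

    def _alert(self, f: CanFrame, kind: str, detail: str) -> None:
        self.alerts.append(Alert(f.ts_ms, f.can_id, kind, detail))

    def observe(self, f: CanFrame) -> CanFrame:
        """Inspect one frame and return it unchanged: the IDS never drops or alters traffic."""
        pol = self.policy.get(f.can_id)
        if pol is None:                                    # access control: id not on the allowlist
            self._alert(f, "unknown_id", "id not in gateway allowlist")
            return f
        if len(f.data) != pol.dlc:                         # signal health: payload length
            self._alert(f, "bad_dlc", f"expected {pol.dlc} bytes, got {len(f.data)}")
        prev = self.last_ts.get(f.can_id)
        if prev is None:
            self.last_ts[f.can_id] = f.ts_ms
        else:
            gap = f.ts_ms - prev
            if gap < pol.period_ms * (1 - self.tol):       # too early: injected or flooded frame
                self._alert(f, "timing", f"gap {gap:.1f} ms below period {pol.period_ms} ms")
                # the last legitimate arrival stays the reference for the next frame
            else:
                if gap > pol.period_ms * (1 + self.tol):   # too late: sender stalled or suppressed
                    self._alert(f, "stale", f"gap {gap:.1f} ms above period {pol.period_ms} ms")
                self.last_ts[f.can_id] = f.ts_ms
        if pol.max_delta is not None and len(f.data) >= 2:  # data correlation: physical plausibility
            sig = int.from_bytes(f.data[:2], "big")
            ref = self.last_sig.get(f.can_id)
            if ref is not None and abs(sig - ref) > pol.max_delta:
                self._alert(f, "implausible_delta", f"signal jumped {ref} -> {sig}")
            else:
                self.last_sig[f.can_id] = sig
        return f


def monitor_trace(frames: List[CanFrame], policy=POLICY) -> Tuple[List[CanFrame], List[Alert]]:
    ids = PassiveCanIds(policy)
    forwarded = [ids.observe(f) for f in frames]
    return forwarded, ids.alerts


def count_by_kind(alerts: List[Alert]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


def build_sample_trace() -> List[CanFrame]:
    """Constructed trace: a clean 10 ms cycle on 0x0C0 plus one off-cycle frame,
    one frame from an unknown id and one frame with the wrong DLC."""
    frames, speed = [], 1000
    for i in range(5):
        frames.append(CanFrame(i * 10.0, 0x0C0, speed.to_bytes(2, "big") + bytes(6)))
        speed += 5
    # off-cycle frame at 25 ms carrying an implausible jump in the speed signal
    frames.insert(3, CanFrame(25.0, 0x0C0, (5000).to_bytes(2, "big") + bytes(6)))
    frames.append(CanFrame(41.0, 0x7FF, b"\x00"))        # id not on the allowlist
    frames.append(CanFrame(45.0, 0x3E8, b"\x01\x02"))    # 0x3E8 expects 4 bytes
    return frames


if __name__ == "__main__":
    fwd, alerts = monitor_trace(build_sample_trace())
    for a in alerts:
        print(f"{a.ts_ms:6.1f} ms id=0x{a.can_id:03X} {a.kind}: {a.detail}")
    print(count_by_kind(alerts))
```

The design choice that matters for the functional-safety argument is that `observe` has no path that withholds or rewrites a frame; mitigation (blocking, rate limiting) is a separate decision taken outside the detector, where it can be assessed against the gateway's safety requirements. Keeping the last plausible timestamp and signal value as the reference, rather than the last received one, means a burst of injected frames produces one alert per injected frame while the legitimate cycle is still judged normal.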
ICV Cybersecurity Structure
❑ Security Coverage: Edge, Computing Nodes, Communications, Applications, Services
Application: Autonomous Drive Security
Assets:
■ Internal Networks
■ Multi-dimensional Connectivities (internal, V2V, V2X, V2Cloud)
■ Maps, Cloud control: OTA, SPOTA (security-provisioning-over-the-air)
■ Security Cloud Services (Monitoring, Big Data Analysis etc)
AD-Specific Security Risks:
■ More software-introduced vulnerabilities: ROS/Open Source code
■ AI Security: GAN (generative adversarial net) Attacks
■ Malware
Full stack AD Cybersecurity will largely employ IT Cybersecurity technologies!
Application Security: Data
❑ Many data sources and ownerships
❑ GDPR, CCPA: trackable, auditable
Application Security: OTA
❑ Image/Data transport security.
❑ Image/Data authentication.
❑ Image/Rollback support.
❑ Multiple Supplier Software Release Orchestration
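As an added example (not code from the talk), the Python below shows how the first three OTA requirements listed above fit together on the ECU side: a signed manifest binds version, size and digest of the image (authentication), the digest check catches corruption or modification in transit (transport security), an anti-rollback floor rejects replayed older releases, and two image slots let a new image that fails its first boot be rolled back (rollback support). The signing key, image bytes and version numbers are constructed; HMAC-SHA256 stands in for the asymmetric PKI signature a production release would carry, so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed stand-in for the OEM release-signing key. In production the manifest carries
# an asymmetric (PKI) signature and the ECU stores only the public key.
RELEASE_KEY = b"example-release-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: Dict) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict, key: bytes = RELEASE_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def make_release(version: int, image: bytes, key: bytes = RELEASE_KEY) -> Dict:
    """Back-end side: bind version, size and digest of the image into a signed manifest."""
    manifest = {"version": version, "size": len(image), "sha256": sha256_hex(image)}
    return {"manifest": manifest, "sig": sign_manifest(manifest, key), "image": image}


class EcuUpdater:
    """ECU side with two image slots: the running slot is never overwritten, so a
    new image that fails to boot can be rolled back to the previous one."""

    def __init__(self, installed_version: int, key: bytes = RELEASE_KEY):
        self.key = key
        self.slots: Dict[str, Optional[Tuple[int, bytes]]] = {
            "A": (installed_version, b"factory-image"), "B": None}
        self.active = "A"
        self.min_version = installed_version  # anti-rollback floor, raised only after a confirmed boot

    def verify(self, release: Dict) -> Optional[str]:
        """Return None if the release is acceptable, otherwise the rejection reason."""
        m, image = release["manifest"], release["image"]
        if not hmac.compare_digest(sign_manifest(m, self.key), release["sig"]):
            return "bad_signature"        # authentication: not signed with the release key
        if m["version"] <= self.min_version:
            return "rollback"             # replay of an older (possibly vulnerable) release
        if len(image) != m["size"] or sha256_hex(image) != m["sha256"]:
            return "image_mismatch"       # transport corruption or modification after signing
        return None

    def install(self, release: Dict) -> str:
        reason = self.verify(release)
        if reason is not None:
            return reason
        inactive = "B" if self.active == "A" else "A"
        self.slots[inactive] = (release["manifest"]["version"], release["image"])
        self.active = inactive            # next boot tries the new slot
        return "installed"

    def confirm_boot(self, booted_ok: bool) -> str:
        """Called once after the first boot of a new image; returns the slot now active."""
        if booted_ok:
            self.min_version = self.slots[self.active][0]   # commit: raise the floor
        else:
            failed = self.active
            self.active = "B" if failed == "A" else "A"     # fall back to the previous image
            self.slots[failed] = None
        return self.active

    def running_version(self) -> int:
        return self.slots[self.active][0]


def run_scenario() -> Dict[str, str]:
    """Constructed scenario exercising each check; returns the outcome of every step."""
    ecu = EcuUpdater(installed_version=10)
    out: Dict[str, str] = {}
    out["upgrade"] = ecu.install(make_release(11, b"firmware-v11"))
    ecu.confirm_boot(True)
    out["replay_old"] = ecu.install(make_release(10, b"firmware-v10"))
    modified = make_release(12, b"firmware-v12")
    modified["image"] = b"firmware-v12-modified"          # changed after signing
    out["modified"] = ecu.install(modified)
    out["wrong_key"] = ecu.install(make_release(12, b"firmware-v12", key=b"other-key"))
    out["bad_boot"] = ecu.install(make_release(12, b"firmware-v12-broken"))
    out["after_bad_boot"] = f"slot {ecu.confirm_boot(False)} v{ecu.running_version()}"
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:15s} {result}")
```

The order of checks in `verify` is deliberate: the signature is verified before any field of the manifest is trusted, the version floor is compared before the (larger) image is hashed, and the floor is only raised in `confirm_boot`, so a release that installs but fails to boot does not block a corrected build of the same version number.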
Vehicle-wide Cybersecurity Design Framework:
❑ Safety & Cost: Functional Safety Integration with Basic Cybersecurity Structure
❑ Integrated with the Full Cycle of Vehicle Development
❑ Software Defined Cybersecurity (Security Feature Provisioning)
ICV Cybersecurity Evaluation
❑ Establish Industry Standard for Cybersecurity Levels
❑ Cybersecurity Level Verification and Evaluation: Standard Based
❑ Penetration Test on Components and Whole Vehicle
❑ Cybersecurity Level Scoring based on Long Term Big Data Monitoring
❑ Auto Industry-wide Cybersecurity Awareness
❑ Establish Auto Industry Cybersecurity Ecosystem:
❑ Threat Intelligence Sharing
❑ Emergency Responses
❑ Security Standards and Regulations
❑ Cybersecurity Test and Evaluations
❑ Cybersecurity as a Fundamental Market Access Factor
Future