Firewalls Are Not Cyber-Secure Enough to Protect Safety-Critical Functions

Lockdown of safety-critical ECUs is obligatory for automotive cyber security

Borrowing from the IT world, certain automotive cybersecurity companies are touting the benefits of placing firewalls at various points in the connected car. Firewalls are a mainstay in endpoint and enterprise security. However, it is vital to keep in mind that a firewall is not a source of adequate security for a safety critical ECU.

Vehicle ECU firewall protection is not sufficient to protect connected cars and vehicles

A firewall might be sufficient for lower risk systems like infotainment, but it won’t be enough for a system upon which lives depends on.

Firewalls in the IT World

Just as a physical firewall prevents a fire from spreading from one area to another, a cyber firewall provides a layer of protection between computer devices and cyberspace. In the IT world, the firewall is a software program or hardware device that filters the communications that reach or leave the network and endpoints, inspecting communication packets as they arrive at either side of the firewall—inbound to or outbound—to determine whether they should be allowed to pass or should be blocked.

Firewalls can be stateless or stateful. Stateless firewalls enhance cyber security by filtering network traffic (permitting or blocking packets) based on source and destination addresses or certain other static values. Stateless firewalls maintain no context—they are not aware of data flows or traffic patterns and they do not keep track of the state of network connections (sessions).

More sophisticated stateful firewalls retain information and status about each communicating partner for the duration of a session. Stateful firewall inspection of packets (also known as dynamic packet filtering) monitors the state of active connections to determine which network packets to allow through the firewall and which to reject.

Neither type of firewall is necessarily superior. Stateless firewalls are typically faster and perform better under heavier traffic loads. Stateful firewalls are better at identifying unauthorized and forged communications.

Whether stateless or stateful, the job of the firewall is to:

  • Defend resources
  • Validate access
  • Control network traffic
  • Prevent data leakage
  • Report events

Firewalls provide protection at two layers:

  • At the network layer, firewalls provide packet-filtering where they inspect the metadata (e.g., source address, destination address) that accompanies each packet of information to determine whether the packet should be rejected or allowed to pass.
  • Application-layer firewalls look deeper into the actual data being transported. Knowing how communication protocols work (i.e., HTTP), they validate the data in the packet to determine if the packet should be rejected or allowed to pass. 

Firewalls can be programmed with policies and rules to determine what constitutes passable communications such as which devices may talk to each other and what types of data are prohibited from exiting the organization. Typical firewall policies may include a storehouse of thousands of rules that grows and changes over time as needs change. When a packet arrives at the firewall, it is compared against the list of rules until a match is found or until it reaches the end of the list without finding a match. Once a match is found, a programmed action is applied to drop or pass the packet and, sometimes, to perform other actions such as alerting or recording the event. If no match is found, the packet is deemed to be in error and is dropped.
While firewalls have become a mainstay in the arsenal of traditional IT cyber security, their inadequacies render them only a partial solution. A single misstep by a firewall can take an entire network offline and expose the business to cyberattack. In fact, improperly managed firewalls create some of the greatest business risks in any organization.

Quote about ECU firewall protection and how it's only a partial solution

Firewalls in the Connected Car

When it comes to cyber attacks, protecting connected vehicles can resemble protecting endpoints in traditional IT networks. In both cases, hackers can perform innocuous actions (like putting up a funny picture on a computer screen or head unit). More importantly, they can try to steal data from each type of system—detrimental, to be sure, but not catastrophic to the point of threatening lives. But here is where connected vehicles and IT endpoints part company. When hackers attack your car, you may find yourself suddenly without brakes or in a ditch in need of medical attention.

The connected car resembles the closed system of a commercial or military airplane. Today, just like in planes, more than 100 electronic control units (ECUs) control the car’s functions from ignition to seat position, infotainment, navigation, communication with other vehicles, and much more.

The US Government Accountability Office (GAO) has raised concerns that increased connectivity of modern aircraft has opened a cybersecurity gap between cockpit avionics and cabin broadband networks. The firewalls used to separate cockpit avionics from intrusion by cabin systems users are insufficient as “they could be hacked like any other software and circumvented.” In fact, the Department of Homeland Security has demonstrated the commercial or military jet hacking of commercial airplanes. The US Federal Aviation Administration concurs, stating that firewalls are insufficient to protect air traffic control systems from potential attacks.

The same warnings hold true for the connected car where ECUs now control devices in all five interlinked subsystems. Many of these ECU functions are safety-critical including door locks, brakes and steering. These functions cannot afford the deficiencies inherent in IT firewalls.

In the car, once they get past a firewall, hackers can make ECUs imitate other ECUs, enabling the hackers to take control of systems through electronic messaging. That's the essence of the apocalyptic Miller and Valasek hack where they caused the head unit in a Jeep Cherokee to pretend to be the electronic control unit for the brakes, transmission and other critical systems. They were able to remotely take control of the traveling Jeep. In a denial of service scenario, ECUs can be bombarded with signals, effectively shutting them down and putting vehicles and their passengers at risk.

The problem with the firewall is that it examines packets, compares against rules, and makes decisions regarding the veracity of the packets. 25 years of experience has already taught us that firewalls are vital to security, but must be supplemented with additional mechanisms. We must apply this to the connected car.

From IT Firewall to Lockdown

The IT firewall concept depends on fluidity to stay ahead of the hackers. Since the number of states is virtually infinite, the IT firewall defends against the growing array of hacks by growing its defenses in tandem. Even the most advanced IT stateful firewall can protect against only what it knows. Rules must be added whenever a new situation is encountered. As threat intelligence increases and improves, it is rapidly added to firewall rules and downloaded to the car.

As millions of new connected cars come online, they will become attractive targets for the very best hackers. IT firewalls will forever be playing catch-up with new types of attacks they have never experienced before. We can expect these to number in the thousands in the near future.

To defend against cyberattacks aimed at safety-critical systems, a deterministic technology is required. The technology cannot “learn as it goes”. It must be agnostic to all attacks “out of the box”. There is no room for error.

Lockdown technology provides the deterministic, real-time defense that safety-critical systems require. Adapted from the world of fighter jets and anti-missile systems, Lockdown is a full data-inspection, stateful firewall that locks every bit in every field in every message in the vehicle. Since there is a finite number of messages and a well-defined protocol, Lockdown can provide total cyber coverage. Any communication that would take the vehicle out of a safe state is automatically rejected and discarded (and recorded for forensic analysis).

Lockdown is the technology of choice to provide air safety and must be adopted by connected land vehicles to ensure the safety of our families.

The cyber security threat landscape for automotive market and connected vehicles cyber defense