The automotive industry stands at the dawn of a revolution enabled by innovative technologies and integrations within and without the vehicle. These include:
- More than 100 lightweight, high-speed processors known as electronic control units (ECUs)
- As many as 100 million lines of software code—more than the latest fighter jet
- Sensors (RADAR, LIDAR, video cameras, parking sensors, etc.) that provide real-time analysis of the surrounding environment
- High-speed wireless communication channels (4G, 5G, dedicated short-range communications (DSRC), etc.) for speedy and reliable vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) digital communication
- 7-10 internal local area networks that interconnect ECUs and other computerized devices
- Acquisition of digital road mapping and condition data from sensors and the cloud
- Artificial intelligence (AI) and machine learning (ML) capabilities
- Transmission of vast volumes of data to and from the vehicle
These capabilities converge to trigger a quantum leap in automotive history: the development of the connected car.
Connected Vehicle Ecosystem
As connected cars have become virtual local area networks with numerous endpoints (every ECU can be considered an endpoint), they resemble traditional IT networks. Just like IT networks and endpoints, they are subject to cyberattacks. Manufacturers absolutely must implement powerful automotive cyber security mechanisms even more extensive than they would for an IT network. As we shall explain, approaches used in IT cyber security are pertinent to certain subsystems of the connected vehicle, but not to others where a vehicle-specific approach to connected car data and safety protection is required.
The connected vehicle ecosystem can be decomposed into five interlinked subsystems:
- Safety critical subsystem (powertrain components) with direct impact on the safety of vehicle passengers and others
- Sensors and V2V Communication provides major inputs to the safety critical subsystem
- Operational and V2X Communication includes general, non-safety-critical subsystems and vehicle environment-control components
- Business Processes include components related to data monetization as well as Telematics and Fleet Management System (FMS)
- User experience (UE) includes infotainment, apps, and convenience components
What is automotive cyber security?
So what is automotive cyber security, and what makes it different from IT security?
As we explained in our blog about IDS/IPS and automotive cyber security essentials, IT cyber security mechanisms are appropriate for the non-safety-related, open subsystems in the automotive ecosystem.
White-hat and black-hat hackers have already begun to implement a wide range of attacks against moving and stationary vehicles, sometimes to steal them or their cargoes or data and other times to upset their proper performance. Different types of attacks are directed against each of the five subsystems.
Cyberattacks against the User Experience (5) and Business Processes (4) subsystems
These attacks include installation of malware-infected apps via communication channels or by installation of rogue components that have bypassed supply chain procedures and that are malware-infected. In most cases, these types of cyberattacks are similar to those perpetrated against endpoints like smartphones, tablets and laptops—they use similar techniques and hacking tools.
Traditional IT cyber security approaches are relevant here.
Cyberattacks against the Operational and V2X subsystem (3)
This subsystem includes:
- Vehicle immobilizer
- Body control
- Remote Keyless Entry
- Tire Pressure Monitoring
- Vehicle Lights
- V2X Gateway
Cyberattacks against the vehicle’s internal and external communication systems resemble network attacks in the IT environment. They are usually a preliminary stage for planting malware somewhere for a zero-day exploit. An example is a cyberattack against the wireless link used for electronic keys with vehicle or cargo theft as the goal.
Cyberattacks against the Safety Critical subsystem (1) and certain aspects of the Sensors and V2V Communication subsystem (2)
Here is where automotive cyber security diverges from the IT model and resembles the closed system found in other moving platforms like fighter jets. In all of the previous subsystems, traditional IPS and IDS technologies provide adequate safeguards and reporting. Losing use of the radio or suffering data leakage, while unpleasant or somewhat damaging, does not endanger the safety of passengers. However, the same cannot be said for some Sensors and V2V Communication functions and for all Safety Critical functions. Here, we need perfect, deterministic cyber security in real time. This is not delivered by IT cyber security systems.
Relevant sensors and gateways include:
- V2V/V2I gateway
- RADAR sensor
- LIDAR sensor
- Camera sensor(s)
- Ultrasound sensor
Safety Critical Subsystems include:
- Brake, throttle, steering and ignition key
- Advanced Driver Assistance System (ADAS) computer and sensors
- Anti-lock Braking System
- Electronic Stability Program/Subsystem
In this case, we are ultimately concerned with the kinds of attacks that can endanger life and property, which is what explains the importance of automotive cyber security:
- V2V/V2I gateway authentication, integrity and denial of service
- Sensor validation and security, authentication and jamming of RF signals
- Malware gaining control over a safety-critical ECU
- Malware taking control over the communication to the ECU or component
- Communication disruption (Denial of Service) over a critical segment of the CAN bus
- Omission in the supply chain where an original component is replaced by a malware-infected part
- Flaw in the software/firmware management where the original software/firmware component is replaced with a malware-infected counterpart
The components of the Safety Critical Subsystem play a crucial role in preserving the safety of the vehicle, its driver and passengers. In this case, implementation of the cyber security solution has to comply with very strict requirements, as if our lives depended on it:
- A deterministic and reliable mechanism that is verifiable and certifiable, and that can detect and prevent the cyber threat in real time (preferably in hardware). Software solutions that require post-event analysis by security experts or that are prone to false positives are inadequate.
- Formally documented and certified “safe” for the vehicle driver and passengers for each new hardware/software/firmware version—including its embedded cyber security component.
- Mandatory extension of OEM and Tier1 product-qualification procedures as well as production-verification and validation procedures to include the cybersecurity component so as to prevent rogue hardware and software/firmware components from creeping into the supply chain via the production line and at maintenance sites.
- Download of new versions of software/firmware must be performed using encrypted object-code images signed with electronic signatures that can be verified against the data in the OEM repository. The download of object-code images with an incorrect electronic signature must be blocked.
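The signed-image download requirement above, shown as an added example in Go that is not GuardKnox's or any OEM's code: the OEM-side packaging step that signs the image, and the ECU-side gate that rejects any image whose signature does not verify against the OEM public key. The container layout, the version field, the anti-rollback check (not mentioned in the requirement, but added because it is standard practice so that a correctly signed older image cannot be re-installed) and all sample data are constructed assumptions; encryption of the payload, which the requirement also calls for, is left out so that the verification logic stays readable.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout (an assumption for this example, not any OEM's format):
//   magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | signature(64)
// The Ed25519 signature covers everything before it, so version and length are protected too.
var magic = []byte("FWIM")

const headerSize = 12

var (
	ErrBadFormat    = errors.New("firmware image: malformed container")
	ErrBadSignature = errors.New("firmware image: signature does not verify against the OEM key")
	ErrRollback     = errors.New("firmware image: version is not newer than the installed one")
)

// GenerateOEMKeys stands in for the OEM's signing key pair. In production the private key
// never leaves the OEM signing service and the public key is provisioned into the ECU.
func GenerateOEMKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildImage is the OEM-side packaging step: header + payload, then the signature appended.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := &bytes.Buffer{}
	buf.Write(magic)
	binary.Write(buf, binary.BigEndian, version)
	binary.Write(buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the ECU-side gate. It parses only the fixed header, verifies the signature
// before interpreting anything else, then refuses versions that would roll firmware back.
// The payload is returned only when every check passes; otherwise the download is blocked.
func VerifyImage(oemPub ed25519.PublicKey, installedVersion uint32, image []byte) (uint32, []byte, error) {
	if len(image) < headerSize+ed25519.SignatureSize || !bytes.Equal(image[:4], magic) {
		return 0, nil, ErrBadFormat
	}
	version := binary.BigEndian.Uint32(image[4:8])
	payloadLen := binary.BigEndian.Uint32(image[8:12])
	// Length arithmetic in uint64 so a hostile payloadLen cannot overflow the comparison.
	if uint64(headerSize)+uint64(payloadLen)+ed25519.SignatureSize != uint64(len(image)) {
		return 0, nil, ErrBadFormat
	}
	signedEnd := headerSize + int(payloadLen)
	if !ed25519.Verify(oemPub, image[:signedEnd], image[signedEnd:]) {
		return 0, nil, ErrBadSignature
	}
	if version <= installedVersion {
		return 0, nil, ErrRollback
	}
	return version, image[headerSize:signedEnd], nil
}

func main() {
	pub, priv, err := GenerateOEMKeys()
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed ECU object code v7") // stands in for the real binary
	img := BuildImage(priv, 7, payload)

	v, _, err := VerifyImage(pub, 6, img)
	fmt.Println("genuine image: version", v, "err", err)

	tampered := append([]byte(nil), img...)
	tampered[headerSize] ^= 0x01 // flip one payload bit
	_, _, err = VerifyImage(pub, 6, tampered)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyImage(pub, 7, img)
	fmt.Println("re-install of installed version:", err)
}
```

The order of checks is the point: the signature is verified over the raw bytes before any field from the payload is trusted, and a failure of any single check blocks the whole image rather than logging it for later review.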
Deterministic Automotive Cyber Security for Safety
A deterministic approach to cyber security at the Safety Critical level is mandatory for passenger and vehicle safety. Here, we cannot rely on the post-event remediation methods of IT cyber security. False positives and false negatives are not an option!
GuardKnox’s deterministic cyber security methodology, Communication Lockdown™, delivers the requirements of the Safety Critical Subsystem of the connected car. Its fully deterministic, closed-system approach is not to look for attacks but to ensure that the vehicle continues to function in the way it was designed. There is no need for cloud connectivity nor for ongoing updates so no malware can sneak in and corrupt the safety requirements of the vehicle.
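An added example, not GuardKnox's Communication Lockdown™ or any product code, of what the deterministic, closed-system enforcement described for the Safety Critical subsystem looks like in practice, including how it handles the CAN bus denial-of-service case listed earlier: a gateway between an open segment and the critical segment forwards a frame only if its ID is in the policy, its length matches, it does not arrive faster than the policy period, and its content lies within the plausible range. The frame structure, the message IDs, the bounds and the trace are all constructed for illustration in Go.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"time"
)

// CANFrame is a simplified classic CAN frame (constructed for this example).
type CANFrame struct {
	ID   uint32        // 11-bit identifier
	Data []byte        // payload, 0..8 bytes
	At   time.Duration // arrival time, relative to gateway start
}

// Rule is the complete description of what the gateway accepts for one ID.
// Anything not described by a Rule is dropped; nothing is "detected", only enforced.
type Rule struct {
	Len       int                    // exact payload length expected
	MinPeriod time.Duration          // frames arriving faster than this are dropped
	InRange   func(data []byte) bool // optional plausibility check on content
}

type Verdict int

const (
	Forward Verdict = iota
	DropUnknownID
	DropBadLength
	DropTooFast
	DropOutOfRange
)

func (v Verdict) String() string {
	return [...]string{"forward", "drop:unknown-id", "drop:bad-length", "drop:too-fast", "drop:out-of-range"}[v]
}

type Gateway struct {
	rules map[uint32]Rule
	last  map[uint32]time.Duration // arrival time of the last forwarded frame per ID
}

func NewGateway(rules map[uint32]Rule) *Gateway {
	return &Gateway{rules: rules, last: map[uint32]time.Duration{}}
}

// Filter decides, with no state beyond the last forwarded timestamp per ID, whether a
// frame may cross into the safety-critical segment. Same frame, same policy, same verdict.
func (g *Gateway) Filter(f CANFrame) Verdict {
	r, ok := g.rules[f.ID]
	if !ok {
		return DropUnknownID
	}
	if len(f.Data) != r.Len {
		return DropBadLength
	}
	if prev, seen := g.last[f.ID]; seen && f.At-prev < r.MinPeriod {
		// Dropped frames do not update last, so a burst cannot starve the genuine sender.
		return DropTooFast
	}
	if r.InRange != nil && !r.InRange(f.Data) {
		return DropOutOfRange
	}
	g.last[f.ID] = f.At
	return Forward
}

// DemoRules is a constructed policy with two permitted IDs (not any OEM's message database).
func DemoRules() map[uint32]Rule {
	return map[uint32]Rule{
		0x0C1: {Len: 8, MinPeriod: 10 * time.Millisecond}, // wheel speeds, 4 x uint16
		0x1A0: {Len: 2, MinPeriod: 20 * time.Millisecond, // vehicle speed, 0.01 km/h units
			InRange: func(d []byte) bool { return binary.BigEndian.Uint16(d) <= 30000 }},
	}
}

// DemoTrace is a constructed sequence: normal traffic, an ID that has no business on the
// critical segment, a burst on a permitted ID, an implausible value and a wrong length.
func DemoTrace() []CANFrame {
	ms := time.Millisecond
	return []CANFrame{
		{ID: 0x0C1, Data: make([]byte, 8), At: 0 * ms},
		{ID: 0x1A0, Data: []byte{0x13, 0x88}, At: 1 * ms},       // 5000 = 50.00 km/h
		{ID: 0x7DF, Data: []byte{0x02, 0x01, 0x0D}, At: 2 * ms}, // diagnostic request: not in policy
		{ID: 0x0C1, Data: make([]byte, 8), At: 3 * ms},          // 3 ms after last forward: too fast
		{ID: 0x0C1, Data: make([]byte, 8), At: 10 * ms},         // full period elapsed: forwarded
		{ID: 0x1A0, Data: []byte{0xFF, 0xFF}, At: 21 * ms},      // 655.35 km/h: implausible
		{ID: 0x1A0, Data: []byte{0x13}, At: 41 * ms},            // wrong length
	}
}

func RunTrace(g *Gateway, frames []CANFrame) []Verdict {
	out := make([]Verdict, 0, len(frames))
	for _, f := range frames {
		out = append(out, g.Filter(f))
	}
	return out
}

func main() {
	trace := DemoTrace()
	for i, v := range RunTrace(NewGateway(DemoRules()), trace) {
		fmt.Printf("frame %d id=0x%03X -> %s\n", i, trace[i].ID, v)
	}
}
```

The gateway keeps no attack signatures and produces no alerts for an analyst to triage later; every verdict follows from the policy alone, which is the property the text calls deterministic. Because dropped frames do not advance the per-ID timestamp, a flood on a permitted ID still lets the genuine sender's next on-schedule frame through.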