As the auto industry plows ahead with advances in energy efficiency, comfort and safety, it appears that some are forgetting the importance of the E/E Architecture and the role it plays in the safety of the automobile. I recently highlighted some of the Myths that persist around Automotive Cybersecurity at an Automotive Security Research Group presentation, emphasizing the importance of the modern automobile being Secure by Design.
Here we highlight the myths that are diverting attention from the critical importance of having processes in place to ensure that your product is protected and the safety of your customers is front of mind.
In 2021 the auto industry will be significantly influenced by a number of trends that will drive the shift from “vehicle manufacturers” to “vehicle software platform developers”.
Designing in cryptography is only one part of the solution for designing a secure E/E Architecture and requires every application in the vehicle to be secure. With application-level cryptography, each application may require its own keys, and therefore its own key management - making the implementation of Automotive Cybersecurity a complex but very necessary task.
The design of the security system will also need to look at the current limitations of the automobile Controller Area Network (CAN), a bus network on which every connected application can read and write, and which is hence exposed to security vulnerabilities, deliberate or otherwise, in any of the applications connected to it.
The current CAN is designed for small payloads and short messages, and so is not well suited to having cryptographic protection added to those messages.
Although the CAN bus meets its original design requirements as a closed network transporting short informational messages, it is not well suited for networking smart devices passing both information and control messages. It was never intended as a general communications network with possible connections to outside the vehicle and connecting a multitude of active controllers.
The current CAN bus’ small payload will not support strong cryptographic protocols, and any crypto used will increase latency (a very undesirable feature in the real-time environment of a vehicle). On top of this, there is little ability to support key management and Message Authentication Codes; thus the CAN bus is not suitable as a backbone architecture.
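To make the payload argument concrete, here is an added example (not code from the original article) that packs a freshness counter and a truncated MAC into a single classic CAN data field and verifies it on the receiving side. The key, counter width, tag width and CAN identifiers are all constructed assumptions for illustration; production schemes such as AUTOSAR SecOC differ in their details.

```python
# Added example: how much of a classic CAN frame's 8-byte data field survives
# once a freshness counter and a truncated MAC have to share it.
# Assumptions (constructed for this example): 128-bit per-application key,
# 1-byte freshness counter, 24-bit truncated HMAC-SHA256 tag.
import hmac
import hashlib
from typing import Optional

CAN_MAX_PAYLOAD = 8   # classic CAN data field, in bytes
COUNTER_LEN = 1       # freshness counter bytes appended to the data
TAG_LEN = 3           # truncated MAC, 24 bits


def data_budget() -> int:
    """Application bytes left once counter and tag share the 8-byte frame."""
    return CAN_MAX_PAYLOAD - COUNTER_LEN - TAG_LEN


def _mac(key: bytes, can_id: int, data: bytes, ctr: bytes) -> bytes:
    # The CAN identifier is covered by the MAC so that a frame authenticated
    # under one ID cannot be accepted as if it were sent under another.
    msg = can_id.to_bytes(2, "big") + data + ctr
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key: bytes, can_id: int, data: bytes, counter: int) -> bytes:
    """Pack data || counter || truncated MAC into one classic CAN payload."""
    if len(data) > data_budget():
        raise ValueError("payload does not fit alongside counter and tag")
    ctr = counter.to_bytes(COUNTER_LEN, "big")   # wraps after 256 frames
    return data + ctr + _mac(key, can_id, data, ctr)


def verify_frame(key: bytes, can_id: int, frame: bytes,
                 last_counter: int) -> Optional[bytes]:
    """Return the data if the tag checks and the counter is fresh, else None."""
    data = frame[:-(COUNTER_LEN + TAG_LEN)]
    ctr = frame[-(COUNTER_LEN + TAG_LEN):-TAG_LEN]
    tag = frame[-TAG_LEN:]
    if int.from_bytes(ctr, "big") <= last_counter:
        return None                       # replayed or stale frame
    if not hmac.compare_digest(tag, _mac(key, can_id, data, ctr)):
        return None                       # tampered, or wrong key / ID
    return data


if __name__ == "__main__":
    key = bytes(range(16))                # constructed demo key
    frame = build_frame(key, 0x1A0, b"\x12\x34\x56\x78", 5)
    print("data bytes left:", data_budget(), "accepted:",
          verify_frame(key, 0x1A0, frame, 4))
```

Even with a short tag and a one-byte counter, only half of the frame is left for the application's signal data, and a wider counter or a stronger tag would cost more still.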
Yes, Hardware Security Modules (HSM) will assist in securing a vehicle, but it is only one element in a robust security design - secure hardware is only useful to support a secure application.
An HSM will help with security key management and with authenticating software and messages. An HSM will also help keep down the costs of implementing Automotive Cybersecurity, but each of the applications will also need to have cybersecurity central to its design.
We all need to recognize that software is created by engineers, engineers are human and humans are fallible. Regardless of how well the application is designed and coded, there is a chance that there will be bugs and maybe even flaws in the design.
A malicious agent will look for and exploit any chink in the armour they can find, be it a flaw in the design or an unnoticed bug. The system architect will need to take into account the possibility that any one of the applications may become compromised and introduce malicious requests into the overall system.
Standards are not a Silver Bullet for solving Cybersecurity challenges, as those standards need to be incorporated into the architecture, design and coding of the solution, and this is done by people (see Myth 4). With the UN mandating that cybersecurity be considered part of a vehicle’s lifecycle, publishing standards and proposing regulation will force us to consider the problem. BUT standards provide guidance; they do not provide a solution.
Think of the lack of effective security as a defect - fixing a defect by adding security features after release may require a re-design of the product and will definitely be significantly more costly than if it were included in the design from the outset. Security cannot just be patched in.
It is impossible to build a firewall around a system of many connected applications; there are far too many required trusted relationships. If any one of the connected applications is compromised, the attacker is inside the firewall and free to wreak havoc.
Trust between applications is essential, but it relies on establishing that trust by ensuring authenticity, and ensuring that a request from a trusted application actually originated from that application. This requires layers of security to exist inside the firewall rather than relying on the firewall itself.
Send the invitation to the hackers! Really … nothing is unhackable, and if you find this hard to believe request a white hat penetration test.
Just because no one has found, or maybe even attempted to find, a vulnerability in your automotive E/E Architecture does not mean that they can’t or won't. If someone wants to perpetuate a malicious act against your company, they will spend the time, money, and effort to find a vulnerability that allows them to … the only way to beat them is to stay one step ahead of them … invest in on-going processes to identify and remedy vulnerabilities before they can be exploited.
Do not believe that, just because you have in-house architects, designers and engineers who have developed their own methods for securing the E/E, their secrets will remain secret for long. Refer to Myth 9.
If you have an On-Board Diagnostic (OBD) port, wireless connection or any other third-party device connected to the automotive E/E network or backbone, then you have potentially opened the door to the automotive control systems. Think of every ride-share, car-share, taxi or fleet vehicle that is connected and can thus be attacked by those with malicious intent.
Security is the enabler of the connected, immersive environment of modern cars. Without security you would not have safety, or the ability to sell a product. Security adds a LOT of value compared with the small incremental cost of design and production.
Now that we have reviewed these 12 myths, we must recognize that:
This means that automotive cybersecurity must now become an integral and essential part of the modern E/E Architecture. Cars must be secure by design. This means that cybersecurity must be included in the initial design and not as an add-on.
Every application and its interactions must be secured holistically. We MUST implement a process to continually monitor, investigate, identify and remedy security vulnerabilities.
A cybersecure vehicle is a SAFE vehicle.