Automotive IoT Security By Design

A good example of the wider adoption and application of IoT devices is in automotive uses. It’s a growing market, with the worldwide number of IoT-connected devices projected to increase to 43 billion by 2023, an almost threefold increase from 2018.

The modern vehicles that host so many IoT devices are increasingly connected—for cellular over-the-air updates, but also potentially to communicate with other vehicles and city infrastructure. The ever-growing volumes of electronic systems creates unprecedented systemic complexity. Even an average vehicle design will include over 150 electronic control units (ECUs), which control not just infotainment and communications, but powertrain, safety, and driving systems (figure 1). Supporting all these functions requires not just an increase in the volume and complexity of electronics, but a commiserate growth in software, driving the growth of the Software-Defined Vehicle (SDV) and turning the modern vehicle into a IoT device on wheels.

Fig. 1: Components of a security by design solution.

Securing automotive IoT devices

The need for security in these devices is now critical to their success and a required part of the overall IoT infrastructure. The IoT Security Foundation provides a well-defined and established assurance framework, which gives guidance on requirements for IoT security based on the end application and the overall objective of adding security. They define requirements for four assurance classes, as outlined in table 1.

Table 1: Cyber Security Assurance objectives. (IoT Security Foundation – https://www.iotsecurityfoundation.org/)

With the security objectives in mind, chip makers must then take the rather large step of implementing them.

Hardware-based security solutions

At Siemens EDA, we have been exploring the application of Tessent Embedded Analytics for an overall hardware security strategy that includes many of the elements that are needed to address IoT security requirements across a broad spectrum of applications.

What security features can be addressed with Tessent Embedded Analytics?

1. Secure boot – Hardware monitoring technology can be used to check a prescribed boot sequence has been executed as expected. This ensures that both the hardware and software are as intended.
2. Attestation – Similar to secure boot, functional monitoring can be used to generate dynamic signatures that represent either a hard or soft configuration of a specific IP or IC in a system. This confirms again both the accuracy of the expected hardware and its configuration. This approach can be used to provide either a single identity token or a system wide collection of tokens.
3. Secure access – As with all systems, it is critical that communication channels in and out of the device are secure and, in many cases, configurable based on different levels over required access.
4. Asset protection – Active functional monitoring can be a critical part of any defense in depth strategy against the dynamic cyber-threat landscape. Based on a detailed threat analysis, selection and placement of functional monitors within the device provide extremely low latency threat detection and mitigation.
5. Device lifecycle management – Auto-makers need to be able to monitor the health of the IoT devices throughout their active life cycles, from manufacture through to decommissioning. Functional monitoring and sensors play a significant part in monitoring device health over their life cycle.

Example of secure boot in an IoT device

Secure boot is the first critical step in ensuring that an IoT device comes online, even before any form of authentication takes place. Figure 2 shows a typical architecture for a simple IoT device, comprised of a processor, some memory, and some peripherals.

Fig. 2: Regular IoT device architecture.

During the system boot process, the device will load and execute a small piece of boot loader code from the ROM, before the device is ready to authenticate and run any application software. It is here during the boot sequence that a hack to bypass or interfere with authentication process takes place. If we take the same system, here shown in figure 3, we can see several embedded analytics monitors used to monitor the transactions occurring during the boot sequence and indicate a pass/fail to the boot sequence based on the transactions monitored.

Figure 3: Regular IoT device architecture including Embedded Analytics (EA) monitors.

Summary

Using embedded analytics technology to actively monitor an IoT device boot sequence will enable a trusted boot sequence to be identified and the system to subsequently be unlocked. Because the monitoring is done in hardware, it ensures that both the hardware and software elements of the IoT device are correct. Also, the monitors can be placed at any number of locations around the system, to make sure the locking mechanism is well distributed.