Cybersecurity For Cars Starts With Chips And IP

The automotive industry is undergoing a significant transformation. Cars are becoming more sophisticated and valuable with increased connectivity and capabilities to provide a better user experience. They are also collecting and transmitting more and more sensitive data and thus are becoming very attractive targets for attacks. Cybercrime in the automotive industry is growing rapidly. How bad is it? According to the AV-TEST Institute, the number of malicious programs targeting automobiles has increased to roughly 1.1 billion at the end of 2020, from ~65 million in 2011. Upstream Security reported in a 2019 cyber hack security study that there was a 94% year-over-year growth in automotive hacks since 2016.

Cybersecurity is a critical and urgent need that OEMs must address, and it’s important that they do so starting early in the design cycle. While the automotive sector has not been as regulated as other industries, the environment is changing rapidly with more regulations, standards, and guidelines, such as:

• 29 regulations released by UNECE (United Nations Economic Commission for Europe) mandate cybersecurity management systems for new vehicles. The regulations require OEMs to manage cyber risks, secure vehicles by design, detect and respond to security incidents, and provide safe and secure over-the-air software updates.
• ISO/SAE 21434, a new standard scheduled for release in 2021, specifies the process requirements for cybersecurity risk management of road vehicle systems. Covered processes include the complete life cycle from concept, development, production, operations and maintenance, to decommissioning.
• SAE J3101 specifies hardware-protected security requirements for ground vehicle applications. SAE J3101 includes a comprehensive view of security functions and corresponding use cases as well as applications that need to be supported to address the security needs in a vehicle.
• NHSTA (National Highway Traffic Safety Administration) cybersecurity best practices report recommends a multilayered automotive cybersecurity approach. NHSTA focuses on vehicle entry points that could be vulnerable to cyberattacks, such as wired and wireless connections designed for human or machine interfaces.

While automotive security is critical and must be addressed from the ground up starting with the system-on-chips (SoCs), it also needs to be approached together with safety in a holistic manner. In addition to the systematic and random faults addressed by the ISO 26262 functional safety standard, secure automotive systems must be able to handle malicious attacks that can occur unpredictability. Designing security into automotive SoCs from the hardware level with safe and secure Hardware Secure Module (HSM) IP with root of trust will help ensure that connected cars behave as expected, prevent random and systematic faults, and are able to fend off malicious attacks.

Automotive hardware secure modules to protect chips

The foundation of security is an in-depth defensive strategy for securing a vehicle. At the heart of every software program is the hardware on which it runs. To ensure that an SoC has not been compromised, the hardware should be capable of assessing its own integrity as it comes out of reset. Then, when it is deemed secure, it can bring up the network that ultimately forms the intelligence inside the car that will eventually connect to the outside world. In addition to ensuring the SoC boots safely and is protected, the SoC needs to be able to prevent random and systematic faults and meet stringent safety requirements.

Highly secure HSM IP, such as Synopsys’ ASIL B Compliant DesignWare tRoot HSM IP for Automotive (figure 1), offers a multifaceted approach. In addition to a comprehensive root of trust security solution, ASIL-ready IP offers a suite of automotive documentation (safety manual, DFMEA/FMEDA/DFA analysis reports, quality manual, development interface and safety case reports) and hardware safety mechanisms to protect the SoC against malicious security attacks while preventing random and systematic safety faults. To protect against both malicious attacks and unexpected errors, the IP includes a broad range of safety mechanisms such as dual-core lockstep, memory ECC, register EDC, parity, watchdog, self-checking comparators, bus and MPU protection, and dual rail logic. Secure HSM IP also incorporates an ASIL compliant processor, such as ASIL D Compliant low-power ARC Processor IP, for running secure applications and cryptographic processing.

Trusted Execution Environment with the HSM

HSM IP for automotive applications must provide a Trusted Execution Environment (TEE) to protect sensitive information and processing at the SoC level. In addition, the HSMs can offer security-critical functions required throughout the device life cycle:

• Secure boot validates software and data integrity of the host CPU and is used to ensure that it executes only trusted firmware. The HSM verifies the authenticity and integrity of the code base that will run on the host processor. Based on the result of the authentication, the host system can be allowed to continue with the boot process or not. Besides integrity and authenticity, the secure boot service supports confidentiality as well via optional decryption of firmware images.
• Secure update enables in-the-field firmware updates based on secure identification and authentication, with optional encryption.
• Secure authentication is essential to ensure that one or more of the upstream and/or downstream devices communicating with the target device can be trusted. To ensure this trust, a mutually agreed upon authentication scheme is required. The HSM can ensure the integrity of various authentication protocols as well as the confidentiality of shared secrets between devices.
• Secure debug permits authentication with an external host using a secure protocol to enable local debugging on a device. Only trusted, authenticated developers are allowed debug access to the system.
• Secure storage provides protection for the device’s application data. When enabled, the HSM provides a secure path to encrypt and decrypt the application data for storage in non-trusted locations, preventing attackers from reading or modifying it.
• Key management keeps the secret key material inside the hardware Root of Trust. Use of keys is allowed and managed by permissions and policies at the application layer. In addition, key generation, import, and export are controlled by the HSM’s trusted application software without access to the keys from application or other less-trusted processors in the system.

HSM IP for secure automotive chips

Synopsys’ ISO 26262 standards-compliant HSM has already been deployed with lead customers and offers:

• Fully programmable solution provides the hardware root of trust for a system and safeguards against evolving threats with high-grade security
• Safety mechanisms for ASIL B compliance for random faults and ASIL D compliance for systematics
• Scalable symmetric/asymmetric/hash/MAC cryptography acceleration from CPU custom instructions, to cryptographic cores with side channel protection
• Efficient low-power ARC processor with SecureShield technology includes an MPU for memory access permission control
• Secure external memory controllers with side channel (DPA protection) provide confidentiality and integrity protection for untrusted external memory, as well as runtime tamper detection
• NIST SP800-90c compliant True Random Number Generator (TRNG)
• Multiple secure key servers for secure key distribution within the SoC
• Compliant with EVITA Full/Medium/Light hardware requirements
• Power, clock, and reset management
• Software that includes secure applications such as SDK, NIST-validated cryptography library, SecureShield runtime library, device drivers, and reference designs
• Delivered with development and manufacturing tools

Fig. 1: DesignWare tRoot HSM for Automotive.

Conclusion

Connected cars are evolving rapidly with more innovation and new applications for ADAS/autonomous driving, V2X, and infotainment. With the amount of hardware and software content enabling greater automation, cars have many potential points of security vulnerability and are targets to an increasing number of cyberattacks. To avoid weaknesses in security, OEMs are demanding both data protection and safety in the chip level. Automotive systems must address high-grade security and also must meet functional safety standards, which means implementing security functions to ensure that functional safety cannot be tampered with. Without security, there is no safety and vice versa. Secure systems must be able to handle unpredictable inputs that would create unacceptable behaviors. Designing the security into automotive SoCs from the hardware level will help ensure that connected cars behave as expected, are able to protect against malicious security attacks, and are capable of preventing random and systematic safety faults.

Synopsys is uniquely positioned in the market with standards-compliant safe and secure HSM IP for automotive that aligns with the latest technology demands and cybersecurity guidelines and enables SoC designers to quickly implement the required security in their chips with low risk and fast time to market.