A multi-layer security approach using DFT and embedded analytics.
The day has already arrived when we need to be concerned about the cybersecurity of our cars. An average modern car includes about 1400 ICs and many of them are used in sophisticated applications, like autonomous driving and vehicle-to-everything (V2X) communication. The security of road vehicles is an important issue to automakers and OEMs but is rooted in the IC devices that power the vehicle systems.
Security of automotive electronics is not just an issue of competitive advantage; it’s a business, legal and moral imperative. The electrical/electronic systems in vehicles are growing in complexity and are more connected than ever. A malicious hack can affect not only privacy, but the life and health of the passengers. Security is an urgent issue now as the automotive industry pursues greater automation, connectivity, electrification, and sharing.
However, the problems faced by IC designers are not well defined or widely understood, and the solutions are not always clearly presented. It’s the IC designers that need to build in security solutions to the ICs for ECUs, communication channels, infotainment system, and various driver assist features. A multi-layer security approach touches many parts of chip design, and I’ll describe the roles of Tessent design-for-test (DFT) and Embedded Analytics IP.
Yes, a number of reports over the past decade have highlighted the growing issues of electronics security. In 2010, the U.S. Department of Commerce said that 55% of the survey participants had encountered counterfeit products. In 2012, the National Highway Traffic Safety Administration found counterfeit air bags in the US fleet, affecting nearly 200,000 drivers. In 2018, researchers describe in “The Big Hack” how they found a tiny microchip embedded in a server’s motherboards. At the end of 2022, a group of researchers discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car functions and start or stop the engine.
Effective security must be embedded in the chip design architecture, inserted as layers (similar to a network layer both software and hardware) all the way through the chip design process.
The semiconductor industry widely implements cybersecurity measures to mitigate the risks of hacking and counterfeiting. They follow the well-established ISO 26262 functional safety, and the newer standard for automotive cybersecurity, ISO/SAE 21434. There is a massive effort among commercial players in the automotive ecosystem, including technologies, standards, and new regulations to prevent cyberattacks.
What the standards don’t do is dictate solutions or technologies, but there are a few strategies in place for automotive security, including embedded firewalls, authentication, secure communications, encryption, and digital certificates. Not all of these apply to every vehicle system. The backend servers might have different security solutions than the ECUs or communication channels. However, securing the ICs that drive all the systems that make up a modern vehicle is clearly a fundamental goal.
Securing the ICs involves securing the semiconductor supply chain, protecting against cyber-attacks, and protecting embedded systems with hardware-based security.
Embedded devices for automotive vehicles follow the Open Systems Interconnect (OSI) 7-layers model for network communication. Each layer has a role and is assigned a given security requirement. As shown in figure 1, the physical layer protects against tampering and supply chain. The data link-layer validates all the hardware and software at boot time. The network layer, which is a hybrid (HW/SW) layer, prevents the exploitation of software vulnerabilities and ensures integrity and confidentiality.
Fig. 1: OSI seven-layer model for securing network communication.
The implementation of hardware consists of three layers: The physical layer, the data link layer and the network layer.
In the physical layer, which is the electrical and physical representation of the system, designers can address the supply chain vulnerability. This is done using design-for-test (DFT) structures (IP) and test buses to protect against side-channel attacks by securing the design structure and sensitive data. Each DFT structure as well as the test infrastructure must itself be secure-by-design. All test access and operations must be controlled and monitored by dedicated secure logic to ensure the validity of any access and the integrity of test data.
The data link layer is the root-of-trust point that validates all the system hardware and software boot at the start of the functional operation. Hardware trusted anchors (HTA) are typically used for these purposes and can include functions like key protection, memory protection, cryptographic accelerators, secure code execution environment, secure boot and software attestation, and device identity directly on the device. There are several types of HTA (TPM, HSM, etc.).
In Upstream’s 2023 Global Automotive Cybersecurity Report, about 63% of reported attacks are remote access through application software and the network. The attacks targeted telematics, remote keyless entry systems, ECUs, infotainment systems and mobile applications.
Many automotive systems are moving from domain-based architecture, in which ECUs are categorized into domains based on their function, to zone-based architecture that classifies ECUs by their physical location in the vehicle. This change helps to consolidate the ICs and reduces cost and overall vehicle weight. In zone-based architecture, the firewall at the central gateway of the domain plays a vital role protecting the system from external as well as in-vehicle network threats.
The network layer is where we should address malicious network transaction and software requests. The firewall protects the embedded system from the application side by controlling packet processing and establishing an audit point to track attacks. A software-based firewall is highly configurable with built-in flexibility and filtration capabilities yet is more resource expensive. While a hardware-based firewall requires more silicon resources, it runs effectively and efficiently.
There can also be a hybrid firewall system that includes hardware and software. An example is the Tessent Embedded Analytics IP, which protects and audits the system from any anomaly or malicious attack. This IP has the flexibility and configurability to use on top of dedicated hardware monitors to speed up the process while offloading the time-consuming firewall tasks from the main processor. Tessent Embedded Analytics covers the physical, data link, and network layers, as illustrated in figure 2.
Fig. 2: Tessent solutions from Siemens that address hardware security.
With a multi-layered approach for embedded system security, a secure boot is fundamentally the first step to validate and verify the integrity of the software to run. This requires a trusted anchor to start the execution with. This hardware immutable root-of-trust (RoT) control vector as well as the hardware itself must be proven secured. That mandates the use of secured nonvolatile memories or pre-locked one-time programmable memory and a security processor/core to run the software. Figure 3 illustrates the flow for a secure run.
Fig. 3: Self-tested hardware RoT for secure boot and in-system test.
This process is a catch-22 as you cannot assume 100% security even when using a trusted manufacturer. A defect on any of the components could invalidate the secure boot procedure. A self-tested test structure with a tiny version of a RoT can solve this catch-22 problem embedded in the common secure boot process. That test structure verifies the security core processor after reset and prior to running the secure boot procedure. The same structure used to validate and verify the test data is also used to run in-field tests.
Makers of ICs for use in automotive applications are under pressure to deliver products that meet security standards and regulations. Designers can design-in security features using Siemens solutions like Tessent Embedded Analytics IP to future-proof vehicles against malicious attacks.
Tessent Embedded Analytics enables a comprehensive multi-layer security solution for your IC product, addressing authentication, communication, protection and device lifecycle management. Spanning across test, functional operation and system level security, Tessent hardware-based security solutions provide low latency and fully configurable solutions.
Leave a Reply