No Safety Without Dependable Security In Automotive Designs

The cyber threat faced by the automotive industry reached public awareness in 2015, when a “White Hat” research team commandeered the control electronics of a target vehicle at freeway speeds. Subsequently published details of the team’s work identified several discrete weak links that were leveraged by the researchers to create the attack. The approach illustrated a concept well-known to security researchers; that creating trusted systems requires a layered defense that anticipates and takes measures to protect both from external attacks and the inter-system links within a vehicle.

This layered approach is increasingly important in light of the electronics-driven revolution now reshaping the automotive industry. eMobility, Assisted/Automated Driving and Connectivity are making automotive systems more complex and more networked than ever before. Every aspect of the increasingly connected car is a potential attack point (Figure 1), which makes security architecture a lead consideration in vehicle designs. At the same time, companies working on development of autonomous functionality tell us that getting consumers comfortable with relying on these systems is critical to their long-term success. This requires what Infineon calls “dependable systems;” vehicle owners must be confident of the system’s safe and secure operation under all conditions. As the remote hack described above makes clear, securing electronics functionality plays a big role in building consumer trust.

Figure 1: Every connection in the car is a potential attack point

Changing Vehicle Architectures
The trend in automotive design is to reduce the number of individual electronic control units (ECUs) managing various functions, so today’s average of 30-50 ECUs per vehicle is probably a peak. Future architectures will see fewer ECUs with greater integration in functional domains or zones by geographic vehicle location. Even so, the number of systems that need to be protected remains in the dozens, ranging from domain controllers running several virtual machines concurrently, to modules for sensor fusion, braking, steering, clusters, infotainment, telematics and body control (Figure 2). All of these controllers and modules will be over-the-air (OTA) updatable, providing unprecedented flexibility in features and functionality, but also introducing greater security risks.

Figure 2: Semiconductors provide layers of security essential to future car architectures

Centralization and zones will allow for improved sharing of data, simplify overall connectivity, and support Service Oriented Architectures for better operation and lifetime maintenance. Each control module is comprised of three elements – compute, storage and connectivity – with risk associated to each element and recognized approaches to help secure their proper use. OEMs have to consider how these modules are used, how they can potentially be misused, and how the assets of each need to be protected. To provide guidance, a standard now awaiting final approval called ISO21434: Road vehicles — Cybersecurity engineering, offers processes and methods to support the automotive industry’s new designs. The standard defines cybersecurity engineering practices for all electronic systems, components and software in vehicles, as well as external connectivity. Let’s take a look at how these practices are applied to secure key hardware components.

Ensuring Proper Authority
State-of-the-art domain control modules today pair specialized compute engines (e.g. GPUs, neural processors) with workhorse microcontrollers (MCUs) such as the Infineon AURIX. Designed for dependable computing, this family of multi-core processors is designed for secure, safe, dependable computing with a fully-integrated Hardware Security Module (HSM). The HSM is fully compliant with the EVITA (E-safety Vehicle Intrusion Protection Application) standard widely used in vehicles today. This provides the maximum available security for engine control, chassis and safety critical systems. A second Infineon processor family, Traveo II, supports body control applications with an enhanced Secure Hardware Extension (eSHE) module, as well as One Time Programmable (OTP) fuses.

Connectivity in centralized and zone control ECUs flows through these secure MCUs, and the integrated security features support change authorization scenarios that prevent the type of attack used in 2015. If any request to update the system software is made, the target ECU receives a command and software updates that are hashed. Digital signatures are checked and confirmed as authentic prior to installation and use. A similar type of check is accomplished on vehicle communications networks – including both Ethernet and Controller Area Networks (CAN-FD) – before a bus message is acted upon. This protects controllers and networks from unauthorized commands, replay attacks, or malicious message injection from an improper authority.

In vision and sensor fusion systems, flash memory that contains boot code and calibration data can be an attack point, or “Honey Pot,” for malicious code insertion. Infineon Semper Secure NOR Flash brings a hardware root-of-trust to the memory device (Figure 3). A Unique Device Secret, following the Trusted Group Device Identifier specification, assures that the code remains inviolate and can only be updated by its designated compute engine. Safe Boot features are invoked if any code error is detected, and the entire memory device is Side Channel Attack resistant.

Figure 3 : In-depth measures by the Semper Secure NOR Flash for centralized ADAS system with connectivity (5G)

Secure Updates Beyond ECUs
The security points highlighted in Figure 2 can be thought of in two ways; those big enough to contain hardware security modules and those that are not. What this really gets to is that the security must scale with the system. Larger devices such as ECUs with Microcontrollers and Microprocessors that are on a vehicle network and control airbags, steering, braking, radios, clusters, and Advanced Driver Assistance Systems (ADAS), are systems large enough to warrant hardware security modules.

For smaller devices that are not connected to the main network buses, such as a window actuator, cost considerations make full hardware security modules impractical. Instead, techniques such as making the flash memory for the device updatable only once, or requiring a password, can be used to essentially turn the device into a Read Only Memory (ROM), making the code update process immutable and thus securing its operation.

Securing the Human Interface
In the 2015 hack, the White Hat team’s first point of attack was the headend infotainment unit of the target vehicle. While primarily isolated from critical systems, the attackers did find a path to a control unit that exchanged data with the headend, and this provided them with data ultimately used in their attack. As these infotainment and telematics units play an increasing role in the human machine interface of modern vehicles, they continue to represent a potential attack surface for determined bad actors. In defense, Infineon engineers its Wi-Fi and Bluetooth connectivity family with multiple, redundant levels of protection to delay and disrupt attacks. Each subsystem is independently secured, validated intersystem communications and memory protection units (MPU) are employed to block code injection, and TrustZone CPUs support a trusted execution environment.

Supply chain
As vehicles advance on the parallel paths of electrification and autonomous operation, and the likelihood of becoming enticing targets for bad actors increases, the industry is expanding its view of potential attack points. In particular, the security of the entire supply chain must be ensured. Each control module, with its millions of lines of code, need to be verified from point of initial manufacture to installation in each vehicle. And the connection between the cloud and the car must be configured to ensure that only authorized parties connect to the vehicle.

The risk to the supply chain comes if an attacker can slide something in between the product and the programming chain. To help secure the supply chain in the future, products will need to be shipped with a certificate or a key, stored in memory contents or on dedicated product identification ICs integrated on system boards. This creates a chain of custody for the hardware, all the way to where the software is installed and future updates are applied.

We’re already seeing demand from Tier One suppliers and OEMs to move in this direction. As a result, it is highly likely that we’ll get to the point in the near future where companies must assure the integrity of the supply chain from manufacturing, all the way until the silicon is put into the vehicle. When a secure supply chain is deployed, the chances of an attacker slipping something in are tremendously reduced. Infineon is familiar with this practice from decades of experience supplying security ICs for bankcards and secure ID credentials for government ePassports and similar applications, where lifetime, end-to-end security is a standard practice.

Cloud Connectivity
The recognition that the driving experience of the near future will be driven by OTA updates of both essential systems software and a host of user features rests on an assumption that car-to-cloud data exchange is inherently secure. Thus, as part of defense in depth, the TPM (Trusted Platform Module) architecture developed for enterprise networks is now mirrored in automotive qualified TPM 2.0 modules.

As the old adage goes, if you have enough time, resources and expertise, nothing is 100% secure. The goal is to create complementary layers of defense, so that if one falls short, another is there as backup. By ensuring proper authority, securing connectivity within and between systems and in cloud connectivity, scaling systems to suit the target application, and securing the supply chain, the automotive industry can achieve a level of dependable security that will make it very difficult to develop exploits against connected and autonomous vehicles. The semiconductor industry stands at the ready to lead the effort to help secure the connected, autonomous vehicle and ensure its safe and trusted operation.