An overview of the standards aiming to mitigate threats to automotive electronics.
Vehicle systems and the semiconductors used within them are some of the most complex electronics seen today. In the past, electronics going into vehicle systems implemented flat architectures with isolated functions controlling various components of the power train and vehicle dynamics. These electronic systems communicated primarily through legacy bus interconnect protocols, like controller area network (CAN) and media-oriented systems transport (MOST) technologies.
To support the realization of Level 4 and Level 5 (L4/L5) autonomous driving, a massive restructure is underway. The software-defined vehicle, the automotive Ethernet, V2X connectivity, and domain controller units are just some of the new technologies required to realize L4/L5 capabilities.
Electronic systems exist for powertrain and vehicle dynamics, advanced driver assistance systems and automated driving, connectivity, infotainment, and in-vehicle experience. Often at the heart of these electronic systems is a complex, multi-island IC containing multi-core processing, dedicated artificial intelligence and machine learning engines, mixed-signal processing, and more. Whether it’s a complex system on chip or a mixed-signal IC sitting at a sensor edge, security and safety are essential. IC suppliers must build in the necessary safety and security prevention measures to ensure high quality and reliability throughout the operational life of the product.
The introduction of features like remote updating, remote monitoring, vehicle-to-vehicle, and vehicle-to-grid communication has led to an increased focus on securing vehicle systems. The advancements in vehicle electronic systems have resulted in a large attack surface for adversaries to exploit. In commercial or industrial applications, security is focused on providing trust, protecting assets, and protecting identities. In automotive, these focus areas remain, but another dimension is added: a lack of security has the potential to directly impact the safety measures implemented in a vehicle. Functional safety requirements for automobiles are specified by ISO 26262.
Therefore, in the design of vehicle electronics, safety and security aspects are interrelated and co-dependent. The lack of a robust safety architecture can not only cause a design to malfunction, but failures can also open up new security penetration points in the ICs, systems, and the vehicle as a whole. On the flip side, an incomplete security architecture may be used by adversaries to circumvent or disable safety features, making the vehicle vulnerable to run-time failures.
Automotive security has become a key focus area over the past decade as vehicles and their electronic systems have grown in complexity. As a result, several initiatives have been launched to provide a formal framework and approach for vehicle security. As is often the case with security, there are multiple dimensions to the problem. Multiple types of threat models must be considered when analyzing vehicle security, and multiple threat vectors exist for each model, as illustrated in the table. The table below defines mitigation techniques for a threat model and associated threat vectors as well as the applicable standards.
So, what are these security standards that are providing state-of-the-art guidance in mitigating threats for automotive electronics? What follows is a brief background on each.
In 2008, the European research project EVITA was started in anticipation of the development of car-to-car communications. To provide a secure basis for car-to-car communication, EVITA designed, verified, and prototyped security building blocks for automotive on-board networks. The EVITA project addressed communications inside and outside the vehicle, as the integrity of the latter depends on the integrity of the former. The recommended solution was based on hardware security anchors and a software security layer that makes use of these hardware security modules. The scope of the use cases includes communication between cars and between vehicles and roadside infrastructure, installation of applications from nomadic devices, aftermarket replacement of parts, and remote diagnosis. The project resulted in a list of security requirements such as authenticity, integrity, freshness, confidentiality, controlled access, and availability for the data exchanged between ECUs and displayed to the driver, as well as a secure execution environment for the ECUs.
Furthermore, in a car-to-car scenario, EVITA also addresses anonymity and privacy. The solution provided by EVITA is a hardware security module specification that comes in three different versions to accommodate different ECU processing capabilities. The EVITA full version is recommended for large ECUs such as the head unit. The EVITA medium version is recommended for ECUs such as the engine control or central gateway. The light version is suitable for ECUs like the brake actuators or the airbag actuator. The main paradigms of the EVITA specification are that security shall be based on hardware and that the hardware security module (HSM) shall be located on the same chip as the host system CPU. EVITA has spawned several developments and initiatives.
SHE is another popular initiative, from the Hersteller Initiative Software consortium founded in 2004 by Audi, BMW, Daimler, Porsche, and Volkswagen. It provides a specification for an on-chip extension to an automotive microcontroller unit (MCU), aimed at providing secure storage and a secure processing environment for keys. Like EVITA, hardware-based security is a requirement. The manipulation of the secure keys is performed inside a hardware-bound enclave that includes cryptographic accelerators such as AES or SHA-2, a pseudo-random number generator, volatile and non-volatile memories, and control logic to sequence the cryptographic operations and control the keys. SHE is more lightweight than EVITA and focuses on protecting the confidentiality of the cryptographic keys used by the automotive MCU, providing the MCU with an authentic software environment that has not been tampered with, and providing cryptographic services. Because it is lightweight and offers a simple API for cryptographic services, SHE has been widely adopted in the automotive industry.
In early 2020, SAE (Society of Automotive Engineers) and ISO released a new standard ISO/SAE J3101 that specifically addresses hardware security requirements for ground vehicles. The standard spells out more than 150 individual requirements for automotive hardware security and addresses a comprehensive list of security aspects such as hardware security lifecycle, key protection, key management, algorithms, entropy and randomness, secure execution environment, and interface control. It also links the requirements to specific use cases such as authenticated boot, authenticated updates, secure messaging, secure storage, or secure diagnostics. It is important to note that ISO/SAE J3101 does not describe a specific design to implement the requirements as EVITA or SHE do, but rather provides a systematic way to evaluate an automotive security solution and determine if it is adequate.
With hundreds of ECUs interacting in a modern vehicle, addressing security requirements for each of them is necessary but not sufficient. It is also important to understand how ECUs interact within the vehicle. Organizations like AUTOSAR help in that regard. The purpose of AUTOSAR is to deliver software platforms and frameworks that help in managing the complexity of an automotive subsystem. From the security standpoint, AUTOSAR provides APIs to abstract the security functions of the ECUs and manage them from a high-level standpoint. Security functions are associated with software services, for encryption/decryption or authentication, for example. At the lower level, hardware security components compliant with EVITA, SHE, or J3101 can be used.
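The requirements EVITA lists for data exchanged between ECUs (authenticity, integrity, freshness) and the service-level abstraction AUTOSAR provides can be seen in a small message-authentication check. The Python below is an added illustration, not code from EVITA, SHE or AUTOSAR: it appends a freshness counter and a truncated MAC to a CAN-style payload and rejects both tampered and replayed frames. It assumes a constructed 128-bit key and uses HMAC-SHA-256 from the standard library in place of the AES-CMAC an automotive HSM would typically compute.

```python
import hashlib
import hmac
import struct

# Constructed demo key. In a real ECU the key lives in an HSM/SHE key slot
# and only the MAC operation is exposed through the platform's crypto API.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TRUNC_MAC_LEN = 4   # CAN payloads are small, so only a truncated tag is carried


def _mac(key: bytes, can_id: int, payload: bytes, freshness: int) -> bytes:
    """MAC over CAN ID || payload || freshness so none of them can be swapped."""
    msg = struct.pack(">I", can_id) + payload + struct.pack(">H", freshness)
    # HMAC-SHA-256 stands in for AES-CMAC here (assumption for a stdlib-only demo).
    return hmac.new(key, msg, hashlib.sha256).digest()[:TRUNC_MAC_LEN]


def protect(key: bytes, can_id: int, payload: bytes, freshness: int) -> bytes:
    """Sender side: payload || 16-bit freshness value || truncated MAC."""
    fv = freshness & 0xFFFF
    return payload + struct.pack(">H", fv) + _mac(key, can_id, payload, fv)


class Verifier:
    """Receiver side: checks integrity/authenticity, then rejects replays."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_fresh = {}   # per CAN ID: highest freshness value accepted

    def verify(self, can_id: int, frame: bytes, payload_len: int):
        if len(frame) != payload_len + 2 + TRUNC_MAC_LEN:
            return False, "bad length"
        payload = frame[:payload_len]
        fv = struct.unpack(">H", frame[payload_len:payload_len + 2])[0]
        tag = frame[payload_len + 2:]
        expected = _mac(self.key, can_id, payload, fv)
        # Constant-time compare so tag checking does not leak timing information.
        if not hmac.compare_digest(tag, expected):
            return False, "bad MAC"
        # Freshness must strictly increase; an old or repeated counter is a replay.
        # (Counter wrap-around and resynchronisation are out of scope here.)
        if fv <= self.last_fresh.get(can_id, -1):
            return False, "replay"
        self.last_fresh[can_id] = fv
        return True, payload
```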
To reduce development time, effort, and risk in developing automotive silicon, architects of chips now have a choice of licensing certified embedded HSM designs that provide state-of-the-art security and meet functional safety requirements. The Rambus ISO 26262 ASIL-B certified RT-640 embedded HSM is a critical security IP component of the security architecture for automotive SoCs. The RT-640 is part of a broad portfolio of security and connectivity solutions Rambus has tailored for the automotive market.