中文 English

Standards And Threat Testing For Secure Autonomous Vehicles

Threats modeling and testing will propel the development of autonomous vehicles.

popularity

Modern vehicles continue to move up through the levels of autonomy, as defined by The Society of Automotive Engineers (SAE). These definitions have been widely adopted across the industry and emerging vehicle technology is measured against this scale (figure 1).

Fig. 1: An illustration from the Society for Automotive Engineers shows levels of autonomy.

The closer we move towards level 5 Full Autonomation, the more driving tasks and control we relinquish to the advanced driver-assistance systems (ADAS) technology within the vehicle. The electronics must meet certain standards, including:

  • Contain high-quality, defect-free components and remain defect-free for many years
  • Operation in a functionally safe manner
  • Operate as per the intended function
  • Be secure and guard against cyber security attacks

To ensure that all vehicle systems reach at least a minimum level with regards to these requirements, several standards have emerged over the last few years. Figure 2 shows the different types of faults that are covered by each of the different standards. The ISO 26262 standard for functional safety in the automotive industry covers IC defects that are either present at manufacture or manifest during the lifecycle of the vehicle. The ISO 21448 standard is more focused on operation correctness as it looks at the function of the device within the system to ensure that it operates as intended. The ISO 21434 standard guides cybersecurity risk management throughout the silicon lifecycle.

Fig. 2: Three key standards guide the development of autonomous vehicles.

Cyber security and threat modeling

Unlike the functional safety risk landscape, which is essentially static for a given function, the security threat landscape is very dynamic—the type and complexity of cyber security attacks change throughout the lifecycle of the vehicle. Considering that by the time most vehicles hit the market, the electronics technology used is already several years old, security features built into the system today could be out of date even before the vehicle goes into production. This is the compelling reason to develop security technology that is also extremely dynamic and adaptable to whatever future threats present their selves.

The cybersecurity of automotive electronics is guided by the ISO/SAE 21434 specification ‘Road vehicles – Cybersecurity engineering’, published in August 2021, and recommends the use of a methodology such as STRIDE, developed by Praerit Garg and Loren Kohnfelder at Microsoft, and/or ‘mis-use elicitation’.

The core of an IC cybersecurity methodology is threat modeling. Several off-the-shelf solutions exist for threat modeling, but in general, users have to do the real work to fully commit to a particular solution and stick with it. Some of these solutions are anchored in the STRIDE methodology and framework, while others rely on proprietary databases of threats and assets and structured (but not standardized) description language formats.

The reality is that threat modeling is hard. It can be used as a tool to aid design and to help design teams think more clearly about what types of issues they may face. However, without real-world experience of the ways that systems are attacked at an engineering level, it can be far too abstract. It is crucially important that the teams involved in this work truly understand the threat environment and are in a position to sensibly and dispassionately risk-score certain scenarios. The reason for this is that a threat or risk scored too highly can mushroom the cost of development. Conversely, too low a score will starve funds and engineering resources from an area that sorely needs attention. The overall result is the well-known ‘open kitchen window, triple-locked front door’ scenario.

Other aids to threat modeling can be beneficial in helping to model other aspects of attack – for example, the cost to an attacker of taking a particular route. Attack trees provide this ability and can be useful if they are modular and can be combined in a kind of jigsaw puzzle to provide very useful insights (figure 3). The best way of working on attack trees is to involve individuals in the team who truly understand the situation on the ground both in terms of the technology and in how it is being broken in the field.

Fig. 3: The steps of the STRIDE process for automotive cybersecurity.

Threat modeling should not be static: It should not be allowed to go stale. Everyone has to start somewhere, and the time invested in the initial threat modeling is likely to pay dividends over time, as long as it is maintained and adhered to by the development teams. It is unlikely that there will be an industry-wide threat model, however individual OEMs will have very similar models, as will their suppliers. Future developments are likely to see further automation, but this discipline will still be one of critical thinking.

The Secure-CAV platform

Connected and autonomous vehicles (CAV) are comprised of multiple networked computers. These ECUs (Electronic Control Units) enable a wide range of functionality and features in the vehicle, from driving and powertrain control to connectivity, sensing, and body modules. The ECUs are interconnected through onboard networks, including typically a data bus known as the Controller Area Network (CAN). As such, modern vehicles are an example of a Cyber-Physical System (CPS).

Increased computing and connectivity capabilities in ECUs have introduced new cybersecurity challenges that can potentially affect the safety of an automobile and its occupants. Effective cybersecurity testing of vehicles can play a crucial role in discovering and addressing security flaws. However, testing a real vehicle (involving cyber-physical components) itself carries safety and economic risks. Therefore, researchers and practitioners often rely on testing environments (commonly known as testbeds) for uncovering cybersecurity vulnerabilities. Effective and efficient security testing needs the application of appropriate and systematic testing methods.

The Innovate UK-sponsored Secure-CAV Consortium has developed a multi-component testbed representing a flexible and functional in-vehicle architecture for real environment trials to train, test, validate, and demonstrate automotive cybersecurity solutions. This demonstrator aims to reproduce the behavior of a real vehicle as accurately and faithfully as possible (fidelity), while also being reconfigurable, portable, safe, and inexpensive to construct. The testbed gives the cybersecurity researchers and engineers comprehensive security evaluation of in-vehicular network components providing:

  • Integration of Siemens IP in an FPGA implementation for ECU behavior monitoring
  • Support for multi-component architecture and a range of on-board communication protocols (including CAN and Automotive Ethernet)
  • A ‘plug-and-play’ facility for client ECUs (which may be telematics units, sensors, infotainment systems, in-cabin connectivity, and body modules)
  • A traffic scenario simulator to generate sensor data and connectivity supporting threat use cases being demonstrated
  • Configurability for repeatable test scripts, and an interface for packet injection and tracing, to support attack vectors
  • A data repository for data captured from emulated sensors, vehicle simulator, CAN/Automotive Ethernet payload, FPGA, and attached ECUs for visualization, test calibration, and machine learning. The repository could be in-cloud for remote analysis or on local storage.

Figure 4 shows the Secure-CAV automotive cybersecurity testbed. It includes a car simulator, an on-board network simulator, a field-programmable gate array (FPGA) system, a physical network, data storage, and a real car’s instrument cluster. Most of the vehicle architecture and its CAN bus network is realized within a virtual environment using Vector CANoe network simulator.

Fig. 4: Demonstrator architecture diagram.

The IP and anomaly detection software in the Secure-CAV demonstration vehicle monitors protocols and transactions at the lowest level in hardware. This is backed by unsupervised machine learning algorithms and statistical analysis, with expert input from the University of Southampton. This was integrated into FPGA technology and linked to two vehicle demonstrators developed by teams at Coventry University and cybersecurity specialists Copper Horse. A range of selected real-world threats has been exercised, including purchasing and analyzing hacking equipment for existing vehicles.

The long lifespan of automobiles requires an innovative cybersecurity approach. Many suppliers and OEMs are constantly working on solutions to detect and mitigate new and upcoming attacks. Modeling and testing threats can be a challenge because it often needs to be done at the system level rather than at the component level.

The Secure-CAV project has a proven hardware-based security technology that will allow the automotive industry to leap ahead of the threats of today and the as yet unknown threats in the future, putting the industry into a much more tenable cybersecurity posture than it currently holds.

To further ensure that the cybersecurity detection and mitigation technologies are fully tested in all different conditions and scenarios, developers can move from the physical demonstrator of Secure-CAV to a completely digital domain with the Siemens PAVE 360 Platform, which can model and emulate complete vehicle systems in a digital environment. A complete digital twin of the electronics system can be created, enabling an extremely comprehensive set of real-life data applied. With this real-life data, it is possible to subject the vehicle system to the equivalent of millions of driven miles in different conditions. This approach means that with a high-fidelity model a digital twin environment gives results equivalent to what would be seen on the track, and the digital model allows for easier exploration of more corner case usage scenarios than what would be possible in the physical world.

Summary

As we strive towards full level-5 autonomy, the way automotive systems are developed and certified within the supply chain will change. The adoption of the latest tools and technology ensures that new automotive electronics systems are both safe and secure against today’s cyber attackers and those in the future. Without advanced Embedded Analytics technology, automotive ICs will remain a black box, making it hard to determine the overall health of the vehicles system reducing the vehicle’s overall reliability.



Leave a Reply


(Note: This name will be displayed publicly)