Paul Wooderson is currently Senior Functional Safety/Cyber Security Engineer at HORIBA MIRA. He is a Chartered Engineer with 14 years’ experience in embedded systems security, in various domains including smartcards and automotive. His work has covered aspects of security engineering including threat and risk analysis, secure design techniques, security validation, penetration testing and certification.
In light of recent news reports on vehicle cyber security, this blog gives an overview of the vehicle threat landscape, discusses some of the security challenges presented by the automotive environment and describes how companies such as HORIBA MIRA are helping to address them.
Today’s vehicles are no longer isolated mechanical machines; they are controlled by as many as 100 electronic control units connected to each other via in-vehicle networks. This trend is increasing rapidly with the introduction of advanced driver assistance systems and the push towards autonomous vehicles. In parallel, the introduction of connected features such as telematics and the integration of smartphones mean that the modern car should be seen as yet another node in the ‘Internet of Things’.
”There are a number of potential attackers with different motivations including criminals, hackers, maintenance personnel and even the vehicle owner. As a result, even entry points of the vehicle which require physical access, must not be ruled out.
Increasing autonomy and connectivity in vehicles has brought about many improvements in terms of functionality and convenience, however this in turn has exposed us to the potential of greater levels of malicious activity in the form of cyber-attacks. There are many potential threats that we face, including traditional vehicle theft, owners enhancing the performance of their own car, identity theft or unauthorised remote access to vehicle functions. Each of these threats can have a variety of different consequences, including the financial, privacy and operational impacts typically associated with the information security domain, as well as potential impacts upon safety.
A motivated attacker can realise these threats by identifying and exploiting attacks via a number of ‘entry points’. Examples include wireless interfaces such as cellular, Bluetooth and keyless entry systems, wired connections such as the OBD-II diagnostic port, sensors and attacks on the electronic control units themselves. The relative accessibility to an attacker of these entry points varies greatly; however there are a number of potential attackers with different motivations including criminals, hackers, maintenance personnel and even the vehicle owner. As a result, even entry points of the vehicle which require physical access, must not be ruled out.
New methods to attack embedded systems are continuously being developed, leading to a ‘cat and mouse’ battle between those developing the attacks and those developing the solutions. This means that as well as taking account of known attacks and defending against known vulnerabilities, a focused R&D effort is necessary to search for unknown attacks and potential weaknesses and to develop appropriate security measures to protect against them.
Due to this dynamic and human element, it is not possible to justifiably claim that any system is 100% secure. Therefore a defence in depth approach must be taken, which involves building in a set of layered security measures aimed at preventing, detecting and responding to attacks. This approach must start from the very beginning of the product lifecycle and be embedded in all stages: from initial concept through design and development, manufacturing, operation, service, and disposal. A security culture should be established within vehicle manufacturers and their suppliers, with all relevant personnel appropriately trained and involved in thinking about security. Such a holistic approach is critical, as security is only as strong as the weakest link.
”It is not possible to justifiably claim that any system is 100% secure. Therefore a defence in depth approach must be taken
Despite the recent media focus on vulnerabilities in vehicles, the automotive industry is addressing this challenge in a number of ways. For example, at HORIBA MIRA we have established a state-of-the-art engineering process for cyber security aligned with existing product development processes required for compliance with standards such as ISO 26262 (Functional Safety). This includes activities such as Threat Analysis and Risk Assessment to identify top level security goals, and the use of Model Based Systems Engineering to elicit security requirements and flow them down to the more detailed design phases. This enables cyber security principles to be integrated with established best practices for safety and quality, synergies to be exploited and any conflicts to be resolved.
Technical solutions are then developed to achieve the security requirements at the necessary level of system design. For example, secure communications standards are under development by IEEE and ETSI to provide security and privacy for vehicle-to-vehicle and vehicle-to-infrastructure communications. Within the vehicle, authenticity, integrity and confidentiality of data on the in-vehicle network can be achieved through the use of cryptographic services, protocols and algorithms, which are increasingly supported by modern microcontrollers and embedded software. The integrity and robustness of the embedded systems themselves are also important and can be realised through platforms which provide secure storage, trusted boot, secure software updates and tamper resistance features.
Effective verification and validation is required at different stages of development to evaluate whether the actual level of security is as designed, and whether it is effective at preventing the relevant attacks. This involves various review, analysis and testing activities which take several forms, including verification of correct functional behaviour, proper implementation of security mechanisms, vulnerability analysis and penetration testing to confirm the effectiveness of those mechanisms. Due to the diverse nature of the automotive supply chain, it is essential to perform relevant verification activities for individual hardware and software components, complete embedded systems and at the vehicle level, to ensure that all the elements are properly integrated.
Recent demonstrations seen in the news show that cyber-attacks are feasible on modern vehicles as the range of connected services increases. By introducing, implementing and improving security standards, engineering best practices and technical solutions, the automotive industry can develop vehicles with desirable and convenient features, but also with appropriate levels of cyber security protection.