Guest blog
Paul Wooderson is currently Senior Functional Safety/Cyber Security Engineer at HORIBA MIRA. He is a Chartered Engineer with 14 years’ experience in embedded systems security, in various domains including smartcards and automotive. His work has covered aspects of security engineering including threat and risk analysis, secure design techniques, security validation, penetration testing and certification.
In light of recent news reports on vehicle cyber security, this blog gives an overview of the vehicle threat landscape, discusses some of the security challenges presented by the automotive environment and describes how companies such as HORIBA MIRA are helping to address them.
Today’s vehicles are no longer isolated mechanical machines; they are controlled by as many as 100 electronic control units connected to each other via in-vehicle networks. This trend is increasing rapidly with the introduction of advanced driver assistance systems and the push towards autonomous vehicles. In parallel, the introduction of connected features such as telematics and the integration of smartphones mean that the modern car should be seen as yet another node in the ‘Internet of Things’.
”There are a number of potential attackers with different motivations including criminals, hackers, maintenance personnel and even the vehicle owner. As a result, even entry points of the vehicle which require physical access, must not be ruled out.
Increasing autonomy and connectivity in vehicles has brought about many improvements in terms of functionality and convenience, however this in turn has exposed us to the potential of greater levels of malicious activity in the form of cyber-attacks. There are many potential threats that we face, including traditional vehicle theft, owners enhancing the performance of their own car, identity theft or unauthorised remote access to vehicle functions. Each of these threats can have a variety of different consequences, including the financial, privacy and operational impacts typically associated with the information security domain, as well as potential impacts upon safety.
A motivated attacker can realise these threats by identifying and exploiting attacks via a number of ‘entry points’. Examples include wireless interfaces such as cellular, Bluetooth and keyless entry systems, wired connections such as the OBD-II diagnostic port, sensors and attacks on the electronic control units themselves. The relative accessibility to an attacker of these entry points varies greatly; however there are a number of potential attackers with different motivations including criminals, hackers, maintenance personnel and even the vehicle owner. As a result, even entry points of the vehicle which require physical access, must not be ruled out.
New methods to attack embedded systems are continuously being developed, leading to a ‘cat and mouse’ battle between those developing the attacks and those developing the solutions. This means that as well as taking account of known attacks and defending against known vulnerabilities, a focused R&D effort is necessary to search for unknown attacks and potential weaknesses and to develop appropriate security measures to protect against them.
Due to this dynamic and human element, it is not possible to justifiably claim that any system is 100% secure. Therefore a defence in depth approach must be taken, which involves building in a set of layered security measures aimed at preventing, detecting and responding to attacks. This approach must start from the very beginning of the product lifecycle and be embedded in all stages: from initial concept through design and development, manufacturing, operation, service, and disposal. A security culture should be established within vehicle manufacturers and their suppliers, with all relevant personnel appropriately trained and involved in thinking about security. Such a holistic approach is critical, as security is only as strong as the weakest link.
”It is not possible to justifiably claim that any system is 100% secure. Therefore a defence in depth approach must be taken
Despite the recent media focus on vulnerabilities in vehicles, the automotive industry is addressing this challenge in a number of ways. For example, at HORIBA MIRA we have established a state-of-the-art engineering process for cyber security aligned with existing product development processes required for compliance with standards such as ISO 26262 (Functional Safety). This includes activities such as Threat Analysis and Risk Assessment to identify top level security goals, and the use of Model Based Systems Engineering to elicit security requirements and flow them down to the more detailed design phases. This enables cyber security principles to be integrated with established best practices for safety and quality, synergies to be exploited and any conflicts to be resolved.
Technical solutions are then developed to achieve the security requirements at the necessary level of system design. For example, secure communications standards are under development by IEEE and ETSI to provide security and privacy for vehicle-to-vehicle and vehicle-to-infrastructure communications. Within the vehicle, authenticity, integrity and confidentiality of data on the in-vehicle network can be achieved through the use of cryptographic services, protocols and algorithms, which are increasingly supported by modern microcontrollers and embedded software. The integrity and robustness of the embedded systems themselves are also important and can be realised through platforms which provide secure storage, trusted boot, secure software updates and tamper resistance features.
Effective verification and validation is required at different stages of development to evaluate whether the actual level of security is as designed, and whether it is effective at preventing the relevant attacks. This involves various review, analysis and testing activities which take several forms, including verification of correct functional behaviour, proper implementation of security mechanisms, vulnerability analysis and penetration testing to confirm the effectiveness of those mechanisms. Due to the diverse nature of the automotive supply chain, it is essential to perform relevant verification activities for individual hardware and software components, complete embedded systems and at the vehicle level, to ensure that all the elements are properly integrated.
Recent demonstrations seen in the news show that cyber-attacks are feasible on modern vehicles as the range of connected services increases. By introducing, implementing and improving security standards, engineering best practices and technical solutions, the automotive industry can develop vehicles with desirable and convenient features, but also with appropriate levels of cyber security protection
Yawn, yawn.
This reminds me of one of these hour long slide presentations where you come to the end of it and you realise that you have just wasted a good part of your life listening to something that actually says nothing at all.
Does this actually tell an engineer anything new that is not already in the public domain.
While it all sounds like a statement of the obvious, does the fact that it needs to be said suggest that some manufacturers have not been taking the issue seriously? That so many modern keyless entry cars are being stolen and reprogrammed is the proof of it.
There is a group of very clever folk at a well known establishment located not a million miles from Cheltenham who spend much of their time doing exactly what is happening here: though they are called ‘Ethical’ hackers and they are doing this to ‘them’. One can hardly be surprised if ‘they’ are doing the same to ‘us’: and it appears successfully! If I recall many of the ‘leaders’ of WWI (on both sides) came from the same social classes: and many of those, for the protection of whom they persuaded the lower orders to attack and kill each other in millions, were actually related/family. They did of course all pray to the same ‘Maker’
I do believe we are approaching a new ‘family’ circumstance: and that is the family of those (I am proud to include myself in such) trained in and active in technology, engineering, science. It surely does not matter under what social sysyem or language such study occurred: the manipulation of Nature’s Laws to the benefit of all mankind is the result. I look forward to the day when ‘we’ take the power that such a situation provides and eclipse all other reasons for conflict.
Come on Grumpy, tell me where I am wrong!
I think what Paul is confirming (and if I may defend his, to some, apparently rather bland comments) is that it is the ‘signals’ and their interpretation (and disturbance) which are the key to containing a threat. If I recall Wellington always believed that ‘seeing -over-the hill’ (the task of those parts of his armies charged with keeping him informed) that was the most important thing. Here is Paul seting out a new ‘hill’ and warning us of the consequences of not looking over it. Is that an analogy, metaphor, simile, (our Editor is usually kind enough to remind me!)
Perhaps we who have the good fortune to set-out what we mean technically do so primarily with mathematical (and code) symbols: which mean the same internationally: how sad for our apparant betters that they use word-symbols: which can mean whatever whoever pays the most for their ‘interpreter’ wants them to mean. Is that an analogy…you get the idea!
Get a bicycle.
So cars have to be protected form their owners eh? I thought when I paid money for a car I owned it and (as long as it’s legal) can do what I like with it.