Over many decades, the automotive industry has built up an enviable reputation for Safety and Reliability. But will the mass arrival of connected and autonomous vehicles put this hard-won reputation at risk?
In future, the provision of Safety will depend very much on the effective functioning of Cybersecurity, both in-vehicle and at infrastructure scale.
This presentation looks at how the automotive industry is adapting to the brave new world of the Connected Car. It looks at the sources of security vulnerabilities, the current state of the art and the measures the industry is taking to align Safety and Security design processes.
2. This presentation was given to the British Computer Society IRMA SIG in London on September 11th 2017
12/09/2017 CAVs: the road to Safe and Secure mobility? 2
3. Bill Harpley MSc
• 30+ years in the technology sector
• Founder of Astius Technology
• Organiser of the Brighton IoT meetup group (700+ members)
• Initiator of the Brighton node of the global Things Network
• Organiser of the Self-driving Cars & Autonomous Vehicles meetup group
https://uk.linkedin.com/in/billharpley
bill.harpley@astius.co.uk
www.astius.co.uk
4. Welcome to the world of Connected Cars
In this presentation we will talk about:
– The roadmap to a driverless future
– The technologies and architecture
– Why automotive security is hard to achieve
– What can be done about the problem
– A glimpse into what the future may hold
5. The great Connected Car opportunity
6. Quick Audience Poll
Which of these propositions do you agree with?
A. "Driverless cars are a good idea"
B. "I can trust a driverless vehicle"
In June 2017 the Transport Research Laboratory conducted a survey [1] into public attitudes towards driverless vehicles. Before I tell you the results, I would like to get your opinion.
Our own small audience poll showed that:
• About 80% agreed with proposition A
• About 70% agreed with proposition B
1. TRL report "Attitudes to Autonomous Vehicles", https://trl.co.uk/reports/attitudes-autonomous-vehicles
7. TRL report summary of key findings
A. "Driverless cars are a good idea"
• 81% broadly agree
• 1% broadly disagree
• 18% undecided or slightly disagree
B. "I can trust a driverless vehicle"
• 78% broadly agree
• 3% broadly disagree
• 19% undecided or slightly disagree
Source: TRL "Attitudes to Autonomous Vehicles" (pp. 4 and 6)
8. Reasons to be cheerful
Cheerleaders for Connected Cars claim numerous benefits. Here are a few of them.
ECONOMIC BENEFITS: the PwC "Connected Car Report 2016" claims that the Connected Vehicle market is set to be worth £120bn by 2022, creating new jobs and prosperity.
SAFER JOURNEYS: according to the WHO, there were 1.25 million global traffic deaths in 2015. The goal of automated driving is to reduce this figure to zero, which would also reduce the economic cost of accidents.
GREATER PRODUCTIVITY: the average UK worker spends 124 hours stuck in traffic jams each year. Automated driving would reduce stress and enable them to be more productive.
MOBILITY AS A SERVICE (MaaS): ride-sharing and driverless taxis would reduce the incentive for people to own cars, creating social, economic and environmental benefits.
9. But it's a complex picture …
Source: https://www.vbprofiles.com/l/connectedcarstwitter
Note: only two security apps in the whole landscape!
10. The roadmap to a driverless future
11. The SAE J3016 classification standard
Levels 0 to 2, where the driver must continuously supervise, are commonly referred to as ADAS (Advanced Driver-Assistance Systems); from Level 3 upwards the system itself monitors the driving environment while it is engaged.
12. Quick summary of J3016 automation levels
Level | Definition | Summary description
0 | No automation (driver only) | Conventional vehicle: the driver manages all aspects of speed, direction, overtaking, etc. Warning-only systems sit at this level.
1 | Driver assistance | Driver receives support for a single task, either steering or speed (e.g. parking in a narrow space)
2 | Partial automation | System controls both steering and speed in predefined scenarios (e.g. traffic-jam assist) but the driver must supervise continuously
3 | Conditional automation | Driver can relinquish control of the vehicle for specific tasks but must be ready to resume control at short notice when the system requests it (e.g. motorway autopilot)
4 | High automation | System performs all driving tasks within its operational design domain and handles fallback itself; the driver need not be ready to intervene (e.g. urban driving in busy traffic within a defined area)
5 | Full automation | Complete automation of the journey under all conditions
13. Points to note
Twin strategies: the automotive industry is divided into two camps.
A. Take an evolutionary path to full automation (requires driver handover until L4 capability is reached), e.g. Volvo, Tesla
B. Safe and reliable handover is difficult to achieve, so focus on developing L5 capability directly, e.g. Google Car (Waymo)
A period of transition: there is no roadmap for a smooth transition from "manual" to "driverless" motoring.
• Expect vehicles with varying levels of SAE J3016 capability to share the road space for many years to come
• A possible recipe for chaos, crime, accidents and novel security exploits?
14. It's not just about cars
For convenience, we will only talk about cars today. But everything in this slide deck applies equally well to driverless taxis, trucks and buses. Trials of taxis, trucks and buses, with various levels of automation, are being conducted in many countries around the world.
15. Building blocks of Connected & Driverless cars
16. Car hacking has been in the news
Let's take a look at what makes them so vulnerable …
17. Brief overview of Smart Car components
• Sensors monitor the internal and external environment: LIDAR, RADAR, ultrasound, temperature, cameras, acceleration, pressure
• Actuators apply force or switch ON/OFF: electrical, hydraulic
• Data is transferred along communication buses: CAN, LIN, FlexRay, MOST, Ethernet
• Key subsystems which need to be monitored and controlled: Powertrain, Chassis, Body, Infotainment
• Specialised control units: Electronic Control Units (ECUs), 100+ of them in modern cars
• Telematics Control Unit (TCU): connects the vehicle to the outside world
• Diagnostics interface (OBD-II): the onboard diagnostics port gives a vehicle technician access to the status of subsystems via the CAN protocol. Also used by 3rd-party aftermarket devices.
18. High level architecture of a Smart Car
Source: ENISA, âGood practices on the Security and Resilience of smart carsâ, Fig. 3 (p. 15)
19. ECUs (Electronic Control Units)
ECU is a generic term for an embedded system which controls one or more electrical subsystems within a vehicle.
• A modern vehicle may have 100 or more of these units
• Examples of functions which an ECU may provide:
– Parking assist
– Brake-by-wire collision avoidance
– Automatic windscreen wipers
– Cruise control
– Airbag activation
Example: Siemens keyless-entry ECU
20. Controller Area Network (CAN) layout
Example of a CAN bus layout: a single CAN bus connecting the Dashboard, Engine control, Transmission control, Power Door, ABS Brake control, Airbag control, Occupant Detection, Electric Park Brake and Lane Assist ECUs.
If the CAN bus is compromised then the safety of the vehicle and its occupants may be at risk. A classic CAN frame carries an arbitration ID but no sender authentication, so any node that can reach the bus can transmit a frame that other ECUs cannot distinguish from one sent by the brake or airbag controller.
21. TCU (Telematics Control Unit)
Source: http://ficosamwc.com/telematics-control-unit/
The TCU provides the vehicle with a gateway to the outside world. It is designed to enable security, safety and infotainment applications within the vehicle.
Example shown is the Ficosa TCU product:
• Linux OS based
• 3G and 4G connectivity enabled
• Wi-Fi hotspot connection
• eCall enabled
• GNSS onboard (GPS, GLONASS, Galileo)
• Able to detect crashes and trigger airbag deployment via the CAN bus
• Support for up to 6 CAN bus connections and Ethernet
22. OBD-II standard
Onboard diagnostics is a service which allows a technician to gain access to various vehicle subsystems.
[Diagram: ECU A, ECU B and ECU C sit on the CAN bus; the OBD-II port hangs off the same bus; an aftermarket OBD-II device is plugged into the port]
• Huge security concerns around "misuse" of the OBD-II interface, because it provides direct access to the CAN bus: anything plugged into the port shares the bus with the ECUs, and the protocol gives the ECUs no way to tell a workshop tester from an aftermarket dongle
• Potential for safety-critical issues to arise (e.g. driver distraction, steering malfunctions)
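As an added worked example (not part of the original slides, and not code from any vehicle or tool vendor), here is what the diagnostic traffic behind that port looks like on the CAN bus. The decoder parses the SAE J1979 "show current data" request/response pair carried in single ISO-TP frames: a functional request on arbitration ID 0x7DF and the engine ECU's reply on 0x7E8. The frames are constructed for this example; the IDs, the service byte and the PID formulas for RPM, speed and coolant temperature are the published J1979 values, and the 0x55 padding byte is an arbitrary choice. Nothing in the frame identifies who is asking, which is the security point: the same bytes from a garage tool and from a dongle bought online are identical to the ECU.

```python
"""Decode OBD-II (SAE J1979 over ISO-TP single frames) as seen on the CAN bus.

Added example for this deck, not code from the presentation or any vendor.
Assumed/standard values: functional request ID 0x7DF, ECU response IDs
0x7E8-0x7EF, service 0x01 'show current data', positive response = service +
0x40, single-frame PCI byte = payload length. All frames are constructed.
"""
from dataclasses import dataclass

OBD_REQUEST_ID = 0x7DF                   # functional (broadcast) request
OBD_RESPONSE_IDS = range(0x7E8, 0x7F0)   # physical responses, up to 8 ECUs
SHOW_CURRENT_DATA = 0x01                 # service (mode) 01
POSITIVE_RESPONSE_OFFSET = 0x40          # 0x41 answers service 0x01
PAD = b"\x55"                            # arbitrary padding byte

# PID -> (name, unit, decoder over the data bytes A, B, ...) per J1979
PID_DECODERS = {
    0x05: ("coolant_temp", "degC", lambda d: d[0] - 40),
    0x0C: ("engine_rpm", "rpm", lambda d: ((d[0] << 8) | d[1]) / 4),
    0x0D: ("vehicle_speed", "km/h", lambda d: d[0]),
}


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int
    data: bytes          # classic CAN: 0..8 bytes


def build_pid_request(pid: int) -> CanFrame:
    """Single-frame ISO-TP request: PCI=0x02 (two payload bytes), service, PID."""
    payload = bytes([0x02, SHOW_CURRENT_DATA, pid])
    return CanFrame(OBD_REQUEST_ID, payload.ljust(8, PAD))


def decode_pid_response(frame: CanFrame) -> dict:
    """Validate the ISO-TP/J1979 layout and decode the PID value, or raise ValueError."""
    if frame.arbitration_id not in OBD_RESPONSE_IDS:
        raise ValueError(f"0x{frame.arbitration_id:03X} is not an OBD-II response ID")
    pci = frame.data[0]
    if pci >> 4 != 0:                     # high nibble 0 = single frame; others not handled
        raise ValueError("multi-frame ISO-TP response not supported here")
    length = pci & 0x0F
    payload = frame.data[1:1 + length]
    if len(payload) != length or length < 3:
        raise ValueError("truncated payload")
    service, pid, data = payload[0], payload[1], payload[2:]
    if service != SHOW_CURRENT_DATA + POSITIVE_RESPONSE_OFFSET:
        raise ValueError(f"unexpected service byte 0x{service:02X}")
    if pid not in PID_DECODERS:
        raise ValueError(f"unknown PID 0x{pid:02X}")
    name, unit, fn = PID_DECODERS[pid]
    return {"ecu": frame.arbitration_id, "pid": pid, "name": name,
            "value": fn(data), "unit": unit}


def decode_all(frames) -> list:
    return [decode_pid_response(f) for f in frames]


# Constructed replies from the engine ECU (0x7E8) to three PID requests.
SAMPLE_RESPONSES = [
    CanFrame(0x7E8, bytes([0x04, 0x41, 0x0C, 0x1A, 0xF8]) + PAD * 3),  # RPM: 0x1AF8 / 4
    CanFrame(0x7E8, bytes([0x03, 0x41, 0x0D, 0x3C]) + PAD * 4),        # speed: 0x3C km/h
    CanFrame(0x7E8, bytes([0x03, 0x41, 0x05, 0x7B]) + PAD * 4),        # coolant: 0x7B - 40
]

if __name__ == "__main__":
    print("request:", build_pid_request(0x0C))
    for r in decode_all(SAMPLE_RESPONSES):
        print(f"ECU 0x{r['ecu']:03X} {r['name']} = {r['value']} {r['unit']}")
```

Everything the decoder checks is structural (ID range, PCI nibble, length, service byte); there is no field it could check to establish that the requester was authorised, which is why the later slides on authentication between components matter.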
23. From âsmart carsâ to âsmart trafficâ
24. Vehicle-to-Vehicle (V2V)
Vehicles transmit status messages to each other, alongside their own radar for hazard detection, to improve traffic flows and increase safety:
✓ "Traffic jam ahead"
✓ "I have just put the brakes on"
✓ "Ice on the road ahead"
Communication links use the IEEE 802.11p standard. These wireless links must be secured: V2V messages must be securely transmitted and processed, i.e.
✓ Reliable
✓ Encrypted
✓ Authenticated
✓ Privacy-preserving (no tracking)
25. Vehicle-to-Infrastructure (V2I)
Status messages can be transmitted from kerbside infrastructure (roadside units, over IEEE 802.11p wireless links) to warn of delays and hazards or to provide useful advice to travellers, for example:
"Spaces available in Broad Street car park"
"Road works ahead"
"Traffic lights not working at junction ahead"
"Road ahead closed. Turn left at junction"
These wireless links must be secured.
26. Vehicle-to-Person (V2P)
Non-vehicular road users can indicate their presence by sending status messages to oncoming vehicles over IEEE 802.11p wireless links:
• Pedestrians and joggers
• Horses (and other animals)
• Cyclists, scooter riders and other 2-wheeled transport
These wireless links must be secured.
27. Vehicle-to-Everything (V2X | LTE-V)
• LTE-V was developed by 3GPP (the organisation which develops cellular technology standards) and runs over the cellular operator's network
• Not likely to be available until 2018 at the earliest
• Aims to provide all the functions of V2V, V2P and V2I
• Leverages the security of the cellular network
• The UK has relatively poor 4G coverage!
• Would vehicle owners be able to choose which MNO to subscribe to?
• Would government license infrastructure as a concession?
• Would key roads be privatised to facilitate use of V2X?
28. Some applications of V2X
• Urban traffic management: improved traffic flows at junctions and collision avoidance
• Vehicle platooning: vehicles can be closely packed into convoys to improve road space efficiency
• Hazard detection and warning: a vehicle which encounters dangerous road surface conditions can warn other traffic in the area
All of these applications depend on the security of the wireless links and the integrity of onboard systems.
29. Key challenges for automotive security
30. Challenge No. 1: the supply chain
[Diagram: Tier 2 suppliers feed Tier 1 suppliers, who feed the prime manufacturer (the vehicle manufacturer); downstream sit the aftermarket, OBD-II diagnostics and 3rd-party value-added products]
It is a huge challenge to secure all components in a global supply chain.
31. Challenge No. 2: the huge attack surface
EXTERNAL INTERFACES
• Wi-Fi, 3G, 4G, 802.11p (V2X)
• Cloud data storage and services: data theft, identity theft, insecure APIs, denial of service
• Smartphone: Bluetooth, USB, Wi-Fi, 3G, 4G, NFC
• OBD-II port: garage diagnostics, aftermarket dongles
ONBOARD DOMAINS
• Body Control (ECUs, sensors, actuators): door locks, warning lights, windows, seat belts …
• Powertrain Control (ECUs, sensors, actuators): engine, gearbox, transmission …
• Chassis Control (ECUs, sensors, actuators): steering, braking, airbag, ADAS systems, wipers …
• Infotainment (ECUs, sensors): multimedia, satnav, phone, internal networks (Bluetooth, NFC, Wi-Fi), USB
• Communications Control (TCU): telematics gateway connectivity and services (e.g. V2X, eCall, GNSS)
32. Challenge No. 3: the complexity of code
Example: the Ford F-150 "smart" pickup truck runs around 150 million lines of software code spread across multiple Electronic Control Units (ECUs). That means numerous potential points of attack. Complexity is the enemy of security!
33. Challenge No. 4: a tale of two cultures
The "Infomotive" industry is the overlap between the Information industry and the Automotive industry.
AUTOMOTIVE CULTURE
• Key values of Safety and Reliability
• Long product development cycles
• Long product lifetimes
• Strong focus on "hardware"
INFORMATION CULTURE
• Values of UX and Security
• Rapid product development cycles
• Short product lifetimes
• Strong focus on "software"
It will take many years to create a unified culture, with Security at its heart.
34. Challenge No. 5: Inadequate practices
Here's a sample of the poor practices which security researchers have discovered within the automotive industry and its suppliers *
• Lack of "Security by Design" and "Privacy by Design"
• Weak or non-existent authentication and authorisation between components
• Weak password policies and use of defaults (e.g. default passwords, open ports, telnet)
• Lack of shared technical standards leads some suppliers to use "glue code"
• No clear standard for product liability makes resolution of security problems difficult
• Automotive vendors are slow to release security patches
• Actors within the smart car ecosystem have different approaches to security
• Design and development processes fail to integrate safety and security
* To be fair, the industry is trying to fix these problems. See for example the Auto-ISAC "Cybersecurity Best Practices FAQ".
35. Challenge No. 6: Safety v. Security
Adding more security features sounds like a good idea. But it does present some technical challenges to designers. Here are two examples.
EXAMPLE 1
• A safety engineer wishes to set a microcontroller to debug mode in order to examine the contents of RAM
• The security engineer wishes to disable debug mode in order to prevent the contents of RAM being discovered
EXAMPLE 2
• A security engineer wishes to add firewalls and authentication to a safety-critical component in order to improve security
• The safety engineer objects that this may add unwanted latency to response times and jeopardise functional safety
Functional Safety versus Security & Privacy: conflicts of this type can only be resolved through dialogue and designing better processes.
36. The current âstate of the artâ
37. Functional safety: ISO 26262
The automotive industry has very mature standards for ensuring the functional safety of products. In the next few slides we will examine the principal ones which you need to be aware of.
• ISO 26262 "Road vehicles – Functional safety" is an international standard for the functional safety of electrical and electronic systems in vehicles
• Describes a detailed process by which a product can be judged to be in compliance with the standard
• It aims to address possible hazards caused by the malfunctioning behaviour of electronic and electrical systems. However, it is not directly concerned with matters of security: a malicious input that drives a system into a hazardous state is outside its scope.
38. MISRA C
MISRA C is a set of software development guidelines for the C programming language (a companion set, MISRA C++, covers C++)
• First released in 1998, it is developed and maintained by MISRA (Motor Industry Software Reliability Association)
• Its aims are to facilitate code safety, security, portability and reliability in the context of embedded systems
• C and C++ are widely used for developing embedded applications but have well-known deficiencies (e.g. unchecked array bounds leading to buffer overflows) which can cause security problems
39. AUTOSAR: a common software platform
AUTOSAR (AUTomotive Open System ARchitecture)
• Defines a methodology and a software architecture for automotive ECUs (Electronic Control Units)
• From release 4.2 the specifications have been expanded to address the evolving security landscape for connected vehicles:
– Memory protection
– Cryptographic services
– Authenticated onboard communication (Secure Onboard Communication, SecOC: a truncated MAC plus a freshness value appended to protected messages), alongside the existing end-to-end (E2E) protection of safety-relevant data
• Use of a common software platform may help to improve security in the long run
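The point about authentication is easiest to see in code. The added example below (written for this page, not AUTOSAR reference code or anything from the presentation) models the CAN weakness from slide 20 and the "weak or non-existent authentication between components" finding from slide 34, then applies a SecOC-style fix: the sender appends a truncated freshness counter and a truncated MAC to each payload, and the receiver rejects frames whose MAC does not verify or whose counter does not advance. Assumptions: HMAC-SHA256 stands in for the AES-CMAC that SecOC profiles normally specify; the 4 data | 1 freshness | 3 MAC split of the 8-byte frame, the arbitration ID 0x2A0 and the shared key are illustrative; every frame is constructed.

```python
"""Spoofing a bare CAN frame versus accepting only SecOC-style authenticated frames.

Added example for this deck, not AUTOSAR reference code. Assumptions (not from
the slides): HMAC-SHA256 stands in for the AES-CMAC used by real SecOC profiles;
the 8-byte frame is split 4 data | 1 freshness | 3 MAC; key and arbitration ID
are illustrative; every frame below is constructed for the demo.
"""
import hashlib
import hmac

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # illustrative shared key
BRAKE_ID = 0x2A0                          # illustrative arbitration ID for a brake PDU
DATA_LEN, FRESH_LEN, MAC_LEN = 4, 1, 3    # 4 + 1 + 3 = 8-byte classic CAN payload
FRESH_WINDOW = 16                         # tolerated lost frames before resync is needed


def truncated_mac(key: bytes, arb_id: int, counter: int, data: bytes) -> bytes:
    """MAC over the ID, the FULL freshness counter and the data, truncated to 24 bits.
    Binding the ID stops a valid frame being replayed under a different ID."""
    msg = arb_id.to_bytes(2, "big") + counter.to_bytes(8, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class SecOCSender:
    def __init__(self, key: bytes, arb_id: int):
        self.key, self.arb_id, self.counter = key, arb_id, 0

    def send(self, data: bytes):
        """Return (arbitration_id, 8-byte payload) with counter LSB and MAC appended."""
        assert len(data) == DATA_LEN
        self.counter += 1                       # monotonically increasing freshness value
        fresh = bytes([self.counter & 0xFF])    # only the low byte travels on the bus
        return self.arb_id, data + fresh + truncated_mac(self.key, self.arb_id, self.counter, data)


class PlainReceiver:
    """Conventional ECU: the arbitration ID is the only notion of 'who sent this'."""
    def accept(self, arb_id: int, payload: bytes) -> bool:
        return arb_id == BRAKE_ID and len(payload) == 8


class SecOCReceiver:
    def __init__(self, key: bytes, arb_id: int):
        self.key, self.arb_id, self.last_counter = key, arb_id, 0

    def accept(self, arb_id: int, payload: bytes) -> bool:
        if arb_id != self.arb_id or len(payload) != 8:
            return False
        data = payload[:DATA_LEN]
        fresh_lsb = payload[DATA_LEN]
        rx_mac = payload[DATA_LEN + FRESH_LEN:]
        # Rebuild the full counter from its low byte: it must lie just above the
        # last accepted value. A counter that does not advance is a replay.
        candidate = (self.last_counter & ~0xFF) | fresh_lsb
        if candidate <= self.last_counter:
            candidate += 0x100                  # low byte wrapped around
        if candidate - self.last_counter > FRESH_WINDOW:
            return False                        # replay, or too far ahead to trust
        if not hmac.compare_digest(rx_mac, truncated_mac(self.key, arb_id, candidate, data)):
            return False                        # forged or tampered frame
        self.last_counter = candidate           # commit freshness only after a good MAC
        return True


def demo() -> dict:
    """Exercise both receivers; every value is True when behaviour is as described."""
    brake_ecu = SecOCSender(KEY, BRAKE_ID)
    plain, secure = PlainReceiver(), SecOCReceiver(KEY, BRAKE_ID)

    genuine = brake_ecu.send(bytes([0x01, 0x00, 0x64, 0x00]))       # "apply brakes, 100%"
    # Attacker on the OBD-II port: same ID, plausible counter byte, made-up MAC.
    spoofed = (BRAKE_ID, bytes([0x01, 0x00, 0x64, 0x00, 0x02, 0xDE, 0xAD, 0xBE]))
    genuine2 = brake_ecu.send(bytes([0x00, 0x00, 0x00, 0x00]))       # "release brakes"
    tampered = (BRAKE_ID, bytes([0x01]) + genuine2[1][1:])           # flip one data byte

    return {
        "plain_accepts_genuine": plain.accept(*genuine),
        "plain_accepts_spoofed": plain.accept(*spoofed),          # the CAN weakness
        "secoc_accepts_genuine": secure.accept(*genuine),
        "secoc_rejects_spoofed": not secure.accept(*spoofed),
        "secoc_rejects_replay": not secure.accept(*genuine),      # same counter again
        "secoc_rejects_tampered": not secure.accept(*tampered),
        "secoc_accepts_next": secure.accept(*genuine2),           # counter moves on
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:24s} {ok}")
```

The receiver only updates its freshness state after the MAC verifies, so a flood of forged frames cannot push the counter forward and lock out the real sender; the cost is that after more than FRESH_WINDOW lost frames the two sides need an out-of-band resynchronisation, which is exactly the kind of safety/security trade-off slide 35 describes.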
40. Euro NCAP
The European New Car Assessment Programme (Euro NCAP) provides consumers with safety information about new vehicles. Published ratings do not yet include cybersecurity as part of the criteria!
41. ISO 15408: Common Criteria for security
ISO/IEC 15408 (Common Criteria) is an internationally accepted standard for computer security certification.
• It permits a product to be certified to a specific Evaluation Assurance Level (EAL)
• Levels are defined from EAL1 to EAL7, each with increasingly stringent assurance requirements
• Evaluations are conducted by accredited laboratories
• Examples: many common operating systems have been certified to EAL4 (e.g. Red Hat Enterprise Linux 5 Server)
42. SAE J3061
SAE J3061 "Cybersecurity Guidebook for Cyber-Physical Vehicle Systems", published January 2016
• Defines a complete lifecycle process framework from the concept phase through production, operation, service and decommissioning
• Provides information on some common existing tools and methods used when designing, verifying and validating cyber-physical vehicle systems
• Documents basic guiding principles on cybersecurity for vehicle systems
• Lays the foundation for further standards development activities in vehicle cybersecurity
43. IEEE 1609 Connected Vehicle Security
• IEEE 1609 defines a family of standards for Wireless Access in Vehicular Environments (WAVE)
– Employs IEEE 802.11p (an amendment to the familiar 802.11 "Wi-Fi" standards) at the radio layer
– Supports V2X data exchange between high-speed vehicles and between vehicles and roadside infrastructure
– IEEE 1609.2 specifies the security services: messages are signed with certificates issued by a vehicular PKI so that receivers can authenticate them. Broadcast safety messages are signed rather than encrypted, because every nearby vehicle must be able to read them, and short-lived pseudonym certificates are used to limit tracking.
44. Current regulations
Regulation will play an important role in the evolution of the "Infomotive" sector.
General Data Protection Regulation (GDPR)
• Strengthens individual privacy rights
• Applies in the UK from May 2018
• Privacy issues are a hot topic for Connected Cars!
Network and Information Security (NIS) Directive
• Set of EU-wide rules and regulations regarding cybersecurity
• Puts special responsibilities on owners and operators of "critical infrastructure"
45. UK Government guidance
In August 2017 the UK Government issued "Principles of cyber security for connected and automated vehicles":
1. Organisational security is owned, governed and promoted at board level
2. Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
3. Organisations need product aftercare and incident response to ensure systems are secure over their lifetime
4. All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system
5. Systems are designed using a defence-in-depth approach
6. The security of all software is managed throughout its lifetime
7. The storage and transmission of data is secure and can be controlled
8. The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail
There is nothing new in any of these principles!
46. The highway to the future
47. ISO 21434: Road vehicles cybersecurity
• ISO/SAE 21434 "Road Vehicles -- Cybersecurity engineering"
• Eagerly awaited standard which is currently in development (expected ~2018)
48. A unified development process
A crucial milestone will be the development and adoption of a standard industry process which integrates each stage of Functional Safety and Security design. It might well look something like this …
Stage | FUNCTIONAL SAFETY | SECURITY DESIGN
1 | Hazard Analysis & Risk Assessment | Threat Analysis & Risk Assessment
2 | Definition of Safety Requirements | Definition of Security Model & Requirements
3 | System Design | Defence-in-depth System Design
4 | System Verification and Validation | Security Verification and Validation
The two tracks are synchronised at each of the four stages (marked SYNCHRONISATION in the diagram).
49. Collaborate and share
There is a growing spirit of openness and collaboration between automotive and non-automotive actors:
• Regular conferences
• Industry consortia
• Sharing of expertise
• "Bug bounty" programmes
• "White Hat" hackathons
Example: CaRSEC Expert Group
50. A role for blockchain
Many organisations are currently exploring how blockchain can be used to improve security within the automotive sector. Examples:
• Track and verify automotive parts across the supply chain (including spare parts and warranty repairs)
• Log vehicle performance data on a blockchain to prevent fraud
• Enable pooling of data from vehicle owners, fleet managers and manufacturers to shorten the time achieving safety and security of autonomous
52. What have we learned today?
1. We are heading for a driverless future but public acceptance is key
2. There are myriad ways cars can be compromised due to their large attack surface
3. The automotive sector has developed an exemplary Safety culture
4. New actors in the automotive space demand the creation of a Security culture
5. Existing processes and technical standards are inadequate but many new initiatives
6. We are witnessing the birth of the "Infomotive" industry but cybersecurity lags behind
53. Audience poll (revisited)
Which of these propositions do you agree with?
A. "Driverless cars are a good idea"
B. "I can trust a driverless vehicle"
Our audience at this meeting broadly stuck to the views which they expressed in Slide 6. However, there was a lively debate afterwards!
54. Automotive cybersecurity meetup
Fancy starting an Automotive Cybersecurity meetup group? London or Thames Valley.
Come and see me during the break or ping me a mail at bill.harpley@astius.co.uk