The road to autonomous vehicles depends upon components that are secured against hacking and other outside interference. The cybersecurity precautions necessary for self-driving cars must be embedded in chips and systems from the beginning of the supply chain.
Automotive manufacturers and their Tier 1 suppliers are counting on their electronics vendors to provide products that can withstand the known exploits of cyberattacks. Those elements of the connected car also must have the capability to receive over-the-air software updates to defend against the latest in bots and malware.
But cybersecurity in 2018 has become a cat-and-mouse game between cybercriminals and security professionals, who wage battle with cyberattacks on a daily basis.
“The car that is coming essentially will be its own network that’s exposed to the rest of the world,” says Robert Bates, chief safety officer for automotive at Mentor, a Siemens Business. “It’s going to have the same sets of problems as essentially any system has that has to deal with personal information. It will be a lucrative target for both cybercriminals and people with more nefarious motives. The motives might be anything from just stealing personal information so it can re-used elsewhere, to taking any kind of payment or other information that’s going to end up being stored in the car’s systems itself. If I am the CEO of General Motors, five years from now the last thing I want to see is an email in my inbox in the morning that says ‘Pay me $2 billion or else all of your cars are going to turn left.’ Those are all legitimate concerns when we start talking about the importance of cybersecurity in automobiles.”
Five years ago, security in automobiles meant locking the vehicle’s doors and turning on the car alarm, and the biggest risk was having a car stolen for parts. Much has changed since then, and carmakers and their suppliers have come a long way toward adding security. But security will never be complete. Hackers become more sophisticated, new vulnerabilities are exposed, and new technology adds new attack surfaces. While all of those still need to be secured, this isn’t a problem that can be solved by just adding more technology.
“They’re going to have to look at security the same way the Army looks at security,” Bates says. “The key tenet is simplification, cutting down the threat surfaces as much as possible to limit the number of things that can be attacked. If you look at that famous picture of the Jeep that got pulled off to the side of the road, the reason that that happened was they were able to exploit the system by getting in through a tire sensor that was accessible through Wi-Fi, which then attaches into the CAN network. The CAN network was never been meant to be protected. The hackers were able to access large parts of the car. Now, that was a very simple topological model, compared with where we’re going in the next five years.”
The 2015 Jeep Cherokee hack is a commonly used marker when discussing security in the automotive segment. But as the electronics used in vehicles evolve, with systems in those vehicles connected to each other and to other systems outside the vehicle, there is a growing recognition that security needs to be considered much earlier in the design cycle and that it needs to be much more pervasive. So rather than securing a single piece of software, the entire software stack needs to be protected. Instead of just adding in a cryptographic block of IP, the flow of data inside and outside of the vehicle needs to be monitored. And rather than focusing securing the security of a single ECU, security now has to include all ECUs and all security within them.
“It’s about how you secure a chip from every direction,” says Dave DeMaria, corporate vice president of marketing at Synopsys. “There is a big architectural debate right now with autonomous driving about how much should be self-contained versus connected. Theoretically, the more that’s in your control as an OEM the better. But it’s probably not going to be one or the other. It’s going to be both.”
That creates a whole set of issues in its own right, but it still only part of the problem. Failures in any system can create vulnerabilities for hackers, because safety and security are so closely intertwined in autonomous vehicles. While reliability and safety always have been top concerns for carmakers, chips built at older, well-established process nodes are generally simpler and therefore easier to safeguard. “Now they’re starting to incorporate chips from advanced nodes, and those were not built for reliability,” says DeMaria. “They were built for performance. The biggest thing you need to worry about in automotive is reliability, particularly as hackers become more sophisticated.”
While all of these measures are essential, carmakers and chip companies are beginning to rethink how to approach the overall security problem. One tactic is to limit the number of entry points into a system. Multiple entry points into a system make it much harder to safeguard. In contrast, a single entry point is much easier to secure.
“That one entry into the automotive network will then be responsible for authenticating and verifying all of the things that are on the network, because at the end of the day the network itself is exceedingly hard to protect,” says Mentor’s Bates. “When you look at communication with the outside world, the number of entry points has to be small. It has to be built much like how we try to build secure systems today, but we also have to recognize that it’s not perfect. And because it’s not perfect, we have account for the possibility of having to update it.”
Cars aren’t necessarily more vulnerable than other systems. But as with any safety-critical system, the damage that can be done by an external hack is enormous.
“Pretty much every kind of electronic device that we’re building that’s connected to a network these days needs some level of security on it,” says Bernard Deadman, an automotive solutions architect at Cadence. “What we’re doing for customers is putting in things like secure boot. You’ve got to start with code that you know where it came from. It requires deep trust. The ADAS sensor is going to be communicating with the ECU in the vehicle. Then, typically, one of the problems we’ve seen in the past is the security of the message transmission. Most people are going toward some kind of encrypted message transmission. You’ve got to stop people from stealing the keys.”
This isn’t that much different than the kind of threats that financial institutions and data centers deal with every day. The central logic in autonomous vehicles will be a high-performance server, which will be required for pattern recognition and ensuring that cars can execute decisions quickly enough to avoid accidents. That provides enough power to be able to actively tackle these problems inside the vehicle, rather than relying on passive security or even cloud-based monitoring.
“We think of vehicles as being mobile, but it’s kind of a misnomer in terms of electronics because we don’t have the kind of power limitations that we see in wearables or in cellphones,” Deadman says. “While the parts are mobile, the reality is they’re not short of power. And they’ve got a huge amount of computation to do.”
And as with other servers and computationally intensive systems, there is plenty of information about what kinds of vulnerabilities exist and why. In fact, there are industry conferences devoted to addressing these issues, and platforms being introduced to help reduce the threats.
“There are several security elements that need to be considered,” says Robert Day, Arm’s director of automotive solutions and platforms. “These include trusted boot sequence, trusted firmware, root key generated securely, secure storage, hardware/software identification, data attestation, data and process separation and least privilege, and secure device provisioning and firmware updates. Last year, we also introduced Platform Security Architecture (PSA), the first common industry framework for building secure connected devices. PSA aims to provide a holistic set of security guidelines for security across all applications, including automotive, to enable everyone in the value chain—from chip manufacturers to device developers—to implement security successfully.”
One of the strategies Arm uses is to separate operating systems and applications, as well as the devices they connect to. That can isolate and control the flow of data between external communications, which is where the threats often originate, and the critical car functions. That helps prevent attacks from reaching their intended targets.
“As technology continues to advance, so does the overall ecosystem supporting this evolution,” Day says. “The automotive industry is not unlike other technologically advanced verticals in this capacity. There are five recognized levels incrementing to full autonomy, with ‘0’ being traditional legacy vehicle operation and ‘5’ being the fully autonomous vehicle. As full autonomy is the target, we can expect that momentum toward level 5 autonomy will persist, culminating in a fully self-driving vehicle experience. The embedded and cloud-driven capabilities of secure connectivity, machine learning and artificial intelligence are essential to achieving the ambitious goal of fully autonomous vehicles being mass produced.”
It’s questionable whether any system will ever be 100% secure—particularly in the context of its projected lifespan, which in the case of cars may be 10 to 15 years. But much can be done to reduce or isolate the impact of attacks throughout its lifetime.
“All of the components in a vehicle must be designed with mitigation strategies derived from threat models and security analysis conducted for their given use cases,” says Day. “Connected vehicle subsystems require communication over secure and insecure links. Cryptography and secret keys are required to remedy this. “
In automotive, the implications of security are much broader than a single vehicle. Cars share the road with other cars, and many of these will include different levels of security and autonomy.
“For cyber-physical systems and, in particular, for autonomous vehicles that could soon be omnipresent in the streets of our cities and on our motorways, any security vulnerability constitutes a serious safety concern to all road users,” says Sergio Marchese, technical marketing manager at OneSpin Solutions. “Cybersecurity is, in some respects, more challenging than safety. Hardware is at the bottom of the stack and software relies on hardware to ensure isolation between processes with different levels of security clearance. Vulnerabilities may be exploited through software and physical attacks. Their origin may be in specification or implementation bugs, additional unintended functionality, or internal or external malicious actors operating during development or production.”
Marchese believes the forthcoming publication of an international standard governing cybersecurity for automotive electrical and electronic (E/E) systems will be a crucial step in the right direction.
“It will be a turning point for the development and widespread adoption of security-specific methodologies, tools, and practices,” he says. “An ISO/SAE joint working group is expected to publish a first version of this standard (ISO/SAE AWI 21434) in 2020. To properly incorporate cybersecurity into automotive hardware, all stages of the development lifecycle must be adapted. Similarly to safety, security must become an integral part of a company’s engineering and management culture. Moreover, innovative, security-specific EDA technology and methodology must be developed.”
That will require much more extensive verification to ensure that it behaves correctly in targeted use cases.
“Marking a scenario as useless supports the argument that there is no need to waste time in further analysis of the issues, or in implementing design changes,” he notes. “Unfortunately, when it comes to cybersecurity, misuse cases are important. The researchers behind Meltdown and Spectre vulnerabilities have shown us what can be achieved when stressing the hardware with well-architected software. The range of attackers varies from smart teenagers to state-sponsored organizations specialized in identifying vulnerabilities to devise and exploit misuse cases. Formal technology helps by drawing a precise line between possible and impossible hardware behaviors. Engineers accustomed to this technology are naturally inclined, if not forced, to pay equal attention to all possible behaviors, regardless of whether they are expected, rare, or utterly bizarre.”
Security concerns continue to grow in the automotive world, just as they do in other markets where the value of data is increasing. The automotive industry is taking these concerns very seriously, however, and the impact is being felt across the supply chain.
Still, some attacks take years to materialize, and it’s likely that not all of them will be stopped. As with any hacks, the most successful ones are the ones that go undetected. For now, the best path forward appears to be designing and fabricating automotive chips, subsystems, and systems with cybersecurity in mind. But no matter how good the technology, it’s unlikely this battle will ever be completely over. Diligence, constant monitoring and honing of architectures will be required, as well as fast response times when vulnerabilities are exposed.
Jeff Dorsch is a technology editor at Semiconductor Engineering.