IoTs, Wireless Data, OTA updates – Ensuring the Security of the Connected Car
The automotive industry is becoming increasingly reliant on computing, connectivity, and software to provide functionality and differentiators. This growth has brought cybersecurity to the fore of vehicle design. The key automotive trends that will transform how cybersecurity is applied include:
- Vehicle autonomy, which will see the introduction of domain controllers to control advanced ADAS functions and eventually of domain architectures. In addition, robotaxis, where no driver is present in the vehicle and the vehicle is entirely controlled by software, will simultaneously increase both the probability of cyberattacks and the potential impact of any such attack.
- Vehicle Over-The-Air (OTA) updates will see the secure internal vehicle infrastructure opened up to the outside world. Although vehicle OTA will provide a means to patch faulty software or potential vulnerabilities, the OTA process will need to be provided in a secure manner. With different types of ECUs in a vehicle and challenging CAN constraints, among other issues, vehicle OTA will require new frameworks and hardware security so that it can be implemented in a safe and secure manner.
- The increasing number of devices and applications being connected to the infotainment unit, combined with the incorporation of new connectivity methods such as V2X, will mean that new security measures will be needed to validate connections and to prevent third-party applications and devices from accessing the core secure vehicle network.
The current approach towards automotive cybersecurity is to prevent access into the vehicle via key remote access points: the infotainment unit, the telematics unit, and the OBD-II port. Current cybersecurity measures used in-vehicle, namely hardware-based firewalls, application sandboxing, and Secure Hardware Extension (SHE)-specified processors, will not be enough to secure future vehicles. In particular, they do not provide enough consideration for the protection of data that will circulate internally, as well as to and from the vehicle. This is where communication security becomes important.
In many ways, it is the infotainment head unit that has become central to the vehicle experience, and where data plays a crucial role. Over the coming years, more and more valuable data will be present on the vehicle as well as being uploaded to the cloud for additional services. This data will be broad and varied, including real-time location, personal information, and other contextual data related to infotainment experiences. Above all, this data will be valuable and lucrative for OEMs, application developers and service providers.
Cybersecurity as such will need to safeguard not only personally identifiable information, but also data related to physical processes that may be monitored or actioned remotely. As such, security measures will need to be applied to data at rest (whether in the vehicle or in the backend), but also to data in motion and especially at the connection level.
The threat actors that may target connected cars are not just of the cybercriminal persuasion. Vehicles are increasingly being connected to third-party devices and applications. This includes connection to third-party devices such as handsets and OBD-II dongles as well as third-party cloud services to share data between device/service and the vehicle via the head unit. It is those third parties that also carry a responsibility for safety and security with regards to the data communicated to and from the vehicle. Certainly, there is the further risk of unscrupulous third-party providers that are simply focused on monetization to the detriment of data protection.
This poses an issue in terms of privacy protections for individuals, but can be a functional safety hazard when considering communications between vehicles, road-side units and other connected infrastructure (V2X).
V2X is set to allow vehicles to communicate with other vehicles as well as the surrounding infrastructure. Possible V2X applications are numerous and include, among others:
- Autonomous Vehicle Applications: Utilizing V2X as a key sensor for detecting other vehicles and stationary objects that are at a distance or in a position (e.g., around a corner) where the vehicle's own sensor suite cannot detect them.
- Smart City Applications: Utilizing V2V and V2I to optimize traffic flow, reduce congestion, and optimize parking and charging infrastructure.
- Other Applications: Relaying important information such as road conditions and nearby accidents to drivers and relevant parties such as emergency services.
The potential impact of interference with V2X communications could be significant. As such, automotive stakeholders need to ensure security mechanisms are in place to minimize risks. These can include increased security in the head unit, which is the focal point for all third-party devices and applications connecting to the vehicle.
OTA capabilities render the head unit even more exposed, so monitoring it throughout the device’s lifecycle is critical. OEMs should consider the possibility of separating third-party applications and devices from the core vehicle network.
In addition, new V2X communication domains will need to be secured. The V2X domain will be responsible for connections to other vehicles and infrastructure. Sharing information in the most secure manner between numerous vehicles and infrastructure will require the use of cryptographic keys, and therefore integrated hardware security modules.
Beyond that, there is no doubt that OTA updates will enable OEMs to create and swiftly deploy security patches. OTA is not in itself a protective measure, however, but an impact-mitigation technique. As a security tool, OTA updates can serve not only to patch vulnerabilities, but also to update intrusion detection and prevention systems.
Although OTA provides a method of mitigating the impact of a potential cyberattack, it simultaneously opens up the deeper vehicle network (i.e., the secondary ECUs) to the outside environment.
Providing suitable security is perhaps the current biggest barrier to widespread adoption of OTA processes. From a cybersecurity point of view, the biggest challenge is that each ECU is different. Although almost every ECU in a vehicle is capable of being updated, the security and the length of time required to update an ECU vary greatly. ECUs have different CPU bandwidth, storage capacities, memory types and sizes, and cryptographic key storage capabilities, meaning that one update method may not be applicable to every ECU.
Ideally, each secondary ECU would be capable of secure key storage, but in reality this will not be the case. Most keys will likely be stored in SHE implementations or even in the software itself, due to the cost of having to provide secure hardware to more than 100 ECUs in the vehicle. Secure software OTA frameworks specifically designed for the automotive industry, such as the Uptane framework, will instead be used to provide the security required. Such a framework does not require secure hardware key storage on the secondary ECUs but can still provide a high level of security. Initially based on the secure framework TUF (The Update Framework, originally introduced in 2010), Uptane is an open-source software update system designed to provide secure software updates for ground vehicles. It is considered the de facto standard for secure software updates in automotive. The Uptane Alliance was formally instituted to standardize the design. As a result, the Uptane Standard for Design and Implementation Volume 1.0 was released by the IEEE/ISTO Federation in July 2019 (IEEE-ISTO 6100.1.0.0). Currently, the Alliance has teamed up with the Linux Foundation Joint Development Foundation to continue running the project.
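As an added example (not code from the article or from the Uptane project), the following Go routine sketches the partial verification that Uptane allows on a resource-constrained secondary ECU without hardware key storage: the ECU keeps only a pinned Director public key, checks one signature over the Targets metadata forwarded by the primary, rejects expired or non-increasing versions, and then checks the delivered image's length and hash. The JSON layout, field names and single-key threshold are simplifications assumed here; real Uptane metadata uses canonical JSON, role key thresholds and further checks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

type Target struct { // one entry of Director Targets metadata (simplified from Uptane)
	Length int    `json:"length"`
	Sha256 string `json:"sha256"`
	ECU    string `json:"ecu_serial"` // the secondary ECU this image is assigned to
}

type SignedTargets struct { // the signed portion the primary forwards to the secondary
	Version int               `json:"version"`
	Expires int64             `json:"expires"` // unix seconds
	Targets map[string]Target `json:"targets"`
}

// VerifyTargets is Uptane-style partial verification on a secondary ECU: one signature
// check against a pinned Director key, expiry and rollback checks, then image hash/length.
func VerifyTargets(signed, sig []byte, pub ed25519.PublicKey, now int64, lastVersion int, serial string, image []byte) (string, error) {
	if !ed25519.Verify(pub, signed, sig) {
		return "", errors.New("signature check failed: metadata not from the Director")
	}
	var st SignedTargets
	if err := json.Unmarshal(signed, &st); err != nil {
		return "", err
	}
	if now >= st.Expires {
		return "", errors.New("metadata expired (possible freeze attack)")
	}
	if st.Version <= lastVersion {
		return "", errors.New("version not newer than installed (possible rollback attack)")
	}
	sum := sha256.Sum256(image)
	for name, t := range st.Targets {
		if t.ECU != serial {
			continue // image assigned to a different ECU
		}
		if len(image) != t.Length || hex.EncodeToString(sum[:]) != t.Sha256 {
			return "", errors.New("image does not match signed metadata")
		}
		return name, nil
	}
	return "", errors.New("no image assigned to this ECU")
}
```

Full verification on the primary additionally cross-checks the Image repository's metadata; this block covers only the secondary's side of the exchange.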
It is through these sorts of frameworks that standards and best practices can be developed to provide harmonized approaches to securing processes like OTA updates, but also to protect the data being communicated. Industry advances and cooperation in this space are dynamic. These include (but are not limited to):
- The UNECE Recommendation on Software Update Processes is an initiative of the UNECE set on providing a secure and standardized manner for OTA updates to take place, while still keeping involved parties certified for that exact process. The recommendation was approved and published in June 2020.
- ISO/SAE DIS 21434 Road vehicles — Cybersecurity engineering is a standard that defines a cybersecurity management and risk-oriented approach to robustly define cybersecurity requirements for E/E systems, hardware and software components, and a life cycle management procedure, including cybersecurity monitoring and the handling of vulnerabilities after the vehicle has been deployed. The standard includes a section on updates and provides information on how to define the basic cybersecurity requirements and attributes of updates, as well as how to securely apply them.
- SAE J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems is a best practice by U.S.-based SAE International, a global standards development organization and professional association of engineers and technical experts in the aerospace, automotive, and commercial-vehicle industries. The guidebook was developed by the SAE’s Vehicle Cybersecurity Systems Engineering Committee, which is responsible for developing and maintaining recommended practices and information reports in the area of vehicle electrical systems’ security. J3061 specifically provides the guiding principles for implementing a complete cybersecurity process for incident response and end of life (among others). This includes maintaining cybersecurity across the operational and servicing phases, such as repair and normal maintenance activities (i.e., connecting to the on-board diagnostics port, telematics system updates, vehicle/cloud computing interfaces, etc.).
- The Auto-ISAC stems from Presidential Decision Directive 63 (PDD-63) in 1998 on the creation of public-private sector partnerships for the protection of the U.S. critical infrastructure. In 2016, Auto-ISAC published a series of best practices (seven in total, plus an executive summary), which included incident response; collaboration and engagement with appropriate third parties; threat detection, monitoring, and analysis; and security development life cycle.
Other relevant standards and guides that deal with data security include NHTSA Cybersecurity Best Practices for Modern Vehicles, IPA Approaches for Vehicle Information Security, PAS 1885:2018 The fundamental principles of automotive cyber security, and ENISA Cyber Security and Resilience of Smart Cars.
Critically, the future of the connected vehicle relies very much on the ability to provide security throughout the vehicle’s lifecycle. This means that OTA will play a key role going forward in providing such security. And it is important to remember that the OTA functionality must itself be protected. Data and communication integrity can only be realized through effective end-to-end secure processes.
Michela Menting delivers analyses and forecasts focusing on digital security. Through this service, she studies the latest solutions in cybersecurity technologies, blockchain, IoT and critical infrastructure protection, risk management and strategies, and opportunities for growth. She then delivers end-to-end security research, from the silicon to cyber-based applications, closely analyzing technology trends and industry-specific implementations.
Published in Telematics Wire