Functional Safety and Cybersecurity – Experiences and Trends

Dr. Christof Ebert, Vector Consulting Services, @VectorVCS
Vector Security/Functional Safety Symposium, Detroit, 17 Oct. 2018
V1.1 | 2018-10-17



Vector Group (Welcome)

- Employees: > 2,000 Vectorians in 24 locations
- Portfolio: PLM/ALM, Embedded SW, Testing, Diagnostics, Calibration, Consulting
- Turnover: 520 Mio. € in 2017
- Associations: participation in ISO standards etc.
- Customers: > 7,500 companies in 72 countries
- Affiliated companies: GiN | CSM | BASELABS


Current Challenges – Vector Client Survey 2018 (Welcome)

[Chart: short-term challenges (horizontal axis, 0% to 70%) plotted against mid-term challenges (vertical axis, 0% to 80%) for the categories Innovation, Competences, Efficiency, Flexibility, Distributed teams, Connectivity, Safety and security, Complexity, Digital transformation, Compliance and Others; the "Magic Triangle" cluster is highlighted.]

Vector Client Survey 2018. Details: www.vector.com/trends. Horizontal axis shows short-term challenges; vertical axis shows mid-term challenges. Sum > 200% due to 5 answers per question. Strong validity with >4% response rate of 2000 recipients from different industries worldwide.

The magic triangle is back: Cost and Efficiency – Quality – Innovation


Agenda

1. Welcome
2. Safety needs Security
3. Risk-Oriented Development
4. Practical Guidance and Vector Experiences
5. Conclusions and Outlook


Automotive Trends Impact Safety and Security (Safety needs Security)

1. Powertrain: energy efficiency
2. Driver Assistance: autonomous driving
3. Connectivity: always connected

Resulting hazards:
- Unintended speed change
- Signal confusion
- Sudden driver distraction


ACES (Autonomy, Connectivity, e-Mobility, Services) (Safety needs Security)

[Diagram: the vehicle is connected via 4/5G, OBD and DSRC to Suppliers, the OEM, Public Clouds, a Service Provider and an ITS Operator.]

Automotive cybersecurity will be the major liability risk in the future. The average security gap is detected in 70% of cases by a third party – and soon exploited.

Cyberattacks become hazards:
- Password attacks
- Application vulnerabilities
- Rogue clients, malware
- Man-in-the-middle attacks
- Eavesdropping, data leakage
- Command injection, data corruption, back doors
- Physical attacks, sensor confusion
- Trojans, ransomware


Standards Demand Risk-Oriented Approach (Risk-Oriented Development)

Functional Safety (IEC 61508, ISO 26262, ISO 21448):
- Hazards and risk mitigation
- Increasing focus on SOTIF and compliance
- Safety engineering and culture
- ISO 26262 ed.2 refers to shared methods, e.g. TARA

Shared between both disciplines: architecture methods, data formats & functionality.

+ Security (ISO 27001, ISO 15408, ISO 21434, SAE J3061):
- Threat and risk mitigation
- Abuse, misuse, confuse cases
- Security engineering

Security and safety are interacting and demand holistic systems engineering.

Safety life-cycle: Op. Scenarios, Hazard, Risk Assessment > Safety Goals and Requirements > Functional and Technical Safety Concept > Safety Implementation > Safety Verification > Safety Validation > Safety Case, Certification, Approval > Safety Management after SOP

Security life-cycle: Assets, Threats and Risk Assessment > Security Goals and Requirements > Technical Security Concept > Security Implementation > Security Verification > Security Validation > Security Case, Audit, Compliance > Security Management in POS

For (re)liable and efficient ramp-up, connect security to safety governance.


State of the Art: Functional Safety (Risk-Oriented Development)

- Relevance of ISO 26262 is understood.
- Many companies implement it highly inefficiently, e.g. by copy/pasting the standard and by too much testing.
- Typical implementation risks: interfaces between organizations, DIA, "out of context", SOTIF (Safety of intended functionality).
- Consider security: "The organization shall institute and maintain effective communication channels between functional safety, cybersecurity and other disciplines that are related to functional safety."

Interface situations are most critical:
1. Driving Situations (OEM)
2. Hazards (OEM)
3. Risks and Safety Integrity Level (OEM)
4. Safety Goals, Safety Requirements (OEM)
5. Technical Safety Concept (OEM/Tier1)
6. Safety requirements on ECU level (OEM/Tier1)
7. Software Safety Requirements (Tier1/Vector)

Functional safety can be efficiently achieved on the basis of mature development processes. State of the practice is never stable, because methods and standards evolve fast.


State of the Art: Cybersecurity (Risk-Oriented Development)

Security demands are growing fast:
- Connectivity and open channels allow security attacks.
- Exploits will persist beyond "zero-day" because so far there is no OTA governance.
- Safety-critical systems are connected to potentially unsecure bus systems.

Vector recommendations:
- Extend hazard analysis with pentest-driven threat analysis and automotive attack models.
- Separate subnets, especially infotainment and HU.
- Reuse proven artefacts to ensure a robust safety case.
- Implement tailored security protection with fail-operational strategies for safety-critical systems.
- Encrypt communication end-to-end, while considering performance needs.
- Protect ECUs with secure boot and HW-defined security.

Do not copy-paste standards, because it increases overheads and complexity. Tailor standards according to your needs and environment.


Concept of Combined Threat/Hazard Analysis and Risk Assessment (Practical Guidance and Vector Experiences)

Consider specific automotive assets derived from the CIAAG (Confidentiality, Integrity, Authenticity, Availability, Governance) scheme.

Workflow: Assets > Threat-Model & Risks > Measures > Concept for Solution > Verification

Specific automotive asset categories:
- Privacy, Legislation, Governance: e.g. private data
- Operational Performance: e.g. driving experience
- Finance: e.g. liability, brand image
- Safety: e.g. vehicle functions

Example: identified threats
- Safety: injuries because of malfunctioning Passive Entry
- Financial: extra cost due to call-back and law-suits
- Operational Performance: car cannot be started, doors cannot be opened
- Privacy/Legislation: theft of personal data


Model-Based Dependency Analysis (Practical Guidance and Vector Experiences)

Traceability from changes based on hierarchic modelling & update of analysis and tests.

Model layers: System Requirements > Logical System Architecture > Component Architecture > Simulation / Implementation

Analyses attached to the layers: System FTA/FMEA > Component FTA/FMEA > Fault Injection / TDD

[Diagram: hierarchic model of a power-mirror function with the components PowerMirrorCtrl, SwitchMatrix, PowerMirrorPass, PowerMirrorDriver and PowerManagement, their ports (x+/x-/y+/y- for passenger and driver mirror, PM_x, PM_y, PM_selection, KeyIn) and their allocation onto the ECUs Body Ctrl, Driver Door Ctrl, Pass Door Ctrl, Gateway and BatMng, connected via DoorLIN (LIN) and CANPT (CAN) assembly nets with ground and power supply.]
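To make the traceability idea on this slide concrete, here is an added example (not code from the presentation, nor from Vector's PREEvision tooling) that models the four layers and their attached analyses as a small trace graph and computes, for a changed element, which downstream elements and which analyses or tests have to be redone, plus the upstream requirements an element satisfies. The component names are taken from the diagram; the requirement IDs, source-file names and trace links are constructed assumptions.

```python
from collections import deque

# Added example, not from the presentation or Vector tooling. The layers and
# their analyses follow the slide; component names come from the diagram, while
# the requirement IDs, file names and trace links are constructed for the example.
LAYER_ANALYSIS = {
    "requirement": "System FTA/FMEA",
    "logical": "System FTA/FMEA",
    "component": "Component FTA/FMEA",
    "implementation": "Fault Injection / TDD",
}

ELEMENTS = {
    "REQ-PM-1": "requirement",      # assumed: mirror follows the selected switch input
    "REQ-PM-2": "requirement",      # assumed: mirror moves only while KeyIn is active
    "PowerMirrorCtrl": "logical",
    "SwitchMatrix": "logical",
    "PowerManagement": "logical",
    "PowerMirrorDriver": "component",
    "PowerMirrorPass": "component",
    "pm_ctrl.c": "implementation",  # assumed file names
    "pm_driver.c": "implementation",
    "pm_pass.c": "implementation",
}

# Directed trace links (source, target): the target is derived from, allocated
# to, or implements the source, so a change at the source invalidates the target.
TRACE_LINKS = [
    ("REQ-PM-1", "PowerMirrorCtrl"),
    ("REQ-PM-2", "PowerMirrorCtrl"),
    ("REQ-PM-2", "PowerManagement"),
    ("SwitchMatrix", "PowerMirrorCtrl"),
    ("PowerManagement", "PowerMirrorCtrl"),
    ("PowerMirrorCtrl", "PowerMirrorDriver"),
    ("PowerMirrorCtrl", "PowerMirrorPass"),
    ("PowerMirrorCtrl", "pm_ctrl.c"),
    ("PowerMirrorDriver", "pm_driver.c"),
    ("PowerMirrorPass", "pm_pass.c"),
]


def _adjacency(links, reverse=False):
    """Build a directed adjacency map; reverse=True walks links upstream."""
    adj = {}
    for src, dst in links:
        a, b = (dst, src) if reverse else (src, dst)
        adj.setdefault(a, []).append(b)
    return adj


def _reachable(start, adjacency):
    """Breadth-first closure over the adjacency map, including the start node."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def downstream_impact(changed, links=TRACE_LINKS, elements=ELEMENTS):
    """All elements (including the changed one) whose analysis or tests are
    invalidated by a change to `changed`."""
    if changed not in elements:
        raise KeyError(f"unknown model element: {changed}")
    return _reachable(changed, _adjacency(links))


def analyses_to_rerun(changed, links=TRACE_LINKS, elements=ELEMENTS):
    """Analyses/tests to repeat after the change, derived from the affected layers."""
    return {LAYER_ANALYSIS[elements[e]] for e in downstream_impact(changed, links, elements)}


def requirements_for(element, links=TRACE_LINKS, elements=ELEMENTS):
    """Upstream trace: the system requirements an element ultimately satisfies."""
    if element not in elements:
        raise KeyError(f"unknown model element: {element}")
    ancestors = _reachable(element, _adjacency(links, reverse=True))
    return {e for e in ancestors if elements[e] == "requirement"}


def change_report(changed):
    """Summary a safety/security manager would attach to a change request."""
    affected = downstream_impact(changed)
    return {
        "changed": changed,
        "affected": sorted(affected - {changed}),
        "rerun": sorted(analyses_to_rerun(changed)),
        "requirements": sorted(set().union(*(requirements_for(e) for e in affected))),
    }


if __name__ == "__main__":
    print(change_report("PowerManagement"))
```

A change to the logical PowerManagement block propagates to PowerMirrorCtrl and both mirror components, so all three analyses must be rerun, whereas a change confined to PowerMirrorDriver only touches the component FMEA and the fault-injection tests of its implementation. The same reverse walk is what a safety case needs to show which requirements a given source file contributes to.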


Agile Scaling for Safety and Security Engineering (Practical Guidance and Vector Experiences)

Manage dependencies between teams for safety and security related changes.

[Diagram: Scrum of Scrums with a shared Kanban board, coordinated by a Chief Technical Lead; teams SW Team 1, SW Team 2, HW Team, Mechanical Team and Testing Team spread over Location 1, Location 2 and Location 3; roles shown in the legend: SW Lead Team 1, SW Lead Team 2, Technical Lead Testing, Hardware Lead, Mechanical Lead, Team Member; a Safety Manager and Safety Engineering span all teams.]


Tools for Safety and Security (Practical Guidance and Vector Experiences)

Customer benefits:
- Efficient implementation of cybersecurity and functional safety
- Full life-cycle support from requirements to concept, design, test and after-sales
- Traceability and governance
- Support for heterogeneous environments
- Package offer for gap analysis and mitigation activities with Vector SafetyCheck or Vector SecurityCheck
- Continuous Safety Case

Tools: Vector SafetyCheck and SecurityCheck; PREEvision Safety support


Vector SecurityCheck with COMPASS (Practical Guidance and Vector Experiences)

Vector SecurityCheck facilitates:
- Systematic risk assessment and mitigation
- Traceability and governance with an auditable risk and measure list
- Heuristic checklists with continuously updated threats and mitigation


Safety and Security by Design: Implementation, Verification and Validation (Practical Guidance and Vector Experiences)

Design:
- Defensive coding, e.g. memory allocation, avoid injectable code, least privileges
- Selected programming rules such as MISRA-C, CERT
- High cryptographic strength in line with performance needs
- Key management and HW-based security
- Awareness and governance towards social engineering

V&V methods and tools:
- Static / dynamic code analyzer
- Unit test with focused coverage, e.g. MCDC
- Interface scanner, layered fuzzing tester, encryption cracker, vulnerability scanner
- Penetration testing, starting with the TARA concept

Classic coverage test is not sufficient anymore. Test for the known – and for the unknown. Ensure automatic regression tests are running with each delivery.


Game Changer: OTA Facilitates Security Across the Life-cycle (Practical Guidance and Vector Experiences)

There is no security without a continuous Over the Air (OTA) update strategy.

[Diagram: OEM-side update process.]


Case Study Powertrain: Threats and Hazards (Practical Guidance and Vector Experiences)

[Diagram: functions Adjust Speed (velocity), Change Gears and Lock/Unlock mapped to the safety items Throttle (throttle pedal, engine control; ASIL C) and Transmission (ASIL C).]

Function | Hazard | S/E/C | ASIL
Change Gears | While driving at high speed (highway) the gearbox shifts to a higher gear, thus reducing acceleration when it is needed during overtaking | S3/E4/C3 | C
Adjust Speed | Speed is unintentionally increased during normal operation in cruise control while driving in a city | S3/E3/C1 | C

Relate identified security threats to the safety hazard analysis.


Case Study Powertrain: From TARA to Technical Safety/Security Concept (Practical Guidance and Vector Experiences)

[Table in three steps: (1) security goal and derived functional security requirements; (2) elements of the functional architecture; (3) allocation of requirements to architecture elements.]

Security Goal: ID SG05, Level High: It shall be prevented that unauthentic software is installed on vehicle ECUs.

Entities of the functional security architecture:
- Inputs: Update sw command; Authenticity and Integrity of sw update (Signature); sw update
- Function blocks: Prevent unauthorized update; Install sw in ECU; sw storage (e.g. flash memory); . . . .

Functional Security Requirements (each "x" marks an allocation to one of the architecture entities above):
- FSR 1: The authenticity and integrity of the user_command signal during reading and transmission shall be assured. (x x)
- FSR 2: The authenticity and integrity of the authenticity signal during reading and transmission shall be assured. (x x)
- FSR 3: The authenticity and integrity of the sw_update during reading and transmission shall be assured. (x x x)
- FSR 4: It shall be assured that the signal allow_update generated from the input signals is calculated correctly. (x x x x)
- FSR 5: The authenticity and integrity of the allow_update signal during transmission shall be assured. (x x)
- FSR 6: It shall be assured that the signal change_sw generated from the input signals is calculated correctly. (x x)
- FSR 7: If an error with regards to authenticity and integrity during reading, transmission or calculation of signals or the actuator status occurs, the system will not install the sw update. (x x x x x x)

Transform the technical security concept into security requirements. Handle security requirements exactly like functional requirements.
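The point of the slide is that FSR 1 to FSR 7 are ordinary functional requirements that can be implemented and tested one by one. The following added example (not code from the presentation or from Vector) models the functional security architecture behind SG05 as a small pipeline: signed input signals, a "Prevent unauthorized update" block that derives allow_update, and an ECU block that computes change_sw and refuses installation on any error. HMAC-SHA256 stands in for the signature and for the on-board signal protection, and the keys, signal names and the actuator status are constructed assumptions; a real ECU would keep the keys in an HSM and use an asymmetric signature for the image.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added example, not from the presentation or Vector. Keys are constructed for
# the example; HMAC-SHA256 stands in for the signature scheme (assumption).
SIGNAL_KEY = b"constructed-on-board-signal-key"   # protects signals in transit (FSR 1, 2, 5)
UPDATE_KEY = b"constructed-update-signing-key"    # protects the update image (FSR 3)


@dataclass(frozen=True)
class Signal:
    """A signal as transmitted on the bus: name, value and an authenticity tag."""
    name: str
    value: bytes
    tag: bytes


def _signal_tag(name, value, key):
    return hmac.new(key, name.encode() + b"\x00" + value, hashlib.sha256).digest()


def sign_signal(name, value, key=SIGNAL_KEY):
    return Signal(name, value, _signal_tag(name, value, key))


def verify_signal(sig, expected_name, key=SIGNAL_KEY):
    """FSR 1/2/5: accept a signal only if its name matches and its tag verifies."""
    if sig.name != expected_name:
        return False
    return hmac.compare_digest(_signal_tag(sig.name, sig.value, key), sig.tag)


@dataclass(frozen=True)
class SwUpdate:
    image: bytes
    signature: bytes


def sign_update(image, key=UPDATE_KEY):
    return SwUpdate(image, hmac.new(key, image, hashlib.sha256).digest())


def verify_update(upd, key=UPDATE_KEY):
    """FSR 3: authenticity and integrity of the sw_update."""
    return hmac.compare_digest(hmac.new(key, upd.image, hashlib.sha256).digest(), upd.signature)


def prevent_unauthorized_update(user_command, authenticity, sw_update):
    """Function block 'Prevent unauthorized update' (FSR 4): allow_update is
    derived from all three inputs; any failed check yields allow_update = 0."""
    ok = (
        verify_signal(user_command, "user_command")
        and user_command.value == b"UPDATE_SW"
        and verify_signal(authenticity, "authenticity")
        and authenticity.value == b"AUTHENTIC"
        and verify_update(sw_update)
    )
    # FSR 5: allow_update is itself protected for transmission to the ECU.
    return sign_signal("allow_update", b"1" if ok else b"0")


class Ecu:
    """Function blocks 'Install sw in ECU' and 'sw storage' (FSR 6, FSR 7)."""

    def __init__(self, installed=b"image-v1"):
        self.storage = installed      # stands in for flash memory
        self.actuator_ok = True       # constructed actuator status input

    def install_sw(self, allow_update, sw_update):
        """change_sw is computed only from verified inputs; on any error the
        update is not installed and the reason is returned (FSR 7)."""
        if not verify_signal(allow_update, "allow_update"):
            return False, "allow_update signal failed authenticity/integrity check"
        if allow_update.value != b"1":
            return False, "update not authorised by 'Prevent unauthorized update'"
        if not self.actuator_ok:
            return False, "actuator status error"
        if not verify_update(sw_update):   # re-checked at the storage boundary
            return False, "sw_update failed authenticity/integrity check"
        self.storage = sw_update.image     # change_sw = 1
        return True, "installed"


def run_update(ecu, user_command, authenticity, sw_update):
    """End-to-end flow: inputs -> allow_update -> change_sw -> storage."""
    allow = prevent_unauthorized_update(user_command, authenticity, sw_update)
    return ecu.install_sw(allow, sw_update)


if __name__ == "__main__":
    ecu = Ecu()
    cmd = sign_signal("user_command", b"UPDATE_SW")
    auth = sign_signal("authenticity", b"AUTHENTIC")
    print(run_update(ecu, cmd, auth, sign_update(b"image-v2")), ecu.storage)
```

Each requirement maps to one check, which is what makes the requirements testable like functional ones: FSR 3 is verify_update, FSR 4 is the conjunction in prevent_unauthorized_update, FSR 6/7 are the guard clauses in install_sw. Re-verifying the image at the storage boundary is deliberate, so that a tampered allow_update or a swapped image between the two blocks is still caught.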


Case Study Powertrain: Separate Concerns (Practical Guidance and Vector Experiences)

[Diagram: E/E architecture with a Connectivity Gateway (CU, Instrument Cluster, DSRC, 4G/LTE, WiFi; external Laptop and Smart-phone) and a Central Gateway connecting the ADAS DC, Powertrain DC, Chassis DC, Body DC, Smart Charging, the Head Unit and the Diagnostic Interface (OBD evolution).]

Security building blocks: Firewall; Key Infrastructure; Secure On Board Comm.; Secure Off Board Comm.; ID / IP; Monitoring / Logging; Hypervisor; Crypto Primitives; Download Manager; Secure Flash/Boot; Secure Synchronized Time Manager

Incrementally harden your E/E and IT functions, architectures and components.


Risk-Oriented Development Must Cover the Entire Life-Cycle (Conclusions and Outlook)

- Systematic safety and security engineering
- Scalable incident monitoring and response
- Multiple modes of operation (normal, attack, emergency, fail operational, fail safe, etc.)

Life-cycle phases and their focus:
- Development: safety hazards and security threats; safety / security by design
- Production: secured supply chain
- Operations: incident response and upgrades
- Services: secure provisioning and governance


Vector Offers Comprehensive Portfolio for Cybersecurity and Functional Safety (Conclusions and Outlook)

Vector Cybersecurity and Safety Solutions:
- Trainings
- Compliance audits
- SecurityCheck, SafetyCheck
- Security/Safety support, e.g. virtual safety/security manager and pentesting
- AUTOSAR Basic Software: MICROSAR Safe
- Tools for Design, Test and Lifecycle support: PREEvision, DaVinci, CANoe, CANdela and Indigo
- Engineering Services for Safety and Security
- HW based Security


Thank you for your attention. For more information please contact us.

Passion. Partner. Value.

Vector Consulting Services
@VectorVCS
www.vector.com/
[email protected]
+49-711-80670-1520