vehicle cyber security - · pdf fileiso‐26262 (1~10) has already been published. it defines...

March 28, 2014SD IEEE Cyber Workshop

1

Approach for Vehicle Cyber Security with Functional Safety Concept

Hiro OnishiAlpine Electronics Research of America, Inc.honishi@alpine‐la.com

© 2013 Alpine Electronics, Inc. Not for commercial distribution.

2

1. Background: Cyber Risks for Cyber‐Physical System 2. Background: Cyber Risks for Vehicle3. Difficulties in Maintaining Vehicle Cyber Security4. Functional Safety for Vehicle Cyber Security

+. Overview of Functional Safety (= ISO‐26262)

+. Applying Functional Safety (concept) – Vehicle level

+. Applying Functional Safety (concept) – Component level

5. Summary6. Next steps

INDEX

1. Cyber Risks for Cyber‐Physical System – Case 1

Davis‐Besse Nuclear Plant, Ohio (Jan. 25, ’03)

16:00: Noticed network slow down

16:50: Safety Parameter Display System (SPDS) crashed

17:13: Plant process computer crashed (had analog backup)

Reference: Edward Fok. (Dec. 7, ’11) “Introduction to Cyber Security Issues forTransportation” [Web seminar]

3


Air plane manipulation (Apr. ’13, US)+ Security consultants pointed:

They were able to manipulate airplane’s navigation systemwith android application*1.

+ 4 days later, Dept. of Transportation denied the possibility*2. Reference:*1: ~ WIRED www.wired.co.uk/news/archive/2013‐04/11/android‐plane‐hijack*2: ~ Information Weekly www.informationweek.com/security/application‐security/faa‐dismisses‐android‐app‐airplane‐takeo/240152838 4


Lodz, Poland(Jan. ’08)

4 light rail trams derailed, 12 people injuredTool used: Converted television IR remote

Exploit: Locks, disabling track changes when vehicle are present were not installed

Reference: Edward Fok. (Dec. 7, ’11) “Introduction to Cyber Security Issues for Transportation” [Web seminar]

Pictures: Courtesy of EUROPICS

5

6

Currently, “Cyber Security for ICS” can be a serious social concern, as it may impact the following:

+ (Nuclear / chemical) plants+ Military facilities and weapons+ Government facilities and systems+ Transportation (Trains, Airplanes, Vehicles, Ships, etc)+ Utilities (Electric‐grid, Water‐line, etc)+ Finance (ATM, Ticket machines, etc)+ Medical / Health related equipment and others

1. Cyber Risks for Cyber‐Physical System

7

1. Cyber Risks for Cyber‐Physical System

Actions for transportation cyber risks in the US

Reference: *1: ~ Tim Johnson (NHTSA) in ITS America annual meeting, (May, 2012, DC)*2: http://www.wired.com/autopia/2012/09/camp-car-virus-squad/?utm_source=twitter&utm_medium=socialmedia&utm_campaign=twitterclickthru

Federal Congress: Senate and HR have been discussing Cyber security bills though they have notbeen enacted yet.– i.e. S‐3414, S‐3342, S‐2105, HR‐3523, HR‐2096, etc.

White House: President issues multiple ‘Security’ related Executive Orders.‐ i.e. E.O. 13587, E.O. 13636 and PPD(Presidential Policy Directive)‐21.

NHTSA (National Highway Safety Administration) of Dept. of Transportation: ‐ Established “Electronics Systems Safety’ research division for vehicle cyber security*1.‐ Provided test vehicles to researchers /engineers /college and high school students to assess cyber security @ Summer CAMP*2(Aug. ’12).

TRB(Transportation Research Board) of National Research Council: Established “Cyber Security subcommittee” (under the “Critical Transportation Infrastructure Protection” committee).

SAE(Society of Automotive Engineers) international: Established “Vehicle Electrical System Security committee”.

8

1. Cyber Risks for ICS (Industrial Control System)

Actions for vehicle cyber risks worldwide

Reference: *1: www.sevecom.org*2: http://evita‐project.org/*3: http://preserve‐project.eu/*4: www.oversee‐project.com*5: (Japanese) www.ipa.go.jp/files/000014164.pdf*6: (Japanese) www.ipa.go.jp/security/fy24/reports/emb_car/index.html

(’06‐’08)(’08‐’11)

(’10‐’13)

(’11‐’14)

*1

*3

*4

*2

+ Published “Movements of Vehicle Cyber Security” (Apr. ’13)+ Published “Vehicle Cyber Security Guideline” (Mar. ’13)

Information‐TechnologyPromotion Agency

9

1. Cyber Risks for ICS (Industrial Control System)

Vehicle system model of IPA ”Vehicle Security Guideline”

Reference:*: IPA, Published “Vehicle Cyber Security Guideline” (Mar. ’13), (Japanese). http://www.ipa.go.jp/security/fy24/reports/emb_car/index.html

1. Vehicle Control Function 2. Extensive Function

Vehicle Bus

Powertrain Chassis

ITS Telematics Infotainment

Information

Control

Body Safety & Comfortable

Diagnosis & Maintenance

External connectionBluetooth,WiFi, USB,OBD-II…

3. ConventionalFunction

Carry-in Devices

Smart Phone,Navigation,PC, Tablet,

Music players,Hands-free…

Diagnosis,Eco-meter…

Vehicle SystemFunctions to be protected. (Red Bold) fonts show critical functions

10

References:~ A. Weimerskirch, “Do Vehicles Need Data Security?” SAE World Congress, Detroit, MI, Apr. ’11~ Information‐Technology Promotion Agency. (Apr. ’11)“Movements of Vehicle Cyber Security”, (Japanese)

+ Vehicles can be used to inflict serious bodily injury+ Vehicles are high value items+ Vehicles are frequently parked in un‐secured locations+ Vehicle could be targeted for anti‐social activity (ex. terrorism)

Stop/control massive number of vehicles

Create massive panic through false information

2. Cyber Risks for Vehicle

Vehicles can be targets of cyber attacks, because …

11

Modern cars come with up to 80 CPUs, 2 miles of cable, several hundred MB of software, and 5 in‐vehicle networks, “Vehicle” is no longer just a “Mechanical System”


Reference: A. Weimerskirch ‐ ESCRYPT, “Security Considerations for Connected Vehicles”, in SAE Government and Industry Meeting, Washington DC, Jan. ’12

Cruise controlABS

Car Telephone

Air BagNavigation

Emergency call

TelematicsACCLDW

??V2I communicationV2V communicationAutonomous driving

electronics based

12

Internet

Computer

Smart-phone

Music-player

Hacker


Virus or malware carried in smart‐phones or music‐players can easily invade automotive electronics

13

+ 82.2 million people in the US owned smart‐phones (Jul. ’11)*1

+ Application downloads on mobile phones is forecasted to

reach 48 billion by ’15*2

+ Detected malware of AndroidTM OS smart‐phone haveincreased by 472%, within 5 months (Jul. ’11 ~ Nov. ’11)*3


Smart‐phone is a vulnerable IT product, with limited cyber security mechanisms

Reference:*1: (Aug. ’11) “comScore Reports July ’11 U.S. Mobile Subscriber Market Share”, [Internet]*2: R. Vogelei, (Jun. ’11) “Mobile Application Downloads to Approach 48 Billion in ’15”, [Internet]*3: E. Chickowski, (Dec. ’11) “Android Mobile Security: A Growing Threat”, [Internet]

14

DIFFICULTY 1:Limited vehicle external connectivity Difficulty in updating security software Difficulty in monitoring automotive electronics status

DIFFICULTY 2:Limited computational performance, Due to high endurance and long vehicle life‐cycle(10 years) Difficulty to compete against hacker’s PC

DIFFICULTY 3:Unpredictable attack scenarios and threats

DIFFICULTY 4:Hazard to drivers and passengers lives

3. Difficulties in Maintaining Vehicle Cyber Security

Reference: ~ Information‐Technology Promotion Agency (of Japanese government). (Apr. ’11)“ ’10 report: Movements of Vehicle Cyber‐security”, (Japanese)

~ A. Weimerskirch, “Security Considerations for Connected Vehicles”, in SAE Government and Industry Meeting, Washington DC, Jan. ’12

~ P. Kleberger, T. Olovsson and E. Jonsson, "Security aspects of the in‐vehicle network in the connected car“, Intelligent Vehicles Symposium (IV), ’11 IEEE , vol., no., pp.528‐533, 5‐9 Jun. ’11

15

Mobile phone

Vehicle

Base station

Vehicles are only able to communicate externally through mobile phone


Communication for crash‐avoidanceLimited time (100ms order)

CASE‐1 CASE‐2

Vehicle ‐ A

Vehicle ‐ B

Special difficulties

16

Critical MissionHow to maintain ‘Safety’ even when ‘Security’ is compromised!


17

5. Functional Safety for Vehicle Cyber Security

Reference: *1: J. D. Miller, "Overview and Impact of the Automotive Functional Safety Standards ISO 26262“,SAE web seminar, Mar. ’12

*2: D. Hartfelder “Objectives of the SAE Automotive Functional Safety Committee”,SAE Government and Industry meeting, Washington DC, Jan. ’12

ISO‐26262*1:ISO‐TC22‐SC3 is working on “Automotive Functional Safety” standard, ISO‐26262, based on IEC ‐ 61580 (Functional Safety of Electrical/Electronic /Programmable Electronic Safety‐related Systems ). ISO‐26262 (1~10) has already been published. It defines ASIL(Automotive Safety Integrity Level)

and safety process for automotive electronics, according to each ASIL.(Originally, ISO‐26262 did not specify cyber security.)

SAE J2980*2: SAE Functional Safety committee is working on the recommended practiceJ2980 ‐ “Considerations for ISO‐26262 ASIL Hazard Classification” . Create more practical recommendations of ISO‐26262 and focus on

“Propulsion & Driveline”, “Steering & Suspension” & “Braking”.

18


Reference: J. D. Miller, "Overview and Impact of the Automotive Functional Safety Standards ISO‐26262“SAE web seminar, Mar. ’12

ConventionalQuality Management

HighestHazard Level

“QM” < “A” < “B” < “C” < “D”

+. Severity:S1 S3 (Highest)

ASIL is determined by 3 scales

+. (Probability of) Exposure:E1 E4 (Highest)

+. Controllability:C1 C3 (Highest)

19


Functional safety approach – vehicle level

To quarantine virus or malware at the point B , i.e. prior to the safety critical areas. Safety critical areas means “Drive(propulsion)”,

“Stop(braking)” and “Control(steering/vehicle control)”*.

Reference: D. Hartfelder “Objectives of the SAE Automotive Functional Safety Committee”SAE Government and Industry meeting, Washington DC, Jan. ’12

Entertainment /Information system

A

Powertrain

B

VehicleCarry‐in device

20


Reference: *1: A. Weimerskirch, “Security Considerations for Connected Vehicles”, in SAE Government and Industry Meeting, Washington DC, Jan. ’12

*2: For example, http://www.ariloutech.com/pages/carcyber.htm*3: NIST SP800‐82 “Guide to Industrial Control Systems Security”

http://csrc.nist.gov/publications/nistpubs/800‐82/SP800‐82‐final.pdf

1. Basic cyber‐security technique:Secure‐boot*1, Virtualization*1, Encryption, Cryptographic hashes, etc.

2. Separation of safety critical areas: Install firewalls between Infotainment and safety critical areas*2.

3. Review and clarify functions:3‐a.) Review commands/messages from Infotainment areas

to safety critical areas.e.g. keep “Slow‐down”, but delete “Speed‐up”.

3‐b.) Protect against software manipulation.

4. IDS(Intrusion Detection System)*3:Periodically monitor especially for safety critical areas.

Functional safety approach – vehicle level

21


1.) Based on our internal preliminary assessment

List functions and assess hazard‐levels, ASIL – e.g. center console Countermeasure, according to ASIL.

Rearview camera(Monitoring)

1.)

2.)

2.) Reference: R. Hamann et al., "ISO 26262 Release Just Ahead: Remaining Problems and Proposals for Solutions" in SAE World Congress, Detroit, MI, Apr. ’11

Functional safety approach – component level

CD/DVD control

Functions

Navigation

Emergency Call

ASIL

Power window A

Exposure Controllability Severity

E2 C2 S3

C3 S3E1 A

Air conditionerControl E3 C3 S3

E3 C1 QMAE2 C2 S3

E3 C2 S2 A

Air bag DE4 C3 S3Fault activation during driving

Sample Malfunctions

Unwanted window closing

Emergency call is not placedat accident

Heating is not workingduring the winter in Canada

Erroneous guidance,e.g. opposite direction on freeway

CD/DVD is not working

During backing, image of rearview camera freeze (show old image)

S1

Turn signalIn cluster panel QME1 C2 S3Shows signal activation in cluster,

though actual signal is not working

C

22


Reference: ~ NIST SP800‐82 “Guide to Industrial Control Systems Security”http://csrc.nist.gov/publications/nistpubs/800‐82/SP800‐82‐final.pdf


1. Hardware/analog control*:Critical functions should be controlled by hard‐switches or analog back‐ups with priority. e.g. temperature and wind‐level of air‐conditioners

Note: Guidelines about emerging EV battery information may be required.

23


Cooperation with “Technical design”, “Legislation”,“Supply‐chain (dealer shops, etc)” and others are required!

Reference: ~ NIST SP800‐82 “Guide to Industrial Control Systems Security”http://csrc.nist.gov/publications/nistpubs/800‐82/SP800‐82‐final.pdf


2. Failure/intrusion detection*:a.) Periodically check operations for critical usages e.g. emergency call

b.) Abnormal conditions should be notified to drivers immediately,in order for drivers to avoid critical hazards. e.g. rearview camera monitor, navigation, etc.

24

Intelligent modern vehicles with more MCU(Micro Controller Unit)s and software codes have higher cyber risks than ever.

Difficulties in maintaining vehicle cyber security:‐ Limited vehicle external connectivity‐ Limited computational performance‐ Unpredictable attack scenario and threats‐ Hazard to drivers and passengers lives

For vehicle cyber security, it is important to maintain “safety”,even when “security” is broken.

Functional safety (concept) at vehicle‐level/component‐level is effective to maintain vehicle safety, when security is broken.

5. Summary

25

6. Next steps

This approach can be applied for other embedded systems’ security, as well as automotive electronics cyber security.

This approach only focuses on hazards within a vehicle, while DoS (Denial of Service), e.g. emergency calls from huge # of vehicles can damage the entire community,(even if the hazard within a vehicle is small).

Hazard assessments for community‐level damages andcountermeasures for these assessments are essential,as our next step.

26

Thank you for your attention!!

Hiro OnishiAlpine Electronics Research of America, Inc.honishi@alpine‐la.comTel: +1‐310‐783‐7281

Slide design:Mari Hatazawa

mhatazawa@alpine‐la.com

vehicle cyber security - · pdf fileiso‐26262 (1~10) has already been published. it defines...

Documents