Automotive cybersecurity and trustworthiness
In this three-part blog series, readers will learn the importance of automotive cybersecurity and the impact it has on the overall safety and trustworthiness of a vehicle.
Part 1 describes the current state of automotive cybersecurity and the need for trustworthiness. Part 2 examines the industry’s largest cybersecurity vulnerability: the manufacturing supply chain. Part 3 looks at cybersecurity standards and the path forward, including an automotive security maturity framework.
For several years, the automotive industry has been in a state of technological volatility. New, complex inter-connectable technologies continue to emerge that manufacturers and OEMs are embracing at a blistering pace. These include infotainment systems, advanced driver-assistance systems (ADAS), and a variety of modern electric vehicle systems. The modern automobile is increasingly moving toward a networked array of mobile computers and, as a consequence, carmakers have grown to consist of many, large software development groups. Today, a new vehicle might include over 100 million lines of code to manage and monitor a large array of subsystems.
Though modern features bring benefits and convenience, they are shadowed by concerns regarding the trustworthiness of connected vehicles and the risk to safety-critical systems. The advancing technology includes more autonomy, a greater number of electronic control units, and increasing complexity overall. Yet, the adoption of security associated with the embedded software, connectivity of vehicles, and the digital interfaces in the manufacturing process is lagging.
The National Highway Traffic Safety Administration defines automotive cybersecurity as the “protection of automotive electronic systems, communication networks, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation.” Much to the frustration of the automotive manufacturing industry, this manipulation includes malice, such as a hacker who disables vehicle communications, disrupts navigation, or interferes with powertrain controls.
Automobile manufacturers have extensive economic motivation for connecting vehicles to the Internet since it allows remote wireless vehicle software updates (rather than more expensive recalls), collection of valuable data on vehicle performance, and influence over where consumers shop. By the year 2022, approximately two-thirds of new-model cars on North American roads will have over-the-air connections that could expose safety-critical systems. Unfortunately, this will put vehicle owners at risk of potentially deadly cyber hacks.
California-based Consumer Watchdog issued a 49-page report that paints a dire picture and urges automakers to install 50-cent "kill switches" to allow vehicles to be disconnected from the Internet. The report highlights numerous widely reported instances of remote vehicle hacking, such as a 2015 demonstration involving a Jeep Cherokee left crawling along a St. Louis-area freeway. This was the first remote hack; all previous attacks had required local, physical access. Although it was a research demonstration of the feasibility of a wireless attack rather than a real-world incident, it was successful. The method was to send erroneous data through the vehicle's radio head unit, which was protected by a strong password. The key vulnerability in this scenario was that the attackers were able to use salted password hashing to reverse engineer the password-generation process.
Though attacks directly on vehicles may steal more headlines, the most serious vulnerabilities are found among the manufacturers.
The automotive industry has one of the largest supply chains in the U.S. This includes the frequent integration of third-party software, components, applications, and communications protocols, presenting an array of major cybersecurity weaknesses and quality-control issues. The interconnected nature of suppliers, the Internet linkage to most production lines, and the huge volume of software embedded in vehicles all provide many avenues of attack. With so many potential entry points, the supply chain is a prime target for hackers and nation-state actors. (Part 2 in this blog series addresses the supply chain in more detail.)
With significant potential impact and plentiful entry points for malevolent action, there is a clear need in the automotive industry for proper security controls on both their products and their development processes. Yet, industry technologists continue to warn that manufacturers and suppliers are grossly unprepared to deal with cybersecurity challenges.
Though standards and processes related to cybersecurity exist for the IT industry at large, these do not translate well to the automotive business. Standards and governance that fit the automotive environment need to be developed. One avenue to pursue is the development of a maturity model that addresses security surrounding vehicle development. (Part 3 in this blog series discusses these aspects more fully.)
Safety is the primary driver for ensuring that vehicles are cybersecure considering that unwanted intrusion in critical automotive systems could raise the risk of harm to users, the public, and the environment.
Additionally, manufacturers seek to create automotive systems that maintain their functionality across various operating environments, possible disruptions, system faults, human errors, and attacks.
The critical question is: Are new-generation vehicles trustworthy?
Trustworthiness is the assurance that a system continues to function properly and appropriately in all circumstances. The five characteristics that have the greatest effect on automotive trustworthiness are:
- Security — The system must have sufficient protection from unauthorized access, change, or destruction. Information must not be available or provided to any unauthorized entity or process.
- Safety — The system must operate without causing unacceptable risk of physical harm to any person, other property, or the environment.
- Reliability — The system and its components must perform their functions according to their specifications and for a specific period of time.
- Resilience — The system should be built to manage, avoid, and absorb changing and potentially adverse conditions while completing all expected tasks.
- Privacy — The right of an entity or individual to control what information may be collected, stored, and processed.
There is a strong interaction between these characteristics. Safety and reliability depend directly on security to maintain integrity. Similarly, privacy controls are unenforceable without proper security considerations. Finally, security is a primary ingredient in a resilient system that continues to function in the face of hazards and attacks.
These five characteristics should not be considered as individual disciplines, but rather treated collectively. Addressing them holistically avoids the compartmentalization of individual characteristics that could potentially compromise important aspects of trustworthiness that span across the whole. Together, they create a robust solution that is fully trustworthy.
To support trustworthiness, assurance must be achieved for each of the five characteristics. This requires the collection and analysis of conclusive evidence that supports the system design, manufacturing, deployment, testing, and operation. This process consists of both a hazard analysis and risk assessment (HARA) and threat analysis and risk assessment (TARA).
An event model is generated for both the HARA and TARA. The model identifies the most damaging pathways by which a system may be compromised. The overall aim is to identify as many hazards and threats as practicable. A hazard is something that has the potential to harm; threats are malicious acts that can result in harm.
After identifying hazards and threats, the development team assesses both the probability of a specific event causing harm and the impact of harm from that event.
Specifically for cybersecurity, assurance cases and abuse cases can be created from the HARA and TARA. Assurance cases set out the rationale for specific security behaviors, features, or strengths; they aim to provide evidence of the relative absence of weaknesses and vulnerabilities. Abuse cases are built to subject the system to invalid inputs and provide an assessment of its response.
From this information, a cybersecurity team can develop elaborate security measures to be applied during system design, manufacturing, testing, and maintenance.
Testing for trustworthiness
Developing a testing process that ensures trustworthiness necessarily involves augmenting functional safety with cybersecurity. Standard ISO 26262 states that cybersecurity is an essential part of functional safety but provides no guidance on the topic. To firmly establish the trustworthiness of the vehicle system and its subcomponents, a cybersecurity team must define safety and security requirements and apply reliability and privacy constraints. Only then can a manufacturer fully test the integrity and resilience of the vehicle.
Test cases are defined based on the hazards, threats, and risks identified through the HARA and TARA. These test cases are then input to verification and validation (V&V) testing. During V&V testing, it is critically important to expose systems to all corner cases and ensure coverage across all environmental conditions and abuse cases. Rigorous testing of the hardware and software of the components, as well as the overall system, is required to assure trustworthiness.
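As an added illustration of the HARA/TARA process described above and of deriving abuse-case tests from it (this is example code, not from the blog post or any manufacturer's tooling), the following Python models a small event register, ranks pathways by probability times impact, and then runs constructed invalid inputs against two hypothetical versions of a speed-message handler: one without input validation and one with it. The hazards, threats, scores, message format and handler names are all constructed assumptions.

```python
"""Added example (not from the original post): a HARA/TARA-style event
register plus an abuse-case harness. All events, scores, the message
format and both handlers are constructed for illustration only."""

from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    kind: str         # "hazard" (HARA, non-malicious) or "threat" (TARA, malicious)
    name: str
    pathway: str      # how the system could be compromised or fail
    probability: int  # 1 (rare) .. 5 (frequent), assessed by the team
    impact: int       # 1 (negligible) .. 5 (life-threatening)

    @property
    def risk(self) -> int:
        # Simple risk score: probability x impact (constructed scale)
        return self.probability * self.impact


def rank_events(events: List[Event]) -> List[Event]:
    """Most damaging pathways first; ties broken by name for stable output."""
    return sorted(events, key=lambda e: (-e.risk, e.name))


# Constructed event register (hypothetical values, not real vehicle data)
REGISTER = [
    Event("hazard", "brake_actuator_stuck", "mechanical fault in actuator", 2, 5),
    Event("threat", "spoofed_speed_message",
          "unauthenticated speed message injected via the head unit", 3, 5),
    Event("threat", "infotainment_dos", "malformed Bluetooth packet crashes head unit", 4, 2),
    Event("hazard", "sensor_dropout", "ADAS camera loses frames in heavy rain", 3, 3),
]

# Hypothetical component under test: a 2-byte big-endian speed (km/h) message
MAX_SPEED_KPH = 300


def handle_speed_message_unchecked(payload: bytes) -> dict:
    """Hypothetical 'before' handler: trusts length and range of the input."""
    speed = (payload[0] << 8) | payload[1]   # IndexError on short payloads
    return {"accepted": True, "speed_kph": speed}


def handle_speed_message_validated(payload: bytes) -> dict:
    """Hypothetical hardened handler: rejects invalid input with a safe reason."""
    if len(payload) != 2:
        return {"accepted": False, "reason": "bad_length"}
    speed = int.from_bytes(payload, "big")
    if speed > MAX_SPEED_KPH:
        return {"accepted": False, "reason": "out_of_range"}
    return {"accepted": True, "speed_kph": speed}


# Abuse cases derived from the highest-risk threat (constructed inputs)
ABUSE_CASES: Dict[str, bytes] = {
    "empty_payload": b"",
    "oversized_payload": b"\x00\x10\xff",
    "out_of_range_value": (0xFFFF).to_bytes(2, "big"),
    "max_valid_value": MAX_SPEED_KPH.to_bytes(2, "big"),
}


def run_abuse_cases(handler: Callable[[bytes], dict],
                    cases: Dict[str, bytes]) -> Dict[str, str]:
    """Feed each invalid input to the handler and classify the response."""
    results = {}
    for name, payload in cases.items():
        try:
            resp = handler(payload)
            results[name] = "accepted" if resp["accepted"] else "rejected_safely"
        except Exception as exc:  # a crash is itself a finding
            results[name] = f"crashed:{type(exc).__name__}"
    return results


def assurance_summary(events: List[Event], abuse_results: Dict[str, str]) -> dict:
    """Evidence a team could record: top-ranked pathway and unhandled inputs."""
    top = rank_events(events)[0]
    crashes = [n for n, r in abuse_results.items() if r.startswith("crashed")]
    unexpected = [n for n, r in abuse_results.items()
                  if r == "accepted" and n != "max_valid_value"]
    return {"highest_risk": top.name, "risk": top.risk,
            "crashes": crashes, "accepted_invalid": unexpected,
            "all_invalid_inputs_handled": not crashes and not unexpected}


if __name__ == "__main__":
    for e in rank_events(REGISTER):
        print(f"{e.risk:>2}  {e.kind:<6} {e.name}: {e.pathway}")
    for h in (handle_speed_message_unchecked, handle_speed_message_validated):
        print(h.__name__, assurance_summary(REGISTER, run_abuse_cases(h, ABUSE_CASES)))
```

The unchecked handler crashes on the empty payload and accepts both the truncated three-byte message and the out-of-range value, which is exactly the kind of evidence an abuse case is meant to surface before V&V signs off; the validated handler rejects every invalid input with a stated reason and accepts only the in-range value.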
To enable trustworthiness testing throughout the product life cycle, any robust solution must consist of various flexible interfaces that permit testing of many different types of systems and components. For example, to test an infotainment system, it is essential to exercise all the many wired and wireless adapters (including cellular, wi-fi, and Bluetooth). Extensive and differentiated testing of all combinations is necessary to gain full confidence in reliability, safety, resilience, and privacy. Also, it’s important to add easily connectable custom adapters for components such as powertrain systems.
Manufacturers will want a testing environment that exhibits a standards-based, scalable, secure, and extensible toolset that covers: remote test engine connectivity; a test code deployment/delivery framework; test monitoring; management of results and key performance indicators (KPI); search and analysis in test results; and over-the-air upgrade capability.
The latest vehicles are flooded with electronic control units and embedded software and are becoming more and more connected. The manufacturing is handled by numerous suppliers in an elaborate supply chain. These factors combine to create gaps and holes through which cyber threats can pass. Yet, manufacturers have taken little cybersecurity action to tighten the products and processes. Considering that the overall vehicle trustworthiness relies heavily on cybersecurity, these issues deserve urgent attention.
Typical hacker incentives are glory (“Look at what I did!”) and financial gain (e.g., ransomware) rather than a specific attack on safety. However, the driving public could easily be caught in the crossfire – injuries and deaths that the industry cannot condone through lack of attention or action on cybersecurity issues.