Protecting the driverless car in a hackers world, explored by Andrew Williams.

As autonomous vehicles edge ever closer to market, the need to ensure adequate protection from cyber-security risks is a pressing concern for developers.  So TU-Automotive went in search of the expert opinion on how these threats can be mitigated.

'Repeatable' process

According to André Weimerskirch, vice-president of automotive and IoT cyber-security and privacy at ‎Lear Corporation, the most important step developers should take to ensure that autonomous vehicles are safe from cyber-security threats is to establish a 'repeatable' cyber-security engineering process that is continuously monitored for maturity and continuously improved and which covers the entire life-cycle of the product.

“A good starting point is a thorough threat analysis and risk assessment to identify risks, determine necessary mitigations and use available resources in an optimum manner.  Another crucial aspect is to create security awareness in the entire company, and train all developers,” he says. “Furthermore, thorough security testing, continuous monitoring for security vulnerabilities and a proper incident response are essential.  There are many more aspects of a proper cyber-security engineering process, and these are listed in the SAE J3061 standard,” he adds.

Elsewhere, Robert Gee, head of product management, software and connected solutions at Continental, believes that before development begins, it is critical that the overall end-to-end system architecture be “discussed with the other related companies and designed with security requirements in mind”.  He also points out that a structured, well-designed architecture is “critical to appropriately allocate, separate, and monitor interfaces for various services” and urges strict adherence to defined secure development processes and coding standards during development.

Moreover, he advises developers to carry out appropriate reviews at each level of development and ensure that testing to provide in-phase corrections and improvement, and verification and validation processes that incorporate testing for potential cyber-security issues, are performed. “Provision should be made for the development of intrusion detection, anomaly detection, and other key functions to detect any attempt at an attack.  In addition, a product security incident response management (PSIRM) process should be established in order to manage incidents in a timely, coordinated and professional way,” he says.

Attack vectors

In Weimerskirch's view, the increasing connectivity, sensor input and software complexity associated with autonomous vehicles will each add to the attack surface and be believes it reasonable to assume that attackers will try to mount attacks that are financially rewarding, such as stealing cars, extracting personal information, and executing ransomware attacks. “Eventually attackers will go for the low-hanging fruits and it's worth noting that these might be in other industry domains, such as the financial industry, if the automotive industry establishes high security levels,” he says.

Because software controls an increasing number of functions in vehicles, Gee argues that any type of attack is possible and from nearly any direction, including wired interfaces, wireless interfaces, or even direct hardware manipulation. “Of course, the most critical attacks will be those that can affect the driving capabilities and performance of the vehicle, but also to those human-machine interfaces that could distract or mislead the human occupants and thus to reduce the likelihood that the vehicle occupants would detect a problem and then take action,” he says.

System layout

When it comes to selecting the most appropriate system layout, Weimerskirch argues that ensuring a smart separation between exposed interfaces and control applications is more important than choosing a particular network or computing architecture.  For him, such separation is ideally implemented 'both in the network and computing platform.

“Network segmentation with firewalls in-between, typically implemented in a so-called central gateway, will heavily increase cyber-security and separate safety-critical components from external interfaces,” he says. “The use of domain controllers can introduce network separation in similar manners.  The use of separate micro-controllers as well as hypervisors and software containers introduce separation within an electronic unit,” he adds.

Although Gee believes there are benefits to both decentralised and centralised network configurations, he believes the most critical thing is to enable a secure mechanism for updates of software, and especially over the air software updates. 

“The in-vehicle approach for software updates will change and may be somewhat more complex for an architecture with many modules, as compatibility must be tested and ensured for new software versions across the different communicating systems,” he says. Ultimately, Weimerskirch thinks a good starting point for autonomous vehicle developers to scale up their cyber security is to perform a risk assessment of the AV system or application, and then “use the available resources in the smartest manner to mitigate the identified risks”.

Looking ahead, Gee also argues that security must not be considered for vehicles alone and, like any other electronic device, points out that vehicles are increasingly becoming part of a networked ecosystem that includes servers, other vehicles, roadside infrastructure, and vulnerable road users, with data becoming the additional sensor to help enable safe and comfortable driving. “Therefore, consideration must be given to protecting the entire chain of data providers and conduits, with appropriate digital and physical protections at each element in the chain,” he says.

[Auto.Williams.2017.09.20]

TU-Automotive Detroit 2018

06 Jun 2018 - 07 Jun 2018, Novi, USA

With 150 speakers, a 200,000 sq ft exhibition and 3000 attendees, TU-Automotive Detroit is the world's biggest conference & expo for connected & autonomous cars.