How To Ensure Safety In An Automotive System

Transcription

1 1 / 6 No Safety without Security Dr. Günther Heling, Vector Informatik GmbH Dr. Christof Ebert, Vector Consulting Services GmbH V

2 No Safety without Security Automotive Trends Vector Congress Electrification Hybrid concepts 2. Driver Assistance Lane control, collision avoidance 3. Connectivity Infotainment 2/28

3 No Safety without Security Automotive Trends Vector Congress Electrification Zero Emission (locally) 2. Driver Assistance Autonomous Driving 3. Connectivity Always Connected 3/28

4 No Safety without Security Meet Captain Crunch 1970s: Telephone Systems were 2014: Automotive Systems are Complex Complex Distributed Distributed Software Intensive Software Intensive Perceived as secure Perceived as secure Easy to manipulate.? 4/28

5 No Safety without Security Evolution of Security Challenges Increasing complexity, open interfaces Weaknesses, vulnerabilities Attacks, mistakes, accidents High follow-up costs, damage to reputation IT Infrastructure today Mobile Communication today Automotive 2010 today Medical implants today - Chip tuning - Privacy abuse in car2x communication - Compromised security certificates - Car-Jacking 5/28

6 No Safety without Security Software is the top driver for innovations Car connectivity enables a lot of value-added features (Car2X/V2V) Connected cars show comparable vulnerability as connected computers Risks to assets: Infringe of privacy Theft Cheating (e.g. for smart charging) Manipulation of program and/or data: mileage, calibration, configuration data financial loss functionality safety Influence on vehicle behavior (e.g. faked traffic jam via Car2X) 6/28

7 No Safety without Security Survey Industry Trends 2014 Results 60% 50% Important for own responsibility Efficiency improvement 40% 30% Distributed development Flexibility Cost reduction Innovation Robust products 20% Infrastructure Reuse Standardization 10% Important for Others own industry Big data 0% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Note: Sum > 100% because 3 answers per question were allowed Clear focus: Robust products in terms of security and safety 7/28

8 No Safety without Security Vector Stimulus Automotive Safety is well established and 1 well supported by ISO and AUTOSAR 2 Automotive Security is increasingly relevant and addressed by AUTOSAR 3 4 Security and Safety must be systematically aligned using best practices You should introduce Security Engineering in your organization and in your projects 8/28

9 No Safety without Security Automotive Safety is well established and 1 well supported by ISO and AUTOSAR /28

10 Automotive Safety General approach according ISO Driving Situations OEM 2. Hazards OEM 3. Risks and Safety Integrity Level OEM 4. Safety Goals Safety Requirements OEM 5. Technical Safety Concept OEM/Tier1 6. Safety Requirements ECU level OEM/Tier1 7. Software Safety Requirements Tier1/Vector 10/28

11 Automotive Safety Software Elements inherit ASIL from Software Safety Requirements Software Safety Requirements Software Elements ECU Software Mixed ASIL approach is often the basis of the ECU Safety Concept 11/28

12 Automotive Safety Safety architecture based on AUTOSAR ASIL Partition QM Partition SafeCom (E2E) SWC1 SWC2 SWC3 SWC4 SafeRTE RTE MICROSAR Safe supports Technical Safety Concept by Safe Watchdog Silent RTE BSW SafeBSW Safe Context (OS) BSW Core Test RxM Test MCAL MCAL Hardware 1. Protection of your Safety Software SafeContext FfI Memory SafeWatchdog FfI Time 2. Safe Communication a) between ECUs SafeCom FfI Communication b) within ECU SafeRTE with RTE Verify: BSW to be used in Safety Partitions SilentBSW without safety features 4. BSW with safety features SafeBSW /28

13 Automotive Safety Guidelines and standards complement each other ISO 26262: Guidelines Safety architecture methods process Project related top-down approach + AUTOSAR: Standards Reuse architecture methods architecture data methods formats & functionality data formats & functionality Combination & configuration of modules ( Safety Elements out of Context ) 13/28

14 1 Automotive Safety is well established and well supported by ISO and AUTOSAR 2 Automotive Security is increasingly relevant and addressed by AUTOSAR /28

15 Automotive Security Relevant access points Smart Charging Off-Board Tester Connectivity 3G/LTE WiFi / Car2X Gateway (or Backbone) Vehicle Dynamics Assistance & Protection SD USB Head Unit Body Control EMS Radar Airbag ESP Camera Camera 15/28 Powertrain / Chassis ADAS avoid & Safety misuse of services Infotainment offered by the Body vehicle avoid unintended modification of vehicle software CAN LIN FlexRay Ethernet/IP

16 Automotive Security Available solutions based on MICROSAR 1. ECU diagnostics and reprogramming Cryptographic routines for authorization and authentication Data encryption/decryption 2. Smart charging TLS (Transport Layer Security) secured communication 3. Secured in-vehicle communication Signal encryption and decryption (per AUTOSAR SWC) 16/28

17 Automotive Security AUTOSAR supports security AUTOSAR defines a. abstract interfaces for cryptographic routines: CSM - Crypto Service Manager (Service) CAL - Crypto Abstraction Layer (Library) OS OS SYS CSM RTE COM LIBS CAL b. modules to implement cryptographic routines (without specifying the content) CRY for CSM - hardware support possible (SHE, HSM) CPL for CAL CRY DRV MCAL Microcontroller CPL AUTOSAR supports security methods Not covered: - handling of certificates and keys - cryptographic algorithms itself - intrusion detection,... New AUTOSAR working group just started 17/28

18 Automotive Security Summary - security methods used today 1. Establish a secure communication Goal: - ensure authenticity ( right partner? ) Method: - distribution of certificates - verification by asymmetric encryption (private key and public key) 2. Secure Communication with a trusted partner Goal: - protect communication (modification and eavesdropping) Method: - exchange keys (for one session) - symmetric encryption (often hardware supported) 3. Firewall 4. Intrusion detection system 18/28

19 No Safety without Security 1 Automotive Safety is well established and well supported by ISO and AUTOSAR 2 Automotive Security is increasingly relevant and addressed by AUTOSAR 3 Security and Safety must be systematically aligned using best practices 4 19/28

20 Security and Safety must be Aligned Safety and Security must be addressed in parallel New functionality... Fail-safe and fail-operational behaviors Complex feature interaction High data volume External interfaces (V2X; vehicle as IP node)... Drives new challenges New safety concepts (architectures with more redundancy) Support of high-performance micro-controllers Support of high-performance software development Safety functions have to be secured against attacks > Avoid misuse of services and functions > Prevent unintended change of functions Cost-effective evolution and support over the entire life-cycle Learn from other industries to cost-effectively implement security 20/28

21 The Automotive world has to catch up 1. Take benefit from security experience in other critical domains Apply cybersecurity principles and methods to harden distributed embedded systems Adopt the IT standard Common Criteria for automotive IT infrastructure usage 2. Align the approaches for safety and security engineering to stay cost-effective Apply threat modelling as part of hazard and risk analysis Use security levels in relation to safety integrity levels > Different security aspects, e.g. authenticity, integrity, confidentiality > Relevance of assets and access options, e.g. attack intensity Align underlying development methods and processes > Architecture design and evaluation, security design, coding rules, hardening, robustness and misuse testing, life-cycle robustness > Tool support for combined safety and security engineering and consistency across the entire life-cycle 21/28

22 Security and Safety must be Aligned Example: Common Criteria Initiative of so far 26 countries Goal Consistent security evaluation and certification of products and protection profiles Applicability Operating systems, key management systems, ICs, smart cards, crypto libraries,... Common criteria have been adopted for different critical systems, such as automation, aerospace, defense, Approach 7 Evaluation Assurance Levels (EAL) Automotive experiences Many automotive players so far have unclear security targets and thus no consistent consideration in architecture and life-cycle processes Unnecessary high risk and cost due to overdoing in one area and failing on others Tailored subset of Common Criteria together with safety/security engineering help in providing a thorough yet cost-effective solution 22/28

23 Security and Safety must be Aligned Activities to Leverage Security Engineering Activity Adapt mature development processes to factor in security engineering. Benefit Security engineering activities are known, scheduled, and executed within normal development Security techniques in the life-cycle are combined with safety engineering Elicit security requirements in the beginning of the project. Assets to be protected are clearly identified Traceability is maintained to ensure consistency over the life-cycle Test cases for security validation are derived from requirements Review or test every security relevant artefact, use analysis and test tools. Use security competencies. Identification of issues at the earliest possible time Automated tools increase confidence and reduce effort Specific embedded security expertise available when necessary Economic and engineering trade-off analysis Systematically implement security engineering. 23/28

24 No Safety without Security 1 Automotive Safety is well established and well supported by ISO and AUTOSAR 2 Automotive Security is increasingly relevant and addressed by AUTOSAR 3 4 Security and Safety must be systematically aligned using best practices You should introduce Security Engineering in your organization and in your projects 24/28

25 Introduce Security Engineering Safety and Security Impacts: Complexity and Competences 25/28 Increasing number and complexity of functions Rising safety requirements and liability risks Inefficient processes Lack of safety / security competence Electronic fuel injection Cruise control Gearbox control Traction control Anti lock brakes Electronic fuel injection Cruise control Airbags Electronic stability control Active body control Adaptive gearbox control Adaptive cruise control Emergency call Gearbox control Traction control Anti lock brakes Electronic fuel injection Cruise control Adaptive Headlights Steer-by-wire Lane Assistant Stop and Go Parking Distance Control Emergency Break Assist Curve-Warning Hybrid Drive Road Trains Electronic Brake Control Telediagnostics Car-2-car Communication Online Software Updates Airbags Electronic stability control Active body control Adaptive gearbox control Adaptive cruise control Emergency call Gearbox control Traction control Anti lock brakes Electronic fuel injection Cruise control

26 Introduce Security Engineering Safety and Security An Odd Couple In many aspects safety and security are comparable It is not only about technical solutions and processes it is also about culture A joint approach including OEM, ECU supplier and provider of basic SW and HW is needed A failure can mean severe image problems... but Security is a bit special: Complex and expensive to cover the whole system and its lifecycle Probabilities don t matter, it is always 100% Necessary competences and methods not yet available in E/E departments Security Safety ISO It needs the ability to think like a Criminal and preemptively act as an Engineer 26/28

27 Introduce Security Engineering Benefit from our Portfolio on Automotive Safety and Security Standard Software Technical measures to protect hardware and software security Examples: Robustness and Hardening in AUTOSAR, Security adjusted to safety integrity needs Tools Consistent approach for all development activities. Examples: Threat and Hazard analysis during concept definition, consistent modeling in PREEvision Consulting Support for methods and skills as well as the necessary cultural changes. Examples: Security engineering, culture change, hazard analysis Security Culture needs to address products, processes and people 27/28

28 For more information about Vector and our products please visit Author: Dr. Christof Ebert, Dr. Günther Heling, with Dr. Dominik Lieckfeldt, Armin Happel, Jonas Wolf Vector Informatik GmbH Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V