SECURITY CHALLENGES IN THE SMART CAR
BASED ON ELA / SYSTEMX (http://www.irt-systemx.fr/project/ela/?lang=en) & ECO-FEV / FP7 PROJECT RESULTS (https://www.eco-fev.eu/)
W. KLAUDEL, 26/11/2015, GROUPE RENAULT
AGENDA
- Car evolution and cybersecurity threats: why such interest today?
- ELA/SystemX project contribution to cybersecurity challenges: methods, architecture and technology
- eco-fev/FP7 project contribution to identity and right management for the extended car & enterprise: service delivery and identity management separation, federative approach (OpenID)
CAR EVOLUTION AND CYBERSECURITY THREATS
In the past:
- Threats: electronics dysfunction
Today:
- Threats + direct attacks from the Internet! Theft of personal data, navigation and infotainment dysfunction; mass attacks possible
- Threats + car theft, theft of personal data (figure labels: TCU, safety critical electronics)
CAR EVOLUTION AND CYBERSECURITY THREATS: TOMORROW
Services:
- Remote access to the car sensors (position, temperature, cameras, ...)
- Diagnostic and remote update (OTA)
- Remote control (PC, smartphone, ...): preconditioning, opening
- Keyless access & start (smartphone, biometric wearable, ...) => car sharing
- ADAS (passive, active, cooperative)
- Autonomous driving
(Figure: production, after sale / help desk, services, RSU, biometric)
An isolated TCU architecture is no longer possible: remote (mass) sabotage threats have to be considered!!!!
CYBER SECURITY THREATS: MITIGATION ACTIONS
- Strengthening cybersecurity milestones in the V cycle & objectification of risk evaluation, standardization and certification (like ISO 2700x and Common Criteria)
- EE architecture adaptation to new threats
- More cyber security technology in all EE components
SystemX ELA project
ELA: Electronique et Logiciel pour l'Automobile (Electronics and Software for the Automobile)
Challenges:
- Create architectural patterns ensuring the tradeoffs between scalability, safety, security and cost
- Propose methods and tools to control the costs of design and validation
- Create the technological components for "affordable architectures"
Tasks (work packages):
- T1: Real time virtualization
- T2: Image processing, data fusion for ADAS
- T3: Safe algorithms for Autosar multicore architectures
- T4: Cybersecurity
ELA: end user use cases / services
ADAS:
- Emergency stop, raised by ITS geonet or pedestrian recognition
- Automatic parking (monitored by the user from his smart device)
- Lane and Distance Keeping Assistance
NAVIGATION AND INFOTAINMENT:
- Internet access, Internet radio
- Connected navigation with Points of Interest
- Integrated HMI and vehicle equipment personalization
OTHERS:
- Vehicle access, preconditioning and start through Internet using a smartphone
- Software installation and update through Internet (OTA)
- E-Tolling, ecall
- Display of vehicle environment on the driver's smartphone or tablet
- Remote diagnostics
Cybersecurity Risk Management: an optimization problem
Problem definition:
- Degree of freedom (design space): {product definition x architecture & protections} => {attacks, consequences of successful attacks}, i.e. consequences and attack probabilities
- Attack tree:
  - Attack goal: attacker aim, e.g. car theft, sabotage of brakes while driving at high speed
  - Attacked function: attacked vehicle function, e.g. automatic brake
  - Attack method: technical idea of attack, e.g. install unauthorized software
  - Attack on asset: attack technique which is applied to an asset, e.g. message injection on the Ethernet interface of the Image Processing Unit (i.e. the asset)
  - Attack entry point: attack entry point in the vehicle, e.g. 3G/4G interface of the Communication Unit (CU)
Optimization objectives: propose architecture and protection mechanisms in order to:
- Min. cost
- Max. performance, usage facilities
- Min. risk, i.e. (consequence * probability)
ELA RISK ANALYSIS METHOD: ATTACK TREE
- Attack goal: attacker aim, e.g. inhibit/lock brakes while driving at high speed
  - R = F(S, C, A): attack goal risk (vector)
  - S: severity vector: Safety, Privacy, Financial, Operational
  - C: controllability for safety related attacks
  - A: attack probability
- Attacked function: attacked vehicle function, e.g. automatic brake
- Attack method: technical idea of attack, e.g. install unauthorized software, communicate falsified information
- Attack on asset: attack technique which is applied to an asset, e.g. message injection on the Ethernet of the IPU (Image Proc. Unit)
- Attack entry point: attack entry point to the vehicle, e.g. 3G/4G interface of the Communication Unit (CU)
Two applications of the elaborated method:
1. Security requirement establishment: for all attack goals qualified by R, S & C => maximum accepted probability A for all attacks on assets
2. Security audit: for all attack goals qualified by S & C, and known A for all attacks on assets => R for all attack goals (A calculated according to known protections)
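Worked example of the attack-tree risk model from the two preceding slides (the optimization problem and the two applications of the method), added here as illustration and not ELA project code. The slides define only the tree levels and R = F(S, C, A); the OR/AND combination rules, the concrete form of F, the 0..4 severity scale and all probabilities below are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from math import prod
from typing import List, Optional, Tuple

@dataclass
class Node:
    """One tree level: goal -> attacked function -> method -> attack on asset -> entry point."""
    name: str
    children: List["Node"] = field(default_factory=list)
    gate: str = "OR"               # assumed: "OR" any child suffices, "AND" all children needed
    prob: Optional[float] = None   # leaf only: attack probability A of this step

def attack_probability(node: Node) -> float:
    """A of a node: leaves carry their own A, inner nodes combine children (assumed rules)."""
    if node.prob is not None:
        return node.prob
    ps = [attack_probability(c) for c in node.children]
    if node.gate == "AND":
        return prod(ps)                       # every child step must succeed
    return 1 - prod(1 - p for p in ps)        # independent alternative paths

def goal_risk(S: Tuple[float, ...], C: float, A: float) -> Tuple[float, ...]:
    """R = F(S, C, A), assumed here as severity * A with the safety term scaled by (1 - C)."""
    safety, privacy, financial, operational = S
    return (round(safety * (1 - C) * A, 3), round(privacy * A, 3),
            round(financial * A, 3), round(operational * A, 3))

def max_accepted_probability(S, C, R_max) -> float:
    """Application 1: largest A such that every component of R stays within R_max."""
    weights = [S[0] * (1 - C)] + list(S[1:])
    return min(r / w for r, w in zip(R_max, weights) if w > 0)

# Constructed tree for the goal "inhibit brakes while driving at high speed".
BRAKE_GOAL = Node("inhibit brakes at high speed", [
    Node("automatic brake", [
        Node("install unauthorized software", gate="AND", children=[
            Node("message injection on IPU Ethernet (asset)", prob=0.3),
            Node("3G/4G interface of the CU (entry point)", prob=0.2),
        ]),
        Node("communicate falsified information", [
            Node("message injection on CAN (asset)", prob=0.05),
        ]),
    ]),
])
S_BRAKE = (4, 0, 1, 3)   # severity: Safety, Privacy, Financial, Operational (assumed 0..4 scale)
C_BRAKE = 0.25           # controllability at high speed (assumed)

def audit() -> Tuple[float, ...]:
    """Application 2: R for the goal, given the known A values of each attack on asset."""
    return goal_risk(S_BRAKE, C_BRAKE, attack_probability(BRAKE_GOAL))
```

Running `audit()` gives the risk vector for the goal under the assumed protections; `max_accepted_probability(S_BRAKE, C_BRAKE, R_max)` turns an accepted risk into the probability budget that the protections on the assets must then meet.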
CYBERSECURITY MILESTONES IN THE V CYCLE
Left branch (development), with security add-ons (*):
- Concepts of operation: attack goals (*)
- Requirements and architecture: risk analysis and security requirements (*)
- Detailed design: security mechanism selection (*)
- Implementation: security mechanism implementation (*)
Right branch (verification and validation), with security add-ons (*):
- Integration, tests and verification: pentesting, certification (*)
- System verification and validation: risk analysis and audit (*)
- Operation and maintenance: new risk monitoring and countermeasures (*)
ELA attack goals
- Car stealing
- Personal data theft (credentials included)
- Sensor information access (position, camera, temperature, ...)
- Navigation/infotainment malfunction
- Preconditioning/personalization activation/deactivation/malfunction
- Vehicle immobilization
- Braking inhibition, untimely braking or steering movement
ELA, Secure architecture, defense perimeters
(Figure: three defense perimeters)
- External sources: Internet radio source, Internet web sites, OEM & partner clouds, radio, GPS
- Perimeter 1, Vehicle Communication Unit: Internet network access (3/4G, Wi-Fi, G5)
- Perimeter 2, Ethernet IP switch/router: Infotainment Control Unit, dashboard, other displays, Vehicle Control Unit, Image Processing Unit
- Perimeter 3, CAN: ECUs for body & multimedia, powertrain & chassis
SECURE ARCHITECTURE: VIRTUALISATION
Communication Unit (antenna module):
- Interfaces: cellular, GNSS, G5, BT, radio broadcasting
- Hypervisor partitions: IP connectivity gateway; safety related service gateways (ecall, G5, GPS, ...); non safety related service gateways (phone, radio, http, ...)
- IP communication towards the vehicle network (Ethernet, USB)
- Virtualization & partitioning, IDS & IPS, secure boot
Infotainment Control Unit:
- Hypervisor partitions: Autosar, GENIVI, Android
- IP communication; CAN, Ethernet
- Virtualization & partitioning, secure boot
TECHNOLOGICAL COMPONENTS / FUNCTIONALITIES
Execution environment and security:
- Secure boot and signed dynamic modules
- Application security: authentication and access rights (vehicle access included)
- Application separation: OS applications, virtualization
Communication and security:
- Protocols & authentication/signature/encryption (authenticity, non repudiation, confidentiality, anonymization)
- CAN (*), Ethernet, Wi-Fi, 3/4/5G, G5, Bluetooth, USB
- But also application level: http, CoAP, SOME/IP, web services
Hardware Security Modules (HSM):
- Cryptographic hardware acceleration, secure storage, secure execution zones
(*) project proposed patent
eco-fev: efficient Cooperative infrastructure for Fully Electric Vehicles
Witold KLAUDEL, Renault
This project is co-funded by the European Union
Identity and right management, extended car & enterprise, eco-fev/FP7 project
- eco-fev: efficient Cooperative infrastructure for Fully Electric Vehicles (Sept 2012 - June 2015, 4.3 M)
- Set of mobility services based on machine learning
- Partners: Hitachi Europe (coordinator), CEA, Centro Ricerche FIAT, Conseil Général de l'Isère, EICT, ENERGRID, Facit Research, Politecnico di Torino, RENAULT (use cases, architecture, system spec), TECNOSITAF and TU Berlin
(Figure: stakeholders around the services)
- FEV, drivers & travelers
- Public transport operators, road infra operators, car rental operators, charging & parking facility operators, urban delivery operators
- Weather info & map providers, banks
- Services: trip planning, assistance & monitoring; data collection & mining; monitoring & optimization
Design orientation
eco-fev IT solutions as a support for business model flexibility:
- Identity management (users, cars): OpenID & OAuth, unique subscription; service delivery and identity management separation, federative approach (OpenID)
- Integration & applications: Internet of things style, web services, eco-fev ontology, HMI & raw service separation
- Backend functions: route planning & navigation, data collection & aggregation
- Reference implementation
(Figure: operators connected through the platform: banking, road infrastructure operator, parking & charging facility operator, energy provider)
STILL NEEDS TO BE WORKED ON
Normative approaches, risk management, validation / certification:
- ISO, SAE (J3061) => ISO, ETSI (TVRA)
Identity and right management life cycle (production, sale, after sale, second hand market, destruction):
- Cars, parts
- Drivers & passengers
- Car makers, parts manufacturers, road infrastructure (car2x), service providers
- Federative approach introduction
Architecture:
- Hardware acceleration on SOCs & Linux, Autosar integration
- Communication protocols, network management
- Defense in depth
- Embedded IDS / IPS (use of hardware acceleration)