Integrated Assessment of AutomotiveSPICE 3.0, Functional Safety ISO 26262, Cybersecurity SAE J3061 (EuroSPI 2017; 2017-09-14)

Transcript of the slides:

  • EuroSPI 2017 6.-8.9.17 1

    Integrated Assessment of AutomotiveSPICE 3.0,

    Functional Safety ISO 26262, Cybersecurity SAE J3061

    Christian Kreiner, Institute of Technical Informatics, TUGraz

    Richard Messnarz, ISCN GesmbH

    The “AQU” project is financially supported by the European Commission in the Erasmus+ Programme under the project number 2015-1-CZ01-KA203-013986 – P1 TUG. This website and the project’s publications reflect the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

  • EuroSPI 2017 6.-8.9.17 2

    Institute of Technical Informatics, Industrial Informatics Workgroup

    Workgroup hot topics:

    • Functional safety and embedded systems security
      • ISO 26262, IEC 61508, J3061
      • ECQA Certified Training Provider for Functional Safety
      • ECQA Certified Training Provider for AQUA

    • Development methods
      • Product Line Engineering
      • Standard Quality models (AutomotiveSPICE)
      • Agile Systems Engineering

    • Model-based system development
      • Domain specific languages
      • models@runtime

    • (Embedded) software architecture
      • Component and middleware architectures

    Contact: [email protected]

  • EuroSPI 2017 6.-8.9.17 3

    • Accredited iNTACS™ training provider for ISO/IEC 15504 and Automotive SPICE®

    • VDA-QMC certified training provider
    • ECQA Certified Training Provider for Functional Safety
    • Moderator of SoQrates group: more than 20 leading German and Austrian companies share knowledge concerning process improvement, safety, security. http://soqrates.de

    Contact: Dr Richard Messnarz, [email protected]

  • EuroSPI 2017 6.-8.9.17 4

    Contents

    Example integration of ASPICE, Functional Safety and Cybersecurity (ASQ – SQP Volumes)

    Extended and integrated review and assessment approach (SOQRATES Working Group)

    Future of Static and Dynamic Cybersecurity System Architectures and Function Groups in Cars


  • EuroSPI 2017 6.-8.9.17 5

    Running example: Electronic Power Steering (EPS)

  • EuroSPI 2017 6.-8.9.17 6

    Integrated Teams

    • Assembler Manufacturer
    • SW Safety & Security Designer
    • Mechatronic Designer
    • Technical Project Leader
    • HW Safety & Security Designer
    • System Safety & Security Engineer

  • EuroSPI 2017 6.-8.9.17 7

    AUTOMOTIVE SPICE 3.0

  • EuroSPI 2017 6.-8.9.17 8

    Automotive SPICE 3.0 terminology: "Element", "Component", "Unit", and "Item"

    The relationships between element, component, software unit, and item, which are used consistently in the system and software engineering processes.

  • EuroSPI 2017 6.-8.9.17 9

    Automotive SPICE key concept: Traceability of System Design and Domain Plug-Ins

    • System Architectural Design describes system functions and their decomposition into hardware, software, mechanical components and functions

  • EuroSPI 2017 6.-8.9.17 10

    Automotive SPICE key concept: Traceability and Consistency between the life cycle phases

  • EuroSPI 2017 6.-8.9.17 11

    STEERING

  • EuroSPI 2017 6.-8.9.17 12

    Figure: Typical Scope of Supplier, Classic EPS scope (figure labels: ASIL-D, ASIL-D, ASIL-D)

  • EuroSPI 2017 6.-8.9.17 13

    Risk Classification

  • EuroSPI 2017 6.-8.9.17 14

    Risk Classification

  • EuroSPI 2017 6.-8.9.17 15

    Risk Classification

  • EuroSPI 2017 6.-8.9.17 16

    Building a Requirements Traceability as Part of the Safety Case

    Customer Requirements
    e.g. Steering angle assured by ASIL-D
    e.g. Mechanical and software based steering endstop

    Hazard Analysis: Identification and classification of safety risks and hazards.
    e.g. Safety Goal: no uncontrolled actuation of steering system
    Risk: uncontrolled actuation can happen with wrong sensor input or steering command

    FMEA / FMEDA: Analysis of hazards and safety risks and measures by FMEA and FMEDA
    e.g. Measure: redundant and diverse rotor position sensors, comparing internal steering angle with external (ADAS command) steering angle.

    System Requirements Specification
    System Requirements
    e.g. Steering angle is measured internally and reported on the bus.

    Safety Requirements
    e.g. we need to trust the steering angle at ASIL D, 2 redundant diverse rotor positions, plausi check, safe state in case of deviation. Safe state is assured by a 6 or 12 phase motor with a limp home mode (in ADAS mode with no driver interference).

    Requirements, safety requirements, and traceability

  • EuroSPI 2017 6.-8.9.17 17

    Decomposition (ISO 26262)

    Independent confirmation measures [ISO 26262-2, 6.4.7 Tab 1]:
    • Confirmation reviews
    • F. Safety audit
    • F. Safety assessment

    Independence of elements after decomposition:
    • No dependent failures, or
    • Dependent failures have safety mechanism

  • EuroSPI 2017 6.-8.9.17 18

    Functional Signal Flow

    Figure: functional flow of the steering function after decomposition. Labels in the figure: ASIL-D, ASIL-B, ASIL-D, ASIL-B; Rotor Position 1, Rotor Position 2; ASIC (ASIL-D); Sin, Cos, Index Pos 1; Sin, Cos, Index Pos 2.

  • EuroSPI 2017 6.-8.9.17 19

    INTEGRATION OF AUTOMOTIVE SPICE, FUNCTIONAL SAFETY, CYBERSECURITY

  • EuroSPI 2017 6.-8.9.17 20

    Functional Signal Flow: functional flow for ADAS scenarios needs „external“ steering commands with ASIL-D

    Figure: the functional signal flow of the previous slide (labels: ASIL-D, ASIL-B, ASIL-D, ASIL-B; Rotor Position 1, Rotor Position 2; ASIC, ASIL-D; Sin, Cos, Index Pos 1; Sin, Cos, Index Pos 2) extended by a Steering Command coming from the Network around the car (ASIL-D).

  • EuroSPI 2017 6.-8.9.17 21

    IT Secure vehicle: Understanding interference from IT Security

    • Prio 1: Analyse IT Threats which can lead to the hazardous failure

    • Prio 2: Analyse additional IT Security Threats

  • EuroSPI 2017 6.-8.9.17 22

    Dependable vehicle: Understanding interference from Cybersecurity

    Attack Type* / Impact / How

    Spoofing Commands
      Impact: Messages on CAN are used to simulate car is stopping.
      How: Checksum algorithm and message structure hacked. Sending a wrong steering command with the correct encryption and identification.

    Denial of service
      Impact: Messages on CAN are used to simulate car is never stopping.
      How: Overloading the bus with speed < 3 km/h so that the steering lock is activated.

    Tampering
      Impact: Changing configuration data in a memory (setting speed limit for activating steering lock)
      How: Changing parking mode from < 10 km/h to < 200 km/h so that parking mode steering is used at high speed (resulting in a too big steering angle)

    *Following STRIDE security analysis method

  • EuroSPI 2017 6.-8.9.17 23

    Dependable vehicle: Understanding interference from Cybersecurity

    Attack Type* / Impact / How

    Identity Spoofing
      Impact: Spoofing identity of garage; spoofing identity of message
      How: Presumption of above scenarios.

    Information Disclosure
      Impact: Memory dump and copying of data, gaining knowledge about encryption keys, checksum algorithms.
      How: Presumption of above scenarios.

    Elevation of privilege
      Impact: Access to the gateway and access to the privileged bus in the car
      How: Presumption of above scenarios.

    *Following STRIDE security analysis method
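    The STRIDE rows on slides 22 and 23 name the message-level attacks on the steering command (altered checksum and message structure, replayed frames with correct identification, bus overloading). The following ingress check is an added example written for this transcript, not code from the presentation or from any OEM: a gateway or receiving ECU validates a steering-command CAN frame against an expected identifier, length, checksum, freshness counter and rate budget. The CAN identifier, the frame layout, the CRC polynomial and the rate budget are assumptions chosen for the illustration.

```c
/* Added example (not part of the presentation): ingress validation of a
 * steering-command CAN frame at the gateway / receiving ECU. The CAN ID,
 * the frame layout, the CRC polynomial and the rate budget are assumptions
 * made for this illustration, not values from the slides or from any OEM. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define STEER_CMD_ID        0x0A2u  /* assumed CAN identifier of the steering command */
#define STEER_CMD_DLC       6u      /* assumed layout: angle(2) counter(1) speed(2) crc(1) */
#define RATE_WINDOW_MS      100u    /* assumed rate budget: at most 20 commands per 100 ms */
#define MAX_CMDS_PER_WINDOW 20u

typedef struct { uint32_t id; uint8_t dlc; uint8_t data[8]; } can_frame_t;

typedef enum {
    CMD_OK = 0,
    CMD_BAD_ID,     /* frame is not a steering command (or forged on the wrong ID) */
    CMD_BAD_DLC,    /* message structure does not match the expected layout */
    CMD_BAD_CRC,    /* payload altered: the checksum no longer matches */
    CMD_REPLAY,     /* freshness counter repeated or out of sequence: recorded/injected frame */
    CMD_FLOOD       /* more commands than the rate budget allows: bus flooding */
} cmd_result_t;

typedef struct {
    bool     have_counter;
    uint8_t  last_counter;      /* last accepted freshness counter */
    uint32_t window_start_ms;
    uint32_t frames_in_window;
} cmd_monitor_t;

/* CRC-8 with polynomial 0x1D, init 0xFF, xorout 0xFF (the SAE J1850 variant).
 * A CRC detects accidental corruption and naive alteration; it is not a
 * cryptographic MAC, so the "encryption and identification" layer the slides
 * mention has to sit on top of this check. */
static uint8_t crc8_j1850(const uint8_t *d, size_t n)
{
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80u) ? (uint8_t)((crc << 1) ^ 0x1Du) : (uint8_t)(crc << 1);
    }
    return (uint8_t)(crc ^ 0xFF);
}

cmd_result_t validate_steer_cmd(cmd_monitor_t *m, const can_frame_t *f, uint32_t now_ms)
{
    if (f->id != STEER_CMD_ID) return CMD_BAD_ID;
    if (f->dlc != STEER_CMD_DLC) return CMD_BAD_DLC;

    /* Rate limiting runs before the content checks, so a flood of
       well-formed frames is rejected as well as a flood of garbage */
    if (now_ms - m->window_start_ms >= RATE_WINDOW_MS) {
        m->window_start_ms = now_ms;
        m->frames_in_window = 0;
    }
    if (++m->frames_in_window > MAX_CMDS_PER_WINDOW) return CMD_FLOOD;

    if (crc8_j1850(f->data, STEER_CMD_DLC - 1) != f->data[STEER_CMD_DLC - 1]) return CMD_BAD_CRC;

    /* Freshness: the counter must advance by exactly one (mod 256);
       a repeated or jumped counter is not accepted and does not update state */
    uint8_t counter = f->data[2];
    if (m->have_counter && (uint8_t)(counter - m->last_counter) != 1u) return CMD_REPLAY;
    m->last_counter = counter;
    m->have_counter = true;
    return CMD_OK;
}

/* Build a well-formed frame (constructed sample input for the demonstration) */
can_frame_t make_steer_cmd(int16_t angle_deg10, uint8_t counter, uint16_t speed_kmh10)
{
    can_frame_t f = { STEER_CMD_ID, STEER_CMD_DLC, {0} };
    f.data[0] = (uint8_t)((uint16_t)angle_deg10 >> 8);
    f.data[1] = (uint8_t)angle_deg10;
    f.data[2] = counter;
    f.data[3] = (uint8_t)(speed_kmh10 >> 8);
    f.data[4] = (uint8_t)speed_kmh10;
    f.data[5] = crc8_j1850(f.data, 5);
    return f;
}

int main(void)
{
    cmd_monitor_t mon = {0};
    can_frame_t genuine = make_steer_cmd(150, 1, 500);
    can_frame_t altered = genuine; altered.data[0] ^= 0x40;   /* angle changed, checksum not recomputed */
    can_frame_t replayed = genuine;                           /* recorded frame sent again */
    printf("genuine:  %d\n", validate_steer_cmd(&mon, &genuine, 1000));   /* 0 = CMD_OK */
    printf("altered:  %d\n", validate_steer_cmd(&mon, &altered, 1010));   /* 3 = CMD_BAD_CRC */
    printf("replayed: %d\n", validate_steer_cmd(&mon, &replayed, 1020));  /* 4 = CMD_REPLAY */
    return 0;
}
```

    The order of the checks is deliberate: identifier and length are the cheapest filters, the rate budget protects the CPU from the flooding row before any per-frame computation, and the counter state only advances for frames that passed every check, so a rejected frame cannot desynchronise the receiver.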

  • EuroSPI 2017 6.-8.9.17 24

    Dependable vehicle: Understanding interference from Cybersecurity

    Figure: intrusion structure through the Automotive Defense Layers 1 to 3 (ASIL-D function):
    • Maintenance tools, listening tools: Information Disclosure, Elevation of Privileges
    • Vehicle Bus and Gateway: Spoofing Identity
    • Vehicle Steering Related ECUs: Spoofing of Commands, Tampering
    • Vehicle Function Steering Lock: Denial of service, Spoofing of Commands leading to locking

    Compared to function chains in Safety, we have to analyse a completely different - „intrusion“ - structure

  • EuroSPI 2017 6.-8.9.17 25

    Dependable vehicle: Understanding interference from Cybersecurity

  • EuroSPI 2017 6.-8.9.17 26

    Traceability

    Threat Specification per Safety Goal

    Safety – Security traceability

  • EuroSPI 2017 6.-8.9.17 27

    Automotive Defense Layers

    SPOOFING OF COMMANDS LEADING TO UNINTENDED STEERING

  • EuroSPI 2017 6.-8.9.17 28

    Dynamic Flow through Layers

    Figure: Automotive Defense Layers 1 to 4 along the chain OBD (On Board Diagnosis) -> GW (Gateway) -> DDC (Dynamic Drive Control) -> Electronic Steering ECU and Sensors -> Motor and Steering Rack, with Defence Mechanisms Layer 1 to Layer 4.

    Flow Case 1: vehicle infrastructure
    Flow Case 2: service garage

    Flows are highlighted by variables that can be monitored

    Indicator: steering command
    Indicators to be monitored: Combining steering command e.g. with speed (active steering), requested torque, etc.
    Indicator: Comparing steering angle with internally measured angle by rotor position sensors
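    The safety requirement on slide 16 (two redundant, diverse rotor positions, plausibility check, safe state in case of deviation) and the indicators on this slide (steering command combined with speed, command compared with the internally measured angle) describe one monitor in the steering ECU. The following is an added example of that monitor, written for this transcript and not taken from the presentation; all thresholds, the debounce depth and the names are assumptions chosen for illustration.

```c
/* Added example (not part of the presentation): a plausibility monitor in the
 * steering ECU that combines the indicators listed on the slide. Thresholds,
 * names and the debounce depth are assumptions chosen for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define PARK_MODE_MAX_SPEED_KMH   10.0f  /* parking-mode steering only below this speed (slide: "< 10 km/h") */
#define PARK_MODE_MAX_ANGLE_DEG  540.0f  /* assumed: full-lock angles only while parking */
#define DRIVE_MODE_MAX_ANGLE_DEG  90.0f  /* assumed: angle limit once the car is moving */
#define SENSOR_TOLERANCE_DEG       2.0f  /* assumed: agreement required between the two rotor sensors */
#define CMD_TOLERANCE_DEG         15.0f  /* assumed: tracking tolerance command vs measured angle */
#define CMD_DEVIATION_CYCLES       5     /* assumed: persistence before a deviation counts as a fault */

typedef enum {
    STEER_OK = 0,
    STEER_CMD_REJECTED,      /* command implausible for the speed; held at measured angle */
    STEER_SENSOR_MISMATCH,   /* the two diverse sensors disagree: safe state */
    STEER_CMD_DEVIATION,     /* command and measured angle diverge persistently: safe state */
    STEER_SAFE_STATE         /* latched; limp home until a reset */
} steer_verdict_t;

typedef struct {
    int  deviation_cycles;
    bool safe_state;
} steer_monitor_t;

static float absf(float x) { return x < 0 ? -x : x; }

/* One control cycle. rotor1/rotor2 are the angles derived from the two diverse
 * rotor position sensors, cmd is the externally received steering command,
 * *actuated_deg receives the angle that may actually be applied. */
steer_verdict_t check_steering(steer_monitor_t *m, float rotor1_deg, float rotor2_deg,
                               float cmd_deg, float speed_kmh, float *actuated_deg)
{
    if (m->safe_state) { *actuated_deg = 0.0f; return STEER_SAFE_STATE; }   /* limp home: no assist */

    /* Redundant, diverse sensors must agree; otherwise the measured angle cannot be trusted */
    if (absf(rotor1_deg - rotor2_deg) > SENSOR_TOLERANCE_DEG) {
        m->safe_state = true; *actuated_deg = 0.0f; return STEER_SENSOR_MISMATCH;
    }
    float measured = (rotor1_deg + rotor2_deg) / 2.0f;

    /* Combine command with speed: a parking-size angle at driving speed is
       rejected. The monitor uses its own fixed limit rather than the
       configurable parking threshold, so a tampered configuration value
       alone does not unlock parking-mode steering at speed. */
    float limit = (speed_kmh < PARK_MODE_MAX_SPEED_KMH) ? PARK_MODE_MAX_ANGLE_DEG
                                                        : DRIVE_MODE_MAX_ANGLE_DEG;
    if (absf(cmd_deg) > limit) { *actuated_deg = measured; return STEER_CMD_REJECTED; }

    /* Command vs internally measured angle: transient lag is tolerated for a
       few cycles, persistent deviation leads to the safe state */
    if (absf(cmd_deg - measured) > CMD_TOLERANCE_DEG) {
        if (++m->deviation_cycles >= CMD_DEVIATION_CYCLES) {
            m->safe_state = true; *actuated_deg = 0.0f; return STEER_CMD_DEVIATION;
        }
    } else {
        m->deviation_cycles = 0;
    }
    *actuated_deg = cmd_deg;
    return STEER_OK;
}

int main(void)
{
    steer_monitor_t mon = {0, false};
    float out;
    /* constructed inputs: sensors 10.0/10.5 deg, command 12 deg at 50 km/h -> OK */
    printf("drive: %d (%.2f deg)\n", check_steering(&mon, 10.0f, 10.5f, 12.0f, 50.0f, &out), out);
    /* the tampering row: parking-mode angle requested at 120 km/h -> rejected */
    printf("tamper: %d (%.2f deg)\n", check_steering(&mon, 10.0f, 10.5f, 300.0f, 120.0f, &out), out);
    return 0;
}
```

    The two sensor readings are the decomposed ASIL-B elements of the signal-flow slides; the comparison is what lets the ECU trust the resulting angle at ASIL D, and the latched safe state corresponds to the limp-home mode named in the safety requirement.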

  • EuroSPI 2017 6.-8.9.17 29

    Defence Layer Model: Modelling New Car Architectures and App-Communication

    Figure: two function groups connected by Secure Ethernet, each running on an X (e.g. 10)-Core HW with a Realtime VM and a Safe Operating System:
    • FUNCTION GROUP STEERING: Steering APP, Steering Lock APP, PLA APP, …
    • FUNCTION GROUP POWERTRAIN: Gearbox APP, Motor Control APP, …

  • EuroSPI 2017 6.-8.9.17 30

    Customer SSL Apps: Modelling New Car Architectures and App-Communication

    Figure: the same two function groups (X (e.g. 10)-Core HW, Realtime VM, Safe Operating System, Secure Ethernet):
    • FUNCTION GROUP STEERING: Supplier APP, Customer SSL, …
    • FUNCTION GROUP POWERTRAIN: Gearbox APP, Motor Control APP, …
    Encryption by e.g. Autosar; Encryption by Customer.

    Function Flow with Autosar Encryption plus Internal Customer SSL Encryption on Application Layer (all signals along this critical path are encrypted)

  • EuroSPI 2017 6.-8.9.17 31

    SDN Driven System: The System is not just the car any more! What is the system scope?

    Figure: CAR 1 … CAR i, each an X (e.g. 10)-Core HW with Realtime VM and Safe Operating System hosting Nodes with Service A[i], Service B[i], Service C[i], …; the services A[n], B[n], C[n] are spread across the cars.

    SDN (Software Defined Network) is a method for a network set-up where the dependency on the hardware architecture is substituted by a software controlled network where controllers offer services in the network.

  • EuroSPI 2017 6.-8.9.17 32

    ASPICE 3.0 Integration: Integrating Into Base Practices – Extended Assessment Questions

    (ASPICE) SYS.2.BP3 Analyze the impact on the operating environment. Determine the interfaces between the system requirements and other components of the operating environment, and the impact that the requirements will have. [Outcome 3]

    ISO 26262-4, 6.4.1 Specification of the technical safety requirements
    ISO 26262-4, 6.4.1.1 The technical safety requirements shall be specified in accordance with the functional safety concept, the preliminary architectural assumptions of the item and the following system properties:
    a) the external interfaces, such as communication and user interfaces, if applicable;
    b) the constraints, e.g. environmental conditions or functional constraints; and
    c) the system configuration requirements.
    NOTE: The ability to reconfigure a system for alternative applications is a strategy to reuse existing systems.
    NOTE: See questions for ISO 26262-4, 6.4.1 and ENG.2 BP1.

    (Security) SAE J3061, 8.3.1 Feature Definition
    The feature definition defines the system being developed to which the Cybersecurity process will be applied. The feature definition identifies the physical boundaries, Cybersecurity perimeter, and trust boundaries of the feature, including the network perimeter of the feature. …

  • EuroSPI 2017 6.-8.9.17 33

    SAFETY FUNCTIONS AND CONNECTED VEHICLES

  • EuroSPI 2017 6.-8.9.17 34

    The world is bigger: ADAS (connected) environments

    Cloud based infrastructure for driving support: Mobile internet technologies, Infrastructure base stations, Radio-navigation satellite systems, Driving events databases (OEM, authorities), Driving data analysis, Cloud driving services

    Vehicles report driving events into the cloud: e.g. position, speed, steering angle, obstacles detected, ...

    Vehicles get driving situation, recommendations, commands from the cloud, e.g. steering related:
    * instantaneous steering angle of neighbor cars
    * typical steering angle for road position
    * obstacles detected, ...

    Critical signal path scenario

    1. Vehicle local sensors (correctness?)
    2. Signals sent to service infrastructure (correctly related to position etc.?)
    3. Cloud storage (corruption?)
    4. Merge with other cars' signals (data poisoning?) in the current vicinity (correct location?) and those ever operated near the current position (depending on the algorithm for driving data analysis, and its correctness).
    5. Up-to-date steering angle recommendation & road conditions for the current position sent to all the cars (availability, low latency, correctness, scalability?).
    6. Steering angle is applied to the cars’ steering (correct in the current context?).
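    Step 4 of the critical signal path asks about data poisoning and correct location when the signals of other cars are merged, and step 5 about availability of the result. The following merge routine is an added example written for this transcript, not code from the presentation or from any cloud service: it filters the received reports for freshness, location and physical plausibility, counts each car once, and takes a median instead of a mean so that a single poisoned report cannot drag the recommendation. The report layout, radius, age limit and quorum are assumptions chosen for the illustration.

```c
/* Added example (not part of the presentation): a defensive merge of the
 * driving reports received from other cars before a steering-angle
 * recommendation is derived from them. Radius, age limit, quorum and the
 * report layout are assumptions chosen for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VICINITY_RADIUS_M   50.0   /* assumed: only reports from within 50 m count as "current vicinity" */
#define MAX_REPORT_AGE_MS   2000u  /* assumed: older reports are stale */
#define MAX_PLAUSIBLE_DEG   540.0f /* assumed: beyond full lock, no real car reported this */
#define MIN_QUORUM          3      /* assumed: fewer usable reports than this -> no recommendation */
#define MAX_REPORTS         64

typedef struct {
    uint32_t car_id;
    double   x_m, y_m;      /* reported position */
    float    steer_deg;     /* reported steering angle */
    uint32_t t_ms;          /* report timestamp */
} drive_report_t;

static bool in_vicinity(const drive_report_t *r, double x, double y)
{
    double dx = r->x_m - x, dy = r->y_m - y;
    return dx * dx + dy * dy <= VICINITY_RADIUS_M * VICINITY_RADIUS_M;
}

/* Derive a recommendation from the reports of neighbouring cars.
 * Returns false when no trustworthy recommendation can be given, in which
 * case the caller has to fall back to local sensors (the "local take-over"
 * the ASI slide asks for). */
bool recommend_steer_angle(const drive_report_t *reports, size_t n,
                           double x, double y, uint32_t now_ms, float *out_deg)
{
    float    votes[MAX_REPORTS];
    uint32_t voters[MAX_REPORTS];
    uint32_t vote_time[MAX_REPORTS];
    size_t   nv = 0;

    for (size_t i = 0; i < n; i++) {
        const drive_report_t *r = &reports[i];
        /* 1. freshness (reports from the future are as suspicious as stale ones),
           2. location, 3. physical plausibility */
        if (r->t_ms > now_ms || now_ms - r->t_ms > MAX_REPORT_AGE_MS) continue;
        if (!in_vicinity(r, x, y)) continue;
        if (r->steer_deg > MAX_PLAUSIBLE_DEG || r->steer_deg < -MAX_PLAUSIBLE_DEG) continue;

        /* 4. one vote per car: re-sending reports must not gain weight;
              the most recent report of a car replaces its earlier one */
        size_t k;
        for (k = 0; k < nv; k++) if (voters[k] == r->car_id) break;
        if (k < nv) {
            if (r->t_ms > vote_time[k]) { votes[k] = r->steer_deg; vote_time[k] = r->t_ms; }
            continue;
        }
        if (nv == MAX_REPORTS) break;
        voters[nv] = r->car_id; votes[nv] = r->steer_deg; vote_time[nv] = r->t_ms; nv++;
    }
    if (nv < MIN_QUORUM) return false;

    /* 5. lower median instead of mean: one extreme (poisoned) value cannot
          drag the recommendation the way it would drag an average */
    for (size_t i = 1; i < nv; i++) {           /* insertion sort, nv is small */
        float v = votes[i]; size_t j = i;
        while (j > 0 && votes[j - 1] > v) { votes[j] = votes[j - 1]; j--; }
        votes[j] = v;
    }
    *out_deg = votes[(nv - 1) / 2];
    return true;
}

int main(void)
{
    /* constructed sample reports: {car_id, x, y, steer_deg, t_ms} */
    drive_report_t reps[] = {
        {1,   0.0, 0.0,  10.0f,  9900},
        {2,   5.0, 5.0,  11.0f,  9950},
        {3,  -5.0, 3.0,  12.0f,  9800},
        {4,   2.0, 2.0, 400.0f,  9900},   /* poisoned, but physically possible */
        {4,   2.0, 2.0, 400.0f,  9960},   /* same car again: counts once */
        {5, 500.0, 0.0,   9.0f,  9950},   /* too far away */
        {6,   1.0, 1.0,  10.5f,  5000},   /* stale */
        {7,   1.0, 1.0, 900.0f,  9950},   /* physically impossible */
        {8,   1.0, 1.0,  11.0f, 12000},   /* from the future */
    };
    float a;
    if (recommend_steer_angle(reps, sizeof reps / sizeof reps[0], 0.0, 0.0, 10000, &a))
        printf("recommendation: %.1f deg\n", a);   /* 11.0 */
    else
        printf("no recommendation, local take-over\n");
    return 0;
}
```

    The median only holds as long as fewer than half of the accepted votes are poisoned; a set of reports that is mostly forged defeats it, which is why the slide's question about the correctness of the analysis algorithm, and the later ASI outcome of validating the data set to an ASIL, cannot be answered by the merge routine alone.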

  • EuroSPI 2017 6.-8.9.17 35

    Proposed ASPICE extension for Automotive Service Infrastructure (ASI processes)

    Expected typical properties
    • “ASIL-D” QoS (Quality of Service) service monitoring for correct operation, availability, scalability and low latency.
    • Preparedness for interruption of connectivity - local take-over (challenging for e.g. platooning)
    • Cybersecurity of service infrastructure (e.g. wrong data injected, services spoofed, stored data and algorithms tampered with, messages altered)
    • Etc.

  • EuroSPI 2017 6.-8.9.17 36

    Extension of ASPICE for Automotive Service Infrastructure ASI processes

    By example: ASI.2 Requirements Analysis Base practice BP4

    ASI.2.BP4: Analyze the interfaces between the vehicle and the service infrastructure.
    • Analogous and linked to “SYS.2.BP4: Analyze the impact on the operating environment”
    • Identify the interfaces between the vehicle and the service infrastructure.
    • Analyze the impact that the service infrastructure interfaces will have on the vehicle operating environment.
    • OUTCOMES: Quality of Service (Availability), Defined reaction in case of no availability, criticality of information, safety classification (if provided as QM or validated among a set of data to be provided with an ASIL), encryption and identification mechanisms to be implemented.

    Extended Cybersecurity (SAE J3061:2016) Assessment Questions:
    • Related to SAE J3061:2016, clause 8.3.1 Feature Definition – identifies
      • physical boundaries,
      • Cybersecurity perimeter, and
      • trust boundaries of the feature, including the network perimeter of the feature.
    • The feature definition defines the scope and interfaces of the feature.

    Christian Kreiner, TUGraz; Richard Messnarz, ISCN

  • EuroSPI 2017 6.-8.9.17 37

    RELATED SKILLS PROJECTS

    AQUA ECOSYSTEM

  • EuroSPI 2017 6.-8.9.17 38

    AQUA - Knowledge Alliance for Training Quality and Excellence in Automotive

    http://automotive-knowledge-alliance.eu

    EU Sector Skills Alliance for Automotive. Aims:

    • A unique, sustainable strategic alliance for
      • modern certified VET Curricula for the automotive sector
      • Industry aligned
      • Capable of Europe-wide implementation

    • Certified VET training course:
      • Integrated Quality, Functional Safety, and Six Sigma in Automotive

    • Certification by European Certification and Qualification Association (http://ecqa.org)

    • Incorporated into
      • Automotive Clusters Qualification programmes
      • University Education (TUGraz, Grenoble INP)

    This project has been funded with support from the European Commission under agreement EAC-2012-0635. This publication/communication reflects the views only of the author, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

  • EuroSPI 2017 6.-8.9.17 39

    AQUA Skills Set „Automotive Quality Manager with AQUA Skills”

    Unit ID  Unit Name                      Element ID  Element Name
    AQUA.U1  Introduction                   AQUA.U1.E1  Integration view and general part
                                            AQUA.U1.E2  Organisational readiness
    AQUA.U2  Product Development            AQUA.U2.E1  Lifecycle
                                            AQUA.U2.E2  Requirements
                                            AQUA.U2.E3  Design
                                            AQUA.U2.E4  Integration and Testing
    AQUA.U3  Quality and Safety management  AQUA.U3.E1  Capability
                                            AQUA.U3.E2  Hazard & Risk management
                                            AQUA.U3.E3  Assessment and audit
    AQUA.U4  Measure                        AQUA.U4.E1  Measurements
                                            AQUA.U4.E2  Reliability

    Each element contains four views:
    • integrated perspective
    • Automotive SPICE perspective
    • Functional Safety perspective
    • Six Sigma perspective

  • EuroSPI 2017 6.-8.9.17 40

    SafEUr - ECQA Certified Functional Safety Manager http://safeur.eu

    • Industry training and TUGraz course:
      • Functional Safety Introduction, Management, Engineering, Production, Legal, Qualification topics
      • Modular: 15 course elements
      • Face-to-face and online delivery
      • Heavily based on Industry Best Practice
      • ISO 26262, IEC 61508

    • Skills set aligned with Industry
    • Europe-wide certification by European Certification and Qualification Association (http://ecqa.org)
    • Contact: [email protected]

  • EuroSPI 2017 6.-8.9.17 41

    Automotive Quality Universities (AQU): AQUA alliance extension to higher education

    Partners
    • VŠB - Technical University of Ostrava, CZ
    • Graz University of Technology, AT
    • UAS Joanneum, Graz, AT
    • University of Maribor EE + CS, SLO
    • ISCN IE/AT
    • EMIRAcle (European Innovation in Manufacturing Association), BE/FR
    • Grenoble INP (EMIRAcle)
    • Hochschule Düsseldorf (EMIRAcle)
    • ECQA Online Campus for Industry

    The “AQU” project is financially supported by the European Commission in the Erasmus+ Programme under the project number 2015-1-CZ01-KA203-013986 – P1 TUG. This website and the project’s publications reflect the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

  • EuroSPI 2017 6.-8.9.17 42

    AQUA/AQU @ TU Graz
    • Regular students' course from 2014
    • AQUA university course for industry (TU Graz Life-long-learning programme & ECQA)
    • 1st ECVET-ECTS bridge between university and industry education
    • Coordinator of AQUA project - EU funded Sector Skills Alliance 2013-15
    • Automotive Quality Universities EU project (partner)

  • EuroSPI 2017 6.-8.9.17 43

    The AQUA ecosystem – current state

    Figure: the AQUA ecosystem
    • ECQA Functional Safety Manager / Engineer
    • Yellow Belt, Orange Belt, Green Belt, Black Belt
    • intacs Automotive SPICE®
    • „AQUA for ROC“ (EQF Level 4-5)
    • AQUA extension: Integrated Cybersecurity
    • AQUA extension: automotive & medical & automation
    • Planned: AQUA MOOCs?
    • SPI manager/facilitator: Integrated, interdisciplinary Innovation and improvement
    • ECQA Integrated Design Engineer, More …
    • AQU - AQUA Quality Universities (EQF Level 6-8)