March 28, 2014, SD IEEE Cyber Workshop

Approach for Vehicle Cyber Security with Functional Safety Concept
Hiro Onishi, Alpine Electronics Research of America, Inc., honishi@alpine-la.com
© 2013 Alpine Electronics, Inc. Not for commercial distribution.
INDEX
1. Background: Cyber Risks for Cyber-Physical Systems
2. Background: Cyber Risks for Vehicles
3. Difficulties in Maintaining Vehicle Cyber Security
4. Functional Safety for Vehicle Cyber Security
   +. Overview of Functional Safety (= ISO-26262)
   +. Applying Functional Safety (concept) – Vehicle level
   +. Applying Functional Safety (concept) – Component level
5. Summary
6. Next steps
1. Cyber Risks for Cyber-Physical Systems – Case 1
Davis-Besse Nuclear Plant, Ohio (Jan. 25, '03)
16:00: Network slowdown noticed
16:50: Safety Parameter Display System (SPDS) crashed
17:13: Plant process computer crashed (an analog backup was available)
Reference: Edward Fok (Dec. 7, '11), "Introduction to Cyber Security Issues for Transportation" [Web seminar]
1. Cyber Risks for Cyber-Physical Systems – Case 2
Airplane manipulation (Apr. '13, US)
+ Security consultants claimed they were able to manipulate an airplane's navigation system with an Android application*1.
+ 4 days later, the FAA (Dept. of Transportation) denied the possibility*2.
Reference:
*1: WIRED, www.wired.co.uk/news/archive/2013-04/11/android-plane-hijack
*2: InformationWeek, www.informationweek.com/security/application-security/faa-dismisses-android-app-airplane-takeo/240152838
1. Cyber Risks for Cyber-Physical Systems – Case 3
Lodz, Poland (Jan. '08)
4 light-rail trams derailed, 12 people injured
Tool used: Converted television IR remote
Exploit: Interlocks that disable track switching while a vehicle is present had not been installed
Reference: Edward Fok (Dec. 7, '11), "Introduction to Cyber Security Issues for Transportation" [Web seminar]
Pictures: Courtesy of EUROPICS
1. Cyber Risks for Cyber-Physical Systems
Currently, "Cyber Security for ICS" can be a serious social concern, as it may impact the following:
+ (Nuclear / chemical) plants
+ Military facilities and weapons
+ Government facilities and systems
+ Transportation (trains, airplanes, vehicles, ships, etc.)
+ Utilities (electric grid, water lines, etc.)
+ Finance (ATMs, ticket machines, etc.)
+ Medical / health-related equipment and others
1. Cyber Risks for Cyber-Physical Systems
Actions for transportation cyber risks in the US
Federal Congress: The Senate and House have been discussing cyber security bills, though none has been enacted yet, i.e. S-3414, S-3342, S-2105, HR-3523, HR-2096, etc.
White House: The President has issued multiple security-related Executive Orders, i.e. E.O. 13587, E.O. 13636 and PPD-21 (Presidential Policy Directive).
NHTSA (National Highway Traffic Safety Administration) of the Dept. of Transportation:
- Established an "Electronics Systems Safety" research division for vehicle cyber security*1.
- Provided test vehicles to researchers, engineers, college and high school students to assess cyber security at a summer CAMP*2 (Aug. '12).
TRB (Transportation Research Board) of the National Research Council: Established a "Cyber Security subcommittee" (under the "Critical Transportation Infrastructure Protection" committee).
SAE (Society of Automotive Engineers) International: Established a "Vehicle Electrical System Security committee".
Reference:
*1: Tim Johnson (NHTSA) at the ITS America annual meeting (May 2012, DC)
*2: http://www.wired.com/autopia/2012/09/camp-car-virus-squad/?utm_source=twitter&utm_medium=socialmedia&utm_campaign=twitterclickthru
1. Cyber Risks for ICS (Industrial Control System)
Actions for vehicle cyber risks worldwide
EU research projects:
+ SEVECOM*1 ('06-'08)
+ EVITA*2 ('08-'11)
+ OVERSEE*4 ('10-'13)
+ PRESERVE*3 ('11-'14)
Japan, Information-Technology Promotion Agency (IPA):
+ Published "Movements of Vehicle Cyber Security" (Apr. '13)*5
+ Published "Vehicle Cyber Security Guideline" (Mar. '13)*6
Reference:
*1: www.sevecom.org
*2: http://evita-project.org/
*3: http://preserve-project.eu/
*4: www.oversee-project.com
*5: (Japanese) www.ipa.go.jp/files/000014164.pdf
*6: (Japanese) www.ipa.go.jp/security/fy24/reports/emb_car/index.html
1. Cyber Risks for ICS (Industrial Control System)
Vehicle system model of the IPA "Vehicle Security Guideline"*
[Figure: vehicle system functions to be protected; critical functions are highlighted in the original]
1. Vehicle Control Function (Control): Powertrain, Chassis, Body, Safety & Comfort, connected over the Vehicle Bus
2. Extensive Function (Information): ITS, Telematics, Infotainment, Diagnosis & Maintenance; external connection via Bluetooth, WiFi, USB, OBD-II, ...
3. Conventional Function: Carry-in devices such as smart phone, navigation, PC, tablet, music players, hands-free, diagnosis, eco-meter, ...
Reference: *: IPA, "Vehicle Cyber Security Guideline" (Mar. '13), (Japanese). http://www.ipa.go.jp/security/fy24/reports/emb_car/index.html
2. Cyber Risks for Vehicle
Vehicles can be targets of cyber attacks, because ...
+ Vehicles can be used to inflict serious bodily injury
+ Vehicles are high-value items
+ Vehicles are frequently parked in unsecured locations
+ Vehicles could be targeted for anti-social activity (e.g. terrorism):
  - Stop/control a massive number of vehicles
  - Create massive panic through false information
References:
~ A. Weimerskirch, "Do Vehicles Need Data Security?", SAE World Congress, Detroit, MI, Apr. '11
~ Information-Technology Promotion Agency (Apr. '11), "Movements of Vehicle Cyber Security", (Japanese)
2. Cyber Risks for Vehicle
Modern cars come with up to 80 CPUs, 2 miles of cable, several hundred MB of software and 5 in-vehicle networks; a "vehicle" is no longer just a "mechanical system".
[Figure: growth of electronics-based vehicle functions over time: cruise control, ABS, car telephone, air bag, navigation, emergency call, telematics, ACC (adaptive cruise control), LDW (lane departure warning), and next: V2I communication, V2V communication, autonomous driving]
Reference: A. Weimerskirch, ESCRYPT, "Security Considerations for Connected Vehicles", SAE Government and Industry Meeting, Washington DC, Jan. '12
2. Cyber Risks for Vehicle
[Figure: Internet, computer, smart-phone and music-player as paths from a hacker into the vehicle]
Viruses or malware carried in smart-phones or music-players can easily invade automotive electronics
2. Cyber Risks for Vehicle
Smart-phones are vulnerable IT products with limited cyber security mechanisms
+ 82.2 million people in the US owned smart-phones (Jul. '11)*1
+ Application downloads on mobile phones are forecast to reach 48 billion by '15*2
+ Detected Android(TM) smart-phone malware increased by 472% within 5 months (Jul. '11 to Nov. '11)*3
Reference:
*1: (Aug. '11) "comScore Reports July '11 U.S. Mobile Subscriber Market Share" [Internet]
*2: R. Vogelei (Jun. '11), "Mobile Application Downloads to Approach 48 Billion in '15" [Internet]
*3: E. Chickowski (Dec. '11), "Android Mobile Security: A Growing Threat" [Internet]
3. Difficulties in Maintaining Vehicle Cyber Security
DIFFICULTY 1: Limited vehicle external connectivity
  Difficulty in updating security software
  Difficulty in monitoring the status of automotive electronics
DIFFICULTY 2: Limited computational performance, due to high endurance requirements and the long vehicle life-cycle (10 years)
  Difficulty competing against a hacker's PC
DIFFICULTY 3: Unpredictable attack scenarios and threats
DIFFICULTY 4: Hazard to drivers' and passengers' lives
References:
~ Information-Technology Promotion Agency (of the Japanese government) (Apr. '11), "'10 report: Movements of Vehicle Cyber-security", (Japanese)
~ A. Weimerskirch, "Security Considerations for Connected Vehicles", SAE Government and Industry Meeting, Washington DC, Jan. '12
~ P. Kleberger, T. Olovsson and E. Jonsson, "Security aspects of the in-vehicle network in the connected car", IEEE Intelligent Vehicles Symposium (IV) '11, pp. 528-533, 5-9 Jun. '11
3. Difficulties in Maintaining Vehicle Cyber Security
Special difficulties
CASE-1: Vehicle - Mobile phone - Base station
  Vehicles are only able to communicate externally through a mobile phone
CASE-2: Vehicle-A - Vehicle-B
  Communication for crash avoidance: limited time (100 ms order)
3. Difficulties in Maintaining Vehicle Cyber Security
Critical Mission: How to maintain 'Safety' even when 'Security' is compromised!
4. Functional Safety for Vehicle Cyber Security
ISO-26262*1: ISO TC22/SC3 is working on the "Automotive Functional Safety" standard ISO-26262, based on IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems). ISO-26262 (parts 1 to 10) has already been published. It defines the ASIL (Automotive Safety Integrity Level) and a safety process for automotive electronics according to each ASIL. (Originally, ISO-26262 did not address cyber security.)
SAE J2980*2: The SAE Functional Safety committee is working on the recommended practice J2980, "Considerations for ISO-26262 ASIL Hazard Classification", to create more practical recommendations for ISO-26262, focusing on "Propulsion & Driveline", "Steering & Suspension" and "Braking".
Reference:
*1: J. D. Miller, "Overview and Impact of the Automotive Functional Safety Standards ISO 26262", SAE web seminar, Mar. '12
*2: D. Hartfelder, "Objectives of the SAE Automotive Functional Safety Committee", SAE Government and Industry meeting, Washington DC, Jan. '12
4. Functional Safety for Vehicle Cyber Security
ASIL is determined by 3 scales:
+. Severity: S1 to S3 (highest)
+. (Probability of) Exposure: E1 to E4 (highest)
+. Controllability: C1 to C3 (highest)
Resulting hazard level: "QM" < "A" < "B" < "C" < "D", from conventional Quality Management (QM) up to the highest hazard level (D)
Reference: J. D. Miller, "Overview and Impact of the Automotive Functional Safety Standards ISO-26262", SAE web seminar, Mar. '12
4. Functional Safety for Vehicle Cyber Security
Functional safety approach – vehicle level
[Figure: Carry-in device -(A)-> Entertainment / Information system -(B)-> Powertrain, inside the vehicle]
Quarantine viruses or malware at point B, i.e. prior to the safety-critical areas. Safety-critical areas means "Drive (propulsion)", "Stop (braking)" and "Control (steering / vehicle control)"*.
Reference: D. Hartfelder, "Objectives of the SAE Automotive Functional Safety Committee", SAE Government and Industry meeting, Washington DC, Jan. '12
4. Functional Safety for Vehicle Cyber Security
Functional safety approach – vehicle level
1. Basic cyber-security techniques: Secure boot*1, virtualization*1, encryption, cryptographic hashes, etc.
2. Separation of safety-critical areas: Install firewalls between infotainment and the safety-critical areas*2.
3. Review and clarify functions:
3-a.) Review commands/messages from infotainment areas to safety-critical areas, e.g. keep "Slow-down" but delete "Speed-up".
3-b.) Protect against software manipulation.
4. IDS (Intrusion Detection System)*3: Periodically monitor, especially the safety-critical areas.
Reference:
*1: A. Weimerskirch, "Security Considerations for Connected Vehicles", SAE Government and Industry Meeting, Washington DC, Jan. '12
*2: For example, http://www.ariloutech.com/pages/carcyber.htm
*3: NIST SP800-82 "Guide to Industrial Control Systems Security", http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
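As an added worked example (not code from the slides or from Alpine), the Python below sketches a domain gateway at point B that implements items 2, 3-a and 4 above: an allow-list of message IDs that may cross from the infotainment domain into the powertrain domain, a content rule that forwards a "slow-down" request but drops a "speed-up" request, and a rate-based intrusion check that raises an alert when crossing traffic exceeds a budget. The CAN IDs, the one-byte signed speed-delta layout, the rate limit and the replayed traffic are all constructed for this example.

```python
"""Added example, not code from the slides: a domain gateway at point B.

Implements three of the vehicle-level measures:
  2.   separation      - only allow-listed message IDs cross into the powertrain domain
  3-a. command review  - a "slow-down" request passes, a "speed-up" request is dropped
  4.   IDS             - a burst of crossing traffic above a budget raises an alert

CAN IDs, payload layout, limits and the sample traffic are constructed, not real.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Tuple

# Constructed identifiers for this example.
ID_SPEED_REQUEST = 0x1A0   # infotainment -> powertrain: one signed byte, speed delta in km/h
ID_HVAC_SETPOINT = 0x2B0   # infotainment -> body: cabin temperature setpoint
ID_DIAG_WRITE = 0x7E0      # diagnostic write; must never originate from infotainment


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes


@dataclass(frozen=True)
class GatewayPolicy:
    allowed_ids: frozenset = frozenset({ID_SPEED_REQUEST, ID_HVAC_SETPOINT})
    max_frames_per_window: int = 5      # budget for frames crossing per window
    window_ms: int = 1000


class DomainGateway:
    def __init__(self, policy: GatewayPolicy = GatewayPolicy()):
        self.policy = policy
        self._recent: Deque[int] = deque()                 # send times of forwarded frames
        self.dropped: List[Tuple[int, Frame, str]] = []    # (time, frame, reason)
        self.alerts: List[Tuple[int, Frame, str]] = []     # IDS findings for the monitoring ECU

    @staticmethod
    def _speed_request_allowed(frame: Frame) -> bool:
        # Layout (constructed): data[0] is a signed 8-bit speed delta.
        if len(frame.data) != 1:
            return False                                   # malformed: fail closed
        delta = int.from_bytes(frame.data, "big", signed=True)
        return delta <= 0                                  # keep "slow-down", delete "speed-up"

    def forward(self, frame: Frame, now_ms: int) -> bool:
        """Return True if the frame may cross into the safety-critical domain."""
        if frame.can_id not in self.policy.allowed_ids:
            self.dropped.append((now_ms, frame, "id not allow-listed"))
            return False
        if frame.can_id == ID_SPEED_REQUEST and not self._speed_request_allowed(frame):
            self.dropped.append((now_ms, frame, "speed-up request rejected"))
            return False
        # Rate-based intrusion check over a sliding window.
        while self._recent and now_ms - self._recent[0] >= self.policy.window_ms:
            self._recent.popleft()
        if len(self._recent) >= self.policy.max_frames_per_window:
            self.alerts.append((now_ms, frame, "crossing-traffic budget exceeded"))
            self.dropped.append((now_ms, frame, "rate limit"))
            return False
        self._recent.append(now_ms)
        return True


def run_demo() -> Tuple[List[bool], DomainGateway]:
    """Replay constructed traffic through the gateway; returns per-frame decisions and the gateway."""
    gw = DomainGateway()
    traffic = [
        (0, Frame(ID_SPEED_REQUEST, (-5).to_bytes(1, "big", signed=True))),  # slow-down: forwarded
        (10, Frame(ID_SPEED_REQUEST, (10).to_bytes(1, "big", signed=True))),  # speed-up: dropped
        (20, Frame(ID_DIAG_WRITE, b"\x2e\x01\x23")),                          # not allow-listed: dropped
        (30, Frame(ID_HVAC_SETPOINT, b"\x16")),                               # forwarded
    ]
    traffic += [(40 + i, Frame(ID_HVAC_SETPOINT, b"\x16")) for i in range(6)]  # burst: last 3 tripped
    decisions = [gw.forward(frame, t) for t, frame in traffic]
    return decisions, gw


if __name__ == "__main__":
    decisions, gw = run_demo()
    print("forwarded:", decisions)
    for entry in gw.dropped:
        print("dropped:", entry)
    for entry in gw.alerts:
        print("ALERT:", entry)
```

The gateway fails closed: anything not explicitly allow-listed, malformed, or over budget is dropped, and only the rate check produces IDS alerts, since the first two rules are policy decisions rather than anomalies. In a real gateway the per-ID content rules would be generated from the message catalogue rather than hand-written as here.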
4. Functional Safety for Vehicle Cyber Security
Functional safety approach – component level
List functions and assess hazard levels (ASIL), e.g. for the center console; apply countermeasures according to ASIL.

Function                       Sample malfunction                                                       E    C    S    ASIL
Power window                   Unwanted window closing                                                  E2   C2   S3   A
Emergency call                 Emergency call is not placed at accident                                 E1   C3   S3   A
Air conditioner control        Heating is not working during the winter in Canada                       E3   C3   S3   C
Navigation                     Erroneous guidance, e.g. opposite direction on freeway                   (see note)     A
CD/DVD control                 CD/DVD is not working                                                    E3   C1   S1   QM
Rearview camera (monitoring)   During backing, the rearview camera image freezes (shows old image)      (see note)     A
Air bag                        Fault activation during driving                                          E4   C3   S3   D
Turn signal in cluster panel   Cluster shows signal activation though the actual signal is not working  E1   C2   S3   QM

Note: the source gives the parameter sets E2 C2 S3 and E3 C2 S2 (both ASIL A) for the Navigation and Rearview camera rows, but which set belongs to which row is not recoverable from the extracted slide.
1.) Based on our internal preliminary assessment
2.) Reference: R. Hamann et al., "ISO 26262 Release Just Ahead: Remaining Problems and Proposals for Solutions", SAE World Congress, Detroit, MI, Apr. '11
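The ASIL column above follows mechanically from the three scales S, E and C introduced on the earlier slide, via the risk graph in ISO 26262-3:2011, Table 4. As an added example (not code from the slides), the Python below encodes that table, recomputes the ASIL for the rows whose S/E/C cells survived intact, and ranks the functions so that countermeasure effort goes to the highest ASIL first. The table data is from the standard; the function names and parameter strings are taken from the slide.

```python
"""Added example, not code from the slides: ASIL determination per ISO 26262-3:2011, Table 4,
applied to the hazards of the component-level slide.

Severity S1..S3, Exposure E1..E4, Controllability C1..C3 -> QM or ASIL A..D.
"""
from typing import Dict, List, Tuple

ASIL_ORDER = ["QM", "A", "B", "C", "D"]   # lowest to highest

# ISO 26262-3:2011, Table 4.  _RISK_GRAPH[S][E] lists the ASIL for C1, C2, C3.
_RISK_GRAPH = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"),  3: ("QM", "A", "B"),  4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"),  2: ("QM", "A", "B"),   3: ("A", "B", "C"),   4: ("B", "C", "D")},
}


def asil(s: int, e: int, c: int) -> str:
    """ASIL for severity S{s}, exposure E{e}, controllability C{c}."""
    if s not in _RISK_GRAPH or e not in _RISK_GRAPH[s] or c not in (1, 2, 3):
        raise ValueError(f"out of range: S{s} E{e} C{c}")
    return _RISK_GRAPH[s][e][c - 1]


def parse_sec(text: str) -> Tuple[int, int, int]:
    """Parse a slide cell such as 'E2 C2 S3' (tokens in any order) into (s, e, c)."""
    found: Dict[str, int] = {}
    for token in text.split():
        key, value = token[0].upper(), int(token[1:])
        if key not in ("S", "E", "C") or key in found:
            raise ValueError(f"bad parameter cell: {text!r}")
        found[key] = value
    if set(found) != {"S", "E", "C"}:
        raise ValueError(f"incomplete parameter cell: {text!r}")
    return found["S"], found["E"], found["C"]


# Rows of the component-level slide whose S/E/C cells the source keeps intact:
# (function, sample malfunction, parameters as printed, ASIL printed on the slide)
SLIDE_ROWS = [
    ("Power window", "Unwanted window closing", "E2 C2 S3", "A"),
    ("Emergency call", "Emergency call is not placed at accident", "E1 C3 S3", "A"),
    ("Air conditioner control", "Heating is not working during the winter in Canada", "E3 C3 S3", "C"),
    ("CD/DVD control", "CD/DVD is not working", "E3 C1 S1", "QM"),
    ("Air bag", "Fault activation during driving", "E4 C3 S3", "D"),
    ("Turn signal in cluster panel", "Shows activation although the signal is not working", "E1 C2 S3", "QM"),
]


def recompute_slide_asils() -> Dict[str, Tuple[str, str]]:
    """Map each function to (ASIL recomputed from the risk graph, ASIL printed on the slide)."""
    return {name: (asil(*parse_sec(cell)), shown) for name, _, cell, shown in SLIDE_ROWS}


def rank_for_countermeasures(rows=SLIDE_ROWS) -> List[Tuple[str, str]]:
    """Functions ordered highest ASIL first: where the countermeasure budget goes."""
    scored = [(name, asil(*parse_sec(cell))) for name, _, cell, _ in rows]
    return sorted(scored, key=lambda item: ASIL_ORDER.index(item[1]), reverse=True)


if __name__ == "__main__":
    for name, (computed, shown) in recompute_slide_asils().items():
        flag = "" if computed == shown else "  <-- differs from slide"
        print(f"{name:30s} computed {computed:3s} slide {shown:3s}{flag}")
    print("countermeasure order:", rank_for_countermeasures())
```

Both parameter sets the slide gives for the two ambiguous rows (E2 C2 S3 and E3 C2 S2) evaluate to ASIL A, so the ranking is unaffected by which belongs to Navigation and which to the rearview camera. The out-of-range check matters in practice: an S0 or E0 hazard is handled outside this table in the standard, and silently mapping it would understate or overstate the level.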
4. Functional Safety for Vehicle Cyber Security
Functional safety approach – component level
1. Hardware/analog control*: Critical functions should be controlled by hard switches or analog back-ups with priority, e.g. temperature and fan level of air-conditioners.
Note: Guidelines about emerging EV battery information may be required.
Reference: ~ NIST SP800-82 "Guide to Industrial Control Systems Security", http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
4. Functional Safety for Vehicle Cyber Security
Functional safety approach – component level
2. Failure/intrusion detection*:
a.) Periodically check the operation of critical functions, e.g. emergency call
b.) Abnormal conditions should be reported to drivers immediately, so that drivers can avoid critical hazards, e.g. rearview camera monitor, navigation, etc.
Cooperation with "Technical design", "Legislation", "Supply chain (dealer shops, etc.)" and others is required!
Reference: ~ NIST SP800-82 "Guide to Industrial Control Systems Security", http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
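As an added example (not code from the slides), the Python below implements the two detection cases named above: (a) a periodic self-test of the emergency-call unit that records a fault when the reply misses its deadline, and (b) a rearview camera monitor that warns the driver when the displayed image stops changing while the car is in reverse, which is the "show old image" malfunction from the component-level table. The periods, deadlines, frame timing and pixel data are constructed for the example.

```python
"""Added example, not code from the slides: component-level failure/intrusion detection.

 (a) periodic check of a critical function: the emergency-call unit must answer a
     self-test request within a deadline, otherwise a fault is recorded;
 (b) immediate driver notification: a rearview camera whose image stops changing
     while the vehicle is in reverse is reported as frozen.

Periods, deadlines, frame timing and pixel data are constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DriverWarning:
    t_ms: int
    component: str
    message: str


class EmergencyCallSelfTest:
    """Issue a self-test request every period_ms; a reply must arrive within deadline_ms."""

    def __init__(self, period_ms: int = 60_000, deadline_ms: int = 2_000):
        self.period_ms = period_ms
        self.deadline_ms = deadline_ms
        self.last_request: Optional[int] = None
        self.answered = True
        self.warnings: List[DriverWarning] = []

    def tick(self, now_ms: int) -> bool:
        """Scheduler hook. Returns True when a new self-test request should be sent to the eCall ECU."""
        overdue = (self.last_request is not None and not self.answered
                   and now_ms - self.last_request > self.deadline_ms)
        if overdue:
            self.warnings.append(DriverWarning(now_ms, "eCall", "self-test not answered"))
            self.answered = True                      # record the miss once, then re-arm
        if self.last_request is None or now_ms - self.last_request >= self.period_ms:
            self.last_request = now_ms
            self.answered = False
            return True
        return False

    def reply(self, now_ms: int) -> None:
        """Called when the eCall ECU answers; a late reply does not clear the pending check."""
        if self.last_request is not None and now_ms - self.last_request <= self.deadline_ms:
            self.answered = True


class RearviewFreezeMonitor:
    """Flag a frozen display: bit-identical frames for longer than max_static_ms while in reverse.

    A live image sensor has noise, so consecutive frames are practically never identical;
    a run of identical frames points to a stuck frame buffer or a replayed image.
    """

    def __init__(self, max_static_ms: int = 500):
        self.max_static_ms = max_static_ms
        self._last_digest: Optional[bytes] = None
        self._static_since = 0
        self._warned = False
        self.warnings: List[DriverWarning] = []

    def frame(self, now_ms: int, pixels: bytes, in_reverse: bool) -> bool:
        """Feed one frame; returns True when a new driver warning is raised."""
        digest = hashlib.sha256(pixels).digest()
        if digest != self._last_digest:
            self._last_digest, self._static_since, self._warned = digest, now_ms, False
            return False
        if in_reverse and not self._warned and now_ms - self._static_since >= self.max_static_ms:
            self.warnings.append(DriverWarning(now_ms, "rearview camera",
                                               "image frozen, do not rely on the display"))
            self._warned = True
            return True
        return False


def run_demo():
    """Constructed timeline: eCall answers the first test and misses the second;
    the camera delivers two live frames, then the same frame for about 0.6 s at 30 fps."""
    ecall = EmergencyCallSelfTest(period_ms=60_000, deadline_ms=2_000)
    ecall.tick(0)
    ecall.reply(300)          # answered in time
    ecall.tick(60_000)        # second request, never answered
    ecall.tick(63_000)        # deadline passed -> warning

    cam = RearviewFreezeMonitor(max_static_ms=500)
    t = 0
    for live in (bytes([10, 11, 12]), bytes([13, 14, 15])):
        cam.frame(t, live, in_reverse=True)
        t += 33
    for _ in range(20):
        cam.frame(t, bytes([200, 200, 200]), in_reverse=True)
        t += 33
    return ecall.warnings, cam.warnings


if __name__ == "__main__":
    for warning in (w for group in run_demo() for w in group):
        print(f"t={warning.t_ms} ms  {warning.component}: {warning.message}")
```

Both monitors are deliberately one-shot per event (a missed reply or a freeze is reported once, then re-armed) so the driver is not flooded with repeated warnings, and the freeze check only warns while the vehicle is actually backing, when the stale image is a hazard rather than a nuisance.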
5. Summary
Intelligent modern vehicles with more MCUs (Micro Controller Units) and more software code have higher cyber risks than ever.
Difficulties in maintaining vehicle cyber security:
- Limited vehicle external connectivity
- Limited computational performance
- Unpredictable attack scenarios and threats
- Hazard to drivers' and passengers' lives
For vehicle cyber security, it is important to maintain "safety" even when "security" is broken.
Functional safety (concept) at the vehicle level and component level is effective for maintaining vehicle safety when security is broken.
6. Next steps
This approach can be applied to other embedded systems' security as well as to automotive electronics cyber security.
This approach only focuses on hazards within a vehicle, while a DoS (Denial of Service), e.g. emergency calls from a huge number of vehicles, can damage the entire community (even if the hazard within each vehicle is small).
Hazard assessments for community-level damage, and countermeasures based on those assessments, are essential as our next step.