Fully autonomous driving vehicles are expected to be on our roads in just a few years. The networking this requires calls for a new dimension of digital protection.
With the imminent evolution of road transport towards fully autonomous vehicles, cars are increasingly evolving from a means of transport into a personalized information hub. As entertainment options and security systems in a motor vehicle become more numerous and more closely connected to the driving environment, the requirements for fast processing of the growing amounts of data also increase. But all-round radar detection, permanent V2X communication, premium infotainment, ADAS and the like do not only increase the data volume. In parallel to the increased performance requirements, the permanent networking of many different components with each other and with the traffic infrastructure makes the protection of the entire vehicle IT against cyber attacks increasingly important.
The enormous amount of data to be processed in autonomous driving vehicles in the future requires not only extensive integration of all systems, but also new security concepts, both to protect against malfunctions and to defend against cyber attacks. NXP has developed a high-performance broadband network that replaces all previous network protocols in the vehicle and defines the future standard as Automotive Ethernet.
Increased security requirements
The fully autonomous driving car is increasingly becoming a reality. As soon as the technical requirements for the necessary system hardware (CPU, GPU and memory modules) and the traffic infrastructure are met, corresponding vehicles will even be possible in mass production within a few years. The necessary integration of a multitude of infotainment and other mobile services as well as interactive communication with other vehicles and the respective environment (V2X) basically redefines the automotive industry. Since in the future hundreds of individual messages per second will have to be processed per vehicle, a drastic increase in the current performance level of data processing and the security infrastructure of the individual automobiles will be required.
(Figure: V2X technologies enable vehicles to receive alerts. Image: NXP)
In the future, however, manufacturers will not only have to equip their connected autonomous vehicles with every conceivable technical option and convenience, but at the same time protect them from cyber attacks on a variety of security levels and in the respective IT components. Increasingly, solutions from IT and telecommunications are coming into play here, which are comparatively new to the automotive sector. These new technologies include, for example, the use of multi-level firewalls, encryption and authentication procedures, and secure software updates via the Internet.
Layering of security components
Most hacking attacks on vehicles follow clear steps. The first thing attackers usually do is look for a weak point in a system with remote access. Once an attacker has gained access to a car’s telematics unit, for example, he then tries to reach other networked components from there. The theft of personal data or the creation of a movement profile are only some of the problems here. If an attacker succeeds in taking control of an ECU (Electronic Control Unit) for the brakes, engine control or cruise control, for example, the real danger for road users and the explosive nature of such an attack become abundantly clear. Accordingly, all conceivable threats, including their potential damage, as well as the actual vulnerability of an IT component to an attack, must be taken into account when developing an electronic vehicle infrastructure. Since hackers are always on the lookout for weak points, all areas must be equally well secured so as not to leave any unsecured back doors open. Once the vulnerability analysis has been completed, sensible countermeasures and their implementation must be defined. This results in a system-level plan to eliminate risk. Standardized methods, such as Microsoft’s STRIDE model, help to evaluate common threats in a structured way.
Proven defenses in connected vehicles include using a variety of layered security technologies and techniques to prevent individual solutions from being outwitted or bypassed. At the same time, the entire connectivity and IT infrastructure of autonomous vehicles must be protected on several levels and with security solutions that work both behind and alongside each other. In the example above, not only would the telematics module have to be shielded against the attack, but the connected individual components of the vehicle’s IT would each also need a separate protective shield. This is done, for example, by running system-critical ECUs in isolation from non-safety-relevant units and protecting the car’s respective networks through a gateway with firewalls.
Physical interfaces such as the connection of a diagnostic device are the easiest way into the digital heart of a car, but at the same time they are relatively well protected against unauthorized access due to their placement inside the vehicle. In addition, the diagnostic interface of a vehicle can only be accessed locally by hand, and attacks cannot be carried out on entire vehicle fleets. In the future, however, fully autonomous driving will require linking automobiles by means of external, wireless interfaces with the relevant traffic infrastructure, other road users and the cloud. The focus of most hacker attacks, and thus the greatest risk for connected vehicles, therefore lies in the growing number of wireless external communication channels. If these are compromised, digital attackers can also attack a car’s internal systems remotely, creating a whole new threat landscape. In contrast to the past, car manufacturers must therefore plan much further ahead when it comes to securing their vehicles than just the physical protection of the bodywork.
To holistically secure autonomous vehicles, the external interfaces in particular must be protected. For example, it is necessary to secure all open communication paths against misuse by means of dynamic PKI encryption. At the same time, it is also necessary to prevent the manipulation of data files or commands. This is done by authenticating the integrity of all transmitted data and commands. To exclude unauthorized access as best as possible, all interconnected end devices must also mutually verify each other. This ensures that only communication partners intended for this purpose are connected to each other. All these techniques are used, for example, in NXP’s V2X communication solutions (vehicle-to-vehicle and vehicle-to-infrastructure). IEEE 802.11p has already standardized a correspondingly powerful wireless communication environment for vehicles, which will be available in production vehicles from 2017 onwards.
The protection of the car’s wireless interfaces is system-critical for all networked vehicles, especially for autonomous driving vehicles. In addition, the wired interfaces to and in the car must also be given optimum protection, because it is of course not possible to completely rule out the possibility of attackers attempting to gain access to the vehicle network via such interfaces. This can be done, for example, by taking over or impersonating a trusted external end device. The next security level is therefore logically the internal data network. In a sense, this represents the nervous system of vehicle IT and connects both the external terminals with the vehicle electronics and the individual control units (ECUs) with each other. As with the interfaces, all security-relevant data in the network must be encrypted, and commands transmitted between ECUs must be authenticated to prevent data misuse. At the same time, this makes replay attacks, i.e. impersonating another identity using previously recorded data, impossible within the network. To make manipulation of vehicle IT by internal attacks from the network impossible, the individual ECUs must be physically or logically separated from each other. This is done either through firewalls or separate subnetworks. The security of the internal vehicle network can also be further enhanced by additional authentication of the ECUs each time the engine is started and at irregular intervals during operation.
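The authenticated ECU-to-ECU messaging described above, as an added example that is not part of the article or of NXP’s products. It assumes a 16-byte key shared by two ECUs, HMAC-SHA256 truncated to 8 bytes as the MAC, and a 4-byte monotonic counter in front of the payload; all of these are illustrative choices, not a real in-vehicle scheme. The point it shows is that the MAC alone proves who sent a frame, while the counter is what makes a previously recorded frame unusable.

```python
"""Authenticated ECU-to-ECU messages with a freshness counter (added example).

Assumed, not from the article: a 16-byte shared key, HMAC-SHA256 truncated to
8 bytes, and a 4-byte strictly increasing counter per sender.
"""
import hashlib
import hmac
import struct

COUNTER_LEN = 4
MAC_LEN = 8  # truncated tag; in-vehicle frames leave little room


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0  # on a real ECU this lives in non-volatile memory

    def send(self, payload: bytes) -> bytes:
        self.counter += 1
        header = struct.pack(">I", self.counter)
        return header + payload + _mac(self.key, header + payload)


class MacOnlyReceiver:
    """Checks the MAC but keeps no state: an authentic frame can be replayed."""

    def __init__(self, key: bytes):
        self.key = key

    def receive(self, frame: bytes):
        if len(frame) < COUNTER_LEN + MAC_LEN:
            return (False, "short frame")
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(self.key, body)):
            return (False, "bad MAC")
        return (True, body[COUNTER_LEN:])


class Receiver(MacOnlyReceiver):
    """Same MAC check, plus a strictly increasing counter to reject replays."""

    def __init__(self, key: bytes):
        super().__init__(key)
        self.last_counter = 0

    def receive(self, frame: bytes):
        ok, result = super().receive(frame)
        if not ok:
            return (ok, result)
        counter = struct.unpack(">I", frame[:COUNTER_LEN])[0]
        if counter <= self.last_counter:
            return (False, "replay")
        self.last_counter = counter
        return (True, result)


def demo():
    """Constructed scenario: one fresh frame, then the same frame replayed."""
    key = bytes(range(16))  # constructed demo key
    ecu_a, strict, naive = Sender(key), Receiver(key), MacOnlyReceiver(key)
    frame = ecu_a.send(b"SPEED=050")
    forged = frame[:COUNTER_LEN] + b"SPEED=250" + frame[-MAC_LEN:]
    return {
        "fresh": strict.receive(frame),           # accepted
        "replay_strict": strict.receive(frame),   # rejected by the counter
        "replay_naive": naive.receive(frame),     # accepted: MAC alone is not enough
        "forged": strict.receive(forged),         # rejected: MAC mismatch
    }
```

Two practical points the article does not spell out: the receiver must persist its last counter across power cycles, otherwise frames recorded before a restart become replayable again, and the periodic re-authentication of ECUs mentioned above is what resynchronizes counters after a reset.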
(Figure: V2X technology helps avoid congestion and downtime. Image: NXP)
The implementation of these increased security requirements and the sheer size of the future data volume generated, for example, by 360° digital traffic monitoring and the resulting applications, require a very powerful in-vehicle data network. To meet these requirements, NXP, together with other leading IT and automotive companies, has founded the Open Alliance Special Interest Group and defined and developed Automotive Ethernet as the future standard for broadband data usage in vehicles. This protocol for broadband IVNs (in-vehicle networks) can replace all previous network protocols and offers numerous advantages over other network technologies in addition to high transmission rates. Automotive Ethernet, for example, uses only a single, unshielded twisted pair cable for bidirectional communication, thus saving weight and costs. It is robust enough for the temperatures required in the vehicle and meets all current requirements for electromagnetic compatibility (EMC).
Electronic Control Units
Once the interfaces and internal networks are secured, the next step is to protect the vehicle’s individual data centers, the ECUs. These generate, link and manage huge amounts of data, and are therefore a tempting target for attackers. In addition to data theft, there is of course a risk that attackers can trigger malfunctions in the control units. This is remedied by encrypting both program codes and data within the memories and regularly checking them for tampering.
More than a hundred ECUs are installed in modern vehicles, which together control and monitor all electronic processes in the car. Manipulation of the control software of an ECU can be prevented by using secure boot mechanisms. If multiple software applications are running in parallel on an ECU chipset, they must be isolated from each other, for example through virtualization techniques, to prevent a compromised memory stack from becoming a problem for other applications.
A key role in managing and securing the ECUs is played by the central gateway. It not only shields different network areas from one another with a firewall, but also monitors the legitimacy of the messages transmitted in the network as a router before forwarding them to the various domains and subnetworks.
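The gateway behaviour described in this section, as an added example that is not part of the article or of any NXP product. Domain names, message ids, the plausibility limits and the session flag are all constructed for illustration. The example generalizes the article’s point slightly: the gateway is default-deny, rules are directional, a route from the diagnostic port is gated on a locally established session, and even permitted messages are checked for plausibility before forwarding.

```python
"""Central gateway: default-deny, directional routing between vehicle domains.

Added example. Domains, message ids and limits below are constructed.
"""
import struct
from dataclasses import dataclass


@dataclass
class Frame:
    src: str      # domain the frame arrived from
    dst: str      # domain it asks to reach
    msg_id: int
    data: bytes


# Allow-list of (source, destination, message id); everything else is dropped.
# Rules are directional: chassis data may flow out to telematics for display,
# but nothing flows from telematics into the chassis domain.
RULES = {
    ("chassis", "telematics", 0x3F0),   # vehicle speed for a cloud service
    ("telematics", "body", 0x2A0),      # remote lock/unlock request
    ("diag", "powertrain", 0x7E0),      # diagnostic request, session-gated
}
SESSION_GATED = {("diag", "powertrain", 0x7E0)}


def _speed_ok(data: bytes) -> bool:
    # 2-byte speed in km/h; anything above 400 is not a real vehicle speed
    return len(data) == 2 and struct.unpack(">H", data)[0] <= 400


def _lock_ok(data: bytes) -> bool:
    return len(data) == 1 and data[0] in (0x00, 0x01)


# Plausibility checks applied even on permitted routes.
VALIDATORS = {0x3F0: _speed_ok, 0x2A0: _lock_ok}


class Gateway:
    def __init__(self):
        self.diag_session = False  # set only via the physical diagnostic port
        self.log = []              # dropped frames, for later forensics

    def route(self, frame: Frame):
        key = (frame.src, frame.dst, frame.msg_id)
        if key not in RULES:
            return self._drop(frame, "no rule")
        if key in SESSION_GATED and not self.diag_session:
            return self._drop(frame, "no diagnostic session")
        check = VALIDATORS.get(frame.msg_id)
        if check is not None and not check(frame.data):
            return self._drop(frame, "implausible payload")
        return ("forward", frame.dst)

    def _drop(self, frame: Frame, reason: str):
        self.log.append((frame.src, frame.dst, frame.msg_id, reason))
        return ("drop", reason)
```

The drop log is the detection hook: a burst of "no rule" drops from the telematics domain is exactly the signal a compromised telematics unit probing the vehicle network would produce.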
Firmware management and patching
A particular challenge in modern, networked vehicles is the need for subsequent updates and patches for the ECUs. Modern vehicles already contain around 100 million lines of code, with a strong upward trend. It is absolutely impossible to design such complex systems to be completely error-free at all times. Security always requires an update capability to keep the systems up to date and to be able to respond to threats. At the same time, hardware components are reused in a modular fashion and multiple software applications are consolidated on a single computing unit, often from different vendors and with varying degrees of criticality to system security. Accordingly, vulnerabilities in a vehicle’s IT security sometimes only become apparent some time after its delivery.
In the worst case, a gap in hardware or software security can affect not only individual vehicles, but also an entire model series or different Internet-based end devices at the same time. And since a networked vehicle is a highly complex IT system, patches may also be required here from time to time at very short notice, for example after components have been installed or replaced. To be able to react as quickly as possible in all these cases and always ensure the best possible protection for the car, secure over-the-air updates of firmware and application software must be possible.
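An added example, not code from the article or from NXP, that ties together the secure boot requirement from the "Electronic Control Units" section and the secure over-the-air update requirement here. It assumes that the OEM authenticates a small manifest (version number plus image digest) and that the ECU keeps a monotonic minimum-version counter, conceptually in one-time-programmable memory or a secure element. HMAC with a key held by the ECU stands in for the asymmetric signature a real bootloader would check with a public key in ROM; the shape of the checks (authenticity, integrity, anti-rollback, re-verification at every boot) is the same.

```python
"""Authenticated OTA update with anti-rollback, re-verified by secure boot.

Added example. HMAC stands in for the OEM's asymmetric signature; the
manifest format (4-byte version | 32-byte SHA-256 | 32-byte tag) is assumed.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32


def make_manifest(oem_key: bytes, version: int, image: bytes) -> bytes:
    """OEM side: authenticate (version, digest of image)."""
    body = struct.pack(">I", version) + hashlib.sha256(image).digest()
    return body + hmac.new(oem_key, body, hashlib.sha256).digest()


def parse_manifest(verify_key: bytes, manifest: bytes):
    """Return (version, digest) if the manifest is authentic, else None."""
    if len(manifest) != 4 + 32 + TAG_LEN:
        return None
    body, tag = manifest[:-TAG_LEN], manifest[-TAG_LEN:]
    expected = hmac.new(verify_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">I", body[:4])[0], body[4:]


class Ecu:
    def __init__(self, verify_key: bytes):
        self.verify_key = verify_key   # would sit in immutable boot ROM
        self.min_version = 0           # monotonic counter in OTP / secure element
        self.flash_image = b""
        self.flash_manifest = b""

    def install_update(self, manifest: bytes, image: bytes) -> str:
        """Over-the-air update path: verify everything before touching flash."""
        parsed = parse_manifest(self.verify_key, manifest)
        if parsed is None:
            return "rejected: manifest not authentic"
        version, digest = parsed
        if version <= self.min_version:
            return "rejected: rollback to version %d" % version
        if not hmac.compare_digest(digest, hashlib.sha256(image).digest()):
            return "rejected: image does not match manifest"
        self.flash_image, self.flash_manifest = image, manifest
        self.min_version = version     # advance only after a verified write
        return "installed version %d" % version

    def secure_boot(self) -> str:
        """Run at every power-up: nothing in flash is trusted until re-checked."""
        parsed = parse_manifest(self.verify_key, self.flash_manifest)
        if parsed is None:
            return "halt: manifest not authentic"
        version, digest = parsed
        if version < self.min_version:
            return "halt: downgraded image"
        if not hmac.compare_digest(digest, hashlib.sha256(self.flash_image).digest()):
            return "halt: image tampered"
        return "boot version %d" % version
```

Because the boot path re-checks the manifest and digest on every start, an image modified in flash after installation is caught at the next power-up, not only at update time; this is the "regularly checking them for tampering" step the earlier section asks for. A production design would usually advance the minimum version only after the new image has booted successfully once, so that a failed update can still fall back.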
Key management and cryptographic agility
Individual and unique PKI-based device keys are required for the cryptographic security of vehicle IT and the preservation of the privacy of vehicle occupants. These must be managed securely throughout their lifetime and exchanged for new ones if necessary. In the future, these keys will also be generated outside the vehicles and must be securely transferred from there (via the cloud) to the individual vehicles. Since vehicles generally have a service life of 15 years, new algorithms and larger keys will also be needed during this time to ensure the security of the vehicle network in the long term, given the continuing high pace of development of IT technologies.
Ideally, therefore, the software and hardware requirements for growing encryption will already be in place in future generations of autonomously driving cars, otherwise the only option over time will be the potentially cost-intensive replacement of control units that are outdated in terms of data technology.
Autonomous driving will be a reality in just a few years, and the current requirements for performance and security of communication and data processing systems in road traffic and within vehicles will multiply. The necessary protection of networked and autonomously driving vehicles against digital attacks will become increasingly complex and expensive in the future. These investments represent a kind of basic investment that must be offset against the risks and possible follow-up costs of a successful cyberattack on a vehicle.
The technological prerequisites and standards for secure autonomous driving are already being created today. What is important here is a mix of high-performance individual solutions for each subarea that can be integrated simultaneously into a multilayered, redundant security structure with always the same security levels at the highest standard. And the effort is worth it. If the technologies needed for autonomous driving are implemented across the board, drivers and the environment will benefit from optimized traffic flows, reduced exhaust emissions and lower accident rates that we can only dream of today.