September 2016
33
I
nternet
-
of
-T
hings
telematics unit, you have a good chance of get-
ting into just about any other part of the car
such as the ECUs that control engine speed,
braking, cruise control, valet parking etc. It
is good practice to use multiple security tech-
niques to mitigate the risk of one component
of the defense being compromised or circum-
vented. Implementing a framework of 4 secu-
rity layers will lead to a highly secure vehicle
network:
To secure the connected car, one has to start
with the external interfaces themselves. First
of all, the communication channels need to be
protected against data theft, e.g. by encrypt-
ing the data, and against manipulation, e.g.
by authenticating the messages that are
exchanged to protect their authenticity and
integrity. Furthermore, the interfaces need
to prevent unauthorized access. This involves
processes such as machine-to-machine
authentication to check that you are commu-
nicating with a known or authorized device.
As we saw with last year’s Jeep hack, once hack-
ers obtain access to a network, they can send
messages anywhere. This is where layer 2, the
secure gateway, plays its part. A central gate-
way ECU separates the TCU and OBD from
the network and breaks up the vehicle network
into functional domains, with the gateway
firewall deciding what nodes can legitimately
communicate with other nodes. In the Tesla
Model S hack of 2015, the protection offered by
the gateway was highlighted as a key security
feature for modern vehicles. In the Jeep hack,
hackers could switch off brakes remotely due
to the lack of a gateway. In the Tesla hack, the
worst they could do was sound the horn! Apart
from isolation, the most important function of
the secure gateway is the firewall that separates
the external interfaces from the safety-critical
inner vehicle network. The gateway engine is a
contextually aware routing function that deter-
mines, by a number of increasingly sophisti-
cated checks, which messages are currently
legitimate, and will pass through the gateway
onto the destination.
Securing the interfaces is a critical require-
ment, but on its own may not be enough to
stop hackers. For example, they could com-
promise and impersonate a trusted device and
use this to bypass access control. Therefore,
one has to apply additional lines of defense.
One logical place to do so is in the in-vehicle
network, which forms the spine of the vehi-
cle and connects all the different parts of the
brains (ECUs). For example, countermeasures
may need to be implemented on the network
level. Once the external interfaces and inter-
nal networks are secured, the brains of the
connected car must also be protected. These
brains are formed by up to (and in some cases,
over) a hundred individual computers (ECUs)
that together implement the control functions
in the car, including many advanced (auto-
mated) driving functions. These ECUs contin-
uously generate, process, exchange and store
large amounts of valuable (sensitive) data.
And this protection helps in different ways.
1) Prevention of access, e.g. using machine-to-
machine authentication and gateway firewalls,
to ensure that hackers cannot access and tam-
per with the safety critical nodes in the vehicle.
2) Detection, e.g. secure boot of the controller,
to validate that the software is genuine and
trusted.
3) Reduction of impact, e.g. by isolating the
network domains, to prevent a compromised
infotainment unit being used to control e.g.
the brakes.
4) Fixing vulnerabilities e.g. enable full vehicle
OTA update capability through the secure
gateway, to fix vulnerabilities before they can
be exploited (at large scale) by hackers. The
connected car, as part of a smarter world, is
highly connected and constantly interacting
with its environment. In a new era of vehicle
complexity and connectivity, these connec-
tions bring enormous promises for increased
comfort, safety and efficiency. But with
that there opens a new era of ingenuity and
resourcefulness for car hackers, as with all con-
nected devices, and the connected car becomes
a target for cyberattacks. The security of the
vehicle electrical architecture is vital to ensure
the safety of the vehicle occupants. To secure
all of this, an integral approach is needed where
countermeasures are applied at all levels. The
exact security requirements for a specific vehi-
cle need to be determined using a thorough risk
analysis thatmust be part of its designprocess.
n
The four layers of automotive security
Product News
u-blox: automotive grade qualified
positioning and connectivity modules
u-blox announced the expansion of its
product offering with automotive qual-
ified product variants added to their
range of positioning and cellular wire-
less connectivity modules. The addi-
tions comprise the NEO-M8Q-01A and
NEO-M8L-01A, and respectively the
SARA-G350-02A and LISA-U201-03A.
Manufactured according to the ISO/TS
16949 automotive supply chain quality
management standard, the modules are
thoroughly tested with an extended qual-
ification process aimed at achieving the
lowest level of failure rates.
