Cybersecurity | So that car hackers do not have a chance

Today’s cars are full of electronic components and, as very complex systems, are increasingly connected to the internet. This makes cars vulnerable to hacker attacks. Once again, standards have proven to be the foundation of cybersecurity.

New technology such as Automotive Ethernet is finding its way into modern vehicles to connect different vehicle components. Ethernet is available for different data speeds up to 10 Gbit/s, explains Kai Borgeest in the chapter on data communication in vehicles in the book Elektronik in der Fahrzeugtechnik. Ethernet components that meet the requirements for vehicle reliability according to the AEC standard Q100 [AEC] are currently available for data rates of 100 Mbit/s and, more recently, 1,000 Mbit/s. To network sensors, driver assistance systems and much more on this basis, the communication interface SOME/IP is used. This software, which has since become established, organizes “which recipient receives which information and when” (page 150).


Researchers led by Christoph Krauß from the Department of Computer Science at Darmstadt University of Applied Sciences took a closer look at the security aspects of the service-oriented middleware SOME/IP (Scalable Service-Oriented Middleware over IP) – and identified possible attacks, even when security mechanisms were in place. “It was interesting that the measures that are usually used to secure communication do not offer any protection against the attacks we found,” says Krauß. Thus, hackers can take complete control of a car remotely – and cause a potentially fatal accident, for example.

Darmstadt’s research group is also approaching the subject from a digital forensics perspective. After a crash, it must be possible to determine with legal certainty whether a hack has occurred – and, in the case of semi-autonomous vehicles, also who had control of the car at the time of the accident. Their article “Analyzing and Securing SOME/IP Automotive Services with Formal and Practical Methods”, in which the authors explain how the investigated cyberattacks can be presented, was presented in 2021 at the 14th International Conference on Accessibility, Reliability and Security (ARES), ACM, and received the “Best Research Document” award.

Less mechanics, more electronics and software

Modern cars are really very complex, software- and information-driven mechanical systems, states Springer author Ashish Jadhav in the chapter Automotive Cybersecurity in the book Automotive Embedded Systems. “More than 50 percent of the cost of today’s cars comes from the electronics and software they contain. There may be more than 100 million lines of code in the various controllers” (page 105). Jadhav describes general cybersecurity principles, analyzes the differences between traditional cybersecurity and vehicle cybersecurity, examines threats to cybersecurity in cars and the infotainment system in vehicles – a crucial component from a cybersecurity perspective – and finally provides an overview of three very important standards, namely Autosar, ISO 26262 and ISO/SAE 21434:

  • Automotive Open Software Architecture (Autosar) is an international standard for developing the software stack for a vehicle control unit. The aim of this standard is to ensure interoperability between different ECU providers. Since this standard was developed almost two decades ago, safety aspects have been discussed several times in the meantime and included in the standard in its various versions. Autosar’s safety focus is the definition of procedures and interfaces for secure communication on board.
  • The ISO 26262 standard deals with the functional safety of vehicle systems. Overall, a vehicle is a safety-critical system, as a fault can lead to death. All safety-critical subsystems of a motor vehicle must be inherently safe. Endangering the security of a subsystem can easily jeopardize the security of the entire system. According to Jadhav, functional safety and reliability for a car system are well-known areas for which standards, tools and techniques exist. But the intersection between cybersecurity and functional safety is an area that deserves further research.
  • The need for a cybersecurity standard in the automotive industry is due to the fact that several parties are involved in the manufacture of a vehicle. The original equipment manufacturer has many Tier 1 and Tier 2 suppliers who supply parts such as mechanics, hardware and software that are mounted on a specific vehicle. Because cybersecurity for cars involves the security of all these components, assembled and working together as one system, a seamless implementation of security in these subsystems is required. With the ISO/SAE 21434 standard, there is now a standardized approach to this.

Practical advice on cybersecurity

In their journal article Cybersecurity with ISO 21434 in practice (ATZelektronik 3-4-2022), the authors Christof Ebert and Jerome John provide not only an overview of the standard, but also detailed information for practitioners on security technology with ISO 21434 in eight steps, along with a case study. However, they emphasize that ISO/SAE 21434 only provides a framework for implementation and should not be misunderstood as a guide or even as a basis for a development process: “Cyber security is the responsibility of every engineer, not a separate organization. It needs a holistic approach starting with systems development and is traceable throughout the product life cycle.”
