Standard emerges to help fight threat of automotive hacks
Crucial to the advancements in ADAS are rapidly improving sensor technologies. Image sensors, in particular, are driving the improved effectiveness of ADAS. Backup cameras are already warning drivers of obstacles behind them when they are parking. Other cameras mounted around the vehicle body provide drivers with a 360° view of their surroundings, eliminating the dangerous blind spots that lead to accidents during lane changes. Increasingly, sensor technologies are being used in automated systems that prevent the car from moving into danger. Sophisticated features such as LED flicker mitigation and high dynamic range overcome the problems caused by bad lighting conditions that would otherwise disrupt the ADAS algorithms.
At the same time, vehicle manufacturers are taking advantage of sensor fusion to blend data from modalities that include visual images, infrared, radar, LiDar and ultrasound. In this way, sensors can compensate for the situations that would otherwise compromise performance, such as driving in heavy fog, rain or when the sun is close to the horizon. Coupled with advanced control algorithms, the network of sensors makes the prospect of fully autonomous driving on public highways feasible in the near future.
With the increased use of electronic sensing and computation comes risk. Although fusion can handle the highly varied driving environments ADAS-enabled vehicles will face, the systems can be forced to misbehave if the data streams they handle are corrupted. Sensor fusion can help overcome the corruption from a malfunctioning device but a bigger problem is that of deliberate tampering, especially if the corruption is designed to overcome normal error-correction routines.
The spectre of hacking has shifted from being a theoretical concern to become a genuine threat as exemplified by a number of proof-of-concept hacks demonstrated by several security researchers. So far, the proof-of-concept attacks have focused on individual subsystems, such as the engine control or attempts to fool different types of sensor. A growing problem for safety assessments is the increasingly complex nature of the ADAS algorithms, which are turning to forms of machine learning. This leaves them vulnerable to novel forms of attack such as adversarial examples, where physical changes that humans might not notice completely change the how car’s electronics interpret the situation.
In practice, adversarial examples and similar attacks on machine learning present a limited threat as they are very sensitive to the filtering effects of lenses and often only work at specific distances. Sensor-fusion techniques will, as much as they can with adverse weather conditions, provide a degree of protection. But hackers may take advantage of highly focused techniques as parts of a larger strategy: they first weaken the defences of the overall system using seemingly unrelated attacks with the attack on the machine-learning systems being the point at which the overall vehicle fails to respond in the correct manner.
The network of ECUs and sensor modules in a car forms a complete distributed computer. For an attacker, if defences are not put in place, the interlinked modules provide many potential points of attack that, as has been found with hacks performed on corporate networks, may involve multiple compromises that when combined disrupt the system’s operation.
Figure 1: Examples of attack points
The types of attack that are open to hackers can take many forms. A tampering based attack may involve a module that is inserted when the vehicle is being serviced or during a break-in. The corrupted module is used to send sensor data over the in-vehicle network that mislead the vehicle into making undesirable decisions. An altered image-sensor module might show frames out of sequence or replay old frames that make it impossible for the ADAS to respond to actual road conditions correctly.
A physical attack could go further using a denial-of-service attack: removing access to keys sensors entirely or causing one or modules to generate garbage that floods the network, making it impossible for any ECUs to receive valid data. Alternatively, hackers might use a physical attack to weaken network defences and then use remote attacks launched over a wireless network at an infotainment subsystem to compromise data sent over the safety-critical networks.
The problem facing the vehicle OEM is the sheer variety of potential attacks and the problems of detecting each of them. The after-effects of tampering-type corruption can be very difficult to detect because it demands close attention to the synchronisation between sensor modules. If a denial-of-service attack happens, the vehicle will most likely have to stop in order for any type of fix to take place.
To address these issues related to cybersecurity in vehicles, in 2016 the ISO and Society of Automotive Engineers (SAE) began work on a number of standards including the new ISO/SAE 21434. Along with 82 contributors including OEMs, semiconductor companies, cybersecurity experts, academic institutions and others a first Draft International Standard (DIS) was released in early 2020, with a final standard planned for late 2020.
ISO/SAE 21434 is focused on the cybersecurity aspects of an automotive system that affect its safety. The standard under development follows a similar approach to ISO 26262 in that it uses risk assessment to identify the key threats and find ways to mitigate them, using processes based on V-diagrams to manage their implementation. It specifically does not mandate product or technology solutions but, in common with ISO26262, it defines a process that must be followed throughout the lifetime of the vehicle from design to decomissioning.
As existing standards do not adequately cover cybersecurity topics, ISO/SAE 21434 will cover all electronic systems, components, sensors and software in the vehicle and span the entire supply chain. To be compliant with the new standard, automotive manufacturers and suppliers will have to be able to demonstrate that cybersecurity engineering and cybersecurity management has been applied throughout the design, in all elements of the associated supply chain.
The use of the V-diagram approach provides for layered solutions to risk assessment and mitigation that will greatly help to monitor and suppress hacking attempts. For example, secure protocols are likely to form a key part of the underlying set of technologies that will be used to defend the system. In tampering and denial-of-service attacks, one of the core problems is that compromised modules can affect system operation because their outputs are not controlled. A lack of security on the networks also allows for eavesdropping and replay attacks that use data sent over the network earlier. As the in-vehicle data is time-sensitive, repetition of those frames can easily disrupt correct operation.
Fig. 2: Sample of threat analysis
To prevent attacks on the network and provide the support needed by vehicle manufacturers to follow the ISO/SAE 212434 procedures, sensor and ECU manufacturers are moving to incorporate secure protocols that allow the system to check data integrity on each and every packet. onsemi is among the suppliers that have already implemented support for data encryption, error-checking and secure communications into their sensor components. By encrypting and hashing packets with unalterable timestamps, replayed packets can readily be rejected. Modules that fail to respond correctly to encrypted challenges can be removed from the network or the vehicle put into a limp-home or immobilised mode until the offending module is removed or replaced with an authentic version.
Other approaches being taken include support for specialised modes such as fault injection embedded into the silicon. These provide manufacturers and tier-one integrators to test the effectiveness of procedures and protocols that ensure safe and secure operation.
Although the new standard is not yet mandated by law, as it becomes available automakers are expected to adopt it as best practice and put a compliance requirement upon their suppliers, meaning that it will rapidly become part of future connected vehicles.
While the exact impact of ISO/SAE 21434 on individual products cannot be fully understood until the standard is finalized, there will inevitably be some changes in the software and hardware of many components, including sensors. These may result in new ISO/SAE 21434 compliant products, or enhanced versions of existing products that are able to claim compliance to the standard. There will certainly be changes to the ways in which secure devices and vehicles are developed and tested.
It is vital that the safety benefits of ADAS are not damaged by the threat of hacking issues. onsemi already embraces multiple standards, including the draft of ISO/SAE 21434 through their entire product development process, ensuring that the cybersecurity capabilities meet the threats that sensor-based systems are likely to encounter. By working together with the industry and helping to develop standards such as ISO/SAE 21434, onsemi is helping to enable security and deliver on the promise of ADAS, and pave the way to fully autonomous vehicles.
About the author:
Giri Venkat is Technical Marketing & Solutions Architecture, onsemi.
If you enjoyed this article, you will like the following ones: don't miss them by subscribing to :
