Baking in Protection

With vehicles joining the Internet of Things, connectivity is making cybersecurity a must-have obligation for automotive engineers, from initial designs through end-of-life.

Many techniques are combined in Harman’s defense in depth strategy.

Consumer demands for connectivity open the vehicle up to the dark side of the Internet, making cybersecurity an important design requirement for vehicle providers. Automakers have several unique challenges as they attempt to provide connectivity in vehicles that have burgeoning amounts of software that must remain secure and efficient over long vehicle lifetimes.

Throughout the industry, there’s a race to leverage safeguards used in other industries in ways that meet automotive safety and reliability requirements. A number of tools will be employed, many using over-the-air (OTA) updating to fix vulnerabilities and adapt to changing threats.

Intel’s Automotive Security Review Board aims to help foster best practices for security.

Pathways for hackers open up when vehicles join the Internet of Things, and security defects in software provide vulnerabilities that hackers can exploit. That’s a challenge being addressed by suppliers at every level, from semiconductors through to complete systems.

“One challenge is the sheer amount of software on a chip,” said Amrit Vivekanand, Segment Marketing Manager at Renesas Electronics America. “The more software you have, the more potential there is that weaknesses can be exploited.”

Software defects are being reduced, but debuggers can’t catch them all. Cars run far more software than most embedded systems, so even rare security faults add up to significant vulnerabilities.

Most OEMs are moving towards over-the-air updates that use the infotainment systems’ connectivity, according to Red Bend.

“In high-quality software, there’s roughly one defect for every 10,000 lines of code,” said IP Park, Harman’s CTO. “If you’ve got 100 million lines of code in a car, you’ve already got 10,000 defects in your system. It’s almost impossible to get rid of all of them.”

Throughout the industry, there’s an emergent effort to protect vehicle electronics. Last fall, Intel set up the Automotive Security Review Board, which it says will encompass top security industry talent across the globe. Researchers will perform ongoing security tests and audits intended to codify best practices and design recommendations for advanced cybersecurity solutions. Intel designed a test platform and created a security white paper.

Ford and Microsoft teamed to develop over-the-air updating for Sync 3.

“We will provide a platform to be hacked, or more politely said, tested,” said Intel Automotive Solutions Division General Manager Elliot Garbus. “As we find vulnerabilities, the white paper will be updated.”

E pluribus unum

Automakers will be able to leverage expertise from many entities to create their proprietary protective schemes. Military and telecommunications companies have focused on cybersecurity for years, creating standards and techniques that can easily be adapted to automotive systems. In vehicles, one of the key issues is to securely isolate connected infotainment systems from the other electronic modules.

Operating system providers like QNX Software and Green Hills Software use partitioning to ensure that a problem with an app on the infotainment system won’t impact any other functions. Other vendors such as Wind River Systems use hypervisors to prevent any unwanted interactions or cycle stealing between modules.

Microcontrollers from Renesas and others now include many peripherals that help system designers protect and update growing volumes of software.

“A hypervisor splits functions into separate operating systems,” said Oren Betzaleli, Automotive Business Manager at Red Bend. “It isolates down to the hardware level; nothing is shared.”

Gateways can also block messages from moving deeper into vehicle systems. Regardless of safeguards being used, security software must be continuously updated to close newly discovered vulnerabilities and adapt to ever-changing threats.

“Putting in a gateway largely isolates the rest of the car, but the problem is that you need to pass messages between modules,” Vivekanand said. “OTA updating is a big factor.”

Keep it fresh

OTA will let OEMs upgrade software without requiring owners to take vehicles into shops. That’s not popular with dealerships, but many observers say that eventually, automotive firmware will be updated much like on mobile phones.

IHS Automotive says that the OTA-capable vehicle fleet will grow from barely more than 200,000 units in 2015 to more than 96 million by 2022. While security is a critical driving force, cost reductions are also fueling adoption. IHS estimates that global OEM cost savings from OTA updates will grow to more than $35 billion in 2022.

While many proponents say that OTA is a necessity in the battle against malware, automakers haven’t exactly been racing to roll it out. There are myriad challenges for technologists, and the potential that a single bit error could cause major liability issues brings corporate attorneys into the discussion.

“There’s been a reluctance to move towards OTA updating, which is needed to address evolving security threats,” Garbus said. “Tesla has embraced it, but that’s certainly not the case at most automotive OEMs.”

However, there are signs of change. For example, Ford teamed with Microsoft in March 2015 to create the Ford Service Delivery Network, which will deliver over-the-air software updates for Sync 3. OTA specialists say that interest is definitely rising.

“It’s only been the last few years that OEMs have understood the benefits of OTA,” Betzaleli said. “Three years ago, they showed minimal interest. But we’re involved with nearly everyone now.”

Trusted OTA updates

Security systems rely on defense in depth, using layered safeguards to ensure that malware can be blocked or detected if it gets through one defensive element. In the vehicle, the hardware side of security begins with microcontrollers.

Chipmakers provide encryption modules that help prevent unauthorized parties from injecting communications onto vehicle networks. These chips also have secure storage areas that hold the keys used to authenticate communications. That’s important while programs are being updated, so that malware cannot alter any program.

“Hardware provides the root of trust,” Park said. “Without it, OTA can’t be trusted.”

Making sure that updates are authentic is critical for any OTA technique. Hackers intent on harming a driver or extorting funds from an automaker may try to intercept or tamper with an update at any stage of its lifetime. Constant checking will be mandatory.

“Every sub-package will be verified when it’s received by the ECU, which will also ensure that what was sent was the same as what was received,” Betzaleli said. “That ensures that nothing has been altered or hacked.”
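The per-sub-package check Betzaleli describes, modelled as an added Python example (not code from Red Bend, Harman or any other vendor named here): the back end authenticates a manifest of per-chunk SHA-256 hashes, and the ECU verifies that manifest against a key from its secure storage before accepting any data, then checks each sub-package as it arrives and refuses anything altered. An HMAC key stands in for the asymmetric signature and hardware-anchored public key a production root of trust would use; the key, chunk size and version string are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the verification key a real ECU keeps in the
# microcontroller's secure key store (assumption: HMAC instead of a signature).
ECU_UPDATE_KEY = b"constructed-test-key-not-for-production"
CHUNK_SIZE = 4096


def build_update(image: bytes, key: bytes = ECU_UPDATE_KEY):
    """Back end: split the image into sub-packages, authenticate a manifest of their hashes."""
    chunks = [image[i:i + CHUNK_SIZE] for i in range(0, len(image), CHUNK_SIZE)]
    manifest = {
        "version": "constructed-1.0.0",
        "total_len": len(image),
        "chunks": [hashlib.sha256(c).hexdigest() for c in chunks],
    }
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"manifest": body, "tag": tag}, chunks


class EcuVerifier:
    """ECU side: authenticate the manifest once, then check every sub-package as it arrives."""

    def __init__(self, signed_manifest, key: bytes = ECU_UPDATE_KEY):
        body = signed_manifest["manifest"]
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        # Constant-time compare; an unauthentic manifest rejects the whole update.
        if not hmac.compare_digest(expected, signed_manifest["tag"]):
            raise ValueError("manifest authentication failed")
        self.manifest = json.loads(body)
        self.received = bytearray()
        self.index = 0

    def receive_chunk(self, chunk: bytes) -> bool:
        """Buffer the chunk only if its hash matches the manifest entry for this position."""
        if self.index >= len(self.manifest["chunks"]):
            return False  # more data than the manifest describes
        if hashlib.sha256(chunk).hexdigest() != self.manifest["chunks"][self.index]:
            return False  # altered or corrupted sub-package: do not apply it
        self.received += chunk
        self.index += 1
        return True

    def complete(self) -> bool:
        """True only when every sub-package arrived intact and the total length agrees."""
        return (self.index == len(self.manifest["chunks"])
                and len(self.received) == self.manifest["total_len"])
```

Only `complete()` returning True should allow the buffered image to be flashed; a single rejected chunk leaves the ECU on its current firmware.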

Security is only one facet of this. OTA upgrades must do no harm. Downloads will typically occur when the vehicle is turned off, making battery power something of a concern. Additionally, cell phone users might accept a restart or some other step, but car owners probably won’t be as forgiving.

“In general, beyond security, the challenges all relate to ensuring that the update arrives into the vehicle complete, that the vehicle is in a safe state for an update to be applied when it arrives, and that the vehicle is left in an operational state when the update is finished,” said Walter Sullivan, Head of Elektrobit’s Silicon Valley Innovation Lab.