An Holistic Approach to Verifying Cybersecurity in Design
A powerful new generation of test and sim solutions aims to address specific security concerns associated with automotive designs.
Today’s vehicle is a mobile computer growing in complexity. From infotainment systems to propulsion, to advanced driver assistance systems (ADAS) and autonomous vehicles (AV), computers now drive how automobiles and trucks are designed, how they operate and how they’re increasingly connected. For that reason, the transformation of vehicles, roadways and cities has created new design considerations for engineers. One aspect that can’t be overlooked is cybersecurity and the need for an all-encompassing approach to ensure vehicle safety.
A 2019 study conducted by SAE International (in conjunction with Synopsys) highlights the level of angst around securing the advanced technologies designed into automobiles. Eighty-four percent (84%) of survey respondents are concerned that cybersecurity practices are not keeping up with the security landscape. Just as worrisome, 63% of survey respondents admitted they test less than half of hardware, software and other technologies for security vulnerabilities.
The National Highway Traffic Safety Administration (NHTSA), recognizing the growing trepidation, has suggested a multi-layered approach to cybersecurity. The focus is on a vehicle’s entry points, both wireless and wired, that can be potentially vulnerable to a cyberattack. Among the recommendations suggested by the agency are:
- establishing a risk-based prioritized identification and protection process for safety-critical vehicle control systems
- architectures, methods and measures that design-in cyber resiliency and facilitate rapid recovery from incidents when they occur
Implementing the proper verification processes can ensure products and systems meet the NHTSA recommendations. Part of those processes — for both OEMs and suppliers — is to create test environments that can perform all the necessary tests accurately and efficiently.
The rollout of 5G and Internet of Things (IoT) advances have received much attention. Other technologies are also impacting designs, particularly from a security perspective. One example is Open Radio Access Network (O-RAN). Traditionally, the focus to prevent nefarious cyberattacks has been solely on the user equipment (UE). While that remains important, the integration of O-RAN technologies results in the need to take a more holistic approach.
O-RAN architecture (Fig. 1) comes with many advantages, particularly in terms of connectivity and compatibility. Open interfaces facilitate multi-vendor cooperative deployments, thus enabling a more competitive and vibrant supplier system.
Network efficiency and performance are also improved through RAN automation. O-RAN makes it easy to import new network capability via easy software upgrades. Its native cloud infrastructures provide more flexibility and eliminate the reliance on a single vendor for all aspects of RAN implementation and optimization.
All those benefits are realized due to the open-source architecture. Historically, open source was used predominantly in small applications. O-RAN expands the open architecture to the network scale. Open networks also introduce many more players with limited experience in the wireless space. Because O-RAN allows off-the-shelf hardware and open-source software from multiple vendors, it creates more opportunities for cyber breaches that compromise security.
The responsibility for cybersecurity lies both with OEMs and Tier 1s. That is the case for all wireless testing, not just security. More OEMs have become proactive and are conducting tests upon receipt of the systems being integrated into the vehicle, as the software running in the vehicle and the hardware architecture of the vehicle are important for cybersecurity. This is particularly true when it comes to AVs.
Testing takes on additional importance at all levels of the ecosystem due to these advances. It is one thing for the system to meet specification as a stand-alone product, quite another when it is integrated into a vehicle environment. There must be testing to ensure there is no interference and/or mechanisms within the network that can serve as a back door for cyber criminals to enter.
Because O-RAN is an open-source architecture, there are myriad potential configurations from countless manufacturers. All need to be tested for security. Ensuring they are not vulnerable to cyberattacks falls to the individual stakeholders. Unfortunately, most are conducting verification in silos. It is particularly challenging on the network side, as there is no established process for an end-to-end verification from the Central Unit (CU) to Distributed Units (DU) and Radio Units (RU), as well as controlling network slices connected to specific use cases.
A potential solution is the establishment of cybersecurity plugfests. Manufacturers of base stations, CUs, DUs, RUs and test companies, as well as software developers can conduct scenarios to determine how well an entire network can withstand cyberattacks, not just the individual elements. It is particularly important given the multiple mission-critical use cases of vehicles.
Establishing test environments
To further ensure systems can withstand cyberattacks efficiently, test environments that can simulate real-world scenarios in a controlled setting need to be created. These tests should be done by Tier 1 suppliers to ensure their specific network components meet specification. Second-level testing based upon the use case also needs to be conducted at the system level.
Common test hardware is critical so that different software applications can be loaded. It is also important that a single vendor provides this software-centric solution that can conduct cybersecurity, as well as RF and application tests. Cybersecurity elements sit atop the RF and application layers, so a software solution that can test all layers creates efficiencies that improve design confidence and lower cost-of-test.
A software-based solution has another advantage. Most Tier 1 suppliers work with multiple auto manufacturers. Software allows for a seamless and efficient testing environment that is flexible and can be enhanced to meet specific requirements.
Support of legacy wireless technologies is another consideration. Vehicles will continue to utilize 3G, 4G and 5G technologies. Each presents opportunities for cyberattacks. Therefore, test solutions must be robust enough to conduct reliable tests on all three wireless technologies to ensure vehicle safety.
Test sim scenarios
A powerful new generation of test and simulation solutions has been developed to address the specific security concerns associated with automotive designs. These systems can efficiently verify compliance with 3GPP by connecting with actual servers. Comprehensive testing can take place without the influence of an RF channel, as well as under specific network conditions. Such an approach can also reproduce bugs and cyberattacks common in the field while the UE is in the lab.
Dedicated software packages can let the base station emulator (Fig. 2) create an interactive test environment without complicated test scripts. As a result, the engineer does not need a thorough understanding of wireless standards to perform the required tests. A network simulator can emulate critical cybersecurity attacks in a controlled environment to ensure systems can withstand an attack. Among the critical tests are:
Denial of Service — With dedicated software installed on a signaling tester, an encryption algorithm can be simulated. A call/transmission with the designated algorithm is established. The test solution injects mechanisms to attack the network or send different packets to the network that appear legitimate but are actually from a malicious source.
Network Bombardment — The network simulator establishes a scenario in which signals from numerous UEs bombard the network. The goal is to overload the servers, so the network can’t provide the required service. The solution replicates end-of-service to reveal how devices/network elements handle a scenario if a similar nefarious act occurs.
Practical Security Testing — As mentioned, UE testing remains critical. As such, another test is conducted in which a signaling tester or wireless communications test set serves as a base station. Software connects with the UE and a testing server. Functional security measurements are conducted to verify the UE performs according to specification.
Penetration Testing — This is an aggressive, all-up exercise of system-wide security. Penetration tests are typically done by security experts who use their experience to determine vulnerabilities. This type of testing (Fig. 3) may go beyond simulation to conducting certain attacks on the UE or telematic control unit (TCU) while connected to a live wireless network. In this case, the simulator creates a Rogue Base Station (RBS) scenario. The RBS masquerades as a legitimate base station to facilitate a Man-in-The-Middle (MiTM) attack between handsets, or another mobile UE, and the mobile network.
Cellular Fuzzing — Another test attempts to uncover vulnerabilities that might be the basis for future attacks. This technique is commonly used to explore the dark corners of a computer program, network, embedded system or other device’s threat space. For UE verification, the network simulator generates inputs that have been systematically malformed to be invalid, unexpected or random commands, replies or data packets. Crashes, incorrect code assertions or other unexpected, potentially security-critical behavior is monitored by the network simulator.
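The fuzzing loop described above, shown as an added example that is not part of the original article or any vendor's test software: a generator produces systematically malformed messages and a monitor separates clean rejections from crashes. The tag-length-value message layout, both parsers and the seed message are constructed for illustration and are not 3GPP message formats.

```python
# Added example: systematic mutation fuzzing of a constructed TLV message parser.
# The message layout and both parsers are hypothetical stand-ins, not 3GPP code.

def parse_fragile(msg: bytes) -> dict:
    """Toy target: trusts the length octet, so malformed input escapes as IndexError."""
    fields, i = {}, 0
    while i < len(msg):
        tag, length = msg[i], msg[i + 1]
        fields[tag] = bytes(msg[i + 2 + k] for k in range(length))
        i += 2 + length
    return fields

def parse_hardened(msg: bytes) -> dict:
    """Same format, but every bound is checked and bad input is rejected cleanly."""
    fields, i = {}, 0
    while i < len(msg):
        if i + 2 > len(msg):
            raise ValueError("truncated header")
        tag, length = msg[i], msg[i + 1]
        if i + 2 + length > len(msg):
            raise ValueError("length exceeds message")
        fields[tag] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return fields

def mutations(seed: bytes):
    """Yield systematically malformed variants: boundary-value bytes and truncations."""
    for pos in range(len(seed)):
        for value in (0x00, 0x7F, 0x80, 0xFF):
            if seed[pos] != value:
                yield seed[:pos] + bytes([value]) + seed[pos + 1:]
    for cut in range(len(seed)):
        yield seed[:cut]

def fuzz(target, seed: bytes) -> dict:
    """Run every mutation and classify the outcome, as the monitoring side would."""
    report = {"accepted": 0, "rejected": 0, "crashes": []}
    for case in mutations(seed):
        try:
            target(case)
            report["accepted"] += 1
        except ValueError:
            report["rejected"] += 1      # clean, specified rejection
        except Exception as exc:         # anything else is a finding to triage
            report["crashes"].append((case.hex(), type(exc).__name__))
    return report

# Constructed seed message: tag 0x01 with 2 value bytes, tag 0x02 with 3 value bytes.
SEED = bytes.fromhex("0102aabb0203112233")

if __name__ == "__main__":
    for name, target in (("fragile", parse_fragile), ("hardened", parse_hardened)):
        r = fuzz(target, SEED)
        print(name, r["accepted"], r["rejected"], len(r["crashes"]))
```

Each entry in `crashes` keeps the exact input that triggered it, which is what allows a finding to be reproduced in the lab and turned into a regression test.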
The evolution of the automobile has created a new level of cybersecurity testing. It has gone beyond the vehicle itself and extends to the entire network. Establishing a comprehensive testing approach that verifies all levels of the ecosystem requires solutions that emulate the real-world environment. Implementing this approach will bring greater confidence in how vehicles will withstand cyberattacks.