Security for the Autonomous Vehicle: Identifying the Challenges
Mike Parris, Head of Secure Car Division
November 2016

Today's agenda
- A Definition
- Developing a Threat Model
- Key Findings
- Conclusions
A Definition
SAE (Society of Automotive Engineers) levels of vehicle autonomy
Car manufacturers are working towards deploying systems corresponding to Level 3.
- SAE Level 0: No Automation
- SAE Level 1: Driver Assistance
- SAE Level 2: Partial Automation
- SAE Level 3: Conditional Automation
- SAE Level 4: High Automation
- SAE Level 5: Full Automation

We're going to focus on Level 3 onwards:
- SAE Level 3: Conditional Automation
- SAE Level 4: High Automation
- SAE Level 5: Full Automation
Autonomous Technologies: Complementary to Connected Services
Sensing needs: Camera, Ultrasonic, Radar, Laser
The sensors all have different characteristics and therefore can't replace each other but rather complement each other, leading to complex sensor fusion schemes.

ADAS Partitioning
Piecemeal ADAS development over the years - 3 main groups:
- Forward Facing: Adaptive Cruise Control, Automatic Emergency Braking, Lane Keeping Assistance
- Rear Facing: Blind Spot Information, Side Collision Mitigation
- All Around: 360 degree view, Fully Autonomous
SAE Level 3 systems fuse forward-facing and rear-facing sensors (a hybrid approach between hardwired and networked topology).
SAE Level 4 will fuse all sensors in a centralised unit.
Developing a Threat Model

Threat Modelling
Attacker view: Attack Objective -> Attack Tree toolkit -> Attack Trees -> Potential Attack List
Defender view: System Architecture -> DFDs -> STRIDE toolkit -> Auto-generated Report -> Security Requirements
Bringing it all together
Developing a Threat Model: identify generic layers and entities
- Cloud layer: AI, Map data
- Sensors layer: Driver Monitoring, Ultrasonic, Radar, Lidar, Cameras
- Human Machine Interface layer: Instrument Cluster, On/Off Activation, Head-up Display
- Vehicle Data layer: Door Status, Vehicle Speed, Steering Wheel Position, Throttle Position, Brake Pedal Position, Gear Position
- Actuators layer: Accelerator Demand, Braking Demand, Steering Demand

Developing a Threat Model: create a system architecture
- ADAS Sensor Fusion: Driving Assistance
- Cloud Computing: OTA Update, Real-time Traffic Updates, V2X, AI
- Central Gateway Module linking the Powertrain, Chassis, Convenience and Infotainment domains, whose ECUs include: Gearbox ECU, EMS, Fuel Pump, Suspension Control, Steering Control, Dynamic Stability Control, Brake Control, ABS, Switch Pack, Anti-theft System, Door Module, Accessory Power Management, HVAC, Seat Control, Instrument Cluster, Head-up Display, Driver Monitoring, Hi-Fi Amplifier, Head Unit, Rear-Seat Entertainment, Telematics Control

Developing a Threat Model: create a data flow diagram (DFD)

Developing a Threat Model: auto-generate DFD threat report
- Identifies all possible threats from a system architecture perspective
- Not all threats are relevant, and there may be considerable duplication
Developing a Threat Model: identify attack objectives and create attack trees
- All threats are relevant
- Difficult to demonstrate completeness of the attack tree

Threat Modelling: bringing it all together
Attacker view: Attack Objective -> Primary Functions -> Attack Tree toolkit -> Attack Trees -> Potential Attack List
Defender view: System Architecture -> DFDs -> STRIDE toolkit -> Auto-generated Report -> Security Requirements
- All potential attacks and security requirements are relevant, with full 2-way traceability
- Completeness demonstrated by reference to the DFD auto-generated report
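As an added illustration of the two views above and of the two preceding slides (the duplication in an auto-generated DFD report, and the difficulty of showing an attack tree is complete), the Python script below runs STRIDE-per-element over a small DFD, collapses the duplicate entries, and cross-references an attack tree against the generated list in both directions. It is example code written for this page, not SBD's toolkit or anything from the original deck; the DFD elements, the attack-tree leaves, the "skip flows inside one trust boundary" rule and the STRIDE-per-element applicability table are all assumptions made for the example.

```python
"""STRIDE-per-element over a constructed DFD with two-way attack-tree traceability.
Added example for this page; the DFD, attack tree and mapping table are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Conventional STRIDE-per-element applicability: which categories each DFD element type admits.
STRIDE_BY_TYPE = {
    "external": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "datastore": {"T", "R", "I", "D"},
    "dataflow": {"T", "I", "D"},
}
THREAT_NAME = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
               "I": "Information disclosure", "D": "Denial of service",
               "E": "Elevation of privilege"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                        # external | process | datastore | dataflow
    crosses_boundary: bool = False   # only meaningful for data flows


@dataclass(frozen=True)
class Threat:
    element: str
    category: str


def generate_threats(dfd):
    """Defender view: enumerate every STRIDE threat the DFD admits (the raw auto-generated report)."""
    threats = []
    for el in dfd:
        # Assumption for the example: a flow that stays inside one trust boundary is out of scope.
        if el.kind == "dataflow" and not el.crosses_boundary:
            continue
        for cat in sorted(STRIDE_BY_TYPE[el.kind]):
            threats.append(Threat(el.name, cat))
    return threats


def dedupe_by_category(threats):
    """Collapse the raw list to one entry per category with the set of affected elements,
    so the report stops repeating e.g. 'Tampering' once per flow."""
    grouped = defaultdict(set)
    for t in threats:
        grouped[t.category].add(t.element)
    return {cat: sorted(els) for cat, els in grouped.items()}


def cross_reference(dfd, attack_tree):
    """Bring the views together.  Returns (covered, uncovered, unmapped):
    covered  - attack-tree leaf -> generated threat it instantiates (attack -> requirement)
    uncovered - generated threats no leaf addresses yet (requirement -> attack)
    unmapped - leaves naming an element/category the DFD cannot produce; these break the
               completeness argument and need either a DFD fix or a tree fix."""
    generated = set(generate_threats(dfd))
    covered, unmapped = {}, []
    for objective, leaves in attack_tree.items():
        for desc, element, cat in leaves:
            t = Threat(element, cat)
            if t in generated:
                covered[(objective, desc)] = t
            else:
                unmapped.append((objective, desc))
    uncovered = sorted(generated - set(covered.values()),
                       key=lambda t: (t.element, t.category))
    return covered, uncovered, unmapped


# Constructed DFD slice of the architecture on the slides (names are illustrative).
DFD = [
    Element("Radar", "external"),
    Element("Map data", "datastore"),
    Element("Sensor fusion", "process"),
    Element("Central Gateway", "process"),
    Element("Braking Demand", "dataflow", crosses_boundary=True),
    Element("Radar -> Sensor fusion", "dataflow", crosses_boundary=True),
    Element("Sensor fusion -> Gateway", "dataflow", crosses_boundary=False),
]

# Constructed attack tree: objective -> leaves of (description, DFD element, STRIDE category).
ATTACK_TREE = {
    "Forced crash": [
        ("inject a false braking demand", "Braking Demand", "T"),
        ("spoof a radar return to trigger emergency braking", "Radar", "S"),
    ],
    "Denial of service": [
        ("flood the gateway so fusion misses its deadline", "Central Gateway", "D"),
    ],
    "PII leakage": [
        ("read historical routes from the map cache", "Map data", "I"),
        ("escalate to admin on map cache", "Map data", "E"),   # datastores admit no 'E': unmapped
    ],
}

if __name__ == "__main__":
    raw = generate_threats(DFD)
    print(f"{len(raw)} raw threats across {len(dedupe_by_category(raw))} categories")
    covered, uncovered, unmapped = cross_reference(DFD, ATTACK_TREE)
    for key, t in covered.items():
        print("covered:", key, "->", THREAT_NAME[t.category], "of", t.element)
    for t in uncovered:
        print("no attack yet for:", THREAT_NAME[t.category], "of", t.element)
    for key in unmapped:
        print("attack leaf not grounded in the DFD:", key)
```

The `uncovered` list is the practical output: each entry is a generated threat that the attack tree has not yet explained, which is exactly the completeness gap the slide says an attack tree alone cannot demonstrate. The `unmapped` list catches the opposite error, a leaf that claims a threat the DFD cannot produce.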
Key Findings

Findings: vehicle level threat examples (some obvious)
- Forced crash: direct control
- Complete denial of service: fail to start/engage, operational failure; at SAE L4 and L5 there is no driver fall-back
- Leakage (theft) of Personally Identifiable Information (PII): real-time, historical

Findings: vehicle level threat examples (some less obvious)
- Partial system failure with the driver unaware, including calibration errors
- Leakage (theft) of PII: predictive
- Breach of an autonomous vehicle geo-fence (SAE L4)
- Pedestrian-provoked injury
- Congestion management

Findings: vehicle level threats, key mitigations
- Resilience to sensor interference:
  - Need for duplicate/redundant sensors
  - Multiple verification, a special case of fusion: like sensors (duplicate/redundant); unlike sensors (e.g. correlate wheel speed with GPS speed)
- Security validation at point of manufacture
- Security validation during operational service:
  - Calibration at roadside/service facility (windscreen-mounted sensors, accident repair)
  - OEM parts vs after-market parts
- Supply chain integrity: Supplier - OEM - Distributor/Dealer - Customer/Driver - Service/Repair
- Vehicle behaviour:
  - Monitoring of one vehicle (use, misuse, abuse)
  - Standard operation of systems between vehicles
  - Fail-safe / limp-home modes
- AI integrity: digital forensics, data recorder, PII privacy
- Failure, misuse, abuse: a spectrum of resilience
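The "multiple verification" mitigation above, as an added example that is not from the original deck: voting across like sensors (four wheel-speed encoders) and a plausibility check between unlike sensors (wheel speed against GPS-derived speed), with a fail-safe / limp-home decision when the sources disagree. The encoder parameters, tolerance thresholds, sample frames and the three-state decision are assumptions constructed for this example, not figures from the slides.

```python
"""Like-sensor voting plus unlike-sensor cross-check for vehicle speed.
Added example; thresholds, encoder parameters and sample frames are constructed."""
from statistics import median

WHEEL_CIRCUMFERENCE_M = 2.0      # assumed vehicle parameter
PULSES_PER_REV = 48              # assumed encoder resolution
MAX_SPEED_DISAGREEMENT = 0.15    # assumed: 15 % relative gap tolerated between unlike sources
MAX_LIKE_SENSOR_SPREAD = 0.05    # assumed: 5 % gap tolerated between redundant like sensors


def wheel_speed_mps(pulses_per_s):
    """Convert a wheel-encoder pulse rate into vehicle speed in m/s."""
    return pulses_per_s / PULSES_PER_REV * WHEEL_CIRCUMFERENCE_M


def vote_like_sensors(readings):
    """Redundant like sensors: take the median as consensus and flag any reading that
    departs from it by more than the tolerated spread (a stuck or interfered-with encoder).
    With two of four sensors bad the median falls between the groups and everything is
    flagged, which the caller treats as loss of the whole channel.
    Returns (consensus, indices_of_outliers)."""
    m = median(readings)
    outliers = [i for i, r in enumerate(readings)
                if m > 0 and abs(r - m) / m > MAX_LIKE_SENSOR_SPREAD]
    return m, outliers


def check_unlike_sensors(wheel_mps, gps_mps):
    """Unlike sensors: wheel speed and GPS speed come from independent physics, so a large
    disagreement means one source is wrong (interference, spoofing, or a calibration error
    after a repair).  Near standstill the relative comparison is meaningless, so it is skipped.
    Returns True when the two sources are consistent."""
    ref = max(wheel_mps, gps_mps)
    if ref < 1.0:
        return True
    return abs(wheel_mps - gps_mps) / ref <= MAX_SPEED_DISAGREEMENT


def assess(frame):
    """One fusion step over a frame {'wheel_pulses': [4 rates in pulses/s], 'gps_mps': float}.
    Returns 'ok', 'degraded' (one like sensor dropped, sources still agree) or 'limp_home'
    (sources cannot be reconciled: fall back rather than act on unverified speed)."""
    speeds = [wheel_speed_mps(p) for p in frame["wheel_pulses"]]
    consensus, outliers = vote_like_sensors(speeds)
    if len(outliers) > 1:
        return "limp_home"          # wheel channel as a whole cannot be trusted
    if not check_unlike_sensors(consensus, frame["gps_mps"]):
        return "limp_home"          # wheel and GPS disagree; neither can be preferred blindly
    return "degraded" if outliers else "ok"


# Constructed frames.  480 pulses/s at 48 pulses/rev and 2 m circumference is 20 m/s.
FRAMES = {
    "nominal":        {"wheel_pulses": [480, 482, 478, 481], "gps_mps": 20.1},
    "stuck_encoder":  {"wheel_pulses": [480, 482, 0, 481],   "gps_mps": 20.1},
    "gps_interfered": {"wheel_pulses": [480, 482, 478, 481], "gps_mps": 31.0},
    "two_bad_wheels": {"wheel_pulses": [480, 0, 0, 481],     "gps_mps": 20.1},
}


def assess_all(frames=FRAMES):
    """Run every constructed frame through assess(); convenient for a test or a quick demo."""
    return {name: assess(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, decision in assess_all().items():
        print(f"{name:15s} -> {decision}")
```

The point of the unlike-sensor check is that a single interfered-with source cannot be detected from inside its own channel; only a source with different failure physics gives the fusion layer grounds to refuse the value and drop to a fail-safe mode.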
Conclusions

Conclusions: are all industry stakeholders being sufficiently proactive?
- Collaboration (pre-competitive) between OEMs and suppliers:
  - System behaviours: automated driving, vehicle licences
  - HMI behaviours: user interaction, user licences
- Collaboration across the extended supply chain:
  - Beyond point of manufacture
  - Beyond point of first sale (change of ownership)
  - After-market and independent service centres
- Resilient fusion technology:
  - Balancing cost vs resilience
  - Balancing performance (accuracy, security, safety)
- Security audits and vehicle health reports:
  - At point of manufacture
  - Within operational service (what, frequency, who, where)
- Enforcement and regulatory frameworks:
  - Regional flexibility vs global harmonisation
  - Activity and progression vs fragmentation
  - Marketing advantage; homologation
More about SBD
Since 1995 we live, eat and breathe automotive. We enable data-driven decisions. We are here to help!
Our Mission: To be the world-leading knowledge partner for the automotive industry
Our Intelligence & Insight Services: Model-level databases, Technology forecasts, Supplier intelligence, Market regulations, News analysis
Our Approach: We are committed to adapting to our clients' needs and always strive for the highest quality of service
Our Expertise: The largest team of in-car technology specialists, recruited from over 10 OEMs & suppliers
Our Evaluation Services: Expert UX testing, Consumer UX testing, Iterative prototype evaluation, KPI setting, Cyber security testing
Our Offices: SBD NA (Michigan, USA), SBD EU (Milton Keynes, UK), SBD Japan (Nagoya, Japan), SBD India (Bangalore, India)
Our Customers: 95% of OEMs, 65% of Tier-1s, 60% of Service Providers
Our Strategy Services: New market entry support, RFP/RFQ management, M&A due diligence, Strategic workshops, Supplier positioning support
Your Contact Person: Mike Parris, MikeParris@sbdautomotive.com, +44 (0)1908-305105