The network gateway holds the key to security and enhanced safety of connected and automated vehicles
As intelligent and automated vehicles evolve, there is growing awareness within the industry and among consumers of the need for stronger vehicle cybersecurity measures. The risks of malicious hacking are high and could result in serious damage to property and vehicles in addition to potentially deadly consequences for drivers and passengers.
Legacy and even newer network systems are often fragmented, leaving them porous and especially vulnerable to cyberattack. The solution is to introduce an element common in IP enterprise networking — the network gateway. The network gateway acts as a communications routing and policy engine for the vehicle network: it directs traffic from sensors to processing nodes and commands from processing nodes to actuators or other processing nodes (all while ensuring the isolation, integrity, and flow of communications).
Security and safety must always be at the core of the vehicle network gateway. The entire Ethernet gateway system must be taken into account when identifying the requirements for an absence of unreasonable risk. That means support for new and legacy vehicle bus protocols, and the ability to support field-based replacement of sensitive electronic components and subsystem upgrades without compromising vehicle safety. The vehicle gateway also must support automated sub-network provisioning — in effect, knowing which components are authorized to communicate in which groups, and ensuring secure enrollment of new ECUs (electronic control units) into the appropriate networks with minimal support from a back-end system. The gateway must discern trusted ECU modules from untrusted or potentially compromised devices, and use this information to manage network policy effectively.
These requirements depend on the gateway establishing secure communication using trusted device identities, cryptographically robust client authentication, and key management schemes best suited to the heterogeneous in-vehicle network environment.
Fortified against attack
A key facet of creating a secure environment is the use of trusted partners and solutions within that environment. These components must have the proper security and safety features and be verified to be hardened against security attacks.
A layered security architecture solution minimizes the risks of single-point security vulnerability by creating multiple layers of security — with the gateway serving as a trust anchor.
A robust gateway security certificate manager oversees connections between vehicle electronics subsystems and functions as the arbiter of trusted relationships. It applies the public key infrastructure (PKI) authentication and key management principles of a modern network platform, with a gateway-based key master supporting the heterogeneous networks of today’s vehicles, to secure CAN, CAN FD (CAN with flexible data-rate) and Ethernet-based subsystems and the vehicle communications that run over them.
Building up trust
The process of provisioning digital identities and sensitive keying material requires trust rooted in a local key manager within each automotive ECU. This enables the ECU to interact with the gateway to establish secure connections via an authenticated key agreement.
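The authenticated key agreement described above, written out as an added example (this is not Molex code or any product's protocol): each side holds a long-term identity key in its local key manager, signs a fresh ephemeral ECDH key with it, and only derives a session key after the peer's signature checks out against the identity key learned at enrollment. The party names, the transcript format, the "vehicle-session-v1" label and the SHA-256 key derivation are assumptions made for the example; a real deployment would use its own agreed encoding and KDF.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is an ECU or the gateway: a long-term identity key kept by its local
// key manager, plus the peer's identity public key learned at enrollment.
type Party struct {
	Name     string
	identity *ecdsa.PrivateKey
	peerID   *ecdsa.PublicKey
}

// Hello is one side's contribution: an ephemeral ECDH public key and a
// signature over (name || ephemeral key) made with the identity key.
type Hello struct {
	Name      string
	Ephemeral []byte
	Sig       []byte
}

// NewParty generates a fresh identity key (stands in for factory provisioning).
func NewParty(name string) *Party {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Party{Name: name, identity: k}
}

// Pair records the peer's identity public key, as enrollment would.
func (p *Party) Pair(peer *Party) { p.peerID = &peer.identity.PublicKey }

// transcript is the signed message: hash of sender name and ephemeral key (assumed format).
func transcript(name string, eph []byte) []byte {
	h := sha256.Sum256(append([]byte(name+"|"), eph...))
	return h[:]
}

// Start creates an ephemeral key and signs it with the long-term identity key.
func (p *Party) Start() (*ecdh.PrivateKey, Hello, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, Hello{}, err
	}
	pub := eph.PublicKey().Bytes()
	sig, err := ecdsa.SignASN1(rand.Reader, p.identity, transcript(p.Name, pub))
	if err != nil {
		return nil, Hello{}, err
	}
	return eph, Hello{Name: p.Name, Ephemeral: pub, Sig: sig}, nil
}

// Finish verifies the peer's signed ephemeral key, then derives the session key.
// A hello not signed by the expected identity key is rejected before any
// shared secret is computed.
func (p *Party) Finish(mine *ecdh.PrivateKey, theirs Hello) ([]byte, error) {
	if !ecdsa.VerifyASN1(p.peerID, transcript(theirs.Name, theirs.Ephemeral), theirs.Sig) {
		return nil, errors.New(p.Name + ": peer signature invalid, aborting key agreement")
	}
	peerPub, err := ecdh.P256().NewPublicKey(theirs.Ephemeral)
	if err != nil {
		return nil, err
	}
	shared, err := mine.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	// Bind the session key to both ephemeral keys, in a fixed order so both
	// sides compute the same value (simple SHA-256 KDF, assumed for the example).
	a, b := mine.PublicKey().Bytes(), theirs.Ephemeral
	if bytes.Compare(a, b) > 0 {
		a, b = b, a
	}
	k := sha256.Sum256(append(append(append([]byte("vehicle-session-v1"), shared...), a...), b...))
	return k[:], nil
}

// Handshake runs the exchange between an ECU and the gateway. If impostor is
// non-nil, its hello is presented to the gateway in place of the ECU's, as a
// device with the wrong identity key would. Returns whether both ends agreed.
func Handshake(ecu, gw, impostor *Party) (bool, error) {
	ecuEph, ecuHello, err := ecu.Start()
	if err != nil {
		return false, err
	}
	gwEph, gwHello, err := gw.Start()
	if err != nil {
		return false, err
	}
	if impostor != nil {
		_, ecuHello, _ = impostor.Start()
	}
	kGw, err := gw.Finish(gwEph, ecuHello)
	if err != nil {
		return false, err
	}
	kEcu, err := ecu.Finish(ecuEph, gwHello)
	if err != nil {
		return false, err
	}
	return bytes.Equal(kGw, kEcu), nil
}

func main() {
	ecu, gw := NewParty("ecu-body-1"), NewParty("gateway")
	ecu.Pair(gw)
	gw.Pair(ecu)
	ok, err := Handshake(ecu, gw, nil)
	fmt.Println("genuine ECU:", ok, err)
	ok, err = Handshake(ecu, gw, NewParty("ecu-body-1"))
	fmt.Println("impostor ECU:", ok, err)
}
```

The gateway never computes a shared secret for a hello it cannot attribute to an enrolled identity, which is the property that lets the local key manager, rather than the back end, vouch for each connection.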
Gateway connections are established using an embedded trust anchor list detailing known and trusted suppliers, which is provisioned during vehicle assembly. Occasional communication with an OEM back end for trust anchor management and certificate status checks keeps trust lists up-to-date.
The security scheme must also include isolation mechanisms to protect the integrity of the key manager, firewall access to safety-critical network interfaces, and — when appropriate — allow for a ‘run-safe’ mode if anomalies are detected. All downloaded applications should be certified and signed by the proper authorities, which set the permissions those applications have over resources in the system.
Resilience is another fundamental requirement. Enhanced security must not disrupt the functionality or limit the serviceability of systems it is meant to protect. Thus, the trusted key manager is able to coordinate key distribution for a closed network in a normal operating mode.
A modern network platform should be able to police the entire vehicle network with an identity-based access control policy that automates subsystem provisioning — while working in conjunction with an OEM back end to detect counterfeit and blacklisted parts. For example, the OEM can control which vehicle functionality is disabled when untrusted, used, or stolen components are fitted during a vehicle repair. This in turn enables OEMs to manage their liability with respect to vehicle warranties as well as security updates and safety-critical operations.
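An added example, not Molex code or any vendor's implementation, of the enrollment decision the gateway makes under the scheme described in the preceding paragraphs: the trust anchor list is a pool of supplier CA certificates provisioned at assembly, the back-end blacklist is a set of certificate serial numbers, and the identity-based policy maps the role carried in an ECU certificate to the sub-network it is allowed to join. The supplier names, serial numbers, role names and sub-network labels are constructed for the example; the three scenarios (genuine, blacklisted, and counterfeit part from an unknown CA) are built inline so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy table: the organizational unit in an ECU certificate decides which
// sub-network the gateway provisions the ECU into (constructed values).
var subnetPolicy = map[string]string{
	"powertrain": "CAN-powertrain",
	"body":       "CAN-body",
	"adas":       "Ethernet-adas",
}

// Gateway holds the trust anchor list (supplier CAs provisioned at vehicle
// assembly) and a blacklist of certificate serials pushed by the OEM back end.
type Gateway struct {
	anchors   *x509.CertPool
	blacklist map[string]bool
}

// Enroll decides whether an ECU presenting cert may join a sub-network and,
// if so, which one. Order matters: chain validation first, then revocation
// status, then policy lookup.
func (g *Gateway) Enroll(cert *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: g.anchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("supplier not in trust anchor list: %w", err)
	}
	if g.blacklist[cert.SerialNumber.String()] {
		return "", errors.New("part is blacklisted by the OEM back end")
	}
	if len(cert.Subject.OrganizationalUnit) != 1 {
		return "", errors.New("certificate carries no single sub-network role")
	}
	subnet, ok := subnetPolicy[cert.Subject.OrganizationalUnit[0]]
	if !ok {
		return "", errors.New("no policy for role " + cert.Subject.OrganizationalUnit[0])
	}
	return subnet, nil
}

// newSupplierCA mints a self-signed supplier CA (stand-in for a real supplier PKI).
func newSupplierCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issueECUCert has the supplier CA sign an identity certificate for one ECU,
// carrying its sub-network role in the OU field.
func issueECUCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, role string) *x509.Certificate {
	ecuKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: fmt.Sprintf("ecu-%d", serial), OrganizationalUnit: []string{role}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &ecuKey.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// RunScenarios enrolls a genuine, a blacklisted and a counterfeit (unknown-CA)
// ECU and reports the outcome of each.
func RunScenarios() map[string]string {
	trustedCA, trustedKey := newSupplierCA("Trusted Supplier CA")
	rogueCA, rogueKey := newSupplierCA("Unknown CA")
	anchors := x509.NewCertPool()
	anchors.AddCert(trustedCA)
	gw := &Gateway{anchors: anchors, blacklist: map[string]bool{"1002": true}}

	results := map[string]string{}
	for name, cert := range map[string]*x509.Certificate{
		"genuine-powertrain": issueECUCert(trustedCA, trustedKey, 1001, "powertrain"),
		"stolen-body":        issueECUCert(trustedCA, trustedKey, 1002, "body"),
		"counterfeit-adas":   issueECUCert(rogueCA, rogueKey, 1003, "adas"),
	} {
		if subnet, err := gw.Enroll(cert); err != nil {
			results[name] = "rejected: " + err.Error()
		} else {
			results[name] = "provisioned into " + subnet
		}
	}
	return results
}

func main() {
	for name, outcome := range RunScenarios() {
		fmt.Printf("%-20s %s\n", name, outcome)
	}
}
```

The counterfeit part fails at chain validation, so the gateway never consults policy for it; the stolen part chains to a trusted supplier and is stopped only by the blacklist, which is why occasional contact with the OEM back end for certificate status is part of the scheme.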
A PKI-based approach to trusted key management within the vehicle gateway, used to secure and apply policy to communication between ECUs, is the logical path to enhanced security and manageability for the increasingly connected vehicle.
Joe Stenger is Advanced Technology Development Manager at Molex.