
    STPA-Sec Applied to Path Planning: Quantum-Safe Autonomous Vehicles

    Autonomous vehicles and quantum computers are two emerging technologies that will transform our world in the not-too-distant future. This thesis examines the safety and security of autonomous vehicles in a world where adversaries have access to large-scale quantum computers. Large-scale quantum computers are relevant to automotive security because they can defeat the cryptographic foundation underlying critical safety systems such as path planning, perceptual unit, braking, steering, and engine electronic control units (ECUs). Peter Shor discovered a quantum computer algorithm in 1994 that can defeat modern-day public-key cryptography, including digital signatures (e.g., RSA, EdDSA), due to the algorithm’s ability to factor large numbers and find discrete logarithms efficiently [23]. According to existing mathematical theory, classical computers cannot factor large numbers or find discrete logarithms efficiently. The critical insight derived from this thesis is that an adversary can defeat an autonomous vehicle’s security of safety-critical systems with a large-scale quantum computer. In particular, the digital signatures used for authentication of over-the-air (OTA) software updates can be forged by an adversary with a large-scale quantum computer which, in the worst-case scenario, could enable a fleet-wide hack of an autonomous vehicle system potentially compromising a million vehicles simultaneously. The thesis explicitly identifies Tesla as a significant risk through their use of Ed25519, a discrete logarithm-based digital signature for OTA software updates [77], [78], [79]. Likely, most automotive manufacturers are at risk, but Tesla was the only company whose digital signature protocols were found to be publicly available on the internet. The analysis was completed using STPA-Sec (System-Theoretic Process Analysis for Security), an engineering risk management framework for identifying safety issues caused by security breaches. 
    Overviews of quantum computing and quantum-safe cryptography are given. In addition, a Monte Carlo simulation framework is proposed to estimate the probability and severity of a large-scale quantum computer attack on autonomous vehicles. In addition to outlining the attack, countermeasures are provided to mitigate the risk, such as automotive companies upgrading to the quantum-safe cryptography that NIST is currently standardizing. The NIST standardization is scheduled for completion in 2024. If automotive companies upgrade to quantum-safe cryptography, the risk from known attacks is eliminated, but a residual risk remains from currently unknown attacks. There is a reasonable amount of time to mitigate this risk, as large-scale quantum computers are not expected to exist until the end of the decade. However, the section on quantum cyber risk analytics focuses on estimating the risk in the worst 1 in 1,000 chance scenario. Based on a model that estimates quantum risk, whose details and assumptions are outlined in Chapter 11, the central insight from the analytics is that there is an approximate 99 in 100 chance that RSA-2048 will be broken in 24 hours within the next 15 years in the worst 1 in 1,000 chance scenario. A vision of a quantum-safe and quantum-enhanced autonomous vehicle future is painted, in which quantum computers and quantum sensors may significantly enhance many aspects of autonomous vehicles. Recommendations to improve STPA-Sec are provided. The main contributions of this work are identifying a worst-case scenario in which a million cars could be compromised by an adversary with access to a large-scale quantum computer, conducting a formal STPA-Sec analysis on the path planning control loop of an autonomous vehicle in the presence of an adversary with a large-scale quantum computer, providing suggestions on how to improve STPA-Sec, and the section on quantum risk management. In particular, conducting the first known quantum stress test, by estimating the risk of the worst 1 in 1,000 chance scenario for RSA-2048 to be broken in 24 hours within 15, 20, and 30 years, completes the contributions of this thesis.

    A Changing Landscape: On Safety & Open Source in Automated and Connected Driving


    An investigation into hazard-centric analysis of complex autonomous systems

    This thesis proposes the hypothesis that a conventional, and essentially manual, HAZOP process can be improved with information obtained from model-based dynamic simulation, using a Monte Carlo approach, to update a Bayesian Belief model representing the expected relations between causes and effects, and thereby produce an enhanced HAZOP. The work considers how the expertise of a hazard and operability study team might be augmented with access to behavioural models, simulations and belief inference models. This incorporates models of dynamically complex system behaviour, considering where these might contribute to the expertise of a hazard and operability study team, and how these might bolster trust in the portrayal of system behaviour. With a questionnaire containing behavioural outputs from a representative systems model, responses were collected from a group with relevant domain expertise. From this it is argued that the quality of analysis depends upon the experience and expertise of the participants, but that this might be artificially augmented using probabilistic data derived from a system dynamics model. Consequently, Monte Carlo simulations of an improved exemplar system dynamics model are used to condition a behavioural inference model and also to generate measures of emergence associated with the deviation parameter used in the study. A Bayesian approach towards probability is adopted where particular events and combinations of circumstances are effectively unique or hypothetical, and perhaps irreproducible in practice. Therefore, it is shown that a Bayesian model, representing beliefs expressed in a hazard and operability study, conditioned by the likely occurrence of flaw events causing specific deviant behaviour from evidence observed in the system dynamical behaviour, may combine intuitive estimates based upon experience and expertise with quantitative statistical information representing plausible evidence of safety constraint violation. A further behavioural measure identifies potential emergent behaviour by way of a Lyapunov Exponent. Together these improvements enhance the awareness of potential hazard cases.

    Multilevel Runtime Verification for Safety and Security Critical Cyber Physical Systems from a Model Based Engineering Perspective

    Advanced embedded system technology is one of the key driving forces behind the rapid growth of Cyber-Physical System (CPS) applications. A CPS consists of multiple coordinating and cooperating components, which are often software-intensive and interact with each other to achieve unprecedented tasks. Such highly integrated CPSs have complex interaction failures, attack surfaces, and attack vectors that we have to protect and secure against. This dissertation advances the state of the art by developing a multilevel runtime monitoring approach for safety and security critical CPSs in which there are monitors at each level of processing and integration. Given that computation and data processing vulnerabilities may exist at multiple levels in an embedded CPS, it follows that solutions present at the levels where the faults or vulnerabilities originate are beneficial for timely detection of anomalies. Further, the increasing functional and architectural complexity of critical CPSs has significant safety and security operational implications. These challenges are leading to a need for new methods in which there is a continuum between design time assurance and runtime or operational assurance. Towards this end, this dissertation explores Model Based Engineering methods by which design assurance can be carried forward to the runtime domain, creating a shared responsibility for reducing the overall risk associated with the system in operation. Therefore, a synergistic combination of Verification & Validation at design time and runtime monitoring at multiple levels is beneficial in assuring the safety and security of critical CPS. Furthermore, we realize our multilevel runtime monitor framework on hardware using a stream-based runtime verification language.

    Comprehensive concept-phase system safety analysis for hybrid-electric vehicles utilizing automated driving functions

    2019 Summer. Includes bibliographical references.
    Automotive system safety (SS) analysis involving automated driving functions (ADFs) and advanced driver assistance systems (ADAS) is an active subject of research but highly proprietary. A comprehensive SS analysis and a risk informed safety case (RISC) are required for all complex hybrid-vehicle builds, especially when utilizing ADFs and ADAS. Industry standard SS procedures have been developed and are accessible but contain few detailed instructions or references for the process of completing a thorough automotive SS analysis. In this work, a comprehensive SS analysis is performed on an SAE Level 2 autonomous hybrid-vehicle architecture in the concept phase which utilizes lateral and longitudinal automated corrective control actions. This paper first outlines a proposed SS process including a cross-functional SS working group procedure, followed by the development of an item definition inclusive of the ADFs and ADAS and an examination of 5 hazard analysis and risk assessment (HARA) techniques common to the automotive industry that were applied to 11 vehicle systems, and finally elicits the safety goals and functional requirements necessary for safe vehicle operation. The results detail functional failures, causes, effects, prevention, and mitigation methods, as well as the utility of, and instructions for completing, the various HARA techniques. The conclusion shows that the resulting critical safety concerns for an SAE Level 2 autonomous system can be reduced through the use of the developed list of 116 safety goals and 950 functional safety requirements.

    Considerations in Assuring Safety of Increasingly Autonomous Systems

    Recent technological advances have accelerated the development and application of increasingly autonomous (IA) systems in civil and military aviation. IA systems can provide automation of complex mission tasks, ranging across reduced crew operations, air-traffic management, and unmanned, autonomous aircraft, with most applications calling for collaboration and teaming among humans and IA agents. IA systems are expected to provide benefits in terms of safety, reliability, efficiency, affordability, and previously unattainable mission capability. There is also a potential for improving safety by removal of human errors. There are, however, several challenges in the safety assurance of these systems due to their highly adaptive and non-deterministic behavior, and vulnerabilities due to potential divergence of airplane state awareness between the IA system and humans. These systems must deal with external sensors and actuators, and they must respond in time commensurate with the activities of the system in its environment. One of the main challenges is that safety assurance, which currently relies upon authority transfer from an autonomous function to a human to mitigate safety concerns, will need to address their mitigation by automation in a collaborative dynamic context. These challenges have a fundamental, multidimensional impact on the safety assurance methods, system architecture, and V&V capabilities to be employed. The goal of this report is to identify relevant issues to be addressed in these areas, the potential gaps in the current safety assurance techniques, and critical questions that would need to be answered to assure the safety of IA systems. We focus on a scenario of reduced crew operation in which an IA system is employed that reduces, changes or eliminates a human's role in the transition from two-pilot operations.

    Preliminary Recommendations for the Collection, Storage, and Analysis of UAS Safety Data

    Although the use of UASs in military and public service operations is proliferating, civilian use of UASs remains limited in the United States today. With efforts underway to accommodate and integrate UASs into the NAS, a proactive understanding of safety issues, i.e., the unique hazards and the corresponding risks that UASs pose not only through their operations for commercial purposes but also to existing operations in the NAS, is especially important so as to (a) support the development of a sound regulatory basis, (b) regulate, design and properly equip UASs, and (c) effectively mitigate the risks posed. Data, especially about system and component failures, incidents, and accidents, provide valuable insight into how performance and operational capabilities/limitations contribute to hazards. Since the majority of UAS operations today take place in a context that is significantly different from the norm in civil aviation, i.e., with different operational goals and standards, identifying what constitutes useful and sufficient data on UASs and their operations is a substantial research challenge.

    Application of Project Management Strategies and Tools for an Efficient and Successful Competition-based Engineering Senior Capstone Design Project

    The industry-level engineering workforce for a project in modern times requires a clear plan and management process to execute the goals of the consumer and the producer. The engineers of tomorrow need the ability to be competitive and successful upon entry into the industry, where management tactics for the execution of the company's goals have already been established. The mentality within the industry is adaptable to senior collegiate-level competition-based capstone projects. Therefore the West Virginia University EcoCAR Mobility Challenge team has adapted, altered, or adjusted industry-level practices in order to have an overall functioning and effective team that follows a project management plan drawn from industry. The main intention of the EcoCAR Mobility Challenge is to convert a stock vehicle into a hybrid electric vehicle over four years following the Vehicle Development Process (VDP). The team started with fresh new members and team management at the start of the competition, and over the course of the competition the team was able to adapt, alter and adjust industry-level management tactics and practices into an overall successful team. In Year 1 of the competition the team placed seventh, and through the practice of using the tools from industry finished in third place in Year 3 of the competition. By executing a project management plan, teams at the university level can mitigate risk, develop proper schedules and team structures, communicate efficiently, and be successful. The skills adapted and used from industry for a competitive and efficient competition-based senior-level capstone not only make the project itself successful, as they would in industry, but knowledge of these tools prepares the students for the demanding, rigorous career within a project-based or product-based industry of their choice. The methods of management and tactics adopted by the team cover traditional and agile management, along with understanding management tactics in terms of communication, team structure and organization, scheduling, risk management, requirements management and change management. The tactics of management covered in this document can be adapted and applied to any engineering competition project with the desire to produce a successful product and to manage and operate an efficient team for continued sustainability in future endeavors.

    Managing Epistemic Uncertainties in the Underlying Models of Safety Assessment for Safety-Critical Systems

    When conducting safety assessment for safety-critical systems, epistemic uncertainty is an ever-present challenge when reasoning about the safety concerns and causal relationships related to hazards. Uncertainty around this causation thus needs to be managed well. Unfortunately, existing safety assessment tends to ignore unknown uncertainties, and stakeholders rarely track known uncertainties well through the system lifecycle. In this thesis, an approach is described for managing epistemic uncertainties about the system and safety causal models that are applied in a safety assessment. First, the principles that define the requirements for the approach are introduced. Next, these principles are used to construct three distinct steps that constitute an approach to manage such uncertainties. These three steps involve identifying, documenting and tracking the uncertainties throughout the system lifecycle so as to enable intervention to address them. The approach is evaluated by integrating it with two existing safety assessment techniques, one using models from a system viewpoint and the other using models from a component viewpoint. The approach is also evaluated through peer reviews, semi-structured interviews with practitioners, and review against requirements derived from the principles. Based on the evaluation results, it is plausible that our approach can provide a feasible and systematic way to manage epistemic uncertainties in safety assessment for safety-critical systems.