On the Secure and Resilient Design of Connected Vehicles: Methods and Guidelines

Vehicles have come a long way from being purely mechanical systems to systems that consist of an internal network of more than 100 microcontrollers and systems that communicate with external entities, such as other vehicles, road infrastructure, the manufacturer’s cloud and external applications. This combination of resource constraints, safety-criticality, large attack surface and the fact that millions of people own and use them each day, makes securing vehicles particularly challenging as security practices and methods need to be tailored to meet these requirements.This thesis investigates how security demands should be structured to ease discussions and collaboration between the involved parties and how requirements engineering can be accelerated by introducing generic security requirements. Practitioners are also assisted in choosing appropriate techniques for securing vehicles by identifying and categorising security and resilience techniques suitable for automotive systems. Furthermore, three specific mechanisms for securing automotive systems and providing resilience are designed and evaluated. The first part focuses on cyber security requirements and the identification of suitable techniques based on three different approaches, namely (i) providing a mapping to security levels based on a review of existing security standards and recommendations; (ii) proposing a taxonomy for resilience techniques based on a literature review; and (iii) combining security and resilience techniques to protect automotive assets that have been subject to attacks. The second part presents the design and evaluation of three techniques. First, an extension for an existing freshness mechanism to protect the in-vehicle communication against replay attacks is presented and evaluated. Second, a trust model for Vehicle-to-Vehicle communication is developed with respect to cyber resilience to allow a vehicle to include trust in neighbouring vehicles in its decision-making processes. Third, a framework is presented that enables vehicle manufacturers to protect their fleet by detecting anomalies and security attacks using vehicle trust and the available data in the cloud

Extending AUTOSAR\u27s Counter-based Solution for Freshness of Authenticated Messages in Vehicles

Nowadays vehicles have an internal network consisting of more than 100 microcontrollers, so-called Electronic Control Units (ECUs), which control core functionalities, active safety, diagnostics, comfort and infotainment. The Controller Area Network (CAN) bus is one of the most widespread bus technologies in use, and thus is a primary target for attackers. AUTOSAR, an open system platform for vehicles, introduced in version 4.3 SecOC Profile 3, a counter-based solution to provide freshness in authenticated messages to protect the system against replay attacks. In this paper, we analyse and assess this method regarding safety constraints and usability, and discuss design considerations when implementing such a system. Furthermore, we propose a novel security profile addressing the identified deficiencies which allows faster resynchronisation when only truncated counter values are transmitted. Finally, we evaluate our solution in an experimental setup in regard to communication overhead and time to synchronise the freshness counter

Towards a Standardised Framework for Securing Connected Vehicles

Vehicular security was long limited to physical security - to prevent theft. However, the trend of adding more comfort functions and delegating advanced driving tasks back to the vehicle increased the magnitude of attacks, making cybersecurity inevitable. Attackers only need to find one vulnerability in the myriad of electronic control units (ECUs) and communication technologies used in a vehicle to compromise its functions. Vehicles might also be attacked by the owners, who want to modify or even disable certain vehicle functions.Many different parties are involved in the development of such a complex system as the functions are distributed over more than 100 ECUs, making it difficult to get an overall picture of the achieved security. Therefore, moving towards a standardised security framework tailored for the automotive domain is necessary.In this thesis we study various safety and security standards and proposed frameworks from different industrial domains with respect to their way of classifying demands in the form of levels and their methods to derive requirements. In our proposed framework, we suggest security levels appropriate for automotive systems and continue with a mapping between these security levels and identified security mechanisms and design rules to provide basic security. We further study in detail a mechanism which provides freshness to authenticated messages, namely AUTOSAR SecOC Profile 3, and present a novel extension that offers a faster synchronisation between ECUs and reduces the number of required messages for synchronisation

V2C: A Trust-Based Vehicle to Cloud Anomaly Detection Framework for Automotive Systems

Vehicles have become connected in many ways. They communicate with the cloud and will use Vehicle-to-Everything (V2X) communication to exchange warning messages and perform cooperative actions such as platooning. Vehicles have already been attacked and will become even more attractive targets due to their increasing connectivity, the amount of data they produce and their importance to our society. It is therefore crucial to provide cyber security measures to prevent and limit the impact of attacks.As it is problematic for a vehicle to reliably assess its own state when it is compromised, we investigate how vehicle trust can be used to identify compromised vehicles and how fleet-wide attacks can be detected at an early stage using cloud data. In our proposed V2C Anomaly Detection framework, peer vehicles assess each other based on their perceived behavior in traffic and V2X-enabled interactions, and upload these assessments to the cloud for analysis. This framework consists of four modules. For each module we define functional demands, interfaces and evaluate solutions proposed in literature allowing manufacturers and fleet owners to choose appropriate techniques. We detail attack scenarios where this type of framework is particularly useful in detecting and identifying potential attacks and failing software and hardware. Furthermore, we describe what basic vehicle data the cloud analysis can be based upon

Open Problems when Mapping Automotive Security Levels to System Requirements

Securing the vehicle has become an important matter in the automotive industry. The communication of vehicles increases tremendously, they communicate with each other and to the infrastructure, they will be remotely diagnosed and provide the users with third-party applications. Given these areas of application, it is evident that a security standard for the automotive domain that considers security from the beginning of the development phase to the operational and maintenance phases is needed. Proposed security models in the automotive domain describe how to derive different security levels that indicate the demand on security, but do not further provide methods that map these levels to predefined system requirements nor security mechanisms. We continue at this point and describe open problems that need to be addressed in a prospective security framework for the automotive domain. Based on a study of several safety and security standards from other areas as well as suggested automotive security models, we propose an appropriate representation of security levels which is similar to, and will work in parallel with traditional safety, and a method to perform the mapping to a set of predefined system requirements, design rules and security mechanisms

Towards a Standardized Mapping from Automotive Security Levels to Security Mechanisms

Modern vehicles are becoming targets and need to be secured throughout their lifetime. There exist several risk assessment models which can be used to derive security levels that describe to what extent components, functions and messages (signals), need to be protected. These models provide methods to gather application specific security requirements based on identified threat and item combinations that need to be coped with. However, a standardized mapping between security levels and required mandatory security mechanisms and design rules is currently missing. We address this problem first by suggesting that the risk assessment process should result in five security levels, similar to the functional safety standard ISO 26262. Second, we identify suitable security mechanisms and design rules for automotive system design and associate them with appropriate security levels. Our proposed methodology is as much as possible aligned with ISO 26262 and we believe that it should therefore be realistic to deploy in existing organizations

Resilient Shield: Reinforcing the Resilience of Vehicles Against Security Threats

Vehicles have become complex computer systems with multiple communication interfaces. In the future, vehicles will have even more connections to e.g., infrastructure, pedestrian smartphones, cloud, road-side-units and the Internet. External and physical interfaces, as well as internal communication buses have shown to have potential to be exploited for attack purposes. As a consequence, there is an increase in regulations which demand compliance with vehicle cyber resilience requirements. However, there is currently no clear guidance on how to comply with these regulations from a technical perspective.To address this issue, we have performed a comprehensive threat and risk analysis based on published attacks against vehicles from the past 10 years, from which we further derive necessary security and resilience techniques. The work is done using the SPMT methodology where we identify vital vehicle assets, threat actors, their motivations and objectives, and develop a comprehensive threat model. Moreover, we develop a comprehensive attack model by analyzing the identified threats and attacks. These attacks are filtered and categorized based on attack type, probability, and consequence criteria. Additionally, we perform an exhaustive mapping between asset, attack, threat actor, threat category, and required mitigation mechanism for each attack, resulting in a presentation of a secure and resilient vehicle design. Ultimately, we present the Resilient Shield a novel and imperative framework to justify and ensure security and resilience within the automotive domain

REMIND: A Framework for the Resilient Design of Automotive Systems

In the past years, great effort has been spent on enhancing the security and safety of vehicular systems. Current advances in information and communication technology have increased the complexity of these systems and lead to extended functionalities towards self-driving and more connectivity. Unfortunately, these advances open the door for diverse and newly emerging attacks that hamper the security and, thus, the safety of vehicular systems. In this paper, we contribute to supporting the design of resilient automotive systems. We review and analyze scientific literature on resilience techniques, fault tolerance, and dependability. As a result, we present the REMIND resilience framework providing techniques for attack detection, mitigation, recovery, and resilience endurance. Moreover, we provide guidelines on how the REMIND framework can be used against common security threats and attacks and further discuss the trade-offs when applying these guidelines

CONSERVE: A framework for the selection of techniques for monitoring containers security

Context:\ua0Container-based virtualization is gaining popularity in different domains, as it supports continuous development and improves the efficiency and reliability of run-time environments.\ua0Problem:\ua0Different techniques are proposed for monitoring the security of containers. However, there are no guidelines supporting the selection of suitable techniques for the tasks at hand.\ua0Objective:\ua0We aim to support the selection and design of techniques for monitoring container-based virtualization environments.\ua0Approach: First, we review the literature and identify techniques for monitoring containerized environments. Second, we classify these techniques according to a set of categories, such as technical characteristic, applicability, effectiveness, and evaluation. We further detail the pros and cons that are associated with each of the identified techniques.\ua0Result:\ua0As a result, we present CONSERVE, a multi-dimensional decision support framework for an informed and optimal selection of a suitable set of container monitoring techniques to be implemented in different application domains.\ua0Evaluation:\ua0A mix of eighteen researchers and practitioners evaluated the ease of use, understandability, usefulness, efficiency, applicability, and completeness of the framework. The evaluation shows a high level of interest, and points out to potential benefits

Modelling the Level of Trust in a Cooperative Automated Vehicle Control System

Vehicle-to-Vehicle communication is the key technology for achieving increased perception for automated vehicles where the communication allows virtual sensing with the use of sensors placed in other vehicles. In addition, this technology also allows recognising objects that are out-of-sight. This thesis presents a Trust System that allows a vehicle to make more reliable and robust decisions. The system evaluates the current situation and generates a Trust Index indicating the level of trust in the environment, the ego vehicle, and the other vehicles. Current research focuses on securing the communication between the vehicles themselves, but does not verify the content of the received data on a system level. The proposed Trust System evaluates the received data according to sensor accuracy, behaviour of other vehicles, and the perception of the local environment. The results show that the proposed method is capable of correctly identifying various situations and discusses how the Trust Index can be used to make more robust decisions