Post on 29-Dec-2015
transcript
ISSSC 2015, 8.9.2015 09.00 – 12.00
Functional Safety and IT Security Example
Dr Richard Messnarz
Dr Christian Kreiner
Company Profile
• Accredited iNTACS™ training provider for ISO/IEC 15504 and Automotive SPICE®
• Accredited VDA-QMC training provider and partner
• Moderator of the German SOQRATES initiative, where 23 leading German companies share knowledge concerning process improvement.
• EU Research Projects since 1995
Company Profile
• ISCN Ltd Ireland (Coordination Office) founded 1994 in Ireland
  – Development and consulting offices in Austria
• ISCN Regionalstelle founded 1997
• I.S.C.N. GesmbH founded 2001
  – Further offices in the ISCN Group in different countries
• EuroSPI Conference and Network Coordinator since 1994
• Vice President and Technology Provider for the European Certification and Qualification Association since 2005
• SPICE Assessments and Improvement Projects since 1994
Integrated Safety Design
Roles shown in the figure (labels as recovered): Assembler, Manufacturer, SW Safety + Security Designer, Mechatronic Designer, Technical Project Leader, HW Safety + Security Designer, System Safety + Security Engineer
Automotive Example
Understanding functional chains beyond and including the software
Item = Electric Power Steering (figure; labels as recovered):
• Steering wheel, driver steering torque
• Steering column (mechanical layout and torque)
• Torque-Index-Sensor, rack, powerpack torque sensor signal transmission
• X mm = Y° steering angle
• Powerpack: ECU, SW, connector, E-Motor
• Interfaces: CAN, CL15, CL30
• In – Vehicle Speed; In – Ignition On; Out – Steering Angle
Automotive Example
Understanding functional chains beyond and including the software
Item Extended by Steering Lock (figure; labels as recovered): ECU, SW, connector, E-Motor; CAN, CL15 (Ignition On), CL30 (Battery); M (motor symbol), Locking Bolt
Risk Classification
Independent confirmation measures [ISO 26262-2, 6.4.7 Tab1]:
• Confirmation reviews
• Functional safety audit
• Functional safety assessment
Independence of elements after decomposition:
• No dependent failures, or
• Dependent failures have a safety mechanism
Automotive Example
Understanding functional chains beyond and including the software
Item Extended by Steering Lock, with ASIL allocation (figure; labels as recovered):
• ECU, SW, connector, E-Motor; CAN, CL15, CL30; M (motor symbol), Locking Bolt
• In – Digital Ignition On 0/1: ASIL-B (D)
• In – Vehicle Speed: ASIL-B (D)
• In – Ignition On: ASIL-A (D)
• Lock-Control: ASIL-D
Software layers (figure; labels as recovered):
• L1 Base Software
• L2 Speed versus Ignition On/Off; L2 Motor Position Check
• Actuator Activation; inputs Vehicle Speed, Ignition On/Off; Safe State
• Function-Software
• L3 System Diagnosis: processor still working, workflow control, etc.
• ASIL D: independent memory, 2 independent CPUs synchronised
Building a Requirements Traceability as Part of the Safety Case
Automotive Example
Customer Requirements
  e.g. life time 15 years of steering lock
  e.g. lock the steering at standstill
Hazard Analysis: identification and classification of safety risks and hazards.
  e.g. Safety Goal: no uncontrolled actuation of steering lock
  e.g. Risk: uncontrolled actuation can happen with wrong clamp 15 input
FMEA / FMEDA: analysis of hazards and safety risks and measures by FMEA and FMEDA.
  e.g. Measure: redundant digital ignition on/off is needed to assure that speed is < 3 km/h, otherwise the steering lock stays open
System Requirements Specification
  System Requirements
    e.g. activating the steering lock at standstill within 1 second
    e.g. during its life time the system can manage up to 16000 locks/unlocks
  Safety Requirements
    e.g. we need to trust the speed information by ASIL D
    e.g. in case of speed > 3 km/h do not activate the steering lock
    e.g. safe state is steering lock open, also to be reached in case of ECU failure
Dependable vehicle: Understanding interference from IT Security
• Prio 1: Analyse IT threats which can lead to the hazardous failure
• Prio 2: Analyse additional IT security threats
Dependable vehicle: Understanding interference from IT Security
Threat table (Attack Type / Impact / How):
Spoofing Commands
  Impact: Messages on CAN are used to simulate that the car is stopping. Checksum algorithm and message structure is hacked.
  How: Sending key-less-go off signal, and at the same time sending speed is 0 and rpm is 0.
Denial of service
  Impact: Messages on CAN are used to simulate that the car is never stopping.
  How: Sending wrong digital on/off signal and speed always > 5 km/h (steering lock never actuates).
Tampering
  Impact: Changing configuration data in a memory (setting the speed limit for activating the steering lock).
  How: Changing from < 3 km/h to < 100 km/h during drive (activates when decreasing speed below 100).
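As an added, defender-side example (not from the slides): a lock-control decision in C that implements the safety requirements of the steering lock (engage only below 3 km/h, safe state = lock open) and rejects the Tampering scenario from the table above by integrity-checking the configured speed limit. The struct names, the complement-protected configuration and the message-freshness flag are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not from the slides. Lock-control decision for the steering
 * lock: engage only at standstill (speed < 3 km/h) confirmed by two
 * independent ignition-off inputs; any inconsistency yields the safe state
 * "lock open". The complement-protected configuration, the input names and
 * the freshness flag are assumptions for this example. */

#define SPEED_LIMIT_KMH 3u       /* safety requirement: speed < 3 km/h */

typedef struct {
    uint16_t limit_kmh;          /* configured activation threshold */
    uint16_t limit_kmh_inv;      /* bitwise complement, stored separately */
} lock_cfg_t;

typedef struct {
    uint16_t speed_kmh;          /* In - Vehicle Speed (CAN) */
    bool     speed_valid;        /* speed message received before timeout */
    uint8_t  ign_on_digital;     /* In - Digital Ignition On 0/1 (redundant path) */
    bool     ign_on_cl15;        /* In - Ignition On via clamp 15 */
} lock_inputs_t;

typedef enum { LOCK_OPEN = 0, LOCK_ENGAGE = 1 } lock_cmd_t;

/* Tampering check: both copies must be complements and the limit must not
 * exceed the certified 3 km/h, so a "< 100 km/h" written into memory is
 * rejected rather than obeyed. */
bool cfg_is_intact(const lock_cfg_t *cfg)
{
    return (uint16_t)~cfg->limit_kmh == cfg->limit_kmh_inv
        && cfg->limit_kmh <= SPEED_LIMIT_KMH;
}

/* Decision taken each cycle; every failed check ends in the safe state. */
lock_cmd_t lock_control(const lock_cfg_t *cfg, const lock_inputs_t *in)
{
    if (!cfg_is_intact(cfg))    return LOCK_OPEN;  /* tampered configuration */
    if (!in->speed_valid)       return LOCK_OPEN;  /* lost or blocked speed message */
    if (in->ign_on_digital > 1) return LOCK_OPEN;  /* invalid 0/1 encoding */
    /* L2 plausibility: the redundant ignition paths must agree and read "off". */
    if ((in->ign_on_digital == 1) != in->ign_on_cl15) return LOCK_OPEN;
    if (in->ign_on_cl15)        return LOCK_OPEN;
    if (in->speed_kmh >= cfg->limit_kmh) return LOCK_OPEN;  /* not at standstill */
    return LOCK_ENGAGE;
}
```

The Denial of service row of the table (speed reported as always > 5 km/h) is handled implicitly: the lock simply never engages, which is the safe state the requirements define.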
Dependable vehicle: Understanding interference from IT Security
Threat table (Attack Type / Impact / How):
Identity Spoofing
  Impact: Spoofing identity of garage; spoofing identity of message.
  How: Presumption of the above scenarios.
Information Disclosure
  Impact: Memory dump and copying of data, gaining knowledge about encryption keys, checksum algorithms.
  How: Presumption of the above scenarios.
Elevation of privilege
  Impact: Access to the gateway and access to the privileged bus in the car.
  How: Presumption of the above scenarios.
Dependable vehicle
Understanding interference from IT Security
Threat diagram with Automotive Defense Layers (figure; labels as recovered, grouped in their order of appearance):
• Automotive Defense Layer 1, Vehicle Bus and Gateway: Information Disclosure, Elevation of Privileges (maintenance tools, listening tools)
• Automotive Defense Layer 2, Vehicle Steering Related ECUs: Spoofing Identity, Spoofing of Commands, Tampering
• Automotive Defense Layer 3, Vehicle Function Steering Lock (ASIL-D): Denial of service, Spoofing of Commands leading to locking
Dependable vehicle: Understanding interference from IT Security
(The Spoofing Commands / Denial of service / Tampering threat table above is repeated here, with rows annotated ASIL-D.)
Traceability
Threat Specification per Safety Goal
Exercise
• Steering system – self steering – use the ASIL-D rated case
• Threat analysis using the table
• Threat analysis diagram with Automotive Defense Layers (AutoDLs)
Exercise template: Dependable vehicle, Understanding interference from IT Security
Threat table to be filled in (Attack Type / Impact / How):
Spoofing Commands
Denial of service
Tampering
Identity Spoofing
Information Disclosure
Elevation of privilege
Exercise template: Dependable vehicle, Understanding interference from IT Security
Threat diagram to be filled in (figure; labels as recovered): Information Disclosure, Elevation of Privileges, Spoofing Identity, Spoofing of Commands, Tampering, Vehicle Function, Denial of service, Spoofing of Commands leading to locking; Automotive Defense Layer 1, Layer 2, Layer 3