11th Japan ITS Promotion Forum
SIP-adus Activities Report
February 14, 2017 Satoru Taniguchi, Chairperson
SIP-adus Cyber Security Sub-working group / Toyota InfoTechnology Center Co., Ltd.
Cross-Ministerial Strategic Innovation Promotion Program Innovation of Automated Driving for Universal Services
—Cyber Security—
<Translated Version>
Table of contents
I. Cases of cyber security attacks against vehicles
II. Vehicle system architecture, and cyber security countermeasure examples
III. Target of SIP-adus Cyber security
IV. Four-year plan
Ⅰ. Cases of cyber security attacks on vehicles
・Fiat Chrysler recalls 1.4 million cars after Jeep hack (2015)
・Researchers remotely hack Tesla Model S (Keen Security Lab, 2016). The company said the vulnerabilities that Keen Security Lab uncovered would only be accessible under a very specific circumstance: when the vehicle's web browser was in use and the car was connected to a malicious Wi-Fi hotspot.
Ⅱ. Vehicle system architecture, and cyber security countermeasure examples
[Figure: vehicle system architecture in four layers, with an arrow labelled "Threat" entering from the external network]
Layer 1, Entire mobility society: data center / cloud, smartphone, vehicle-to-vehicle and vehicle-to-infrastructure communication (V2X communication), diagnostic device (dedicated line), charging station (dedicated line)
Layer 2, Entire vehicle (external communication devices): TCU (telematics dedicated wireless, LTE), H/U (Bluetooth, Wi-Fi), V2X unit, PLC, in-vehicle GW
Layer 3, In-vehicle system (GW and in-vehicle LAN), by domain: Multimedia; Body (air conditioning, doors, …); Chassis (steer, brakes, …); Powertrain (engine, …); ADAS (ADAS, locator, …)
Layer 4, Components: the individual ECUs
Examples of security measures, placed across external communication devices, GW, in-vehicle LAN and ECU: digital signature; encryption; key management; access control (authentication, filtering); access control (filtering); anomaly detection; ECU authentication; secure boot; secure storage; tampering detection; secure programming; secure log
TCU: Telematics Communication Unit  PLC: Power Line Communication  GW: Gateway  H/U: Head Unit  ADAS: Advanced Driver Assistance Systems  ECU: Electronic Control Unit
Recent cases show layer 2 to 4 in-vehicle systems being taken over and manipulated through attacks that use layer 1 telematics and Wi-Fi as the entry point.
Vehicle system resilience is ensured by combining countermeasure and detection technologies at each layer; the concrete system architecture differs for each OEM.
Ⅲ. Target of SIP-adus Cyber security
[Figure: the same four-layer vehicle system architecture as in Ⅱ (layer 1 entire mobility society, layer 2 entire vehicle, layer 3 in-vehicle system, layer 4 components), with the security-measure examples, and the SIP-adus research scope marked]
Data center security is covered by the separate programme "SIP Cyber-Security for Critical Infrastructure".
SIP-adus therefore conducts research targeted at the vehicle's layer 2 and below, with an eye toward industry and global standardization.
Ⅲ-1. Threat analysis
[Overview of the whole tool set (conceptual completed diagram)]
① Use case database
② System-level threat analysis method
③ Security requirements
④ Architecture diagram
⑤ Metrics calculation
(1) Research of a threat analysis methodology for cyber attacks [FY2016]
・Incorporate defense-in-depth and a countermeasure strategy for multi-stage attacks
・Refer to threat databases (Auto-ISAC, NVD, etc.)
・Compatibility with the JasPar analysis specification
(2) Development of integrated analysis [from FY2017]
・Tool development to integrate threat analysis with functional safety analysis
・Development of industry-standard tools in collaboration with JAMA and JasPar
Ⅲ-2. Evaluation method
(1) Development of a vehicle black-box evaluation method [Layer 2: entire vehicle]
Confirm resilience and functional safety with Wi-Fi and telematics as the attack entry points:
a) Sniffing b) Port scan c) Fuzzing d) Penetration e) Jamming
・Large-scale field operational test from 2017
・Reflect the results into an industry-standardized evaluation method
・Cooperation with Auto-ISAC
Ⅲ-2. Evaluation method (continued)
(2) Development of an evaluation method for in-vehicle communication (CAN bus) [Layer 3: in-vehicle system]
① Using an in-vehicle communication simulator, confirm the assumed attack methods and the resulting communication behaviour [create an evaluation database]:
a) DoS attack: 1) high-frequency transmission 2) message collision 3) transmission of malfunction messages
b) Spoofing attack: 1) message replay 2) message tampering 3) transmission-frequency tampering
Evaluation (attack) method example, DoS attack by high-frequency transmission from a specific node: monitor the messages transmitted by the ECU under evaluation, then send messages carrying the same CAN ID and meaningless data onto the virtual bus at the shortest cycle the simulator specification allows.
[Figure: evaluation setup] The in-vehicle communication protocol simulator (microcomputer, etc.) acts as the testing (attacking) ECU on a virtual CAN bus that is bridged to the actual CAN bus. The evaluation section is the part of the ECU under evaluation in which in-vehicle communication protocol processing takes place.
Ⅲ-2. Evaluation method (continued)
(2) Development of an evaluation method for in-vehicle communication (CAN bus) [Layer 3: in-vehicle system]
② Intrusion detection guidelines
・CAN message cycle disturbance
・CAN message cycle omission, etc.
[Figure: Robocar ® MV2 system configuration example (Type B platform + control PC & SDK)] Control PC and SDK running the user program, connected to the Type B platform over CAN (published protocol), with Wi-Fi as an option. Added for the evaluation: a virtual TCU / adus device (security ECU) that injects the attack data to be verified, and a network monitoring device (secure ECU).
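As an added example (not code from the SIP-adus report or its test bed), the following monitor implements the two guideline checks above, cycle disturbance and cycle omission, and runs them over a constructed CAN log in which an attacking node floods a legitimate node's CAN ID at the shortest cycle, as in the DoS evaluation method on the previous slide. The CAN IDs, nominal periods, tolerance ratios and frame timestamps are assumptions made for the illustration.

```python
# Added example, not from the SIP-adus report: a periodic-message monitor for
# CAN of the kind the intrusion detection guidelines describe (cycle
# disturbance, cycle omission), run against constructed traffic in which an
# attacking node floods the bus with a legitimate node's CAN ID at the
# shortest possible cycle. CAN IDs, periods and tolerances are assumptions.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    ts_us: int      # timestamp in microseconds (integers avoid float drift)
    can_id: int
    data: bytes


# Hypothetical nominal transmit periods in microseconds, as an OEM's network
# description would specify them for each periodic CAN ID.
NOMINAL_PERIOD_US = {0x1A0: 10_000, 0x2B0: 20_000}


class CycleMonitor:
    """Flags frames that arrive much earlier (cycle disturbance) or much
    later (cycle omission) than the nominal period of their CAN ID."""

    def __init__(self, periods, min_ratio=0.5, max_ratio=2.0):
        self.periods = periods
        self.min_ratio = min_ratio   # gap below this fraction of the period: disturbance
        self.max_ratio = max_ratio   # gap above this multiple of the period: omission
        self.last_seen = {}
        self.alerts = []             # (ts_us, can_id, kind)

    def observe(self, frame):
        period = self.periods.get(frame.can_id)
        if period is None:
            self.alerts.append((frame.ts_us, frame.can_id, "unknown-id"))
            return
        prev = self.last_seen.get(frame.can_id)
        self.last_seen[frame.can_id] = frame.ts_us
        if prev is None:
            return
        gap = frame.ts_us - prev
        if gap < period * self.min_ratio:
            self.alerts.append((frame.ts_us, frame.can_id, "cycle-disturbance"))
        elif gap > period * self.max_ratio:
            self.alerts.append((frame.ts_us, frame.can_id, "cycle-omission"))

    def check_silence(self, now_us):
        """Catch senders that stopped entirely, where no later frame triggers observe()."""
        for can_id, period in self.periods.items():
            last = self.last_seen.get(can_id)
            if last is not None and now_us - last > period * self.max_ratio:
                self.alerts.append((now_us, can_id, "cycle-omission"))


def constructed_traffic():
    """Constructed bus log: legitimate 0x1A0 every 10 ms and 0x2B0 every 20 ms;
    an attacker floods 0x1A0 with meaningless data every 0.5 ms between
    50.2 ms and 59.7 ms; the 0x2B0 sender falls silent after 40 ms."""
    frames = [CanFrame(k * 10_000, 0x1A0, b"\x10\x20") for k in range(10)]
    frames += [CanFrame(50_200 + k * 500, 0x1A0, b"\xff\xff") for k in range(20)]
    frames += [CanFrame(k * 20_000, 0x2B0, b"\x01") for k in range(3)]
    return sorted(frames, key=lambda f: f.ts_us)


def run_monitor(frames=None, end_us=100_000):
    """Replay a frame log through the monitor and return alert counts by kind."""
    monitor = CycleMonitor(NOMINAL_PERIOD_US)
    for frame in (frames if frames is not None else constructed_traffic()):
        monitor.observe(frame)
    monitor.check_silence(end_us)
    return Counter(kind for _, _, kind in monitor.alerts)


if __name__ == "__main__":
    print(dict(run_monitor()))
```

The flood is caught 21 times (the first injected frame, the 19 gaps between injected frames, and the legitimate frame that follows the burst), and the silent 0x2B0 sender is reported once by the end-of-window check; the tolerance ratios decide how much jitter a real bus is allowed before either alert fires.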
Ⅲ-2. Evaluation method (continued)
(3) Development of an evaluation method for key distribution and reprogramming [Layer 4: components]
[Figure: reprogramming at the dealer, with the attack aimed at the certification step]
Research the appropriate / standard durability levels of the reprogramming protection corresponding to each in-vehicle computer's (ECU's) security risk:
・Cryptographic algorithms
・Random-number bit length and entropy
[Assessment methodology] ① Evaluation of attacks on an actual device using a test board ② Research of key management in other industries (*)
(*) Bank ATMs, credit card payment terminals, smart meters
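As an added example (not code from the SIP-adus report, and not any OEM's actual protocol), the simulation below shows why the random-number bit length listed above bounds the durability of a seed/key reprogramming unlock. An attacker on the diagnostic line records the (seed, key) pairs of legitimate dealer sessions and later replays a recorded key whenever the ECU repeats a seed; with a 16-bit seed this succeeds within a few hundred requests, with a 128-bit seed it never does. The ECU, dealer tool, secret, HMAC key derivation and session counts are all constructed assumptions.

```python
# Added example, not from the SIP-adus report: how the bit length of the
# random seed in a challenge-response reprogramming unlock bounds its
# durability against a replay attack. The ECU, dealer tool and attacker are
# simulations constructed here; the seed/key exchange is a generic scheme,
# not any OEM's actual protocol.
import hashlib
import hmac
import random

UNLOCK_SECRET = b"constructed-ecu-unlock-secret"   # assumed secret shared with the dealer tool


def key_for(seed: int, seed_bits: int) -> bytes:
    """Expected key response: HMAC-SHA256(secret, seed), truncated to 8 bytes."""
    seed_bytes = seed.to_bytes((seed_bits + 7) // 8, "big")
    return hmac.new(UNLOCK_SECRET, seed_bytes, hashlib.sha256).digest()[:8]


class SimulatedEcu:
    """Seed/key unlock: the tool requests a seed, then must answer with the key."""

    def __init__(self, seed_bits: int, rng: random.Random):
        self.seed_bits = seed_bits
        self.rng = rng                   # stand-in for the ECU's random-number source
        self.pending_seed = None

    def request_seed(self) -> int:
        self.pending_seed = self.rng.getrandbits(self.seed_bits)
        return self.pending_seed

    def send_key(self, key: bytes) -> bool:
        if self.pending_seed is None:
            return False
        expected = key_for(self.pending_seed, self.seed_bits)
        self.pending_seed = None
        return hmac.compare_digest(key, expected)


def replay_attack(seed_bits, observed_sessions, attack_attempts, rng_seed=1):
    """Attacker sniffs (seed, key) pairs from legitimate dealer sessions on the
    diagnostic line, then requests seeds and replays a recorded key when the
    ECU repeats a seed. Returns the attempt number that unlocked, or None."""
    ecu = SimulatedEcu(seed_bits, random.Random(rng_seed))
    recorded = {}
    for _ in range(observed_sessions):              # phase 1: passive observation
        seed = ecu.request_seed()
        key = key_for(seed, seed_bits)              # the dealer tool knows the secret
        assert ecu.send_key(key)
        recorded[seed] = key
    for attempt in range(1, attack_attempts + 1):   # phase 2: replay on a repeated seed
        seed = ecu.request_seed()
        if seed in recorded and ecu.send_key(recorded[seed]):
            return attempt
        ecu.send_key(b"")   # abandon this seed (a real ECU would also rate-limit failures)
    return None


def replay_success_probability(seed_bits, observed_sessions, attack_attempts):
    """Upper bound on the attack: each attempt hits a recorded seed with
    probability at most observed_sessions / 2**seed_bits."""
    p_hit = min(1.0, observed_sessions / 2 ** seed_bits)
    return 1.0 - (1.0 - p_hit) ** attack_attempts


if __name__ == "__main__":
    for bits in (16, 128):
        print(bits, replay_attack(bits, 8000, 300), replay_success_probability(bits, 8000, 300))
```

The durability level is therefore set not only by the key-derivation algorithm but by the seed entropy, the size of the seed space and the ECU's handling of failed attempts; a strong HMAC over a 16-bit seed still falls to a dictionary.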
Ⅲ-3. V2X signature verification
[Background] Secure real-time communication is needed once V2X becomes common: the signatures on information received from surrounding vehicles and roadside units must be verified rapidly.
[Research] Simplification of the message signature verification process in V2X communication
[Target] 1,000 messages/sec
Meet the performance target with a message verification method that uses priority levels.
・Confirm by evaluation on actual devices
・Attempt standardization proposals to ISO/TC204/WG16
[Figure: message verification method with priority levels] Wireless communication part → reception processing part → request queue for verification of messages with priority level → message verification part (security processing part) → verification results queue → application processing part. A control part, made up of a status determination part, an importance determination part and a priority level determination policy, issues the requests to verify messages with a priority level, receives the verification results, and can issue a suspension request or a request to change the priority level.
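As an added example (not code from the SIP-adus report or the research prototype), the scheduler below has the shape of the block diagram: an importance determination policy assigns each received message a priority level, verification requests wait in a priority queue, the security part checks a bounded number of signatures per cycle, results go to a results queue, and the control part can change a queued message's priority or suspend low-priority requests when the verifier falls behind. The HMAC signature is a stand-in for the ECDSA certificates real V2X uses, and the distance thresholds, budget and twelve messages are constructed for the illustration.

```python
# Added example, not from the SIP-adus report: a priority-level verification
# scheduler of the shape the block diagram describes (importance
# determination, a priority request queue, a results queue, suspension and
# priority-change requests from the control part). The signature scheme is an
# HMAC stand-in for the ECDSA certificates real V2X uses, the importance
# policy and the messages are constructed for illustration, and the per-cycle
# budget models a verifier that cannot keep up with the arrival rate.
import hashlib
import heapq
import hmac
from dataclasses import dataclass

V2X_KEY = b"constructed-v2x-key"   # stand-in for a sender's certified signing key


def sign(payload: bytes) -> bytes:
    return hmac.new(V2X_KEY, payload, hashlib.sha256).digest()


def verify(payload: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(payload), signature)


@dataclass
class V2xMessage:
    sender: str
    distance_m: float
    emergency: bool
    payload: bytes
    signature: bytes


def importance(msg: V2xMessage) -> int:
    """Importance determination policy (assumed): 0 is the most urgent level."""
    if msg.emergency:
        return 0
    if msg.distance_m < 50:
        return 1
    if msg.distance_m < 150:
        return 2
    return 3


class PriorityVerifier:
    def __init__(self, budget_per_cycle: int):
        self.budget = budget_per_cycle   # signatures the security part can check per cycle
        self.queue = []                  # heap of (priority, arrival seq, message)
        self.seq = 0
        self.results = {}                # verification results queue: sender -> status

    def submit(self, msg: V2xMessage):
        heapq.heappush(self.queue, (importance(msg), self.seq, msg))
        self.seq += 1

    def change_priority(self, sender: str, new_priority: int):
        """Control part: re-rank a queued sender, e.g. one that is now closing fast."""
        self.queue = [(new_priority if m.sender == sender else p, s, m)
                      for p, s, m in self.queue]
        heapq.heapify(self.queue)

    def suspend(self, from_priority: int) -> int:
        """Control part: drop queued requests at or below a priority level."""
        keep = [e for e in self.queue if e[0] < from_priority]
        dropped = [e for e in self.queue if e[0] >= from_priority]
        for _, _, m in dropped:
            self.results[m.sender] = "suspended"
        self.queue = keep
        heapq.heapify(self.queue)
        return len(dropped)

    def run_cycle(self) -> list:
        """Verify up to `budget` requests in priority order; return the senders checked."""
        checked = []
        for _ in range(min(self.budget, len(self.queue))):
            _, _, m = heapq.heappop(self.queue)
            self.results[m.sender] = "valid" if verify(m.payload, m.signature) else "invalid"
            checked.append(m.sender)
        return checked


def make_message(sender, distance_m, emergency=False, tampered=False):
    payload = f"{sender}:pos".encode()
    sig = sign(payload)
    if tampered:                         # payload altered after signing
        payload = f"{sender}:pos-forged".encode()
    return V2xMessage(sender, distance_m, emergency, payload, sig)


def run_scenario():
    """Twelve constructed messages arrive in one cycle; the budget is five."""
    pv = PriorityVerifier(budget_per_cycle=5)
    pv.submit(make_message("amb1", 400, emergency=True))
    pv.submit(make_message("car1", 20))
    pv.submit(make_message("car2", 35, tampered=True))
    pv.submit(make_message("car3", 45))
    for name, d in (("car4", 80), ("car5", 100), ("car6", 120), ("car7", 140)):
        pv.submit(make_message(name, d))
    for name, d in (("car8", 200), ("car9", 250), ("car10", 300), ("car11", 350)):
        pv.submit(make_message(name, d))
    cycle1 = pv.run_cycle()
    pv.change_priority("car11", 1)       # status determination: car11 is now closing fast
    suspended = pv.suspend(3)            # backlog: drop the far-away remainder
    cycle2 = pv.run_cycle()
    return {"cycle1": cycle1, "cycle2": cycle2,
            "suspended": suspended, "results": dict(pv.results)}


if __name__ == "__main__":
    print(run_scenario())
```

The emergency vehicle and the three nearest cars are verified in the first cycle (and the tampered message from car2 is rejected), the far-away messages are suspended rather than left to starve the queue, and the re-prioritized car11 is checked ahead of the mid-range backlog in the second cycle; a real implementation would also bound how long a suspended message may stay unverified before it is dropped from the application's view.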
Ⅳ. Four-year plan (FY2015 to FY2018)
Build a common model for automated driving systems, formulate security requirements through threat analysis, and aim to build an evaluation environment (test bed) and standardize evaluation methods.
For V2X communication, research simplification of signature verification and aim for standardization.
Theme A
① Examine common model / threat analysis
② Evaluation technology and evaluation environment
 a) Components and in-vehicle system
 b) Vehicle external link system / vehicle level
 c) Evaluation based on communication protocols
 d) Evaluation using actual devices
 e) Research of third-party certification
Theme B
③ Simplify V2X signature verification
④ V2X overseas research and sharing of information
[Schedule chart, phases running left to right from FY2015 to FY2018]
① Common model / threat analysis: Research → Develop, determine, derive → Develop prototype → Build, evaluate, improve
② Evaluation technology and environment: Develop component evaluation environment and target of system evaluation → Complete component evaluation technology, develop system evaluation environment → Complete system evaluation technology, test bed trial run → Develop and research standards for the target of component evaluation
 ・Countermeasure technology: research and development of evaluation pointers and indicators → Verify evaluation pointers and indicators → Provide feedback on verification results and create guidelines
 ・Research ICT attack cases; research audiovisual countermeasure sections
 c) Research (protocol specifications, attack methods) → Examine evaluation methods and evaluation standards → Develop and improve the evaluation environment through the simulator
 d) Research attack methods against components → against systems → against vehicles → against the mobility society
 e) Research certification in other industries → Examine automotive application → Examine a third-party certification body
③ V2X signature verification: Desk study → Communication evaluation → Implementation (mounting) test → Comprehensive verification test; standardization activities; examine V2X operation
④ V2X overseas research: Research overseas trends → Examine a framework for information sharing → Operate the framework for information sharing
Thank you for your attention.