The core component of automotive security: the electronic control unit (ECU)
Any discussion of vehicle security has to start with the electronic control unit (ECU). In the past, vehicle safety and security strategies relied on many ECUs, each acting as a dedicated "manager" for one function. Today, automakers increasingly favor consolidating functions onto a single, more powerful ECU, because one enhanced ECU delivers better performance and power efficiency.
Consolidation, however, reduces redundancy. To compensate, automakers have taken several measures: they encrypt more of the vehicle's data so that attackers cannot easily eavesdrop on or tamper with it, they integrate hardened security IP into their chips to strengthen the defenses, and they require engineers across more disciplines to receive security training, so that the entire engineering team shares a baseline of security awareness.
Bill Stewart, Vice President of Automotive Americas at Infineon, notes that a car's steering, braking and powertrain systems are mission-critical whether the vehicle is an internal-combustion or an electric one, and that many advanced driver assistance systems (ADAS) are no exception: ADAS collects sensor data and turns it into steering commands, which in turn translate into braking or accelerator commands. Because the correct functioning of these systems is essential to driving safety, they require high-quality components with built-in safety features, and as the technology advances, the safety standards they must meet keep evolving.
Identifying attack vectors: Finding vulnerabilities in vehicle security
Just as a good sports team has to understand its opponent's offense to defend well, the key to automotive cybersecurity is finding the system's weak points, that is, identifying its attack vectors.
David Glasco, Vice President of Cadence's Computing Solutions Group, points out that, strictly speaking, cars have a direct attack vector: the Wi-Fi used to upload all software updates. Once a malicious actor breaches this Wi-Fi defense, it's like opening the "door" to the car's system, allowing them countless ways to damage it. For example, once a hacker enters the system, they can access chips and deduce keys by monitoring their electromagnetic radiation—a dangerous side-channel attack. Such attacks are quite easy to execute if the security system lacks side-channel protection. Therefore, cars not only need a root of trust to establish a security foundation, but this root of trust must also possess all the necessary side-channel defense capabilities to effectively resist such attacks.
David Fritz, Vice President of Hybrid and Virtual Systems at Siemens Digital Industries Software, also stated that threats can originate from anything external to the computing system itself. The numerous sensors within a car could become an unconventional attack avenue, allowing hackers to feed malicious data into the central computing system. However, modern automotive architectures incorporate a security island, mandated by the ISO/SAE 21434 standard, typically in the form of an ECU. This security island acts as a strict gatekeeper, verifying the legitimacy of all externally supplied data before it is passed on to the central computing system.
In the past, car designs often deployed multiple ECUs. The current trend is to use a single, more powerful ECU running a hypervisor, which in turn hosts multiple operating systems: for example, a safety operating system dedicated to critical tasks such as braking and steering control, alongside another operating system on the same ECU serving non-critical tasks such as playing videos for the back seat. This is called mixed criticality, integrating tasks of different criticality on one platform. It brings many benefits, such as lower vehicle weight, lower power consumption (and therefore longer range for electric vehicles) and significantly lower cost. However, because non-critical and critical tasks now share one environment, it becomes crucial to ensure that data entering this integrated ECU is not corrupted and does not carry data or code that could disrupt the critical tasks.
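As an added illustration, not code from the article or from any of the vendors quoted in it, the following Go program models the gatekeeping job of the security island described above as a plain allow-list: every (source bus, arbitration ID) pair needs an explicit rule, and a frame is forwarded to the compute domain only if its length, rate and payload range all match. The bus names, arbitration IDs, signal encodings and limits are constructed for the example; a real gateway would derive them from the vehicle's network description.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"time"
)

// Frame is a simplified CAN frame as the gateway ECU receives it: the bus it
// arrived on, its arbitration ID and its payload. Bus names are constructed
// for the example; "telematics" stands for the external-facing bus.
type Frame struct {
	Bus  string
	ID   uint32
	Data []byte
}

// Key identifies a (source bus, arbitration ID) pair. Only pairs with an
// explicit rule are ever forwarded; everything else is dropped by default.
type Key struct {
	Bus string
	ID  uint32
}

// Rule is the allow-list entry for one Key.
type Rule struct {
	DLC      int               // required payload length in bytes
	MinGap   time.Duration     // minimum spacing between two frames (rate limit)
	Validate func([]byte) bool // optional plausibility check on the payload
}

// Gateway plays the "security island": it sits between external-facing buses
// and the central compute domain and forwards only what the rules allow.
type Gateway struct {
	rules    map[Key]Rule
	lastSeen map[Key]time.Time
}

func NewGateway(rules map[Key]Rule) *Gateway {
	return &Gateway{rules: rules, lastSeen: make(map[Key]time.Time)}
}

// Filter decides whether f may be forwarded. It returns (true, "") to
// forward or (false, reason) to drop. The clock is passed in so the rate
// limit behaves deterministically in tests.
func (g *Gateway) Filter(f Frame, now time.Time) (bool, string) {
	k := Key{Bus: f.Bus, ID: f.ID}
	rule, ok := g.rules[k]
	if !ok {
		return false, "no rule for this ID on this bus"
	}
	if len(f.Data) != rule.DLC {
		return false, fmt.Sprintf("bad DLC %d, want %d", len(f.Data), rule.DLC)
	}
	if last, seen := g.lastSeen[k]; seen && now.Sub(last) < rule.MinGap {
		return false, "rate limit exceeded"
	}
	if rule.Validate != nil && !rule.Validate(f.Data) {
		return false, "payload failed range check"
	}
	g.lastSeen[k] = now
	return true, ""
}

// DefaultRules is the constructed allow-list used by the example.
func DefaultRules() map[Key]Rule {
	return map[Key]Rule{
		// Vehicle speed from the chassis bus: uint16 in 0.01 km/h, capped at 300 km/h.
		{Bus: "chassis", ID: 0x1A0}: {
			DLC:    2,
			MinGap: 10 * time.Millisecond,
			Validate: func(b []byte) bool {
				return binary.BigEndian.Uint16(b) <= 30000
			},
		},
		// Remote climate request from the telematics bus: one on/off byte.
		{Bus: "telematics", ID: 0x3F0}: {
			DLC:      1,
			MinGap:   500 * time.Millisecond,
			Validate: func(b []byte) bool { return b[0] <= 1 },
		},
		// Deliberately absent: no rule lets brake or steering IDs in from the
		// telematics bus, so such frames are dropped even if the modem is compromised.
	}
}

func main() {
	g := NewGateway(DefaultRules())
	t0 := time.Unix(0, 0)
	frames := []Frame{
		{"chassis", 0x1A0, []byte{0x13, 0x88}},    // 50.00 km/h: forwarded
		{"telematics", 0x0A2, []byte{0xFF, 0xFF}}, // brake command via modem bus: dropped
		{"telematics", 0x3F0, []byte{0x01}},       // climate on: forwarded
		{"telematics", 0x3F0, []byte{0x01}},       // repeated 20 ms later: rate limited
		{"chassis", 0x1A0, []byte{0xFF, 0xFF}},    // 655.35 km/h: implausible, dropped
	}
	for i, f := range frames {
		now := t0.Add(time.Duration(i) * 20 * time.Millisecond)
		ok, reason := g.Filter(f, now)
		fmt.Printf("bus=%-10s id=0x%03X forward=%-5v %s\n", f.Bus, f.ID, ok, reason)
	}
}
```

The design choice that matters is the default: an ID that nobody has written a rule for is dropped, so a compromised telematics unit gains nothing by emitting brake or steering IDs, and a sensor that starts sending physically impossible values is cut off before the compute domain sees them.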
Encryption: the core line of defense in automotive cybersecurity
The ECU can be viewed as a hardened gateway where cryptographic operations are performed. Encryption is like putting a lock on the data: only a holder of the correct key can open it and read the contents. The ECU also needs to be continuously hardened against malfunction, whether caused by a deliberate attack or by other faults.
Fritz noted that automotive systems perform various routine security operations such as error correction, encryption/decryption, and public/private key management. However, if the hardware itself has ways to bypass these security mechanisms, then all security measures are ineffective. Therefore, specially designed security chips are needed to ensure that security protection does not stop working even when the battery is low.
At the heart of every security measure is correctly implemented, robust cryptography. Cryptographic algorithms and software keep evolving, which further underlines the need for reliable hardware. Cryptography is particularly crucial in ECUs, and it can also serve as a fail-safe for data within the vehicle. For example, Infineon uses a dedicated security processor that operates independently of the other components on the same chip, providing a layer of redundancy by encrypting in-vehicle data streams.
Infineon's Stewart states that to secure the vehicle from the outside in, the network traffic within the vehicle also needs to be encrypted, primarily at the microcontroller level using built-in hardware security modules. A large amount of data flows within a car, such as Ethernet messages, radar data and camera data, and encrypting and decrypting every piece of it requires a massive amount of processing. The defining characteristic of software-defined vehicles (SDVs) is the decoupling of hardware from software functions, which requires even more data to be transmitted, meaning higher security requirements and the need to encrypt all of this data at once. A high-efficiency processor is a major advantage here: such processors have isolated regions that can handle all of the cryptographic work without interrupting the main processor.
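The following Go program is an added example, not Infineon's or any other vendor's shipped code, of what protecting in-vehicle traffic at the microcontroller level most commonly means for a CAN signal. In practice most bus traffic needs authenticity and freshness more than confidentiality, and that is what the AUTOSAR SecOC pattern shown here provides: each frame carries a freshness counter to stop replays and a truncated MAC so the tag fits in the frame. Two simplifications are assumptions of the example: HMAC-SHA256 stands in for the AES-128 CMAC that SecOC specifies (it is in Go's standard library), and the full 32-bit counter is sent rather than a few truncated bits. The key is constructed; in a real ECU it lives in the HSM and the MAC is computed there. The constant-time tag comparison is the software-level counterpart of the side-channel point raised earlier in the article: a comparison that stops at the first wrong byte leaks information through timing.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	macLen       = 8 // bytes of MAC actually sent; the truncation length is an assumption
	freshnessLen = 4 // bytes of counter sent; real SecOC profiles send fewer bits
)

var (
	ErrTooShort = errors.New("secoc: PDU too short")
	ErrReplay   = errors.New("secoc: stale freshness value (replay)")
	ErrBadMAC   = errors.New("secoc: MAC verification failed")
)

// VehicleKey stands in for the per-vehicle symmetric key that would be
// provisioned into each ECU's HSM. Constructed for the example; real keys
// never sit in source code.
var VehicleKey = []byte("example-16-byte-")

// authTag computes a truncated MAC over dataID || payload || freshness, so a
// tag cannot be moved to a different signal or reused with another counter
// value. HMAC-SHA256 is used because it is in Go's standard library; AUTOSAR
// SecOC specifies AES-128 CMAC.
func authTag(k []byte, dataID uint16, payload []byte, freshness uint32) []byte {
	m := hmac.New(sha256.New, k)
	var id [2]byte
	binary.BigEndian.PutUint16(id[:], dataID)
	m.Write(id[:])
	m.Write(payload)
	var fv [freshnessLen]byte
	binary.BigEndian.PutUint32(fv[:], freshness)
	m.Write(fv[:])
	return m.Sum(nil)[:macLen]
}

// Sender owns the monotonically increasing freshness counter for one data ID.
type Sender struct {
	key       []byte
	dataID    uint16
	freshness uint32
}

func NewSender(key []byte, dataID uint16) *Sender { return &Sender{key: key, dataID: dataID} }

// Protect builds the secured PDU: payload || freshness || truncated MAC.
func (s *Sender) Protect(payload []byte) []byte {
	s.freshness++
	var fv [freshnessLen]byte
	binary.BigEndian.PutUint32(fv[:], s.freshness)
	pdu := make([]byte, 0, len(payload)+freshnessLen+macLen)
	pdu = append(pdu, payload...)
	pdu = append(pdu, fv[:]...)
	return append(pdu, authTag(s.key, s.dataID, payload, s.freshness)...)
}

// Receiver remembers the highest freshness value it has accepted.
type Receiver struct {
	key    []byte
	dataID uint16
	last   uint32
}

func NewReceiver(key []byte, dataID uint16) *Receiver { return &Receiver{key: key, dataID: dataID} }

// Verify authenticates a PDU and rejects replays, returning the payload.
func (r *Receiver) Verify(pdu []byte) ([]byte, error) {
	if len(pdu) < freshnessLen+macLen {
		return nil, ErrTooShort
	}
	n := len(pdu) - freshnessLen - macLen
	payload := pdu[:n]
	freshness := binary.BigEndian.Uint32(pdu[n : n+freshnessLen])
	tag := pdu[n+freshnessLen:]
	// hmac.Equal runs in constant time. A byte-by-byte compare that returns at
	// the first mismatch leaks, through timing, how many tag bytes were right.
	if !hmac.Equal(tag, authTag(r.key, r.dataID, payload, freshness)) {
		return nil, ErrBadMAC
	}
	// Only an authenticated frame may move the counter forward.
	if freshness <= r.last {
		return nil, ErrReplay
	}
	r.last = freshness
	return payload, nil
}

func main() {
	const speedID = 0x1A0
	tx := NewSender(VehicleKey, speedID)
	rx := NewReceiver(VehicleKey, speedID)

	pdu := tx.Protect([]byte{0x13, 0x88}) // 50.00 km/h, constructed signal
	if p, err := rx.Verify(pdu); err == nil {
		fmt.Printf("accepted payload %x\n", p)
	}
	if _, err := rx.Verify(pdu); err != nil { // same bytes captured and re-sent
		fmt.Println("replay:", err)
	}
	bad := tx.Protect([]byte{0x13, 0x88})
	bad[0] ^= 0x80 // flip a payload bit, keep the old tag
	if _, err := rx.Verify(bad); err != nil {
		fmt.Println("tamper:", err)
	}
}
```

Binding the data ID into the MAC is what stops a valid tag from one signal being replayed on another, and updating the receiver's counter only after a successful MAC check means unauthenticated garbage on the bus can never desynchronize the two sides.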
Today, a key aspect of the automotive shift towards holistic security is the installation of hardware roots of trust (RoTs) within the various integrated circuits of the vehicle's systems. These RoTs are the cornerstone of the vehicle's security architecture: they anchor the vehicle's identity, link it to the manufacturer's network, and provide the basis for software authentication and secure updates, all derived from the hardware RoT inside the chip. This approach will continue as the industry transitions to software-defined vehicles.
The critical role of security IP in software-defined vehicle security
In software-defined vehicles, security IP plays a crucial role. While some security-critical issues can be addressed in software, software-based solutions tend to introduce more vulnerabilities than hardware-based ones. Rob Fisher, Senior Director of Product Management at Imagination Technologies, says that creating virtual environments within GPUs offers superior security; his company first adopted this approach in mobile phones and is now applying it to the automotive sector.
In such GPUs, non-safety-critical tasks run in parallel with safety-critical tasks without interfering with them. Put simply, the GPU hosts multiple isolated environments that cannot communicate with each other, entirely for security reasons. One strategy for creating secure environments on a system-on-chip (SoC) is to partition them and assign permission levels, so that specific trusted applications can access particular parts of the architecture while third-party applications run without the same access.
Implementing this kind of security IP in a vehicle lets an SoC perform a series of different tasks, such as infotainment tasks and ADAS-related tasks, by time-slicing execution between them, with each class of task backed by physically separate hardware registers. This approach makes a significant contribution to functional safety and also benefits vehicle cybersecurity.
Fisher gives the example of multiple environments, which is comparable to the privilege levels of a CPU architecture and allows third-party applications to be assigned a very low privilege level. If you download a new parking app into your car, for instance, you don't know who wrote it or whether they wrote it carefully and securely; the app might even be an attempt to hack the car. So you run it in a highly isolated area of the SoC at a very low privilege level that prevents it from accessing the GPU, the vehicle buses, the sensor buses and other critical components, thereby protecting the vehicle system.
The security mission of software-defined vehicle designers
From robust ECUs and multi-layered redundancy to security IP, implementing these security features is costly but essential. In software-defined vehicles, security should take priority over the usual performance, power and area (PPA) considerations.
Cadence's Glasco emphasizes that security is as crucial to automobiles as the vehicle's inherent safety features; it's a top priority. If someone were to breach a car's systems, the consequences could be dire, potentially leading to serious traffic accidents. Therefore, having skilled security architects who deeply understand various threat vectors is essential. Today, the widespread adoption of internet-connected cars, Wi-Fi-connected cars, and OTA updates has significantly increased attack vectors, and attackers are likely to explore every possible avenue for attack.
Adiel Bahrouch, Director of Automotive Business Development at Rambus, believes that automobiles are highly complex systems, and that this complexity is the biggest enemy of both functional safety and cybersecurity. Modern cars are constantly connected to the outside world and collect and process vast amounts of sensor data for ADAS and autonomous driving, so both disciplines become extremely important. Incorporating security into vehicle design influences specific component choices and the overall system architecture.
Glasco agrees. While attackers attempting remote access to a vehicle will most likely go through the ECU, cars still require multiple layers of redundancy for security. This redundancy can exist throughout the vehicle system in the form of Hardware Security Modules (HSMs). Although setting up so many HSMs might seem excessive considering that all incoming data ultimately passes through the ECU, it is essential for ensuring automotive information security. Infineon's Stewart says that security is a system-level decision; you can't say that one part is secure while the surrounding parts are insecure. Setting up HSMs in various parts such as the zone controller, braking module, and steering module is precisely to ensure that all network traffic is secure.
Furthermore, since a car's lifespan typically exceeds ten years, security that lasts is paramount. Synopsys' Borza points out that the security measures built in during manufacturing must be flexible enough to accommodate updates that may not be delivered until far in the future. There should be at least a plan for continuous updates throughout the first ten years of the vehicle's life, ensuring that vulnerabilities and threats are discovered and remediated promptly. This relies on the interaction between the hardware root of trust and software to verify everything that is downloaded, as well as all communication within the vehicle and between the vehicle and the network.
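As an added example, not Synopsys', Infineon's or any vendor's code, of the interaction between the hardware root of trust and software described above (and of the "software authentication and secure updates" the roots-of-trust passage earlier attributes to the RoT), the following Go program verifies a downloaded update the way a boot ROM or update agent anchored in a root of trust would: the manufacturer's Ed25519 public key is fixed at production, a monotonic version counter prevents rollback to an older, vulnerable image, and the image is accepted only if the signed manifest's digest matches it. The manifest layout, ECU IDs, version numbers and image bytes are constructed for the example; real OTA metadata formats carry more fields such as expiry times and multiple signers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrSignature = errors.New("update: manifest signature invalid")
	ErrTarget    = errors.New("update: manifest is for a different ECU")
	ErrRollback  = errors.New("update: version not newer than installed")
	ErrDigest    = errors.New("update: image digest does not match manifest")
)

// Manifest is the signed description of one update. The field set and the
// encoding are assumptions for this example; production formats carry more.
type Manifest struct {
	TargetECU uint16
	Version   uint32
	ImageHash [sha256.Size]byte
}

// encode produces the canonical bytes the signature covers.
func (m Manifest) encode() []byte {
	buf := make([]byte, 6, 6+sha256.Size)
	binary.BigEndian.PutUint16(buf[0:2], m.TargetECU)
	binary.BigEndian.PutUint32(buf[2:6], m.Version)
	return append(buf, m.ImageHash[:]...)
}

// Update is what arrives over the air: manifest, signature and image.
type Update struct {
	Manifest  Manifest
	Signature []byte // Ed25519 over Manifest.encode()
	Image     []byte
}

// RootOfTrust models the hardware anchor: the manufacturer's public key fixed
// at production (e.g. in OTP) and a monotonic version counter in
// tamper-resistant storage. Neither can be altered by application software.
type RootOfTrust struct {
	ecuID     uint16
	vendorPub ed25519.PublicKey
	installed uint32
}

func NewRootOfTrust(ecuID uint16, vendorPub ed25519.PublicKey, installed uint32) *RootOfTrust {
	return &RootOfTrust{ecuID: ecuID, vendorPub: vendorPub, installed: installed}
}

// InstalledVersion exposes the anti-rollback counter for monitoring and tests.
func (r *RootOfTrust) InstalledVersion() uint32 { return r.installed }

// VerifyUpdate runs the checks in bootloader order: signature first, so every
// later decision rests on authenticated data; then target and anti-rollback;
// then the comparatively expensive image hash.
func (r *RootOfTrust) VerifyUpdate(u Update) error {
	if !ed25519.Verify(r.vendorPub, u.Manifest.encode(), u.Signature) {
		return ErrSignature
	}
	if u.Manifest.TargetECU != r.ecuID {
		return ErrTarget
	}
	if u.Manifest.Version <= r.installed {
		return ErrRollback
	}
	// Digests are not secret, so a plain array comparison is fine here.
	if sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrDigest
	}
	return nil
}

// Install applies a verified update and advances the anti-rollback counter,
// after which the previous image can no longer be flashed through this path.
func (r *RootOfTrust) Install(u Update) error {
	if err := r.VerifyUpdate(u); err != nil {
		return err
	}
	r.installed = u.Manifest.Version
	return nil
}

// SignUpdate is the manufacturer-side step; the private key never reaches the vehicle.
func SignUpdate(priv ed25519.PrivateKey, ecu uint16, version uint32, image []byte) Update {
	m := Manifest{TargetECU: ecu, Version: version, ImageHash: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Image: image}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rot := NewRootOfTrust(0x21, pub, 7)
	image := []byte("constructed firmware image, version 8")

	fmt.Println("genuine v8:", rot.Install(SignUpdate(priv, 0x21, 8, image)))
	fmt.Println("re-flash v8:", rot.VerifyUpdate(SignUpdate(priv, 0x21, 8, image)))

	tampered := SignUpdate(priv, 0x21, 9, image)
	tampered.Image = append([]byte("x"), tampered.Image[1:]...)
	fmt.Println("tampered image:", rot.VerifyUpdate(tampered))

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker-signed:", rot.VerifyUpdate(SignUpdate(attackerPriv, 0x21, 9, image)))
}
```

The order of checks is the point: nothing in the manifest is trusted before its signature verifies, the counter is advanced only after every check passes, so a failed update can never lock the ECU out of its current image, and once a version is installed the signed-but-older image (which may carry a known vulnerability) is permanently refused.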
Conclusion
Cybersecurity is crucial for software-defined vehicles. A car cannot be treated as a collection of isolated components; it must be viewed as a holistic system. In the past, cars achieved security through multiple ECUs; the trend is now towards a single, powerful ECU, which becomes the car's most critical point to protect, supplemented by redundancy elsewhere and updates throughout the vehicle's lifecycle. The challenge for automakers is to understand deeply how these systems work individually and together, which may require making security training a prerequisite for every aspect of vehicle design. Cars will only become more complex, making security an ever more important responsibility for everyone in the automotive industry, one that concerns the safety and rights of every driver and passenger.