Published in: ATZelectronics worldwide 6/2021

Free Access 01-06-2021 | Cover Story

"Highly networked systems offer a large attack surface"

Author: Robert Unseld

The increasing intelligence of vehicles is accompanied by the necessity to communicate with the infrastructure and other traffic participants, resulting in a growing number of interfaces and hence entry gates. In order to protect processes and keep everything under control, several security measures must be used in combination and, above all, continuously rethought, Jochen Schoenweiss and Harry Knechtel from Secunet explain.
ATZelectronics _ The transition of vehicles from a made-once, monolithic complete system to a software-controlled, always-on device places great importance on the authentication of communication and all changes in state. What is your view on this?
Schoenweiss _ The networking of vehicles represents an enormous shift. Many modern comfort functions, as well as advanced driver assistance systems, are only possible because of it. Networking creates the foundation for autonomous driving. Electric vehicles do not just need to communicate with each other, but also with the infrastructure. The flip side is that highly networked systems offer a large attack surface. This can have serious consequences for individual drivers and also for the entire infrastructure, for example if the flow of traffic is deliberately disrupted. This is why the security of both vehicles and infrastructure is so important. The information upon which critical decisions are made must be trustworthy and unadulterated at all times. It must also be guaranteed that no one is able to manipulate the configuration or the software in the vehicle.
How secure can a vehicle be in the long term?
Knechtel _ A vehicle has a lifetime, including its development time, of more than 20 years. Over such a time span, no one can guarantee that a system remains secure. For example, it is possible that the implemented hardware is no longer able to fulfill the necessary requirements via updates. At this point, software-based solutions are no longer sufficient. This is where the automotive industry sees itself up against significantly greater challenges compared to IT or entertainment electronics where operating systems and hardware are typically completely exchanged after a few years. In addition, vehicles will be reliant on large amounts of information from external systems, for example from other vehicles, roadside units, traffic management systems and online services. It is therefore not sufficient that vehicles themselves are secure. The other systems need to be secure too.
What is needed to guarantee security and where are the greatest fault sources?
Schoenweiss _ Security cannot be created with one individual product or measure. For example, so-called Public Key Infrastructures (PKIs), and Hardware Security Modules (HSMs), can ensure that key material is manufactured in the required levels of quality. The fundamental mathematical processes ensure that stored data cannot be manipulated or read. An HSM also helps to ensure that the implemented key material cannot be simply copied, for example to then carry out attacks. However, this alone does not protect the entire system if the process is not properly implemented or access to it is not secure. In the worst case, HSM and PKI continue to perfectly help encrypt and sign after an attack - but to the attacker who has penetrated the system. A further example: A security chip implemented as a Secure Element, Smartcard or Trusted Platform Module (TPM) can confirm the integrity of the data. However, if the evaluation of the results can be skipped by manipulating the invoked software, then the measure has failed to achieve its objective. True security can therefore only be achieved in a network, within the scope of an aligned and consistently secure system design in which a range of measures complement one another. PKI systems and HSMs can be critical components of this.
What does the homework for vehicle manufacturers in terms of security improvements look like?
Schoenweiss _ The sector needs to strive for standardization and also a certain level of modularization. Fundamental security requirements for a certain product should form a universally accepted baseline that does not need to be continually discussed. This would simultaneously increase the economic viability of cybersecurity measures. It is also important that IT security is considered right from the start and not at a point in time when corrective measures are expensive.
How can security be ensured over the entire lifetime if the power of future computers cannot even be assessed?
Knechtel _ We design our solutions to be as flexible as possible so that we can fulfill even future requirements. Agility in the backend systems is helpful, even if the aforementioned challenges exist in the vehicle. In addition, we are not limited to one specific security technology. Legacy requirements of individual suppliers can also be modelled or prototypes built for which there are not yet any hardware solutions available on the market. In any case, we are planning to implement even quantum-computer-resistant algorithms, so-called post-quantum cryptography, as early as this year. Then we are well prepared, even if there are powerful quantum computers in the future that could pose a danger to current encryption procedures.
You also use hardware security modules. This is nothing new and there are many suppliers. What differentiates your solution technically speaking from the others?
Knechtel _ We haven't committed ourselves to any specific HSM manufacturer for our PKI. Our proprietary hardware abstraction layer allows us to support HSMs from different suppliers in mixed operation. Even classic HSMs based on hardware, as the name suggests, are not a must. Since the beginning of 2021, we have also supported the Cloud-HSM solution from AWS. Even a microservice deployment is possible, allowing us to offer our PKIs in the form of Docker containers.
Schoenweiss _ Should the customer wish to change the HSM manufacturer and migrating the key material is not possible, then we can model use-cases relevant to the customer on existing HSMs from one manufacturer and connect HSMs from a different manufacturer to the PKI for new use-cases. This is a decisive advantage.
Will there (have to) be a separate security computer in the vehicle?
Knechtel _ In my view, a single, dedicated cybersecurity computer in the vehicle is not expedient. It is rather a question of a secure overall architecture. It should feature a modular design and permit individual elements to be exchanged easily, but also securely.
At the end of the day, who bears the additional costs of rendering modern and intelligent vehicles secure?
Schoenweiss _ That is a good point. End users also do not want to assume the extra costs for safety belts or airbags. Hence, cybersecurity has to become a standard that has to be considered in the planning of every product development and whose costs are integrated into it. For a manufacturer, this is still cheaper than the costs arising from a serious IT security breach resulting in recalls, lawsuits and image loss.
Is blockchain being considered to make communication secure?
Schoenweiss _ Blockchain is certainly relevant for the communication between the vehicle and the infrastructure. This is particularly true if contracts and charging processes between different participants such as OEMs, charge point operators and mobility operators are to be subject to decentralized authorization. I don't currently envision blockchain being used in real-time-critical functions such as when IT systems intervene in the driving process of a vehicle in order to prevent an accident.
Are there norms and standards for security that still need to be created?
Knechtel _ Yes, legal requirements would be desirable, for example a binding protection profile for security-relevant components in the vehicle and in the infrastructure. This would allow a unified security level to be established and competitive distortion to be avoided.
What is the best way to protect the infrastructure when charging, how to protect the vehicle when everyone is communicating with the same infrastructure?
Schoenweiss _ When it comes to car2car and car2infrastructure, standards, certifications and legal requirements are also beneficial. All participants need to sit together to develop and implement mutual standards. There are approaches for this. The charging infrastructure is a good example: Secunet participated in defining the ISO 15118 standard and actively supports the initiative CharIN that aims to implement "plug and charge." IT security is being paid due attention with these standards.
Value-added services are involved at different levels in the vehicle and originate from different sources: Do they require particular protection?
Knechtel _ The so-called "Added Value Services" in the ISO 15118 protocol at the moment describe future applications. The idea is that one will be able to perform flash software updates or download audio and video data, for example. So far, the use has not been precisely defined. We will continue to observe the situation, but currently the priority is that "plug and charge" is successfully, compatibly and securely implemented.
Harry Knechtel and Jochen Schoenweiss, thank you very much for the information.


Metadata
Title
"Highly networked systems offer a large attack surface"
Author
Robert Unseld
Publication date
01-06-2021
Publisher
Springer Fachmedien Wiesbaden
Published in
ATZelectronics worldwide / Issue 6/2021
Electronic ISSN: 2524-8804
DOI
https://doi.org/10.1007/s38314-021-0643-6
