AutoSIG AutonomousVehicles 02.12.14 PaulMartin Plextek · • Defence and Security • Healthcare • IOT • Wearable Devices. Contents What. V2V • V2V 1) Driver information •


Securing V2X

Dr Paul Martin

CTO

Contents

• What

• Why

• How

• When

World class Products, Systems and Services

• Innovative, Independent, Entrepreneurial

• Based near Cambridge, UK

• Part of Plextek Group

• Privately owned - established 1989

• 120 staff

• Markets

• Automotive and Transport

• Defence and Security

• Healthcare

• IOT

• Wearable Devices

Contents

What

V2V

• V2V

1) Driver information

• Cascaded video – reason for queue

2) Vehicle safety assistance

• Braking assistance

• Erratic vehicle warning

3) Platoon control

• Real time vehicle control

• Maintenance of vehicle Platoons

• Joining/leaving Platoon

• Short note on Platoons – SARTRE trial

– Fuel saving between 7% to 16%,

– Safety – less driver fatigue and mistakes

– Ease road congestion – less gap between cars

V2i

• V2i - Personal

1) Online purchasing smartphone to vendor

• V2i - Car

1) Purchasing from Android terminal in car, e.g.

• Road tolls

• Car rental

2) Telematics data – used for

• Real time vehicle insurance

• Accident notification and investigation

• Fraud prevention

3) Vehicle assistance

• Find parking spaces

• Organise traffic flow

V2i – Relationship Example

• V2i Android terminal in car – real time insurance

TRUST

– I verify I am the driver and I will pay for the insurance

– I will not allow the car to start unless a valid driver is present and the insurance is paid

– I check insurance is OK on the road

– I provide valid insurance

V2V – Relationship Example

• V2V Platooning (TNO Demonstration)

TRUST

– I trust the Platooning System

– Each car has compatible systems which are functioning correctly

– Role is to ensure legislation supports the required level of safety for society as a whole

HMG, Regulator, Public

Security Context Scope

• Application Model Peer Entities

• End points vary

• Categorisation Important

| V2X Application | Peer | Peer | Timeliness | Importance |
| Software update | OEM (Tier 1/2) | Target ECU | Delay tolerant | Variable |
| Virtual Signing | Highways Agency | In car display (ECU) | < 2 seconds | Important/Legal |
| Platoon Control | Other vehicle | Steering/braking/acceleration ECUs | Minimum delay | Urgent/D2L |
| Real Time Insurance | Insurance Company | Security ECU(s) | Delay tolerant | Urgent/D2L |
| Real Time Insurance | Law Enforcement | Security ECU(s)/Navigation | Delay tolerant | Important/Legal |

Contents

Why

Protection

Why Protect V2X?

• Physical Danger that a vehicle system is compromised by a remote wireless operation (Cyber Attack)

• Physical Danger that a vehicle system is compromised by a local (plugged-in) operation

• Motivations

– Identical to “standard” internet

• Physical effect

• Monetary advantage

• For fun

Three Primary Functions

The Three Primary Information Security Functions

ANTI-TAMPER: Protecting customers' IP (Reverse Engineering, Cloning, etc.)

INFORMATION ASSURANCE: Protecting customers' information/data through Cryptography and Fault Tolerant Design

TRUST: Silicon, software, firmware and IP is “trojan-free”

Actors

• OEMs

1) Reputation risk

2) Legal Liability

3) Revenue

• Supply Chain

1) Reputation risk

2) Legal Liability

3) Revenue

• Standards Bodies

1) Functional Safety Guidance

2) Interworking

Actors

• Government

1) Public safety

2) Cost of clearing up

3) National reputation

4) Desire for improved transport systems

• Insurance Industry

1) Reducing claims

2) Clear insurance framework

• Threat Landscape

1) Internet transition into the vehicle

2) Change in attack motivation

3) Development of attack capability

Contents

How

Techniques

• Categorise and manage Threat Landscape

• Match principles from IT industry

• Treat Cyber threat as a functional safety threat

• Ensure development processes use robust Cyber resistance principles

• Establish a chain of Trust throughout supply chain

• Establish a Cyber incident management scheme throughout supply chain

• Cooperate with competitors and other members of the supply chain to improve the resistance of the whole

• Use well understood tools and techniques

Threat Landscape

• Create List of all threats

• Calculate potential cost of each threat

• Detail countermeasures to each threat

• Calculate cost of each countermeasure

• Decide where to draw the line

• Repeat for each significant variant

Prioritisation

• Implement features above red line

| Function | Threat | Difficulty | Cost if active | Priority | Countermeasure | Effectiveness | Cost |
| Active Lane Assist | Left camera spoofed | Difficult | Cost to retrofit anti-spoofing | D2L | Authenticate ALA ECU camera information link functions | L | L |
| | | | | | Encrypt ALA ECU - camera link | L | M |
| | Right camera spoofed | Difficult | Cost to retrofit anti-spoofing | D2L | Authenticate ALA ECU camera information link functions | L | L |
| | | | | | Encrypt ALA ECU - camera link | L | M |
| | ALA ECU compromised | Medium | | D2L | Remove default hardcoded debug entry points | H | L |
| | | | | | Use h/w encrypted programme code store | H | M |
| | | | | | Use s/w encrypted programme code store | H | M |
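
The threat-landscape steps and the red-line table above, worked through as an added example that is not part of the original slides. The ALA rows are transcribed from the table; the numeric mapping of L/M/H, the D2L weight, the scoring formula and the budget figure are assumptions made for illustration.

```python
# Added example: rank the slide's countermeasures and draw the "red line".
from dataclasses import dataclass

LEVEL = {"L": 1, "M": 2, "H": 3}   # assumed numeric value of the L/M/H ratings
PRIORITY_WEIGHT = {"D2L": 3}       # assumed weight for the D2L priority label


@dataclass(frozen=True)
class Countermeasure:
    threat: str
    priority: str        # priority label of the threat, from the slide
    name: str
    effectiveness: str   # L / M / H, from the slide
    cost: str            # L / M / H, from the slide

    @property
    def score(self) -> float:
        # Assumed formula: benefit per unit cost, scaled by threat priority.
        return PRIORITY_WEIGHT[self.priority] * LEVEL[self.effectiveness] / LEVEL[self.cost]


AUTH = "Authenticate ALA ECU camera information link functions"
ENC = "Encrypt ALA ECU - camera link"
ECU = "ALA ECU compromised"
# Rows transcribed from the Active Lane Assist (ALA) table.
REGISTER = [
    Countermeasure("Left camera spoofed", "D2L", AUTH, "L", "L"),
    Countermeasure("Left camera spoofed", "D2L", ENC, "L", "M"),
    Countermeasure("Right camera spoofed", "D2L", AUTH, "L", "L"),
    Countermeasure("Right camera spoofed", "D2L", ENC, "L", "M"),
    Countermeasure(ECU, "D2L", "Remove default hardcoded debug entry points", "H", "L"),
    Countermeasure(ECU, "D2L", "Use h/w encrypted programme code store", "H", "M"),
    Countermeasure(ECU, "D2L", "Use s/w encrypted programme code store", "H", "M"),
]


def draw_red_line(register, budget):
    """Rank by score, then split where cumulative cost first exceeds budget."""
    ranked = sorted(register, key=lambda c: (-c.score, LEVEL[c.cost], c.threat, c.name))
    spent = 0
    for i, cm in enumerate(ranked):
        spent += LEVEL[cm.cost]
        if spent > budget:
            return ranked[:i], ranked[i:]   # above the line, below the line
    return ranked, []


if __name__ == "__main__":
    above, below = draw_red_line(REGISTER, budget=7)   # budget is an assumed figure
    for cm in above:
        print(f"IMPLEMENT {cm.score:>4.1f}  {cm.threat}: {cm.name}")
    for cm in below:
        print(f"DEFER     {cm.score:>4.1f}  {cm.threat}: {cm.name}")
```

Re-running the function with a revised budget or updated ratings moves the line, which is the regular re-evaluation the deck calls for.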

Selectively adopt IT Principles

Functional Safety

• Consider V2X end to end function

• How does it interact with functional safety?

• Example

– Vehicle disabled when insurance is invalid

– Example of external service interacting with a functional safety feature

– Vehicle disabled while moving – No

– Vehicle disabled while engine stopped - Possibly

– Exception conditions – Yes (level crossing)

– Cyber threat – Yes
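
One way to encode the decisions on this slide, as an added example that is not from the original deck: a remote "insurance invalid" request is authenticated first (the cyber threat), never acted on while the vehicle is moving, deferred under an exception condition such as a level crossing, and otherwise only inhibits the next start. The message layout, shared HMAC key, replay counter and state fields are assumptions.

```python
# Added example: gate a remote "disable vehicle" request behind authentication
# and vehicle state. Message format, key and state fields are assumed.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class VehicleState:
    speed_kph: float
    engine_running: bool
    in_exception_zone: bool   # e.g. stopped on a level crossing


def authentic(key: bytes, payload: bytes, tag: bytes) -> bool:
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def decide_disable(key, payload, tag, state, last_counter):
    """Return (decision, reason) for an insurer's 'insurance invalid' message."""
    if not authentic(key, payload, tag):
        return "ignore", "bad MAC"              # forged or corrupted request
    kind, _, counter = payload.partition(b":")
    if kind != b"INSURANCE_INVALID" or not counter.isdigit():
        return "ignore", "malformed"
    if int(counter) <= last_counter:
        return "ignore", "replayed"             # old message sent again
    if state.speed_kph > 0:
        return "defer", "vehicle moving"        # slide: disabled while moving - No
    if state.in_exception_zone:
        return "defer", "exception condition"   # slide: level crossing
    if state.engine_running:
        return "defer", "engine running"
    return "inhibit_next_start", "stationary, engine stopped"


if __name__ == "__main__":
    key = b"k" * 32                             # constructed demo key
    msg = b"INSURANCE_INVALID:42"               # constructed demo message
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    for state in (VehicleState(50.0, True, False),
                  VehicleState(0.0, False, True),
                  VehicleState(0.0, False, False)):
        print(state, "->", decide_disable(key, msg, tag, state, last_counter=41))
```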

Trust in V2X Supply Chain

• Trust landscape

1) Threats understood and documented by all members of supply chain

2) Appropriate countermeasures in place

3) Software verified to threat model on delivery

4) Hardware verified to threat model on delivery

5) Service verified to threat model

[Diagram: Tier 3/4/5, Tier 2, Tier 1, OEM, Data transport, Service Provider (three instances)]

Incident Management

Use Examples from IT Industry

• Qualify and train supply chain

– Be prepared to remove uncooperative suppliers

• Setup peer incident management teams throughout supply chain

– When incidents occur, these teams provide the options

• Run simulated scenarios to exercise team

• Extend to cover

– Multiple OEMs

– Multiple Tier 1/2/3/4

– Multiple service providers

Detailed Tools

Use security capability developed for automotive industry

Use security capability developed for other industries

Initiatives

Collaboration Group formed to explore Cyber Security for connected vehicles

Contents

When

Investment

• Balance to be struck

1) Perceived threat

2) Available investment to counter threat

• Balance re-evaluated regularly

1) New model design

2) New feature development

3) Changing threat landscape

4) Standards iteration

5) Time

Risk Counter

When

• Is the threat to your products and services managed?

1) Threat assessment drives budgeting

2) “When” spend is required is driven by budget

• Begin budgeting now for V2X services threat assessment

• Invest resources in cross-industry collaboration

Summary

• Introduced context of securing V2X

– Categorisation

• Introduced motivations behind securing V2X

– Attacks, interested parties

• Provided top level suggestions for approaches

– 8 approaches discussed

• Looked at possible timescales

– Risk vs Investment

Contents

Thank You

Dr Paul Martin