V1.1 | 2020-10-12 MICROSAR Intrusion Detection System (IDS) Cybersecurity IDS

New Cyber Security Solution MICROSAR IDS rel


Page 1: New Cyber Security Solution MICROSAR IDS rel

V1.1 | 2020-10-12

MICROSAR Intrusion Detection System (IDS)

Cybersecurity IDS

Page 2: New Cyber Security Solution MICROSAR IDS rel

© 2020. Vector Korea IT Inc. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.1 | 2020-10-12

Agenda

• Motivation
• IDS Overview
• IDS Software Architecture
• IDS Protocol
• AUTOSAR Standardization
• MICROSAR IDS Roadmap
• Summary

Page 3: New Cyber Security Solution MICROSAR IDS rel

The Big Picture: Detection and Mitigation of Security Incidents

Motivation

1. Detect: Aggregate data from onboard security event sensors to identify and record potential onboard security incidents

2. Report: Propagate data of onboard security incidents, based on priority and SOC needs

3. Analyze: Analyze reported onboard security incident data for single vehicles and the whole fleet (e.g. impact analysis, root cause analysis)

4. Develop: Develop threat response (e.g. identification, implementation and test of countermeasures)

5. Deploy: Deploy software updates to mitigate threats

Figure labels: Attack; Security Operations Center (SOC) with SIEM solution

Page 4: New Cyber Security Solution MICROSAR IDS rel

Distributed onboard IDS as an additional Security Control

IDS Overview

Figure labels: ADAS Domain Controller; Infotainment Domain Controller; Telematic Control Unit; Powertrain Domain Cont.; Chassis Domain Controller; Body Domain Controller; Diagnostic port; Intrusion Detection System (IDS); Defense barriers

1. Remote access
2. Access to in-vehicle network
3. Bridge domain boundaries
4. Access to target ECU
5. Manipulate ECU or vehicle behavior

Page 5: New Cyber Security Solution MICROSAR IDS rel

Distributed onboard IDS as an additional Security Control

IDS Overview

Figure labels: ADAS Domain Controller; Infotainment Domain Controller; Telematic Control Unit; Powertrain Domain Cont.; Chassis Domain Controller; Body Domain Controller; Diagnostic port; IdsM and Sensors (repeated across the figure); IdsR; SOC

Legend:

Intrusion Detection System Reporter (IdsR)

Intrusion Detection System Manager (IdsM)

Security Sensors

Page 6: New Cyber Security Solution MICROSAR IDS rel

Elements of the comprehensive solution for IDS

IDS Overview

• Standardized BSW module IdsM (Intrusion Detection System Manager) for buffering, qualifying and processing onboard security events (SEv)
• Non-standardized SW component IdsR (Intrusion Detection System Reporter) for receiving QSEv from IdsM and transmitting it to the backend
• Standardized interfaces for reporting onboard security events (SEv)
• Standardized qualification filters for SEv
    • onboard security events (SEv) → qualified onboard security events (QSEv)
• Standardized persistence concept for QSEv
• Standardized protocol for transmission of QSEv from IdsM to IdsR
• Standardized SEv for BSW modules
    • KeyM
    • Dcm
    • SecOC
    • TLS
    • …

Page 8: New Cyber Security Solution MICROSAR IDS rel

Concept of Security Events

IDS Software Architecture

Figure labels: Security Event Sensor; Intrusion Detection System Manager (IdsM); Intrusion Detection System Reporter (IdsR); Security Event Memory (Sem); Security Event (SEv); Qualified Security Event (QSEv)

Page 9: New Cyber Security Solution MICROSAR IDS rel

Concept of Filters

IDS Software Architecture

Figure labels: Sensor; IDS Manager; IDS Reporter

Filters, in the order shown: Reporting Mode; MachineState; Forward Every n-th; Event Aggregation; Event Threshold; Event Rate Limitation; Traffic Limitation; to sink

Filter groups: Blockers; Sampling; Aggregation; Rate Limitation

Other labels: Event ID specific; instance specific; Event ID p; Event IDs p+1 … q-1; Event ID q

Page 10: New Cyber Security Solution MICROSAR IDS rel

Integration of IdsM in the AUTOSAR CP Layered Architecture

IDS Software Architecture

Figure labels: Application Layer; RTE; Crypto Services; Crypto Service Manager; Key Manager; Intrusion Detection System Manager; Crypto HW Abstr.; Crypto Drivers; Microcontroller (µC)

Page 11: New Cyber Security Solution MICROSAR IDS rel

IdsM Interfaces in AUTOSAR CP Architecture

IDS Software Architecture

Figure labels: Application; App; RTE; CRYPTO; CAN; COM; ETH; DIAG; MEM; MCAL; Microcontroller; HSM; Csm; CryIf; Crypto (HSM); KeyM; SecOC; Dcm; PduR; IdsM; Dem; Sem; Nvm; CanIf; CanDrv; EthIf; EthDrv

• BSW modules and applications can act as security sensors and report SEv to the IdsM
• The IdsM passes QSEv to the Sem for locally persisting QSEv records
• The IdsM passes QSEv to the PduR for transmission to the IdsR
• Optionally, integrity and confidentiality of the QSEv records can be enforced via the crypto stack

Page 12: New Cyber Security Solution MICROSAR IDS rel

IdsM Interfaces in AUTOSAR Adaptive Architecture

IDS Software Architecture

Page 14: New Cyber Security Solution MICROSAR IDS rel

Propagation of QSEv from IdsM to IdsR

IDS Protocol

Figure labels: ECU A (ASR Classic); ECU B (ASR Classic); ECU C (ASR Classic); ECU D (ASR Adaptive); IdsM; PduR; CAN Stack; Eth Stack; Communication Management; PDU Daemon; Reporting Interface; IdsR; I-PDU; Gateway Routing; CAN Bus; Ethernet; Mobile Data Link

The IdsM on Classic Platform (CP) uses a specific protocol, defined in an AUTOSAR PRS (Protocol Requirement Specification), to transfer its data to the IdsR on Adaptive Platform (AP).

The existing PduR gateway mechanism can be used to route data between CP ECUs.

Page 15: New Cyber Security Solution MICROSAR IDS rel

Propagation of QSEv from IdsM to IdsR

IDS Protocol

Figure labels: CAN ECU (ASR Classic); IdsM; PduR; CanTp; CanIf; I-PDU 1; I-PDU 2; CAN Bus

The goal of the IdsM implementation is to keep the CAN Bus Load as low as possible while providing all necessary information towards the Security Operation Center (SOC). Therefore it is necessary to use two separate PDUs. It must be ensured that reports without ContextData and without Timestamp fit into a single CAN frame.

I-PDU 1

• Used to send IdsM data including ContextData and/or Timestamp
• Uses CAN Transport Protocol (CanTp) to send segmented messages

I-PDU 2

• Used to send IdsM data without ContextData and without Timestamp
• Sends unsegmented, size optimized data

Page 16: New Cyber Security Solution MICROSAR IDS rel

Protocol: Transmission of Qualified Security Events

IDS Protocol

Field Name | Length | Purpose
Protocol Version | 4 Bit | The version of the IdsM protocol
Protocol Header | 4 Bit | IdsM protocol header information. Bit 0: 0 - No ContextData included, 1 - ContextData included. Bit 1: 0 - No Timestamp included, 1 - Timestamp included. Bit 2-3: reserved
SourceId | 10 Bit | Unique identifier of the sending IdsM instance, 0-1023
Module Instance Id | 6 Bit | Identifier to differentiate between multiple instances of modules
EventId | 16 Bit | Unique identifier of a Security Event. Range of AUTOSAR internal IDs: 0…0x7FFF. Range of customer specific IDs: 0x8000…0xFFFF
Count | 16 Bit | Number of IdsM calls which result in the current event after processing the configured filter, e.g. EventAggregation
Timestamp | 64 Bit | Timestamp/Tickstamp when the event was detected. Bit 0: 0 - AUTOSAR Standard, 1 - Auxiliary/OEM Specific. Resolution in ms. May not be necessary for every event type (optional). If not set, the field is filled by IdsR. If not authentic time, IdsR might recalculate the time and insert a new value
Context Data | 0…(2^32-9) Bytes | Binary blobs attached by the sensor
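
The frame layout in the table above, together with the I-PDU 1 / I-PDU 2 split from the previous slide, written as a bounds-checked decoder. This is an added example, not Vector or AUTOSAR code, and the names qsev_t, qsev_decode and qsev_fits_ipdu2 are hypothetical. The slide gives no bit or byte order and no ContextData length encoding, so the code assumes MSB-first packing in table order, header Bit 0 as the least-significant header bit, and ContextData running to the end of the PDU.

```c
/* Added example, not Vector or AUTOSAR code. Assumed beyond the slide:
 * MSB-first packing in table order, header "Bit 0" = least-significant
 * header bit, ContextData (when flagged) fills the rest of the PDU. */
#include <stddef.h>
#include <stdint.h>

#define QSEV_HDR_CONTEXT   0x1u  /* Bit 0: ContextData included */
#define QSEV_HDR_TIMESTAMP 0x2u  /* Bit 1: Timestamp included */
#define QSEV_HDR_RESERVED  0xCu  /* Bits 2-3: reserved */
#define QSEV_BASE_LEN      7u    /* 4+4+10+6+16+16 bits = 7 bytes */

typedef struct {
    uint8_t  version, header, module_instance_id;
    uint16_t source_id, event_id, count;
    uint64_t timestamp;            /* 0 unless the Timestamp bit is set */
    const uint8_t *context;        /* points into the caller's buffer */
    size_t   context_len;
} qsev_t;

/* Returns 0 on success, a negative code for a malformed frame. */
int qsev_decode(const uint8_t *buf, size_t len, qsev_t *out)
{
    size_t off = QSEV_BASE_LEN;
    if (buf == NULL || out == NULL || len < QSEV_BASE_LEN) return -1;
    out->version = (uint8_t)(buf[0] >> 4);
    out->header = (uint8_t)(buf[0] & 0x0Fu);
    if (out->header & QSEV_HDR_RESERVED) return -2;  /* reserved bits set */
    out->source_id = (uint16_t)((buf[1] << 2) | (buf[2] >> 6));  /* 10 bit */
    out->module_instance_id = (uint8_t)(buf[2] & 0x3Fu);         /* 6 bit */
    out->event_id = (uint16_t)((buf[3] << 8) | buf[4]);
    out->count = (uint16_t)((buf[5] << 8) | buf[6]);
    out->timestamp = 0;
    out->context = NULL; out->context_len = 0;
    if (out->header & QSEV_HDR_TIMESTAMP) {
        if (len - off < 8u) return -3;               /* truncated timestamp */
        for (size_t i = 0; i < 8u; i++)
            out->timestamp = (out->timestamp << 8) | buf[off + i];
        off += 8u;
    }
    if (out->header & QSEV_HDR_CONTEXT) {
        out->context = buf + off;
        out->context_len = len - off;
    } else if (len != off) {
        return -4;                       /* bytes the header does not announce */
    }
    return 0;
}
/* Frames with neither flag set are the 7-byte form sent unsegmented on I-PDU 2. */
int qsev_fits_ipdu2(const qsev_t *e) { return (e->header & 0x3u) == 0; }
```

Rejecting set reserved bits and unannounced trailing bytes is a choice of this example; a receiver that must accept padded PDUs would relax the last check.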

Page 18: New Cyber Security Solution MICROSAR IDS rel

Release Plan

AUTOSAR Standardization

• Target release: R20-11
• BSW module IdsM (Intrusion Detection System Manager)
    • for buffering, filtering and processing onboard security events (SEv)
• Interfaces for reporting onboard security events (SEv)
• Protocol for transmission of QSEv from IdsM to IdsR
• Security Extract (SecXT) to define Security Events and their properties
• SEv for BSW modules

Page 19: New Cyber Security Solution MICROSAR IDS rel

New Work Products

AUTOSAR Standardization

Work Product | Platform | ID
Concept Document IdsM | n.a. | n.a.
RS IdsM | Foundation | 976
SWS IdsM | CP | 977
SWS IdsM | AP | 978
RS SecurityExtractTemplate | Foundation | 979
TPS SecurityExtractTemplate | Foundation | 980
PRS IdsM | Foundation | 981

Page 20: New Cyber Security Solution MICROSAR IDS rel

Impacted Work Products

AUTOSAR Standardization

Work Product | Platform
SRS BSW General | CP
SWS BSW General | CP
SWS NvM | CP
SWS SecOC | CP
SWS KeyM | CP
SWS Dcm | CP
SWS TCP/IP (for TLS) | CP

Page 22: New Cyber Security Solution MICROSAR IDS rel

IdsM CP

MICROSAR IDS Roadmap

Milestones: IdsM Beta 1 (2020/07); IdsM Beta 2 (2020/11); IdsM QM (2021/04)

• API for reporting SEv from BSW and SWC to IdsM
• Support of buffering and filtering of SEv
• Propagation of security events to IdsR according to PRS IdsM
• Postbuild loadable of
• Support BSW-Sensors & SEv
    • vSCC
• Support of time stamps
• Support of IdsM SEv
• Comfort View for DaVinci Configurator
• Support BSW-Sensors & SEv
    • CanDrv
    • CanIf
    • EthIf
• Store QSEv in Security Event Memory
• Reconfigure reporting mode at runtime via diagnostic routines
• Support BSW-Sensors & SEv
    • TCPIP
    • SOAD
• Dem Extensions
    • Synchronous API for setting event status with snapshot data
    • Independent user defined event memories
• Nvm Extensions
    • MAC for Nvm Blocks

Page 23: New Cyber Security Solution MICROSAR IDS rel

Benefits of the Concept

Summary

• Provides a standardized technical framework for implementing onboard IDS
• Specified for interoperability of AUTOSAR CP and AP
• Allows a distributed approach (no single point of failure)
• Scalable approach to balance available resources and reporting needs
• Configurable detection and reporting behavior to meet OEM needs and constraints of vehicle E/E-architecture
• Set of standardized security event types provided for standard SW
• Framework serves as an automotive industry “state of the art” reference concept for onboard IDS
• OEMs can rely on the continuous evolution and maintenance of the specification
• No need for OEMs to coordinate suppliers on a detailed technical level to achieve a distributed onboard IDS

Page 24: New Cyber Security Solution MICROSAR IDS rel

Son, Myeonghyeon
Vector Korea

For more information about Vector and our products please visit www.vector.com