Safety and Security for Connected Cars
Connected Cars must be Demonstrably Secure!


The connection of automotive systems with other systems such as road-side units, other vehicles, and various servers in the Internet opens up new ways for attackers to remotely access safety-relevant subsystems within a connected car. This safety-critical technology presents major challenges in the secure design of the involved systems and protocols. Security of vehicular ecosystems is thus of utmost importance for the acceptance of such systems. Given the ever-growing stream of news about new threats, one must assume that some vulnerabilities always remain and that attackers will very likely attempt to exploit them. It is therefore important to improve the security of in-vehicle networks, and as long as there are no effective means to prevent specific attacks, methods should be in place to detect them automatically and react to the resulting alerts.
Security Requirements for Automotive Systems



The security requirements elicitation step in the security engineering process for automotive systems and ecosystems not only provides input to the secure on-board architecture design but also contributes to security compliance verification for testing and runtime monitoring. In the project EVITA we participated in the development of a method which is described in detail in EVITA deliverable D2.3 [D2.3]. This method is referenced in the SAE J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems, an important document on recommended practice for the automotive industry.

Behavior Conformance Tracking for Automotive Systems

Conformance tracking is the capability to detect deviations of observed events from expected events in the current state.



We analyze the behavior of an automotive system based on monitored messages of electronic control units. The aim is to compare the measured behavior of the system with a model that reflects the expected behavior and to reason about possible attack attempts.
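Conformance tracking as sketched above, as an added illustration that is not code from this page or from the authors' project: a behavior model (the allowed successor events for each state) is learned from constructed known-good message traces, and an observed trace is replayed against it so that every unanticipated transition yields an alert. The event names are hypothetical stand-ins for ECU message types, and the two resynchronization strategies are assumptions made for this example.

```python
from collections import defaultdict

START = "<start>"  # synthetic initial state before the first message

def discover_model(traces):
    """Learn the set of allowed successor events for each state from
    known-good traces (a minimal form of process discovery). The state is
    the most recently observed event type."""
    allowed = defaultdict(set)
    for trace in traces:
        state = START
        for event in trace:
            allowed[state].add(event)
            state = event
    return allowed

def track(model, observed, resync="skip"):
    """Replay an observed event sequence against the model and return
    alerts (index, state, event) for every unanticipated transition.

    resync selects the synchronization strategy after an alert:
      "skip": ignore the unexpected event and keep the current state,
      "jump": treat the unexpected event as the new state.
    """
    alerts = []
    state = START
    for i, event in enumerate(observed):
        if event in model.get(state, set()):
            state = event
            continue
        alerts.append((i, state, event))
        if resync == "jump":
            state = event
    return alerts

# Constructed known-good traces of expected in-vehicle message sequences.
EXPECTED_TRACES = [
    ["ignition_on", "engine_rpm", "vehicle_speed", "brake_status",
     "engine_rpm", "vehicle_speed", "ignition_off"],
    ["ignition_on", "engine_rpm", "brake_status", "vehicle_speed", "ignition_off"],
]
# Constructed observed trace: a door_unlock message appears while driving,
# a sequence never seen in the expected behavior.
OBSERVED = ["ignition_on", "engine_rpm", "vehicle_speed", "door_unlock",
            "brake_status", "vehicle_speed", "ignition_off"]

if __name__ == "__main__":
    for idx, state, event in track(discover_model(EXPECTED_TRACES), OBSERVED):
        print(f"alert: event #{idx} '{event}' not expected after '{state}'")
```

With the "skip" strategy only the door_unlock message is flagged; with "jump" the following brake_status message is flagged as well, which is why the choice of synchronization strategy matters for the number of suspicious sequences forwarded for further analysis.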
Publications on Security for Connected Cars
Roland Rieke, Marc Seidemann, Elise Kengni Talla, Daniel Zelle, and Bernhard Seeger (2017),
Behavior Analysis for Safety and Security in Automotive Systems,
The 25th Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP 2017)
Abstract: The connection of automotive systems with other systems such as road-side units, other vehicles, and various servers in the Internet opens up new ways for attackers to remotely access safety relevant subsystems within connected cars. The security of connected cars and the whole vehicular ecosystem is thus of utmost importance for consumer trust and acceptance of this emerging technology. This paper describes an approach for on-board detection of unanticipated sequences of events in order to identify suspicious activities. The results show that this approach is fast enough for in-vehicle application at runtime. Several behavior models and synchronization strategies are analyzed in order to narrow down suspicious sequences of events to be sent in a privacy respecting way to a global security operations center for further in-depth analysis.
BibTeX:
@INPROCEEDINGS{pdp2017,
  booktitle={Parallel, Distributed and Network-Based Processing (PDP), 2017 25th Euromicro International Conference on},
  author={Roland Rieke and Marc Seidemann and Elise Kengni Talla and Daniel Zelle and Bernhard Seeger},
  title={Behavior Analysis for Safety and Security in Automotive Systems},
  year={2017},
  month={Mar},
  pages={381-385},
  keywords={automotive security; connected car; predictive security analysis; 
            security modeling and simulation; security monitoring; 
            complex event processing; process discovery},
  doi={10.1109/PDP.2017.67},
  url={http://ieeexplore.ieee.org/document/7912675/},
  publisher = {IEEE Computer Society},
}
Andreas Fuchs and Roland Rieke (2010),
Identification of Security Requirements in Systems of Systems by Functional Security Analysis,
In Architecting Dependable Systems VII, (Springer LNCS 6420)
Abstract: Cooperating systems typically base decisions on information from their own components as well as on input from other systems. Safety critical decisions based on cooperative reasoning however raise severe concerns to security issues. Here, we address the security requirements elicitation step in the security engineering process for such systems of systems. The method comprises the tracing down of functional dependencies over system component boundaries right onto the origin of information as a functional flow graph. Based on this graph, we systematically deduce comprehensive sets of formally defined authenticity requirements for the given security and dependability objectives. The proposed method thereby avoids premature assumptions on the security architecture's structure as well as the means by which it is realised. Furthermore, a tool-assisted approach that follows the presented methodology is described.
BibTeX:
@incollection{fuchs:rieke:2010,
author = {Andreas Fuchs and Roland Rieke},
title = {{Identification of Security Requirements in Systems of Systems by Functional Security Analysis}},
booktitle = {Architecting Dependable Systems VII},
editor = {Antonio Casimiro and Rogério de Lemos and Cristina Gacek},
publisher = {Springer},
series = {Lecture Notes in Computer Science},
volume = {6420},
year = {2010},
pages = {74--96},
doi={10.1007/978-3-642-17245-8_4},
url={http://dx.doi.org/10.1007/978-3-642-17245-8_4},
isbn = {978-3-642-17244-1}
}
Andreas Fuchs and Roland Rieke (2010),
Identification of Security Requirements for Vehicular Communication Systems,
2010 CAST-Workshop on Mobile Security for Intelligent Cars (EVITA project workshop)
BibTeX:
@inproceedings{talks-CAST:2010,
  editor = {Olaf Henniger},
  booktitle = {Presentation slides from the EVITA project workshop},
  author = {Andreas Fuchs and Roland Rieke},
  title = {Identification of Security Requirements for Vehicular Communication Systems},
  institution = {EVITA European project},
  type = {Deliverable},
  number = {D1.2.5.1},
  year = {2010},
  month= {July},
  note = {CAST-Workshop on Mobile Security for Intelligent Cars, Darmstadt, Germany},
  url = {http://evita-project.org/Publications/EVITAD1.2.5.1.pdf}
}
Alastair Ruddle, David Ward, Benjamin Weyl, Sabir Idrees, Yves Roudier, Michael Friedewald, Timo Leimbach, Andreas Fuchs, Sigrid Gürgens, Olaf Henniger, Roland Rieke, Matthias Ritscher, Henrik Broberg, Ludovic Apvrille, Renaud Pacalet, and Gabriel Pedroza (2009),
Security requirements for automotive on-board networks based on dark-side scenarios,
EVITA Deliverable D2.3
Abstract: The objective of the EVITA project is to design, verify, and prototype an architecture for automotive on-board networks where security-relevant components are protected against tampering and sensitive data are protected against compromise. Thus, EVITA will provide a basis for the secure deployment of electronic safety aids based on vehicle-to-vehicle and vehicle-to-infrastructure communication. A key activity for the EVITA project is the capture of security requirements for the secure system architecture and associated software and hardware components based on a set of use cases and an investigation of security threat scenarios (dark-side scenarios). This document outlines the processes used to identify and evaluate security requirements, and details the results of their application to automotive on-board networks. It provides input to the secure on-board architecture design.
BibTeX:
@techreport{other-evita-d2.3,
  author = {Alastair Ruddle and David Ward and Benjamin Weyl and Sabir Idrees
	and Yves Roudier and Michael Friedewald and Timo Leimbach and Andreas
	Fuchs and Sigrid G\"urgens and Olaf Henniger and Roland Rieke and
	Matthias Ritscher and Henrik Broberg and Ludovic Apvrille and Renaud
	Pacalet and Gabriel Pedroza},
  title = {Security requirements for automotive on-board networks based on dark-side
	scenarios},
  institution = {EVITA project},
  year = {2009},
  type = {{EVITA Deliverable D2.3}},
  url = {http://evita-project.org/deliverables.html}
}
Christophe Jouvray, Antonio Kung, Michel Sall, Andreas Fuchs, Sigrid Gürgens, and Roland Rieke (2009),
Security and trust model,
EVITA Deliverable D3.1
Abstract: The objective of the EVITA project is to design, verify, and prototype an architecture for automotive on-board networks where security-relevant components are protected against tampering and sensitive data are protected against compromise. Thus, EVITA will provide a basis for the secure deployment of electronic safety aids based on vehicle-to-vehicle and vehicle-to-infrastructure communication. Designing a system respecting the criteria of security and trust is a complex task. Security will cover various aspects such as dependability, integrity, authenticity, or even privacy. It is thus possible to have confidence in a system where evidence is provided to the user. To do this, taking into account security issues should begin early in the product life cycle. Currently, model driven approaches are used in application design. Model oriented approaches must be adjusted to take into account the security mechanisms. This document analyzes different approaches to security architecture models and specifies a suitable security and trust model for automotive on-board networks. Two main solutions are proposed to adapt model approaches. The first one concerns directly the model driven engineering by introducing all needed concepts into a model. The second solution proposes a formal method for the refinement of security properties. High level properties specified within a platform-independent model can be refined to properties required by certain security mechanisms which in turn reflect the platform-specific architecture chosen.
BibTeX:
@techreport{other-evita-d3.1,
  author = {Christophe Jouvray and Antonio Kung and Michel Sall and Andreas
	Fuchs and Sigrid G\"urgens and Roland Rieke},
  title = {Security and trust model},
  institution = {EVITA project},
  year = {2009},
  type = {{EVITA Deliverable D3.1}},
  url = {http://evita-project.org/deliverables.html}
}
Andreas Fuchs and Roland Rieke (2009),
Identification of authenticity requirements in systems of systems by functional security analysis,
In Workshop on Architecting Dependable Systems (WADS 2009), in Proceedings of the 2009 IEEE/IFIP Conference on Dependable Systems and Networks, Supplemental Volume.
Abstract: Cooperating systems typically base decisions on information from their own components as well as on input from other systems. Safety critical decisions based on cooperative reasoning, such as automatic emergency braking of a vehicle, raise severe concerns to security issues. In this paper we address the security engineering process for such systems of systems. The presented authenticity requirements elicitation method is based on functional dependency analysis. It comprises the tracing down of functional dependencies over system boundaries right onto the origin of information. A dependency graph with a safety critical function as root and the origins of decision relevant information as leaves is used to deduce a set of authenticity requirements. This set is comprehensive and defines the maximal set of authenticity requirements from the given functional dependencies. Furthermore, the proposed method avoids premature assumptions on the architectural structure and mechanisms to implement security measures.
BibTeX:
@inproceedings{fuchs:rieke:2009,
  author = {Andreas Fuchs and Roland Rieke},
  title = {Identification of authenticity requirements in systems of systems by functional security analysis},
  booktitle = {Workshop on Architecting Dependable Systems (WADS 2009), in Proceedings of the 2009 IEEE/IFIP Conference on Dependable Systems and Networks, Supplemental Volume},
  year = {2009},
  pages={E29-E34},
}