The interdependence of safety and security in autonomous driving
Autonomous vehicle safety is now inextricably linked with cybersecurity.
Extremely strong cybersecurity is essential to protect tomorrow’s road users, whether they are in full- or near-autonomous vehicles.
As in any industry, suitable standards help OEMs validate their work in the eyes of regulators and the marketplace. The major automotive cybersecurity standard in place today is ISO/SAE 21434, which provides a structured process to ensure cybersecurity considerations are incorporated into automotive products. It requires that automotive manufacturers and suppliers demonstrate due diligence in implementing cybersecurity engineering and that cybersecurity management is applied throughout the supply chain.
The quest for increased road safety is an important factor in the development of higher levels of driving automation, as defined by SAE J3016, the standard that classifies the levels of driving automation.
Many automobiles on the roads today contain systems up to Level 2, which are classed as driver-support features. These include Level 0 features like automatic emergency braking and lane-departure warnings, while higher levels include lane centering and adaptive cruise control. Things get more interesting at Levels 3, 4 and 5, which define automated modes where the human driver is no longer in control.
Clearly, this progression offers some exciting opportunities. By definition, human error can be eliminated from driving. As this is the dominant cause of road accidents, the promise of a reduction in mortality and serious injuries is welcomed.
On the other hand, some may struggle to cede control to a machine. Indeed, it’s a big step to place the necessary trust in technology; to sit back and let the robot do the driving.
For sure, the safety of automated driving features is a concern. Historically, automotive electrical and electronic systems have been regulated according to the functional safety standard ISO 26262. Systems that comply can assure a high level of resilience in the event of failure of the system or components. However, automated driving technology brings the potential for the system to make errors, such as incorrectly interpreting a situation on the road. For instance, what would happen if sensors become momentarily “blinded” by reflections or sunlight?
Automated driving systems can cause hazards without system failure. Hence, although applying ISO 26262 remains necessary, it is no longer sufficient.
New approaches and challenges
A new approach to safety is explicitly aimed at the challenges presented by automated driving: safety of the intended function (SOTIF), documented in the standard ISO/PAS 21448:2019.
But another potential challenge to the safety of autonomous driving exists. As vehicle manufacturers seek to make their products software-defined for flexibility and connect them to the cloud for user convenience, the threat of cyberattack is a very real danger.
A hacker’s target may simply be to steal user data like passwords, credit card information or intellectual property. An automaker could suffer financial loss and the cost of fines imposed for failing to protect customer privacy.
Additionally, hacking vehicles can threaten human safety and lives. The notorious test hacking of a Jeep Cherokee, which managed to take control of the vehicle while on a highway and render the driver powerless, showed vividly that this is a serious issue.
Without adequate cybersecurity, conventional, human-controlled x-by-wire systems are vulnerable. The prospect is distressing enough for a driver who may be able to retain partial control of the vehicle. In a fully autonomous vehicle — with no steering wheel or pedals — occupants are at the mercy of their remote, invisible cyber-assailant.
Today’s connected, software-defined cars have ceased to be the independent, shielded entities that can be regarded as being functionally safe simply through conformance with ISO 26262. Automated driving has raised the stakes, drawing the hazard-based SOTIF approach into the safety mix.
With the possibility for cars to be hacked, cybersecurity and safety have become inextricably linked.
No safety without security
Accordingly, regulations and standards have evolved to deal with automotive cybersecurity. The U.S. National Highway Traffic Safety Administration (NHTSA) conducted research to establish a lifecycle process to investigate tools and methods for design and validation and create guiding principles. It published Cybersecurity Best Practices to help the automotive industry improve cybersecurity for safety. ENISA, the European Union Agency for Cybersecurity, also reported on best practices for the security of smart (connected and semi-autonomous) vehicles.
The United Nations World Forum for Harmonization of Vehicle Regulations, a working party (WP.29) of the Economic Commission for Europe (UNECE), proposed regulation on cybersecurity and cybersecurity management systems, which the EU is expected to adopt. The regulation requires manufacturers to implement measures for managing vehicle cyber-risks, securing vehicles by design to mitigate risks along the value chain, detecting and responding to security incidents across the vehicle fleet, providing secure software updates for the vehicle lifetime, and ensuring vehicle safety is not compromised.
Connected and autonomous vehicles can be regarded as Internet of Things (IoT) devices – or groups of devices – operating at the edge. Automakers face security challenges similar to those faced by other adopters of connected devices, and they need to get to grips with the concepts behind IoT security if increasingly autonomous vehicles are to be safeguarded.
Similar cyberthreats face autonomous industrial assets such as robots and particularly cobots that work alongside humans with minimal guarding, as well as mobile robots – aka drones – that are expected to be present in urban airspace in increasing numbers.
As with autonomous vehicles, cyberattackers can cause grave injury or seriously damage public confidence in the technologies that are expected to support life and work in the future.
Cybersecurity experts say a strategy for protecting vehicles against attack should deal with three key aspects:
- authentication and access control to manage the privileges of parties such as the user, OEM and partner organizations
- protection against external attacks to prevent unauthorized controls, block malware and protect data and communications
- incident detection and response to identify, respond to and report attacks and threats
The sensors in connected cars present a particular security threat. There are so many of them: radar, lidar, ultrasonic, vision, temperature, pressure, etc. Most will have microcontrollers or ASICs within the sensor modules, and they will be connected to gateways for internal and external communications. All these devices – sensors and gateways alike – are potential open windows for hackers.
Hardware-based security for sensors: creating a root of trust in every semiconductor
Automobiles, like most other IoT devices, are subject to tight constraints on electrical power and computing performance. Relying on software-based approaches to security, alone, will not deliver the protection and safety required while meeting physical constraints and preserving the real-time performance of safety-critical functions.
Trust needs to be established between the devices interconnected throughout the vehicle network, and between the vehicle and equipment and services connected through external interfaces. If the identity and integrity of each can be trusted, so can the instructions and data they send.
Hardware-based authentication, such as secure boot, relies on a chain of trust rooted in some credential that is an immutable feature of the IC. This may be a cryptographic key burned into the device under secure conditions using one-time-programmable fuses. Alternatively, a newer technology establishes the chip identity with a physically unclonable function (PUF) that is unique to the IC, such as random nanoscale characteristics of the chip structure that influence the quantum behavior of charge carriers. Each chip has its own “fingerprint” in this respect, which can be used to identify the device and generate cryptographic keys on demand instead of storing keys permanently in the chip.
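The point that a PUF lets a chip regenerate its key on demand instead of storing it hides a practical detail: a physical fingerprint is read with a little noise each time, so the raw readout cannot be used as a key directly. The usual answer is a fuzzy extractor: at enrollment the chip binds a random secret to its readout and stores only public helper data; on every later boot it corrects the noise and recovers the same key. The following is an added illustration, not code from the article or from any chip vendor. The "PUF" is a constructed bit string, the noise is injected deterministically so the run is reproducible, and the error-correcting code is a plain repetition code chosen for clarity (production designs use stronger codes and side-channel-hardened logic). A public commitment to the key is stored alongside the helper data so that an over-noisy readout, or a different chip, is detected rather than silently yielding a wrong key.

```python
"""Toy fuzzy extractor: turn a noisy PUF readout into a stable key.

Added illustration, not code from the article or from any chip vendor. The
"PUF" is a constructed bit string standing in for a real chip's physical
fingerprint; noise is injected deterministically so the run is reproducible.
The repetition code is chosen for clarity, not strength."""
import hashlib
import hmac
import random
import secrets

REPEAT = 5                   # repetition-code length per secret bit
T = (REPEAT - 1) // 2        # bit flips per block that majority vote still corrects
KEY_BITS = 128
RESPONSE_BITS = KEY_BITS * REPEAT


def derive_key(secret_bits):
    """Hash the corrected secret bits into a fixed-length key (stand-in for a KDF)."""
    packed = int("".join(map(str, secret_bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(b"puf-kdf|" + packed).digest()


def commitment_of(key):
    """Public check value stored beside the helper data so a wrong key is detected."""
    return hashlib.sha256(b"puf-key-check|" + key).digest()


def enroll(response):
    """Factory step, run once: bind a fresh random secret to this chip's response.
    Returns public (helper, commitment) for non-secret storage plus the key itself."""
    secret_bits = [secrets.randbits(1) for _ in range(KEY_BITS)]
    codeword = [b for b in secret_bits for _ in range(REPEAT)]
    helper = [r ^ c for r, c in zip(response, codeword)]   # codeword masked by the PUF
    key = derive_key(secret_bits)
    return helper, commitment_of(key), key


def reproduce(noisy_response, helper, commitment):
    """Field step, every boot: regenerate the key from a fresh, noisy readout.
    Returns None when the readout is too noisy or belongs to a different chip."""
    noisy_codeword = [r ^ h for r, h in zip(noisy_response, helper)]
    secret_bits = [
        1 if sum(noisy_codeword[i:i + REPEAT]) > REPEAT // 2 else 0   # majority vote per block
        for i in range(0, RESPONSE_BITS, REPEAT)
    ]
    key = derive_key(secret_bits)
    if not hmac.compare_digest(commitment_of(key), commitment):
        return None
    return key


def add_noise(response, flips_per_block, rng):
    """Flip exactly flips_per_block bits in every REPEAT-bit block (constructed noise model)."""
    noisy = list(response)
    for start in range(0, RESPONSE_BITS, REPEAT):
        for pos in rng.sample(range(start, start + REPEAT), flips_per_block):
            noisy[pos] ^= 1
    return noisy


def demo():
    rng = random.Random(2024)                      # seeded: constructed chips, reproducible run
    chip_a = [rng.randint(0, 1) for _ in range(RESPONSE_BITS)]
    chip_b = [rng.randint(0, 1) for _ in range(RESPONSE_BITS)]
    helper, commitment, enrolled_key = enroll(chip_a)
    return {
        # same chip, noise within the code's capacity: identical key, no key stored in NVM
        "same_chip_recovers_key": reproduce(add_noise(chip_a, T, rng), helper, commitment) == enrolled_key,
        # same chip, one flip too many per block: wrong key, caught by the commitment
        "excess_noise_detected": reproduce(add_noise(chip_a, T + 1, rng), helper, commitment) is None,
        # another chip using chip A's helper data cannot reproduce chip A's key
        "other_chip_rejected": reproduce(chip_b, helper, commitment) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The helper data and commitment are public and can live in ordinary flash; only the PUF response, which never leaves the chip, is secret. Note that the capacity of the code has to be matched to the measured bit-error rate of the PUF over temperature and ageing, otherwise legitimate boots fail the commitment check.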
Whichever way it is established, the chip’s unalterable identity provides the hardware root of trust that anchors the high-assurance boot process. This provides the foundation for cybersecurity by ensuring that only authorized software is allowed to load and execute on the system, preventing manipulation of the operating system and application.
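The chain of trust described above can be shown in miniature: an immutable value in OTP vouches for the first stage, and each stage carries the digest it will demand of the next, so a modified image anywhere in the chain is refused before it executes. The following is an added example, not code from the article or from any vendor's boot ROM. Production secure boot pins a public-key hash in OTP and verifies signatures over the images, which lets images be re-signed without touching fuses; Python's standard library has no signature primitive, so hash pinning stands in for that step here, and the stage contents are constructed byte strings. The boot loop also accumulates a TPM-style measurement of what actually ran, which is what later attestation would report.

```python
"""Hash-anchored chain of trust for a multi-stage boot (illustration).

Added example, not from the article or from any vendor's boot ROM. Hash
pinning stands in for signature verification; stage contents are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes
    next_hash: Optional[bytes]   # digest demanded of the next stage; None for the last stage


def image_digest(stage: Stage) -> bytes:
    """Digest over the name, length-prefixed code and embedded successor digest."""
    h = hashlib.sha256()
    h.update(stage.name.encode())
    h.update(len(stage.code).to_bytes(4, "big"))
    h.update(stage.code)
    h.update(stage.next_hash or b"")
    return h.digest()


def build_chain(payloads):
    """Build step: link stages back to front so each one pins its successor.
    payloads: list of (name, code) in boot order. Returns (otp_root_hash, stages)."""
    stages = []
    next_hash = None
    for name, code in reversed(payloads):
        stage = Stage(name, code, next_hash)
        stages.append(stage)
        next_hash = image_digest(stage)
    stages.reverse()
    return next_hash, stages          # first stage's digest: the value burned into OTP


def verified_boot(otp_root_hash: bytes, stages):
    """Boot-ROM logic: execute a stage only if its digest matches what the
    predecessor (or OTP) demands. Returns (booted names, measurement, status)."""
    expected = otp_root_hash
    measurement = bytes(32)                       # accumulated like a TPM PCR extend
    booted = []
    for stage in stages:
        if expected is None:                      # previous stage declared itself last
            return booted, measurement, f"refused {stage.name}: unexpected extra stage"
        actual = image_digest(stage)
        if not hmac.compare_digest(actual, expected):
            return booted, measurement, f"refused {stage.name}: digest mismatch"
        measurement = hashlib.sha256(measurement + actual).digest()
        booted.append(stage.name)
        expected = stage.next_hash
    return booted, measurement, "ok"


def demo():
    # constructed stand-ins for real images
    payloads = [("rom-loader", b"stage1 code"),
                ("hypervisor", b"stage2 code"),
                ("sensor-fw", b"stage3 code")]
    otp, stages = build_chain(payloads)
    good = verified_boot(otp, stages)

    # stage 2 modified in flash while stage 1 and OTP are unchanged: refused at stage 2
    modified = list(stages)
    modified[1] = Stage(stages[1].name, stages[1].code + b"\x90", stages[1].next_hash)
    bad = verified_boot(otp, modified)

    # a whole rebuilt chain with a different stage 2: OTP still pins the original stage 1
    _, rebuilt = build_chain([payloads[0], ("hypervisor", b"other code"), payloads[2]])
    rebuilt_on_real_fuses = verified_boot(otp, rebuilt)

    return {
        "clean_boot": good[0],
        "clean_status": good[2],
        "modified_booted": bad[0],
        "modified_status": bad[2],
        "rebuilt_booted": rebuilt_on_real_fuses[0],
        "measurement_changes": good[1] != bad[1],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two properties matter for a gateway or sensor controller: nothing unverified ever runs (the loop stops at the first mismatch), and the measurement value differs whenever the executed chain differs, so a back-end can tell a clean boot from an interrupted one.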
Securing the next link in the chain: the connected gateway
Connected gateways direct the signals from the plethora of sensors installed in vehicles, routing them internally between systems and externally, typically over cellular connections. Evolving 5G technologies will accelerate the use of external communications as higher-bandwidth, lower-latency connections become available.
Connected gateways, therefore, have a vital role to play in ensuring vehicle security and safety.
Infineon's AURIX family of automotive microcontrollers is one example of devices designed specifically for this application. At their heart is a 32-bit multicore microcontroller with a built-in hardware security module (HSM). The HSM is used to manage the cryptographic keys needed for secure communications. At the system level, real-time, security-critical functions can be given additional protection using the company’s complementary OPTIGA TPM security controllers and secure elements. The figure below shows how the system blocks fit together.
All connected automobiles are vulnerable to cyberattacks, with the potential for hackers to interfere with major functions such as steering, braking and speed. As future generations of autonomous vehicles minimize and ultimately eliminate driver engagement, the potential arises for hackers to take control of vehicles on the roads. Safety is now inextricably linked with cybersecurity.
To safeguard autonomous vehicles within practical constraints on size, weight, power and cost, vehicle makers need to leverage the concepts behind IoT security. A multi-layered approach, rooted in robust hardware-based protection at the chip level, is essential.