Automotive Cybersecurity Engineering Handbook: The automotive engineer's roadmap to cyber-resilient vehicles 9781801076531
ccelerate your journey of securing safety-critical automotive systems through practical and standard-compliant methods K
115 20 13MB
English Pages 393 Year 2023
Table of contents :
Automotive Cybersecurity Engineering Handbook
Contributors
About the author
About the reviewers
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
Part 1:Understanding the Cybersecurity Relevance of the Vehicle Electrical Architecture
1
Introducing the Vehicle Electrical/Electronic Architecture
Overview of the basic building blocks of the E/E architecture
Electronic control units
Looking at MCU-based ECUs
Looking at SoC-based ECUs
Looking inside the MCU and SoC software layers
ECU domains
Fuel-based powertrain domain
Electric drive powertrain domain
Chassis safety control domain
Interior cabin domain
Infotainment and connectivity domain
Cross-domain
Exploring the in-vehicle network
CAN
FlexRay
LIN
UART
SENT
GMSL
I2C
Ethernet
J1939
Sensors and actuators
Sensor types
Actuators
Exploring the vehicle architecture types
Highly distributed E/E architecture
Domain-centralized E/E architecture
Zone architecture
Commercial truck architecture types
Summary
Answers to discussion points
Further reading
2
Cybersecurity Basics for Automotive Use Cases
Exploring the attack classes
Passive attacks
Active attacks
Identifying security objectives
Integrity
Authenticity
Confidentiality
Accountability
Availability
Cryptography applied to automotive use cases
Building blocks
One-way hash functions
Message authentication code algorithms
Random number generators
Public key cryptography
Key management
NIST defined security strength
Chinese cryptography
PQC algorithms
Security principles
Defense in depth
Domain separation
Least privilege
Least sharing
Mediated access
Protective defaults
Anomaly detection
Distributed privilege
Hierarchical protection and zero trust
Minimal trusted elements
Least persistence
Protective failure
Continuous protection
Redundancy
Use of standardized cryptography
Summary
Further reading
3
Threat Landscape against Vehicle Components
Threats against external vehicle interfaces
Backend-related threats
Connectivity threats
Threats against the E/E topology
Highly distributed E/E architecture
Domain-centralized E/E architecture
Central vehicle computer architecture
Threats against in-vehicle networks
CAN
FlexRay
Ethernet
The Unified Diagnostic Services (UDS) protocol
SAE J1939 protocols
SAE J2497 (PLC4TRUCKS)
Threats against sensors
Common ECU threats
Debug ports
Flash programming
Power and mode manipulation
Tampering with machine learning algorithms
Software attacks
Disclosure and tampering of cryptographic keys
Summary
References
Part 2: Understanding the Secure Engineering Development Process
4
Exploring the Landscape of Automotive Cybersecurity Standards
Primary standards
UNECE WP.29
Chinese regulation and standardization
Secondary standards
IATF 16949:2016
Automotive SPICE (ASPICE)
Trusted Information Security Assessment Exchange (TISAX)
SAE J3101 – hardware-protected security for ground vehicles
Coding and software standards
NIST cryptographic standards
Supporting standards and resources
MITRE Common Weakness Enumeration (CWE)
US DoT NHTSA Cybersecurity Best Practices for the Safety of Modern Vehicles
ENISA good practices for the security of smart cars
SAE J3061 – cybersecurity guidebook for cyber-physical vehicle systems
ISO/IEC 27001
NIST SP 800-160
Uptane
Summary
References
5
Taking a Deep Dive into ISO/SAE21434
Notations
At a glance – the ISO 21434 standard
Organizational cybersecurity management
Management systems
Intersection of cybersecurity with other disciplines
Tool management
Planning
Acquisition and integration of supplier components
Supplier capability assessment and the role of the CSIA
The concept phase
Item-level concept
Cybersecurity concept
Implications to component-level development
Design and implementation
Post-development requirements
Configuration and calibration
Weakness analysis
Unit implementation
Verification testing
Validation testing
Product release
Cybersecurity case
Cybersecurity assessment
Production planning
Operations and maintenance
Monitoring
Vulnerability analysis
Vulnerability management
Updates
End of life
Summary
6
Interactions Between Functional Safety and Cybersecurity
A tale of two standards
A unified versus integrated approach
Establishing a foundational understanding of functional safety and cybersecurity
Understanding the unique aspects and interdependencies between the two domains
Differences between safety and security scope
Differences in the level of interdependence between safety and security requirements
Conflict resolution
Extending the safety and quality supporting processes
Planning
Supplier management
Concept
Design
Implementation
Testing and validation
Release
Production
End of life
Creating synergies in the concept phase
Item functions
Item boundaries and operational environments
Damage scenarios and hazards
Safety and security goals
Safety and security requirements
Finding synergies and conflicts in the design phase
Leveraging safety and security mechanisms
Self-tests across safety and security
Leveraging error detection safety mechanisms
Eliminating inconsistencies in the error response
Parallels in design principles
Secure coding practices versus safe coding techniques
Synergies and differences in the testing phase
Summary
References
Part 3: Executing the Process to Engineer a Secure Automotive Product
7
A Practical Threat Modeling Approach for Automotive Systems
The fundamentals of performing an effective TARA
Assets
Damage scenarios
Threat scenarios
Attacker model and threat types
Attack paths
Risk assessment methods
Risk treatment
Common pitfalls when preparing a TARA
Defining the appropriate TARA scope
The practical approach
Know your system
Make your assumptions known
Use case-driven analysis
Prepare context and data flow diagrams
Damages versus assets – where to start
Identifying assets with the help of asset categories
Building threat catalogs
Creating attack paths using a system flow diagram
Risk prioritization
Defining cybersecurity goals
Choosing security controls and operational environment (OE) requirements
Tracking shared and accepted risks
Review and signoff
Case study using a digital video recorder (DVR)
Assumptions
Context diagram
Identifying the assets
Damage scenarios
Cybersecurity requirements and controls
Summary
References
8
Vehicle-Level Security Controls
Choosing cybersecurity controls
Challenging areas
Vehicle-level versus ECU-level controls
Policy controls
Secure manufacturing
Challenges
Secure off-board network communication
Wi-Fi
Bluetooth
Cellular
Host-based intrusion detection
Network intrusion detection and prevention (NIDP)
Domain separation and filtering
Sensor authentication
Secure software updates
In-vehicle network protection
CAN message authentication
Ethernet
Securing diagnostic abilities
Security access control via UDS service 0x27
Role-based access control via UDS service 0x29
Securing flash programming services
Secure decommissioning
Summary
Further reading
9
ECU-Level Security Controls
Understanding control actions and layers
Exploring policy controls
Exploring hardware controls
RoT
OTP memory
Hardware-protected keystore
Secure Universal Flash Storage
Cryptographic accelerators
Lockable hardware configuration
CPU security
Isolation through MMUs and MPUs
Encrypted volatile memories
Debug access management
Exploring software security controls
Software debug and configuration management
Secure manufacturing
Key management policies
Multi-stage secure boot
Trusted runtime configuration
TEEs
Secure update
Spatial isolation
Temporal isolation
Encrypted and authenticated filesystems
Runtime execution hardening
Security monitors
Exploring physical security controls
Tamper detection and prevention
Printed circuit board layout pin and trace hiding
Concealment and shielding
Summary
Further reading
Index
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book
Automotive Cybersecurity Engineering Handbook
Contributors
About the author
About the reviewers
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
Part 1:Understanding the Cybersecurity Relevance of the Vehicle Electrical Architecture
1
Introducing the Vehicle Electrical/Electronic Architecture
Overview of the basic building blocks of the E/E architecture
Electronic control units
Looking at MCU-based ECUs
Looking at SoC-based ECUs
Looking inside the MCU and SoC software layers
ECU domains
Fuel-based powertrain domain
Electric drive powertrain domain
Chassis safety control domain
Interior cabin domain
Infotainment and connectivity domain
Cross-domain
Exploring the in-vehicle network
CAN
FlexRay
LIN
UART
SENT
GMSL
I2C
Ethernet
J1939
Sensors and actuators
Sensor types
Actuators
Exploring the vehicle architecture types
Highly distributed E/E architecture
Domain-centralized E/E architecture
Zone architecture
Commercial truck architecture types
Summary
Answers to discussion points
Further reading
2
Cybersecurity Basics for Automotive Use Cases
Exploring the attack classes
Passive attacks
Active attacks
Identifying security objectives
Integrity
Authenticity
Confidentiality
Accountability
Availability
Cryptography applied to automotive use cases
Building blocks
One-way hash functions
Message authentication code algorithms
Random number generators
Public key cryptography
Key management
NIST defined security strength
Chinese cryptography
PQC algorithms
Security principles
Defense in depth
Domain separation
Least privilege
Least sharing
Mediated access
Protective defaults
Anomaly detection
Distributed privilege
Hierarchical protection and zero trust
Minimal trusted elements
Least persistence
Protective failure
Continuous protection
Redundancy
Use of standardized cryptography
Summary
Further reading
3
Threat Landscape against Vehicle Components
Threats against external vehicle interfaces
Backend-related threats
Connectivity threats
Threats against the E/E topology
Highly distributed E/E architecture
Domain-centralized E/E architecture
Central vehicle computer architecture
Threats against in-vehicle networks
CAN
FlexRay
Ethernet
The Unified Diagnostic Services (UDS) protocol
SAE J1939 protocols
SAE J2497 (PLC4TRUCKS)
Threats against sensors
Common ECU threats
Debug ports
Flash programming
Power and mode manipulation
Tampering with machine learning algorithms
Software attacks
Disclosure and tampering of cryptographic keys
Summary
References
Part 2: Understanding the Secure Engineering Development Process
4
Exploring the Landscape of Automotive Cybersecurity Standards
Primary standards
UNECE WP.29
Chinese regulation and standardization
Secondary standards
IATF 16949:2016
Automotive SPICE (ASPICE)
Trusted Information Security Assessment Exchange (TISAX)
SAE J3101 – hardware-protected security for ground vehicles
Coding and software standards
NIST cryptographic standards
Supporting standards and resources
MITRE Common Weakness Enumeration (CWE)
US DoT NHTSA Cybersecurity Best Practices for the Safety of Modern Vehicles
ENISA good practices for the security of smart cars
SAE J3061 – cybersecurity guidebook for cyber-physical vehicle systems
ISO/IEC 27001
NIST SP 800-160
Uptane
Summary
References
5
Taking a Deep Dive into ISO/SAE21434
Notations
At a glance – the ISO 21434 standard
Organizational cybersecurity management
Management systems
Intersection of cybersecurity with other disciplines
Tool management
Planning
Acquisition and integration of supplier components
Supplier capability assessment and the role of the CSIA
The concept phase
Item-level concept
Cybersecurity concept
Implications to component-level development
Design and implementation
Post-development requirements
Configuration and calibration
Weakness analysis
Unit implementation
Verification testing
Validation testing
Product release
Cybersecurity case
Cybersecurity assessment
Production planning
Operations and maintenance
Monitoring
Vulnerability analysis
Vulnerability management
Updates
End of life
Summary
6
Interactions Between Functional Safety and Cybersecurity
A tale of two standards
A unified versus integrated approach
Establishing a foundational understanding of functional safety and cybersecurity
Understanding the unique aspects and interdependencies between the two domains
Differences between safety and security scope
Differences in the level of interdependence between safety and security requirements
Conflict resolution
Extending the safety and quality supporting processes
Planning
Supplier management
Concept
Design
Implementation
Testing and validation
Release
Production
End of life
Creating synergies in the concept phase
Item functions
Item boundaries and operational environments
Damage scenarios and hazards
Safety and security goals
Safety and security requirements
Finding synergies and conflicts in the design phase
Leveraging safety and security mechanisms
Self-tests across safety and security
Leveraging error detection safety mechanisms
Eliminating inconsistencies in the error response
Parallels in design principles
Secure coding practices versus safe coding techniques
Synergies and differences in the testing phase
Summary
References
Part 3: Executing the Process to Engineer a Secure Automotive Product
7
A Practical Threat Modeling Approach for Automotive Systems
The fundamentals of performing an effective TARA
Assets
Damage scenarios
Threat scenarios
Attacker model and threat types
Attack paths
Risk assessment methods
Risk treatment
Common pitfalls when preparing a TARA
Defining the appropriate TARA scope
The practical approach
Know your system
Make your assumptions known
Use case-driven analysis
Prepare context and data flow diagrams
Damages versus assets – where to start
Identifying assets with the help of asset categories
Building threat catalogs
Creating attack paths using a system flow diagram
Risk prioritization
Defining cybersecurity goals
Choosing security controls and operational environment (OE) requirements
Tracking shared and accepted risks
Review and signoff
Case study using a digital video recorder (DVR)
Assumptions
Context diagram
Identifying the assets
Damage scenarios
Cybersecurity requirements and controls
Summary
References
8
Vehicle-Level Security Controls
Choosing cybersecurity controls
Challenging areas
Vehicle-level versus ECU-level controls
Policy controls
Secure manufacturing
Challenges
Secure off-board network communication
Wi-Fi
Bluetooth
Cellular
Host-based intrusion detection
Network intrusion detection and prevention (NIDP)
Domain separation and filtering
Sensor authentication
Secure software updates
In-vehicle network protection
CAN message authentication
Ethernet
Securing diagnostic abilities
Security access control via UDS service 0x27
Role-based access control via UDS service 0x29
Securing flash programming services
Secure decommissioning
Summary
Further reading
9
ECU-Level Security Controls
Understanding control actions and layers
Exploring policy controls
Exploring hardware controls
RoT
OTP memory
Hardware-protected keystore
Secure Universal Flash Storage
Cryptographic accelerators
Lockable hardware configuration
CPU security
Isolation through MMUs and MPUs
Encrypted volatile memories
Debug access management
Exploring software security controls
Software debug and configuration management
Secure manufacturing
Key management policies
Multi-stage secure boot
Trusted runtime configuration
TEEs
Secure update
Spatial isolation
Temporal isolation
Encrypted and authenticated filesystems
Runtime execution hardening
Security monitors
Exploring physical security controls
Tamper detection and prevention
Printed circuit board layout pin and trace hiding
Concealment and shielding
Summary
Further reading
Index
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book
- Author / Uploaded
- Dr. Ahmad MK Nasser
