Automotive Cyber Security

Connected vehicles have numerous potential benefits for convenience, safety, travel time and access to mobility, and the features that deliver these have become essential selling points. Advances in autonomy will increase the number and types of connections and travellers’ reliance upon them. In 2020, most new vehicles are connected vehicles and many have online connections to safety-critical systems, putting them at risk of deadly hacks. It’s not clear that the automotive industry is fully equipped to deal with this and they may even be deceiving the public about their lack of preparedness.


In response to these challenges, the new UNECE WP.29 type approval regulations for cybersecurity and over-the-air (OTA) updates enter into force in January 2021. The cybersecurity management standard ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering” is also hotly anticipated next year. But is the industry ready?

Stepping up in this connected world is a major challenge for the established automotive industry and Intelligent Transport Systems (ITS) providers. A number of these challenges can’t be solved without addressing deep-rooted issues such as reluctance to collaborate, a lack of specialised security talent, and engineering processes that don’t consider security throughout the lifecycle.


The ARTS TN have organised a webinar on Automotive Cyber Security on 21 October 2020 at 11.00hrs BST. Ahead of the webinar we’d like to hear your views on the following questions:


•    How well are automotive and ITS businesses positioned to deal with security in their products and services? 

•    What do the various industries need to do to create conditions where security can be assured by design throughout the lifecycle of their products and services? 

•    What are the gaps, how big are they, and what capabilities are needed to address them?


If you have other questions that you’d like to post here, we will also consider these for discussion by our experts in the Q&A panel during the webinar.

  • Responses from Peter Davies, Thales UK to questions posed on the Automotive Cybersecurity Webinar in January.

    Q. Does the WP.29 from UNECE include a regulatory framework for cybersecurity?
    Peter. Yes, it includes requirements for on and off vehicle. There are also interpretation documents which help to understand what you might need to do for international recognition.

    Q. Which International IEC standard is applicable for Automotive Cyber Security applications?
    Peter. In late 2019 BSI sponsored an analysis of potentially relevant standards including IEC. This came out with 6 A4 pages of standards that could be applied but set out why they should not be. The outcome was verified by another independent study undertaken by Warwick in Q1 of 2020.

    Q. What do you think, should we look at Automotive Functional Safety and Cybersecurity separately or integrated?
    Peter. Integrated absolutely, how can you be safe if you are not cyber safe with the amount of digitalisation we currently have.

    Q. With that scaling of complex issues, is it going to be possible to protect vehicles as they age and drop out of warranty?
    Peter. That will certainly be an issue, however we have not really done anything yet to consider how we might protect vehicles even before that. We are currently doing some work to show the issues associated with fixed SW / HW / Firmware in a changing environment. Complex systems yield many, many benefits; our challenge is to get the security monitoring to a point where it is part of recognising positive (money making) aspects of complexity as well as the negative outcomes. We have to stop thinking of security as a compliance issue and start seeing it as a benefit.

    Q. Were the brake attacks carried out remotely or from the car?
    Peter. They have been carried out both remotely and locally. One of the really important aspects when demonstrating attacks of this type is to do so safely; no one wants to see a potentially lethal attack escape into the wild and start spreading.

    Q. Regarding the post accident investigation. Is there / will there be something similar to OBD so that key data can be accessed?
    Peter. This is being worked on at the moment, so yes, I would expect so. Similar to e.g. aircraft black boxes, what is being looked for is a standard set of data which, when used in conjunction with other information sources, will provide the 'Pattern of Life' that provides evidence for forensic investigation. Those with a background in IT have a tendency to want to collect 'all the data' whereas in fact this is neither feasible nor useful.

    Q. Are there increased concerns that security will invalidate safety analysis?
    Peter. Yes. This is one of the reasons why we say that security is not an objective; it is a mechanism by which you achieve other objectives. However, to take some examples, encryption techniques are often creating DoS situations for safety critical systems: they change the failure mode, e.g. if I encrypt the CAN bus and lose the key then I can't read the data, so I can't decide just to use it or compare it with other sources. If the security forms part of a safety case then the absence of it becomes part of the FEMTA and this can be extraordinarily difficult to calculate.

    Q. Do you think technological developments in the automotive industry are outpacing the security around them?
    Peter. Indeed, some aspects (autonomy, connectivity, etc) are racing ahead, so there is some catching up to do. From experience, some of this is inevitable: this helps drive the use cases which then drive requirements for security/resilience. In an ideal world, developments should go hand-in-hand. That is, in an ideal world.

    Q. Is the new methodology aligned with the new automotive law from the UN WP29 and The new ISO standard for Road Security?
    Peter. Yes, AESIN has begun work on showing the alignment point by point for both. But the methodology is more extensive and better founded for the long term.

    Q. Who do you see will be the centre of building the secure ecosystem? The Vehicle OEM or players such as Thales?
    Peter. Generally, the reason for referring to this as an ecosystem rather than a supply chain is because there are many suppliers of techniques, products and capabilities at all levels, and the necessary relationships to achieve a good (or bad) outcome are different than they might have been in the past. Overlay on that the legal responsibilities of various entities worldwide and there is no simple answer to your question. I do believe there is a place for all individuals and organisations with the necessary expertise for this new system, and that every organisation within that ecosystem must be expert in and take responsibility for the aspects for which they are claiming expertise, i.e. every organisation is the centre of trust for the claims that they make. Since you ask about Thales, it has fantastic international expertise in delivering safe and secure systems and components that must continue to operate in highly challenged environments .... that would not make it an automotive OEM but it might well give an indication of what an OEM, Tier supplier or other significant part of the auto ecosystem might be looking for.

    Q. Interesting point about previous techniques not being scalable any more. Does this mean new techniques are required, or do we need to find different ways to develop the previous techniques to meet the challenges?
    Peter. I believe that in areas of safety we have done a fantastic job of developing techniques that we first developed for electromechanical systems which were small scale and designed for a single purpose. Increasingly we are getting our benefits from systems that are neither small scale nor designed for a single purpose, and where we have to combine often pre-existing digital components. I believe that on any rational analysis there is no foreseeable way in which we can simply upgun existing techniques to meet the challenge. That said, many techniques that we have developed, if used in different places, will be the basis of what we need to do going forward.

    Q. I was recently reading in a standard that historical accident data/statistics should be used as part of validation and verification of automated systems, but Peter was saying this is actually not such a good approach. Can he expand on this?
    Peter. There are different categories, it's true, so for instance if the nature of an accident is that a pedestrian stepped out 2m in front of a vehicle travelling at 80kph then at that stage the physics of the accident will dominate. Accidentologists argue that we have been able to make assumptions of which the human being is part based on historical evidence. For cyber / digital attacks this is not true, however, which is what we have been trying to demonstrate with examples such as braking, where ABS and High Speed Emergency Braking give good early examples of automated systems in vehicles. So I think that where a standard is saying that we are able to control the physics of a situation such that the potential for harm can be controlled and quantified, then the historical accident data is useful for calculating this; where that is not true and we cannot control the potential for harm, then less so or not at all.

    Q. Do those who are drafting standards in this area understand that they need to focus on requiring outcomes rather than defining designs?
    Peter. There is a massive change underway in standards based on digitalisation and it is wrong to say that those drafting standards are not trying to achieve outcomes; though for some that may be the case, and we have already been seeing a shift in emphasis, e.g. on quality standards where the management plan and the feedback loop are becoming a far more important part of the standard. The issue we now have in the automotive area is that whereas in the past we would have trialled techniques and measured their effectiveness before standardising them, we do not have that luxury here. This is happening at the same time that many of the excellent and positive standards that we have developed are starting to have negative consequences in the scale and type of systems that we are now deploying and which we will certainly be deploying in the near future. This has given those who are defining standards a very difficult task which they are certainly not getting right on all occasions and for which they need all of our help. The defining of certain design patterns that demonstrably are unachievable or which produce negative outcomes in significant cases is certainly one area where these difficulties are being brought into sharp relief.

    Q. How can I participate in AESIN workstreams?
    Peter. Please contact me.
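An added illustration of the failure-mode point in the CAN bus answer above, written for this page rather than taken from Thales, AESIN or the webinar: a wheel-speed consumer fed by an encrypt-only frame design beside one fed by plaintext with a truncated MAC, showing which of the two can still cross-check the value against an independent source once the key is lost. The arbitration ID, key, frame layout, toy cipher and plausibility tolerance are all constructed assumptions.

```python
"""Constructed example: how the choice of CAN protection changes the failure
mode of a safety consumer when the key is lost. Toy crypto, not for use."""
import hashlib
import hmac
from typing import Optional, Tuple

CAN_ID_WHEEL_SPEED = 0x1A0  # hypothetical arbitration ID for this example
TAG_LEN = 4                 # truncated MAC, so value + tag fit an 8-byte frame
KEY = b"example-key-16by"   # constructed shared key (16 bytes)

def _assoc(counter: int) -> bytes:
    # ID and freshness counter bound into both keystream and MAC.
    return CAN_ID_WHEEL_SPEED.to_bytes(2, "big") + counter.to_bytes(4, "big")

def _keystream(key: bytes, counter: int) -> bytes:
    # Toy stream cipher: 4 bytes of SHA-256(key || id || counter).
    return hashlib.sha256(key + _assoc(counter)).digest()[:4]

def _tag(key: bytes, counter: int, pt: bytes) -> bytes:
    return hmac.new(key, _assoc(counter) + pt, hashlib.sha256).digest()[:TAG_LEN]

def build_encrypted(key: bytes, counter: int, speed_cms: int) -> bytes:
    """Encrypt-only design: 4-byte ciphertext of the speed in cm/s."""
    pt = speed_cms.to_bytes(4, "big")
    return bytes(a ^ b for a, b in zip(pt, _keystream(key, counter)))

def build_authenticated(key: bytes, counter: int, speed_cms: int) -> bytes:
    """Authenticate-in-clear design: 4-byte plaintext speed + 4-byte tag."""
    pt = speed_cms.to_bytes(4, "big")
    return pt + _tag(key, counter, pt)

def consume_encrypted(key: Optional[bytes], counter: int, frame: bytes,
                      backup_cms: int) -> Tuple[Optional[int], str]:
    """Receiver for the encrypt-only design: returns (speed, status)."""
    if key is None:
        # Key lost: the payload is opaque, so it can be neither used nor
        # compared with backup_cms. The safety function is starved (DoS).
        return None, "no_data"
    pt = bytes(a ^ b for a, b in zip(frame, _keystream(key, counter)))
    return int.from_bytes(pt, "big"), "trusted"

def consume_authenticated(key: Optional[bytes], counter: int, frame: bytes,
                          backup_cms: int, tol_cms: int = 50) -> Tuple[Optional[int], str]:
    """Receiver for the MAC design: the value stays readable without the key."""
    pt, tag = frame[:4], frame[4:]
    speed = int.from_bytes(pt, "big")
    if key is not None and hmac.compare_digest(tag, _tag(key, counter, pt)):
        return speed, "trusted"
    # Key lost or tag wrong: cross-check the readable value against an
    # independent source (e.g. the other axle) before degraded use.
    if abs(speed - backup_cms) <= tol_cms:
        return speed, "degraded"
    return None, "rejected"

if __name__ == "__main__":
    enc = build_encrypted(KEY, 7, 2500)
    auth = build_authenticated(KEY, 7, 2500)
    print(consume_encrypted(None, 7, enc, 2480))        # (None, 'no_data')
    print(consume_authenticated(None, 7, auth, 2480))   # (2500, 'degraded')
```

The "degraded" path is what the encrypt-only receiver cannot offer: with the key gone it has no readable value to compare, so the safety function simply loses its input.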


