Zhiji Auto: When the electronic and electrical architecture iterates to a centrally integrated type, how to lay out its information security and functional safety?

Publisher: 数字冲浪 | Latest update time: 2024-01-12 | Source: 盖世

Intelligent and connected cars are changing rapidly, and in-vehicle connected functions and products based on user needs are emerging in an endless stream. The intelligence and connectedness of cars are also accompanied by higher safety risks and challenges.


"The security risks of intelligent connected cars are divided into four layers of threats and twelve major risks. These four layers include: cloud platform threats, communication link transmission risks, risks of the intelligent terminal of the car itself, and the risks brought about by external devices such as charging piles and mobile apps," said Yao Jin, director of the Zhiji Automotive Electronics and Electrical Department and Cloud-Pipe-End Software and Security Department, on December 7, 2023, at the 2023 China Automotive Functional Safety and Quality Management Summit.


In response to the above risks, Yao Jin said: "We must formulate corresponding security measures, such as network security, intranet security and key ECU security."


What solutions are available in the field of information security development and functional safety for centrally integrated electrical and electronic architectures? Yao Jin shared his views based on his practical experience.


Yao Jin | Director of the Zhiji Automotive Electronics and Electrical Department and Cloud-Pipe-End Software and Security Department


The following is the summary of the speech:


Development trends of electronic and electrical architecture


Under the current automobile development system, automobiles have become intelligent terminals similar to mobile phones. The traditional feature phone and automotive electronics industries are no longer able to meet consumers' needs for safety and smart experiences. Users need greater data processing capabilities, a better open environment, and faster software development and iteration speeds.


The traditional automotive network topology has several problems: the stacking of hardware leads to rising costs; the software relies mainly on Tier 1 development and cannot be developed quickly; the communication bandwidth is low and cannot meet the needs of real-time transmission of big data; and security is poor and the redundancy design insufficient.




Now, the industry has completed the upgrade and reform from distributed architecture to centralized computing architecture. It has moved from the initial distributed architecture to the domain-converged architecture, and then to the "central computing + regional network management" model that combines the entire electronic and electrical architecture of the cloud, pipe and end. The development model has also changed from the traditional "chimney" architecture to a horizontal layered approach, in which all functions are brought together and then integrated, released and deployed by the car manufacturer. This model can speed up the iteration and deployment of software and better meet consumer needs for automotive product functions.




From the current point of view, the logic behind the development of EE architecture mainly includes user needs, car manufacturer expectations and the development of new technologies. From the perspective of user needs, they mainly include needs in terms of experience, cost performance, service and security. From the perspective of a car manufacturer, factors such as economy, supply chain controllability, supply guarantee, technological advancement, and development agility need to be considered. The development of new technologies includes the rapid iteration of various chip technologies, significant improvements in processor computing power, development of in-vehicle communication technology, R&D or mass production experience of software standard middleware and service architecture, etc. These new technologies will promote the upgrade of the entire electronic and electrical architecture and realize the dual benefits of 2B and 2C.


The core points of a good electronic and electrical architecture mainly include high integration, reusability, growth, high performance, low coupling and high openness.




The central computing and regional control physical architecture mainly moves the hierarchical functions of the controllers up to a single large computing platform and focuses software iteration on that platform. At the same time, the standard middleware platform and SOA architecture design decouple software from software, the standardized interaction interface decouples software from hardware, and the interconnection of car, cloud and intelligent terminal enables the sharing of computing power.


From the perspective of communication, service and equipment management, the regional controller provides the vehicle's device abstraction to the upper layer, together with a platform-based signal interface that decouples IO from computing. Toward the lower layer, it provides device drivers and is compatible with standard ECUs, actuators and reserved peripheral interfaces. It also supports high-bandwidth, low-latency communication technology to realize regional gateways and regional intelligent power distribution.


Drivers, sensors and actuators are becoming more platform-based and standardized. This reduces software complexity while providing basic functions with high security and high real-time performance. It is also our goal to achieve hot-swappable and plug-and-play hardware in the future, and to create an electronic and electrical platform that is scalable, upgradeable, and replaceable. Software and hardware decoupling, platform-based interface design, and standard middleware platforms enable rapid iteration of software and hardware.




Computing power requirements are clearly reflected in functional rendering, logical decision-making, image rendering, audio and video, and storage settings, covering various fields such as cockpit, intelligent driving, and domain control. So far, Qualcomm's mainstream smart cabin chips provide 200k DMIPS computing power, which can meet the needs of intelligent driving below L3, and can also meet L2+ within 500 TOPS. In terms of vehicle control, 20k DMIPS are generally reserved to meet decision-making needs. For regional controllers, 2-5k DMIPS real-time computing and control capabilities are required, while standard actuators are generally less than 2k.


In terms of bandwidth requirements, with the upgrade of the architecture, we have developed from the early CAN, LIN and 100M Ethernet to the current stage where shared storage and OTA upgrades are required, and the bandwidth requirements are increasing day by day. At present, 1G Ethernet has become the mainstream in the industry, and CAN FD has greatly expanded CAN's real-time communication capabilities. GMSL and TI's FPD-Link can meet the 24G video data bandwidth transmission requirements. For the platform, the main task of the regional controller is the transmission of control signals, and currently 100M Ethernet can meet its needs.


Upgrading the electronic and electrical architecture will also bring some technical challenges. From a security perspective, it mainly involves two aspects: one is information security, and the other is functional safety.


Information security development of centrally integrated electrical and electronic architecture


The vigorous development of big data, cloud computing, artificial intelligence, 4G/5G cellular communication technology, V2X technology, intelligent driving technology, information security and chip/camera technology has driven the rapid transformation of intelligent connected cars, and in-vehicle networking functions and products oriented to user demand are emerging one after another. However, the intelligence and connectivity of cars are also accompanied by higher safety risks and challenges. Since 2014, security risks have been increasing day by day, especially in terms of information security and data security.


We divide the security risks of intelligent connected cars into four layers of threats and twelve major risks. These four layers include: cloud platform threats, communication link transmission risks, smart terminal risks in the car itself, and risks brought by external devices such as charging piles and mobile apps. In response to these four layers of security threats, we will adopt a three-layer security mechanism: network security, intranet security and central computing controller security.


Security risks are fully considered through the standard security components defined by AUTOSAR, including how to implement them during design and how to ensure authenticity, integrity, identity authentication, encryption, identity management, and key update and storage. From the perspective of AUTOSAR itself, safety design components are also considered.
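As an added illustration of the authenticity and integrity goals named above (not part of the speech and not Zhiji's implementation): AUTOSAR's Secure Onboard Communication (SecOC) module protects in-vehicle PDUs with a truncated MAC and a freshness value. This sketch assumes HMAC-SHA-256 in place of the CMAC typically used; the PDU ID, field lengths and key are constructed for the example.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8       # assumed: bytes of truncated MAC carried in each frame
FRESH_TX_LEN = 1  # assumed: low-order freshness bytes carried in each frame
TRAILER = FRESH_TX_LEN + MAC_LEN

def _mac(key, pdu_id, payload, counter):
    # The MAC covers the PDU ID, the payload and the FULL 64-bit counter,
    # even though only its low-order byte(s) travel on the bus.
    msg = struct.pack(">H", pdu_id) + payload + struct.pack(">Q", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def protect(key, pdu_id, payload, counter):
    """Sender side: payload || truncated freshness || truncated MAC."""
    tx_fresh = struct.pack(">Q", counter)[-FRESH_TX_LEN:]
    return payload + tx_fresh + _mac(key, pdu_id, payload, counter)

def verify(key, pdu_id, secured, last_counter):
    """Receiver side: return (payload, counter) if authentic and fresh, else None."""
    if len(secured) < TRAILER:
        return None
    payload = secured[:-TRAILER]
    tx_fresh = int.from_bytes(secured[-TRAILER:-MAC_LEN], "big")
    # Rebuild the smallest counter above last_counter with matching low bits,
    # so a replayed frame is checked against a counter it was never MACed with.
    modulus = 1 << (8 * FRESH_TX_LEN)
    counter = (last_counter & ~(modulus - 1)) | tx_fresh
    if counter <= last_counter:
        counter += modulus
    expected = _mac(key, pdu_id, payload, counter)
    if not hmac.compare_digest(secured[-MAC_LEN:], expected):
        return None
    return payload, counter

if __name__ == "__main__":
    key = bytes(range(16))            # constructed demo key, not a real one
    frame = protect(key, 0x123, b"\x01\x02", counter=1)
    print(verify(key, 0x123, frame, last_counter=0))   # accepted
    print(verify(key, 0x123, frame, last_counter=1))   # replay rejected
```

The receiver must persist the last accepted counter per PDU ID; the key update and storage the passage mentions are outside this sketch.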


In the overall cloud-pipe-end design, not only the safety of the car itself must be considered, but also the integrated network security solution in terms of the operating platform, system access requirements, and system construction. First of all, we need to match the safety process system access requirements of the vehicle life cycle, including the CSMS system certification often mentioned in the industry and the VTI certification for vehicle export. In terms of operations, we need to establish a comprehensive vehicle safety service management platform and operations center, as well as a situation awareness platform that works together with IDPS. On the vehicle side, we need to establish a multi-layered defense-in-depth security system for the vehicle, including a PKI certificate system based on national cryptographic algorithms, security chips, and component security testing and penetration testing of the vehicle and products. This is a comprehensive process that requires our continued attention and execution throughout the vehicle's life cycle.
