Optimizing Cybersecurity in Autonomous Vehicle Designs

Publisher: HeavenlyMelody | Latest update time: 2024-11-19 | Source: elecfans

The automotive industry describes the path to full autonomy in six levels of advanced driver assistance systems (ADAS). Drivers of today’s models can choose to use some hands-off and some eyes-off driving features. Common examples include:

• Waymo™ (Google)

• Super Cruise™ (GM)

• Autopilot (Tesla)

• ProPILOT Assist® (Nissan)

• DISTRONIC PLUS® (Mercedes-Benz)

• Traffic Jam Assist (Audi)

• Pilot Assistance Systems (Volvo)

With the convenience that comes with increased automation comes the challenge of protecting cars from cybersecurity attacks. Every week we read news reports about businesses being hacked and suffering data breaches through their computer networks. Calling our modern cars “data centers on wheels” means that they are also subject to computer security issues.

The next generation of connected cars

Think about how many ways our cars are connected now: our smartphones using Bluetooth® to take calls using the car speaker system, cellular connections for roadside assistance, Wi-Fi® for over-the-air (OTA) updates, key fobs to control door locks, USB connectors, and even plugging electric vehicles into commercial chargers. Each of these connections increases the attack surface that intruders can exploit.

Automotive designers must be proactive in new designs to consider ways to mitigate security attacks on every connection. Inside each car there are dozens of electronic control units (ECUs) operating in different areas to collect sensor data and make decisions. Adding cybersecurity to the functional safety of each ECU needs to be a design goal. Using a system-level approach to provide both safety and cybersecurity for the vehicle is the best strategy. If a hacker can exploit a security vulnerability, then the driver's safety is at risk, which is a very dangerous outcome that we must avoid.

Automotive Security Market Drivers

Today, a luxury car can contain up to 10 billion lines of code across all the ECUs and CPUs in use. This means that vehicles rely heavily on software to sense, control, and make decisions. Most automotive cyberattacks target wireless interfaces such as Bluetooth, Wi-Fi, and cellular networks. For OTA updates, the update must be securely verified before it is allowed to be installed.

The ubiquitous Controller Area Network (CAN bus) has been used in vehicles for years to enable communication between ECUs, but security was never part of the definition of classic CAN. CAN FD (Flexible Data-Rate) provides additional payload bytes, which leave room for a CAN MAC (message authentication code). Ethernet connectivity is the new trend in the automotive space, and hardware vendors know how to protect this network. Making hardware systems secure usually starts with secure boot, followed by message authentication, both of which rely on truly secure key storage.

The ideal automotive security solution would not require a complete redesign of all electronics, but rather an approach that layers on new security features.

Automotive designers must protect more attack surfaces

Cars are probably considered the most complex Internet of Things (IoT) devices that consumers use every week. With our smartphones and computers, we know how often applications and operating systems are updated to fix security vulnerabilities. Our connected cars have similar attack surfaces as our smartphones and computers, so each must be continuously defended.

Automotive OEMs can follow best practices for cybersecurity by ensuring that only authorized software is loaded and run (secure boot). Since dozens of ECUs communicate by exchanging electronic messages, only authorized ECUs should be allowed on the network, and their messages should be authenticated with a cipher-based message authentication code (CMAC) algorithm built on the AES block cipher. Firmware update signatures are cryptographically verified before anything is allowed to be changed. Even the traffic in each electronic network should be checked at each port to ensure that only valid packets are allowed.

A complete vehicle protection approach: from trunk to connected systems

Microchip is active in cybersecurity for automotive applications, including secure boot, which allows only authenticated content to run. This is provided by the CryptoAutomotive™ security IC, the TrustAnchor100 (TA100). Designers do not have to redesign the entire system, because this external hardware security module (HSM) provides multiple security functions:

• Secure Boot

• Authentication of CAN messages

• Electric Vehicle (EV) Battery Management System and Module Certification

• Message encryption using Transport Layer Security (TLS)

• Supports Qi® 1.3 certification from Wireless Power Consortium

• Cryptographic verification of module manufacturer origin

Compared to redesigning around a new MCU to add security features, this Microchip approach saves cost and design time. The MCU code changes have little impact on the host MCU's functional safety level. The TA100 comes with pre-programmed security features and can be learned quickly without the need for security experts. Project risk is reduced because the MCU code changes are very small.

Innovations like this make cybersecurity in automotive design much easier, helping to safely accelerate the adoption of self-driving cars.

