The art of security orchestration
With the digital transformation, if not before, cyber security is becoming a prerequisite for success. After all, every single loophole discredits the OEM and shakes consumer confidence in the new technologies and business models. That is why security has to be future-proof right from the start. The greater the degree to which vehicle platform systems are to be connected to the outside world, the bigger the target for attack. And the more complex the E/E architectures and the more refined the electronically controlled vehicle functions, the more complex is the risk protection solution. For this reason, security must be thought about and planned by starting at the end and working backwards. Specifically, security experts need to design and implement an approach that effectively protects the intended vehicle functions as required – carefully weighing up vehicle protection, costs, and the user experience.
Holistic security approach calls for central management
This security approach must cover the requirements of future vehicle functions over the long term while remaining economically viable. After all, to qualify as holistic automotive security, the measures have to be designed and implemented on three levels:
1. The technological level concerns the entire vehicle system, including its infrastructure – from each individual control unit to the backend in the cloud.
2. The process level involves the entire vehicle life cycle – from the initial requirements analysis to vehicle decommissioning.
3. The organizational level addresses the whole organization – from the established security processes to binding security governance.
On all three levels, the status quo must be analyzed and then compared with the defined security goals. This highlights where action is needed for the planned vehicle platform and which players need to be involved. If not apparent before, at this point it should become clear that a holistic security approach requires comprehensive orchestration.
Just as the conductor sets the tempo, coordinates the cues, and tweaks the sound with a well tuned ear, it takes a central management structure to control and time all security measures across all levels. This central security management must set the pace – for technology development and for planning and implementing security life cycle processes – and take the lead in establishing clear-cut organizational structures. In doing so, it involves all internal and external stakeholders. In other words, it orchestrates the diverse, highly complex planning and implementation of the holistic security approach, while keeping an eye on the details as well as the big picture.
From string quartet ...
As the degree of vehicle platform connectivity increases, the need for security measures and the number of stakeholders involved both grow; simply put, the orchestration required becomes more sophisticated. At a low level of connectivity, the effort is comparable to conducting a string quartet. Secure boot and secure flashing functions as well as a crypto library are enough to protect isolated ECUs. The OEM provides guidelines and dictates how security experts and those responsible for protected functions are to work together.
Cyber security orchestration gets more complicated for a connected vehicle in which functions are distributed across several connected ECUs and which uses communication interfaces to periodically be in contact with the outside world. This is akin to conducting a chamber orchestra. Central management plans and controls implementation of a secure E/E architecture in the vehicle. It takes input from those responsible in development, distributed production facilities, legal departments, and security service providers and incorporates it into the security concepts and ongoing security operations. Also, it creates the organizational conditions for cryptographic key management so that players can identify themselves each time prior to gaining access to vehicle systems and software. Such an approach is easily calculable, but limited in its scalability.
... to symphony orchestra
In contrast, securing disruptive technologies – such as autonomous driving, complete bidirectional connectivity with vehicle-to-X communication, or all-round operation of carsharing fleets – can be done only with continuous orchestration of all players, stakeholders, processes, and connected services. As such, it is a higher discipline of cyber security orchestration, comparable to conducting a full symphony orchestra in its complexity, intricacy, and range of tasks.
Conductors – central security management – must interpret and conduct a wide range of different “scores.” Besides preparing and coordinating all stakeholders, they guide all processes so as to minimize risk throughout the vehicle platform’s life cycle, in all development stages of connected vehicle systems, and during production. Since during development it’s not known what methods cybercriminals will use to attack the electrical system 10 or even 15 years after production starts, the conductor must ensure that the connected vehicle system’s immunization is always up to date. This may be through a system that learns from attack detection via IDS, attack analysis, and the development of defense mechanisms through connected backend services, e.g. in the form of a security operations center (SOC) and OTA security updating for the entire vehicle fleet.