Attack detection for hybrid vehicle networks
The direction of development is clear: vehicle computers (VCs) and broadband automotive Ethernet will complement today’s vehicle electrical systems with dozens of ECUs connected by CAN, LIN, and FlexRay data buses. The latter remain in demand where high real-time requirements and cyclically recurring functions need to be implemented. In other instances, microprocessor-based central computers partitioned into virtual machines will take over, because they are better equipped to meet the challenges of connected, automated vehicles.
But how can hybrid CAN-Ethernet architectures and their data flows be secured effectively? Fundamentally, two principles apply: communication monitoring and partitioning. Seamless monitoring of communication is required in order to detect cyberattacks at an early stage; domain-specific virtual subnets (VLANs) limit how far an attacker can penetrate once a node has been compromised. Both are feasible in hybrid electrical systems, but require different methodical approaches for the CAN and Ethernet worlds.
Efficient attack detection for CAN
An intrusion detection system (IDS) can be integrated into gateways or ECUs to monitor the CAN buses. It detects anomalies in CAN data traffic by comparing it with the “normal behavior” specified by the OEM. The embedded security component looks out, for example, for anomalies in cyclical messages and abusive diagnostic requests, which it classifies as potential attacks and logs or reports (Figure 1).
The performance of the CAN IDS (CycurIDS) depends directly on the quality of its configuration. The initial rules from the OEM should therefore be continuously supplemented by new detection mechanisms derived from analyses of current attack vectors, in order to achieve a high detection rate with as few false alarms as possible. The implementation stands or falls with the quality of the toolbox used for the initial configuration and the continuous development of the rule sets. As ready-to-use software, such an IDS can be deployed as a CAN attack detection system in hybrid electrical systems at any time.
Figure 1: The CAN IDS detects anomalies in cyclical messages and any abuse of diagnostic requests.
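As an added illustration (not CycurIDS code and not taken from this article), the following Python rule engine implements the two checks described above over a constructed CAN trace: cycle-time and DLC monitoring for cyclic IDs, and rate and vehicle-state checks on UDS diagnostic requests. The CAN IDs, periods, tolerances, limits, denied services and the trace itself are assumptions chosen for the example; timestamps are integer microseconds as a CAN logger would deliver them.

```python
"""Rule-based CAN intrusion detection over a constructed trace.

Added illustration (not CycurIDS code): cyclic-message timing/DLC checks and
diagnostic-request abuse checks as a small rule engine. CAN IDs, periods,
limits, the denied-service policy and the trace are constructed for the example.
"""
from dataclasses import dataclass

# Assumed OEM "normal behaviour": CAN ID -> (period_us, tolerance, expected DLC)
CYCLIC_RULES = {
    0x0C1: (10_000, 0.30, 8),    # 10 ms powertrain status (constructed)
    0x1A0: (100_000, 0.30, 8),   # 100 ms body status (constructed)
}
DIAG_IDS = {0x7DF, 0x7E0}        # UDS functional / physical request IDs (assumed)
DIAG_MAX_PER_SEC = 5             # assumed limit on diagnostic requests per second
# UDS services assumed to be forbidden while driving:
# 0x10 DiagnosticSessionControl, 0x27 SecurityAccess, 0x2E WriteDataByIdentifier
DIAG_DENIED_WHILE_MOVING = {0x10, 0x27, 0x2E}
WINDOW_US = 1_000_000


@dataclass(frozen=True)
class Frame:
    ts_us: int
    can_id: int
    data: bytes


def detect(frames, vehicle_moving=True):
    """Return (ts_us, can_id, reason) alerts for one pass over the trace."""
    alerts = []
    last_seen = {}          # can_id -> ts_us of the previous frame with that ID
    diag_times = []         # timestamps of diagnostic requests in the last second
    for f in sorted(frames, key=lambda x: x.ts_us):
        rule = CYCLIC_RULES.get(f.can_id)
        if rule is not None:
            period, tol, dlc = rule
            if len(f.data) != dlc:
                alerts.append((f.ts_us, f.can_id, "dlc_mismatch"))
            prev = last_seen.get(f.can_id)
            if prev is not None:
                gap = f.ts_us - prev
                if gap < period * (1 - tol):
                    alerts.append((f.ts_us, f.can_id, "too_fast"))   # injected extra frame
                elif gap > period * (1 + tol):
                    alerts.append((f.ts_us, f.can_id, "too_slow"))   # sender suppressed or stalled
            last_seen[f.can_id] = f.ts_us
        elif f.can_id in DIAG_IDS:
            # ISO-TP single frame: byte 0 = PCI/length, byte 1 = UDS service ID
            sid = f.data[1] if len(f.data) > 1 else None
            if vehicle_moving and sid in DIAG_DENIED_WHILE_MOVING:
                alerts.append((f.ts_us, f.can_id, f"diag_sid_0x{sid:02X}_while_moving"))
            diag_times = [t for t in diag_times if f.ts_us - t < WINDOW_US]
            diag_times.append(f.ts_us)
            if len(diag_times) > DIAG_MAX_PER_SEC:
                alerts.append((f.ts_us, f.can_id, "diag_flood"))
        else:
            alerts.append((f.ts_us, f.can_id, "unknown_id"))       # ID not in the OEM whitelist
    return alerts


def build_trace():
    """Constructed trace: normal cyclic traffic plus several kinds of anomaly."""
    frames = [Frame(i * 10_000, 0x0C1, bytes(8)) for i in range(11)]        # 0 .. 100 ms
    frames += [Frame(t, 0x1A0, bytes(8)) for t in (0, 100_000)]
    frames.append(Frame(92_000, 0x0C1, bytes(8)))                           # injected 2 ms after the 90 ms frame
    frames.append(Frame(350_000, 0x1A0, bytes(8)))                          # 250 ms gap: sender stalled
    frames.append(Frame(450_000, 0x1A0, bytes(4)))                          # wrong DLC
    frames.append(Frame(30_000, 0x7DF, bytes.fromhex("022701AAAAAAAAAA")))  # SecurityAccess while moving
    frames += [Frame(31_000 + i * 1_000, 0x7DF, bytes.fromhex("0322F190AAAAAAAA"))
               for i in range(5)]                                           # 6 requests inside one second
    frames.append(Frame(200_000, 0x3FF, b"\x00"))                           # ID not in the whitelist
    return frames


if __name__ == "__main__":
    for ts, cid, why in detect(build_trace()):
        print(f"{ts / 1e6:9.6f}s  0x{cid:03X}  {why}")
```

Running it produces six alerts for the constructed trace (one each of too_fast, too_slow, dlc_mismatch, diag_flood, unknown_id and the SecurityAccess request while moving); with `vehicle_moving=False` the SecurityAccess alert disappears. The rule set is what decides detection rate and false-alarm rate, as the text says: the 30 % tolerance keeps normal bus jitter from being flagged while still catching a frame injected 2 ms after the genuine one.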
Automotive firewall in the Ethernet switch
In contrast, an automotive Ethernet firewall (CycurGATE) is advisable for secure, smooth Ethernet communication in hybrid electrical systems. It is implemented directly in the Ethernet switch, which allows it to monitor the complete packet flow without risking interference with ECUs or the host controller. Balanced hardware/software co-design means the firewall can use the hardware acceleration of the switch, so most data packets are processed at wire speed. Its main task is to defend against denial-of-service attacks, but by maintaining partitioning in all network layers it also supports secure data exchange between partitioned domains. To this end, a packet filter inspects incoming and outgoing data, checking each packet by stateful packet inspection and deep packet inspection.
So the automotive Ethernet firewall (CycurGATE) not only protects the electrical system against unauthorized access and manipulation, it also controls onboard communication (Figure 2). It covers the complete Ethernet/IP stack, including common automotive protocols such as SOME/IP, and it monitors access to networks and VLANs at MAC level. Communication is filtered by means of whitelists or blacklists that can be updated at any time, ensuring a fast, effective reaction to new attack patterns.
Figure 2: Automotive Ethernet firewall assumes gatekeeper and router functions.
Intelligent load distribution
In addition to implementation in the central Ethernet switch, host-based firewalls can also be integrated directly into ECUs. This requires high-performance solutions: the firewall must be fast enough to check each packet in real time and decide whether and where to route it. A firewall alone, however, cannot cover more complex detection patterns, such as the frequency and state of SOME/IP communication. For this, an additional Ethernet IDS is required that detects anomalies in message frequency, sequence, payload, and the services addressed, and logs or reports them as attack attempts. For optimum performance, this approach requires intelligent load distribution between switch and microcontroller: firewalling and intrusion detection can take place partly in the switch and partly in the target controller.
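The following Python model, added here as an illustration and not CycurGATE or any other ETAS code, shows the load split described in this section together with the firewall functions from the previous one: a stateless switch stage (MAC/VLAN/port whitelist plus a per-source rate limit against floods) feeding a stateful host stage that parses the SOME/IP header and checks message type, session-ID sequence and per-service timing. The MACs, VLAN IDs, UDP ports, service IDs, limits and the packets are all constructed for the example.

```python
"""Two-stage Ethernet protection: stateless switch filter plus stateful host SOME/IP IDS.
Added illustration, not CycurGATE or other ETAS code. The switch stage applies a
MAC/VLAN/port whitelist and a per-source rate limit; the host stage parses the SOME/IP
header and tracks per-client session sequence and per-service timing. All MACs, VLANs,
ports, service IDs, limits and packets are constructed for the example.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    ts_us: int
    src_mac: str
    vlan: int
    dst_port: int
    payload: bytes      # UDP payload carrying one SOME/IP message

# Stage 1 policy (assumed): (src_mac, vlan, dst_port) triples the switch forwards.
ALLOW = {("02:00:00:00:00:11", 10, 30501),   # camera ECU on the ADAS VLAN
         ("02:00:00:00:00:22", 20, 30502)}   # body ECU on the body VLAN
RATE_LIMIT = (50, 100_000)                   # max 50 packets per 100 ms per source MAC

def switch_filter(pkts):
    """Stateless whitelist and sliding-window rate limit; returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    window = defaultdict(list)   # src_mac -> recent timestamps; dropped packets count too
    limit, win_us = RATE_LIMIT
    for p in sorted(pkts, key=lambda x: x.ts_us):
        if (p.src_mac, p.vlan, p.dst_port) not in ALLOW:
            dropped.append((p, "acl"))
            continue
        window[p.src_mac] = [t for t in window[p.src_mac] if p.ts_us - t < win_us] + [p.ts_us]
        if len(window[p.src_mac]) > limit:
            dropped.append((p, "rate"))      # DoS mitigation at wire speed
            continue
        forwarded.append(p)
    return forwarded, dropped

# SOME/IP header: service, method, length, client, session, proto ver, iface ver, type, return code
SOMEIP_HDR = struct.Struct("!HHIHHBBBB")
MT_REQUEST, MT_NOTIFICATION = 0x00, 0x02

def someip(svc, method, client, session, mtype, payload=b""):
    """Build a SOME/IP message; the length field counts everything after itself."""
    return SOMEIP_HDR.pack(svc, method, 8 + len(payload), client, session, 1, 1, mtype, 0) + payload

def parse_someip(payload):
    """Deep packet inspection step: header fields, or None if the message is malformed."""
    if len(payload) < SOMEIP_HDR.size:
        return None
    svc, method, length, client, session, proto, _iface, mtype, _rc = SOMEIP_HDR.unpack_from(payload)
    if proto != 1 or length != len(payload) - 8:
        return None
    return {"svc": svc, "method": method, "client": client, "session": session, "type": mtype}

# Stage 2 policy (assumed): service ID -> (expected message type, minimum interval in µs)
SERVICES = {0x1234: (MT_NOTIFICATION, 30_000),   # camera frames, nominal 33 ms cycle
            0x5678: (MT_REQUEST, 0)}             # body service, request driven

def host_ids(pkts):
    """Stateful SOME/IP checks on what the switch forwarded; returns (ts_us, reason) alerts."""
    alerts, last_session, last_ts = [], {}, {}
    for p in pkts:
        m = parse_someip(p.payload)
        if m is None:
            alerts.append((p.ts_us, "malformed"))
            continue
        rule = SERVICES.get(m["svc"])
        if rule is None:
            alerts.append((p.ts_us, f"unknown_service_0x{m['svc']:04X}"))
            continue
        mtype, min_gap = rule
        if m["type"] != mtype:
            alerts.append((p.ts_us, "wrong_message_type"))
        key = (m["client"], m["svc"])
        prev = last_session.get(key)
        if prev is not None and m["session"] != prev % 0xFFFF + 1:   # IDs run 1..0xFFFF, then wrap to 1
            alerts.append((p.ts_us, "session_sequence"))             # replayed or injected message
        last_session[key] = m["session"]
        t = last_ts.get(m["svc"])
        if t is not None and p.ts_us - t < min_gap:
            alerts.append((p.ts_us, "too_frequent"))
        last_ts[m["svc"]] = p.ts_us
    return alerts

def build_traffic():
    """Constructed traffic: normal camera/body traffic plus a rogue node, a replay, a truncated frame and a flood."""
    cam, body, rogue = "02:00:00:00:00:11", "02:00:00:00:00:22", "02:00:00:00:00:99"
    pkts = [Pkt(i * 33_000, cam, 10, 30501, someip(0x1234, 0x8001, 1, i + 1, MT_NOTIFICATION, b"\xAA" * 4))
            for i in range(5)]                                                             # sessions 1..5
    pkts.append(Pkt(133_000, cam, 10, 30501, someip(0x1234, 0x8001, 1, 3, MT_NOTIFICATION, b"\xAA" * 4)))  # replay
    pkts.append(Pkt(200_000, cam, 10, 30501, b"\x12\x34"))                                 # truncated header
    pkts.append(Pkt(10_000, rogue, 10, 30501, someip(0x5678, 1, 0x77, 1, MT_REQUEST)))      # not whitelisted
    pkts += [Pkt(500_000 + i * 125, body, 20, 30502, someip(0x5678, 1, 2, i + 1, MT_REQUEST))
             for i in range(80)]                                                           # 80 packets in 10 ms
    return pkts
```

On the constructed traffic the switch stage drops the rogue node by ACL and the last 30 packets of the body-ECU burst by rate limit, and the host stage then raises three alerts on what was forwarded: a session-sequence and a too-frequent alert for the replayed camera frame, and a malformed alert for the truncated header. Two design points carry over to real deployments: dropped packets still consume the source's rate budget, so a flooder cannot earn more bandwidth by being dropped, and the switch stage needs only a per-source counter while the host stage keeps per-client and per-service state, which is exactly why the text places the first in the switch and the second in the target controller.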
Together, CAN IDS, automotive Ethernet firewall, and Ethernet IDS can protect hybrid E/E architectures reliably and without noticeable latencies. Embedded in integrated security concepts, they are central components of risk prevention and functional safety in the connected and increasingly automated vehicle of the future.