Attack detected, threat averted
Cyber threats are constantly evolving. Systems that are considered secure today can be vulnerable to attack tomorrow. The long service life of modern cars demands that action also be taken to avert potential, as yet unknown threats. Closed-loop integrated intrusion detection and prevention systems (IDPS) offer effective protection here.
An IDPS fends off attacks on critical vehicle systems on a case-by-case basis and, by continuously analyzing data from security events across the entire fleet, permits constant adaptation to the latest threats. To achieve this, a backend system is set up to record and analyze anomalies from individual vehicles, enabling suitable countermeasures to be initiated and thus preventing attacks from spreading.
Closed loop comprising firewall, intrusion detection and response
A closed-loop system of this kind is dependent on periodic reports from the embedded intrusion detection systems (IDS) of numerous vehicles. Ideally, these reports are then augmented with data sets that are already available in the manufacturer’s system.
One factor that limits the capture of IDS data is vehicle connectivity, which is sometimes limited or inconsistent. The integrated intrusion detection cannot always upload its data to the network reliably, or at any given moment. On the other hand, even vehicles with no wireless connectivity can still provide valuable security event data if experts extract it with diagnostic and service tools. A closed-loop solution therefore needs to work with these various types of connectivity.
Security analysts use powerful machine-learning algorithms to evaluate the augmented IDS data received, visualize attack patterns across the entire fleet, and classify new types of attacks. The fleet manager then decides how best to mitigate the new threats. The scope of practical responses is directly dependent on vehicle connectivity, the architecture and functionality of the vehicle software, and on the individual attack.
To supply vehicles with new software versions – even if only for individual ECUs – the vehicles must have built-in firmware-over-the-air (FOTA) update capability. However, vehicles that are not fully FOTA-capable can also be protected. For instance, new threats can be averted relatively quickly and easily by remotely updating the firewall or the IDPS rule set. Another effective approach is to filter traffic at the external network layer, where vehicle-specific filtering rules prevent attackers’ connection attempts, but this requires close cooperation between the vehicle manufacturer and the network operator.
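The closed loop sketched above (locally buffered IDS reports that reach the backend over the air or via a diagnostic read-out, fleet-wide aggregation, and a remote rule-set update as the countermeasure), as an added Python sketch that is not ESCRYPT's code; the vehicle IDs, event signatures and the three-vehicle threshold are constructed assumptions:

```python
from collections import defaultdict

# Constructed sample: signatures are hypothetical anomaly classes, not ESCRYPT rule names.
SAMPLE_EVENTS = {"V1": ["diag_session_unexpected", "can_id_flood"],
                 "V2": ["can_id_flood"],
                 "V3": ["can_id_flood", "uds_reset_without_auth"],
                 "V4": ["uds_reset_without_auth"]}
WIRELESS = {"V1": True, "V2": True, "V3": False, "V4": True}  # V3: workshop read-out only

class Vehicle:  # embedded side: the IDS buffers events locally until they can be delivered
    def __init__(self, vehicle_id, wireless):
        self.vehicle_id, self.wireless = vehicle_id, wireless
        self.buffer = []     # events not yet delivered to the backend
        self.rules = set()   # currently active firewall / IDPS rule set
    def log_event(self, signature):
        self.buffer.append((self.vehicle_id, signature))
    def upload(self, backend, via_diagnostics=False):
        # Over-the-air upload, or extraction by a diagnostic tool for offline vehicles.
        if not (self.wireless or via_diagnostics):
            return False
        backend.ingest(self.buffer)
        self.buffer = []
        return True

class Backend:  # fleet side: aggregate reports, flag signatures seen in many distinct vehicles
    def __init__(self, min_vehicles=3):
        self.vehicles_per_signature = defaultdict(set)
        self.min_vehicles = min_vehicles
    def ingest(self, events):
        for vehicle_id, signature in events:
            self.vehicles_per_signature[signature].add(vehicle_id)
    def fleet_wide_threats(self):
        return sorted(s for s, v in self.vehicles_per_signature.items() if len(v) >= self.min_vehicles)
    def rule_update(self):
        return {"block:" + s for s in self.fleet_wide_threats()}

def run_closed_loop():
    backend, fleet = Backend(), {v: Vehicle(v, WIRELESS[v]) for v in SAMPLE_EVENTS}
    for vid, sigs in SAMPLE_EVENTS.items():
        for s in sigs:
            fleet[vid].log_event(s)
    for v in fleet.values():
        v.upload(backend)                    # connected vehicles report over the air
    before = backend.fleet_wide_threats()    # V3's report is still missing at this point
    fleet["V3"].upload(backend, via_diagnostics=True)
    update = backend.rule_update()
    pushed = [v.vehicle_id for v in fleet.values() if v.wireless]
    for vid in pushed:
        fleet[vid].rules |= update           # remote rule-set update for reachable vehicles
    return before, backend.fleet_wide_threats(), update, pushed
```

The spreading attack only crosses the fleet-wide threshold once the offline vehicle's log has been read out in the workshop, and the resulting rule update reaches the connected vehicles immediately while the offline one must wait for its next service visit.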
Continuously growing attack database
ESCRYPT already offers a closed-loop system for intrusion detection and protection. In it, the embedded automotive firewall CycurGATE blocks known attack signatures as the first line of defense. In addition, the embedded intrusion detection system CycurIDS identifies and logs new potential attacks and reports them directly to a cyber defense center, where the big-data analysis tool CycurGUARD aggregates and analyzes the IDS data from the entire vehicle fleet. CycurGUARD draws on its continuously growing attack database to reliably identify acute threats in real time. If necessary, the system alerts the cybersecurity team, which can then initiate additional forensic analyses and take the required countermeasures.
In short, more than ever before, the next vehicle generation will be exposed to ever-changing, highly sophisticated cyber threats. The solution is a closed-loop intrusion detection and protection system.