Automotive Ethernet is increasingly becoming the communication standard for the next generation of digitally connected vehicles. Ethernet-based electrical systems allow for larger volumes of data and higher bitrates. But they also offer new attack vectors. At the same time, increasing automation of driving functions means that any security loopholes harbor even greater risks.
IT security for the entire vehicle life cycle
Providing effective protection for these vehicles over many years – long enough for many development cycles of cyberattacks – calls for integrated automotive security solutions in which attack detection and defense interact in a dynamically learning control system. To achieve that, various IT security components need to be united within an integrated intrusion detection and prevention solution (IDPS).
This means security software in the vehicle monitors the central ECUs and gateways. Any anomalies in the electrical system communications are detected, documented, and forwarded to a security operations center in the backend. There, tools analyze the aggregated data and in the event of cyberattacks, security updates are carried out for the whole fleet in line with defined incident response procedures. The major advantage is that new attack patterns are detected as soon as one vehicle is targeted and trigger the roll-out of protection measures for the entire fleet. What you get is a kind of immune system in which IT security mechanisms are sustainably maintained over the entire life cycle.
Firewall for automotive Ethernet
Monitoring and controlling communications in the vehicle’s electrical system is then handled by an automotive Ethernet firewall. What’s special about this is that the firewall is implemented directly in the Ethernet switch. In this way, the data traffic is monitored and managed centrally – with no resulting interference with the host controller or vehicle ECUs. This also means the firewall can make the most of the hardware acceleration on the switch and process most of the data packets at wire speed.
This kind of firewall provides protection against denial-of-service attacks, controls the authorized communication within the vehicle’s own network, and supports its segmentation into virtual local area networks (VLANs). Since it is highly configurable, the firewall can be easily implemented in future automotive-Ethernet-based electrical system architectures. Tied into a comprehensive security solution with intrusion detection, attack analysis in the backend, and corresponding security updates for the vehicle fleet, the automotive firewall rule sets are updated continuously.