“Securing vehicles permanently and in a multilayered way”
In the future, the continuous risk management of vehicles in the field must be based on effective intrusion detection. Marcel Mulch, Security Architect Intrusion Detection System (IDS), and Dr. Michael Peter Schneider, Project Manager AUTOSAR Security and representative in the AUTOSAR consortium, explain the important role that the AUTOSAR standard plays and where it reaches its limits.
Mr. Schneider, we know that AUTOSAR is the software standard for E/E architecture. To what extent is it important for vehicle cybersecurity?
Michael Peter Schneider: It’s quite straightforward. The broad range of AUTOSAR components that can be used for in-vehicle applications includes several security modules. One great example is the SecOC. This is a well-known standardized protocol specially developed by the AUTOSAR consortium to secure onboard communication in the vehicle. There are now quite a few specific AUTOSAR security components of this type, including a crypto stack or one for identity and access management. AUTOSAR defines the specifications that embedded software providers such as ETAS need to implement in their AUTOSAR stacks for OEMs and suppliers.
Since the end of 2020, there have also been AUTOSAR specifications for intrusion detection in the vehicle using an intrusion detection system, or IDS for short. Why IDS and why now?
“AUTOSAR makes it easy to integrate IDS components”
Marcel Mulch: The main reason is the new UNECE regulations for automotive cybersecurity. In order to receive type approval in the future, manufacturers must prove that they can detect and mitigate cyberattacks on their vehicle fleets. An IDS, which monitors communication in the electrical system and detects anomalies and typical intrusion signatures, is essential. That is why the sensors for intrusion detection in the vehicle network are standardized according to AUTOSAR. What is known as the IDS manager then collects the potential security events registered by the sensors and pre-filters them for forwarding to a vehicle security operations center in the backend. The big advantage is that, since AUTOSAR is now widely used for E/E architectures and is already applied in many ECUs, it is relatively easy to integrate the IDS components specified by AUTOSAR.
Are the security modules contained in AUTOSAR enough to adequately protect the vehicle against cyberattacks?
Schneider: Not really. AUTOSAR and its security modules are only one aspect of this, albeit an important one. It’s not only AUTOSAR ECUs that are built into the vehicle, but also microprocessor-based systems such as telematics units, infotainment systems, and vehicle computers that rely on native operating systems such as Linux, QNX, or Android. In addition, vehicle networks are becoming increasingly complex and automotive Ethernet is becoming more and more important. That is why network sensors that, for instance, monitor Ethernet traffic on domain controllers are also needed. And even on classic ECUs, IT security beyond AUTOSAR can be further improved with, say, hardware security modules for the secure management of key material or with automotive-specific crypto libraries.
“From a security point of view, the only thing that matters is which attack vectors the particular E/E architecture has and how it can be protected.”
Mulch: That also applies to the continuous security monitoring required by UNECE. The IDS components specified by AUTOSAR are important elements here. But in addition to AUTOSAR, it’s also important to have an IDS reporter in the vehicle to report all potential security events to the backend – the vehicle security operations center – for evaluation, where the alleged attacks are investigated using software and security analysts. And it requires a security update management system, which ultimately – again with AUTOSAR support – closes security gaps and, if necessary, adapts the IDS sensors to the new risk situation. In other words, from a security point of view, the only thing that matters is which attack vectors the particular E/E architecture has and how it can be protected. I’m happy to use AUTOSAR security modules wherever they fulfill the purpose; otherwise, I use additional security measures.
What are your thoughts on the future? What role will AUTOSAR still have in the E/E architecture in ten years’ time, and what role will intrusion detection then play in the vehicle?
Mulch: I am convinced that in ten years’ time, AUTOSAR will still play a central role in vehicle architecture as a common software standard. But then the weight will definitely have shifted from AUTOSAR Classic to AUTOSAR Adaptive. The E/E architectures will be tailored to a few powerful central computers and will move toward using microprocessors instead of microcontrollers. But that’s exactly what AUTOSAR Adaptive is designed for.
Schneider: At the same time, the new binding rules and regulations show how important security is for increasingly connected and automated mobility. For the safety of all of us, we will have to secure the vehicles and fleets permanently and in a multilayered way. I am sure that onboard IDS solutions and the associated monitoring of the fleets by a vehicle security operations center will be standard in future vehicle generations.