Review of the 2nd Vector Automotive Cyber Security Symposium
Please Download the Lectures and Have a Look on the Impressions

Solutions for Automotive Cyber Security

The rapidly growing connectivity of vehicles is opening up numerous opportunities for new functions and attractive business models. At the same time, the potential for cyber-attacks on vehicle networks is also growing. Such attacks threaten the functional safety of the vehicle and could cause financial damage.

Automotive manufacturers and suppliers rely on Vector as trusted partner. We support you with services, embedded software and tools for securing embedded systems against cyber-attacks.

Schematic graphic showing the three main use cases of Vector's Security products

Protect your product effectively and efficiently by taking advantage of Vector’s many years of experience and knowledge. We offer thorough consulting on security issues, from threat analysis to security strategies and architectures to the implementation and testing of all security functions. In the implementation of security functions in ECU software, Vector supports a wide range of hardware trust anchors from various hardware manufacturers. The well-known Vector tools are also designed for the entire development process of cyber-security-relevant systems.

Basic Essentials

Protecting vehicle functions against unauthorized access and manipulation is a central challenge for current and future ECUs. Vector has already been working closely with automotive OEMs and suppliers for a number of years in this area. By using our consultation services, we can make a contribution toward protecting your valuable data by using fast and resource-efficient cryptographic functions in the ECU.

The Goals of Security

Security lets you assure that information is transmitted fully and unchanged and that only certain receivers have access to this information. In attaining these goals, Security defines the following terms:

  • Authenticity: trustworthy data exchange between senders and receivers
  • Integrity: checking to ensure that information contents are complete and unmodified
  • Confidentiality: data is encrypted and can only be read by authorized nodes.

Application Areas of Automotive Cyber Security

Requirements for security of information in the vehicle are growing along with the complexity of vehicle functions. In addition to protecting internal vehicle data, the vehicle’s connections to the outside world in particular require heightened protection against unauthorized access. Some use cases that illustrate security needs:

Internal Vehicle Communications

  • Secure data storage
  • Authenticated frame transmission, e.g. by secure on-board communication (SecOC), to prevent manipulation of critical signals
  • Communication with tire monitoring systems (e.g. via Bluetooth)

Vehicle Connectivity:

  • Intelligent charging: secure communication with an electric charging station
  • Car2X/V2X: authenticated data transmission between vehicles and infrastructure
  • Internet access and hotspot for infotainment in the vehicle
  • Diagnostics, flash programming, remote access and software updates via the (mobile) radio network (OTA)

Services

Security Engineering

Reducing the issue of security to the selection of cryptographic algorithms is insufficient. Instead, security must be consistently taken into account from the concept phase to the after-sales processes. Vector provides you with support during the evaluation of your current processes (Vector SecurityCheck) and the introduction and application of security engineering processes. You benefit from the experience and competence of our security experts, who, among other things, also offer automotive-specific in-house training on security engineering.

Concept Validation for Security Mechanisms

Vector implements your security mechanisms within the framework of advance development projects with automotive technologies. This helps you to validate the qualification of your concepts for serial production and forestall integration problems.

people around a table discussing technical details

Development and Evaluation of Security Concepts

Vector analyzes your security concepts and teams up with you to develop optimizations with an appropriate cost/benefit ratio. This gives you a solution that has been specifically tailored to your product. The following are typical projects we can execute:

  • Analyzing and improving existing products with respect to concrete attacks (incident response)
  • Developing and analyzing security concepts for specific security-relevant applications such as remote diagnostics, remote software updates, and data collection campaigns
  • Analyzing and assessing complete vehicle security architectures, including the development of anonymized benchmarks

Advantages

You benefit from our know-how in automotive technologies and our experience in the following areas:

  • Security engineering methods
  • Hardware trust anchors (SHE, HSM, TPM)
  • Cryptographic processes
  • Management of crypto material (keys, certificates)
  • Secure boot
  • Intrusion detection and intrusion prevention systems
  • Secure on-board and off-board communication

Our experience in the integrated development of safety and security concepts will also be helpful to you.

Embedded Software

AUTOSAR Basic Software: MICROSAR

Vector supports your ECU development with efficient modules for meeting your security requirements. The MICROSAR basic software includes security modules that can be tailored specifically to your project requirements:

  • Crypto Abstraction Library (CAL) and Crypto Service Manager (CSM)
  • Software implementation for Crypto Primitive Library (CPL) and Crypto Library Module (CRYDRV (SW)) on the basis of an efficient crypto library
  • Drivers (CRYDRV (HW)) for various types of hardware trust anchors such as SHE or HSM from leading microcontroller manufacturers
  • Interface for crypto algorithms (CRYIF)
  • Secure On-Board Communication (SecOC)
  • Transport Layer Security (TLS) client for secure communication using Ethernet
  • XML Security in conjunction with Efficient XML
  • Ethernet Firewall (ETHFW)
  • Security Log (SLOG) for tamper-proof storage of security events
  • Key Manager (KEYM) and Key Storage Manager (KSM) for managing and distributing key material such as symmetrical and asymmetrical keys and certificates
Advantages

The following topics are currently under development and will soon be available as part of the MICROSAR basic software:

  • CAN Firewall (CANFW)
  • Network-based Intrusion Detection System (NIDS) for Ethernet and CAN
  • Host-based Intrusion Detection System (HIDS) for ECU-internal process monitoring

We would be happy to discuss your special requirements on these modules with you. Please contact us.

Advantages

  • The Vector crypto library was developed by experienced cybersecurity experts and is optimized to meet the special performance and resource requirements.
  • Proven software modules are embedded in the AUTOSAR basic software and can therefore be configured with less effort.
  • The security modules are designed as standard software modules and are configured to suit your application. This gives you a high degree of cost control and planning security.
  • Selected MICROSAR modules can be executed on the hardware trust anchor’s processor in order to improve your ECU’s security and performance.

Flash-Bootloader

The Vector Flash-Bootloader (FBL) includes security modules that can be tailored to specific project requirements and the capabilities of available hardware trust anchors:

  • Secure Boot Manager – can be executed on a hardware trust anchor (optional)
  • Secure Update Manager for validating software updates
  • Update Authorization for role- and privilege-based access to the ECU
  • Run-time Protection to prevent manipulation of parameters and software during run-time
  • HIS Security Module for implementing various security classes

Availability

The AUTOSAR basic software MICROSAR and the Vector Flash Bootloader are available for various microcontrollers. The software is adapted to the hardware at the best possible rate because we are in active exchange with the microcontroller manufacturers. Among others, Vector is a member of the Infineon Security Partner Network.

Testing of Security-Protected ECUs and Networks

Management and Configuration of Security Parameters

Schematic graphic showing the logical connections between the Vector Security Manager, the related tools like CANoe, CANalyzer and CANape, as well as the combination with a Security backend.

Security mechanisms in the ECU secure the vehicle and its functions against manipulation and unauthorized access. However, for testing and diagnostic purposes, it must be possible for an authorized individual to participate in vehicle communication during development and later operation.

Vector’s Security Manager offers a uniform solution for the relevant tools (CANoe, CANalyzer, Indigo, etc.).

Testing of Security Mechanisms

Fuzz-Testing with CANoe

Despite careful analysis, design, and implementation of security mechanisms, it remains necessary to test them. Fuzz testing is one method of doing so that has been successfully used in IT for years. Vector offers the capability of efficiently and professionally executing fuzz testing in the automotive area with the help of CANoe.

Interplay of CANoe and boofuzz for fuzz testing

Advantages

  • The Vector Security Manager offers uniform and secure interfaces for using crypto materials (keys and certificates) with Vector Tools.
  • The fuzzing solution integrated into CANoe allows the efficient performance of fuzz testing.

Applications

For end-to-end applications, Vector’s services, embedded software, and tools complement each other, forming a complete and optimal solution. Using our proven off-the-shelf products, we develop specific solutions that are precisely tailored to your requirements in an interdisciplinary team. You benefit from our comprehensive experience in the following security-intensive fields of application (among others):

Please contact us if you would like to get further information about the areas of application.

Training

Risk-based Cyber-Security in Practice

Training situation

Vector Consulting Services offers training classes about Automotive Cyber Security. The training provides an introduction to the fundamentals and practice of cyber security engineering. It introduces the basic techniques for specification, analysis, testing and proofing of security. Since there can be no absolute cyber-security, the focus of the training is on a risk-based approach and of the necessary consistent methodology.