01/27/2021

AUTOSAR for security lifecycle management

As the digital transformation of mobility advances, the cybersecurity of connected vehicles will become a critical factor of central importance. Two developments are currently making this especially apparent: first, the binding UN regulations on cybersecurity and software updates, and second, the new security specifications in AUTOSAR.

These developments are very closely linked, especially with regard to continuous risk management for vehicles in the field. After all, AUTOSAR is the ideal technological answer to the UN regulations, which stipulate a certified cybersecurity management system that achieves and maintains an appropriate level of vehicle IT security. AUTOSAR thus paves the way for implementing the new security requirements relevant to type approval.

UNECE regulations: 4 disciplines

In the regulations it adopted in June 2020, UNECE WP.29 names four disciplines:

  • Managing cyber risks to vehicles
  • Securing vehicles “by design” to mitigate risks along the value chain
  • Detecting and responding to security incidents across vehicle fleets
  • Safely and securely updating the vehicle software, including a legal basis for over-the-air updates

From now on, automotive industry regulations will stipulate a process approach to organizing IT security management. The first discipline – managing cyber risks to vehicles – is especially important given that it is a central organizational task. As the overarching principle for action, it must map the other subdisciplines – security by design, risk management for the fleet on the road, and over-the-air security updates – at the company and process level. It must also combine these subdisciplines in an effective cybersecurity management system (CSMS).

Intrusion detection and software updates

Not only must the abovementioned disciplines be firmly anchored in an organizational framework and processes; they must also be grounded in technology. The vehicle’s E/E architecture has to contain the security components for realizing the risk management of vehicles in the field and the required over-the-air updates. After all, the vehicle’s internal network is essentially both the starting point and the end point of a security lifecycle management system – the CSMS. One essential aspect is detecting attacks at an early stage, for example using an intrusion detection system (IDS). Another is mitigating the identified threats by rolling out suitable measures in the vehicle through, say, software updates. AUTOSAR helps lay the key cornerstones. First, AUTOSAR offers standardized modules for both these use cases, and OEMs can use these modules directly. Second, widespread use of the AUTOSAR standard means that the features can be rolled out quickly and effectively to a large number of ECUs.

Distributed intrusion detection system in AUTOSAR

Figure 1: Distributed IDS for attack detection in the vehicle

The main task of an IDS is to identify attacks on the vehicle and report them to a vehicle security operations center (VSOC) in the backend, from where appropriate countermeasures can be initiated. To fulfill this task, a distributed IDS in the vehicle comprises several components: IDS sensors, IDS managers (IdsMs), and an IDS reporter (IdsR).

The IDS sensors monitor the relevant resources in the ECUs (e.g. network traffic or memory access) and generate warning notifications, known as security events, in the event of suspicious activity (e.g. anomalies or typical attack signatures). In addition, smart IDS sensors in the gateway ECU can monitor all CAN data traffic and, if needed, Ethernet communication as well. This lets them detect more complex attacks and identify and filter out false-positive security events. Meanwhile, distributed IDS managers (IdsMs) in the ECUs and gateways collect the security events from the local sensors assigned to them, filter out non-relevant events and noise to minimize the bus load, and pass the information on to the IDS reporter (IdsR) in the telematics unit, which – after further preliminary analysis – transmits it to the VSOC.

For such a distributed intrusion detection system, AUTOSAR proves to be a real asset: that’s because IdsMs – as aggregators at the ECU level – must play several roles in the vehicle’s internal network. Therefore it makes sense to integrate the IdsMs directly into AUTOSAR. For this reason, the latest AUTOSAR release, R20-11, is the first to feature IdsM specifications for in-vehicle attack detection using a distributed intrusion detection system.
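The sensor → IdsM → IdsR → VSOC pipeline described above, written out as a small Python model. This is an added illustration, not AUTOSAR reference code or anything from the standard's IdsM specification: the event fields, the event-type names, the allowlist and the per-type rate limit are constructed assumptions chosen to show the two things an IdsM does in this article, dropping irrelevant events and bounding bursts so the bus is not saturated before the IdsR aggregates everything into one report.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityEvent:
    """A warning raised by an IDS sensor; field names are assumptions for this example."""
    ecu: str           # ECU whose sensor raised the event
    event_type: str    # constructed names such as "CAN_RATE_ANOMALY"
    timestamp_ms: int  # sensor-local time in milliseconds


class IdsM:
    """Per-ECU IDS manager: keeps only relevant event types and rate-limits bursts so
    that a flood of identical warnings does not load the bus on its way to the IdsR."""

    def __init__(self, relevant_types, max_per_window, window_ms):
        self.relevant_types = set(relevant_types)
        self.max_per_window = max_per_window
        self.window_ms = window_ms
        self._recent = defaultdict(deque)  # event_type -> timestamps inside the window
        self.dropped = 0

    def process(self, events):
        forwarded = []
        for ev in sorted(events, key=lambda e: e.timestamp_ms):
            if ev.event_type not in self.relevant_types:
                self.dropped += 1          # noise the VSOC does not need
                continue
            window = self._recent[ev.event_type]
            while window and ev.timestamp_ms - window[0] >= self.window_ms:
                window.popleft()           # slide the window forward
            if len(window) >= self.max_per_window:
                self.dropped += 1          # burst: the first few already tell the story
                continue
            window.append(ev.timestamp_ms)
            forwarded.append(ev)
        return forwarded


class IdsR:
    """Telematics-unit reporter: aggregates what the IdsMs forward into one VSOC report."""

    def __init__(self):
        self.counts = defaultdict(int)

    def ingest(self, events):
        for ev in events:
            self.counts[(ev.ecu, ev.event_type)] += 1

    def vsoc_report(self):
        rows = [{"ecu": ecu, "event_type": et, "count": n}
                for (ecu, et), n in self.counts.items()]
        return sorted(rows, key=lambda r: (r["ecu"], r["event_type"]))


def constructed_sensor_events():
    """Constructed sensor output: a CAN flood seen at the gateway, a few memory-access
    violations on a body ECU, and debug chatter that is not security-relevant."""
    gateway_flood = [SecurityEvent("GATEWAY", "CAN_RATE_ANOMALY", t) for t in range(0, 500, 10)]
    body = [SecurityEvent("BODY_ECU", "MEM_ACCESS_VIOLATION", t) for t in (100, 200, 300)]
    noise = [SecurityEvent("BODY_ECU", "DEBUG_TRACE", t) for t in (50, 150, 250, 350)]
    return {"GATEWAY": gateway_flood, "BODY_ECU": body + noise}


def run_pipeline():
    """One IdsM per ECU feeds a single IdsR; returns the report and what each IdsM dropped."""
    relevant = {"CAN_RATE_ANOMALY", "MEM_ACCESS_VIOLATION"}
    managers = {ecu: IdsM(relevant, max_per_window=5, window_ms=1000)
                for ecu in ("GATEWAY", "BODY_ECU")}
    reporter = IdsR()
    for ecu, events in constructed_sensor_events().items():
        reporter.ingest(managers[ecu].process(events))
    return {"report": reporter.vsoc_report(),
            "dropped": {ecu: m.dropped for ecu, m in managers.items()}}


if __name__ == "__main__":
    print(run_pipeline())
```

Of the 50 flood events at the gateway only the first five reach the reporter; the body ECU's four debug events never leave the IdsM, while its three memory-access violations do. The VSOC still sees both incidents, with counts, at a fraction of the raw event volume.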

Firmware updates over the air (FOTA)

Figure 2: Modules for firmware updates over the air (FOTA) in AUTOSAR

Next, the secure update function in AUTOSAR helps close identified weaknesses and attack vectors by receiving and processing security updates for individual applications or even for the entire platform. The individual update blobs are signed by the backend, so that only updates from trustworthy sources are executed. The resulting update package is then processed in the vehicle by the UCM master module. The UCM master module runs on an Adaptive AUTOSAR instance; it first checks the signature of the update package, and then distributes the various software updates to their targets within the vehicle.

However, the individual ECUs must undergo further security checks before they are updated. These checks verify the authenticity of the software update and ensure that the software being installed is not an old version that potentially contains security gaps (downgrade attack). Such checks are performed in AUTOSAR Adaptive by the UCM client. For AUTOSAR Classic, a comparable UCM client module for FOTA is currently still in the specification cycle.
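The two layers of checking described in the last two paragraphs, as an added Python model that is not AUTOSAR's UCM code: a backend signs a manifest binding each target ECU to a version and a blob hash; a UCM master refuses the whole package if that signature fails, otherwise hands each blob to its target; each UCM client re-verifies the manifest, checks that its blob matches the signed hash, and refuses any version that is not newer than what it runs. The package layout, the ECU names and versions are constructed for the example. HMAC-SHA256 stands in for the backend's asymmetric signature so the block runs with the standard library alone; with a real public-key scheme the ECUs would hold only the verification key.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the backend's asymmetric signature here
# (an assumption of this illustration); real ECUs would hold only a public key.
BACKEND_KEY = b"constructed-demo-signing-key"


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sign(data: bytes) -> str:
    return hmac.new(BACKEND_KEY, data, hashlib.sha256).hexdigest()


def _verify(data: bytes, signature: str) -> bool:
    return hmac.compare_digest(_sign(data), signature)


def build_update_package(updates):
    """Backend side: a signed manifest binds each target ECU to a version and blob hash."""
    manifest = {"targets": {ecu: {"version": version, "sha256": _digest(blob)}
                            for ecu, (version, blob) in updates.items()}}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest_bytes,
            "signature": _sign(manifest_bytes),
            "blobs": {ecu: blob for ecu, (_, blob) in updates.items()}}


class UcmMaster:
    """Adaptive-platform master: checks the package signature, then hands out the blobs."""

    def distribute(self, package, clients):
        if not _verify(package["manifest"], package["signature"]):
            return {"package": "rejected: bad signature"}   # nothing is distributed
        targets = json.loads(package["manifest"])["targets"]
        results = {}
        for ecu in targets:
            if ecu not in clients:
                results[ecu] = "skipped: no such ECU"
                continue
            results[ecu] = clients[ecu].install(
                package["manifest"], package["signature"], package["blobs"][ecu])
        return results


class UcmClient:
    """Per-ECU client: re-verifies authenticity and refuses downgrades before flashing."""

    def __init__(self, ecu, installed_version):
        self.ecu = ecu
        self.installed_version = installed_version

    def install(self, manifest_bytes, signature, blob):
        if not _verify(manifest_bytes, signature):           # do not trust the master blindly
            return "rejected: manifest signature invalid"
        entry = json.loads(manifest_bytes)["targets"][self.ecu]
        if not hmac.compare_digest(_digest(blob), entry["sha256"]):
            return "rejected: blob does not match signed manifest"
        if entry["version"] <= self.installed_version:       # anti-rollback check
            return f"rejected: downgrade to v{entry['version']} from v{self.installed_version}"
        self.installed_version = entry["version"]            # flash and commit
        return f"installed v{entry['version']}"


def _fresh_clients():
    return {"GATEWAY": UcmClient("GATEWAY", installed_version=4),
            "BODY_ECU": UcmClient("BODY_ECU", installed_version=3)}


def run_campaign():
    """Constructed campaign: a valid update plus an older version, an altered blob, a bad signature."""
    package = build_update_package({
        "GATEWAY": (5, b"gateway-firmware-v5"),
        "BODY_ECU": (2, b"body-firmware-v2"),   # older than the installed v3
    })
    outcome = {"valid_package": UcmMaster().distribute(package, _fresh_clients())}

    # Blob altered after signing: the manifest signature still holds, the hash does not.
    altered = dict(package, blobs={**package["blobs"], "GATEWAY": b"gateway-firmware-v5-altered"})
    outcome["altered_blob"] = UcmMaster().distribute(altered, _fresh_clients())

    # Manifest carrying a signature the backend never produced: rejected at the master.
    forged = dict(package, signature="00" * 32)
    outcome["forged_signature"] = UcmMaster().distribute(forged, _fresh_clients())
    return outcome


if __name__ == "__main__":
    print(json.dumps(run_campaign(), indent=2))
```

Checking the hash before the version matters: the version number is only trustworthy because it sits inside the signed manifest, and the blob is only trustworthy because its hash does. The client's own signature check is what makes the downgrade protection hold even if the master were compromised.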

Summary: AUTOSAR as part of the solution

To manage the security of vehicles in the field in line with UNECE, an intrusion detection system (IDS) and firmware updates over the air (FOTA) will be indispensable. This is where AUTOSAR comes in: creating the requisite conditions in the vehicle by offering the relevant IDS and FOTA modules. These modules make it possible to provide the majority of ECUs within the E/E architecture with the components necessary for intrusion detection and software updates. The conclusion is clear: AUTOSAR is an important part of the solution for achieving UNECE-compliant cybersecurity management.