ETAS security experts spearhead development of new AUTOSAR firewall specification

Vehicle architectures are becoming increasingly complex and automotive Ethernet more and more important. In light of this, AUTOSAR presented a new specification at this year’s feature release on November 24. Experts from ETAS spearheaded the development of this innovation. From now on, the standardized “Firewall” security module will be included in the middleware security portfolio. This makes it easier for OEMs to achieve uniform configuration of firewalls across the vehicle.

Automotive Ethernet will be a communication standard in the software-defined vehicle (SDV) of the future, and this technology is already becoming a more common feature of the vehicle electrical system. This is because Ethernet-based electrical system architectures allow for larger volumes of data and higher bitrates. But since they also offer new attack vectors, Ethernet-specific security components are required to fend off cyberattacks.

The goal of AUTOSAR, the software standard used by leading automotive manufacturers and suppliers alike, is to achieve more control over the growing complexity of the software used in today’s vehicles with the help of a middleware specification. AUTOSAR offers a range of modules that can be used in conjunction with vehicle applications – in particular, IT security modules. Experts from ETAS have served on the AUTOSAR partnership’s security steering committee for many years. This allowed them to first define the requirements for the new “Firewall” security module. The next step was to develop and standardize the module, and ETAS was instrumental in advancing and managing this process. As a result, the new feature has now been released; it is already available for AUTOSAR Adaptive and will be added to the Classic platform next year. This new specification means that AUTOSAR fulfills a key requirement for mastering future cybersecurity challenges in highly connected, increasingly software-defined vehicles (SDVs).

AUTOSAR is thus now also defining the specifications for firewalls that security solution providers such as ETAS need to implement in their AUTOSAR stacks for OEMs and suppliers. The big advantage is that, since AUTOSAR is now widely used for E/E architectures and is already applied in many ECUs, it is easy to integrate the firewall guidelines specified by AUTOSAR.

“An important aspect of the new specification is the introduction of standard language to describe firewall configuration, which leads to a greatly simplified exchange of requirements with a lower error rate and improved traceability,” explains Dr. Michael Peter Schneider, spokesperson for AUTOSAR’s Security working group and Lead Technical Officer AUTOSAR Security at ETAS.

Firewall for automotive Ethernet

ETAS drew on its many years of firewall experience to develop the new security module: the ESCRYPT CycurGATE automotive Ethernet firewall is already designed with the future vehicle electrical system architecture in mind, and multiple customers have put it through its paces in practice. This firewall provides protection against denial-of-service attacks, and it controls the authorized communication within the vehicle’s own network. Furthermore, it supports the segmentation of that network into virtual local area networks (VLANs). ESCRYPT CycurGATE is available as a switch-based and a software-based variant. The switch-based variant can be implemented directly in smart Ethernet switches, and the software-based variant can run on any microcontroller or microprocessor running Adaptive AUTOSAR, Classic AUTOSAR or any other operating system. Specific integrations for popular operating systems like QNX and Linux are also available.

“The configuration of the Ethernet firewall and the intrusion detection system (IDS) will be a core activity for future E/E architectures. In the future, having a common language for firewall rules and for connecting to the IDS manager will be immensely helpful – especially for distributed firewalls,” adds Dr. Siddharth Shukla, Senior Product Manager, Network Intrusion Detection System (IDS) & Firewall.