04/26/2021
Security monitoring: Keeping an eye on the fleet

No matter how high the level of protection against cyberattacks established during development, it will inevitably diminish over the course of the vehicle’s service life. For that reason, vehicles and vehicle fleets will require an active, ongoing security approach in the future, one that monitors known risks and attack vectors and also identifies and mitigates new risks. This is especially true because, when UN regulation R155 comes into force, type approval will become contingent upon furnishing proof of appropriate risk management throughout the vehicle lifecycle.
Obtaining a meaningful picture of the overall threat situation requires examination of several areas and action on several levels. Two key components are necessary: first, embedded in-vehicle attack detection in the form of an intrusion detection system (IDS); and second, a vehicle security operations center (VSOC) in the backend, where the attacks are aggregated and evaluated to prevent scaling of attacks across the entire fleet.
In-vehicle intrusion detection system

Truly effective security monitoring calls for attack detection that is embedded deep in the distributed system. In particular, to detect local attacks on a specific vehicle, intrusion sensors – integrated into the E/E architecture of the individual vehicle – are indispensable. As a result, two important tasks emerge: first, investigate right from the vehicle development stage what potential vulnerable points could exist in the E/E architecture; and second, incorporate this knowledge into a consistent monitoring concept based on a distributed intrusion detection system (IDS) in the vehicle’s internal network.
The core components of this kind of IDS are the IDS sensors, which monitor data traffic and system behavior in the ECUs and, among other things, compare them to the “normal behavior” specified by the OEM. Suspicious activities (such as anomalies in cyclical messages or abusive diagnostic requests) are logged by the IDS sensors as security events. Sensible placement of smart IDS sensors (in a gateway, for example) allows them to monitor all CAN data traffic and also keep track of all Ethernet communication via an automotive firewall / IDS solution built into the Ethernet switch. In this way, even highly complex attacks can be detected and false-positive security events can be filtered out.
It is important to group together the information from the individual IDS sensors in a productive way and to run data through an initial analysis inside the vehicle so as to optimize it for transmission to the vehicle security operations center (VSOC) in the backend. This task is performed by distributed IDS managers (IdsMs) in the ECUs; they collect the security events from the IDS sensors allocated to them, filter out non-relevant events and noise, and pass the cleaned-up information on to the IDS reporter (IdsR) in the telematics unit. There, in the IdsR, all security events from the vehicle converge and are transmitted to the VSOC following further preliminary analysis.
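The sensor-to-IdsM step described above, as an added example that is not code from the article or from any IDS product: a sensor checks cyclic CAN messages against their specified cycle time, and an IdsM-style filter drops isolated events and forwards one aggregated event per time window. The CAN IDs, cycle times, tolerance, window, threshold and function names are all assumptions, and the trace is constructed.

```python
# Added illustration; names, thresholds and the trace are assumptions, not AUTOSAR APIs.
EXPECTED_CYCLE_MS = {0x1A0: 100, 0x2B0: 500}  # OEM-specified "normal behavior" (assumed)
TOLERANCE = 0.2                                # accepted jitter: +/-20 % of the cycle time


def build_trace():
    """Constructed CAN trace as (timestamp_ms, can_id); not recorded from a vehicle."""
    trace = [(t, 0x1A0) for t in range(0, 1000, 100)]    # nominal 100 ms traffic
    trace += [(t, 0x1A0) for t in (410, 420, 430, 440)]  # off-schedule burst
    trace += [(t, 0x2B0) for t in (0, 500, 1150)]        # last frame is 150 ms late
    return sorted(trace)


def cycle_time_sensor(trace):
    """IDS sensor: log a security event when the gap to the previous frame is off-spec."""
    last_seen, events = {}, []
    for ts, can_id in trace:
        cycle = EXPECTED_CYCLE_MS.get(can_id)
        prev = last_seen.get(can_id)
        last_seen[can_id] = ts
        if cycle is None or prev is None:
            continue                                     # unknown ID or first frame
        delta = ts - prev
        if abs(delta - cycle) > TOLERANCE * cycle:
            events.append({"ts": ts, "can_id": can_id,
                           "type": "CYCLE_TIME", "delta_ms": delta})
    return events


def idsm_filter(events, window_ms=1000, threshold=3):
    """IdsM: aggregate per (type, ID, window) and forward only groups >= threshold."""
    buckets = {}
    for ev in events:
        key = (ev["type"], ev["can_id"], ev["ts"] // window_ms)
        buckets.setdefault(key, []).append(ev["ts"])
    return [{"type": k[0], "can_id": k[1], "window_start_ms": k[2] * window_ms,
             "count": len(v), "first_ms": min(v), "last_ms": max(v)}
            for k, v in sorted(buckets.items()) if len(v) >= threshold]


if __name__ == "__main__":
    raw = cycle_time_sensor(build_trace())
    print(len(raw), "raw events ->", idsm_filter(raw))
```

The single late 0x2B0 frame never leaves the vehicle, while the burst on 0x1A0 reaches the reporter as one event with a count instead of five separate messages.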
VSOC: Intelligence in the backend

The vehicle security operations center (VSOC) has four tasks: continuously evaluate security events from the entire fleet as communicated by the in-vehicle IDS, plus further data relevant to IT security from the connected automotive ecosystem; validate the events and data with regard to particular anomalies; analyze acute and potential threats; and derive suitable countermeasures. To carry out these tasks, the VSOC draws on two instances that work together in a complementary fashion: automated analysis by security incident and event management (SIEM) and in-depth review of individual incidents by specialized automotive security analysts.
First, SIEM collects all security events reported to the OEM backend and subjects them to automated real‑time investigation and analysis. To do so, modern SIEM solutions can develop their own models using machine-learning functionalities. Via dashboards and security reports, SIEMs directly illustrate the current risk situation. However, SIEM solutions are ill-suited to detecting intrusion scenarios that are new and unknown. Specifically in automotive security environments, moreover, with components that are specially developed for the vehicle platform, there are no standard vulnerability management solutions that could be directly connected to SIEM.
This is why it is essential to implement the SIEM solution in the VSOC in such a way that it is complemented by specialized technical and content-related functionalities. This includes an integrated threat intelligence solution, which looks for new indicators of compromise and attack methods in its own database and also shares the resulting findings with other (V)SOC operators. But most of all, the VSOC needs highly specialized automotive security experts who analyze the attack pathways and expand the methodology for threat detection, such that SIEM and IDS sensors will automatically register new threat scenarios in the future and check the fleet retrospectively for the existence of such attacks. By bringing together automatic analysis and human expertise, a VSOC supplies the fleet operator with actionable information that enables the latter to develop and roll out suitable countermeasures.
Alignment of vehicle components and VSOC

The ongoing risk minimization is based on distributed intrusion detection in the vehicles and in-depth incident assessment in the VSOC. However, the processing of data from connected vehicles is not without its own challenges. And given how limited and potentially expensive data transmission is with today’s vehicles, it is important to determine exactly what data the VSOC actually needs for its assessment. Preprocessing and aggregating the data in the vehicle can reduce its volume accordingly – this is a sensible approach also because, in the future, VSOCs may be collecting data from millions of vehicles.
In addition, the VSOCs need to enrich the data in an automotive-specific way, taking into account typical threat scenarios and specific knowledge of vehicle architecture and the components used there. Then SIEM’s automated processing should prepare and group the data and events so that analysts can further process them in a focused and efficient fashion. Ideally, this means the findings from the field data for millions of vehicles will be “encoded” in the rules by the automotive security experts on an ongoing basis. Among other things, that will optimize the classification of “false reports” and steadily improve the detection rate in the system.
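A sketch of the backend step described above, added here as an example and not taken from the article or any SIEM product: incoming vehicle reports are enriched with architecture knowledge (here the gateway software version), analyst-encoded false-report rules are applied, and the remaining events are grouped into cases that separate a fleet-wide pattern from a single-vehicle one. Vehicle IDs, versions, event types, the window and the threshold are assumptions, and all records are constructed.

```python
from collections import defaultdict

# Constructed VSOC inventory: which gateway software each vehicle runs (hypothetical).
INVENTORY = {"VEH-001": "4.2", "VEH-002": "4.2", "VEH-003": "4.2", "VEH-004": "5.0"}

# Analyst-maintained rule set: (event type, software version) known to be false reports.
KNOWN_FALSE_REPORTS = {("DIAG_SESSION_DENIED", "5.0")}

# Constructed reports from the vehicles: (hour, vehicle, event type, aggregated count).
REPORTS = [
    (1, "VEH-001", "CYCLE_TIME", 5),
    (2, "VEH-002", "CYCLE_TIME", 7),
    (3, "VEH-003", "CYCLE_TIME", 4),
    (3, "VEH-004", "DIAG_SESSION_DENIED", 9),
    (5, "VEH-001", "CYCLE_TIME", 2),
    (30, "VEH-004", "CYCLE_TIME", 3),
]


def correlate(reports, window_h=24, min_vehicles=3):
    """Group enriched events into analyst cases; return (cases, suppressed_reports)."""
    groups = defaultdict(lambda: {"vehicles": set(), "events": 0})
    suppressed = 0
    for hour, vehicle, ev_type, count in reports:
        sw = INVENTORY[vehicle]                      # automotive-specific enrichment
        if (ev_type, sw) in KNOWN_FALSE_REPORTS:     # rule encoded by the analysts
            suppressed += 1
            continue
        group = groups[(ev_type, sw, hour // window_h)]
        group["vehicles"].add(vehicle)
        group["events"] += count
    cases = []
    for (ev_type, sw, window), group in sorted(groups.items()):
        scope = "fleet" if len(group["vehicles"]) >= min_vehicles else "single-vehicle"
        cases.append({"type": ev_type, "gateway_sw": sw,
                      "window_start_h": window * window_h, "scope": scope,
                      "vehicles": sorted(group["vehicles"]), "events": group["events"]})
    return cases, suppressed


if __name__ == "__main__":
    for case in correlate(REPORTS)[0]:
        print(case)
```

Adding a new entry to the false-report set and re-running the function over stored reports is the retrospective check in miniature: the same rules are applied to past field data as to new events.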
New regulations will require OEMs and fleet operators to protect their vehicle fleets from cyberattacks across their entire lifecycles. IDS components provide an effective solution for in-vehicle intrusion detection, and their interoperability is now guaranteed thanks to their standardization, e.g. in AUTOSAR. In addition, VSOCs can be used to analyze detected attacks and respond with appropriate countermeasures.