Integrated Assessment of AutomotiveSPICE 3.0, Functional Safety ISO 26262, Cybersecurity SAE J3061

Transcription

1 Integrated Assessment of AutomotiveSPICE 3.0, Functional Safety ISO 26262, Cybersecurity SAE J3061 Christian Kreiner Institute of Technical Informatics TUGraz Richard Messnarz ISCN GesmbH The AQU project is financially supported by the European Commission in the Erasmus+ Programme under the project number CZ01-KA P1 TUG. This website and the project s publications reflect the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein. EuroSPI

2 Workgroup hot topics: Institute of Technical Informatics Industrial Informatics Workgroup Functional safety and embedded systems security ISO 26262, IEC61508, J3061 ECQA Certified Training Provider for Functional Safety ECQA Certified Training Provider for AQUA Development methods Product Line Engineering Standard Quality models (AutomotiveSPICE) Agile Systems Engineering Model-based system development Domain specific languages (Embedded) software architecture Component and middleware architectures Contact: EuroSPI

3 Contact: Dr Richard Messnarz, Accreditated intacs training provider for ISO/IEC and Automotive SPICE VDA-QMC certified training provider ECQA Certified Training Provider for Functional Safety Moderator of SoQrates group > 20 leading German and Austrian companies share knowledge concerning process improvement, safety, security. 3 EuroSPI

4 Contents Example integration of ASPICE, Functional Safety and Cybersecurity (ASQ SQP Volumes) Extended and integrated review and assessment approach (SOQRATES Working Group) Future of Static and Dynamic Cybersecurity System Architectures and Function Groups in Cars 4 EuroSPI

5 Running example: Electronic Power Steering (EPS) EuroSPI

6 Integrated Teams HW Safety & Security Designer Mechatronic Designer System Safety & Security Engineer SW Safety & Security Designer Assembler Manufacturer Technical Project Leader 6 EuroSPI

7 AUTOMOTIVE SPICE 3.0 EuroSPI

8 Automotive SPICE 3.0 terminology: "Element", "Component", "Unit", and "Item" The relationships between element, component, software unit, and item, which are used consistently in the system and software engineering processes. EuroSPI

9 Automotive SPICE key concept: Traceability of System Design and Domain Plug-Ins System Architectural Design describes system functions and their decomposition into hardware, software, mechanical components and functions EuroSPI

10 Automotive SPICE key concept: Traceability and Consistency between the life cycle phases EuroSPI

11 STEERING EuroSPI

12 Classic EPS scope Typical Scope of Supplier ASIL-D ASIL-D ASIL-D EuroSPI

13 Risk Classification 13 EuroSPI

14 Risk Classification 14 EuroSPI

15 Risk Classification 15 EuroSPI

16 Requirements, safety requirements, and traceability Customer Requirements e.g. Steering angle assured by ASIL-D e.g. Mechanical and software based steering endstop Hazard Analysis Identification and classification of safety risks and hazards. e.g. Safety Goal : no uncontrolled actuation of steering system Risk: uncontrolled actuation can happen with wrong sensor input or steering command FMEA / FMEDA Analysis of hazards and safety risks and measures by FMEA and FMEDA e.g. Measure: redundant and diverse rotor position sensors, comparing internal steering angle with external (ADAS command) steering angle. Building a Requirements Traceability as Part of the Safety Case System Requirements e.g. Steering angle is measured internally and reported on the bus. System Requirements Specification Safety Requirements e.g. we need to trust the steering angle at ASIL D, 2 redundant diverse rotor positions, plausi check, safe state in case of deviation. Safe state is assured by a 6 or 12 phase motor with a limp home mode (in ADAS mode with no driver interference). EuroSPI

17 Decomposition (ISO 26262) Independence of elements after decomposition: No dependent failures or Dependent failures have safety mechanism Independent confirmation measures [ISO , Tab1]: Confirmation reviews F.Safety audit F.Safety assessment 17 EuroSPI

18 Functional flow ASIL-D Sin,Cos,Index Pos 1 ASIL-D Sin,Cos,Index Pos 2 Functional Signal Flow Rotor Position 1 Rotor Position 2 ASIL-B ASIL-B ASIC ASIL-D EuroSPI

19 INTEGRATION OF AUTOMOTIVE SPICE, FUNCTIONAL SAFETY, CYBERSECURITY EuroSPI

20 Functional flow for ADAS scenarios Network around the car Steering Command ASIL-D need external steering commands with ASIL-D ASIL-D Sin,Cos,Index Pos 1 ASIL-D Sin,Cos,Index Pos 2 Rotor Position 1 Rotor Position 2 ASIL-B Functional Signal Flow ASIL-B ASIC ASIL-D EuroSPI

21 IT Secure vehicle Understanding interference from IT Security Prio 1: Analyse IT Threats which can lead to the hazardouus failure Prio 2: Analyse additional IT Security Threats 21 EuroSPI

22 Dependable vehicle Understanding interference from Cybersecurity Attack Type* Impact How Spoofing Commands Messages on CAN are used to simulate car is stopping. Checksum algorithm and message structure hacked. Sending a wrong steering command with the correct encryption and identification. Denial of service Tampering Messages on CAN are used to simulate car is never stopping. Changing configuration data in a memory (setting speed limit for activating steering lock) Overloading the bus with speed < 3 km/h so that the steering lock is activated. Changing parking mode from < 10 kmh to < 200 kmh so that parking mode steering is used at high speed (resulting in a too big steering angle) *Following STRIDE security analysis method EuroSPI

23 Dependable vehicle Understanding interference from Cybersecurity Attack Type* Impact How Identity Spoofing Information Disclosure Spoofing identity of garage Spoofing identity of message Memory dump and copying of data, gaining knolwedge about encryption keys, checksum algorithms. Presumptipon of above scenarios. Presumptipon of above scenarios. Elevation of privilege Access to the gateway and access to the priviliged bus in the car Presumptipon of above scenarios. *Following STRIDE security analysis method EuroSPI

24 Dependable vehicle Understanding interference from Cybersecurity Information Disclosure Spoofing Identity Spoofing of Commands Denial of service Maintenan ce tools, listening tools Vehicle Bus and Gateway Vehicle Steering Related ECUs Vehicle Function Steering Lock Automotive Defense Layer 1 Elevation of Priviliges Automotive Defense Layer 2 Tampering Automotive Defense Layer 3 Compared to function chains in Safety, we have to analyse a completely different - intrusion - structure Spoofing of Commands leading to locking ASIL-D 24 EuroSPI

25 Dependable vehicle Understanding interference from Cybersecurity Attack Type* Impact How Spoofing Commands Messages on CAN are used to simulate car is stopping. Checksum algorithm and message structure hacked. Sending a wrong steering command with the correct encryption and identification. Denial of service Tampering Messages on CAN are used to simulate car is never stopping. Changing configuration data in a memory (setting speed limit for activating steering lock) Overloading the bus with speed < 3 km/h so that the steering lock is activated. Changing parking mode from < 10 kmh to < 200 kmh so that parking mode steering is used at high speed (resulting in a too big steering angle) EuroSPI

26 Safety Security traceability Traceability Threat Specification per Safety Goal EuroSPI

27 Automotive Defense Layers SPOOFING OF COMMANDS LEADING TO UNINTENDED STEERING EuroSPI

28 Dynamic Flow through Layers Flow Case 1 : vehicle infrastructure Flow Case 2 service garage Defence Mechanisms Layer 1 GW Gateway Indicator: steering command OBD On Board Diganose Defence Mechanisms Layer 2 Indicators to be monitored: Combining steering command e.g. with speed (active steering), requested torque, etc. DDC Dynamic Drive Control Defence Mechanisms Layer 3 Indicator: Comparing steering angle with internally measured angle by rotor position Electronic sensors Steering ECU and Sensors Defence Mechanisms Layer 4 Motor and Steering Rack Automotive Defense Layer 1 Automotive Defense Layer 2 Automotive Defense Layer 3 Automotive Defense Layer 4 28 Flows are highlighted by variables that can be monitored EuroSPI

29 Defence Layer Model FUNCTION GROUP POWERTRAIN Modelling New Car Architectures and App-Communication FUNCTION GROUP STEERING Gearbo x APP Motor Control APP Steering Lock APP Steerin g APP PLA APP Realtime VM Secure Ethernet Realtime VM Safe Operating System Safe Operating System X (e.g. 10) -Core HW X (e.g. 10) -Core HW 29 EuroSPI

30 Customer SSL Apps FUNCTION GROUP POWERTRAIN Modelling New Car Architectures and App-Communication FUNCTION GROUP STEERING Gearbo x APP Motor Control APP Supplier APP Encryption By Customer Custom er SSL Realtime VM Secure Ethernet Encryption by e.g. Autosar Realtime VM Safe Operating System Safe Operating System X (e.g. 10) -Core HW X (e.g. 10) -Core HW Function Flow with Autosar Encryption plus Internal Customer SSL Encryption on Application Layer (all signals along this critical path are encrypted) 30 EuroSPI

31 SDN Driven System CAR 1 The System is not just the car any more! What is the system scope? CAR i Node with Service A[1] Realtime VM Node with Service B[1] A[n] B[n] C[n] Node with Service A[i] Node with Service B[i] Realtime VM Node with Service C[i].. Safe Operating System Safe Operating System X (e.g. 10) -Core HW X (e.g. 10) -Core HW SDN Software Defined Network is a methid for a network set up where the dependency on the hardware architecture is substituted by a software controlled network where comtrolers offer services in the network. 31 EuroSPI

32 ASPICE 3.0 Integration Integrating Into Base Practices Extended Assessment Questions (ASPICE) SYS.2.BP3 Analyze the impact on the operating environment. Determine the interfaces between the system requirements and other components of the operating environment, and the impact that the requirements will have. [Outcome 3] ISO , Specification of the technical safety requirements ISO , The technical safety requirements shall be specified in accordance with the functional safety concept, the preliminary architectural assumptions of the item and the following system properties: a) the external interfaces, such as communication and user interfaces, if applicable; b) the constraints, e.g. environmental conditions or functional constraints; and c) the system configuration requirements. NOTE: The ability to reconfigure a system for alternative applications is a strategy to reuse existing systems. NOTE: See questions for ISO , and ENG.2 BP1. (Security) SAE J3061, Feature Definition The feature definition defines the system being developed to which the Cybersecurity process will be applied. The feature definition identifies the physical boundaries, Cybersecurity perimeter, and trust boundaries of the feature, including the network perimeter of the feature. 32 EuroSPI

33 SAFETY FUNCTIONS AND CONNECTED VEHICLES EuroSPI

34 Critical signal path scenario 1. Vehicle local sensors (correctness?) 2. signals sent to service infrastructure (correctly related to position etc.?) The world is bigger ADAS (connected) environments Cloud based infrastructure for driving support Driving events databases (OEM, authorities) Driving data analysis Cloud driving services 3. Cloud storage (corruption?) 4. merge with other cars signals (data poisoning?) in the current vicinity (correct location?) and those ever operated near the current position (depending on the algorithm for driving data analysis, and its correctness). Infrastructure base stations Mobile internet technologies Radio-navigation satellite systems 5. Up-to date steering angle recommendation & road conditions for the current position sent to all the cars (availablitiy, low latency, correctness, scalability?). Vehicles report driving Vehicles get driving situation, events into the cloud: recommendations, commands from the cloud: 6. Steering angle is applied to the cars E.g. position, speed, E.g. steering related: steering angle, obstacles * instantaneous steering angle of neighbor cars steering (correct in the current context?). detected,... * typical steering angle for road position, * obstacles detected,... EuroSPI

35 Proposed ASPICE extension for Automotive Service Infrastructure (ASI processes) Expected typical properties ASIL-D QoS (Quality of Service) service monitoring for correct operation, availability, scalability and low latency. Preparedness for interruption of connectivity - local take-over (challenging for eg. platooning) Cybersecurity of service infrastructure (eg. wrong data injected, services spoofed, stored data and algorithms tampered with, messages altered) Etc. EuroSPI

36 Extension of ASPICE for Automotive Service Infrastructure ASI processes By example: ASI.2 Requirements Analysis Base practice BP4 ASI.2.BP4: Analyze the interfaces between the vehicle and the service infrastructure. Analog and linked to SYS.2.BP4: Analyze the impact on the operating environment Identify the interfaces between the vehicle and the service infrastructure. Analyze the impact that the service infrastructure interfaces will have on the vehicle operating environment. OUTCOMES: Quality of Service (Availability), Defined reaction in case of no availability, criticality of information, safety classification (if provided as QM or validated among a set of data to be provided with an ASIL), encryption and identification mechanisms to be implemented. Extended Cybersecurity (SAE J3061:2016) Assessment Questions : Related to SAE J3061:2016, clauses Feature Definition identifies physical boundaries, Cybersecurity perimeter, and trust boundaries of the feature, including the network perimeter of the feature. The feature definition defines the scope and interfaces of the feature. EuroSPI Christian Kreiner,TUGraz Richard Messnarz, ISCN 36

37 RELATED SKILLS PROJECTS AQUA ECOSYSTEM EuroSPI

38 AQUA - Knowledge Alliance for Training Quality and Excellence in Automotive EU Sector Skills Alliance for Automotive Aims: A unique, sustainable strategic alliance for modern certified VET Curricula for the automotive sector Industry aligned Capable of Europe-wide implementation Certified VET training course: Integrated Quality, Functional Safety, and Six Sigma in Automotive Certification by European Certification and Qualification Association ( Incorporated into Automotive Clusters Qualification programmes University Education (TUGraz, Grenoble INP) This project has been funded with support from the European Commission under agreement EAC This publication/communication reflects the views only of the author, and the Commission cannot be held responsible for any use which may be made of the information contained therein. EuroSPI Christian Kreiner,TUGraz Richard Messnarz, ISCN 38

39 AQUA Skills Set Automotive Quality Manager with AQUA Skills UnitID Unit Name Element ID Element Name AQUA.U1 Introduction AQUA.U1.E1 Integration view and general part AQUA.U1.E2 Organisational readiness AQUA.U2 Product Development AQUA.U2.E1 AQUA.U2.E2 AQUA.U2.E3 Lifecycle Requirements Design Each element contains four views: integrated perspective Automotive SPICE perspective Functional Safety perspetcive Six Sigma perspective AQUA.U3 Quality and Safety management AQUA.U2.E4 AQUA.U3.E1 AQUA.U3.E2 AQUA.U3.E3 Integration and Testing Capability Hazard & Risk management Assessment and audit AQUA.U4 Measure AQUA.U4.E1 Measurements AQUA.U4.E2 Reliability EuroSPI

40 SafEUr - ECQA Certified Functional Safety Manager Industry training and TUGraz course: Functional Safety Introduction, Management, Engineering, Production, Legal, Qualification topics Modular: 15 course elements Face-to-face and online delivery Heavily based on Industry Best Practice ISO26262, IEC61508 Skills set aligned with Industry Europe-wide certification by European Certification and Qualification Association ( Contact: Christian.Kreiner@tugraz.at EuroSPI Christian Kreiner,TUGraz Richard Messnarz, ISCN 40

41 Automotive Quality Universities (AQU) AQUA alliance extension to higher education Partners VŠB - Technical University of Ostrava, CZ Graz University of Technology, AT UAS Joanneum, Graz, AT University of Maribor EE + CS, SLO ISCN IE/AT EMIRAcle (European Innovation in Manufacturing Association), BE/FR Grenoble INP (EMIRAcle) Hochschule Düsseldorf (EMIRAcle) ECQA Online Campus for Industry The AQU project is financially supported by the European Commission in the Erasmus+ Programme under the project number CZ01-KA P1 TUG. This website and the project s publications reflect the views only of the authors, and the Commission cannot be held responsible for any use which may be made EuroSPI Christian Kreiner 41 of the information contained therein.

42 Regular student s course from 2014 AQUA university course for industry (TU Graz Life-long-learning progm. & ECQA) 1st ECVET-ECTS bridge between university and industry education Coordinator of AQUA project - EU funded Sector Skills Alliance Automotive Quality Universities EU project (partner) TU Graz Christian Kreiner EuroSPI

43 The AQUA ecosystem current state AQU - AQUA Quality Universities (EQF Level 6-8) AQUA for ROC (EQF Level 4-5) Planned AQUA extension Integrated Cybersecurity automotive & medical & automation Yellow Belt Orange Belt Green Belt Black Belt ECQA Functional Safety Manager /Engineer AQUA MOOCs? SPI manager/facilitator Integrated, interdisciplinary Innovation and improvment intacs Automotive SPICE ECQA Integrated Design Engineer More Christian Kreiner EuroSPI