Autonomous Driving needs Safety & Security
Embedded World 2018
Dr. Ciwan Gouma
Autonomous Driving: The Vision
The vision is not new. The picture on the left (you may have seen it in other presentations) is here for a reason: it is a 1957 vintage illustration from an advertisement by H. Miller, showing a family of four playing a board game while their futuristic electric car drives itself. Interestingly, it was published in an advertisement for an electrical power plant in the US, presenting different use cases for how electrical power could be used in the future. Why not from an automotive company? Long story.
How does the vision look today? Some changes compared to the left picture:
- People are not playing dominoes, they are working ;(
But back to the why. What is the real why for autonomous driving?
- Not the number of billions of IoT devices
- Not the available technology
Always start with asking why (Simon Sinek):
- Our mobility expectation has changed
- The time that we spend in traffic jams!
- The number of accidents: 1.3 million / year! (From 2006 to 2016, between 11 and 35 thousand people died as a result of terrorist attacks!)
- Lessons from the avionic industry: 95% of accidents are caused by human errors!
- Same result for cars; source: https://crashstats.nhtsa.dot.gov/api/public/viewpublication/812115
Autonomous WHYs
SYSGO AG PUBLIC 4
- Increase safety: 69%
- Reduce traffic congestion / increase road capacity: 65%
- Independent mobility of non-drivers: 55%
- Reduce stress level / advanced ease of use: 49%
- Increase productivity for the driver: 43%
- Enhance quality of life: 38%
- Emission and cost reduction: 31%
Source: Survey Report tech.ad 2018, Berlin, https://autonomous-driving-berlin.com/
Main Challenges
- Safety concerns / fail-safe concepts
- Legal restrictions
- Cyber security
Fail-safe concepts (mission complete, simply stop the car) are not part of this presentation, nor are legal restrictions. Cyber security is always mentioned as an important topic, and in the same moment people say "we will handle this later!" My personal view: that is the wrong approach! Continuous and seriously successful cyberattacks could be a show stopper for autonomous driving.
New Thinking
Mainstream autonomous vehicle adoption will create a new economy: a 7 trillion business by 2050 (Intel, Strategic Analytics). A separate passenger economy will include new types of products (autonomous cars, hyperloops, changing or smart cities, homes), new services and completely new business models. The new vehicle of the future will be able to retrieve and share real-time traffic data, use vehicle-to-vehicle communication, and use AI algorithms for optimizing autonomous driving, routes and other useful tasks such as finding parking space. Side note: Intel sees shared commuting in autonomous vehicles becoming the norm, and individual vehicle ownership becoming less important. A new class of vehicle will be spawned for dense urban environments. What are the impacts for our industry?!
Source: https://newsroom.intel.com/newsroom/wpcontent/uploads/sites/11/2017/05/passenger-economy.pdf
New Thinking: Connectivity & Security, Complexity, Domain Integration, Life Cycles & Development Processes
Connectivity is the base for new and helpful features; users and OEMs love that. Completely new use cases and business models become possible. Perfect! BUT with connectivity we are facing tremendous security issues: nothing is secure. A new way of thinking has to start.
- Complexity: domain integration, i.e. combining systems, increases the attack surface!
- ECU integration: how will that be realized with existing E/E structures?
- New business models and new cloud-based services bring completely different players; entirely different life cycles have to be handled.
Connected Car: Attack Surface Eldorado
Over time, several component providers added connectivity to their devices (Bluetooth, WiFi, near-field); some of them used IT-based security mechanisms like crypto.
- Sometimes old, outdated protocols are used: not safe
- Sometimes even without any security functionality
- The attack surface increased, with no security concept!
Levels of Autonomous Driving: Big Difference
Autonomous driving trusts connectivity! For levels 1 and 2, no extra safety certification levels are expected. BUT for level 3 and above, high safety certification has to come, similar to avionic standards. Safety! Cyber security, and security for safety.
Other Perspectives: IT Security, Aviation Industry
Learning from IT Security
- Firewalls
- Cryptography: crypto won't save you either
- End-to-end
- Intrusion
Thus, the attack surface is the full system architecture. Security is an integral system property! Without a clean design, it is complicated to identify and define the attack surface. Security is a process: easy-to-use update procedures matter (refer to WannaCry and Microsoft's statements about updates!). Positive: due to the impact of security attacks on companies, management attention has increased over the past years.
In short: in IT security, positive awareness from management is already there. Security is a process. Firewalls are a good idea. Crypto won't save you either.
Learning from the Avionic Industry: Safety & Security, Process & Certification, Fail Safe, HW Consolidation, Security by Design, MILS
Tremendous changes for the network-based infrastructure:
- Aircraft today are network based (AFDX & IP)
- Increasing usage of common computing resources: Integrated Modular Avionics (IMA)
- Open World domain with COTS software: Wi-Fi products, Linux
- New IT services: pilots (tablets), passengers, crew, maintenance
- Increasing integration and information flow between systems: the aircraft is heavily connected to other IT services and integrates several domains (airlines, ATC); the aircraft is connected to the INTERNET
Common challenges in cyber-physical systems:
- Functionality density is increasing: functions are integrated on a small number of ECUs, the number of ECUs is reduced or (at least) kept the same, and powerful COTS HW and SW are used. Need proper separation and control of functionalities.
- Heterogeneous information flows: systems are interconnected and exposed to the external world, and common network infrastructure is used. Need proper separation and control of information flows.
- High assurance for mixed-critical ECUs: functionalities have different assurance requirements, e.g. safety vs. security, and the overall assurance design shall be enough to run the most demanding one. Need a proper compositional certification approach.
MILS
[Diagram: application plane with a low-criticality, a medium-criticality and a high-criticality partition]
MILS is a high-assurance security architecture that supports the coexistence of untrusted and trusted components, based on verifiable separation mechanisms and controlled information flow. For more information, please refer to the research projects EuroMils and CertMils.
MILS Architectural Approach
[Diagram: the application plane (low-, medium- and high-criticality partitions) is refined into a MILS architecture of partitions running on the MILS platform (separation kernel), which provides the MILS-induced abstraction over the hardware (CPUs, memory, and devices) in the resource plane, including network and actuator]
For more information, please refer to our research projects EuroMils and CertMils.
Common: Assurance via Standards
Adaptive AUTOSAR, GENIVI / AGL and other OEM innovations share a common safety and security base: ISO 26262, SAE J3101 (Hardware-Protected Security for Ground Vehicle Applications) and SAE J3061 (Cybersecurity Guidebook for Cyber-Physical Vehicle Systems).
ISO 26262:
a) Potential interaction between safety and security
b) Cybersecurity threats to be analyzed as hazards
c) Monitoring activities for cybersecurity, including incident response tracking
d) Refer also to SAE J3061, ISO/IEC 27001, and ISO/IEC 15480
ISO/WD PAS 21448 Road vehicles -- Safety of the intended functionality (SOTIF), under development
SAE J3101:
a) Secure boot
b) Secure storage
c) Secure execution environment
d) Other hardware capabilities...
e) OTA, authentication, detection, recovery mechanisms...
SAE J3061:
a) Enumerate all attack surfaces, conduct threat analysis
b) Reduce attack surface
c) Harden hardware and software
d) Perform security testing (penetration, fuzzing, etc.)
SAE (Society of Automotive Engineers): U.S.-based, globally active professional association and standards developing organization for engineering professionals in various industries. Principal emphasis is placed on transport industries such as automotive, aerospace, and commercial vehicles. J3061: Cybersecurity Guidebook. ISO/IEC 27001: "Information technology -- Security techniques -- Information security management systems -- Requirements". ISO/IEC 15480: Common Criteria...
Safety & Security Software Life Cycle
[V-model: the left side runs Requirements, Global Design, Detailed Design and Implementation; the right side runs Unit Test Case Execution, Integration Test Execution and System Test Execution. Safety and security activities per phase:]
- Requirements: safety: hazard analysis and risk assessment, safety goals, requirements analysis; security: threat analysis, security goals
- Global Design: safety: system safety concept, system architecture; security: security architecture
- Detailed Design: safety: FMEA, FTA, FMEDA, HW/SW design; security: Attack Tree Analysis (ATA)
- Implementation: code and HW implementation, guidelines, reviews, analyses
- HW/SW Test (unit test case execution): test safety mechanisms; functional and penetration tests
- System Integration (integration test execution): test safety mechanisms; integration and penetration tests
- System Test (system test execution): validate safety assumptions; validate security assumptions
Abbreviations: Failure Mode and Effects Analysis (FMEA), Fault Tree Analysis (FTA), Failure Modes Effects and Diagnostic Analysis (FMEDA).
Benefits: MILS OS as Base for Future Automotive Platforms
- Create a multi-domain platform
- Supports new mobility services
- Ensure strict separation and domain integration
- Increase data privacy, minimise security risks
- Reduce development cost
- Minimize the risk from 3rd-party components
Proof: Our Secure Domain Demonstrator at Embedded World 2018, Hall 4-308 & Hall 4A-410
More information: www.sysgo.com
Company video: https://www.youtube.com/watch?v=x5yuhbktxba&feature=youtu.be
http://bit.ly/autonomous_driving
AUTOSAR Adaptive: New Standard, New Feature
The hypervisor combines safety and Linux:
- ISO 26262 safe application: Safe Adaptive AUTOSAR on SafePOSIX (e.g. PikeOS)
- QM application: QM Adaptive AUTOSAR on Linux
- A safe and secure barrier between the two, provided by the hypervisor (e.g. PikeOS) running on the microcontroller
Visit Vector at Hall 4-510. More information: www.sysgo.com
Press release on the SYSGO Vector joint venture: https://www.sysgo.com/partners/sysgo-vector
Multi-Domain AI Brain Platform: PikeOS & Evolver from OSR
More information: www.sysgo.com
Press release on the SYSGO OSR cooperation: https://www.sysgo.com/news-events/news-and-articles/article/osr-uses-pikeosfor-ai-based-automotive-platform/
Take Away
- Understand the standards and recommendations
- First secure the HW, then secure the SW
- The system integration concept, i.e. the architecture, is the most important SECURITY MEASURE
- Ask if your SW has: monitoring, assessment, notifications, remediations
- Safe & secure SW life cycle
- Establish end-to-end security
Consider adverse actors at the very beginning of the system design stage. Your system will not be isolated, neither physically nor information-flow-wise. The MILS architectural approach is an enabler for a high-assurance safety and security architecture and for compositional certification:
- Develop a system architecture consisting of different safety and security domains, i.e. partition the system into domains
- Assign platform resources to partitions: CPUs, CPU time, memory, I/O devices, file access and available services
- Define communication channels between partitions. Default: everything that is not explicitly allowed is forbidden
- Optionally, add libraries/run-time environments to partitions, e.g. POSIX, ARINC, AUTOSAR, Linux, Android, Ada
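As an added illustration of the partitioning discipline summarised above (this is not code from the deck, from PikeOS or from SYSGO; the data model, partition names and resource names are hypothetical), a small checker for a MILS-style configuration: every resource belongs to exactly one partition, CPU time budgets must fit, channels may only connect configured partitions, and any flow without an explicit channel is denied.

```python
"""Policy checker for a constructed MILS-style partition configuration.
Hypothetical data model, not a real separation-kernel config format."""
from dataclasses import dataclass, field


@dataclass
class Partition:
    name: str
    criticality: str                 # "high", "medium" or "low"
    cpu_time_percent: int            # share of the CPU time budget
    memory_regions: set = field(default_factory=set)
    devices: set = field(default_factory=set)


def check_config(partitions, channels):
    """Return a list of violations of strict separation: a memory region or
    device owned by two partitions, a CPU budget above 100%, or a channel
    whose endpoint is not a configured partition."""
    violations, owner = [], {}
    names = {p.name for p in partitions}
    for p in partitions:
        for res in p.memory_regions | p.devices:
            if res in owner:
                violations.append(f"{res} assigned to both {owner[res]} and {p.name}")
            owner[res] = p.name
    if sum(p.cpu_time_percent for p in partitions) > 100:
        violations.append("CPU time budget exceeds 100%")
    for src, dst in channels:
        if src not in names or dst not in names:
            violations.append(f"channel {src}->{dst} references unknown partition")
    return violations


def flow_allowed(channels, src, dst):
    """Default deny: a flow exists only if the directed channel (src, dst)
    was explicitly configured; nothing else is reachable."""
    return (src, dst) in channels


# Constructed sample: three domains of different criticality on one ECU.
PARTITIONS = [
    Partition("brake_ctrl", "high", 40, {"mem_brake"}, {"can0"}),
    Partition("navigation", "medium", 30, {"mem_nav"}, {"gps0"}),
    Partition("infotainment", "low", 30, {"mem_ivi"}, {"wifi0", "bt0"}),
]
# Explicit, directed channels. The connected low-criticality domain may
# receive position data, but no channel leads from it to the brake controller.
CHANNELS = {("brake_ctrl", "navigation"), ("navigation", "infotainment")}

if __name__ == "__main__":
    print(check_config(PARTITIONS, CHANNELS) or "configuration OK")
```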
Autonomous Driving: Let's Make the Vision Happen
SYSGO website: https://sysgo.com
SYSGO blog: https://blog.sysgo.com
LinkedIn: https://de.linkedin.com/company/sysgo-ag/
Twitter: https://twitter.com/sysgo
YouTube: https://www.youtube.com/user/sysgoag/videos
http://bit.ly/autonomous_driving/