Professional Documents
Culture Documents
Automotive Cybersecurity
An End-to-End Automotive Cybersecurity Solution Combining
NTT DATA’s Intrusion Detection System for CAN Bus
with its State-of-the-Art Vehicle-Security Operation Center
Abstract 3
3 V-SOC 15
Follow us:
NTT DATA Automotive
Visit us at:
de.nttdata.com/Industrien/Automotive
2
Abstract
An NTT DATA
solution of integration
of its in-car Intrusion
Detection System with
The more the digital transformation in the auto- Vehicle-Security Operation
motive industry advances, the more cyber- Center (V-SOC)
security becomes an important topic for vehicle
manufacturers.
In this document, the following aspects of cyber-
security in the automotive sector are discussed:
Chapter 1 gives an introduction at which and how Chapter 3 describes V-SOC and NTT V-SOC, further-
many points connected cars can be threatened by more presents a way designed by NTT DATA to inte-
cyber-attacks, and which security standards and grate an Intrusion Detection System into a Vehicle-
requirements for cybersecurity defined by interna- Security Operation Center (V-SOC). This end-to-end
tional organizations are already in place. To illustrate approach combines our solutions of in-vehicle sen-
how concrete the threat of cyberattacks against sor software for Intrusion Detection and IT SOC
connected cars is, the well-known Miller & Valasek services into a Vehicle-SOC for security monitoring,
experiment is cited, which showed how it can be threat analytics, and reporting.
possible to take control of a vehicle from the outside.
Chapter 4 identifies key challenges that lie ahead
Chapter 2 shows the various concepts and tech- in the development and technical implementation of
nologies of an Intrusion Detection System (IDS) for Intrusion Detection Systems (IDS). NTT DATA will
CAN bus to detect and defend against cyber-attacks continue to work on solving the tasks associated
on connected cars. NTT DATA has developed an with the topic of cybersecurity of connected cars for
IDS solution that is presented here. automotive manufacturers.
15
6
8
2 10 11
4 9 13
5 14
clear attack points 7 12 15
have been identified
in a common con- 1
nected car today.
A repository exists (National Vulnerability Database, NVD) as a A few examples of known vulnerabilities that have been exploited
registry for known vulnerabilities and it is constantly updated. through attack points of connected cars:
Threats can be of various severity levels that are classified with a TPMS sensor spoofing is an attack targeted on the wireless com-
CVSS score (Common Vulnerability Scoring System) defined by munication between a sensor placed in the wheel (to get the status
NIST (US National Institute of Standards and Technology). This of the tires for certain controls actions on the braking system) and a
classification is stored within their NVD (National Vulnerability receiver on the vehicle. TPMS has been standardized across US and
Database) and it is constantly updated. EU regions in 2012. A spoofing attack has been demonstrated to be
feasible remotely, from a distance of roughly 40m, in order to mali-
ciously confuse the braking system, thus altering the behavior of the
vehicle.
Airbag control unit tampering via vehicle bus. It was found that
under circumstances of unauthorized access gained within the
vehicle network, a diagnostic message is able to detonate the airbag
when the ignition is on and the speed is less than 6 km/h. This issue
has been reported in the CVE databased of 2017 and it showed there
was a weakness within the defined standard of ISO 26021-2 (secure
CAN comm).
Network Layer
22 Proximity Layer 16
Vehicle Layer
1 2 3
10 4
28 21 15 11 17 24
9 5
8 7 6
14 12
20 13 18
27 25
19
26
Vehicle Layer Proximity Layer Backend & Cloud Layer Network Layer
1 Infotainment 11 Bluetooth 16 Telematics Service Providers 23 Cellular Network
2 Telematics 12 V2V, V2I 17 Public & Private Clouds 24 Untrusted Networks
3 Central Unit 13 External Sensors 18 OEM Backends 25 Road Side Units
4 Communication Modules 14 Keyless Entry 19 Blockchain Transactions 26 Grid Infrastructure
5 Actuators 15 Wi-Fi 20 Content Providers 27 Infrastructure Sensors
6 ECUs 21 OES Backends 28 Trusted Networks
7 OBD 22 Data Intermediaries 29 Satellite Communication
8 Key
9 Bus Systems
10 Sensors
Twitter
motely The Guardian
Hackers re n a
o
kill a Jeep ith
w
highway – Wire
it. Fiat Chrysler recalls
FC m e in d
AU 1.4m vehicles of Jeep
IM SL hacking revelation
P O LC THE
J
ARE EEP HAC
SA RT
F
RE ETY ANT
B K
NO CAL
TIC L
!
CAR ACK TO ERS
H P
E GET ACKING ROVE
MUC C
H WO AN
RSE
A security incident
, 2015
that made a sensation July 24
1. WiFi service. They violated the optional WiFi service (leveraging the weak generation of passwords).
2. Infotainment Head Unit. They hacked the Infotainment Head Unit (exploiting some Linux vulnerabilities).
3. Cellular Network Telematic System. They violated the Cellular Network Telematic System.
4. Lack of encryption. They connected from the infotainment system to an ECU that could read from
the CAN bus (since the protocol is not encrypted, they could analyze the flowing messages).
5. No defense against malicious firmware. They reprogrammed the firmware of that ECU
(there was no secure boot feature to prevent the execution of malicious firmware) to gain the privilege
of writing on the CAN bus.
6. Lack of node authentication. They sent forged packets on the CAN bus (the protocol does not provide
a Message Authentication Control) to send commands to the ECUs, thus taking full control of the car.
Layer 1 Protect the Interfaces – he first step is to imple- In fact, the Miller & Valasek experiment, highlights
ment authentication for all the external communica- the fact that the CAN bus protocol, despites its great
tions and adopt secure protocols. advantages, has many vulnerabilities.
Layer 2 Enforce Isolation between Domains – The sec- No encryption – The messages that flow through
ond step is to secure the communication through the CAN bus are in clear text. Every node that is
a gateway with firewall capabilities. Firewall rules connected to the CAN bus can read all the messages
and signatures allow to filter the communications flowing through the bus (even if they are not targeted
among ECUs. to that node).
Layer 3 Secure the In-vehicle Network – A Network No message authentication code – The CAN
Anomaly Detection System, or Intrusion Detection protocol does not provide any authentication mecha-
System (such as the one that is described in this nism. Furthermore, CAN messages do not contain
whitepaper) monitors the network and detects if any information on the source and destination of the
any unexpected event or anomalous message has packets, since all messages are broadcasted to all
been sent on the CAN bus. CAN nodes. Hence, there is no way to know if the
message received is legitimate or not; thus an
Layer 4 Secure Processing – Secure boot, run-time
attacker may send malicious forged packets on the
integrity checks, and OTA updates need to be imple-
CAN bus to issue commands or confuse an ECU.
mented on the ECUs. If a firmware tampering is
attempted, the ECU will recognize that the firmware Limited payload size – the CAN protocol has been
is not legitimate and revert back to the latest legiti- standardized with packets allowing quite a small size
mate one. for the payload; this does not leave room for easy
cryptographic extensions.
Classical prevention approach alone is not enough. Knowing what happens by leveraging “anomaly
Certain characteristics of the automotive context detection”. For this reason, an approach based on
make it difficult to solve all cybersecurity issues by “behavioral analysis” or “anomaly detection” is
applying a classical “preventive” approach: emerging in this context, to complement the preven-
tive approach: if an attack attempt manages to over-
The limited computational resources of several come the preventive measures, there must be detec-
ECUs and the requirement for real-time respon- tion measures in place, which can detect the attack
siveness make the overhead of certain security to be able to react on it and deflect it.
measures (such as strong encryption and authen-
tication mechanisms) not acceptable. Attack detection with IDS. The adoption of an Intru-
sion Detection System (IDS) for the in-vehicle com-
The long lifecycle of vehicles (spanning up to munications is raising particular interest, thanks to
tens of years), and the difficulty to perform secu- its simplicity and the ability in detecting the attacks
rity updates (over the air, or by maintenance efficiently. An IDS monitors activities within the net-
service), make it difficult to promptly patch known work or directly on a communicating node, detects
vulnerabilities. anomalies (or deviations from the normal behavior)
and raises an alert in case of unexpected events.
The usage of proprietary or legacy protocols,
lacking of security features, makes it difficult to
develop and adopt standard security solutions. Taxonomy of CAN Bus IDS
The enforcement of preventive measures in a There are different kinds of IDS for CAN bus that can
threat landscape that is continuously evolving be classified based on the approach of deployment
may be too expensive. and the method of anomaly detection.
CAN bus
IDS
Taxonomy
Deployment Detection
Strategy Approach
Network Host
Anomaly Specification Signature
Based Based
Based Based Based
IDS IDS
Machine
Gateway CAN ECU Frequency Learning Statistical Hybrid
Controller Based Based Based Based
Remote
Analysis
This anomaly-based approach also can effectively Signature-based IDS: The signature-based
detect new attacks after undergoing a training approach detects an attack by utilizing a set of
phase. Since this approach considers anything that identified signatures, malicious events, or rules
significantly deviates from a normal behavior as a stored in the database module of the IDS (like a
signal of intrusion, this approach – if an accurate blacklist). This approach compares the network or
tuning is not performed – may generate false-posi- system’s activity against the attack patterns stored
tive alerts. in IDS, and if it matches with the stored malicious
patterns, it will trigger the alarm. The signature-
Specification-based IDS: Specification normally based approach is simple and not sophisticated to
is a set of thresholds and rules that describe the build and can increase the accuracy in detecting
well-known behavior of components in the network known attacks effectively. Nonetheless, as this
(like a whitelist). The specification-based approach approach relies heavily on the attack signature
works by detecting attacks whenever an expected database, it becomes ineffective in detecting un-
behavior of the network diverges from designated familiar or unknown attack. Thus, it necessitates an
specifications. Hence, the purpose of the specifica- IDS to update new attack signatures regularly.
tion-based approach is the same as an anomaly-
Bayesian networks. NTT DATA’s IDS uses an anom- Offline preparation phase. To create these profiles/
aly-based approach that is modular and based on models, an offline preparation phase must be per-
different signal types: for periodic signals we use a formed when you want to integrate our solution with
frequency-based approach, while for aperiodic sig- a specific car model.
nals we use Bayesian networks (a unique combina-
tion across machine learning and statistical
approach).
NTT DATA CAN Bus IDS Configuration (offline) and Execution (in-vehicle, real-time)
Periodic Signals
Execute Anomaly
Model Extraction
Detection
through Training
Algorithm
Learning:
Aquisition of
Property Information
Execute Anomaly
Model Extraction
Detection
through Training
Algorithm
Aperiodic Signals
Definition SOC. A Security Operations Center (SOC) Structured security. With a V-SOC, a central location
is a security structure consisting of skilled human is available where all security-critical incidents regard-
resources, processes and procedures, security tools ing a fleet of connected vehicles are identified and
and systems that deals with security issues at an processed in a coordinated manner. Relevant data
organizational or technical level. from the vehicle environment is collected centrally
and enriched with additional information
using threat intelligence.
V-SOC – a Security Operations Center
specialized for the automotive domain. Attack detection directly in the car.
Threat detection plays a key role here: in
certain cases, potential cyber-attacks are
Definition V-SOC. A Vehicle-Security Operations identified directly in the vehicle and the alerts are
Center (V-SOC) is a SOC specialized for the automo- transmitted to the V-SOC; in other cases, data col-
tive domain: as well as protecting computers and lected from a multitude of vehicles are aggregated,
servers of an OEM’s backend, it also protects assets and a large-scale attack can be identified thanks to
such as connected vehicles, cloud resources and data correlation.
fleet management system.
V-SOC – Benefits for OEMs they provide countermeasures and reactions. Typi-
cally, the incident management procedure is already
Advantages and challenges. For OEMs and sup- defined in run books created together with the OEM
pliers, setting up a V-SOC brings advantages as well (e. g., providing patches or shutting down an in-vehicle
as challenges. First of all, in-vehicle software and the interface or service).
use of potential vulnerabilities in this software will
no longer be a black box, since attacks on known vul- 2. Monitoring. With the monitoring of a whole vehicle
nerabilities could be detected and closed by patching fleet, it would be much easier to detect new attack
them. Challenging will be, that currently, OEMs and attempts, fleet attacks and respond to them quickly e.
suppliers are not able to develop, test and roll out new g., by the “emergency shutdown” of components or a
in-vehicle software and patch vulnerabilities in a timely whole vehicle, which both will also increase the safety
manner, which is standard practice in the traditional of all drivers and passengers. But regarding data pro-
IT world (software updates for mobile phones etc.). tection there is a thin line of how much monitoring of
vehicles that is allowed, for which data the approval
Threat intelligence. Other services – apart from of the car owner is necessary etc. There is nowadays
monitoring and analytics – include threat intelligence also no solution for car owners, which refuses the
helping to identify potential attacks, device manage- monitoring by enforcing their data protection rights.
ment, including Vulnerability Management and Inci-
dent Response. Therefore, a SOC must have con- 3. Costs. It is sure, that OEMs will save money, when
stant updates from external sources such as they know vulnerabilities early and can react before
Auto-ISAC, CERTS, and cybersecurity organizations something is happening. They can silently roll out
as well as constantly opened communication chan- new software over an OTA update campaign that is
nels to vehicles. quite cheaper than a call back of thousands of
vehicles, not to mention the cost of the potential rep-
1. Pattern analysis. Specialized analysts, with their utational damage. On the other hand, building and
dashboards and some automated tools, monitor the maintaining a V-SOC for hundreds of thousands or
incoming data and perform further investigations for even millions of vehicles will cost some money and
an alert indicating malicious activity. In such cases, OEMs must think about how they could price in this
they analyze patterns and, if the attack is confirmed, into their products.
NTT DATA is developing a holistic view, to secure the entire connected cars’ ecosystem.
Cyber
attacks
In particular, the CAN bus IDS solution presented in chapter 2.2 is natively integrated with the NTT V-SOC
analyst's workbench: the alerts generated by in-vehicle security components will be transmitted to the
V-SOC through the mobile network (e. g. via MVNOs or direct lines); thus a SOC analyst gets notified and
may perform further analyses.
TCU
Infotainment &
Communication IVI
domain
Braking Powertrain ADAS
OBD
V-SOC
Need of strong cybersecurity countermeasures. car. And finally, the problem how to protect vehicles
Modern vehicles consist of hundreds of digital com- as well as drivers and their passengers if cyber-
ponents, with a further increasing number and com- attacks were performed with new attack paths or
plexity. There are many potential attack points where technologies must solved.
an unauthorized user can try to overtake control of
digital-based car functions. So modern cars have Regulatory requirements. The OEMs are forced by
many vulnerabilities, as was revealed by the famous regulations (UN ECE WP.29) to detect and prevent
Miller & Valasek attack in 2015; they even attacked cyber-attacks against vehicles. Especially the adop-
the CAN bus and eventually took full control over a tion of an in-vehicle Intrusion Detection System for
vehicle. This shows that there is need of strong the CAN bus is an appropriate means to fulfill the
cybersecurity countermeasures. Cybersecurity is regulatory requirements. But there is not much time
vital for protection of the vehicles as well as for left for development of the solutions and for the
safety of the drivers and the passengers. vehicle manufacturers to deploy across their fleet
with necessary adaptation and validation to abide
Implementation of an IDS – challenges. An Intrusion with the regulations for connected vehicles world-
Detection System (IDS) for the in-vehicle communi- wide. Additional challenges are based with respect
cation enables to detect cyber-attacks efficiently. to the architecture, technology and vehicle commu-
There are several challenges for the implementation nication topology on a specific vehicle platform.
of an IDS for the CAN bus that OEMs have to deal
with: Significant limitations regarding computational Increasingly utilized: Ethernet. At present most of
power and data transmission rate; the CAN packets the OEMs use CAN as their vehicle communication
received from the vehicle´s sensors have to be man- technology with some migrating to Ethernet. Ether-
aged in real-time, so that vehicle´s functions can be net provides faster transmission speed (10/100
performed without any delay; different communica- Mbit/sec compared to CAN's 1 Mbit/sec at minimal
tion traffic protocols are needed for data exchange network length) combined with a virtually unlimited
within the automotive communication system and amount of data (CAN bus is limited to 8 bytes per
to data systems outside the vehicle (updates, dia- data frame). Ethernet, the most widely used LAN
gnostics etc.); dependency of possibly unstable technology in homes, offices, and factories, is
internet connections. increasingly utilized in the automotive world in the
form of Automotive Ethernet.
René Bader works in the IT area since 1995, in IT security projects since 2003.
As Managing Consultant Cybersecurity he is mainly focusing on the design
and implementation of security measures and optimization of security operations
for ERP landscapes, DevSecOps and databases but also in the security for
connected vehicles and IoT/OT devices. René has strong experiences in the
Automotive, Retail, Pharma and Finance sectors.
https://www.linkedin.com/in/rene-bader/
Rajesh Katyal is member of the Global Auto team supporting inCAR activities
since April 2020. He is leading the offering development for V-SOC. He comes with
18+ years of rich experience working with leading OEMs and Tier1s in the area
of automotive E/E, software development and mechatronics.
https://www.linkedin.com/in/rajesh-katyal/
Filippo Capocasale is Senior Engagement Manager and Security Architectures & Inno-
vation Practice Lead at NTT DATA Italy. He holds responsibility on Cybersecurity
projects on particularly innovative domains, such as OT, IoT, Automotive, Cyber-physical
devices. He has 18 years of experience in the Cybersecurity domain.
https://www.linkedin.com/in/capocasale/
Special thanks
Alba Lo Grasso / Security Consultant NTT DATA Italy
Lorenzo Sicignano / Security Consultant NTT DATA Italy
NTT DATA – a part of NTT Group – is a trusted global innovator of IT and business services
headquartered in Tokyo. We help clients transform through consulting, industry solutions, business
process services, IT modernization and managed services. NTT DATA enables clients, as well
as society, to move confidently into the digital future. We are committed to our clients’ long-term
success and combine global reach with local client attention to serve them in over 50 countries.
Visit us at nttdata.com