Vehicle connectivity brings users enormous convenience, but it also exposes vehicle systems to the negative risks that come with the Internet, so automakers must act quickly to ensure that their vehicles do not become victims of hacker attacks. SAE is about to release a Best Practices recommendation that will help OEMs, through clearly structured programs, keep vehicles effectively protected throughout their entire life cycle.
SAE Recommended Practice J3061, "Cybersecurity Guidebook for Cyber-Physical Vehicle Systems," is the first guidance document written specifically for vehicle cybersecurity. SAE recently held a webinar in which several committee members discussed a range of important questions, including the standard itself and its role in protecting connected vehicles.
The session covered the full scope of J3061. The speakers opened by explaining the original motivation for drafting it.
Barbara Czerny, Senior Technical Specialist, Safety Assessor and Cybersecurity at the global supplier ZF TRW, said: "The potential (cybersecurity-related) threats are many, including financial loss, theft of intellectual property, degraded vehicle performance, and disruption of business operations."
Like vehicle quality and safety, cybersecurity must be pursued consistently from the very beginning, but that is not easy. Most vehicle systems can be affected by cybersecurity; in other words, an attack may target the vehicle's safety systems, its infotainment system, or other electronic systems on board.
Czerny pointed out that automakers must protect cybersecurity with a systems-engineering approach. If a vehicle comes under cyber attack, its safety-critical systems and other electronic controls may all be affected. For example, a hacker may steal passwords or other personal information stored in the in-vehicle infotainment system. What worries people most today is still the potential impact of cybersecurity on vehicle safety.
Vehicle safety and cybersecurity sometimes have little overlap, but often the two are tightly intertwined. A hacker planning to extort an OEM through a network intrusion would go for the vehicle's safety systems first. Engineers used to worry only about how the vehicle's hardware and software worked together; now they must consider further questions, such as whether an outsider could somehow affect critical vehicle functions like speed control.
David Ward, Head of Functional Safety at the automotive consultancy Horiba MIRA, said: "Many systems can cause conditions such as unintended acceleration, and the cybersecurity system is no exception."
Compared with other electronic systems, a cybersecurity system needs more flexibility, because cyber threats change constantly. Preventive measures must be produced in time to counter hacker attacks and provide effective protection throughout the vehicle's life cycle. A comprehensive security strategy must handle routine events effectively and respond nimbly to cyber attacks.
Lisa Boran, in-vehicle systems security specialist at Ford Motor Co., said: "Computer security must also consider changes of vehicle ownership. As an OEM, the plan we draw up must include a response mechanism that can correctly judge the nature of an incident. When such an incident occurs, everyone should know which people need to be notified to handle it."
SAE J3061 was released in January 2016, and SAE committee members have already begun preparing supporting documents, for example J3101, "Hardware Protected Security in Ground Vehicle Applications." Design teams can take steps that give the vehicle multiple layers of protection, such as storing authentication keys in a protected area of the microcontroller.
Bill Mazzara, Fiat Chrysler Global Vehicle Cybersecurity Strategist, said: "Hardware-based security protection can also help counter some software-oriented threats."
Throughout the webinar, the speakers repeatedly stressed that cybersecurity development must begin at the vehicle design stage and continue through the entire development process, rather than being patched on late in development. The experts also noted that certification cannot play a large role in cybersecurity, because its step-by-step, procedural approach does not suit a complex and ever-changing cyber environment.
Security systems typically use defense-in-depth techniques, so that if one layer of defense is breached, other mechanisms fill the gap. Layered defenses also ensure that, when a problem does occur, it can be contained and does not spread quickly to other vehicle systems.
Czerny said: "No system is 100% secure; following a structured process helps reduce the likelihood of a successful attack. A well-structured process can also respond to constantly changing threats."
A vehicle's life cycle is long and attack techniques keep changing, so a system can only keep its defenses effective through continual updates. Cem Hatipoglu, head of the Electronic Systems Safety Research Division at the National Highway Traffic Safety Administration (NHTSA), said that sharing information on attacks benefits all OEMs, helping them discover threats before they suffer a large-scale attack.
Cem said: "We hope the whole automotive industry can set up an information sharing and analysis center so that suspicious conditions can be shared before a problem breaks out on a large scale. If we wait until problems occur before acting, it will be too late. We must find problems early."
Building a flexible system that keeps the vehicle effectively protected against all kinds of threats throughout its life cycle is not easy, because it requires monitoring the vehicle over a long time, even years. That is precisely why J3061 is only an SAE recommended best practice, not a specification developers must follow.
Czerny said: "J3061 is a goal-based recommendation, not a mandatory rule; companies are entirely free to build solutions tailored to their own requirements."
During the webinar, the authors of J3061 also emphasized the similarities between this SAE document and the ISO 26262 functional safety standard. Both require design teams to find as many potential problems as possible and take steps to eliminate or reduce the risk. Both also agree that effort should be concentrated on the most dangerous problems.
Ward said: "Risk assessment should include detecting the attacker's motivation, while the severity level is used to assess the scale of the losses that could be suffered."
However, the two standards also differ noticeably. The most important difference is that functional safety need only consider oversights the developers may have made, whereas cybersecurity must also take other factors into account, including the behaviour of hackers and even of vehicle owners.
Ward said: "Functional safety hazards generally stem from system malfunctions or failures of software or hardware. In cybersecurity, the possible effects of malicious or unintended actions must also be considered; some owners, out of curiosity, may perform improper operations on the vehicle that affect its cybersecurity."
When analysing a system's security weaknesses and potential threats, developers must analyse the severity of an incident and the likelihood that vehicle functions are affected by it, and should also assess how difficult it is for the initiator to mount an attack.
Ward said: "Judging the probability of a security threat is essentially judging the probability of an attacker mounting an effective attack. Developers must analyse the skill level needed to mount the attack, whether the attacker needs detailed information, or whether the attacker already has intelligence that can help them breach the security defenses."
Many of the steps for assessing the level of cyber risk resemble the processes used to meet functional safety requirements. Experts at the webinar noted that the SAE guidance document and the ISO 26262 standard share many concepts. Design teams can first look for potential weak points in the system, take steps to eliminate or reduce their risk, and then "walk through" the analysis process again.
Using existing processes to design a cybersecurity program not only saves a great deal of time but also gives better results. Existing quality-control and functional-safety processes all help OEMs build security in from the earliest stage of vehicle design.
Czerny said: "Most organizations have mature process frameworks that companies can make full use of. Cybersecurity and functional safety are related: cybersecurity performs threat analysis and risk assessment, and functional safety likewise needs hazard analysis and risk assessment. Attack-tree analysis and fault-tree analysis are very similar."
The experts noted that the effectiveness of existing processes can all be carried over into the newest cybersecurity development programs.
Ward said: "Without a complete quality-control process as the foundation, whatever is built on top will not be solid. Companies must establish a good quality management process."
Author: Terry Costlow
Source: SAE Automotive Engineering Magazine
Translation: SAE Shanghai Office
SAE security guideline set to provide structure for connected vehicles
Connectivity opens vehicle systems to the dark side of the Internet, forcing automakers to quickly develop strategies to ensure that they don’t join the litany of corporations hit by hack attacks. SAE is nearing the release of a best practices document that will help OEMs create structured programs that provide protection that will remain effective throughout vehicle lifetimes.
SAE Recommended Practice J3061, "Cybersecurity Guidebook for Cyber-Physical Vehicle Systems," is the first document tailored for vehicle cybersecurity. Several members of the committee recently participated in an SAE webinar to discuss the standard and its role in protecting connected vehicles.
The session covered the full scope of J3061. Spokespersons opened by highlighting the many motivating factors behind its creation.
“Potential impacts include finances, theft of intellectual property, vehicle performance can be compromised, and interference with business operations,” said Barbara Czerny, Senior Technical Specialist, Safety Assessor and Cybersecurity at ZF TRW.
Security will be similar to factors like quality and safety that must be considered from the concept phase and beyond. That’s a tall order, since cyber security spans most vehicle systems. For example, attacks can focus on safety, infotainment, or other electronic systems.
Czerny noted that companies need to take an overarching systems-engineering approach to cyber security. Cyber assaults can impact safety-critical systems as well as other electronic controls. For example, a hacker may steal passwords or other personal information stored on the radio head unit. Potential impacts on safety will be a primary concern.
Though safety and cyber security will sometimes have little overlap, they will often be tightly intertwined. Safety systems may be a primary target for hackers who want to extort money from an OEM. Engineering teams that have focused only on hardware and software they put in the car will now have to think about ways that outsiders may alter the performance of critical vehicle functions like speed control.
“Hazards like unintended acceleration may involve several systems,” said David Ward, Head of Functional Safety at Horiba MIRA Ltd. “Cyber security may be the source of that issue.”
Cyber security systems need more flexibility than most other aspects of vehicle electronics. Threats will change over time, and preventive technologies will have to evolve to meet attacks by hackers throughout vehicle lifetimes. A comprehensive security strategy should address routine events as well as attack responses.
“Computer security must also consider what happens when vehicle ownership changes,” said Lisa Boran, Global Security Attribute Leader at Ford Motor Co. “Corporate plans should include an incident response plan that identifies incidents and makes sure they’re valid. Everyone should know which team members need to be informed about incidents.”
Though J3061 won’t be formally released until early in 2016, SAE committee members are already busy working on supporting documentation. For example, J3101 will address the growing need for "Hardware Protected Security in Ground Vehicle Applications." Steps such as storing authentication keys in protected areas on microcontrollers will help design teams add another layer of protection.
“Hardware protected security offers improved security against software-only threat vectors,” said Bill Mazzara, Fiat Chrysler Global Vehicle Cybersecurity Strategist.
Throughout the webinar, speakers continually noted that cyber security must be built into the designs, not added on during the development cycle. They also noted that certification may not be beneficial in cyber security because it fosters a check-the-box mentality that won’t work well in the complex, ever-changing cyber security field.
Security programs will typically use defense in depth techniques so that, if one preventive measure fails, another will pick up the slack. Layered defenses also help ensure that any problems that occur are kept in check before they spread to other vehicle systems.
“No system can be 100% safe,” Czerny said. “Following a structured process helps reduce the likelihood of a successful attack. A well-structured process also provides a means to react to a constantly changing threat landscape.”
The changes in hacking techniques over the lifetime of a vehicle will force strategists to plan for updates. Cem Hatipoglu, Chief, Electronic Systems Safety Research Division, at NHTSA, noted that OEMs may benefit from sharing information on attacks. That could help automakers spot attacks before they spread throughout vehicle fleets.
“We encourage the vehicle industry to set up an information sharing and analysis center,” he said. “There’s a need to disseminate information on anomalies seen on one vehicle before there are issues with a lot of vehicles. If we wait until accidents happen, it will be too late. We need to find issues earlier.”
The need to monitor vehicles for years highlights the complexity of building flexible systems that can meet varying types of threats over long lifetimes. J3061 was therefore written as a best practices document, not a specification that tells developers what they must do.
“The standard is goal-based rather than prescriptive so companies can tailor their solutions to their requirements,” Czerny said.
Throughout the webinar, the J3061 developers stressed the similarities between the new SAE document and the ISO 26262 functional safety standard. Both ask design teams to find as many potential problems as possible, then take steps to eliminate or mitigate them. In both standards, the most dangerous issues should get the most attention.
“Risk includes detection and motivation,” Ward said. “The analysis of severity includes the amount of losses that can occur.”
However, there are noticeable differences. Foremost among them is that developers are the only humans involved in functional safety issues. The actions of hackers and even vehicle owners must be taken into account by those working in the cyber security world.
“Functional safety is very much based on hazards caused by malfunctioning systems, failures in hardware or software,” Ward said. “In cyber security, people need to consider malicious action and unintended actions; a curious owner may do something to the car, for example.”
When developers are analyzing vulnerabilities and potential threats, they need to rank them on both severity and likelihood of an incident that impacts some aspect of vehicle operations. They should also examine the amount of effort required to mount an assault.
“Determining the probability of a security threat is typically based on the probability of an attacker making an effective attack,” Ward said. “People need to look at the skill level that’s needed, whether the attacker needs detailed knowledge, or whether it’s based on things that are readily known.”
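The two paragraphs above describe ranking threats on severity and on the likelihood of an effective attack (required skill, required knowledge, motivation, detection), and the earlier discussion notes that the analysis is re-run after mitigations are applied. The following Python is an added illustration of that loop; it is not code from SAE, J3061 or the article, and its ordinal scales, weights and threat scenarios are all constructed for the example rather than taken from any standard's tables.

```python
from dataclasses import dataclass, replace

# Hypothetical ordinal scales, constructed for this example. They are NOT
# J3061's own rating tables; they only give the factors the article names
# a concrete shape so the ranking can be computed.
SKILL = {"layman": 0, "proficient": 1, "expert": 2, "multiple experts": 3}
KNOWLEDGE = {"public": 0, "restricted": 1, "sensitive": 2, "critical": 3}
SEVERITY = {"negligible": 0, "moderate": 1, "major": 2, "severe": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    severity: str        # scale of the loss if the attack succeeds
    skill: str           # expertise the attacker must have
    knowledge: str       # how hard the needed system details are to obtain
    motivation: int      # 0..3, how attractive the target is to an attacker
    detectability: int   # 0..3, how likely the attack is noticed before it completes


def attack_effort(t: Threat) -> int:
    """0 (trivial) .. 6 (very hard): skill plus knowledge the attacker needs."""
    return SKILL[t.skill] + KNOWLEDGE[t.knowledge]


def likelihood(t: Threat) -> int:
    """0..3: harder attacks are less likely; strong motivation raises the
    likelihood and good detection lowers it (hypothetical weighting)."""
    score = 3 - attack_effort(t) // 2
    if t.motivation >= 2:
        score += 1
    if t.detectability >= 2:
        score -= 1
    return max(0, min(3, score))


def risk_score(t: Threat) -> int:
    """Severity times likelihood, 0..9."""
    return SEVERITY[t.severity] * likelihood(t)


def risk_level(score: int) -> str:
    if score == 0:
        return "none"
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def rank_threats(threats):
    """Highest risk first, so the most dangerous issues get attention first."""
    ranked = sorted(threats, key=lambda t: (-risk_score(t), t.name))
    return [(t.name, risk_level(risk_score(t)), risk_score(t)) for t in ranked]


# Constructed threat scenarios (illustrative only, loosely following the
# examples the article mentions: speed control, stored credentials, keys).
THREATS = [
    Threat("Spoofed speed-control messages from a compromised head unit",
           severity="severe", skill="expert", knowledge="restricted",
           motivation=2, detectability=1),
    Threat("Credentials read from infotainment storage",
           severity="moderate", skill="proficient", knowledge="public",
           motivation=1, detectability=0),
    Threat("Authentication key extracted from unprotected microcontroller flash",
           severity="major", skill="expert", knowledge="sensitive",
           motivation=1, detectability=0),
]


def reassess_after_mitigation():
    """Second pass of the analysis: the top threat after adding message
    authentication and intrusion detection on the speed-control path, which
    raises the skill and knowledge needed and makes the attack detectable."""
    before = THREATS[0]
    after = replace(before, skill="multiple experts", knowledge="sensitive",
                    detectability=2)
    return risk_score(before), risk_score(after)


if __name__ == "__main__":
    for name, level, score in rank_threats(THREATS):
        print(f"{score}  {level:6}  {name}")
    print("top threat before/after mitigation:", reassess_after_mitigation())
```

The point of the structure is that nothing is hard-coded about the answer: changing a single factor (for example, the knowledge an attacker needs once keys move into protected microcontroller memory) and re-running `rank_threats` is the "walk through the analysis again" step the speakers describe.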
Many of the steps taken to determine the level of risk are similar to the processes used to meet functional safety requirements. Webinar speakers noted that there are many similarities with the ISO 26262 methodologies. Design teams can figure out potential vulnerabilities and eliminate or mitigate them, then run through the analysis processes again.
Utilizing existing processes to set up cyber security programs will save plenty of time and improve results. Both quality programs and functional safety processes can be used to help build the base for baking security into designs.
“Most organizations have process frameworks established; companies can leverage this,” Czerny said. “Cyber security and functional safety are related activities. Cyber security has threat analysis and risk assessment versus hazard analysis and risk assessment for functional safety. Attack-tree analysis and fault-tree analysis are similar.”
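Czerny's remark that attack-tree analysis and fault-tree analysis are similar is easy to see in code: both are AND/OR trees over leaf events, and the same minimal-cut-set computation serves both; only the leaf quantity differs (attacker effort versus failure probability). The following Python is an added example and not code from the article, SAE or any of the speakers' companies; both sample trees and their leaf values are constructed for illustration and carry no real engineering data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    label: str
    gate: Optional[str] = None            # "AND" / "OR" for intermediate nodes, None for leaves
    children: List["Node"] = field(default_factory=list)
    value: float = 0.0                    # leaf only: attack effort, or failure probability


def leaf_values(node: Node) -> Dict[str, float]:
    """Map each leaf label to its value."""
    if node.gate is None:
        return {node.label: node.value}
    out: Dict[str, float] = {}
    for c in node.children:
        out.update(leaf_values(c))
    return out


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Minimal sets of leaf events that together reach the root.
    OR: any child's cut set suffices.  AND: one cut set from every child.
    Shared by attack trees and fault trees alike."""
    if node.gate is None:
        return [frozenset([node.label])]
    child_sets = [minimal_cut_sets(c) for c in node.children]
    if node.gate == "OR":
        result = [s for cs in child_sets for s in cs]
    else:
        result = [frozenset()]
        for cs in child_sets:
            result = [a | b for a in result for b in cs]
    result = list(dict.fromkeys(result))                       # de-duplicate
    return [s for s in result if not any(o < s for o in result)]  # keep minimal only


def cheapest_cut_set(tree: Node) -> frozenset:
    """Attack tree view: the path of least attacker effort, i.e. the one to harden first."""
    effort = leaf_values(tree)
    return min(minimal_cut_sets(tree), key=lambda s: sum(effort[l] for l in s))


def min_attack_effort(tree: Node) -> float:
    effort = leaf_values(tree)
    return sum(effort[l] for l in cheapest_cut_set(tree))


def top_event_probability(node: Node) -> float:
    """Fault tree view: probability of the top event with independent leaf failures.
    AND multiplies probabilities; OR is 1 minus the product of the complements."""
    if node.gate is None:
        return node.value
    ps = [top_event_probability(c) for c in node.children]
    acc = 1.0
    if node.gate == "AND":
        for p in ps:
            acc *= p
        return acc
    for p in ps:
        acc *= (1.0 - p)
    return 1.0 - acc


# Constructed attack tree: leaf values are relative effort units, not real estimates.
ATTACK_TREE = Node("Alter speed-control behaviour", "OR", [
    Node("Through the remote interface", "AND", [
        Node("gain access to the vehicle network", value=3),
        Node("defeat message authentication", value=4)]),
    Node("Through physical access", "AND", [
        Node("get physical access to the in-vehicle bus", value=2),
        Node("inject unauthenticated control messages", value=1)]),
])

# Constructed fault tree for the hazard the article names; probabilities are illustrative.
FAULT_TREE = Node("Unintended acceleration", "OR", [
    Node("Redundant pedal sensing lost", "AND", [
        Node("pedal sensor A fails", value=0.01),
        Node("pedal sensor B fails", value=0.01)]),
    Node("throttle controller software fault", value=0.001),
])


if __name__ == "__main__":
    print("cheapest attack path:", sorted(cheapest_cut_set(ATTACK_TREE)), min_attack_effort(ATTACK_TREE))
    print("minimal cut sets (fault tree):", [sorted(s) for s in minimal_cut_sets(FAULT_TREE)])
    print("P(top event):", top_event_probability(FAULT_TREE))
```

Reading the two results side by side shows why the speakers treat the methods as siblings: the fault-tree cut sets tell the safety engineer which combinations of failures must be made less likely, and the attack-tree cut sets tell the security engineer which combination of steps is cheapest for an adversary and therefore where a countermeasure (say, message authentication on the bus) raises the bar most.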
Speakers noted that any new programs for security can’t reduce the effectiveness of existing processes.
“If you don’t have an established quality process, what you put on top of it won’t be reliable,” Ward said. “Companies need to have a quality management process in place.”
Author: Terry Costlow
Source: SAE Automotive Engineering Magazine