Biblio

We study a game-theoretic model of the interactions between a Cyber-Physical System’s (CPS) operator (the defender) against an attacker who launches stepping-stone attacks to reach critical assets within the CPS. We consider that, in addition to optimally allocating its security budget to protect the assets, the defender may choose to modify the CPS through network design interventions. In particular, we propose and motivate four ways in which the defender can introduce additional nodes in the CPS: these nodes may be intended as additional safeguards, be added for functional or structural redundancies, or introduce additional functionalities in the system. We analyze the security implications of each of these design interventions, and evaluate their impacts on the security of an automotive network as our case study. We motivate the choice of the attack graph for this case study and elaborate how the parameters in the resulting security game are selected using the CVSS metrics and the ISO-26262 ASIL ratings as guidance. We then use numerical experiments to verify and evaluate how our proposed network interventions may be used to guide improvements in automotive security.

With the emergence of smart automotive devices, the data communication between these devices gains increasing importance. SOME/IP is a light-weight protocol to facilitate inter- process/device communication, which supports both procedural calls and event notifications. Because of its simplicity and capability, SOME/IP is getting adopted by more and more automotive devices. Subsequently, the security of SOME/IP applications becomes crucial. However, previous security testing techniques cannot fit the scenario of vulnerability detection SOME/IP applications due to miscellaneous challenges such as the difficulty of server-side testing programs in parallel, etc. By addressing these challenges, we propose Ori - a greybox fuzzer for SOME/IP applications, which features two key innovations: the attach fuzzing mode and structural mutation. The attach fuzzing mode enables Ori to test server programs efficiently, and the structural mutation allows Ori to generate valid SOME/IP packets to reach deep paths of the target program effectively. Our evaluation shows that Ori can detect vulnerabilities in SOME/IP applications effectively and efficiently.

Connected smart cars enable new attacks that may have serious consequences. Thus, the development of new cars must follow a cybersecurity engineering process as defined for example in ISO/SAE 21434. A central part of such a process is the threat and risk assessment including an attack feasibility rating. In this paper, we present an attack surface assessment with focus on the attack feasibility rating compliant to ISO/SAE 21434. We introduce a reference architecture with assets constituting the attack surface, the attack feasibility rating for these assets, and the application of this rating on typical use cases. The attack feasibility rating assigns attacks and assets to an evaluation of the attacker dimensions such as the required knowledge and the feasibility of attacks derived from it. Our application of sample use cases shows how this rating can be used to assess the feasibility of an entire attack path. The attack feasibility rating can be used as a building block in a threat and risk assessment according to ISO/SAE 21434.

The market landscape has undergone dramatic change because of globalization, shifting marketing conditions, cost pressure, increased competition, and volatility. Transforming the operation of businesses has been possible because of the astonishing speed at which technology has witnessed the change. The automotive industry is on the edge of a revolution. The increased customer expectations, changing ownership, self-driving vehicles and much more have led to the transformation of automobiles, applications, and services from artificial intelligence, sensors, RFID to big data analysis. Large automobiles industries have been emphasizing the collection of data to gain insight into customer's expectations, preferences, and budgets alongside competitor's policies. Statistical methods can be applied to historical data, which has been gathered from various authentic sources and can be used to identify the impact of fixed and variable marketing investments and support automakers to come up with a more effective, precise, and efficient approach to target customers. Proper analysis of supply chain data can disclose the weak links in the chain enabling to adopt timely countermeasures to minimize the adverse effects. In order to fully gain benefit from analytics, the collaboration of a detailed set of capabilities responsible for intersecting and integrating with multiple functions and teams across the business is required. The effective role played by big data analysis in the automobile industry has also been expanded in the research paper. The research paper discusses the scope and challenges of big data. The paper also elaborates on the working technology behind the concept of big data. The paper illustrates the working of MapReduce technology that executes in the back end and is responsible for performing data mining.

Emerging trends that are shaping the future of the automotive industry include electrification, autonomous driving, sharing, and connectivity, and these trends keep changing annually. Thus, the automotive industry is shifting from mechanical devices to electronic control devices, and is not moving to Internet of Things devices connected to 5G networks. Owing to the convergence of automobile-information and communication technology (ICT), the safety and convenience features of automobiles have improved significantly. However, cyberattacks that occur in the existing ICT environment and can occur in the upcoming 5G network are being replicated in the automobile environment. In a hyper-connected society where 5G networks are commercially available, automotive security is extremely important, as vehicles become the center of vehicle to everything (V2X) communication connected to everything around them. Designing, developing, and deploying information security techniques for vehicles require a systematic security-risk-assessment and management process throughout the vehicle's lifecycle. To do this, a security risk analysis (SRA) must be performed, which requires an analysis of cyber threats on automotive vehicles. In this study, we introduce a cyber kill chain-based cyberattack analysis method to create a formal vulnerability-analysis system. We can also analyze car-hacking studies that were conducted on real cars to identify the characteristics of the attack stages of existing car-hacking techniques and propose the minimum but essential measures for defense. Finally, we propose an automotive common-vulnerabilities-and-exposure system to manage and share evolving vehicle-related cyberattacks, threats, and vulnerabilities.

In the paper, our research of abnormal bus data analysis of intelligent and connected vehicle aims to detect the abnormal data rapidly and accurately generated by the hackers who send malicious commands to attack vehicles through three patterns, including remote non-contact, short-range non-contact and contact. The research routine is as follows: Take the bus data of 10 different brands of intelligent and connected vehicles through the real vehicle experiments as the research foundation, set up the optimized neural network, collect 1000 sets of the normal bus data of 15 kinds of driving scenarios and the other 300 groups covering the abnormal bus data generated by attacking the three systems which are most common in the intelligent and connected vehicles as the training set. In the end after repeated amendments, with 0.5 seconds per detection, the intrusion detection system has been attained in which for the controlling system the abnormal bus data is detected at the accuracy rate of 96% and the normal data is detected at the accuracy rate of 90%, for the body system the abnormal one is 87% and the normal one is 80%, for the entertainment system the abnormal one is 80% and the normal one is 65%.

Future automotive systems will be highly automated and they will cooperate to optimize important system qualities and performance. Established safety assurance approaches and standards have been designed with manually controlled stand-alone systems in mind and are thus not fit to ensure safety of this next generation of systems. We argue that, given frequent dynamic changes and unknown contexts, systems need to be enabled to dynamically assess and manage their risks. In doing so, systems become resilient from a safety perspective, i.e. they are able to maintain a state of acceptable risk even when facing changes. This work presents a Dynamic Risk Assessment architecture that implements the concepts of context-awareness, confidence-disclosure and fail-operational. In particular, we demonstrate the utilization of these concepts for the calculation of automotive collision risk metrics, which are at the heart of our architecture.

Internet of Vehicle (IoV) is an essential part of the Intelligent Transportation system (ITS) which is growing exponentially in the automotive industry domain. The term IoV is used in this paper for Internet of Vehicles. IoV is conceptualized for sharing traffic, safety and several other vehicle-related information between vehicles and end user. In recent years, the number of connected vehicles has increased allover the world. Having information sharing and connectivity as its advantage, IoV also faces the challenging task in the cybersecurity-related matters. The future consists of crowded places in an interconnected world through wearable's, sensors, smart phones etc. We are converging towards IoV technology and interactions with crowded space of connected peoples. However, this convergence demands high-security mechanism from the connected crowd as-well-as other connected vehicles to safeguard of proposed IoV system. In this paper, we coin the term of smart people crowd (SPC) and the smart vehicular crowd (SVC) for the Internet of Vehicles (IoV). These specific crowds of SPC and SVC are the potential cyber attackers of the smart IoV. People connected to the internet in the crowded place are known as a smart crowd. They have interfacing devices with sensors and the environment. A smart crowd would also consist of the random number of smart vehicles. With the future converging in to the smart connected framework for crowds, vehicles and connected vehicles, we present a novel cyber-physical surveillance system (CPSS) framework to tackle the security threats in the crowded environment for the smart automotive industry and provide the cyber security mechanism in the crowded places. We also describe an overview of use cases and their security challenges on the Internet of Vehicles.

To increase security and to offer user experiences according to the requirements of a hyper-connected world, modern vehicles are integrating complex electronic systems, being transformed into systems of Cyber-Physical Systems (CPS). While a great diversity of heterogeneous hardware and software components must work together and control in real-time crucial functionalities, cybersecurity for the automotive sector is still in its infancy. This paper provides an analysis of the most common vulnerabilities and risks of connected vehicles, using a real example based on industrial and market-ready technologies. Several components have been implemented to inject and simulate multiple attacks, which enable security services and mitigation actions to be developed and validated.

Modern automotive architectures are complex and often comprise of hundreds of electronic control units (ECUs). These ECUs provide diverse services including infotainment, telematics, diagnostics, advanced driving assistance, and many others. The availability of such services is mainly attained by the increasing connectivity with the external world, thus expanding the attack surface. In recent years, automotive original equipment manufacturers (OEMs) and ECU suppliers have become cautious of cyber attacks and have begun fortifying the most vulnerable systems, with hardware-based security modules that enable sandboxing, secure boot, secure software updates and end-to-end message authentication. Nevertheless, insecure legacy ECUs are still in-use in modern vehicles due to price and design complexity issues. Legacy ECUs depend on simple microcontrollers, that lack any kind of hardware-based security. This makes it essential to bridge the gap between modern and legacy ECUs through software-based security by which cyber attacks can be mitigated, thus enhancing the security of vehicles. This paper provides one more step towards highly secure vehicles by introducing a lightweight software- based security framework which provides legacy ECUs with software-based virtualization and protection features along with custom security services. We discuss the motivation for pure software-based approaches, explore the various requirements and advantages obtained, and give an initial insight of the design rationale. Furthermore, we provide a proof of concept implementation and evaluation with a demonstrative use case illustrating the importance of such framework in delivering new diagnostics security services to legacy ECUs.

Cyber attacks against automobiles have increased over the last decade due to the expansion in attack surfaces. This is the result of modern automobiles having connections such as Bluetooth, WiFi, and other broadband services. While there has been numerous proposed solutions in the literature, none have been widely adopted as maintaining real-time message deliverability in the Controller Area Networks (CAN) outweighs proposed security solutions. Through iterative research, we have developed a solution which mitigates an attacker's impact on the CAN bus by using CAN's inherent features of arbitration, error detection and signaling, and fault confinement mechanism. The solution relies on an access controller and message priority thresholds added to the CAN data-link layer. The results provide no time delay for non-malicious traffic and mitigates bus impact of a subverted node attempting to fabricate messages at an unauthorized priority level.

With the growing number of electronic features in cars and their connections to the cloud, smartphones, road-side equipment, and neighboring cars the need for effective cybersecurity is paramount. Beyond the concern of brand degradation, warranty fraud, and recalls, what keeps manufacturers up at night is the threat of malicious attacks which can affect the safety of vehicles on the road. Would any single protection technique provide the security needed over the long lifetime of a vehicle? We present a new methodology for automotive cybersecurity where the designs are made to withstand attacks in the future based on the concepts of high availability and malicious fault-tolerance through self-defending techniques. When a system has an intrusion, self-defending technologies work to contain the breach using integrity verification, self-healing, and fail-over techniques to keep the system running.

Technologies such as Industry 4.0 or assisted/autonomous driving are relying on highly customized cyber-physical realtime systems. Those systems are designed to match functional safety regulations and requirements such as EN ISO 13849, EN IEC 62061 or ISO 26262. However, as systems - especially vehicles - are becoming more connected and autonomous, they become more likely to suffer from new attack vectors. New features may meet the corresponding safety requirements but they do not consider adversaries intruding through security holes with the purpose of bringing vehicles into unsafe states. As research goal, we want to bridge the gap between security and safety in cyber-physical real-time systems by investigating real-time-aware intrusion-tolerant architectures for automotive use-cases.

MAC using a counter value in message authentication for in-vehicle network prevents replay attack. When synchronization deviation of the counter value occurs between the sender and receiver, a message cannot be authenticated correctly because the generated MACs are different. Thus, a counter synchronization method has been proposed. In addition, injection and replay attack of a synchronization message for the synchronization method have been performed. However, DoS attack on the synchronization method has not been conducted. This study performs DoS attack in order to evaluate security of the synchronization method. Experimental results reveal the vulnerability of the synchronization method against DoS attack.

The domain of securing in-vehicle networks has attracted both academic and industrial researchers due to high danger of attacks on drivers and passengers. While securing wired and wireless interfaces is important to defend against these threats, detecting attacks is still the critical phase to construct a robust secure system. There are only a few results on securing communication inside vehicles using anomaly-detection techniques despite their efficiencies in systems that need real-time detection. Therefore, we propose an intrusion detection system (IDS) based on Multi-Layer Perceptron (MLP) neural network for Controller Area Networks (CAN) bus. This IDS divides data according to the ID field of CAN packets using K-means clustering algorithm, then it extracts suitable features and uses them to train and construct the neural network. The proposed IDS works for each ID separately and finally it combines their individual decisions to construct the final score and generates alert in the presence of attack. The strength of our intrusion detection method is that it works simultaneously for two types of attacks which will eliminate the use of several separate IDS and thus reduce the complexity and cost of implementation.

Recent years have seen an increase in the data usage in cars, particularly as they become more autonomous and connected. With the rise in data use have come concerns about automotive cyber-security. An in-vehicle network shown to be particularly vulnerable is the Controller Area Network (CAN), which is the communication bus used by the car's safety critical and performance critical components. Cyber attacks on the CAN have been demonstrated, leading to research to develop attack detection and attack prevention systems. Such research requires representative attack demonstrations and data for testing. Obtaining this data is problematical due to the expense, danger and impracticality of using real cars on roads or tracks for example attacks. Whilst CAN simulators are available, these tend to be configured for testing conformance and functionality, rather than analysing security and cyber vulnerability. We therefore adapt a leading, industry-standard, CAN simulator to incorporate a core set of cyber attacks that are representative of those proposed by other researchers. Our adaptation allows the user to configure the attacks, and can be added easily to the free version of the simulator. Here we describe the simulator and, after reviewing the attacks that have been demonstrated and discussing their commonalities, we outline the attacks that we have incorporated into the simulator.

There is a need for new tools and techniques to aid automotive engineers performing cybersecurity testing on connected car systems. This is in order to support the principle of secure-by-design. Our research has produced a method to construct useful automotive security tooling and tests. It has been used to implement Controller Area Network (CAN) fuzz testing (a dynamic security test) via a prototype CAN fuzzer. The black-box fuzz testing of a laboratory vehicle's display ECU demonstrates the value of a fuzzer in the automotive field, revealing bugs in the ECU software, and weaknesses in the vehicle's systems design.

With emerging smart automotive technologies, vehicle-to-vehicle communications, and software-dominated enhancements for enjoyable driving and advanced driver assistance systems, the complexity of providing guarantees in terms of security, trust, and privacy in a modern cyber-enabled automotive system is significantly elevated. New threat models emerge that require efficient system-level countermeasures. This article introduces synergies between on- and off-chip networking techniques to ensure secure execution environments for electronic control units. The proposed mechanisms consist of hardware firewalling and on-chip network physical isolation, whose mechanisms are combined with system-wide cryptographic techniques in automotive controller area network (CAN)-bus communications to provide authentication and confidentiality.

Processing smart grid data for analytics purposes brings about a series of privacy-related risks. In order to allow for the most suitable mitigation strategies, reasonable privacy risks need to be addressed by taking into consideration the perspective of each smart grid stakeholder separately. In this context, we use the notion of privacy concerns to reflect potential privacy risks from the perspective of different smart grid stakeholders. Privacy concerns help to derive privacy goals, which we represent using the goals structuring notation. Thus represented goals can more comprehensibly be addressed through technical and non-technical strategies and solutions. The thread of argumentation - from concerns to goals to strategies and solutions - is presented in form of a privacy case, which is analogous to the safety case used in the automotive domain. We provide an exemplar privacy case for the smart grid developed as part of the Aspern Smart City Research project.

Software integration in modern vehicles is continuously expanding. This is due to the fact that vehicle manufacturers are always trying to enhance and add more innovative and competitive features that may rely on complex software functionalities. However, these features come at a cost. They amplify the security vulnerabilities in vehicles and lead to more security issues in today's automobiles. As a result, the need for identifying vulnerable components in a vehicle software system has become crucial. Security experts need to know which components of the vehicle software system can be exploited for attacks and should focus their testing and inspection efforts on it. Nevertheless, it is a challenging and costly task to identify these weak components in a vehicle's system. In this paper, we propose some security vulnerability metrics for connected vehicles that aim to assist software testers during the development life-cycle in order to identify the frail links that put the vehicle at highsecurity risks. Vulnerable function assessment can give software testers a good idea about which components in a connected vehicle need to be prioritized in order to mitigate the risk and hence secure the vehicle. The proposed metrics were applied to OpenPilot - a software that provides Autopilot feature - and has been integrated with 48 different vehicles.. The application shows how the defined metrics can be effectively used to quantitatively measure the vulnerabilities of a vehicle software system.

Cyber-Physical Systems (CPS) are growing with added complexity and functionality. Multidisciplinary interactions with physical systems are the major keys to CPS. However, sensors, actuators, controllers, and wireless communications are prone to attacks that compromise the system. Machine learning models have been utilized in controllers of automotive to learn, estimate, and provide the required intelligence in the control process. However, their estimation is also vulnerable to the attacks from physical or cyber domains. They have shown unreliable predictions against unknown biases resulted from the modeling. In this paper, we propose a novel control design using conditional generative adversarial networks that will enable a self-secured controller to capture the normal behavior of the control loop and the physical system, detect the anomaly, and recover from them. We experimented our novel control design on a self-secured BMS by driving a Nissan Leaf S on standard driving cycles while under various attacks. The performance of the design has been compared to the state-of-the-art; the self-secured BMS could detect the attacks with 83% accuracy and the recovery estimation error of 21% on average, which have improved by 28% and 8%, respectively.

In autonomous driving, security issues from robotic and automotive applications are converging toward each other. A novel approach for deriving secret keys using a lightweight cipher in the firmware of low-end control units is introduced. By evaluating the method on a typical low-end automotive platform, we demonstrate the reusability of the cipher for message authentication. The proposed solution counteracts a known security issue in the robotics and automotive domain.

In recent years, there has been progress in applying information technology to industrial control systems (ICS), which is expected to make the development cost of control devices and systems lower. On the other hand, the security threats are becoming important problems. In 2017, a command injection issue on a data logger was reported. In this paper, we focus on the risk assessment in security design for data loggers used in industrial control systems. Our aim is to provide a risk assessment method optimized for control devices and systems in such a way that one can prioritize threats more preciously, that would lead work resource (time and budget) can be assigned for more important threats than others. We discuss problems with application of the automotive-security guideline of JASO TP15002 to ICS risk assessment. Consequently, we propose a three-phase risk assessment method with a novel Risk Scoring Systems (RSS) for quantitative risk assessment, RSS-CWSS. The idea behind this method is to apply CWSS scoring systems to RSS by fixing values for some of CWSS metrics, considering what the designers can evaluate during the concept phase. Our case study with ICS employing a data logger clarifies that RSS-CWSS can offer an interesting property that it has better risk-score dispersion than the TP15002-specified RSS.

The technological development of automated vehicles opens novel cybersecurity threats and risks for road safety. Increased connectivity often results in increased risks of a cyber-security attacks, which is one of the biggest challenges for the automotive industry that undergoes a profound transformation. State of the art studies evaluated potential attacks and recommended possible measures, from technical and organizational perspective to face these challenges. In this position paper, we review these techniques and methods and show that some of the different solutions complement each other while others overlap or are even incompatible or contradictory. Based on this gap analysis, we advocate for the need of a comprehensive framework that integrates technical and organizational mitigation measures to enhance the cybersecurity of automotive vehicles.

Augmented reality (AR) technologies, such as Microsoft's HoloLens head-mounted display and AR-enabled car windshields, are rapidly emerging. AR applications provide users with immersive virtual experiences by capturing input from a user's surroundings and overlaying virtual output on the user's perception of the real world. These applications enable users to interact with and perceive virtual content in fundamentally new ways. However, the immersive nature of AR applications raises serious security and privacy concerns. Prior work has focused primarily on input privacy risks stemming from applications with unrestricted access to sensor data. However, the risks associated with malicious or buggy AR output remain largely unexplored. For example, an AR windshield application could intentionally or accidentally obscure oncoming vehicles or safety-critical output of other AR applications. In this work, we address the fundamental challenge of securing AR output in the face of malicious or buggy applications. We design, prototype, and evaluate Arya, an AR platform that controls application output according to policies specified in a constrained yet expressive policy framework. In doing so, we identify and overcome numerous challenges in securing AR output.