This article also appears in
Subscribe now »

Intel’s vision of bumper-to-bumper vehicle security encompasses all the areas shown, plus cloud-based traffic monitoring and "virtual patching," an interim method to prevent exploitation of newly-discovered weaknesses, until more durable fixes can be implemented.

Intel's "bumper-to-bumper" vehicle security approach

As vehicle connectivity becomes ubiquitous, the threat of being hacked rises. The longer a car is on the road, the more its access points become exposed. Thus the industry's feverish race to find a robust and ongoing cyber defense at every level. At the 2016 SAE World Congress, an expert at microprocessor supplier Intel gave her assessment of what the industry must do to ensure that defense.

According to Lorie Wigle, General Manager of Intel's Internet of Things (IoT) Security, while encryption (particularly of the CAN bus) has been highly-touted, "the reality is encryption is going to address just part of the threat."

There is no "silver bullet" solution, Wigle said. Security must be a continuing operation, not a single preparatory event. And it extends beyond the vehicle.

Biggest bang in cloud

"Clouds and infrastructure also must be secured," she explained, noting that the "biggest bang for the buck" for a high-threat attacker is in "the cloud," not the car parc.

Although many consider today's threat level high, the automotive fleet actually represents relatively low complexity, despite the fact that a typical car has 25 to 200 microprocessors and up to 65 million lines of codes, about half of which are for the multimedia systems, she said. A current luxury model has 144 ECU connections—73 are on CAN busses, 61 are on LIN (Local Interconnect Networks) and 10 on FlexRay. Further, a fully-optioned vehicle may have up to 100 electric motors for interior controls.

The cloud may be the highest value target, but the vehicle itself is the object of many groups of potential attackers. Wigle pointed out six primary threat models. The most common is the car thief, whose access into the vehicle is typically physical entry but also via wireless. More technically astute is the hacker seeking his minutes of fame and working the purely wireless approach.

The highest threats, however, come from the criminal who may have medium to very high technical knowledge and can combine wireless with physical access to pose a danger to passengers. There's also the workshop tuner with total physical access to modify a vehicle's control settings. Perhaps the highest hacker-threat comes from counterfeiters and competitors, who have physical access and are looking to understand the vehicle architecture.

According to Wigle, the present level of telematics is largely in the entertainment area, whereas the future is a fully connected environment—V2V, V2I and V2X (vehicle to vehicle and infrastructure, and real-time integration with on-board drive/brake systems). Vehicle automated operation is on a handful of cars, and limited in most cases to advanced forms of adaptive cruise and related semi-autonomous systems.

Data analytics on-board is currently focused on performance and such navigation-related items as vehicle location, whereas the future will go well beyond, into vehicle-driver personal data.

Bumper-to-bumper defense

The term "bumper to bumper" used to only describe a vehicle's warranty. Recently it has also come to describe the adaptive security perimeter around the vehicle and extending into the cloud, Wigle said. Best practices will require moving "attack surfaces" to the cloud where possible. She pointed to Intel McAfee's cloud-based IPS (Intrusion Prevention System) as an example.

However, Intel also is promoting its vehicle enhanced head unit including a "Hardware Security Module" intended to provide broad-based operating and security hardware coverage. The system includes a Wind River hypervisor, which can run multiple operating systems on a single central processing unit, and Intel's PC-established "Trusted Execution Engine." This hardware technology is designed to attest to the authenticity of a platform and its operating system and establish levels of trust to provide security.

OTA (over the air) software updates, Wigle said, will not be between individual devices, but from and to certified groups.

There are two sides of providing vehicle electrical system security, she noted. One is a secure, flexible development process as described in the guidebook for SAE J3061. This requires identifying and numbering all attack surfaces and conducting threat analyses, reducing attack surfaces and hardening the hardware and software. It is accompanied by SAE J3101, which defines a common set of requirements for hardware protection which exceeds the capability of the software alone.

Wigle also pointed to Intel's formation of the Automotive Security Review Board, to be composed of researchers from industry vendors, to develop solutions using Intel-based platforms. ASRB is working with three "white hat" security research operations—IOActive, and—to recruit cybersecurity professionals to contribute.

Continue reading »