Monthly Archives: March 2024

Decrypting the Encryption Algorithms Implemented in Automotive Cybersecurity

Modern automobiles are highly connected entities and the need to safeguard these complex systems against cyber threats has never been more critical.

According to an Upstream report, in the year 2022, there was a 380% increase in automated Application Programming Interface (API) attacks.

The advent of Vehicular Ad Hoc Networks (VANETs) marks a significant leap forward in enhancing vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication, promising to revolutionize our driving experiences. However, with great connectivity comes great vulnerability.

Cybersecurity in the automotive sector has thus shifted gears, focusing on implementing robust cryptography algorithms to shield these networks from potential cyber-attacks.

This blog post dives into the intricate world of cryptography algorithms deployed in automotive cybersecurity, offering a glimpse into how these crypto algorithms stand guard over the vehicles’ digital integrity.

From ensuring the confidentiality and integrity of the data transmitted between vehicles to authenticating the myriad of messages exchanged within these networks, cryptographic algorithms are the unsung heroes of automotive cybersecurity.

Commonly Used Cryptography Algorithms in Automotive Cybersecurity

We discuss various cryptographic solutions, including symmetric, asymmetric, and lightweight protocols, aimed at ensuring secure, efficient, and privacy-preserving communication within automotive systems.

Our article emphasizes the importance of developing and implementing advanced cryptographic techniques to safeguard against evolving cybersecurity threats in the automotive industry.

 

In the development of automotive cybersecurity solutions, various encryption algorithms are employed to ensure the confidentiality, integrity, and authenticity of data. These algorithms are crucial for protecting communications within the vehicle’s network, as well as between the vehicle and external networks or devices. Following are the most commonly used algorithms for automotive cybersecurity:

• Advanced Encryption Standard (AES): AES is a symmetric key encryption algorithm widely used for its efficiency and strong security. It is often utilized in securing communications between electronic control units (ECUs) within vehicles and for encrypting data transmitted externally, such as via telematics.

  A vehicle’s infotainment system, which communicates with the engine control module (ECM) to display vehicle performance data may use AES to encrypt this data. This ensures that any intercepted communication cannot be deciphered by unauthorized parties, protecting the integrity and confidentiality of sensitive vehicle data.

• Rivest-Shamir-Adleman (RSA): RSA is an asymmetric encryption algorithm that is primarily used for secure data transmission. In automotive systems, it’s often employed for securing software updates and ensuring the authenticity of messages through digital signatures.

When a car receives an over-the-air (OTA) software update, RSA is used to verify the authenticity of the update package. The update server signs the package with a private key, and the vehicle uses the corresponding public key to verify the signature, ensuring the update is genuine and has not been tampered with.

• Elliptic Curve Cryptography (ECC): ECC provides similar levels of security to RSA but with smaller key sizes, making it more efficient for use in systems with limited computational resources. It’s used in various applications, including key exchange protocols and digital signatures in automotive systems.

  In keyless entry systems, ECC can be used for the key exchange protocol between the key fob and the vehicle, ensuring that the communication is secure and resistant to eavesdropping, even if the signal is intercepted.

• Secure Hash Algorithm (SHA): Though not an encryption algorithm per se, SHA is used for creating hash values from data to ensure data integrity. SHA-256 and SHA-3 are among the variants used in automotive systems for verifying software integrity and authenticity.

  Before installing a new firmware update, a vehicle can use SHA-256 to verify the integrity of the downloaded firmware package. The vehicle computes a hash of the package and compares it to the hash provided by the manufacturer. If they match, it confirms that the package has not been altered or corrupted.

• Transport Layer Security (TLS): TLS and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communication over a computer network. In automotive systems, TLS is used to secure communications between the vehicle and external servers, such as for over-the-air (OTA) updates and telematics services.

  When a vehicle transmits diagnostic data to the manufacturer’s server or retrieves traffic information from a telematics service, TLS is used to encrypt the data in transit, protecting it from interception and ensuring that the vehicle is communicating with a legitimate server.

• Symmetric Key Algorithms (like DES, 3DES): While AES has largely replaced DES (Data Encryption Standard) and 3DES (Triple DES) due to their vulnerabilities, some legacy systems might still use these for compatibility reasons. They are generally considered less secure than AES.

  A legacy telematics system within a vehicle that was designed before the widespread adoption of AES might use 3DES for encrypting data transmissions. Despite its vulnerabilities, 3DES would provide a baseline level of security for communications, albeit with recommendations for upgrading to more secure algorithms like AES.

How to Pick the Right Cybersecurity Algorithm for the Target Automotive Solution?

Choosing the right encryption algorithm for automotive applications depends on balancing security needs with the system’s limitations and the type of data being protected. Confidentiality, Data Integrity, Authentication and Non-repudiation are the pillars of modern cryptographic principles.

• Confidentiality ensures only authorized parties can access information.
• Data integrity guarantees information is not altered unauthorizedly, preserving accuracy.
• Authentication verifies the identity of parties involved in communication, confirming they are who they claim to be.
• Non-repudiation prevents entities from denying their actions, providing proof of involvement in a communication or transaction.

Together, these principles form a comprehensive framework for secure communication, ensuring trust and reliability in digital interactions.

Another factor that impacts choice of cryptographic algorithm is system design consideration.

These considerations include processing power, memory constraints, energy consumption, real-time operation requirements, and the system’s ability to handle computational load without impacting functionality.

For example, high-performance ECUs can manage more complex algorithms like RSA for secure communications, while energy-efficient systems might opt for ECC due to its lower computational requirements.

Additionally, the need for real-time processing in safety-critical applications necessitates the selection of algorithms that balance security with minimal latency. Ensuring the encryption approach aligns with these design parameters is crucial for maintaining both the vehicle’s security posture and its operational efficiency.

Let’s dive a little deeper into more such considerations that significantly impacts the choice of encryption algorithm:

Application Requirements

• Confidentiality: AES is chosen for transmitting sensitive data due to its strong encryption capabilities, making it difficult for unauthorized parties to decrypt the information without the correct key.
• Integrity and Authentication: Applications that require data to be authenticated, like OTA updates, benefit from RSA or ECC, which enable digital signatures. These signatures verify the data’s origin and integrity, ensuring it hasn’t been tampered with during transmission.

Evaluate System Resources

• Computational Power: Devices with limited computational resources might opt for ECC over RSA for key exchange and digital signatures because ECC provides similar levels of security with smaller key sizes, reducing the computational load.
• Network Bandwidth: In scenarios like V2X communication, where efficiency and speed are crucial, ECC’s smaller key sizes also mean less data is transmitted over the network, improving communication efficiency.

Security Requirements

• Data Protection Level: The choice of algorithm (e.g., AES-128 vs. AES-256) can depend on the level of security required. AES-256 provides a higher security level but requires more computational resources.
• Long-term Security: For components that are not updated frequently, selecting algorithms that are resistant to future threats, including quantum computing attacks, is crucial. Certain ECC curves are believed to offer quantum resistance.

Regulatory and Standards Compliance and Inoperability

Compliance with industry standards and regulations ensures that the security measures adopted are recognized and approved, minimizing legal and operational risks.

The chosen encryption methods must ensure seamless communication and compatibility with other systems, components, and infrastructures within the automotive ecosystem, avoiding proprietary solutions that could hinder integration.

Conclusion

As the automotive industry continues to integrate more sophisticated technologies, the importance of employing robust encryption methods cannot be overstated.

Encryption algorithms such as AES, RSA, ECC, and protocols like TLS, along with the use of hash functions like SHA, are foundational to securing the complex ecosystem of modern vehicles.

Autonomous vehicles, electric vehicles, V2X are all examples of how automotive cybersecurity is poised to become a core aspect of automotive ecosystem.

By prioritizing security in the development of new vehicle features, the automotive industry can ensure that vehicles remain not only advanced and interconnected but also safe and reliable in the face of ever-evolving cyber threats.

This proactive approach to cybersecurity is essential in fostering consumer trust and ensuring the successful adoption of future automotive innovations.

What Makes Threat Analysis and Risk Assessment (TARA) the Key Driver of Automotive Cybersecurity

Before the automotive cybersecurity standard ISO 21434 was introduced, the approach to cybersecurity was quite muddled.

The absence of standardized cybersecurity practices led to a fragmented landscape where each entity approached cybersecurity in its own way, leading to inconsistencies and vulnerabilities.

OEMs (Original Equipment Manufacturers) and Tier-1 suppliers faced a multitude of challenges that not only threatened the security and integrity of vehicle systems but also posed significant risks to safety and privacy.

So, what exactly did a standard like ISO 21434 change for the automotive cybersecurity landscape? For one, it introduced certain practices and methodologies that had a direct impact on making automotive solutions secure-by-design.

One such methodology is Threat Analysis and Risk Assessment, aka TARA. In this article, we will not only learn about the theoretical aspects of TARA but also understand how TARA is implemented, through a real-world example.

To get into the finer details of TARA, we brought in our cybersecurity expert, Ganapathi Ramachandra, Director of Engineering at Embitel Technologies.

Time to roll!

Threat Analysis and Risk Assessment in Action!

Since we are witnessing rapid innovation in ADAS, let’s put it under the lenses of TARA.

Let’s consider the challenge of cybersecurity within ADAS.

Advanced Driver-Assistance Systems (ADAS) enhance vehicle safety and driving comfort by automating operations, which could include steering, braking, and various other functions. However, these systems, due to their reliance on software, sensors, and connectivity, introduce various vulnerabilities.

Taking an example of Adaptive Cruise Control, hackers can exploit vulnerabilities in the communication protocol between the vehicle and the cloud or between vehicles (V2V) to send false information, causing the vehicle to brake unexpectedly or fail to adjust speed appropriately.

TARA steps in as the first line of defense, highlighting potential cybersecurity vulnerabilities and guiding manufacturers towards implementing robust security measures like encryption and real-time intrusion detection systems.

This proactive stance ensures that vehicles are not just technologically advanced but fortified against digital threats, safeguarding the integrity of ADAS and the safety of those who rely on them.

How to Perform Threat Analysis and Risk Assessment as per ISO 21434?

The execution of Threat Analysis and Risk Assessment (TARA) in cybersecurity engineering involves a detailed and systematic process to identify potential cybersecurity threats and assess the associated risks.

Although the standard ISO 21434 does not provide any strict method for performing TARA, it lays an outline for it.

The execution of TARA is a comprehensive process that involves multiple steps from pre-analysis to the definition of cybersecurity requirements, guided by structured approaches and methodologies. This ensures a thorough understanding of potential cybersecurity risks and the formulation of effective strategies to address them, thereby enhancing the security and resilience of automotive systems against cyber threats.

1. 1. Pre-Analysis Steps:
      • Cybersecurity Item Definition: Begin by clearly defining the system under consideration, detailing its purpose, components, and boundaries. This sets the stage for a focused analysis.
      • Critical Function Block Analysis: Analyze the system’s primary functions to pinpoint areas that are critical for operation and might be attractive targets for cyber threats.
      • Technology Stack Analysis: Examine the hardware and software layers involved in the system. This includes identifying the technologies used and how they contribute to cybersecurity mechanisms.
      • Threat Modeling: Develop conceptual models that represent potential cyber threats to the system. This step is foundational for identifying how and where a system could be attacked.
   2. Asset Identification:

Asset identification is a critical early phase in the Threat Analysis and Risk Assessment (TARA) process. It lays the groundwork for a comprehensive understanding of what needs protection within a system from potential cybersecurity threats.

This step involves systematically cataloging all components of a system that could be valuable targets for cyber-attacks or that are essential for the system’s operation and security.

Key Components of Asset Identification

1. 1. • Hardware Components: This includes all physical devices and hardware within the system, such as servers, network devices, end-user devices, and any other equipment critical to the system’s operation.
      • Software Elements: This encompasses the operating systems, applications, databases, and any other software that runs on the hardware components. Software elements are crucial for the functionality of the system and often contain or process sensitive information.
      • Data: One of the most critical assets, data includes all information processed, stored, or transmitted by the system. This can range from confidential business information to personal data of users, which could be attractive targets for cyber attacks.
      • Network Connections: These are the pathways that allow communication between components within the system and with external entities. These include both physical connections, like Ethernet cables, and wireless connections, such as Wi-Fi and Bluetooth.
      • User Interfaces: This includes any point where a user interacts with the system, including web interfaces, command-line interfaces, and APIs. These interfaces can be pathways for unauthorized access if not properly secured.
      • Cryptographic Keys and Certificates: These are used to secure communications and data and are themselves valuable assets that need protection against compromise.

Process of Asset Identification

1. • Inventory Creation: Compile a detailed inventory of all system assets. This should be as comprehensive as possible to ensure no component is overlooked.
   • Asset Categorization: Group assets into categories based on their type, function, or sensitivity. This helps in prioritizing assets for risk assessment.
   • Value Assessment: Evaluate the importance of each asset to the system’s overall operation and security. Assets critical to system functionality or containing sensitive information are of higher value and, thus, higher priority for protection.
   • Documentation: Clearly document each identified asset, its location, its role in the system, and any protection mechanisms currently in place. This documentation is crucial for ongoing risk management and ensuring that all team members have a consistent understanding of the system’s components.
2. TARA Execution Steps
   • Asset and Threat Identification: With the system’s assets clearly defined, identify the specific threats applicable to each asset, using the earlier threat modeling as a guide.
   • Scenario Development: Develop scenarios for each identified threat, focusing on envisioning the potential outcomes of an attack without delving into the technical specifics of how the attack is carried out.
   • Impact and Likelihood Estimation: For each threat scenario, estimate the potential impact on stakeholders and the likelihood of the threat occurring. This involves assessing factors like safety, financial loss, operational disruption, and privacy breaches.
   • Risk Classification: Utilize methodologies like Heavens or SAHARA to classify the risk associated with each threat. This step combines the estimated impact and likelihood into a comprehensive security level rating.
   • Cybersecurity Goal Definition: Based on the identified risks, define specific cybersecurity goals for each significant threat. These goals outline the high-level protections or risk mitigation strategies that need to be implemented.
   • Requirement Specification: Finally, translate the defined cybersecurity goals into actionable high-level cybersecurity requirements. These requirements are aimed at addressing the identified risks, thereby enhancing the system’s security posture against potential cyber attacks.

Performing Threat Analysis and Risk Assessment for a Telematics ECU

Cybersecurity risks are more pronounced in connected systems of a vehicle, for eg. Telematics ECU. Vehicle telematics system by the virtue of being connected to the outside world are vulnerable to cyberattacks.

So, let’s understand TARA in finer details by dissecting the cybersecurity vulnerabilities of a Telematics system.

This example serves to illustrate the application of TARA in a simplified and abstracted manner, specifically during the concept phase of system development. It outlines a systematic approach to cybersecurity risk management, focusing on identifying and assessing potential threats and vulnerabilities within the system, and deciding on appropriate risk treatment options.

Telematics ECUThe output of each step in TARA is an input to the next step. For example, based on the damage scenarios identified during ‘asset identification’ step, cybersecurity experts derive the threat scenarios. Subsequently, the ‘threat scenarios’ become the input for the next step, i.e. Risk determination and treatment and so on..

Let’s get back to TARA of a Telematics ECU!

Item Definition for Telematics ECU

Item Boundary & Functions: The TCU, responsible for telematics services like emergency calls (eCall), remote diagnostics, vehicle tracking, and firmware updates over-the-air (FOTA).

Preliminary Architecture: Encompasses integration of cellular modules, GPS, and interfaces for Vehicle-to-Everything (V2X) communications, highlighting the interaction with internal and external networks.

Asset Identification

One of the assets of Telematics ECU for cybersecurity consideration is the wireless communications. We mention the functionality of this asset and further dissect the cybersecurity properties pertaining to wireless communications. As per the template prescribed by ISO 21434 standard, confidentiality, integrity, and availability are three properties that we consider for TARA.

Damage Scenarios: Potential damages involve unauthorized access to vehicle tracking information, injection of malicious firmware updates, and breach of user privacy.

Impact Rating

Applies the scale from “Negligible” to “Severe” to evaluate how threats could impact safety, privacy, and operational functionality. For example, a breach in user privacy through unauthorized access to personal data could be rated as “Major” or “Severe” due to legal and reputational consequences.

Threat Scenario Identification

Uploading of illegitimate firmware: Such a scenario can affect the functionality and safety of the telematics ECU.

Leakage of sensitive data: It can lead to privacy breaches and its adverse repercussions including regulatory penalties.

Attack Path Analysis

External Communication Compromise: An attacker might exploit vulnerabilities in cellular or Wi-Fi connections to gain access to the TCU, aiming to manipulate telematics functions or steal sensitive data.

Attack Feasibility Rating

Feasibility is assessed based on the attacker’s required resources and expertise. For instance, an attack exploiting a well-known vulnerability in the TCU’s cellular module might be rated as “High” feasibility due to the availability of exploit tools and knowledge.

Risk Value Determination

Combines the impact and feasibility ratings to prioritize threats. High-risk scenarios might include those that could lead to direct safety impacts or significant breaches of user privacy.

Risk Treatment Decision

For a TCU, risk reduction through technical controls, such as enhanced encryption for data transmission and robust authentication mechanisms for firmware updates, is typically preferred to protect against identified threats.

Cybersecurity Strategy for TCU

• Layered Security: Employment of network segmentation and firewalls, and IDS to safeguard the TCU’s network interfaces.
• Secure Communication: Implementation of end-to-end encryption for all transmitted data to prevent interception or manipulation.
• Software Management: Ensuring secure FOTA processes with cryptographic verification to maintain firmware integrity.
• Anomaly Detection and Incident Response: Utilization of advanced monitoring for the TCU’s network activity and establish a clear protocol for responding to detected cybersecurity incidents.

Conclusion

A well-executed TARA process offers comprehensive insights into the potential vulnerabilities within a system, the likely threats that could exploit these vulnerabilities, and the potential impact of such exploits on the system’s operations and stakeholders.

The culmination of the TARA process in the risk treatment decision step is crucial for defining actionable strategies to mitigate identified risks.

By applying a thorough and methodical approach to threat analysis and risk assessment, organizations can enhance their preparedness against cyber-attacks, protect critical assets, and ensure the continuity of their operations.

Embitel Technologies has proven expertise in performing TARA as per ISO 21434 standard. Our automotive cybersecurity team can support you in end-to-end cybersecurity requirements.