Automotive Cybersecurity: Practices, RISC-V, Sensors, Argus Cybersecurity, NVIDIA,

In automotive cybersecurity news are Synopsys, SAE, Mitsubishi Electric, Singtel, Argus Cybersecurity, IAR Systems, IAR Embedded Workbench and a blockchain study.

Synopsys & SAE Guidelines

Synopsys, Inc.  and SAE International, a global association of engineers and related technical experts in the aerospace, automotive and commercial-vehicle industries, today released the report, Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices. Based on a survey of global automotive manufacturers and suppliers conducted by Ponemon Institute, the report highlights critical cybersecurity challenges and deficiencies affecting many organizations in the automotive industry. The study found that 84 percent of automotive professionals have concerns that their organizations’ cybersecurity practices are not keeping pace with evolving technologies. The survey also found that 30 percent of organizations do not have an established cybersecurity program or team, and 63 percent test less than half of the automotive technology they develop for security vulnerabilities.

“SAE, in partnership with Synopsys, is pleased to present the findings of this study, as it provides real-world data to validate the concerns of cybersecurity professionals across the industry and highlights a path forward,” said Jack Pokrzywa, SAE International director of Ground Vehicle Standards. “SAE members have sought to address cybersecurity challenges in the automotive systems development lifecycle for the last decade and worked together to publish SAE J3061™, the world’s first automotive cybersecurity standard. Armed with the findings of the study, SAE stands ready to convene the industry and lead development of targeted security controls, technical training, standards, and best practices to improve the security, and thus the safety, of modern vehicles.”

Synopsys and SAE commissioned the Ponemon Institute, a leading IT security research organization, to examine current cybersecurity practices in the automotive industry and its capability to address software security risks inherent in connected, software-enabled vehicles. Ponemon surveyed 593 professionals from global automotive manufacturers, suppliers and service providers. To ensure knowledgeable responses, all respondents are involved in assessing or contributing to the security of automotive technologies, including infotainment systems, telematics, steering systems, cameras, SoC-based components, driverless and autonomous vehicles, and RF technologies such as Wi-Fi and Bluetooth, among others.

“The proliferation of software, connectivity, and other emerging technologies in the automotive industry has introduced a critical vector of risk that didn’t exist before: cybersecurity,” said Andreas Kuehlmann, co-general manager of the Synopsys Software Integrity Group. “This study underscores the need for a fundamental shift—one that addresses cybersecurity holistically across the systems development lifecycle and throughout the automotive supply chain. Fortunately, the technology and best practices required to address these challenges already exists, and Synopsys is poised to help the industry embrace them.”

Other key findings from the survey highlight:

  • Lack of cybersecurity skills and resources. More than half of respondents say their organization doesn’t allocate enough budget and human capital to cybersecurity, while 62 percent say they don’t possess the necessary cybersecurity skills in product development.
  • Proactive cybersecurity testing is not a priority. Less than half of organizations test their products for security vulnerabilities. Meanwhile, 71 percent believe that pressure to meet product deadlines is the primary factor leading to security vulnerabilities.
  • Developers need cybersecurity training. Only 33 percent of respondents reported that their organizations educate developers on secure coding methods. Additionally, 60 percent say a lack of understanding or training on secure coding practices is a primary factor that leads to vulnerabilities.
  • Cybersecurity risk throughout the supply chain. Seventy-three percent of respondents expressed concern about the cybersecurity of automotive technologies supplied by third parties. Meanwhile, only 44 percent say their organization imposes cybersecurity requirements for products provided by upstream suppliers.

Download a free copy of the report: Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices.

Mitsubishi Electric Corporation’s Sensor Security Tech

Mitsubishi Electric Corporation  today that it has developed what is believed to be the world’s first sensor-security technology that detects measurement-data inconsistencies by embedding a proprietary algorithm in sensor fusion algorithms, which combine multiple sensors for measurements used in the automatic control of drones, in-vehicle devices, production equipment and more. Going forward, the company will continue development with the aim to commercialize the technology from the year 2020 onwards.

Mitsubishi Electric’s new algorithm detects malicious attacks based on more than 42 percent inconsistencies in measurement data. In the case of ultrasonic attacks on drones, for example, the Earth’s magnetism or gravity is calculated in two ways using intermediate values in the sensor fusion algorithm, and any difference between the two results is treated as an inconsistency.
The new algorithm can be implemented at low cost as additional software in existing sensor signal processing circuits without the need to add or modify hardware. The accuracy of sensor measurements is not compromised.
Comparison

Function Disturbance correction
(heat, magnetism, etc.)
Attack detection
Developed Technology Sensor attack detection Possible Possible
Conventional Technology Sensor fusion Possible Impossible

Background

Sensor-based automatic control is becoming increasingly common in everyday applications such as drones, in-vehicle devices and production facilities, raising the need for cybersecurity countermeasures. Sensor fusion algorithms, which combine multiple sensors for measurement, play a key role in automatic control, but their security performance was unproven.
In response, Mitsubishi Electric developed what is believed to be the world’s first sensor-security technology that detects inconsistencies in sensor measurements during malicious attacks. The development was partially supported by business commissioned by the New Energy and Industrial Technology Development Organization (NEDO) under Japan’s National Research and Development Agency.
Details

1) Attack detection algorithm for sensors

Until now, effective countermeasures have not existed for malicious attacks that apply abnormal signals to sensors. Sensor fusion algorithms, which combine multiple sensors for measurement, were thought to offer attack resistance as well as high-accuracy measurements, but due to the complexity of algorithms and the difficulty of creating an evaluation environment, it had not been proven that the algorithms were actually resistant to attacks nor under what conditions attacks could succeed relatively easily.

Mitsubishi Electric, recognizing the potential of using the internal calculations of sensor fusion algorithms, has exploited these calculations in a novel embeddable attack-detection algorithm. Malicious attacks are detected on the basis of inconsistencies between measurements from various sensors, such as compasses, gyros and/or accelerometers used for the automatic control of drones. The algorithm does not compromise computation speed because it exploits intermediate values calculated by the sensor fusion algorithm.

Mitsubishi Electric also created an advanced evaluation environment that applies abnormal signals individually to each sensor, such as a drone’s compass, gyro and accelerometer, as well as simultaneously to multiple sensors. Using this environment, Mitsubishi Electric has confirmed significant differences between disturbances caused by natural physical phenomena and measurement inconsistencies caused by malicious cyber-attacks.
2) Low-cost implementation in autonomous devices with sensors

The new sensor security technology can be added to devices such as drones at low cost because it can be implemented in existing sensor-signal processing circuits without having to modify the hardware or make any other addition.

Singtel & Argus MOU

Singtel and Argus Cyber Security, a global leader in automotive cyber security, have signed a Memorandum of Understanding (MOU) to collaborate on several initiatives to strengthen the cyber security capabilities for Singapore’s transportation sector, facilitating the introduction of connected cars and new technologies such as autonomous vehicles. In addition, both parties will also work together on the research and development of next generation cyber security solutions for autonomous vehicles.

Under the MOU, both parties will launch a suite of solutions which includes Argus’ in-vehicle solutions and technologies, and Argus’ stand-alone cyber security backend platform. This platform collects, correlates and analyses data derived from vehicles, mobile apps, cellular networks, cloud platforms and other sources, and will be integrated with the managed security services portfolio of Trustwave, Singtel’s cyber security arm. The platform helps automakers and fleet managers to quickly protect vehicles that are already on the road without making any modifications to them. It will be delivered through Trustwave’s global network of 10 Advanced Security Operations Centres, further enhancing its capabilities as a leading global managed security services provider.//

AdaCore & NVIDIA Security-Critical Firmaware

AdaCore, a trusted provider of software development and verification tools,  announced it is working with NVIDIA to implement Ada and SPARK programming languages for select security-critical firmware used for applications that demand stringent safety and security capabilities, like automated and autonomous driving.

Some NVIDIA system-on-a-chip product lines will migrate to a new architecture using the RISC-V Instruction Set Architecture (ISA). Also, NVIDIA plans to upgrade select security-critical firmware software, rewriting it from C to Ada and SPARK. Both moves are intended to increase verification efficiencies to achieve compliance with the functional safety standard ISO-26262.

Ada and SPARK are designed to help meet the most stringent software requirements for safety and security. The Ada programming language has numerous built-in features that detect code defects early in the software life cycle, expediting the peer review and testing effort. The SPARK language — a restricted set of Ada features designed to perform a formal mathematical proof — increases the certainty of catching defects early that might not have been detected otherwise. SPARK facilitates static analysis that can formally demonstrate certain properties of the code, ranging from correct data flows and absence of run-time errors such as overflow, to more advanced assertions and satisfaction of functional requirements.

IAR Systems Tools for RISC-V

At embedded world 2019, IAR Systems, the future-proof supplier of software tools and services for embedded development, will present its ground-breaking technology for IoT security, developed with its sister company Secure Thingz, a global domain expert in device security, embedded systems and lifecycle management. In addition, the company will show its strengthened functional safety offering for automotive, and a preview of upcoming complete tools for RISC-V. The novelties are being presented as demos at IAR Systems (hall 4, booth 4-216) plus, like every year at embedded world, as free technical seminars for embedded developers.

Free 20-minute-seminars

At IAR Systems’ booth, embedded world visitors can expect a full program of free technical 20-minute-seminars. On all three show days, experts from IAR Systems and its partners, including Si-Five, Microchip, Arm, Renesas and Amazon Web Services, give insights to embedded development and debugging, functional safety and code quality, and IoT security.

Security for the IoT

Connected devices in the Internet of Things continue to be vulnerable to increasingly sophisticated cybercriminals. At embedded world 2019, IAR Systems together with its sister company Secure Thingz will be showcasing the new product Embedded Trust – which will help embedded developers to consistently implement security into their products to protect them from counterfeiting, unauthorized usage, invasive attacks, and other security threats. The companies will also demonstrate a new innovative product to simplify security development throughout the development team.

Functional safety development for automotive

The versions of IAR Embedded Workbench that are certified for functional safety development have recently experienced strong demand in the automotive sector. The pre-certified development toolchain fulfills all requirements according to ISO 26262, which is used for automotive safety-related systems, and IEC 61508, the international umbrella standard for functional safety, including standards derived from it. At embedded world 2019, IAR Systems will demonstrate the latest versions of the functional safety tools with special focus on automotive software development.

Tools for RISC-V

Another demo that can be seen at IAR Systems’ booth is the not-yet-launched IAR Embedded Workbench for RISC-V. The toolchain will bring leading compiler technology, static code analysis and extensive debug functionality to the RISC-V community.

Committed to embedded developers

IAR Systems stays true to its mission of providing embedded developers with complete and simplified development workflows. Together with Secure Thingz, the company is breaking new ground for innovative, extended workflows for ensured code quality, as well as compliance with legislation and industry standards, all integrated in the day-to-day work of the development team. Don’t miss IAR Systems at embedded world 2019!

Automotive Blockchain Estimates by Month

Blockchain is establishing its presence in the automotive sector. Car owners and other road users are already interested in the many ways in which this technology can be used, the strategy and marketing consultancy Simon-Kucher & Partners found in a recent study*. Survey participants were particularly interested in time-saving solutions, such as traffic congestion management (48 percent) and automated payments (54 percent). Applications that provide added security such as protected data access (50%), enable increased efficiency such as automated payments (54%), or greater convenience such as remote access (46%) were also popular with participants.

“The added value of blockchain applications for the end customer is obvious,” says Peter Harms, a Partner in Simon-Kucher’s global automotive practice. “Automakers need to be aware that they can generate significant profit from these applications.”

The study also revealed how much drivers would be willing to pay each month for various blockchain solutions:

  • Traffic congestion management: 27 percent of survey participants would be willing to pay on average $11.00 per month for this solution
  • Protected data access: $11.00 (7 percent)
  • Remote control of vehicle (e.g. locking/unlocking): $8.00 (12 percent)
  • Automated payments (e.g. at parking or charging stations): $7.00 (17 percent)
  • Immutability of vehicle records (when buying a used car): $6.00 (7 percent)

Based on these figures, total revenue generated by 2030 is set to reach $120 billion. “The added value of blockchain solutions and customer willingness to pay for them already indicate enormous monetizing potential,” says Harms. “Now is the time for the automotive industry to start adjusting its strategies and business models, not only to expand their current offerings with blockchain solutions but also to monetize them.” To accomplish this, industry-wide infrastructure is required. “Close cooperation among individual stakeholders (e.g. automotive manufacturers, taxi companies, municipal corporations, toll operators) is essential to unlock the multi-billion-dollar potential of this technology.”

Read previous automotive cybersecurity articles.

SUBSCRIBE

You are welcome to subscribe to receive email notification of publication of Connected Car News Cybersecurity, you can also get weekly news summaries or daily emails.

COMMENT: Let Us Know What You Think