1. Introduction
In recent years, interest in deploying connected autonomous vehicles (CAVs) on real road networks has been increasing [1]. In order to enable the applications that depend on connectivity [2] and autonomy [3], vehicle computer systems are becoming more intricate and the number of ways by which vehicles can communicate with other devices, each other, nearby Edge infrastructure, and the Cloud is increasing. Such changes in complexity [4], connectivity and levels of autonomy mean that there are more ways in which a CAV can be attacked [5] and a successful breach has more impact.
Due to the safety ramifications, it is important to protect the security of vehicles and the systems they rely on. Security breaches could lead to vehicle theft, privacy leaks or, in the worst case, to injury or death of occupants. Analysing security threats in isolation is insufficient, since vulnerabilities may be, and often are, exploited in combination to lead to escalated threats with the potential for greater harm.
Reference architectures can be used to help understand and analyse complex systems, specifying the entire system and its interactions. In addition to being a useful tool for analysis, a reference architecture can be used to help in performing attack surface analysis, for example, as part of the system level analysis and design in SAE J3061 (figure 7) [6]. By using the output of a threat modelling, the identified objectives, resources, capabilities, motivations and presence of an attacker can be used with a reference architecture to help understand how an attack could be executed. However, a problem with using existing reference architectures for attack surface description and analysis is that they often lack important details [7] needed to derive certain types of attacks, or are too complex [8] for vehicle manufacturers and CAV system designers to feasibly use (which will be elaborated on in Section 2.1 and Section 2.2). This article addresses these issues by proposing a hybrid Functional-Communication viewpoint reference architecture for attack surface analysis. This reference architecture aims to balance the complexity-completeness trade-off, such that the model is sufficiently complex to model a wide range of interactions but remains simple enough to use in practice.
While many of the attacks against traditional vehicles could be modelled using this reference architecture, we target L3–L5 autonomous vehicles (which are described in Table 1). These are the new and emerging autonomous vehicles that are beginning to be deployed, and which will encounter new threats compared to L0–L2 vehicles [9]. These new threats may attempt to manipulate input sensor data [10] in order to affect how and where an autonomous vehicle drives, or may simply try to remotely take control of the vehicle’s functions [11]. There is the potential for these attacks (and others [12]) to have a larger impact due to the potential of leading to unsafe conditions for vehicle occupants and pedestrians [13]. As the way in which vehicles are designed and operated is changing at a rapid pace, this reference architecture aims to focus on the next 10 years [14] of autonomous vehicles and to be flexible enough to accommodate future changes.
To demonstrate the effectiveness of using this reference architecture to perform attack surface analysis, we instantiate it with two different case studies. Using the interactions between components in the reference architecture and the goals identified from a threat modelling, attack surfaces are derived. Performing the threat modelling to identify attacker goals, motivations, capabilities and resources is out of the scope of this paper, as the attack surface defines how these goals can be reached but does not aim to specify what these goals are. There are many threat modelling approaches [6,15,16,17,18] that can be used as input to the reference architecture. In the first example of valet parking, the attacks against a vehicle parking itself in an autonomous vehicle park are investigated. In the second example, a real world attack against Tesla vehicles is used to highlight the need to consider the Edge infrastructure in the security of CAVs.
We make the following contributions in this paper:
A reference architecture made up of 4 sub-architectures: CAVs, Devices & Peripherals, the Edge and the Cloud, formed of a hybrid Functional and Communication viewpoint.
A methodology to use the reference architecture to synthesise the attack surface in the form of attack trees.
Two case studies to demonstrate the application of attack surface and attack tree analysis in deepening the security knowledge of the system.
The remainder of this article is organised as follows. In Section 2 we present relevant related work, including an examination of existing vehicular reference architectures. Section 3 describes our proposed reference architecture, its components and relevant attack surfaces, and Section 4 describes the methodology for using the attack surface, including using attack trees as a method to perform the analysis. In Section 5 two case studies of example applications are presented as instantiations of our reference architecture. The impact of the reference architecture is discussed in Section 6 and future work is presented in Section 7, before the paper concludes with Section 8.
2. Related Work
There has been much work conducted on analysing the threats that an autonomous vehicle will face [7,11,21,22,23]. The issue with existing work on threat analysis is that it does not consider a comprehensive range of components (i.e., CAV, devices, Edge, Cloud) that form the potential CAV operational contexts. This means that threats which use a combination of attacks against different components in specific orders can be missed. Reference architectures have been developed to aid in the design of products and services for autonomous vehicles but have seldom been used to provide a wider view of composite threats. Those reference architectures that do exist can suffer from being too general, or are insufficiently detailed, for attack surface analysis. When too broad, they require specifying less pertinent details as part of the model, which detracts from performing an attack surface analysis. When insufficiently detailed, there are threats that cannot be analysed using the reference architecture. The remainder of this section presents related work on reference architectures used to model autonomous vehicle systems.
2.1. Reference Architectures
In order to better analyse how a system is structured, reference architectures are used as an abstract way of specifying a system. A reference architecture is an approach to model a system and provide a uniform and standardised way to describe that system. This common model should be created such that it is able to describe a broad range of scenarios in which the system can be used. Reference architectures allow the modularisation of a system into components, and the interfaces between these components, to be defined. These features can be used to support system development in a scalable way (e.g., by multiple organisations [24]) and also facilitate testing of the system.
This paper develops a reference architecture specifically to support attack surface identification and analysis in CAVs. We will present the reference architecture in the next section, but first provide an overview of existing reference architectures. This related work guides our own development and assists us in identifying the shortcomings of existing architectures that are discussed in the next section.
A common feature of reference architectures is to decompose the system they are modelling into multiple viewpoints and then specify those viewpoints in detail. There are several different viewpoints that reference architectures can present, including:
Functional: how the components work and what their tasks are
Communication: how the components interact
Implementation: how the components are implemented
Enterprise: the relations between organisations and users
Usage: concerns of the expected usage of the system
Information: the types of information handled by the system [25]
Physical: the physical objects in the system and their connections.
Of these viewpoints, the Functional, Communication and Implementation tend to be the most common, as they cover what the system is and how the system interacts with itself and other systems. When developing a reference architecture, it is important to develop only the viewpoints required to describe the system, to prevent a user of the reference architecture needing to provide additional unnecessary information.
2.1.1. Non-CAV Reference Architectures
Before examining the existing CAV reference architectures it is useful to examine reference architectures from other fields. In doing so they raise interesting findings about ways in which CAV reference architectures can be improved.
A common architectural framework for the development of interoperable industrial internet systems was presented in Reference [26]. The Industrial Internet Reference Architecture (IIRA) is divided into four viewpoints: Business, Usage, Functional and Implementation. The last two viewpoints are of utmost importance in the identification of a system’s threats and vulnerabilities, as they are concerned with a system’s functional requirements, interdependencies and technology implementations. The IIRA also explains a system’s business objectives and expected usage, both of which go beyond the scope of a reference architecture for attack surface analysis.
A Smart Grid Reference Architecture was developed in Reference [27] which utilises Business, Functional, Information and Communication viewpoints. Explicit considerations of information security are included (i.e., confidentiality, privilege escalation), although the methodology of how to perform a security analysis of the systems is not described. The systems described are complex and include many application details, including the scenario a component is operating in and what actions the parent is involved with. From a security analysis perspective the reference architecture could be simplified (e.g., by removing business cases) to reduce the scope in which cyber security needs to be considered. This means that although the reference architecture states that it is useful for a cyber security analysis, because it describes aspects of a Smart Grid that do not have cyber security considerations, performing a cyber security analysis is difficult. The conclusion from this is that reference architectures for cyber security analysis should focus on the aspects of the system for which cyber security is relevant.
2.1.2. CAV and ITS Reference Architectures
A functional reference architecture for autonomous driving was introduced in Reference [28], which provided a foundation for considering the functionality of an autonomous vehicle independent of its implementation. There are close relations between functional safety and security evaluation in the automotive domain. The functional safety analysis relies on information taken from hazard identification, which can be affected by security aspects such as the communication between the components or access to assets. On the other hand, the countermeasures implemented to address functional safety can determine the security level of the system. As a result, there are certain attempts to integrate security into (functional) safety analysis in CAVs, such as SAE J3061 [6]. However, there is insufficient detail on CAV interactions to support using this model for an attack surface analysis. This is because the approach focuses on the vehicle only and does not consider interactions with RSUs, other vehicles, the Internet and other devices.
In Reference [7] a security-focused risk assessment was performed for autonomous driving (AD). To achieve this the authors defined a reference architecture by synthesising from multiple academic and industrial AD resources to model generic AD use cases. The model was instantiated for different selected applications of interest and a risk assessment of the identified threats was performed. The authors note that their work does not attempt to perform an exhaustive specification of threats but to provide ways to specify the system to assist in deriving the threats. The reference architecture and the analysis of it performed in their work is similar to this paper; however, we argue that certain details are missing from their model which prevent a sufficiently in-depth analysis of the attack surface.
A reference architecture for ITS infrastructure that focuses on functional and organisational aspects of the system was presented in Reference [29]. While the paper does not discuss security considerations of an ITS system, the organisational aspects highlight certain areas of contact which are of interest from a security perspective. One issue that was highlighted was that heterogeneous systems had trouble interacting due to different implementations by different suppliers. An adaptor was required to allow these systems to interact, which would be a component of the attack surface. The reference architecture raises the importance of service collaboration; for example, parking and guidance services will need to cooperate to ensure a car is not directed to a full car park. The interactions between these services will also form part of the attack surface.
A detailed and comprehensive reference architecture for cooperative and intelligent transport was developed in Reference [8]. There are three components to this architecture: (i) Architecture Reference for Cooperative and Intelligent Transportation (ARC-IT), (ii) Regional Architecture Development for Intelligent Transportation (RAD-IT) and (iii) Systems Engineering Tool for Intelligent Transportation (SET-IT). RAD-IT focuses on tools for regional ITS architectures and SET-IT focuses on assisting in developing “architectures for pilots, test beds and early deployments”. The key component is ARC-IT as it is used to specify a Functional viewpoint [30] and a Communication viewpoint [31]. The architecture is designed to be comprehensive, which is a benefit as the architecture can be used to specify interactions in detail. However, the additional detail adds complexity that makes the tool harder to use. There is a need for a simpler model that can be easily analysed.
The CARMA project [32], which aims to examine the distribution of autonomous control functions throughout an ITS, defines a three tiered architecture in terms of the CARMA CORE, CARMA EDGE and VEHICLE. The CARMA CORE layer acts in a supervisory role over the distributed vehicle control functions (such as mission planning of an end-to-end vehicle trip). The majority of mid-level controls, such as improving the calculation of reference signals for vehicle control, are implemented in the CARMA EDGE. However, some of these mid-level controls are implemented in the VEHICLE layer. The CARMA system presents a model of a complex autonomous system that introduces a number of security concerns and challenges [33]. A reference architecture might be used to achieve an understanding of the attack surface, thereby allowing a more holistic threat assessment.
ITS reference architectures have also been developed for other regions, such as Holland [34], the USA [35] and Europe [36]. However, these architectures suffer from the same issues that ARC-IT does, in that they are intended to be very general and cover a wide range of considerations of intelligent transport systems. This lack of focus reduces their usability for undertaking an attack surface analysis.
2.2. Requirements for Attack Surface Analysis
The existing reference architectures for CAVs variously consider analysis (of attacks and of risk), viewpoints or features (autonomous vehicles, devices, edge and cloud). The reason that these architectures have different characteristics is that they serve different purposes. When modelling an attack surface, not all of these characteristics are required; indeed some are undesirable as they may be too detailed and complex and, as such, are not effective for the easy identification of the surface and associated threats. To be most effective, a reference architecture needs to have the essential properties and no more. For example, Reference [8] considers the widest range of viewpoints but this can hamper the security analysis. One example of this is that the information flow of a system is described in the Physical viewpoint using entities from the Enterprise viewpoint. These information flows are also described in the Communications viewpoint. This repetition is helpful for system design within a single viewpoint but not for security analysis across multiple viewpoints; a more focused reference architecture can simplify the process of performing a cyber security attack surface analysis.
The minimal viewpoints required for a cyber security attack surface analysis are Functional and Communications, as there is a requirement to know what a system does and how it interacts. This allows determining what actions an adversary can perform and how an adversary’s interaction with the system can produce an attack. Other viewpoints are necessary for other systems; for example, the Physical viewpoint is required to investigate cyber-physical attacks. Other viewpoints, such as the Implementation viewpoint, are important to analyse attacks against specific systems. But to perform a more general attack surface analysis, the Functional viewpoint is sufficient. Other viewpoints (e.g., Enterprise and Usage) are useful in considering other types of security such as security management. Therefore, the Functional and Communication viewpoints can be focused on when performing a cyber security attack surface analysis.
A comparison of the existing and proposed reference architectures is provided in Table 2. Features that a reference architecture includes are indicated with a ✓ and features that are not included are indicated with a ✗. The following features are shown: (i) the purpose of the reference architecture (Analysis), (ii) the viewpoints used (Viewpoints) and (iii) the scopes the reference architectures consider (Considers). Our work partially considers the Implementation viewpoint, as it can be implemented as a virtual component, and is thus marked with a ~. Some of the existing reference architectures fail to focus upon the wide range of interactions that a CAV could be involved with. Most reference architectures contain Edge devices such as RSUs but do not consider the wider range of interactions between CAVs, Devices & Peripherals, the Edge and the Cloud. Without considering all of these interactions, it will be impossible to analyse many current and emerging attacks, so a new reference architecture needs to specify these interactions.
2.3. Summary
There are many risks that have been identified for CAVs and there have been several reference architectures developed to understand the attack surface of CAVs. However, the reference architectures tend to either be too broad and consider aspects of an ITS that do not need to be specified when considering the attack surface of CAVs, or lack sufficient detail to analyse certain types of threats. In the next section we will present a reference architecture formed of a hybrid functional-communication viewpoint to address the lack of reference architectures that balance ease of use with being sufficiently detailed.
3. A CAV Reference Architecture: Components and Related Attack Surfaces
The reference architecture presented in this work uses the Functional and Communications viewpoints combined into a single hybrid viewpoint. These represent the minimal two viewpoints needed, as a threat agent would need to know what the CAV does and how the CAV can be interacted with in order to attack it. However, the Implementation is also an important viewpoint (as will be shown in Section 5), because a threat actor can take advantage of vulnerabilities in the implementation of a component. To resolve this in our reference architecture, the implementation can be considered as part of a functional component or as a virtual functional component that exists and interacts with other components. Significant virtual items that might exist include the Operating System and the hardware that the software is executing on (e.g., Electronic Control Units (ECUs)). The users of the system are considered when determining the scenarios of interest in which the reference architecture will be instantiated with concrete components. Finally, how users and organisations interact may lead to security issues (e.g., resetting a password) but as these threats do not specifically relate to CAVs they are out of the scope of this paper.
The four sub-architectures that are presented were designed by identifying key components within CAVs and the ways in which they interact. The sub-architectures for CAVs and Devices & Peripherals are presented in Figure 1. The two sub-architectures for the Edge and the Cloud are shown in Figure 2 and Figure 3 respectively. These architectures are composed of various abstract components which need to be instantiated with concrete realisations to undertake an analysis of the architecture. For example, the Devices component could be instantiated with GPS, LIDAR, tire pressure and temperature sensors. These components must be instantiated with the concrete implementations that are required for a specific application. When analysing different applications, the reference architecture will be instantiated with a different set of components.
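The instantiation step described above, followed by the derivation of attack surfaces and attack trees from the component interactions, as an added example that is not the paper's own tooling. The abstract components and interactions are a constructed subset of what the sub-architectures describe, the concrete realisations follow the Devices example in the text, and the directed "source -> target" edges, the entry-point model and the OR-only tree shape are assumptions made for the illustration.

```python
"""Instantiate an abstract hybrid Functional-Communication model with concrete
components, then derive (a) the attack surface reachable from an adversary's
entry points and (b) an attack tree of paths to a goal component.
Added example; all names below are constructed for the illustration."""
from collections import defaultdict

# Abstract interactions: each edge is "source component feeds target component".
ABSTRACT_INTERACTIONS = [
    ("Communications", "Data Analysis"),
    ("Devices", "Data Analysis"),
    ("Physical I/O", "Internal Communications"),
    ("Internal Communications", "Data Analysis"),
    ("Internal Communications", "Data Storage"),
    ("Data Analysis", "Action Engine"),
    ("Data Storage", "Data Analysis"),
]

# Concrete realisations for one application (constructed valet-parking set).
VALET_INSTANTIATION = {
    "Devices": ["GPS", "LIDAR", "tire pressure sensor"],
    "Communications": ["V2X (802.11p)", "cellular (4G)"],
    "Physical I/O": ["USB", "OBD-II"],
}


def instantiate(abstract, realisations):
    """Replace each abstract component by its concrete realisations, keeping
    every interaction; components without a realisation remain abstract."""
    def expand(component):
        return realisations.get(component, [component])
    return [(s, t) for (a, b) in abstract for s in expand(a) for t in expand(b)]


def attack_surface(interactions, entry_points):
    """Interactions an adversary controlling `entry_points` can influence,
    found by following the direction of data flow (breadth-first)."""
    out = defaultdict(list)
    for s, t in interactions:
        out[s].append(t)
    reached, frontier, surface = set(entry_points), list(entry_points), []
    while frontier:
        s = frontier.pop(0)
        for t in out[s]:
            surface.append((s, t))
            if t not in reached:
                reached.add(t)
                frontier.append(t)
    return surface


def attack_tree(interactions, goal, entry_points):
    """OR-tree of simple paths from any entry point to `goal`; each path lists
    the components an attacker would have to traverse in order."""
    inc = defaultdict(list)
    for s, t in interactions:
        inc[t].append(s)

    def paths(node, seen):
        if node in entry_points:
            return [[node]]
        result = []
        for parent in inc[node]:
            if parent not in seen:
                for path in paths(parent, seen | {parent}):
                    result.append(path + [node])
        return result

    return {"goal": goal, "OR": paths(goal, {goal})}


if __name__ == "__main__":
    concrete = instantiate(ABSTRACT_INTERACTIONS, VALET_INSTANTIATION)
    for edge in attack_surface(concrete, ["GPS"]):
        print("surface:", " -> ".join(edge))
    for path in attack_tree(concrete, "Action Engine", {"USB"})["OR"]:
        print("tree path:", " -> ".join(path))
```

Changing the instantiation dictionary models a different application without touching the abstract architecture, which is the point the text makes about re-instantiating the same reference architecture per use case; the tree output is the raw material for the attack-tree methodology of Section 4, not a replacement for it.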
3.1. CAV Reference Architecture
The first of the three reference sub-architectures is shown in Figure 1 and it specifies the abstract components of CAVs and the devices & peripherals that interact with the CAV. Some components are not included in the diagram as they are implementation details; for example, how the components communicate (internal communications, usually via the Controller Area Network (CAN)), how the components are implemented (usually as an ECU) or which operating system is used. These components are important to consider when analysing attacks but they do not form the high level functionality of the system. For example, the telematics control unit studied in Reference [22] contains multiple functional components in a single physical component. The remainder of this section describes the components present in the architecture.
3.1.1. Communications
Cars are now, or are expected to be, equipped with multiple antennas in order to communicate across distinct wireless protocols. This includes antennas for (i) receiving audio over AM, FM or DAB radio, (ii) receiving and transmitting IEEE 802.11 WiFi, (iii) bidirectional V2X communication over IEEE 802.11p and (iv) bidirectional cellular communication (such as 4G). It may also be the case that Internet of Things (IoT) technologies such as IEEE 802.15.4 or ZigBee are included to enable interoperability with IoT networks. Many of the systems in the CAV will interact with the communications owing to the need to coordinate with nearby vehicles or to provide services to the vehicle’s users. As communications are the primary way in which vehicles will exchange information, they will be the avenue through which most attacks are launched. These attacks may try to compromise or interfere with the way in which packets are communicated, or compromise the hardware through which the packets are forwarded.
Example Attacks:
• DoS V2X communications [37]
• Eavesdrop
• Replay
• MiTM Intercept
• Improper handling of malicious packets (e.g., DROP [38]) leading to RCE
• Context information leakage (e.g., location, identity [39])
• Sybil Attacks [40]
• Colluding to defeat consensus protocols [41]
• Waffle (Relay) Attack [42]
3.1.2. Physical Inputs and Outputs
Physical inputs and outputs that are contained within a vehicle include ports such as USB, OBD-II, audio connections and others. Exploiting these ports is typically harder for an attacker as they would usually require physical access to the vehicle; however, due to the presence of additional devices that connect to these ports, there are means by which attacks can be performed via a remote channel.
With the presence of a USB port (depending on the protocol with which the hardware interprets the data), there is the possibility for an adversary to gain access to the vehicle’s internal network [43]. Malicious USB sticks could be given out to users loaded with free music or videos, with the intention of their being plugged into the vehicle. Once plugged in, malware could check for access to the vehicle’s internal CAN bus. A different approach is to fool users into connecting a device that resembles a USB stick but can repeatedly deliver a high voltage discharge that would destroy a vehicle’s interior radio [44].
Example Attacks:
• Cause electrical damage [44]
• Install malicious software (e.g., by firmware updates on CDs or USB sticks) [11]
3.1.3. Internal Communications (Virtual)
As well as a communication system that allows a CAV to communicate with external devices (such as RSUs or 3rd party vehicles), vehicles also have an internal communication system such as a CAN bus. This is used to connect the multiple components that form an implementation of the functionalities specified in the design. This communication network is not explicitly specified as a component, as its existence is implicit in the components interacting. Vehicles may also use a different internal network (such as Ethernet) in the future and, by under-specifying this implementation detail, the reference architecture is more generic.
Example Attacks:
• Send crafted packets [11,43,45,46]
• What [45]
• Eavesdrop [45]
Attacking the internal communications network may be performed by a direct connection to it, for example, via an OBD-II port. Alternatively, an attacker can gain access to this internal network via vulnerabilities in the components that connect to it. Once these components are compromised an attacker will be able to eavesdrop on messages sent [45] or to inject malicious messages [43,45,46]. With access to the internal network of a vehicle many functional aspects of the vehicle can be controlled, including: the radio, instrument panel, the vehicle’s body, engine, brakes, HVAC and others [21]. A solution to these issues is to use encryption and authentication of messages [47]; however, vehicles currently on the road act as if the CAN bus is a walled garden and do not attempt to encrypt or authenticate messages sent on the bus.
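The message authentication countermeasure just mentioned, as an added example that is not code from the paper or from Reference [47]. It attaches a truncated HMAC and a monotonic freshness counter to each frame so that a receiving ECU can refuse both injected frames (bad tag) and replayed frames (stale counter). The key, identifiers and payloads are constructed; carrying the counter as a separate field next to the 8 data bytes is an assumption for readability (a real deployment would embed it in the payload or synchronise it implicitly), as is the 4-byte tag length.

```python
"""Authenticated CAN frames: truncated HMAC-SHA256 plus per-identifier
freshness counter.  Added example; key and frames are constructed."""
import hashlib
import hmac
import struct

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key
MAC_LEN = 4   # tag bytes that fit beside a 4-byte payload in an 8-byte frame


def mac(key, can_id, counter, payload):
    """Tag over identifier, counter and payload, so none can be altered
    without invalidating the tag."""
    msg = struct.pack(">HI", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def frame(self, can_id, payload):
        """Return (id, counter, data) with data = payload || tag."""
        assert len(payload) == 4, "4-byte payload leaves room for the tag"
        self.counter += 1          # strictly increasing: replay defence
        tag = mac(self.key, can_id, self.counter, payload)
        return (can_id, self.counter, payload + tag)


class Receiver:
    def __init__(self, key):
        self.key, self.last = key, {}   # highest counter seen per identifier

    def accept(self, frame):
        can_id, counter, data = frame
        payload, tag = data[:4], data[4:]
        expected = mac(self.key, can_id, counter, payload)
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "reject: bad MAC"
        if counter <= self.last.get(can_id, 0):
            return "reject: replay"
        self.last[can_id] = counter
        return "accept"


def demo():
    """Genuine frame, the same frame replayed, a forged payload reusing the
    old tag, then the next genuine frame.  Returns the receiver's verdicts."""
    s, r = Sender(KEY), Receiver(KEY)
    genuine = s.frame(0x244, b"\x00\x00\x00\x32")      # constructed speed-like value
    verdicts = [r.accept(genuine), r.accept(genuine)]  # second copy is a replay
    forged = (genuine[0], genuine[1] + 1, b"\x00\x00\x00\xff" + genuine[2][4:])
    verdicts.append(r.accept(forged))                   # altered payload, stale tag
    verdicts.append(r.accept(s.frame(0x244, b"\x00\x00\x00\x33")))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The tag is checked before the counter so that an attacker cannot use the replay check to learn which counter values the receiver has seen; the receiver state is per identifier, matching how CAN traffic is addressed. Truncating the tag to fit the frame is the usual engineering compromise on classic CAN and is the reason CAN FD's longer payload is attractive for this purpose.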
3.1.4. Sensors (Internal and External)
Sensors are a key component of CAV systems. The vehicles will rely on their input to build a model of the world. Example sensors include: (i) Global Navigation Satellite System (GNSS) to be aware of a vehicle’s position, (ii) wheel rotation sensors to be aware of velocity, (iii) LIDAR to be aware of the relative position of other vehicles, (iv) parking cameras to assist drivers, and a variety of other sensors such as temperature, humidity and light. Sensors could also passively observe data about the occupants of the vehicle. The sensors are the way for the vehicle to obtain the state of the environment around it; if that data can be maliciously manipulated, then the vehicle could make incorrect decisions based on the manipulated data. Alternatively, an adversary may attempt to prevent the vehicle from being able to use certain sensors, such as by jamming GNSS signals or producing too much LIDAR interference for the data to be useful [10]. Another approach may be for an adversary to place additional sensors on the vehicle exterior or to subject the vehicle to physical manipulation.
In certain systems, the vehicle’s sensors may wirelessly communicate their data to the vehicle (such as when monitoring tire pressure [48]). Most sensors are expected to be hardwired to the system due to high reliability requirements. Wireless sensors pose a greater security threat as there is a larger attack surface for an adversary to take advantage of. For example, the Tire Pressure Monitoring System (TPMS) leaks identity information about the vehicle by including unencrypted identifiers in the packets it sends. Due to the lack of authentication and validation, the system is also weak to spoofing and replay attacks, where the vehicle could easily be fooled into believing a tire is flat even if it is not.
Example Attacks:
• Induce misleading readings (Spoof, Replay, Delay) [10]
• Blind, Jam [10]
• Tamper (Disable, Replace)
3.1.5. Data Storage
Vehicles will need to store information, including (i) the firmware and software used to run the car, (ii) maps and navigation information, (iii) music and videos for the entertainment system, and other information necessary for different use cases. This data will not be stored in a central location on the vehicle but in multiple locations. Data storage should also be separated based on the purpose of the data. For example, music and video should not be stored in the same location as the vehicle’s software, but implementation details may mean that this is not the case. Not all data will be stored locally; some will be present in the Cloud and only requested as required. Other data may be stored in the Edge or even in other vehicles on the road.
Example Attacks:
• Violate Integrity (manipulate data)
• Violate Confidentiality (extract data)
• Violate Availability (delete data)
• Violate Non-repudiation (delete logs)
• Remote firmware update [22]
3.1.6. Data Analysis
To make sense of the data obtained from external sources (such as the sensors) and the data stored locally in the vehicle, some form of analysis will need to be performed on it. This analysis may use simple conditions to trigger actuators (e.g., if the temperature rises above a threshold, then turn on the air conditioning) but more complicated techniques, such as machine learning models, will also be used. Such machine learning models will be prevalent in CAVs due to the need for autonomy.
Example Attacks:
• Induce bad analysis (e.g., adversarial ML [49])
• Obtain analysis
• Malicious input to put analysis into an infinite loop (DoS)
Localisation
One of the key pieces of knowledge for an autonomous vehicle is its localisation. Information such as that from GNSS can be used to provide a fairly accurate location [50] as long as the vehicle is in an open area with few buildings blocking satellite signals. Other approaches such as dead reckoning are used to calculate the vehicle’s current position based on a previously known position, the vehicle’s speed, heading and the time travelled.
Object Identification
As part of autonomous driving it will be necessary for the CAV to be able to identify objects. These objects will include people, obstacles, road signs and many other objects. Machine learning based methods will be used to perform visual identification. However, using machine learning can open the vehicle up to being attacked in new ways. One example is adversarial machine learning, where input manipulation can lead to unexpected results. For example, in Reference [51] 3D printed objects were handcrafted to be misclassified by an object detection model. In one case a turtle was detected as a gun; such a detection could lead to unexpected behaviour in the vehicle. Other issues might include the vehicle failing to recognise another vehicle, such as when a Tesla was involved in a fatal accident as it attempted to drive under a truck [52]. An adversary manipulating the data provided to sensors may influence the actions vehicles take.
Sensor Fusion
To improve accuracy, the data available from multiple sensors is usually fused, for example via a Kalman Filter [53]. By doing so the quality of the fused data should be higher than that of the individual sensor readings. However, if manipulated sensor data is used then the fusion process could produce less accurate or even incorrect results [54]. In Reference [55] spoofed sensor data was used to take control of a UAV, with the method potentially extendable to other autonomous vehicles. Therefore, the sensor fusion method needs to be aware of how to handle data provided by an attacker, so that it does not lead to incorrect actuation.
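The following Python simulation is an added example, not code from the paper or from any of the cited works. It shows the failure mode described above on a constructed 1-D scenario: a vehicle travelling at a constant speed fuses GNSS position fixes with a constant-velocity motion model in a Kalman filter, and an attacker shifts a single fix by 50 m. The un-gated filter absorbs the spoofed fix into both its position and velocity estimates, while a filter that gates on the normalised innovation squared (NIS) rejects it and falls back to the dead-reckoned prediction. The speed, noise levels and gate threshold of 9 (roughly 3 sigma for one degree of freedom) are assumptions chosen for illustration.

```python
"""Innovation gating in a 1-D Kalman filter (constructed example)."""

DT = 1.0              # update interval, seconds
TRUE_SPEED = 10.0     # vehicle speed, m/s (assumed)
MEAS_SIGMA = 2.0      # GNSS position noise std dev, metres (assumed)
PROCESS_SIGMA = 0.5   # acceleration noise std dev, m/s^2 (assumed)
GATE_THRESHOLD = 9.0  # reject a fix whose normalised innovation squared > 9


def make_fixes(n, spoof_step, spoof_offset):
    """Constructed GNSS fixes: the true track plus one spoofed fix."""
    fixes = []
    for k in range(n):
        z = TRUE_SPEED * DT * k
        if k == spoof_step:
            z += spoof_offset   # attacker shifts a single fix
        fixes.append(z)
    return fixes


class Kalman1D:
    """State x = [position, velocity]; P is its 2x2 covariance."""

    def __init__(self, pos, vel, use_gate):
        self.x = [pos, vel]
        self.P = [[MEAS_SIGMA ** 2, 0.0], [0.0, 1.0]]
        self.use_gate = use_gate
        self.rejected = []  # steps whose fix was rejected by the gate

    def predict(self):
        # Constant-velocity motion model: F = [[1, DT], [0, 1]].
        p, v = self.x
        self.x = [p + v * DT, v]
        P = self.P
        q = PROCESS_SIGMA ** 2
        Q = [[q * DT ** 4 / 4, q * DT ** 3 / 2],
             [q * DT ** 3 / 2, q * DT ** 2]]
        FP = [[P[0][0] + DT * P[1][0], P[0][1] + DT * P[1][1]],
              [P[1][0], P[1][1]]]
        # P = F P F^T + Q
        self.P = [[FP[0][0] + DT * FP[0][1] + Q[0][0], FP[0][1] + Q[0][1]],
                  [FP[1][0] + DT * FP[1][1] + Q[1][0], FP[1][1] + Q[1][1]]]

    def update(self, z, step):
        # Observation model H = [1, 0]: only position is measured.
        y = z - self.x[0]                    # innovation
        S = self.P[0][0] + MEAS_SIGMA ** 2   # innovation covariance
        nis = y * y / S                      # normalised innovation squared
        if self.use_gate and nis > GATE_THRESHOLD:
            self.rejected.append(step)       # keep the dead-reckoned prediction
            return
        K = [self.P[0][0] / S, self.P[1][0] / S]   # Kalman gain
        self.x = [self.x[0] + K[0] * y, self.x[1] + K[1] * y]
        P = self.P
        # P = (I - K H) P
        self.P = [[(1 - K[0]) * P[0][0], (1 - K[0]) * P[0][1]],
                  [P[1][0] - K[1] * P[0][0], P[1][1] - K[1] * P[0][1]]]


def run(use_gate, n=20, spoof_step=10, spoof_offset=50.0):
    """Return (absolute position error per step, steps rejected by the gate)."""
    kf = Kalman1D(pos=0.0, vel=TRUE_SPEED, use_gate=use_gate)
    errors = []
    for step, z in enumerate(make_fixes(n, spoof_step, spoof_offset)):
        if step > 0:
            kf.predict()
        kf.update(z, step)
        errors.append(abs(kf.x[0] - TRUE_SPEED * DT * step))
    return errors, kf.rejected


if __name__ == "__main__":
    for gate in (False, True):
        errs, rejected = run(use_gate=gate)
        print("gate" if gate else "no gate",
              "error at spoof step = %.1f m" % errs[10],
              "rejected steps =", rejected)
```

The gate only catches a fix that is implausible relative to the filter's own uncertainty; an attacker who drifts the fixes slowly, keeping each step inside the gate, is not detected by this check, which is why a second independent source (e.g., odometry) is still needed for the fusion to be robust.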
Actions Engine
Once an autonomous vehicle has determined both its location and the road objects around it, it may call on the Action Engine sub-module to decide what it must do next. Possible actions to be picked include interactions with other connected vehicles on the road and both short and long term driving decisions. RSUs or the Cloud, on the other hand, make use of the Action Engine to ensure that the vehicle's route or planning decisions are correct and safe, and to ensure that the various vehicles on the road at the same time are coordinated and managed to move people and packages to their destinations in the most efficient way.
3.1.7. Energy System
The energy system both supplies energy (in the form of electricity) to the systems within a CAV and is also responsible for being supplied with energy. Energy can be returned to the batteries through the use of regenerative braking, solar panels, charging cables and other sources. The energy system is also tasked with maintaining the vehicle's batteries to ensure power is safely drawn from them. If the energy system is compromised then unsafe use of electricity might follow, which could lead to damage to the vehicle.
Example Attacks |
• Overcharge battery to damage it |
• Drain power |
3.1.8. Actuation
This module contains any hardware that could perform an action with an impact on the physical world. This may include applying the brakes, changing the wheel rotation speed, changing the steering angle, operating the air conditioning, lowering or raising windows, locking and unlocking car doors and others. If an adversary is not attempting to gain information about the vehicle or passengers, then actuating equipment is likely to be the key target. For example, an attacker may attempt to compromise a large number of vehicles in order to provide Theft as a Service (TaaS) [56]. Rather than stealing cars, the thief will install malware on as many vehicles as possible. Then, when there is demand for a particular car, the malware can grant the thief access to the vehicle. The adversary who installed the malware may not even need to activate the malware themselves, as they could provide a crafted key to the intended buyer.
3.1.9. Monitoring and Logging
Monitoring and logging are important aspects for CAVs in a number of scenarios, including: verifying that vehicles are functioning correctly, analysing past decisions made, and managing maintenance schedules. For example, if a CAV is in a collision the vehicle will need the ability to explain why it made the decisions it did before the collision. If an adversary is capable of accessing the diagnostics unit then they may rewrite the decision-making history, preventing sound auditing.
Example Attacks |
• No longer legally valid |
• Extract data |
3.1.10. Infotainment
The infotainment system is used to manage the entertainment system within a vehicle (such as audio/video systems) and other software (such as maps and navigation, phone and car status). Infotainment systems are also likely to contain a web browser to facilitate access to the internet for both entertainment and information. An issue with navigation systems is that they may process data from untrusted sources. If this data is maliciously crafted to take advantage of vulnerabilities in the system, then an attacker may be able to remotely execute arbitrary code.
Example Attacks |
• Arbitrary code execution (via browser) [45] |
• Arbitrary code execution (via hand-crafted audio/video files) |
3.1.11. Human-Machine Interface
A Human-Machine Interface (HMI) is any device or software which allows a person to actively interact with a machine. A passive observation of the occupants would be performed by the Sensors component. In vehicles the HMI includes critical systems such as the steering wheel, accelerator pedal, brake pedal and gear selector. Less critical systems include the controls on the dashboard and door mechanisms. An attacker may attempt to block the signals from an HMI to prevent the vehicle from doing what was requested. Alternatively, the attacker might use the HMI to report statuses that are incorrect in order to trick the driver or passengers into performing certain actions. For example, the adversary may turn on engine fault warnings (when there is no problem) to cause the driver to stop the car. The attacker could then use this opportunity to steal the vehicle or perform other attacks, such as attaching a tracking device.
Note that the HMI does not communicate directly with the actuators. There will need to be some data analysis performed that potentially adjusts the action executed. For example, an anti-lock braking system would not always actuate the brakes in exactly the way the driver requests.
Example Attacks |
• Spoofing vehicle status |
• Intercept signals |
3.2. Devices and Peripherals Reference Architecture
Vehicles may have a number of peripherals that interact with them. Some examples of the kinds of devices and peripherals that may be present and in use are: (i) Car Keys, (ii) Smartphones, (iii) MP3 players, (iv) Bluetooth devices, (v) 3rd Party Navigation Systems, (vi) Dashcams, (vii) Portable games consoles and others. These devices could either interact with the vehicle or simply be present within it. Some of these interactions may be relatively simple, such as accessing the vehicle's WiFi in order to connect to the internet via a cellular connection. Others may involve accessing the vehicle's storage, actuating the infotainment system or controlling other aspects of the vehicle. These peripherals are additional vectors that attackers can take advantage of to attack the system. This can be by loading the device with malware to gain control [57] or by interacting with the context of the inter-device communication [58].
It is also the case that some of these interactions can be unintended. For example, a passenger leaving their phone in an autonomous vehicle may leak the journey history of the vehicle if it is running a phone tracking service. This sort of leak could also be triggered by an attacker intentionally attaching such a device to the vehicle.
3.2.1. Applications
One of the key features of certain devices (such as smartphones) is the ability to run applications on them. Some vehicle manufacturers (such as in Reference [59]) are building mobile apps that obtain information from the car or allow the app to control certain features (such as the infotainment system). If the phone is compromised then malware may be able to affect the vehicle's systems via the app. The attacker may be able to leak data about the vehicle, gain an internal vector into the vehicle's systems or use the phone's connection to the cloud to attack the vehicle.
Example Attacks |
• Location tracking using sensor data (e.g., magnetometer [60]) |
• Data harvesting |
• Become internal attack vector for remote adversary |
• Malicious smartphone app interfering with CAN traffic [57] |
3.2.2. Sensors
The devices within a vehicle may have their own sensors that reveal information about the state of the environment inside the vehicle or about the vehicle itself. An adversary may wish to take advantage of these sensors to gain knowledge about the vehicle, which may be useful in increasing the severity of other attacks.
Example Attacks |
• Blind, Jam |
• Induce misleading readings (Spoof, Replay, Delay) |
3.2.3. Wireless Communications
The devices present in a vehicle are expected to communicate wirelessly. This may be over the cellular network, directly with the vehicle or possibly via other devices in the vehicle. One example is that vehicle privacy may be leaked due to the presence of devices in the vehicle. For example, WiFi devices will sometimes broadcast their MAC address when looking for a device to connect to [61]. Bluetooth devices will also beacon their MAC address in order to find devices to connect to [58]. Both reveal identifying information that could be used to track people in vehicles.
Example Attacks |
• Relay attack (Car Key Signal [42]) |
• Replay attack (e.g., unlock car using recorded signal) |
• Wireless protocols leak identifying information about the owner [61] |
• Facilitates tracking of people and vehicles [58] |
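The difference between the two car key attacks listed above is easy to lose in prose, so the following Python is added here as a worked example (it is not code from the paper and does not model any particular manufacturer's key). The car issues a random 16-byte nonce and the key answers with an HMAC over it using a shared secret. A recorded response cannot be replayed because the next challenge uses a fresh nonce, but a relay that simply forwards the live challenge to the distant key and the answer back still unlocks the car. The only thing the relay cannot hide is the added latency, which is what a distance-bounding check exploits; the round-trip figures and the 500 microsecond limit are assumed values for illustration.

```python
"""Replay vs. relay against a challenge-response car key (constructed example)."""
import hashlib
import hmac
import secrets

LEGIT_RTT_US = 200       # key next to the car: assumed round trip, microseconds
RELAY_LATENCY_US = 1500  # extra delay introduced by the attacker's relay (assumed)
MAX_RTT_US = 500         # distance-bounding limit enforced by the car (assumed)


class CarKey:
    """The legitimate key: answers a challenge with an HMAC over the nonce."""

    def __init__(self, shared_key):
        self._k = shared_key

    def respond(self, nonce):
        return hmac.new(self._k, nonce, hashlib.sha256).digest()


class Car:
    """The car: issues a fresh random nonce for every unlock attempt."""

    def __init__(self, shared_key, max_rtt_us=None):
        self._k = shared_key
        self.max_rtt_us = max_rtt_us   # None = no distance bounding
        self._nonce = None

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify(self, response, rtt_us):
        if self._nonce is None:
            return False
        expected = hmac.new(self._k, self._nonce, hashlib.sha256).digest()
        self._nonce = None   # single use: a nonce is never accepted twice
        if not hmac.compare_digest(expected, response):
            return False
        return self.max_rtt_us is None or rtt_us <= self.max_rtt_us


def legitimate_unlock(car, key):
    nonce = car.challenge()
    return car.verify(key.respond(nonce), LEGIT_RTT_US)


def replay_attack(car, key):
    """Record one genuine exchange, then replay the response later."""
    captured = key.respond(car.challenge())
    car.verify(captured, LEGIT_RTT_US)   # the owner's own unlock succeeds
    car.challenge()                       # attacker triggers a new challenge
    return car.verify(captured, LEGIT_RTT_US)


def relay_attack(car, key):
    """Forward the live challenge to the distant key and its answer back."""
    nonce = car.challenge()
    response = key.respond(nonce)         # relayed to the real key, far away
    return car.verify(response, LEGIT_RTT_US + RELAY_LATENCY_US)


def demo():
    k = secrets.token_bytes(32)
    key = CarKey(k)
    return {
        "legitimate": legitimate_unlock(Car(k), key),
        "replay": replay_attack(Car(k), key),
        "relay, no distance bound": relay_attack(Car(k), key),
        "relay, distance bound": relay_attack(Car(k, MAX_RTT_US), key),
    }


if __name__ == "__main__":
    for name, unlocked in demo().items():
        print("%-26s unlocked=%s" % (name, unlocked))
```

Note that the cryptography is not what fails in the relay case: the HMAC verifies because the real key computed it. The mitigation has to live in the physical layer (round-trip timing, as simulated here, or a motion sensor in the key), which is why it belongs to the Devices and Peripherals surface rather than to the protocol design alone.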
3.3. Edge Reference Architecture
The Edge reference architecture specifies the interactions of components that occur between the operation of the vehicle and the operation of the Cloud. This may include devices used to access a WAN (such as mobile base stations or WiFi hotspots). Edge devices may include functionality that does not occur remotely and instead occurs close to where the vehicle is operating, or at the boundary between the vehicle and the Cloud. There is a wide range of scenarios that could be considered in the Edge reference architecture. The main example is Road-Side Units (RSUs), which are computing devices placed along road networks to support CAVs travelling along the roads. These devices will communicate with autonomous vehicles to assist their autonomous activities. Other pieces of infrastructure can also be considered as part of the Edge. For example, internet connected traffic lights, smart parking spaces and others may need to collaborate with autonomous vehicles and actuate components to facilitate autonomous driving.
Certain components have been previously described (e.g., Sensors, Data Analysis) and will not be repeated as part of the Edge sub-architecture. Some components previously described will be repeated due to differences from the previous sub-architectures.
Example Attacks |
• Modify hardware (Tamper) |
• Disable hardware |
3.3.1. Communication
Communication at the Edge has additional facilities compared to the CAVs and the Devices & Peripherals within them, as the Edge can be physically connected to a wide area network (WAN) rather than just wirelessly connected. Such physical connections might be provided by high bandwidth fibre, Ethernet and other communication approaches that require a physical medium. However, Edge nodes will still need to have wireless communications in order to facilitate V2I communication. This communication will encompass the technologies specified in vehicles to facilitate Dedicated Short-Range Communications (DSRC) (e.g., IEEE 802.11p and/or C-V2X). Other technologies might include non-vehicle specific cellular communications, WiFi and protocols to interact with IoT systems (e.g., IEEE 802.15.4).
Example Attacks |
• Edge Emulation [62] |
• DoS |
3.3.2. Data Storage
Data storage in the Edge will typically be centralised for each device as a single piece of hardware. As the Edge is susceptible to tampering it is important to take precautions such as encrypting the entire disk that is used, to prevent a threat actor from removing, reading out and then replacing the disk.
Example Attacks |
• Violate Integrity (manipulate data) |
• Violate Confidentiality (extract data) |
• Violate Availability (delete data) |
3.3.3. Actuators
Edge systems may potentially have the ability to actuate key pieces of infrastructure which can influence the environment (such as traffic lights or barriers). Depending on what the actuator is, the Edge device(s) may be capable of having a large impact on the behaviour and safety of vehicles. For example, a compromised Edge might claim a certain actuation state that is not true, such as claiming a traffic light is green while it is red.
3.3.4. Energy System
The energy system being used to power the Edge device is important to consider as different kinds could be used. Typically Edge systems will be powered using mains power and the attacks on this system relate to removing access to this power. However, alternative power systems (such as batteries and renewable energy like solar) may be used in locations where providing mains power is infeasible or too expensive.
Example Attacks |
• Sever power supply |
The Edge will have physical I/O ports that allow technicians to connect directly to the Edge infrastructure. These ports should be protected using physical security measures (such as locks) to protect against attacks. From a cyber security perspective the ports need to defend against attacks that occur once physical security is bypassed. This means that any user connecting via these ports should be correctly authenticated and audit logs created around these connection attempts.
Example Attacks |
• Privilege Escalation |
3.3.5. Monitoring and Logging
Records of actions taken by both the Edge and Cloud will need to be kept. This will allow inspectors to understand why a specific sequence of actions occurred. They will also be required to understand performance characteristics of the system.
Example Attacks |
• Delete/Modify logs |
3.3.6. Microservices
Microservices involve an application or service designed to provide functionality across a collection of loosely coupled services. Each microservice provides a simple service, compared to a monolithic model which provides many services at once. Benefits of this style of architecture include improved scalability to a large number of users and increased resistance to certain attacks. A modular architecture is easier to test and develop, reducing the chance of bugs being present. Any services that are used internally do not need to be exposed to the wider internet, which reduces the attack surface compared to a monolithic application. However, while each individual microservice has a smaller attack surface, the inter-microservice communications become a possible avenue of attack.
Example Attacks |
• Malicious firmware deployment |
• Privilege Escalation |
3.3.7. Application Programming Interfaces (APIs)
The APIs exposed by a service hosted on the Edge are used to access that service. APIs can be exposed in a number of ways; however, a common technique is to use RESTful APIs [63] that represent a request and response in JSON, typically sent over HTTP(S). As APIs often involve user-supplied data, it is important to ensure that it is validated before being manipulated or used for a task. A lack of validation or vulnerabilities in the code processing the request can lead to confidentiality or integrity violations. A common example of this kind of attack is SQL injection.
Example Attacks |
• Lack of user data validation (e.g., SQL injection) |
• Incorrect data disclosure |
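The SQL injection case above is concrete enough to show in code. The following Python is an added example, not code from the paper or from any RSU implementation: a constructed in-memory SQLite table stands in for an Edge telemetry store, a handler that builds its query by string formatting is contrasted with one that binds the value as a parameter, and an allow-list check on the identifier format is applied before the value reaches the database at all. The table contents, the `CAV-nnn` identifier format and the payload are all constructed for illustration.

```python
"""Vulnerable vs. parameterised lookup behind a REST-style API (constructed example)."""
import re
import sqlite3

VEHICLE_ID_RE = re.compile(r"CAV-\d{3}")   # assumed identifier format


def setup_db():
    """Constructed in-memory table standing in for an RSU's telemetry store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE telemetry (vehicle_id TEXT, owner TEXT, last_seen TEXT)")
    conn.executemany("INSERT INTO telemetry VALUES (?, ?, ?)", [
        ("CAV-001", "alice", "10:00:00"),
        ("CAV-002", "bob", "10:05:00"),
        ("CAV-003", "carol", "10:07:00"),
    ])
    return conn


def lookup_vulnerable(conn, vehicle_id):
    """String-built query: the request body becomes part of the SQL itself."""
    query = ("SELECT vehicle_id, owner FROM telemetry "
             "WHERE vehicle_id = '%s'" % vehicle_id)
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, vehicle_id):
    """Bound parameter: the value can never change the query's structure."""
    return conn.execute(
        "SELECT vehicle_id, owner FROM telemetry WHERE vehicle_id = ?",
        (vehicle_id,),
    ).fetchall()


def validate_vehicle_id(vehicle_id):
    """Allow-list validation applied before the value is used at all."""
    if not VEHICLE_ID_RE.fullmatch(vehicle_id):
        raise ValueError("invalid vehicle id: %r" % vehicle_id)
    return vehicle_id


def handle_request(conn, body):
    """What the API handler should do: validate, then query with parameters."""
    vehicle_id = validate_vehicle_id(body.get("vehicle_id", ""))
    return lookup_parameterised(conn, vehicle_id)


PAYLOAD = "CAV-000' OR '1'='1"   # constructed injection payload

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))
    print("parameterised:", lookup_parameterised(db, PAYLOAD))
    try:
        handle_request(db, {"vehicle_id": PAYLOAD})
    except ValueError as e:
        print("rejected     :", e)
```

With the payload the string-built query becomes `WHERE vehicle_id = 'CAV-000' OR '1'='1'` and returns every vehicle's owner (a confidentiality violation), whereas the parameterised query returns nothing. Validation is a second, independent layer: it rejects the request before any query runs, and it also limits what an injection through some other code path could carry.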
3.4. Cloud Reference Architecture
The interactions between CAVs and the Cloud and the operation of the Cloud are important to consider with respect to the attack surface of autonomous vehicles. Much of the information that CAVs request will be provided by Cloud services, and specific applications will require interaction with Cloud APIs for services to function. The Cloud reference architecture is intended to be a simplified representation of the main components that are important for CAVs. It is sufficiently in-depth for an analysis of how attacks on the Cloud may impact a CAV; however, more detailed reference architectures and threat models should be used to analyse the Cloud in greater depth (such as References [64,65,66]).
The rest of this section will describe the components in the Cloud reference architecture. Certain components have been previously described in Section 3.3 (e.g., Monitoring and Logging, Microservices, APIs) and will not be repeated here.
3.4.1. Communication
The communication patterns that occur in the Cloud will be more complex due to the Cloud's need for scalability, high performance and high availability. Rather than having a single connection to the wider network infrastructure, the Cloud will have multiple gateways which utilise load balancing to improve performance. As the Cloud is internet connected, large services will be under attack from DDoS packet floods [67]. This means that firewalls and DDoS protection are an important part of the Cloud's communication infrastructure.
Example Attacks |
• Jam or disconnect link |
• MiTM |
• DDoS |
3.4.2. Data Storage
Cloud data storage will be different to both vehicular and RSU data storage, as it will be physically distributed across many different data centres. The data will also be replicated to ensure integrity and availability under hardware faults. This replication and distribution increases the attack surface of the data storage, as there are multiple sites to consider exploiting and the communication between sites to perform the replication could also be vulnerable to exploitation.
Example Attacks |
• Insider attacks against data centre [68] |
• Hardware failures limiting availability |
• Unintended remote access |
3.4.3. Data Analysis
The data analysis performed by the Cloud is going to be different from that performed by the vehicle, as the Cloud will have access to much more data over a longer time period. Thus, the Cloud will have different objectives in terms of the analysis it produces from the data. For example, it may analyse historical data to better predict traffic patterns, which could be used to load balance road networks when a vehicle requests a route from its origin to its destination. An attacker may wish to obtain this analysis (as it is likely to be very valuable) or impact the analysis so that it outputs poor results (e.g., such that all vehicles are directed onto a lower capacity road, leaving higher capacity roads free).
Example Attacks |
• Privacy leakage of user information (Privacy Preserving Data Mining to protect it [69]) |
4. Methodology
In the previous section we presented the four components of a reference architecture that can be used as an aid for the analysis of cyber security threats and to develop appropriate strategies to address such threats. This reference architecture provides an abstract view of the ecosystem, which allows developers of new products, services and infrastructure to see how their own contribution fits into this system of systems. To identify and mitigate attacks using the reference architecture, the user undertakes three steps: instantiate the architecture with their particular use case; analyse the attack surface; and identify attack entry points at the boundary and internal interaction points. We explain each of these steps below.
4.1. Instantiate the Reference Architecture
Thus far the abstract reference architecture has been presented, with abstract components such as Sensors. To use the reference architecture the abstract components need to be instantiated with concrete components as required by the specific scenario of concern (as will be shown in Section 5). For example, the Sensors component could be instantiated with multiple sensors such as LIDAR, odometry and temperature when an application needs the output from these sensors to perform its function. Not all components need to be instantiated, as the scenario may not involve certain systems within the vehicle. Only once the reference architecture has been instantiated with components can the threats against those components be identified. Using the reference architecture, the threats posed by compromised components can be identified from the links specifying how the components interact.
4.2. Analysis of the Attack Surface
Once the system has been instantiated for a use case, attack surface analysis is used to identify a comprehensive set of feasible methods for an adversary to achieve their goals. Attackers can use and combine different attack paths to reach their desired goals. Where mitigations should be implemented can be identified by focusing on reducing the ability of an adversary to exploit critical attack surfaces. Attack goals can be obtained by systematically performing threat modelling on the critical components or functionality of a system. There are a number of approaches to perform threat modelling [6], of which Microsoft's STRIDE is commonly used in the automotive security domain. A reference architecture is useful in conjunction with threat modelling, as it gives a methodology to identify attack routes to a goal that may not have been previously considered in the threat modelling. However, performing threat modelling is out-of-scope for this work, to ensure generalisation to arbitrary threat modelling techniques.
One effective method to describe attack surfaces is attack trees, which were first introduced in Reference [15] to manage the large number of threats derived from comprehensive threat modelling in general security. Attack trees have since been employed in automotive security in a number of scenarios [70,71,72]. To create attack trees, potential threat agents and their goals in compromising the system first need to be identified. For each attack goal, the relevant attack surfaces need to be specified that define possible paths to reach the goal. These paths can then be represented as an attack tree. At the end of this procedure, a set of attack trees which cover known goals, sub-goals and attack methods of potential threat agents is produced.
In this paper, we also employ attack trees to optimise, manage and control the attack surface. The process to perform the attack tree analysis is illustrated in Figure 4 and described below:
The goal(s) of the threat actor need to be specified.
Using these goals, identify the component in the reference architecture which ultimately needs to be compromised for these goals to be achieved.
Identify the possible entry points to the system that the threat actor could exploit.
Using the entry point(s), calculate the path(s) that a threat actor might take to reach the target component from an external interaction.
Considering a threat actor's capabilities, resources and presence, prune paths that the threat actor cannot exploit.
Evaluation of threat agents appears at both ends of an attack tree. At the beginning, goals are derived from threat agents' motivations. It is assumed that threat agents will only consider goals that follow from their motivations. For example, a thief has a motivation to increase their wealth, so an aim is to steal physical assets rather than cause damage. Each threat will require a specific capability to be carried out, such as: techniques, skills, knowledge, equipment, presence and others. Hence, at the end of the procedure, the capability of threat agents also needs to be evaluated to check if reaching the goal is feasible. When achieving the goal is not feasible, then the attack tree needs to be trimmed from the set of attack trees created.
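The five steps above can be carried out mechanically once the instantiated architecture is written down as a directed graph of components and interactions. The following Python is an added example, not the paper's own tooling or its Figure 4: it takes a small, constructed instantiation of the vehicle sub-architecture in which each interaction is annotated with the capabilities an adversary needs to turn it into an attack step, enumerates every simple path from an entry point to the target component (step 4), and prunes the paths a given actor cannot follow (step 5). The component names follow Section 3, but the interactions, the capability labels and the two actor profiles are assumptions for illustration, not the TARA profiles of Reference [7].

```python
"""Attack path enumeration and pruning over an instantiated architecture
(constructed example)."""
from collections import defaultdict

# Constructed instantiation of the vehicle sub-architecture. Each interaction
# is (source, destination, capabilities an adversary needs to turn that
# interaction into a step of an attack).
INTERACTIONS = [
    ("Wireless Communication", "Infotainment",  {"wireless"}),
    ("Smartphone App",         "Infotainment",  {"malware"}),
    ("Infotainment",           "Data Analysis", {"software_exploit"}),
    ("Physical Port",          "Data Analysis", {"physical"}),
    ("Sensors",                "Data Analysis", {"spoof_sensor"}),
    ("Car Key",                "Actuation",     {"relay"}),
    ("Data Analysis",          "Actuation",     set()),  # bad analysis drives actuation
]

# Step 3: components reachable from outside the vehicle (assumed).
ENTRY_POINTS = {"Wireless Communication", "Smartphone App", "Physical Port",
                "Sensors", "Car Key"}

# Step 5 input: illustrative capability sets for two actors.
THREAT_ACTORS = {
    "remote hacker": {"wireless", "software_exploit", "malware"},
    "thief":         {"relay", "physical"},
}


def build_graph(interactions):
    graph = defaultdict(list)
    for src, dst, needs in interactions:
        graph[src].append((dst, frozenset(needs)))
    return graph


def enumerate_paths(graph, entry_points, goal):
    """Step 4: every simple path from an entry point to the goal component,
    returned as (components, capabilities required along the path)."""
    paths = []

    def dfs(node, visited, path, needs):
        if node == goal:
            paths.append((tuple(path), frozenset(needs)))
            return
        for nxt, edge_needs in graph.get(node, []):
            if nxt not in visited:
                dfs(nxt, visited | {nxt}, path + [nxt], needs | edge_needs)

    for entry in sorted(entry_points):
        dfs(entry, {entry}, [entry], frozenset())
    return paths


def prune(paths, capabilities):
    """Step 5: keep only the paths whose requirements the actor can meet."""
    capabilities = frozenset(capabilities)
    return sorted(path for path, needs in paths if needs <= capabilities)


def feasible_paths(actor, goal="Actuation"):
    """Steps 1 to 5 for one named actor whose goal is to control `goal`."""
    graph = build_graph(INTERACTIONS)
    return prune(enumerate_paths(graph, ENTRY_POINTS, goal), THREAT_ACTORS[actor])


if __name__ == "__main__":
    for actor in THREAT_ACTORS:
        print(actor)
        for path in feasible_paths(actor):
            print("   " + " -> ".join(path))
```

Each surviving path is one branch of the attack tree for that actor and goal; the pruned branches are exactly those step 5 removes. Because the graph is data, re-running the analysis after the architecture changes (Section 6.1) or after a mitigation removes an interaction is a matter of editing the interaction list.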
Previous work has been performed on identifying threat actors and their capabilities, goals, resources and presence, which should be used as input to this attack surface analysis. For example, a comprehensive library of threat agents for general information systems was provided by Intel [73] in their Threat Agent Risk Assessment (TARA) model. This library contains information on 22 threat agents and their 9 common attributes. However, many of the agents are inapplicable to CAV security. For example, the TARA library is reduced to the seven most relevant agents in Reference [7], which includes thief, owner, organised crime, mechanic, hacktivist, terrorist and foreign government.
4.3. Identify Attack Entry Points at the Boundary and Internal Interaction Points
Attacks against a single component can have limited impact. Therefore, it is often the case that compromised components are exploited to aid in attacking additional components, or multiple components are attacked simultaneously. These attacks are more difficult and take longer to perform but can have a greater impact on the CAV. The motivations for an attacker to attack a component via an additional compromised component can be divided into two categories: (i) escalating attacker capability and (ii) creating greater impact. Achieving one of these categories (or both) can be obtained by sequential manipulation (attacking a component after another previously compromised component), simultaneous manipulation (attacking two components at the same time) or a mixture of the two.
4.4. Summary
This section described the procedure to analyse the attack surface of a system described using a reference architecture. To provide an insight into how to apply this technique, two case studies using it are explored in the next section.
6. Discussion
Having described the reference architecture and shown two case studies that demonstrate how to apply it, this section will now discuss some of the implications and issues raised.
6.1. Expectation that the CAV Architecture Will Change
We expect that in the next decade and beyond the functionality of a CAV will change in unexpected ways. This reference architecture is designed to reflect the functionality that is expected to be deployed in the near future. For the far future, we expect that changes will need to be made to the reference architecture, which is why it has been designed to be modular. If new components or new interactions between components need to be added, then the reference architecture can be updated to include them. In doing so the attack surface of the system will change and the analysis will need to be re-performed.
6.2. Prioritising Attack Surface Analysis
Given limited resources, defenders need to prioritise specific attack surfaces to protect, starting with threats that pose a high risk (high likelihood and high impact). Thus, defenders need to run a risk assessment which takes into account threat agents' capabilities and motivations as well as the available controls in the system. However, performing a risk assessment is complex, takes time as it involves a large number of threats, and may contain uncertainties in the calculated risk. Besides, CAV risks are not static due to their dynamic operating environments. Consequently, the risk assessment will need to be repeated frequently to adapt to such changes. Therefore, to make the analysis more effective, it is important to narrow the focus by prioritising the security resources for several core parts.
We argue that the core parts that should be prioritised are critical functional components exploited frequently by threat actors. When proper controls are used, the corresponding attack surfaces will be reduced, which creates further challenges for attackers. For CAVs these components are: (i) Communication, (ii) Sensors and (iii) Data Analysis. Wireless or physical communication is the vector through which many cyber-attacks will be perpetrated, as it acts as a gateway between external agents and the internal components. Sensors are important because they provide information about the CAV's surrounding environment. If sensor information is unavailable or modified maliciously, the CAV may be manipulated into making harmful decisions. Finally, Data Analysis is important, as it influences CAVs' autonomous actions.
6.3. The Need to Understand Trust Levels in All the Surfaces
Dominic et al. [7] recommended that defenders should not place too much trust in individual CAV components. If any single component is trusted, it can become the single point of failure that undermines the whole security of the system once compromised. Consequently, defenders should put redundant security resources in different parts to cross-check each other. However, when attackers manipulate more than one component, they may also be able to compromise the cross-check, eliminating a source of redundancy. Therefore, it is also important to understand the trust level of each component properly. When there are inconsistencies between them, understanding their trust levels will decide which components are favoured for making security judgements.
6.4. Isolating Critical Subsystems
Depending on the applications and stakeholders' interests, some components can be considered more critical than others. For instance, safety applications emphasise driving functionality, while privacy applications focus more on data-related components. Putting more security resources on these critical components will not be sufficient to secure them, given that the connections between attack surfaces can bring unknown threats from other vulnerable surfaces, as shown in previous sections. Therefore, it is also important to isolate these critical parts from other vulnerable surfaces, or at least to create a secure shield around them by putting proper controls on their connections.
6.5. Considerations of Hardware and Software Security
In this reference architecture, we chose not to include the physical viewpoint and have only included a functional viewpoint, as full representations of both viewpoints increase the difficulty of performing a high-level security analysis of a CAV. However, it is important to consider the security of the hardware and software of these systems. An issue is that for vehicular systems the software is typically only accessible as a black box, as manufacturers are in general unwilling to supply the source code used for the implementation. The same is typically true for the hardware of a CAV. This is why it can be useful to consider the system in terms of its functional components and their interactions. The high-level reference architecture presented in this work will be useful to initially describe the system, but a more detailed modelling language (such as SysML [74]) may be desirable when more details need to be specified. However, a reference architecture will be effective to highlight the attacker's path to achieve their goal and to determine in which component or interaction to implement mitigations against this attack. Additionally, it can also be referred to in security verification when updating software or hardware in the system, which can happen frequently in a CAV's life cycle.
6.6. Using the Reference Architecture to Mitigate Attacks
The reference architecture can identify which components and interactions are critical to an attacker pursuing a goal. By analysing the generated attack trees, the component or interaction in which a mitigation is implemented can be justified. A common desire is to apply security controls to all potentially vulnerable components, covering the whole attack surface. However, security resources are often limited; therefore, it is necessary to select which countermeasures are installed. The reference architecture can help to choose which mitigations to prioritise, thanks to its ability to demonstrate the impact that each reduction will have overall. For example, the attack surfaces which lead to critical impacts should have the highest priority, while restricting surfaces which open the chance to attack other surfaces is usually more efficient than restricting isolated attack surfaces.
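As an added example of the prioritisation argument (not code from the paper), the Python script below takes a small attack graph of the kind a reference architecture yields, enumerates the attacker's paths from externally reachable entry points to impact-rated goals, and scores each component by the total impact of the paths that hardening it would cut. The component names, the edges and the impact ratings are constructed and hypothetical; the greedy selection is one simple strategy, not a method the paper prescribes.

```python
"""Prioritising mitigations from attack paths over a reference architecture.

Added example, not code from the paper: the component names, the edges (which
component an attacker can reach from which) and the impact ratings are constructed."""


# Constructed, hypothetical attack graph derived from a reference architecture:
# an edge source -> target means an attacker controlling source can attack target.
GRAPH = {
    "obd_port": ["gateway_ecu"],
    "telematics_unit": ["gateway_ecu", "infotainment"],
    "infotainment": ["driver_data_store"],
    "gateway_ecu": ["brake_ecu", "steering_ecu"],
    "brake_ecu": [],
    "steering_ecu": [],
    "driver_data_store": [],
}
ENTRY_POINTS = ["obd_port", "telematics_unit"]  # externally reachable surfaces
# Attacker goals with an assumed impact rating on a 1..5 scale.
IMPACT = {"brake_ecu": 5, "steering_ecu": 5, "driver_data_store": 2}


def enumerate_paths(graph, entries, impact):
    """Return every simple path from an entry point to an attacker goal."""
    paths = []

    def walk(node, path):
        if node in impact:
            paths.append(tuple(path))
        for nxt in graph.get(node, ()):
            if nxt not in path:          # ignore cycles
                walk(nxt, path + [nxt])

    for entry in entries:
        walk(entry, [entry])
    return paths


def score_mitigations(paths, impact):
    """Score each component by the total impact of the paths that hardening it would cut."""
    score = {}
    for path in paths:
        weight = impact[path[-1]]
        for node in path:
            score[node] = score.get(node, 0) + weight
    return score


def prioritise(graph, entries, impact, budget):
    """Greedy selection: repeatedly harden the component whose removal cuts the most
    impact-weighted paths, until the budget is spent or no path remains."""
    remaining = enumerate_paths(graph, entries, impact)
    chosen = []
    for _ in range(budget):
        if not remaining:
            break
        score = score_mitigations(remaining, impact)
        best = max(sorted(score), key=score.get)   # ties broken by name for determinism
        chosen.append((best, score[best]))
        remaining = [p for p in remaining if best not in p]
    return chosen, remaining


if __name__ == "__main__":
    scores = score_mitigations(enumerate_paths(GRAPH, ENTRY_POINTS, IMPACT), IMPACT)
    for component, value in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{component:18} {value}")
    print(prioritise(GRAPH, ENTRY_POINTS, IMPACT, budget=2))
```

In this constructed graph the gateway ECU scores highest (20): it is an interaction point that opens the chance to attack both high-impact goals from both entry points, so hardening it is more efficient than hardening the OBD port (10) or either critical ECU (10) on its own, which is the situation the paragraph above describes. The infotainment unit scores only 2 because the single path through it ends at a low-impact goal; it still surfaces in the second greedy round once the gateway paths are gone.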
The reference architecture can also be useful in the design phase of a system. For example, if security is vital, the designers should reduce the use of components that have a large attack surface (e.g., by replacing them with more secure components) or restrict access to vulnerable functionality that links to other critical functionality. Finally, in the long term, the reference architecture can help to manage the complexity of systems and attacks. In this way, it can be used to visualise new vulnerabilities at a high level and to identify relevant mitigations when the system design changes.
