
FEDERATION INTERNATIONALE DE L'AUTOMOBILE

REGION I - EUROPE, THE MIDDLE EAST AND AFRICA

TÜViT

ON-BOARD TELEMATICS PLATFORM

SECURITY

Version: 1.02

Date: 2020-06-02

Author(s): Markus Bartsch

Alexander Bobel

Dr. Brian Niehofer

Markus Wagner

Maximilian Wahner

OTP Security V1.02 2020-06-02

Table of Contents

1 Introduction .... 6
1.1 Motivation .... 6
1.2 Structure of the Document .... 8
2 Challenges of Connected Vehicles .... 9
2.1 General Concept and Potential Vulnerabilities .... 9
2.2 Solution Concepts .... 11
2.2.1 Extended Vehicle .... 11
2.2.2 On-Board Telematics Platform (OTP) .... 13
2.2.3 Vehicle-to-Everything (V2X) .... 14
2.2.4 Combination of Connectivity .... 15
2.3 Future-Proof .... 17
3 IT Security Models .... 20
3.1 Security by Design .... 21
3.2 Assets and Threats .... 22
4 OTP-Security Concept .... 25
4.1 Security Modularization and Layers .... 28
4.2 Authorisation .... 31
4.2.1 Roles and Access Policies .... 32
4.2.2 Groups .... 36
4.2.3 Rationale: Security Layers - Authorization .... 40
4.3 Automotive Gateway Administrator .... 41
4.3.1 Examples of 'multiple-eyes' processes with the A-GWA .... 43
4.4 Secure Lifetime .... 46
4.4.1 Development .... 46
4.4.2 Production .... 47
4.4.3 Personalization .... 47
4.4.4 Operation .... 48
4.4.5 Scrapping .... 50
5 Audit and Ratings .... 51
5.1 Requirements for Audit Schemes .... 51
5.2 Common Criteria .... 52
5.2.1 International Recognition and Acceptance .... 53
5.2.2 CC Paradigms .... 55
5.3 Recommendation .... 60
6 Roadmap .... 61
6.1 Legislation .... 62
A Annex .... 63
A.1 Acronyms .... 63
A.2 References .... 65

FIA Region I Report, Page 2 of 69


Table of Figures

Figure 1: Simplified illustration of the Extended Vehicle (ExVe) .... 12
Figure 2: Open Architecture OTP .... 13
Figure 3: Simplified illustration of V2X .... 14
Figure 4: ExVe in Connected Traffic .... 15
Figure 5: ExVe in Connected Traffic (with PKI) .... 16
Figure 6: OTP in Connected Traffic .... 16
Figure 7: Assets & Threats (CC Definition) .... 22
Figure 8: Possible attack vectors .... 24
Figure 9: OTP including Automotive Gateway, docker unit and the HMI .... 25
Figure 10: The principle 'separation of duties' .... 27
Figure 11: Security layers .... 28
Figure 12: Authorization Hierarchy .... 31
Figure 13: Supplier pyramid during the vehicle's construction phase .... 33
Figure 14: OTP - Group-based illustration .... 36
Figure 15: Illustration of dependencies between Security Layers and Groups .... 41
Figure 16: OTP's security modularization .... 41
Figure 17: Update of an OEM usage profile (simplified example) .... 44
Figure 18: Software Update by an OEM (simplified example) .... 45
Figure 19: OTP Security Lifetime .... 46
Figure 20: Common Criteria Recognition Arrangement (CCRA) - Participants .... 52
Figure 21: Composition structure .... 56
Figure 22: Evaluation Assurance Levels (EALs) .... 58


Executive Summary

Digitalisation is increasingly shaping the environment of people and companies. The Internet of Things (IoT) has the potential to connect everything with everything else. In the automotive sector, vehicles are increasingly connected to backend services as a preparation for the interconnected traffic of the future. The progress of communication networks like the emergence of 5G - with currently over 60 million connected vehicles already connected through 3G and 4G - spurs this fundamental change, but it also opens a new window for attacks on the integrity of vehicle systems or allows remote data theft.

On the other hand, different automotive stakeholders such as manufacturers (OEM), independent service providers (ISP), suppliers, auditors, or the car owners themselves shall get remote access to some of the vehicle's data, functionalities and resources. This remote access is currently only possible through the OEM's Extended Vehicle model. Direct access to the vehicle remains an exclusive OEM privilege. To avoid a data monopoly and allow fair competition, other data and function access models are needed to allow independent service providers to compete with the OEM in the aftermarket.

For Mobility Clubs affiliated to the FIA Region I, it is of paramount importance to get data directly from the vehicle. Independent testing facilities, independent service stations and Mobility Clubs need basic diagnostic information and access to in-vehicle data and functions. Direct access to the vehicle data from internal communication busses, controllers and sensors is of paramount importance so that all aftermarket providers can perform their jobs independently, unmonitored and not under the control of the OEM.

Obviously, such independent data access by authorised ISPs must be safe and secure, which requires regular security updates by the OEM. If security updates are no longer commercially interesting for the manufacturer to provide, e.g. 5-8 years after the sale of a new vehicle, the vehicle's security is at risk until it is scrapped. Consequently, the consumer would be forced to take the vehicle out of circulation and to purchase a new one that is supported with regular security updates.

Hence, a delicate balance needs to be struck between direct access to in-vehicle data and functions on one hand and, on the other hand, securing the vehicle with state-of-the-art on-board and off-board security measures over its lifetime. The report shows that it is possible to combine direct access to in-vehicle data, functions and resources with state-of-the-art security measures.

This report describes a security concept for the On-Board Telematics Platform. It creates confidence in the mechanisms for protecting the driver's and occupants' privacy. This approach consists of a secure On-Board Telematics Platform (OTP), consisting of an Automotive Gateway (A-GW) responsible for securing the remote access to and from the vehicle, and corresponding control units (docker) on which ISP apps can run and with which the drivers, owner or occupants can interact through the Human Machine Interface (HMI).

The OTP also consists of an external infrastructure with a pivotal role for an Automotive Gateway Administrator, based on a Public Key Infrastructure (PKI). The OTP follows the idea of keeping the vehicle's assets where they appear whenever it is possible: inside the car and not stored on or processed by the Extended Vehicle server. All parties will benefit from:

• Security by Design as a basis for the connected traffic of the future and over the vehicles' lifetime;

• Privacy by Design (when the data leaves the car, the General Data Protection Regulation is automatically fulfilled);

• Tamper-proof technology due to an embedded, highly secured Automotive Gateway;

• Non-monitoring of independent service providers by the vehicle manufacturer in his role as aftermarket service provider, without having to give up on liability and warranty;

• The possibility to get direct access to in-vehicle data, functions and resources for ISPs as well as to run apps on board of the vehicle, giving the consumers a number of cost-beneficial and quality choices for products and service providers;

• The vehicle's Human Machine Interface (HMI) - like the vehicle's instrument panel or infotainment display - to communicate directly and safely with vehicle occupants and remote service providers.

With that in mind, the OTP stands for:

• Safety and environmental protection improvements by monitoring of a vehicle's safety- and emission-related systems without compromising the vehicle occupants' privacy;

• Trustworthy administration of access to in-vehicle data, its functions and resources by an independent, neutral Automotive Gateway Administrator, respecting the 'separation-of-duties' principle;

• A future-proof solution by highly secure and flexible update options and by considering Cooperative Intelligent Transport Systems (C-ITS);

• Creating the prerequisites for free choice of service provider and their added-value services by the consumer, allowing for their free choice of service providers offering value-added services for a competitive price;

• The possibility to offer new, innovative services to consumers by all service providers, including the manufacturer in his role as aftermarket service provider as well as by ISPs, allowing fair competition to the full benefit of the consumer;

• Best possible protection of the car driver and occupants against IT security and privacy breach risks;

• Consumer's data flow control to and from the vehicle by opt-in, opt-out features.
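The authorisation chain sketched above (a neutral Automotive Gateway Administrator issuing access authorisations, the in-vehicle A-GW enforcing them, and the consumer's opt-in/opt-out deciding which data may leave the car) as an added Python example written for this page; it is not the report's or TÜViT's own design. It assumes a hypothetical ISP named "ISP-Club", constructed sample data categories, and uses HMAC with per-party keys as a stand-in for the PKI certificate signatures the report describes.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field

# Constructed stand-in secrets for each party's PKI key (hypothetical values). HMAC
# replaces the certificate signatures the report describes so the block runs offline.
KEYS = {"A-GWA": b"agwa-demo-key", "OEM": b"oem-demo-key", "ISP-Club": b"isp-demo-key"}


def sign(issuer: str, payload: dict) -> dict:
    """Issuer signs an access authorization for an ISP and its data categories."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(KEYS[issuer], body, hashlib.sha256).hexdigest()
    return {"issuer": issuer, "payload": payload, "sig": tag}


@dataclass
class AutomotiveGateway:
    """Minimal model of the A-GW deciding whether an ISP app may read in-vehicle data."""
    trust_anchor: str = "A-GWA"                 # only the neutral administrator is trusted
    opt_in: dict = field(default_factory=dict)  # ISP -> categories the consumer has released
    vehicle_data: dict = field(default_factory=lambda: {  # constructed sample data
        "diagnostics": {"dtc": ["P0420"]}, "location": {"lat": 50.9, "lon": 6.9}})

    def _issued_by_administrator(self, auth: dict) -> bool:
        # Separation of duties: OEM- or ISP-signed authorizations carry no weight here,
        # and relabelling the issuer field does not help because the MAC check fails.
        if auth.get("issuer") != self.trust_anchor:
            return False
        body = json.dumps(auth["payload"], sort_keys=True).encode()
        expected = hmac.new(KEYS[self.trust_anchor], body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, auth["sig"])

    def request(self, isp: str, category: str, auth: dict) -> tuple:
        """Return ("ok", data) or ("denied", reason) for an ISP app's read request."""
        if not self._issued_by_administrator(auth):
            return ("denied", "authorization not issued by the A-GWA")
        payload = auth["payload"]
        if payload.get("isp") != isp or category not in payload.get("categories", []):
            return ("denied", "category outside the ISP's authorization")
        if category not in self.opt_in.get(isp, set()):   # consumer's opt-in / opt-out
            return ("denied", "consumer has not opted in for this data flow")
        return ("ok", self.vehicle_data[category])


def demo() -> dict:
    """Run the four representative cases and return their outcomes keyed by case."""
    gw = AutomotiveGateway(opt_in={"ISP-Club": {"diagnostics"}})  # location stays in the car
    agwa_auth = sign("A-GWA", {"isp": "ISP-Club", "categories": ["diagnostics", "location"]})
    oem_auth = sign("OEM", {"isp": "ISP-Club", "categories": ["diagnostics"]})
    forged = dict(oem_auth, issuer="A-GWA")  # OEM-signed token relabelled as A-GWA-issued
    return {
        "granted": gw.request("ISP-Club", "diagnostics", agwa_auth),
        "opted_out": gw.request("ISP-Club", "location", agwa_auth),
        "oem_issued": gw.request("ISP-Club", "diagnostics", oem_auth),
        "forged": gw.request("ISP-Club", "diagnostics", forged),
    }
```

Only the "granted" case returns data; the OEM-issued and relabelled tokens fail at the trust-anchor check, and the consumer's opt-out blocks the location flow even though the A-GWA authorised it.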

The so-called Common Criteria shall be used to get the necessary assurance into the correct implementation of the OTP's security functions. As an international ISO standard, custom-tailored for Europe by the SOG-IS agreement and combined with the new European Cyber Security Act (CSA), Common Criteria will be accepted by all European Member States as well as by many nations world-wide. A formal requirement document, called a Protection Profile (PP) in accordance with Common Criteria, is available, summarizing the main security features of the Automotive Gateway as the principal security component of the OTP. This, together with end-to-end encryption of communication messages from and to the vehicle, shall help to ensure state-of-the-art, affordable vehicle security.


1 Introduction

1.1 Motivation

Road safety and environmental protection have driven innovation, investment, growth and jobs in car manufacturing. Today, information technology is the key innovation driver of connected vehicles. Technology has a key role to play in increasing safety, mobility, environmental protection and comfort. The safety applications or assistance systems are primarily intended to prevent accidents, including warnings of danger spots (e.g. end of traffic jams, breakdown vehicles). Up-to-date traffic information, obtained through the development of vehicle communication, enables time-optimized route planning, thus improving mobility. Such systems can improve traffic fluidity, thus limiting the impact of mobility on the environment. Whilst traffic is due to increase in the years to come, technology is crucial to optimise flows and make the best use of existing infrastructure.

Information Technology can offer direct access to in-vehicle data, functions and resources, thus enabling Mobility Clubs to develop local diagnostics and remote diagnostic support in case of breakdowns. The establishment of an over-the-air connection with the driver via the built-in Human-Machine Interface (HMI) may provisionally resolve the root cause of the breakdown without physical access to the vehicle: e.g., the helpdesk diagnostician querying the car's on-board diagnostic system and remotely activating some functions like, for instance, opening and closing of a valve. Such fixes will significantly reduce response time after a breakdown, thus increasing convenience of road users and limiting costs for service providers, such as mobility clubs.

New use cases may also emerge to prevent breakdowns from even happening, thus increasing convenience for users and improving road safety. Many Independent Service Providers (ISP) are also setting up systems for prognostics, meaning that the critical safety and environmental vehicle functions could continuously be monitored with the drivers'/owners' consent. Such monitoring could help identify potential failures in advance, thus avoiding breakdowns on the road altogether. Efficient prognostics require direct, remote access to the vehicle's data, functions and resources by authorised ISPs.

However, this IT-induced change entails new challenges for both the IT security against hacker attacks and data protection, since all data generated by vehicles and leaving the car are personal data: they can easily be connected to the vehicle identification number, the license plate, or other identifiers of the vehicle's driver or owner.

Digital platforms play a central role in the development of innovative business areas and employment opportunities. By collecting data from the vehicle and its users, if the driver/owner gave their consent, the operators of these platforms will want to process this data in order to provide further information and data-based services inside the car. In all cases, the European General Data Protection Regulation (GDPR) protects the consumer from data being misused for purposes the driver/owner does not consent to. The consumer should in most cases - with the exception of eCall and other future, legally obligatory functions - have the possibility to opt in/opt out to data leaving and entering the vehicle (consumer in the pilot seat of the vehicle's data flows) [EDPB 1-3]. New and innovative ideas are now increasingly challenging existing concepts such as the value chain or legal relationships between manufacturer, dealer, platform operator and ISP on the one hand and the vehicle owner and driver on the other.

Vehicle manufacturers develop the control units' software and install it in the vehicle when it is placed on the market. They are therefore in a privileged position to collect and process vehicle-related data from actuators, sensors and processes. Consequently, manufacturers have additional information, the technical knowledge, and the factual possibility to establish a direct connection to the vehicle and its users. However, this special position of the manufacturer does not make them the sole data controller of a vehicle. Vehicle manufacturers have been offering several additional services alongside the mandatory eCall since 2018, based on B2C contracts. Such services include journey planning, vehicle maintenance, keeping the software up to date and new infotainment options. In this new digital era, vehicle manufacturers' business models are therefore shifting from being the traditional designer and assembler of a vehicle towards a new envisaged role as data asset owner, data flow controller and aftermarket service provider.

Since ISPs do not have equal, direct access to in-vehicle data, functions and resources, and to the driver/owner - or only with great difficulty, pending vehicle manufacturer approval and a paid contract - the vehicle manufacturers de facto become data oligopolists. Innovation currently hinges on the vehicle manufacturers' pace of product development. Applications such as those enabling V2X or "Cooperative Intelligent Transport Systems" (C-ITS), improving mobility safety and sustainability, will require the technology's innovation potential to be fully unlocked and access to various levels of data to be opened to various players. The technology will not yield results unless equal conditions are established for all competitors with data-based business models, including the vehicle manufacturers in their new role.

These goals can only be achieved by establishing uniform and binding specifications and by implementing a uniform IT security standard for the future data exchange via the vehicle's telematics or communication interfaces. Specifications and IT standards are key to be able to address two other challenges of today's connected world:

1. Distributed Functionalities

In the Internet-of-Things (IoT) era, the functionalities and data of connected devices are not exclusively located in the devices themselves with an interface to the rest of the digital world. An IoT device could more likely be seen as a part of the digital world. Many functionalities and their corresponding data of IoT devices are distributed

• in the backend systems of the associated smart services of the vendor as well as

• on mobile device apps.

This distribution of functionalities and its data makes it difficult to build up security zones around all spread assets that should be protected (chapter 3.2).

2. Everything is Possible (EiP)

Adding new functionalities to a device is one of the main features of the IoT. A device that is bought today will be able to integrate many additional use cases thanks to updates and interconnected functionalities from smart services. Most often, this "value added service" feature results from full access to any part of the IoT device in combination with the distributed functionalities mentioned above. This "full access" is most often implemented with a low level of protection, to cater for future updates. Such basic-level protection could only be tolerable for less critical devices, such as smart home devices, as it would entail too much inherent safety risk for many critical use cases. For most of the devices, the possibility for anyone to switch to an "administrator mode" without being recognized by someone else who will react in an appropriate way could result in the "everything is possible mode" (EiP mode): elevator doors could open without a cabin behind them, speed-limited e-bikes could support their riders even at higher speeds, and voice control in smart homes could become surveillance stations.

This also applies to the connected vehicle, representing the most complex IoT device of a consumer. In a connected vehicle, data flows from the vehicle to the backend systems and possibly back to the user's smartphone, to the vehicle HMI and to third-party providers. With the rolling out of C-ITS, the road will be flooded with broadcast messages of most road users and traffic signs. As more information will be spread, they will cater for broader distributed functionalities. An EiP mode shall be avoided as a severe exploit, like the one illustrated in the report [WHICH] for instance.

To address this challenge, the automotive industry first proposed the "Extended Vehicle" (ExVe), which was deemed sub-optimal in the TRL study for the EU [TRL]. According to this study, the best solution was the so-called "On-Board Application Platform" (OBAP), which keeps the control inside the vehicle. The OTP gives a concrete solution of an OBAP from the IT security as well as from the data protection view. It is designed to achieve the following goals:

• Protection against cybersecurity incidents

• Data protection (fundamental right to data protection, consumer empowerment and freedom of choice)

• Implementation of the 'Separation of duties' principle, which allows the vehicle owner/driver to make free choices

1.2 Structure of the Document

This report is structured as follows:

• Chapter 1 - Introduction

• Chapter 2 - Challenges of Connected Vehicles: Current state-of-the-art automotive communication concepts and resulting challenges related to

  o the connected car and

  o C-ITS.

• Chapter 3 - IT Security Models

• Chapter 4 - "OTP-Security Concept", introducing a highly secured data access concept managed by an Automotive Gateway (A-GW)

• Chapter 5 - The chapter "Audit and Ratings" provides recommendations for possible audit, evaluation and certification schemes of the presented OTP

• Chapter 6 - A suggestion of a Roadmap to implement the secure OTP


2 Challenges of Connected Vehicles

Given the central role of the car in people's mobility, increased connectivity and its potential is drawing a lot of public interest. Various parties are already introducing various concepts, thus presenting different ways of making interconnected driving tomorrow's reality [TRL]. The first part of the chapter gives an overview of networked driving, whilst three different concepts are presented in chapter 2.2. The last section is dedicated to discussing the pros and cons of the three solutions.

2.1 General Concept and Potential Vulnerabilities

More and more cars have already integrated assistance functions such as automatic parking, adaptive speed control or lane-keeping. These advanced driver assistance systems can already be assigned to a certain level of automated driving described in [SAE J3016] and referenced in [ENISA 1, 2]:

• Human driver monitors driving environment:

1. No Automation

2. Driver Assistance

3. Partial Automation

• Automated driving system monitors driving environment:

4. Conditional automation

5. High automation

6. Full automation

According to the Vienna Convention on road traffic safety, each vehicle must have a driver, who is always in full control and responsible for the vehicle's behaviour in traffic. This means that an update of the convention will be needed for SAE automation 4 and beyond. However, some vehicles already can drive autonomously on (some stretches of) freeway, as well as perform on- and off-ramps in the USA and Canada. This includes independent blinking, changing lanes and adjusting the speed to the moving traffic, which are enabled by a variety of vision cameras, ultrasonic sensors and radar devices. Additional hardware is used to process and analyse all information collected and to
