車聯(lián)網通訊平臺信息安全設計

FEDERATIONINTERNATIONALEDEL'AUTOMOBILE

REGIONI-EUROPE,THEMIDDLEEASTANDAFRICA

____?

TuViT

ON-BOARDTELEMATICSPLATFORM

SECURITY

Version:1.02

Date:2020-06-02

Author(s):MarkusBartsch

AlexanderBobel

Dr.BrianNiehofer

MarkusWagner

MaximilianWahner

FEDERATIONINTERNATIONALEDEL'AUTOMOBILE

REGIONI-EUROPE,THEMIDDLEEASTANDAFRICA

OTPSecurityV1.022020-06-02

TableofContents

1Introduction6

1.1Motivation6

1.2StructureoftheDocument8

2ChallengesofConnectedVehicles9

2.1GeneralConceptandPotentialVulnerabilities9

2.2SolutionConcepts11

221ExtendedVehicle11

222On-BoardTelematicsPlatform(OTP)13

2.2.3Vehicle-to-Everything(V2X)14

224CombinationofConnectivity15

2.3Future-Proof17

3ITSecurityModels20

3.1SecuritybyDesign21

3.2AssetsandThreats22

4OTP-SecurityConcept25

4.1SecurityModularizationandLayers28

4.2Authorisation31

4.2.1RolesandAccesspolicies32

422Groups36

4.2.3Rationale:SecurityLayers-Authorization40

4.3AutomotiveGatewayAdministrator41

4.3.1Examplesof'multiple-eyes5processeswiththeA-GWA43

4.4SecureLifetime46

4.2.1Development46

4.2.2Production47

4.2.3Personalization47

4.4.4Operation48

4.4.5Scrapping50

5AuditandRatings51

5.1RequirementsforAuditSchemes51

5.2CommonCriteria52

5.2.1InternationalRecognitionandAcceptance53

5.2.2CCParadigms55

5.3Recommendation60

6Roadm叩61

6.1Legislation62

AAnnex63

A.1Acronyms63

A.2References65

FIARegionIReportPage2of69

FEDERATIONINTERNATIONALEDEL'AUTOMOBILE

REGIONI-EUROPE,THEMIDDLEEASTANDAFRICA

OTPSecurityV1.022020-06-02

TableofFigures

Figure1:simplifiedillustrationoftheExtendedVehicle(ExVe)12

Figure2:OpenArchitectureOTP13

Figure3:simplifiedillustrationofV2X14

Figure4:ExVeinConnectedTraffic15

Figure5:ExVeinConnectedTraffic(withPKI)16

Figure6:OTPinConnectedTraffic16

Figure7:Asset&Threats(CCDefinition)22

Figure8:Possibleattackvectors24

Figure9:OTPincludingAutomotiveGateway,dockerunitandtheHMI25

Figure10:Theprinciple'separationofduties527

Figure11:Securitylayers28

Figure12:AuthorizationHierarchy31

Figure13:Supplierpyramidduringthevehicle'sconstructionphase33

Figure14:OTP-Groupbasedillustration36

Figure15:IllustrationofdependenciesbetweenSecurityLayersandGroups41

Figure16:OTP'ssecuritymodularization41

Figure17:UpdateofanOEMusageprofile(simplifiedexample)44

Figure18:SoftwareUpdatebyanOEM(simplifiedexample)45

Figure19:OTPSecurityLifetime46

Figure20:CommonCriteriaRecognitionArrangement(CCRA)-Participants52

Figure21:Compositionstructure56

Figure22:EvaluationAssuranceLevels(EALs)58

FIARegionIReportPage3of69

FEDERATIONINTERNATIONALEDEL'AUTOMOBILE

REGIONI-EUROPE,THEMIDDLEEASTANDAFRICA

OTPSecurityV1.022020-06-02T/

ExecutiveSummary

Digitalisationisincreasinglyshapingtheenvironmentofpeopleandcompanies.TheInternet

ofThings(loT)hasthepotentialtoconnecteverythingwitheverythingelse.Intheautomotive

sector,vehiclesareincreasinglyconnectedtobackendservicesasapreparationforthein-

terconnectedtrafficofthefuture.Theprogressofcommunicationnetworksliketheemer-

genceof5G-withcurrentlyover60millionconnectedvehiclesalreadyconnectedthrough

3Gand4G-spursthisfundamentalchange,butitalsoopensanewwindowforattackson

theintegrityofvehiclesystemsorallowingremotedatatheft.

Ontheotherhand,differentautomotivestakeholderssuchasmanufacturers(OEM),inde-

pendentserviceproviders(ISP),suppliers,auditors,orthecarownersthemselvesshallget

remoteaccesstosomeofthevehicle'sdata,functionalitiesandresources.Thisremoteac-

cessiscurrentlyonlypossiblethroughtheOEM'sExtendedVehiclemodel.Directaccessto

thevehicleremainsanexclusiveOEMprivilege.Toavoidadatamonopolyandallowingfair

competition,otherdataandfunctionaccessmodelsareneededtoallowindependentservice

providerstocompetewiththeOEMintheaftermarket.

ForMobilityClubsaffiliatedtotheFIARegionI,itisofparamountimportancetogetdata

directlyfromthevehicle.Independenttestingfacilities,independentservicestationsandMo-

bilityClubsneedbasicdiagnosticinformationandaccesstoin-vehicledataandfunctions.

Directaccesstothevehicledatafrominternalcommunicationbusses,controllersandsen-

sorsisofparamountimportanceforallaftermarketproviderscanperformtheirjobsinde-

pendently,unmonitoredandnotunderthecontroloftheOEM.

Obviously,suchindependentdataaccessbyauthorisedISPsmustbesafeandsecure,which

requiresregularsecurityupdatesbytheOEM.Ifsecurityupdatesarenotanylongercom-

merciallyinterestingforthemanufacturertoprovideaftere.g.5-8yearsaftersalesofanew

vehicle,thevehicle'ssecurityisatriskuntilitisscrapped.Consequently,theconsumerwould

beforcedtotakethevehicleoutofcirculationandtopurchaseanewonethatissupported

withregularsecurityupdates.

Hence,adelicatebalanceneedstobestruckbetweendirectaccesstoin-vehicledataand

functionsononehandandontheotherhand,securingthevehiclewithstate-of-the-arton-

boardandoff-boardsecuritymeasuresoveritslifetimeThereportshowsthatitispossibleto

combinedirectaccesstoin-vehicledata,functionsandresourceswithstateoftheartsecurity

measures.

ThisreportdescribesasecurityconceptfortheOn-BoardTelematicsplatform.Itcreates

confidenceinthemechanismsforprotectingthedriver'sandoccupant'sprivacy.Thisap-

proachconsistsofasecureOn-boardTelematicsPlatform(OTP),consistingofanAutomo-

tiveGateway(A-GW)responsibleforsecuringtheremoteaccesstoandfromthevehicle,

correspondingcontrolunits(docker)onwhichISPappscanrunthatcanbeinteractedwith

bythedrivers,owneroroccupantsthroughtheHumanMachineInterface(HMI).

TheOTPalsoconsistsofanexternalinfrastructurewithapivotalroleforanAutomotiveGate-

wayAdministrator,basedonaPublicKeyInfrastructure(PKI).TheOTPfollowstheideaof

FIARegionIReportPage4of69

FEDERATIONINTERNATIONALEDEL'AUTOMOBILE

REGIONI-EUROPE,THEMIDDLEEASTANDAFRICA

OTPSecurityV1.022020-06-02

keepingvehicle'sassetswheretheyappearwheneveritispossible:insidethecarandnot

storedonorprocessedbytheExtendedVehicleserver.Allpartieswillbenefitfrom:

?SecuritybyDesignasabasisfortheconnectedtrafficofthefutureandoverthevehicles5

lifetime;

?PrivacybyDesign(whenthedataleavesthecar,theGeneralDataProtectionRegulation

isautomaticallyfulfilled);

?Tamper-prooftechnologyduetoanembedded,highlysecuredAutomotiveGateway;

?Non-monitoringofindependentserviceprovidersbythevehiclemanufacturerinhisrole

asaftermarketserviceprovider,withouthavingtogiveuponliabilityandwarranty;

?Thepossibilitytogetdirectaccesstoin-vehicledata,functionsandresourcesforISPas

wellastorunappson-boardofthevehicle,givingtheconsumersanumberofcostben-

eficialandqualitychoicesforproductsandserviceproviders;

?Thevehicle'sHumanMachineInterface(HMI)-likethevehicle'sinstrumentpanelor

infotainmentdisplay-tocommunicatedirectlyandsafelywithvehicleoccupantsand

remoteserviceproviders,

Withthatinmind,theOTPstandsfor:

?Safetyandenvironmentalprotectionimprovementsbymonitoringofavehicle'ssafety-

andemissionrelatedsystemswithoutcompromisingthevehicleoccupants5privacy;

?Trustworthyadministrationofaccesstoin-vehicledata,itsfunctionsandresourcesbyan

independent,neutralAutomotiveGatewayAdministrator,respectingthe'separation-of-

duties'principle;

?Afuture-proofsolutionbyhighlysecureandflexibleupdateoptionsandbyconsidering

CooperativeIntelligentTransportSystems(C-ITS);

?Creatingtheprerequisitesforfreechoiceofserviceproviderandtheiraddedvalueser-

vicesbytheconsumer,allowingfortheirfreechoiceofserviceprovidersofferingvalue

addedservicesforacompetitiveprice;

?Thepossibilitytooffernew,innovativeservicestoconsumersbyallserviceproviders,

includingthemanufacturerinhisroleasaftermarketserviceprovideraswellasbyISPs

allowingfaircompetitiontothefullbenefitoftheconsumer;

?BestpossibleprotectionofthecardriverandoccupantsagainstITSecurityandprivacy

breachrisks;

?Consumer'sdataflowcontroltoandfromthevehiclebyopt-in,opt-outfeatures.

Theso-calledCommonCriteriashallbeusedtogetthenecessaryassuranceintothecorrect

implementationoftheOTP'ssecurityfunctions.AsinternationalISOstandard,custom-tai-

loredforEuropebytheSOG-ISagreementandcombinedwiththenewEuropeanCyber

SecurityAct(CSA),CommonCriteriawillbeacceptedbyallEuropeanMemberStatesas

wellasbymanynationsworld-wide.Aformalrequirementdocument,calledaProtectionPro-

file(PP)inaccordancewithCommonCriteriaisavailable,summarizingthemainsecurity

featuresoftheAutomotiveGatewayastheprinciplesecuritycomponentoftheOTP.This,

togetherwithend-to-endencryptionofcommunicationmessagesfromandtothevehicleshall

helptoensureastate-of-the-art,affordablevehiclesecurity.

FIARegionIReportPage5of69

FEDERATIONINTERNATIONALEDEL'AUTOMOBILE

REGIONI-EUROPE,THEMIDDLEEASTANDAFRICA

OTPSecurityV1.022020-06-02T/

1Introduction

1.1Motivation

Roadsafetyandenvironmentalprotectionhavedriveninnovation,investment,growthand

jobsincarmanufacturing.Today,informationtechnologyisthekeyinnovationdriverof

connectedvehicles.Technologyhasakeyroletoplayinincreasingsafety,mobility,environ-

mentalprotectionandcomfort.Thesafetyapplicationsorassistancesystemsareprimarily

intendedtopreventaccidents,includingwarningsofdangerspots(e.g.endoftrafficjams,

breakdownvehicles).Up-to-datetrafficinformation,obtainedthroughthedevelopmentofve-

hiclecommunication,enablestime-optimizedrouteplanning,thusimprovingmobility.Such

systemscanimprovetrafficfluidity,thuslimitingtheimpactofmobilityontheenvironment.

Whilsttrafficisduetoincreaseintheyearstocome,technologyiscrucialtooptimiseflows

andmakethebestuseofexistinginfrastructure.

InformationTechnologycanofferdirectaccesstoin-vehicledata,functionsandresources,

thusenablingmobilityClubstodeveloplocaldiagnosticsandremotediagnosticsupportin

caseofbreakdowns.Theestablishmentofanover-the-airconnectionwiththedriverviathe

built-inHuman-MachineInterface(HMI)mayprovisionallyresolvetherootcauseofthebreak-

downwithoutphysicalaccesstothevehicle:e.g.,thehelpdeskdiagnosticianqueryingthe

car'son-boarddiagnosticsystemandremotelyactivatingsomefunctionslike,forinstance,

openingandclosingofavalve.Suchfixeswillsignificantlyreduceresponsetimeaftera

breakdown,thusincreasingconvenienceofroadusersandlimitingcostsforserviceprovid-

ers,suchasmobilityclubs.

NewUse-Casesmayalsoemergetopreventbreakdownsfromevenhappening,thusincreas-

ingconvenienceforusers,andimprovingroadsafety.ManyIndependentServiceProviders

(ISP)arealsosetting-upsystemsforprognostics,meaningthatthecriticalsafetyandenvi-

ronmentalvehiclefunctionscouldcontinuouslybemonitoredwiththedrivers'/owners'con-

sent.Suchmonitoringcouldhelpidentifypotentialfailuresinadvance,thusavoidingbreak-

downsontheroadaltogether.Efficientprognosticsrequiredirect,remoteaccesstothevehi-

cle'sdata,functionsandresourcesbyauthorisedISPs.

However,hisIT-inducedchangeentailsnewchallengesforboththeITsecurityagainst

hackerattacksanddataprotection,sincealldatageneratedbyvehiclesandleavingthecar

arepersonaldatasincetheycaneasilybeconnectedtothevehicleidentificationnumber,the

licenseplate,orotheridentifiersofthevehicle'sdriverorowner.

Digitalplatformsplayacentralroleinthedevelopmentofinnovativebusinessareasandem-

ploymentopportunities.Bycollectingdatafromthevehicleanditsusersifthedriver/owner

gavetheirconsent,theoperatorsoftheseplatformswillwanttoprocessthisdata,inorderto

providefurtherinformationanddata-basedservicesinsidethecar.Inallcases,theEuropean

GeneralDataProtectionRegulation(GDPR)protectstheconsumerfromdatabeingmisused

forpurposesthedriver/ownerdoesnotconsentto.Theconsumershouldinmostcases-with

exceptionofeCallandotherfuture,legallyobligatoryfunctions-havethepossibilitytoopt-

in/opt-outtodataleavingandenteringthevehicle(consumerinthepilotseatofthevehicle's

dataflows)[EDPB1-3].Newandinnovativeideasarenowincreasinglychallengingexisting

FIARegionIReportPage6of69

FEDERATIONINTERNATIONALEDEL'AUTOMOBILE

REGIONI-EUROPE,THEMIDDLEEASTANDAFRICA

OTPSecutityV1.022020-06-02T/

conceptssuchasthevaluechainorlegalrelationshipsbetweenmanufacturer,dealer,plat-

formoperatorandISPontheonehandandthevehicleowneranddriverontheother.

Vehiclemanufacturersdevelopthecontrolunits'softwareandinstallitinthevehiclewhen

itisplacedonthemarket.Theyarethereforeinaprivilegedpositiontocollectandprocess

vehicle-relateddatafromactuators,sensorsandprocesses.Consequently,manufacturers

haveadditionalinformation,thetechnicalknowledge,andthefactualpossibilitytoestablish

adirectconnectiontothevehicleanditsusers.However,thisspecialpositionofthemanu-

facturerdoesnotmakethemthesoledatacontrollerofavehicle.VehicleManufacturershave

beenofferingseveraladditionalservicesalongsidethemandatoryeCallsince2018,based

onB2Ccontracts.Suchservicesincludejourneysplanning,vehiclemaintenance,keeping

thesoftwareup-to-dateandnewinfotainmentoptions.Inthisnewdigitalera,vehiclemanu-

facturers'businessmodelsarethereforeshiftingfrombeingthetraditionaldesignerandas-

semblerofavehicletowardsanewenvisagedroleasdataassetowner,dataflowcontroller

andaftermarketserviceprovider.

SinceISPsdonothaveequal,directaccesstoin-vehicledata,functionsandresources,and

tothedriver/owner-oronlywithgreatdifficultypendingvehiclemanufacturerapprovaland

paidcontractthevehiclemanufacturersdefactobecomedataoligopolists.Innovationcur-

rentlyhingesonthevehiclemanufacturers'paceofproductdevelopment.Applicationssuch

asthoseenablingV2Xor"CooperativeIntelligentTransportSystems"(C-ITS),improvingmo-

bilitysafetyandsustainabilitywillrequiretofullyunlockthetechnology'sinnovationpotential

andopenaccesstovariouslevelsofdataforvariousplayers.Thetechnologywillnotyield

resultsunlessequalconditionsareestablishedforallcompetitorswithdata-basedbusiness

models,includingthevehiclemanufacturersintheirnewrole.

Thesegoalscanonlybeachievedbyestablishinguniformandbindingspecificationsandby

implementingauniformITsecuritystandardforthefuturedataexchangeviathevehicle's

telematicsorcommunicationinterfaces.SpecificationsandITstandardsarekeytobeable

toaddresstwootherchallengesoftodays'connectedworld:

1.DistributedFunctionalities

IntheInternet-of-Things(loT)era,thefunctionalitiesanddataofconnecteddevicesare

notexclusivelylocatedinthedevicesthemselveswithaninterfacetotherestofthedigital

world.AnloTdevicecouldmorelikelybeseenasapartofthedigitalworld.Manyfunc-

tionalitiesandtheircorrespondingdataofloTdevicesaredistributed

?inthebackendsystemsoftheassociatedsmartservicesofthevendoraswellas

?onmobiledeviceapps

Thisdistributionoffunctionalitiesanditsdatamakesitdifficulttobuildupsecurityzones

aroundallspreadassetsthatshouldbeprotected(chapter3.2).

2.EverythingisPossible(EiP)

AddingnewfunctionalitiestoadeviceisoneofthemainfeaturesoftheloT.Adevicethat

isboughttodaywillbeabletointegratemanyadditionalusecasesthankstoupdatesand

interconnectedfunctionalitiesfromsmartservices.Mostoften,this"valueaddedservice"

featureresultsfromfullaccesstoanypartoftheloTdeviceincombinationtodistributed

functionalitiesmentionedabove.This"fullaccess"ismostoftenimplementedwithalow

levelofprotection,tocaterforfutureupdates.Suchbasiclevelprotectioncouldonlybe

FIARegionIReportPage7of69

FEDERATIONINTERNATIONALEDEL'AUTOMOBILE

REGIONI-EUROPE,THEMIDDLEEASTANDAFRICA

OTPSecurityV1.022020-06-02

tolerableforlesscriticaldevices,suchassmarthomedevices,asitwouldentailtoomuch

inherentsafetyriskformanycriticalusecases.Formostofthedevices,thepossibilityfor

anyonetoswitchtoan^administratormode"withoutbeenrecognizedbysomeoneelse

whowillreactinanappropriateway,couldresultinthe''everythingispossiblemode”(EiP

mode):Elevatordoorscouldopenwithoutcabinbehind,speedlimitede-bikessupported

theirridersevenonhigherspeedsandvoicecontrolinsmarthomebecamesurveillance

stations.

ThisalsoappliestotheconnectedvehiclerepresentingthemostcomplexloTdeviceofa

consumer.Inaconnectedvehicle,dataflowsfromthevehicletothebackendsystemsand

possiblybacktotheuser'ssmartphone,tothevehicleHMIandtothirdPartyProviders.With

therollingoutofC-ITS,theroadwillbefloodedwithbroadcastingmessagesofmostroad

usersandtrafficsigns.Asmoreinformationwillbespread,theywillcaterforbroaderdistrib-

utedfunctionalities.AnEiPmodeshallbeavoidedasasevereexploitlikeitwasillustratedin

thereport[WHICH]forinstance.

Toaddressthischallenge,theautomotiveindustryfirstproposedthe"ExtendedVehicle"

(ExVe),whichwasdeemedsub-optimalintheTRLstudyfortheEU[TRL].Accordingtothis

study,thebestsolutionwasthesocalled“On-BoardApplicationPlatform"(OBAP),which

keepsthecontrolinsidethevehicle.TheOTPgivesconcretesolutionofanOBAPfromthe

ITsecurityaswellasfromthedataprotectionview.Itisdesignedtoachievethefollowing

goals:

?ProtectionagainstCybersecurityincidents

?Dataprotection(fundamentalrighttodataprotection,consumerempowermentand

freedomofchoice)

?Implementationofthe'Separationofduties"principle,whichallowsthevehicle

owner/drivertomakefreechoices

1.2StructureoftheDocument

Thisreportisstructuredasfollows:

?Chapter1-Introduction

?Chapter2-ChallengesofConnectedVehicles:CurrentState-ofthe-artautomotive

communicationconceptsandresultingchallengesrelatedto

ototheconnectedcarand

otoC-ITS.

?Chapter3-ITSecurityModels

?Chapter4一"OTP-SecurityConcept"introducingahighlysecureddataaccess

conceptmanagedbyanAutomotiveGateway(A-GW)

?Chapter5-ThechapterJAuditandRatings"providesrecommendationsforpossi-

bleaudit,evaluationandcertificationschemesofthepresentedOTP

?Chapter6-AsuggestionofaRoadmaptoimplementthesecureOTP

FIARegionIReportPage8of69

FEDERATIONINTERNATIONALEDEL'AUTOMOBILE

REGIONI-EUROPE,THEMIDDLEEASTANDAFRICA

OTPSecurityV1.022020-06-02

2ChallengesofConnectedVehicles

Giventhecentralroleofthecarinpeople'smobility,increasedconnectivityanditspotential

isdrawingalotofpublicinterest.Variouspartiesarealreadyintroducingvariousconcepts,

thuspresentingdifferentwaysofmakinginterconnecteddrivingtomorrow'sreality[TRL].The

firstpartofthechaptergivesanoverviewofnetworkeddriving,whilstthreedifferentconcepts

arepresentedinchapter2.2.Thelastsectionisdedicatedtodiscussingpros-andconsof

thethreesolutions.

2.1GeneralConceptandPotentialVulnerabilities

Moreandmorecarshavealreadyintegratedassistancefunctionssuchasautomaticparking,

adaptivespeedcontrolorlane-keeping.Theseadvanceddriverassistancesystemscanal-

readybeassignedtoacertainlevelofautomateddrivingleveldescribedin[SAEJ3016]and

referencedin[ENISA1,2]:

?Humandrivermonitorsdrivingenvironment:

1.NoAutomation

2.DriverAssistance

3.PartialAutomation

?Automateddrivingsystemmonitorsdrivingenvironment

4.Conditionalautomation

5.Highautomation

6.Fullautomation

AccordingtotheViennaConventionofroadtrafficsafety,eachvehiclemusthaveadriver,

whoisalwaysinfullcontrolandresponsibleforthevehicles5behaviourintraffic.Thismeans

thatanupdateoftheconventionwillbeneededforSAEautomation4andbeyond.However,

somevehiclesalreadycandriveautonomouslyon(somestretchesof)freeway,aswellasto

performon-andoff-rampsintheUSAandCanada.Thisincludesindependentblinking,

changinglanesandadjustingthespeedtothemovingtraffic,whichareenabledbyavariety

ofvisioncameras,ultrasonicsensorsandradardevices.Additionalhardwareisusedtopro-

cessandanalyseallinformationcollectedandto