
Congress Programme

Poster Presentation

F2010E035

Secure Automotive On-Board Electronics Network Architecture

Dr. Olaf Henniger, Fraunhofer Institute for Secure Information Technology, Germany
Dr. Ludovic Apvrille, Telecom ParisTech, France
Mr. Rachid El Khayari, Fraunhofer Institute for Secure Information Technology, Germany
Dr. Yves Roudier, EURECOM, France
Mr. Hervé Seudié, Robert Bosch GmbH, Germany
Dr. Benjamin Weyl, BMW Group Research and Technology, Germany
Dr. Marko Wolf, escrypt GmbH, Germany
Mr. Hendrik Schweppe, EURECOM, France

Automotive safety applications based on vehicle-to-vehicle and vehicle-to-infrastructure communication have been identified as a means for decreasing the number of fatal traffic accidents in the future. Local danger warning and emergency braking assistance are examples of such applications. These functionalities herald a new era of traffic safety. However, malicious attacks on the embedded IT systems and networks implementing those functionalities, and malicious interference with messages in transit between vehicles and infrastructures, such as sending fake messages and spoofing over the wireless network, may have dramatic consequences. Thus, the essential security objective is to maintain the intended operational performance of all vehicles and corresponding intelligent transportation systems in order to ensure the safety of the vehicle occupants and of other road users. Other relevant security objectives are to protect the privacy of vehicle drivers, to protect the intellectual property of vehicle manufacturers and their suppliers, and to prevent fraudulent commercial transactions and theft of vehicles.

This paper introduces a secure system architecture for automotive on-board electronics networks. It is based on work being done in the European research project EVITA [http://www.evita-project.org], the main objectives of which are to design, verify, and prototype such a secure architecture. Focusing on on-board network protection, EVITA provides the basis for and complements other e-safety related projects that focus on the protection of external vehicle communication (e.g. SEVECOM). A list of potential attacks and related security requirements served as the starting point for designing the secure on-board architecture. The attacks have been classified according to their risk level in order to choose adequate levels of protection against them. We have used a refinement-based approach for deriving in-car security mechanisms from the security requirements.
Security functions are partitioned between software and hardware with cost and security levels as major criteria. The secure storage of trust anchors and secret keys together with secure and trustworthy communication among in-car electronic components are the foundation for secure communication among cars or between cars and infrastructures. Therefore, the root of trust is placed in hardware security modules realized as extensions to automotive controllers or as dedicated security controller chips. This enables the reliable enforcement of application-specific security properties such as authenticity, confidentiality, or freshness.

This abstract is supplemented by a PDF, which can be viewed here.

Session: Intelligent Vehicle Systems