1.
2018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
2018-03-13
Alexander Much, Rudolf Grave
Safety and Security Aspects of
Automotive High Performance
Controllers

2.
22018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Changes in E/E architecture
Safety
Security
Outlook
Agenda
Safety and Security Aspects of Automotive High Performance Controllers

3.
2018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Changes in E/E architecture

4.
42018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
We need to completely re-think the E/E architecture:
• Domain or zonal architectures
• Centralized computing units
• High-speed, reliable and dependable networking
• Connected vehicle within infrastructure eco-systems
What comes first?
Mobile on Wheels or Wheels on Mobile?
Safety and Security Aspects of Automotive High Performance Controllers
Source: https://pxhere.com/en/photo/1064249, CC0 Public Domain
Cloud and mobile first!

5.
52018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Most prominent answer:
„Of course, my car!“
People don‘t realize:
• How many security solutions are in today‘s phones
• Cloud and phones set the „state-of-the-art“
• ... not cars!
What needs to be „more“ secure?
Phone and Cloud vs. Vehicle
Safety and Security Aspects of Automotive High Performance Controllers
Source: https://pixabay.com/en/smartphone-phone-castle-key-1868489/, CC0 Creative Commons

6.
62018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Evolution of E/E Architectures
Safety and Security Aspects of Automotive High Performance Controllers
today tomorrow future
Domain Architecture Centralized Architecture Zoned Architecture
• Signal based communication
• System of ECUs
• Predictable communication
• Function orientated topology
• Central computing nodes
• Mix of signal based and service
orientated communication
• Partly centralized functions
• Software upgradability
• IP/Ethernet communication
• Centralized applications/functions
• Computing power for AD and AI
• Anything anywhere (sensors/actors)
• Architecture follows software/ system
demands

7.
72018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
• Centralized computing platform (yellow)
• Zonal ECUs in a ring architecture (green)
• Actors and sensors (purple) connected via Zonal ECUs
• Applications are running on centralized computing
platforms, zonal ECUs sensors and actors provide
standardized service interfaces.
• Reduction in wiring / weight and cost
Zonal E/E Architecture
Safety and Security Aspects of Automotive High Performance Controllers
Zonal E/E Architecture
For comparison: Star Wiring

8.
82018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Connected E/E Architecture (Logical View)
Safety and Security Aspects of Automotive High Performance Controllers
UI
Computing
Cluster
Computing
Cluster(s)
Smart Antenna
Gateway IO Concentrators,
Actors, Sensors
Smart
Sensors
Smart
Sensors
Steering
Braking Battery
Engine
Back-end
System
Gigabit
Ethernet
Reliable ECU
Performance ECU
IO Concentrators
Back-end Server

9.
92018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Use-case: remote update
Safety and Security Aspects of Automotive High Performance Controllers
Architectural principles:
• Central external
connection
• Distribution of updates
across multiple ECUs
Supporting features
• Coordinated A/B Update
across ECUs
• Secure networks and
communication
• Layered security
architecture
Smart Antenna
Gateway
Back-end
System
Reliable ECU
Performance ECU
IO Concentrators
Back-end Server

10.
102018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Use-case: ADAS
Safety and Security Aspects of Automotive High Performance Controllers
Architectural principles :
• Separation between
planning and
performance parts
• Hierarchical safety
architecture
Supporting features
• ASIL-B performance
platform
• ASIL-D classic platform
• Hierarchical, distributed
runtime supervision
Smart Antenna
Gateway
Back-end
System
Reliable ECU
Performance ECU
IO Concentrators
Back-end Server

11.
112018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Principals of a future architecture
Safety and Security Aspects of Automotive High Performance Controllers
HPC = High performance controller
HPC-1 HPC-2 HPC-3
Horizontal deployment of functions
RT-SW RT-SW RT-SW RT-SW
“logic”-SW “logic”-SW “logic”-SW “logic”-SW “logic”-SW “logic”-SW
Computing
layer
Real time
and sensor/
actuator layer
Back-end
Vehicle API / Basic services / information layer
Every information anywhere” –
enables horizontal deployment
of services and updating
service.
 But need to be controlled
for safety and security reasons

12.
2018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Safety

13.
132018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Example: Fail-Operational Networking
Safety and Security Aspects of Automotive High Performance Controllers
Fault-tolerant communication
Redundant
communication
paths
Redundant paths
between Eth
switches (RedM or
IEEE 802.1CB)
Duplicate network
for CAN/FlexRay
(nodes connected
via 2 links)
Fault-tolerant application services Fault-tolerant
network services
Communication
path quality
Com SW quality:
focus on safety
related feature and
FFI to all other
parts
Com controller and
switch quality
Parallel active
service
Service instance A’
active
Service instance
A’’ active
B selects data
from A’ or A’’
based on priority
Primary/Backup
service
Primary instance
A’ active
Backup instance
A’’ in stand-by,
becomes active
when primary fails
(no heartbeat)
Critical service
with redundancy
(e.g. backup time
master)
Locked service –
no changes on
committed, critical
resources (e.g. ECU
shutdown lock,
network
bandwidth lock)

14.
142018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Separation of concerns:
• Performance
• Safety
• Security
Mixture of Classic and Adaptive:
• Safety closely related to real-
time domain
• Plenty of room for legacy
applications
High Performance Controllers: SW Architecture
Safety and Security Aspects of Automotive High Performance Controllers
AUTOSAR OS
Adaptive AUTOSAR
QM
App App
MCU
Classic AUTOSAR
Automotive-grade Hypervisor
Adaptive AUTOSAR
Safety
App
LINUX OS LINUX OS
Classic AUTOSAR
Safety
App
Safety Cores
Safety OS
Performance Cores
Performance Partitions for Vehicle & Consumer Functions Safety Partition
Security
TEE
App
Security HW
Trusted OS
Security Partition

15.
152018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Classic AUTOSAR
Components
Example: Distributed Health Management
Safety and Security Aspects of Automotive High Performance Controllers
Classic AUTOSAR
Components
Lockstep
Safety OS
WDG
Core CoreCore Core
Safety
Core
Safety
Core
Core…. CoreCore
Health
Control
Bootloader
Hypervisor
Privileged Partition
Adaptive AUTOSAR on
Linux
Health Manager
Vehicle Functions Partition
Adaptive AUTOSAR on Linux
Container
Vehicle
Function
Virtual
Resources
Container
Vehicle
Function
Virtual
Resources
Container
Vehicle
Function
Virtual
Resources
Pesistency
Manager
Execution
manager
Health
Manager
Diagnostic
Manager
Virtual
Resources
Physical Resources
….
Classic AUTOSAR
Safety
Core
Safety
Core
Lockstep
Safety OS
WDG
Health
Control
Classic AUTOSAR
Monitor Control

16.
2018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Security

17.
172018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Security >>> Safety
• Connectivity, Ethernet and High-Performance ECUs open the
car to new threats
• More data  more lucrative to attack
• Product development life-cycles (PLCs) don‘t suffice, a switch to
service life-cycles (SLCs) needed:
– Automotive quality assurance in DevOps environments?
– Regulatory clearance?
– Field monitoring and incident response management
– Third-party security observation, also for open source software
• Cars will need to be updated frequently
Which has more „impact“?
Safety and Security
Safety and Security Aspects of Automotive High Performance Controllers
Source: http://maxpixel.freegreatpicture.com/Virus-Computer-Word-Security-Trojan-Cloud-Cyber-2120014, CC0 Public Domain

18.
182018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Secure System Layers
Safety and Security Aspects of Automotive High Performance Controllers
Secure Environment
Secure External
Communication
Secure Network
Segmentation
Secure OnBoard
Communication
Secure Platform
Secure Boot
Secure Hardware Element
Secure Update / Diagnostics
- Applications
- Flashware
Separation / Isolation
- Memory Protection
- Scheduling Policies
- Access Control
AUTOSAR SecOC
Ethernet Security
Domain Separation
Trust Zones
IDS/ADS
Firewall
Secure External Channels
- TLS
Secure Logging Agent
Secure Backend Infrastructure

19.
192018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Limit the number of ECUs with off-board
connections
Restrict access to the network (I)
Safety and Security Aspects of Automotive High Performance Controllers
Today: multiple connections

20.
202018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
• Divide network into security zones, e.g. extern, “demilitarized”, internal.
• Restrict traffic between zones: Physical split or separation via VLANs:
Not only extern-intern, but also intern-intern, e.g. infotainment to powertrain
Restrict access to the network (II)
Safety and Security Aspects of Automotive High Performance Controllers
VLAN Tagging to separate external – internal
• External frames are tagged with an orange VLAN tag at the switch
• Only nodes assigned to the orange VLAN can receive frames from the
external tester
• Frames to be sent to external tester, are sent via the orange VLAN – the
switch at the gateway removes the orange VLAN tags before forwarding it
to the tester
VLAN Tagging to separate internal networks
• ECUs from Infotainment (blue VLAN), chassis (green VLAN) and
powertrain (yellow VLAN) can be separated
• Traffic between VLANs require a switch or Gateway
Tester

21.
212018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Example: Platform Security Layers
Safety and Security Aspects of Automotive High Performance Controllers
Operating Systems
Containers
Hardware
Classic
µC
HSM Performance µP SwitchSecure EnginePerformance Cores
Hypervisor
Processes
Resource Access Control
Intermediate Address Space
Separation (1st-Stage MMU)
Control Flow Integrity
Hardware Resource Separation
Physical Address Space Separation
2nd-Stage MMU
Scheduling Domains
Resource Constraints
Control Flow Integrity
Virtual Address Space
Crypto Accelerators
3 Core Logic (Secure, Public & PKA)
Dedicated RAM/ROM (key material)
eFuses
Life Cycle Management
Hardware Access Protection
Crypto AcceleratorsHSM (EVITA medium)
HIS SHE support
DoS prevention
VLAN Tagging
Static ARP tables
Monitoring Ports

22.
2018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Outlook

23.
232018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Outlook: Interesting Times...
Safety and Security Aspects of Automotive High Performance Controllers
machine learning crowed sourced data system of systems third party access
personalization shortened
development cycles
evolution after SOP new topics
new business models
?

24.
2018-03-13 | Funktionale Sicherheit und Security in der Fahrzeugelektronik 2018 | Public | © Elektrobit Automotive GmbH 2018.
All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
www.elektrobit.com
alexander.much@elektrobit.com
Get in touch!