Securing automotive systems is no news, the need to secure VANETs neither. However, the more use cases for connected, cooperative and autonomous vehicles surface [1], the more important it is to expand cyber security with resilience. There may be many definitions or descriptions extending traditional cyber security measures to cyber resilience, some research calls related techniques merely reaction techniques, other frameworks describe the related techniques in more detail, e.g., [2,3]. All have in common, extending the vehicle’s connectivity and therefore, exposing the in-vehicle network (IVN) to the Internet requires not only preventive measures, but also reactive measures in case things go wrong and the attacker successfully misuses a service/functionality or succeeds to compromise a connected server, another vehicle to send wrong warnings, or infrastructure, such as road side units or even charging stations connecting the vehicle to critical infrastructure such as the power grid. In some cases, it may be even necessary to reduce the vehicle’s functionality to limit the attackers’ actions.

There are several challenges and threats that may need to be addressed separately, however, it highlights the complexity of future mobility solutions. By just looking at the well-known demonstration where an artist pulled 99 Android phones in a cart to make Google maps think there is a traffic jam, highlights how far beyond we need to think [4].

A first step is to be able to categorise possible attacks towards mobility solutions around cars. Attacks been modelled and described in various research publications, e.g., [5,6]. In [6], for instance, the researchers perform a literature review and establish a taxonomy in which they categorise automotive attack mechanisms into eight main categories, namely engage in deceptive interactions, abuse existing functionality,manipulate system resources, inject unexpected items,employ probabilistic techniques, manipulate timing and state,collect and analyse information, and subvert access control. These categories are further broken down into sub-categories describing the attacks more detailed. For example, this taxonomy identifies manipulation of human behaviour, as a sub-group of engage in deceptive interactions and therefore, also finds a suitable category for the Google maps attack.

The next steps are complex, and many are still researched, as we need to address safety and security as well as the fact that such a system needs to be considered, evaluated, protected against, and prepared for malicious activities on several levels, ranging from a single vehicle, the connected vehicle, and the vehicle as part of mobility solutions and our society aiming to efficiently utilise and manage the transportation infrastructure. Modelling how such a systems of systems environment is affected by misuse and disinformation and how to deal with it is challenging and requires more research.

[1] Qafzezi E., Bylykbashi K., Ampririt P., Ikeda M., Matsuo K., and Barolli L. “A Survey on Advances in Vehicular Networks: Problems and Challenges of Architectures, Radio Technologies, Use Cases, Data Dissemination and Security”, Advanced Information Networking and Applications (AINA) 2022, https://link.springer.com/chapter/10.1007/978-3-030-99619-2_56
[2] Sterbenz, J.P.G., Hutchison, D., Çetinkaya, E.K. et al. Redundancy, diversity, and connectivity to achieve multilevel network resilience, survivability, and disruption tolerance invited paper. Telecommun Syst 56, 17–31 (2014). https://doi.org/10.1007/s11235-013-9816-9
[3] T. Rosenstatter, K. Strandberg, R. Jolak, R. Scandariato and T. Olovsson, ”REMIND: A Framework for the Resilient Design of Automotive Systems,” 2020 IEEE Secure Development (SecDev), 2020, pp. 81-95, doi: 10.1109/SecDev45635.2020.00028.
[4] Alex Hern, “Berlin artist uses 99 phones to trick Google into traffic jam alert”, the Guardian, 2020, https://www.theguardian.com/technology/2020/feb/03/berlin-artist-uses-99-phones-trick-google-maps-traffic-jam-alert
[5] Limbasiya T., Teng K. Z., Chattopadhyay S., and Zhou J. “A Systematic Survey of Attack Detection and Prevention in Connected and Autonomous Vehicles” in arXiv:2203.14965, https://arxiv.org/abs/2203.14965
[6] Pekaric I., Sauerwein C., Haselwanter S., and Felderer M. “A taxonomy of attack mechanisms in the automotive domain” in Computer Standards & Interfaces, Volume 78, 2021, https://doi.org/10.1016/j.csi.2021.103539

Written by Thomas Rosenstatter

Facebooktwitterredditlinkedinmail