Here are some interesting projects that are worth your attention. These projects are funded by the FFI Automotive Security and Privacy Program. The list is as follows:
We have some results to share! Please visit HOLISEC Results for more information.
HoliSec – Holistic Approach to Improve Data Security
With the advent of connected and autonomous vehicles, security is of increasing importance to the automotive industry. However, security is very hard to address, despite being directly linked to two of the industry's most important attributes, quality and safety. As a result, there are no clear processes to follow for secure automotive software development, and the influence of security mechanisms on safety still needs investigation. Appropriate handling of security issues in the automotive industry can potentially lead to increased competitive advantage, revenue, and uptime.
We will develop integration-ready security development processes that are aligned with existing safety processes, verification & validation methods that address security, investigate the properties of security mechanisms, and look at methods to secure both wired and wireless communication. We will take a holistic approach that is new to the vehicle industry, making sure that security requirements are visible and influence all steps in the development chain, from early development to the late testing phases.
The academic partners will deliver several publications at both scientific and automotive conferences. From an industrial perspective, the project will result in processes, methods, tools, models, and guidelines to reach the industry goal of “security by design”. Common processes and methods within the industry aid communication between OEMs, academia, and suppliers, reduce lead times and complexity, make test results comparable between parties, simplify requirements handling, and increase overall knowledge of how to work with security in systematic ways.
The project will also arrange activities in the form of seminars and workshops to increase the awareness and knowledge about security, as well as disseminate results at external conferences and events. Results from the project will be demonstrated using proof of concept demonstrators.
The HoliSec consortium consists of ArcCore, Assured, Chalmers, SP, Volvo Car Corporation, Viktoria ICT and Volvo AB, with Volvo AB being the project coordinator.
We have some results to share! Please visit Threat MOVE Results for more information!
The increasing level of computerization makes modern vehicles vulnerable to cyber attacks. Software-based tools for threat modeling and simulation can be used to assess the probability that an attacker manages to reach different parts of the vehicle system. However, today there are no such tools for the transport domain. The goal is to develop a threat modeling and simulation language that allows for real-world modeling and simulation of vehicle information system attacks, as well as implementing and testing the language with real-world systems. This will help automotive IT security to be modeled and simulated in both design and operational phases, thus contributing to increased understanding of security challenges and risks. The proposed approach could well be a future best practice for the Swedish automotive industry.
The expected result is thus a threat modeling and simulation language for vehicle IT. This language is meant to be freely available to the automotive industry, academia and other interested parties. Furthermore, the language will be concretized as a module in the securiCAD software from foreseeti. The work will build up security skills in general and for vehicle IT specifically. Several research articles will be published where methods and models are presented and validated with use cases.
The project is expected to last from October 2017 to September 2021 and is divided into eight work packages: (i) project management, (ii) development of a framework for the domain-specific language, (iii) design of the domain-specific modeling and analysis language for security in automotive IT, (iv) implementation, (v) iterative testing and validation of the domain-specific language, (vi) tool chain integration, (vii) vehicle security parameters, and (viii) dissemination. The work will be done iteratively.
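The kind of analysis described above, estimating the probability that an attacker reaches a given part of the vehicle, is usually done by Monte Carlo simulation over an attack graph. The following is an added example written for this page; it is not the Threat MOVE language and not securiCAD code. The vehicle architecture, the node names and the time-to-compromise values are constructed for illustration, and the exponential step-time model is a simplifying assumption.

```python
import heapq
import random

# Constructed toy attack graph for a connected vehicle (illustrative only, not a
# real architecture): node -> list of (next_node, mean time-to-compromise in days).
# Each attack step is modelled with an exponential distribution, a common
# simplifying assumption in probabilistic attack simulation.
VEHICLE_GRAPH = {
    "internet": [("telematics_unit", 5.0)],
    "telematics_unit": [("central_gateway", 20.0), ("infotainment", 3.0)],
    "infotainment": [("central_gateway", 15.0)],
    "central_gateway": [("powertrain_can", 2.0)],
    "powertrain_can": [("brake_ecu", 1.0)],
    "brake_ecu": [],
}


def sample_shortest_ttc(graph, source, rng):
    """One simulation run: sample a time for every attack step the attacker
    tries, and return the earliest time at which each node can be reached
    (Dijkstra over the sampled step times)."""
    best = {source: 0.0}
    heap = [(0.0, source)]
    while heap:
        t, node = heapq.heappop(heap)
        if t > best.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, mean_ttc in graph.get(node, []):
            arrival = t + rng.expovariate(1.0 / mean_ttc)
            if arrival < best.get(nxt, float("inf")):
                best[nxt] = arrival
                heapq.heappush(heap, (arrival, nxt))
    return best


def reach_probability(graph, source, target, horizon_days, runs=5000, seed=1):
    """Monte Carlo estimate of P(attacker reaches `target` within `horizon_days`)."""
    rng = random.Random(seed)
    hits = sum(
        1 for _ in range(runs)
        if sample_shortest_ttc(graph, source, rng).get(target, float("inf")) <= horizon_days
    )
    return hits / runs


def with_defence(graph, removed_steps):
    """Model a defence (for example a gateway firewall rule that blocks the
    infotainment-to-gateway path) by removing the attack steps it prevents."""
    return {
        node: [(nxt, ttc) for nxt, ttc in steps if (node, nxt) not in removed_steps]
        for node, steps in graph.items()
    }


if __name__ == "__main__":
    base = reach_probability(VEHICLE_GRAPH, "internet", "brake_ecu", 30)
    hardened = with_defence(VEHICLE_GRAPH, {("infotainment", "central_gateway")})
    print(f"P(brake ECU compromised within 30 days): {base:.2f}")
    print(f"... with infotainment-to-gateway path blocked: "
          f"{reach_probability(hardened, 'internet', 'brake_ecu', 30):.2f}")
```

Comparing the two probabilities is the point of such a tool: a defence is evaluated by how much it lowers the chance of reaching a safety-relevant ECU within a realistic time horizon, not by whether it exists. Real languages in this space also model defences as probabilities and use step-time distributions calibrated from data rather than guessed means.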
The vehicle industry is going from traditionally isolated to open systems. As vehicles continuously increase their connectivity to the surrounding world, becoming part of the Internet of Things, exposure becomes potentially world-wide and attacks may happen with speed and scale not possible before.
Adopting secure development techniques provides organizations with a generic level of assurance against the above-mentioned attacks. The key research question at the core of this project is, however, how a project manager can get precise assurance based on material, project-specific evidence that a system being developed is secure enough and can be released.
The goal is to provide managers with a tool to make go/no-go security decisions on product delivery. Such decisions are currently based on experience and intuition, while we aim at supporting evidence-based decisions. The key contribution of this project is a methodology to build security assurance cases.
Security assurance cases (a.k.a. security cases) have been suggested in the past and also described by standards like ISO 15026. However, there is a research gap on how to practically build them. This project will address that gap by providing an answer to the following questions, especially in the automotive domain:
* What evidence needs to be collected throughout the software development process (code and design metrics, test results, code verification results, traceability information across artifacts, development effort figures, to name a few).
* How to build the security assurance argumentation from the available evidence.
Further, the automotive industry is going in the direction of defining security levels similarly to Automotive Safety Integrity Levels (ASIL). For instance, this is a research direction in FFI HoliSec. Therefore, we will investigate argumentation patterns that are specific to the different security levels (typically 5 levels). The methodology will also consider ways to build assurance cases at several levels of abstraction (e.g., subsystem vs function vs complete vehicle).
We acknowledge the existence of important trends in the automotive industry, like agility and continuous delivery. In this respect, the methodology should integrate rather than excessively constrain the agile activities.
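The two questions above, which evidence to collect and how to assemble it into an argument that supports a go/no-go decision, can be illustrated with a minimal machine-checkable assurance case. The code below is an added example for this page, not the project's methodology or any standard notation; the claims, evidence names and the telematics-unit scenario are constructed. The useful property it demonstrates is that an argument with an undeveloped claim cannot yield a "GO", which is what separates evidence-based release decisions from intuition.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Evidence:
    """One piece of project-specific evidence, e.g. a test report or a metric."""
    name: str
    kind: str        # e.g. "test_result", "static_analysis", "traceability", "metric"
    passed: bool     # did the evidence come out in favour of the claim?


@dataclass
class Claim:
    text: str
    evidence: List[Evidence] = field(default_factory=list)  # direct support
    subclaims: List["Claim"] = field(default_factory=list)  # decomposition


def evaluate(claim: Claim, path: str = "") -> Tuple[bool, List[str]]:
    """Bottom-up evaluation. A claim is supported when every sub-claim is
    supported and every piece of direct evidence passed; a claim with neither
    sub-claims nor evidence is an undeveloped gap in the argument."""
    here = f"{path} > {claim.text}" if path else claim.text
    if not claim.subclaims and not claim.evidence:
        return False, [f"undeveloped claim: {here}"]
    supported, gaps = True, []
    for ev in claim.evidence:
        if not ev.passed:
            supported = False
            gaps.append(f"failed evidence '{ev.name}' ({ev.kind}) for: {here}")
    for sub in claim.subclaims:
        sub_ok, sub_gaps = evaluate(sub, here)
        supported = supported and sub_ok
        gaps.extend(sub_gaps)
    return supported, gaps


def release_decision(top: Claim) -> Tuple[str, List[str]]:
    """Go/no-go: release only when the whole argument is supported."""
    ok, gaps = evaluate(top)
    return ("GO" if ok else "NO-GO"), gaps


def build_example_case(key_storage_evidence: Evidence = None) -> Claim:
    """Constructed, hypothetical assurance case for a telematics unit.
    The third threat claim is left undeveloped unless evidence is supplied."""
    tls_threat = Claim(
        "T1: remote code execution via the TLS stack is mitigated",
        evidence=[
            Evidence("tls-fuzzing-campaign-report", "test_result", passed=True),
            Evidence("static-analysis-no-high-findings", "static_analysis", passed=True),
        ],
    )
    update_threat = Claim(
        "T2: unauthorised firmware update is prevented",
        evidence=[Evidence("update-signature-verification-tests", "test_result", passed=True)],
    )
    key_storage = Claim(
        "T3: long-term keys cannot be extracted from the unit",
        evidence=[key_storage_evidence] if key_storage_evidence else [],
    )
    return Claim(
        "The telematics unit is acceptably secure for release",
        evidence=[Evidence("security-requirements-to-tests-traceability-matrix",
                           "traceability", passed=True)],
        subclaims=[Claim("All threats identified in the threat analysis are mitigated",
                         subclaims=[tls_threat, update_threat, key_storage])],
    )


if __name__ == "__main__":
    decision, gaps = release_decision(build_example_case())
    print(decision, *gaps, sep="\n  ")
```

In practice the evidence objects would be generated from the pipeline (test reports, analysis results, traceability exports) rather than typed in, so that the case is re-evaluated on every build, which is what makes the approach compatible with agile and continuous-delivery workflows.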
WHERE WE’RE GOING, WE DON’T NEED ROADS. AUTOMOTIVE CYBERSECURITY IS THE FAST LANE!
As today’s vehicles become increasingly connected and automated, the opportunity for new cyber attacks has become a real threat. The automotive industry needs software developers who understand how these attacks work, and how to protect against them.
SUFFI is a cybersecurity education program for automotive software professionals. The training intends to give its audience theoretical and practical knowledge of how to discover and protect against automotive-specific security vulnerabilities. The program is targeted at automotive software developers with an interest in cybersecurity.
Three occasions will be available in fall 2018. If you are interested in participating in the program, please visit SUFFI’s page for more information and registration.
SUFFI-Cybersecurity education for automotive software professionals is a project financed by VINNOVA.
Cyber Resilience for Vehicles (phase 1)
The introduction of autonomous and connected vehicles has brought new cybersecurity challenges to the automotive industry and put requirements on the dependability of vehicles in the presence of cyber-attacks. CyReV phase 1 is part of a larger proposal, which focuses on cybersecurity for automotive in-vehicle systems in a changing environment.
Aim and goal
- Design a reference architecture for resilient vehicles, including research on architecture design principles for resilient vehicles
- Investigate novel techniques for on-line attack analysis
- Incorporate machine learning techniques into anomaly-based intrusion detection systems (IDSs) to describe normal and abnormal behaviour of traffic systems
- Study defence-in-depth strategies that enable the vehicle to prevent and detect cybersecurity attacks
- Investigate forensics techniques for post-attack investigations
- Perform interplay analyses between non-functional requirements such as safety and security
Vehicular systems will always be a target for attackers, so the ability to design for security and safety is of the utmost importance. We must design vehicles in such a way that they continue to function in a malicious environment, for instance when facing malicious actions from other entities. To do so, we need to detect and react to security incidents in vehicular systems.
Expected results
- A reference architecture for resilient vehicles, along with metrics to quantify and evaluate the novel design
- In-vehicle intrusion detection system techniques suitable for the resilient architecture
- Data-driven modelling techniques to describe normal and abnormal behaviours of the traffic systems
- Data collection techniques as enablers for post-attack investigations
- Novel forensics techniques that enable the vehicle to understand the root cause of ongoing attacks
- Verification and validation strategies suitable for evaluating resilient vehicles
- Interplay analysis between safety and security in the context of vehicle resiliency
- Utilization of results in the design of next generation vehicle architectures.
- Providing the Swedish automotive industry with techniques, methods and tools to maintain the safety and security of modern connected and autonomous vehicles when facing threats of evolving cyberattacks.
- Bringing together Swedish automotive players in passenger and commercial vehicles, suppliers as well as research institutes.
- Developing a reference architecture for vehicles resilient to cyberattacks including principles, metrics and design requirements necessary to support resilience.
- Dissemination of results in the form of arranged seminars and workshops, knowledge sharing within the consortium, scientific articles and master/PhD theses. Some of the project results will also be demonstrated using proof of concept.
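The anomaly-based in-vehicle intrusion detection listed among the aims and expected results above is most often approached by modelling the timing of periodic CAN traffic. The following is an added example written for this page, not code from CyReV or its partners. It learns the mean and spread of inter-arrival times per CAN identifier from constructed candump-style log lines (all frames, identifiers, payloads and timings here are made up), then flags frames whose timing deviates by more than a z-score threshold, as well as identifiers never seen during training. A floor on the learned standard deviation is the practical caveat: bus traffic with almost no jitter would otherwise turn every tiny deviation into an alert.

```python
import math
import re
from collections import defaultdict

# candump-style text frame: "(timestamp) interface id#payload"
FRAME_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")


def parse_frame(line):
    """Return (timestamp, can_id, payload_hex) or None for lines that do not parse."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    return float(m.group(1)), m.group(2).upper(), m.group(3)


def inter_arrival_gaps(lines):
    """Per CAN id, the list of gaps between consecutive frames with that id."""
    last, gaps = {}, defaultdict(list)
    for line in lines:
        parsed = parse_frame(line)
        if parsed is None:
            continue
        ts, can_id, _ = parsed
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return gaps


def train(lines, sigma_floor_ratio=0.1):
    """Learn (mean, std) of inter-arrival time per id from attack-free traffic.
    The std is floored at a fraction of the mean so that near-perfectly periodic
    ids do not produce alerts on harmless sub-millisecond jitter."""
    model = {}
    for can_id, g in inter_arrival_gaps(lines).items():
        mean = sum(g) / len(g)
        var = sum((x - mean) ** 2 for x in g) / len(g)
        model[can_id] = (mean, max(math.sqrt(var), sigma_floor_ratio * mean))
    return model


def detect(model, lines, z_threshold=4.0):
    """Flag unknown ids and frames whose inter-arrival time is anomalous
    (too fast = injection/flooding, too slow = suppression)."""
    alerts, last = [], {}
    for line in lines:
        parsed = parse_frame(line)
        if parsed is None:
            continue
        ts, can_id, _ = parsed
        if can_id not in model:
            alerts.append((ts, can_id, "unknown CAN id"))
            continue
        if can_id in last:
            mean, std = model[can_id]
            z = (ts - last[can_id] - mean) / std
            if abs(z) > z_threshold:
                alerts.append((ts, can_id, f"timing anomaly z={z:.1f}"))
        last[can_id] = ts
    return alerts


def build_training_log(cycles=200):
    """Constructed attack-free traffic: id 1A0 every 10 ms (0.1 ms jitter),
    id 2B0 every 50 ms."""
    lines = []
    for i in range(cycles):
        t = 0.010 * i + 0.0001 * math.sin(i)
        lines.append(f"({t:.6f}) can0 1A0#0000{i % 256:02X}00")
        if i % 5 == 0:
            lines.append(f"({t + 0.0003:.6f}) can0 2B0#11223344")
    return lines


def build_attack_log():
    """Constructed attack: 20 spoofed 1A0 frames 1 ms apart, plus one frame
    with an id (3C0) that never appears on the bus normally."""
    lines = build_training_log(cycles=100)
    lines += [f"({0.5005 + 0.001 * k:.6f}) can0 1A0#DEADBEEF" for k in range(20)]
    lines.append("(0.700500) can0 3C0#00")
    lines.sort(key=lambda l: parse_frame(l)[0])
    return lines


if __name__ == "__main__":
    model = train(build_training_log())
    for alert in detect(model, build_attack_log()):
        print(alert)
```

Note that the legitimate 1A0 frames interleaved with the injected burst are flagged too, because their gap to the preceding (spoofed) frame is short; timing-based detectors locate an attack window rather than the individual spoofed frames, and payload- or source-based features are needed to tell them apart.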
For more information about the project, please see the project homepage at ri.se.
Contact person: Behrooz Sangchoolie, RISE