Post on 13-Apr-2017
1Spirent Communications
How to protect Ethernet based In-Vehicle Networks against security threats
Thomas Schulze
Spirent Communications - Automotive
Outline
The “Connected Car”
Risks and Concerns
Public and Private Domains
Security Implementation
Security Validation
The “Connected Car”
[Figure: in-vehicle network of the “Connected Car”. ECUs: ADAS ECU (front distribution), Gateway ECU (body domain), Head Unit ECU (infotainment), Amplifier ECU (rear distribution). Connected functions: telematics, navigation, ITS/DSRC, X by Wire, power train, radars, cameras, maintenance (OBD II). Bus legend: CAN, LIN, FR, Ethernet.]
Risks and Concerns
Risks and Concerns: The Media approach
Risks and Concerns: A “Realistic” approach
• The risk of attacks grows because of:
- Easier access through broader connectivity options
- Common communication protocols
- The “always connected” approach
- “Open” systems for feature-rich and easy-to-use applications
• The risk of attacks can be reduced through:
- Separation of Public and Private (safety related) Domains
- Security implementations and validation
- Careful assessment of customer usage and safety impacts
It’s nearly impossible to create a 100% secure communication network, but there are possibilities and ways to protect it!
Public and Private Domains
Public and Private Domains: Assignment of functionalities and applications
• Public Domain
- Telematics and Maintenance
- Infotainment
• Private Domain
- Driver Assistance
- Powertrain
- Chassis & Safety
- Body Electronics
Public and Private Domains: Private Domain Communication
• Restricted Devices
• No external access
• Unencrypted Data
[Figure: Private Domain (Driver Assistance, Powertrain, Chassis & Safety, Body Electronics) on Network 1]
Public and Private Domains: Public Domain Communication
• Restricted Devices (Telematics)
• Unrestricted Devices (Infotainment)
• External access
• Unencrypted Data
• Encrypted Data
• VPN Connections
[Figure: Public Domain (Telematics and Maintenance, Infotainment) on Network 2]
Public and Private Domains: Interconnection between Public and Private Domain
[Figure: Private Domain (Driver Assistance, Powertrain, Chassis & Safety, Body Electronics) on Network 1 interconnected with Public Domain (Telematics and Maintenance, Infotainment) on Network 2]
Security Implementation
Security Implementation: OSI Layer related Security Options
Security Implementation: OSI Layer related Security Options (Examples)
• OSI Layer 1 (Physical)
- Secured access to the Medium (huge effort needed for Vehicles)
• OSI Layer 2 (Data Link)
- Frame filtering (Unicast/Multicast; SA-DA check)
- 802.1Q – Virtual Local Area Network (VLAN)
- 802.1X – Network Access Control (NAC)
- 802.1AE – MAC Security (MAC level encryption)
- 802.1AR – Secure Device Identifier
- VPN – Virtual Private Network based on L2TP (unencrypted)
• OSI Layer 3 (Network)
- VPN IPsec SSL/TLS Encryption
• OSI Layer 4 (Transport)
- Packet filtering (SA-DA & Transport protocol)
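The Layer 2 options above (frame filtering with SA-DA check, unicast/multicast handling, 802.1Q VLAN) can be illustrated with a small ingress filter. This is an added example, not code from the slides; the port name, MAC addresses and policy layout are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed per-port policy (hypothetical values, not from the slides).
PORT_POLICY = {
    "port3": {
        "vlans": {4},
        "src": {bytes.fromhex("02000000a001")},
        "dst_unicast": {bytes.fromhex("02000000b001")},
        "dst_multicast": {bytes.fromhex("01005e000a01")},
    }
}

def parse(frame: bytes):
    """Return (dst, src, vid, ethertype); vid is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vid = None
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
    return dst, src, vid, etype

def filter_frame(port: str, frame: bytes) -> str:
    pol = PORT_POLICY.get(port)
    if pol is None:
        return "drop: unknown port"
    try:
        dst, src, vid, etype = parse(frame)
    except ValueError as err:
        return f"drop: {err}"
    if vid is None or vid not in pol["vlans"]:
        return "drop: vlan"          # untagged or wrong VLAN for this port
    if etype == TPID_8021Q:
        return "drop: nested tag"    # a second tag is never expected here
    if src[0] & 1 or src not in pol["src"]:
        return "drop: source"        # SA check; a source must be unicast
    multicast = bool(dst[0] & 1)     # I/G bit set means group address
    allowed = pol["dst_multicast"] if multicast else pol["dst_unicast"]
    return "forward" if dst in allowed else "drop: destination"

def build(dst: bytes, src: bytes, vid: int, etype=0x0800, payload=bytes(46)):
    """Build a constructed tagged sample frame for exercising the filter."""
    return dst + src + struct.pack("!HHH", TPID_8021Q, vid, etype) + payload
```
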
16Spirent Communications
Security Implementations: Possible Architecture
[Figure: the domains (Driver Assistance, Powertrain, Telematics and Maintenance, Chassis & Safety, Infotainment, Body Electronics) assigned to VLAN 1 to VLAN 4]
Security Implementations: Possible Architecture
[Figure: the domains (Driver Assistance, Powertrain, Telematics and Maintenance, Chassis & Safety, Infotainment, Body Electronics) assigned to VLAN 1 to VLAN 4]
• Allowed
- Un-routed VLAN traffic
- Traffic between public Internet and VLAN 4 (Infotainment Connectivity)
- VPN connection between OEM and VLAN 1/2/3 through the Cellular Module
- Secured traffic between V2X Module and ADAS Controller
- VPN between Maintenance IF and VLAN 1/2/3/4
- Uni-directional traffic between ADAS Devices and VLAN 4 (e.g. Cameras)
• Denied
- Traffic between Cellular Modem and VLAN 1/2/3
- Traffic between VLAN 1 and VLAN 4
- Traffic between V2X Module and other Devices (excluding ADAS Controller)
- Public Access through Maintenance IF
- Devices in VLAN 1/2/3 without Secure Device Identifier
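The Allowed/Denied lists above can be written down as a default-deny policy and swept to produce expected verdicts for a test plan. This is an added example, not part of the original slides; the zone labels other than the VLANs, the flow attributes and the direction of the one-way ADAS traffic are assumptions.

```python
from dataclasses import dataclass

PRIVATE = {"VLAN1", "VLAN2", "VLAN3"}
VLANS = PRIVATE | {"VLAN4"}
# Zone names other than the VLANs are labels chosen for this example.
ZONES = sorted(VLANS | {"INTERNET", "OEM", "CELLULAR", "V2X",
                        "ADAS_CTRL", "ADAS_DEV", "MAINT_IF", "PUBLIC"})

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    vpn: bool = False      # carried inside a VPN tunnel
    secured: bool = False  # assumed meaning of "secured": authenticated and encrypted
    dev_id: bool = True    # private-VLAN endpoint presents a Secure Device Identifier

def decide(f: Flow) -> str:
    pair = {f.src, f.dst}
    if pair & PRIVATE and not f.dev_id:
        return "deny"                        # no Secure Device Identifier in VLAN 1/2/3
    if f.src == f.dst and f.src in VLANS:
        return "allow"                       # un-routed traffic inside one VLAN
    if pair == {"INTERNET", "VLAN4"}:
        return "allow"                       # infotainment connectivity
    if "OEM" in pair and pair & PRIVATE:
        return "allow" if f.vpn else "deny"  # OEM access only as VPN via cellular
    if "MAINT_IF" in pair and pair & VLANS:
        return "allow" if f.vpn else "deny"  # maintenance access only as VPN
    if pair == {"V2X", "ADAS_CTRL"}:
        return "allow" if f.secured else "deny"
    if (f.src, f.dst) == ("ADAS_DEV", "VLAN4"):
        return "allow"                       # one-way only; direction is an assumption
    return "deny"                            # default deny covers the "Denied" list

def plaintext_matrix() -> dict:
    """Expected verdict for every ordered zone pair without VPN or secured link."""
    return {(s, d): decide(Flow(s, d)) for s in ZONES for d in ZONES}

def allowed_plaintext() -> list:
    """Zone pairs a gateway may pass with no tunnel; everything else must drop."""
    return sorted(k for k, v in plaintext_matrix().items() if v == "allow")
```

The output of `allowed_plaintext()` is the short list of flows that should pass without a tunnel; every other pair in the matrix is an expected drop.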
Security Validation
Security Validation: What to test?
Testing is mandatory to assure the functionality and performance of the implemented Security features!
• Stage 1 – Basic functionality
- VLAN separation
- Traffic routing
• Stage 2 – Security functionality
- Frame/Packet filtering
- Device Identification
- VPN Setup and encryption
• Stage 3 – System Performance
- Ability to handle high traffic load
• Stage 4 – Specific Simulations
- External/Internal Attack Simulation (e.g. to get access to the In-Vehicle Network)
- “Infected Device” attached to the Network
- “Zero Day” Attacks and “Negative/Corrupted” traffic simulation
Security Validation: Test Setup Examples
[Figure: test setup with the domains (Driver Assistance, Powertrain, Telematics and Maintenance, Chassis & Safety, Infotainment, Body Electronics) and VLAN 1 to VLAN 4]
© Spirent Communications, Inc. All of the company names and/or brand names and/or product names and/or logos referred to in this document, in particular the name “Spirent” and its logo device, are either registered trademarks or trademarks pending registration in accordance with relevant national laws. All rights reserved. Specifications subject to change without notice.
spirent.com
THANK YOU! Questions?
SPIRENT Communications
http://www.spirent.com/go/automotive
automotive@spirent.com
thomas.schulze@spirent.com