Autonomous Driving needs Safety & Security (sysgo.com)
Transcript of the slide deck "Autonomous Driving needs Safety & Security"
Embedded World 2018
Dr. Ciwan Gouma
Autonomous Driving – The Vision
The vision is not new.
Picture left (you may have seen it in other presentations), but why is it here? 1957: a vintage illustration from an advertisement by H. Miller of a family of four playing a board game while their futuristic electric car automatically drives itself. Interestingly, it was published in an advertisement for an electrical power plant in the US, to present different use cases for how electrical power could be used in the future!
Why not from an automotive company? Long story ...
How does the vision look today? Some changes compared to the picture on the left: people are not playing dominoes, they are working ;(
But back to the why
What is the real why for autonomous driving?
- Not the number of billions of IoT devices
- Not the available technology
Always start with asking why (Simon Sinek):
- Our mobility expectation has changed
- Time that we spend in traffic jams!
- Number of accidents – 1.3 million per year! (From 2006 to 2016, between 11 and 35 thousand people died in terrorist attacks.)
- Lessons from the avionics industry: 95% of accidents are caused by human errors! Same result for cars – source: https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812115
© SYSGO AG · PUBLIC 4
Autonomous WHYs
- Increase safety – 69%
- Reduce traffic congestion / increase road capacity – 65%
- Independent mobility of non-drivers – 55%
- Reduce stress level / advanced ease of use – 49%
- Increase productivity for the driver – 43%
- Enhance quality of life – 38%
- Emission and cost reduction – 31%
Source: Survey Report tech.AD 2018, Berlin, https://autonomous-driving-berlin.com/
Main Challenges
- Safety concerns / fail-safe concepts
- Legal restrictions
- Cyber security
Fail-safe concepts (mission complete: simply stop the car) are not part of this presentation, nor are legal restrictions.
Cyber security is always mentioned as an important topic, and in the same moment people say "we will handle this later!"
My personal view: that is the wrong approach! Continuous, serious and successful cyberattacks could be a show stopper for autonomous driving.
New Thinking
• Mainstream autonomous vehicle adoption will create a new economy: a 7 trillion business by 2050 (Intel, Strategy Analytics)
• A separate "passenger economy" will include new types of products (autonomous cars, hyperloops, changing or smart cities, homes), new services and completely new business models
• New vehicles of the future will be able to retrieve and share real-time traffic data, use vehicle-to-vehicle communication and AI algorithms for optimizing autonomous driving and routing, and handle other useful tasks such as finding parking space
• Side note: Intel sees shared commuting in autonomous vehicles as the norm, and individual vehicle ownership as less important
• A new class of vehicle spawned for dense urban environments
• What are the impacts for our industry?!
Source: https://newsroom.intel.com/newsroom/wp-content/uploads/sites/11/2017/05/passenger-economy.pdf
New Thinking
- Connectivity & Security
- Complexity – Domain Integration
- Life Cycles & Development Processes
Connectivity is the base for new and helpful features; users and OEMs love that. Completely new use cases and business models are possible – perfect!
BUT with connectivity we are facing tremendous security issues – nothing is secure. A new thinking has to start.
Complexity – domain integration: combining systems increases the attack surface! ECU integration: how will that be realized with existing E/E structures?
New business models and new cloud-based services bring completely different players, and entirely different lifecycles have to be handled.
Connected Car – Attack Surface Eldorado
Over time, several component providers added connectivity to their devices – Bluetooth, Wi-Fi, near-field – and some of them used IT-based security mechanisms like crypto etc.
- Sometimes old, outdated protocols are used – not safe
- Sometimes even without any security functionality
- The attack surface increased – with no security concept!
Level of Autonomous Driving – Big Difference
Autonomous driving trusts connectivity!
For level 1 and 2, no extra safety certification levels are expected.
BUT for level 3 and above, high safety certification has to come – similar to avionics standards.
Safety! Cyber security, and security for safety.
Other Perspectives
- IT Security
- Aviation Industry
Learning from IT Security
- Firewalls
- Cryptography: "Crypto won't save you either"
- End-to-end
- Intrusion
Thus, the attack surface is the full system architecture. Security is an integral system property!
Without a clean design, it is complicated to identify/define the attack surface. Security is a process.
"Easy to use update procedures" – refer to WannaCry and Microsoft's statements about updates!
Positive: due to the impact of security attacks on companies, management attention has increased over the past years. In IT security, positive awareness from management is already there.
Security is a process. Firewalls are a good idea. Crypto won't save you either.
Learning from the Avionics Industry
• Safety & Security Process & Certification
• Fail Safe
• HW Consolidation
• Security by Design
• MILS
Tremendous changes for the network-based infrastructure:
- Aircraft today is network based (AFDX & IP)
- Increasing usage of common computing resources: Integrated Modular Avionics (IMA), Open World
- Open World domain with COTS software: Wi-Fi products, Linux
- New IT services: pilots (tablets), passengers, crew, maintenance
- Increasing integration and information flow between systems
- Aircraft is heavily connected to other IT services, integration of several domains: airlines, ATC
- Aircraft is connected to the INTERNET
Common Challenges in Cyber-Physical Systems
- Functionality density is increasing: integrate functions on a small number of ECUs, reduce the number of ECUs or keep (at least) the same, benefit from powerful COTS HW and SW. Need proper separation and control of functionalities.
- Heterogeneous information flows: systems are interconnected and exposed to the external world, usage of common network infrastructure. Need proper separation and control of information flows.
- High assurance for mixed-critical ECUs: functionalities have different assurance requirements, e.g. safety vs. security; the overall assurance design shall be enough to run the most demanding one. Need a proper compositional certification approach.
MILS
Application plane: low-criticality partition, medium-criticality partition, high-criticality partition.
MILS is a high-assurance security architecture that supports the coexistence of untrusted and trusted components, based on verifiable separation mechanisms and controlled information flow.
Please refer for more information to the research project EuroMils:
Please refer for more information to the research project CertMils:
MILS Architectural Approach
Figure: refinement from the MILS architecture to the MILS-induced abstraction. Application plane: low-, medium- and high-criticality partitions. Resource plane: the MILS platform (separation kernel) on top of the hardware (CPUs, memory, and devices such as network and actuator).
Common Safety and Security Base
Common: Assurance via Standards
- ISO 26262
- SAE J3101 – Hardware-Protected Security for Ground Vehicle Applications
- SAE J3061 – Cyber Security Guidebook for Cyber-Physical Vehicle Systems
- Adaptive AUTOSAR
- GENIVI / AGL
- Other OEM innovations
ISO 26262:
a) Potential interaction between safety and security
b) Cybersecurity threats to be analyzed as hazards
c) Monitoring activities for cybersecurity, including incident response tracking
d) Refer also to SAE J3061, ISO/IEC 27001, and ISO/IEC 15480
ISO/WD PAS 21448 Road vehicles – Safety of the intended functionality (SOTIF) – under development
SAE J3101:
a) Secure boot
b) Secure storage
c) Secure execution environment
d) Other hardware capabilities ...
e) OTA, authentication, detection, recovery mechanisms ...
SAE J3061:
a) Enumerate all attack surfaces, conduct threat analysis
b) Reduce attack surface
c) Harden hardware and software
d) Perform security testing (penetration, fuzzing, etc.)
SAE (Society of Automotive Engineers): U.S.-based, globally active professional association and standards developing organization for engineering professionals in various industries. Principal emphasis is placed on transport industries such as automotive, aerospace, and commercial vehicles.
J3061 – Cyber Security Guidebook
ISO/IEC 27001: "Information technology — Security techniques — Information security management systems — Requirements"
ISO/IEC 15480: Common Criteria ...
Safety & Security Software Lifecycle
Figure: V-model with the phases Requirements, System Requirements, Global Design, Detailed Design, Implementation, Unit Test Case Execution, Integration Test Execution and System Test Execution; the security activities (Threat Analysis, Security Goals, Security Architecture, Attack Tree Analysis, Code and HW Implementation Reviews, Functional and Penetration Tests, Integration and Penetration Tests, Validate Security Assumptions) are attached to the corresponding safety activities:
- Threat Analysis – Hazard analysis and risk assessment
- Security Goals – Safety Goals – Requirements Analysis
- Security Architecture – System Safety Concept – System Architecture
- Attack Tree Analysis (ATA) – FMEA, FTA, FMEDA – HW/SW Design: Failure Mode and Effects Analysis (FMEA), Fault Tree Analysis (FTA), Failure Modes Effects and Diagnostic Analysis (FMEDA)
- HW/SW Implementation – Guidelines, Reviews, Analyses – Code and HW Implementation Reviews
- HW/SW Test – Test Safety Mechanisms – Functional and Penetration Tests
- System Integration – Test Safety Mechanisms – Integration and Penetration Tests
- System Test – Validate Safety Assumptions – Validate Security Assumptions
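The slide pairs Attack Tree Analysis with FMEA/FTA at design time but does not show what the analysis computes. The following is an added example, not code from the presentation or from SYSGO: a minimal attack tree evaluator in the style of a fault tree, where OR gates take the attacker's cheapest branch and AND gates sum the branches. The tree, its leaf labels and the effort values are constructed for illustration; the point is the defender's use of the result, ranking which single control raises the cost of the root attack the most.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Node:
    """One node of an attack tree. Leaves carry the attacker's effort (cost);
    AND/OR gates combine their children, like gates in a fault tree."""
    label: str
    gate: str = "LEAF"              # "LEAF", "AND" or "OR"
    cost: float = 0.0               # attacker effort for a leaf, abstract units (constructed)
    children: list = field(default_factory=list)
    mitigated: bool = False         # a control is in place, so the leaf is closed


def min_cost(node):
    """Cheapest attacker effort to reach `node`. OR: attacker takes the cheapest
    branch; AND: attacker pays for every branch; a mitigated leaf is unreachable."""
    if node.gate == "LEAF":
        return math.inf if node.mitigated else node.cost
    costs = [min_cost(c) for c in node.children]
    return min(costs) if node.gate == "OR" else sum(costs)


def cheapest_path(node):
    """Open leaves on the attacker's cheapest path: the first place a review should look."""
    if node.gate == "LEAF":
        return [] if node.mitigated else [node.label]
    if node.gate == "OR":
        return cheapest_path(min(node.children, key=min_cost))
    return [leaf for c in node.children for leaf in cheapest_path(c)]


def leaves(node):
    """All leaves of the tree, in document order."""
    if node.gate == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def rank_mitigations(root):
    """For every open leaf, how much closing only that leaf raises the cost of
    the root attack. Sorted by benefit, so the top entry is the best single
    control to add; a zero means the attacker simply takes another branch."""
    base = min_cost(root)
    ranking = []
    for leaf in leaves(root):
        if leaf.mitigated:
            continue
        leaf.mitigated = True
        ranking.append((leaf.label, min_cost(root) - base))
        leaf.mitigated = False
    return sorted(ranking, key=lambda item: (-item[1], item[0]))


def demo_tree():
    """Constructed tree for the hazard 'an unauthorized command reaches the
    control domain'. Effort values are illustrative numbers, not measurements."""
    return Node("unauthorized command reaches control domain", "OR", children=[
        Node("remote path", "AND", children=[
            Node("R1 reach infotainment over a wireless interface", cost=3),
            Node("R2 cross the infotainment/control boundary", cost=8),
        ]),
        Node("local path", "AND", children=[
            Node("L1 physical access to an in-vehicle network connector", cost=5),
            Node("L2 open a session on an interface without authentication", cost=1),
        ]),
    ])


if __name__ == "__main__":
    tree = demo_tree()
    print("root cost:", min_cost(tree))
    print("cheapest path:", cheapest_path(tree))
    for label, gain in rank_mitigations(tree):
        print(f"{gain:>4}  {label}")
```

Because the root is an OR gate, closing a leaf on the remote path alone yields zero gain while the cheaper local path stays open; the ranking makes that visible before money is spent, which is the same argument a fault tree makes for safety mechanisms.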
Benefits – MILS OS as base for Future Automotive Platforms
- Create multi-domain platform – supports new mobility services
- Ensure strict separation, domain integration – increase data privacy, minimise security risks
- Reduce development cost – minimize risk for 3rd-party components
Try our Secure Domain Demonstrator at Embedded World 2018, Hall 4-308 & Hall 4A-410
More information: www.sysgo.com
Company video: https://www.youtube.com/watch?v=x5YUhbKTXbA&feature=youtu.be
http://bit.ly/autonomous_driving
AUTOSAR Adaptive – New Standard – New Feature: Hypervisor combines Safety and Linux
Figure: on one microcontroller, a hypervisor (e.g. PikeOS) hosts a Linux guest running QM Adaptive AUTOSAR with QM applications next to a SafePOSIX guest (e.g. PikeOS) running Safe Adaptive AUTOSAR with safe applications; the hypervisor forms the ISO 26262 barrier, safe and secure, between the two sides.
Visit Vector at Hall 4-510
More information:
www.sysgo.com
Press Release SYSGO – Vector Joint Venture:
https://www.sysgo.com/partners/sysgo-vector
Multi-Domain AI Brain Platform – PikeOS & Evolver from OSR
More information:
www.sysgo.com
Press Release SYSGO – OSR Cooperation
https://www.sysgo.com/news-events/news-and-articles/article/osr-uses-pikeos-for-ai-based-automotive-platform/
Take Away
- Understand the standards and recommendations
- First secure the HW
- Then secure the SW
- The system integration concept, i.e. the architecture, is the most important SECURITY MEASURE
- Ask if your SW has:
  - Monitoring
  - Assessment
  - Notifications
  - Remediations
- Safe & secure SW lifecycle
- Establish end-to-end security
Consider adverse actors at the very beginning of the system design stage.
Your system will not be isolated: neither physically nor information-flow-wise.
The MILS architectural approach is an enabler for a high-assurance safety and security architecture and compositional certification:
- Develop a system architecture consisting of different safety and security domains, i.e. partition the system into domains
- Assign platform resources to partitions: CPUs, CPU time, memory, I/O devices, file access, available services
- Define communication channels between partitions. Default: everything that is not explicitly allowed is forbidden
- Optionally, add libraries/run-time environments to partitions, e.g. POSIX, ARINC, AUTOSAR, Linux, Android, Ada
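The four steps above (partition into domains, assign resources, define channels with default deny, add run-times) are the integrator's configuration work on a separation kernel. The following is an added example, not PikeOS or any SYSGO configuration format: a small Python model of such a configuration that enforces the default-deny rule on channels, runs the static checks an integrator would want (no overlapping memory, no device owned by two partitions, no channel to an unknown partition), computes the transitive information flow from a partition (what an attacker who owns the infotainment domain can at least talk to), and lists the channels that carry data upward in criticality, which the receiving partition must treat as untrusted input. The three-domain layout, partition names, address ranges and device names are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

LEVELS = {"low": 0, "medium": 1, "high": 2}   # criticality order, constructed


@dataclass(frozen=True)
class Partition:
    name: str
    criticality: str                  # "low", "medium" or "high"
    cpus: frozenset                   # cores the partition may be scheduled on
    memory: tuple                     # (start, end) physical range, end exclusive
    devices: frozenset = frozenset()  # I/O devices owned exclusively by this partition


@dataclass(frozen=True)
class Channel:
    src: str
    dst: str
    port: str


class MilsConfig:
    """Partitions plus an explicit allow-list of one-way channels.
    Anything not in the allow-list is forbidden (default deny)."""

    def __init__(self):
        self.partitions = {}
        self.channels = set()

    def add_partition(self, p):
        if p.criticality not in LEVELS:
            raise ValueError(f"unknown criticality {p.criticality!r}")
        self.partitions[p.name] = p

    def allow(self, src, dst, port):
        """Explicitly permit one flow. This is the only way a flow becomes legal."""
        self.channels.add(Channel(src, dst, port))

    def may_send(self, src, dst, port):
        return Channel(src, dst, port) in self.channels

    def validate(self):
        """Static checks on resource assignment; returns a list of findings."""
        errors = []
        parts = list(self.partitions.values())
        for i, a in enumerate(parts):
            for b in parts[i + 1:]:
                if a.memory[0] < b.memory[1] and b.memory[0] < a.memory[1]:
                    errors.append(f"memory overlap: {a.name} and {b.name}")
                shared = a.devices & b.devices
                if shared:
                    errors.append(f"device shared by {a.name} and {b.name}: {sorted(shared)}")
        for c in self.channels:
            for end in (c.src, c.dst):
                if end not in self.partitions:
                    errors.append(f"channel {c.port}: unknown partition {end}")
        return errors

    def reachable(self, start):
        """Partitions reachable from `start` over allowed channels: the part of the
        system that is exposed if `start` is compromised."""
        seen, todo = set(), deque([start])
        while todo:
            cur = todo.popleft()
            for c in self.channels:
                if c.src == cur and c.dst not in seen:
                    seen.add(c.dst)
                    todo.append(c.dst)
        return seen

    def untrusted_inputs(self):
        """Channels from a lower to a higher criticality partition. The receiver
        must validate this data as attacker-controlled (security for safety)."""
        return sorted(
            (c.src, c.dst, c.port) for c in self.channels
            if LEVELS[self.partitions[c.src].criticality]
            < LEVELS[self.partitions[c.dst].criticality])


def demo_config():
    """Constructed three-domain example: Linux infotainment, gateway, vehicle control."""
    cfg = MilsConfig()
    cfg.add_partition(Partition("infotainment", "low", frozenset({0, 1}),
                                (0x4000_0000, 0x8000_0000), frozenset({"wifi", "bluetooth"})))
    cfg.add_partition(Partition("gateway", "medium", frozenset({2}),
                                (0x8000_0000, 0x9000_0000), frozenset({"eth0"})))
    cfg.add_partition(Partition("control", "high", frozenset({3}),
                                (0x9000_0000, 0xA000_0000), frozenset({"can0"})))
    cfg.allow("infotainment", "gateway", "nav_request")   # low -> medium
    cfg.allow("gateway", "control", "route_hint")         # medium -> high
    cfg.allow("control", "gateway", "vehicle_status")     # high -> medium
    return cfg


if __name__ == "__main__":
    cfg = demo_config()
    print("findings:", cfg.validate())
    print("reachable from infotainment:", sorted(cfg.reachable("infotainment")))
    print("inputs to validate:", cfg.untrusted_inputs())
```

Note that `may_send("infotainment", "control", ...)` is false even though control is transitively reachable: the gateway is the place where the route hint must be checked, and `untrusted_inputs()` names exactly that channel.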
Autonomous Driving – Let's make the Vision happen
http://bit.ly/autonomous_driving/
SYSGO Website https://sysgo.com
SYSGO Blog https://blog.sysgo.com
LinkedIn https://de.linkedin.com/company/sysgo-ag/
Twitter https://twitter.com/sysgo
YouTube https://www.youtube.com/user/sysgoag/videos