1Spirent Communications

How to protect Ethernet based In-Vehicle Networks against security threatsThomas SchulzeSpirent Communications - Automotive

2Spirent Communications

Outline

The “Connected Car”

Risks and Concerns

Public and Private Domains

Security Implementation

Security Validation

3Spirent Communications

The “Connected Car”

4Spirent Communications

The “Connected Car”

TelematicsNavigationITS/DSRC

X by Wire

Power Train

Radar

Camera

Camera

Front distributionADAS ECU

Body DomainGateway ECU

InfotainmentHead Unit ECU

Camera

Rear distributionAmplifier ECU

Camera

Radar

CAN LINFR

ETHERNET

Radar

Radar

Maintenance

ODB II

5Spirent Communications

Risks and Concerns

6Spirent Communications

Risks and ConcernsThe Media approach

7Spirent Communications

Risks and ConcernsA “Realistic” approach

• The Risk of potential threats through attacks growth because of:

Easier access trough broader connectivity options Common communication protocols The “always connected” approach “Open” Systems for feature rich and easy to use Applications

• The Risk of potential threats through attacks can reduced through:

Separation of Public and Private (Safety related) Domains Security Implementations and Validation Careful assessment of Customer usage and safety impacts

It’s nearly impossible to create a 100% secure communication network, but there a possibilities and ways to protect it!

8Spirent Communications

Public and Private Domains

9Spirent Communications

Public and Private DomainsAssignment of functionalities and applications

Telematicsand

Maintenance

Infotainment

Public Dom

ain

Driver Assistance

Powertrain

Chassis & Safety

Body Electronics

Priv

ate

Dom

ain

10Spirent Communications

Public and Private DomainsPrivate Domain Communication

• Restricted Devices

• No external access

• Unencrypted Data

Driver Assistance

Powertrain

Chassis & Safety

Body Electronics

Priv

ate

Dom

ain

Net

wor

k 1

11Spirent Communications

Public and Private DomainsPublic Domain Communication

Telematicsand

Maintenance

Infotainment

Public Dom

ain

Netw

ork 2

• Restricted Devices(Telematics)

• Unrestricted Devices (Infotainment)

• external access

• Unencrypted Data

• Encrypted Data

• VPN Connections

12Spirent Communications

Public and Private DomainsInterconnection between Public and Private Domain

Driver Assistance

Powertrain

Telematicsand

Maintenance

Chassis & Safety

Infotainment

Body Electronics

Public Dom

ainPr

ivat

e D

omai

n

Net

wor

k 1 N

etwork 2

13Spirent Communications

Security Implementation

14Spirent Communications

Security ImplementationOSI Layer related Security Options

15Spirent Communications

Security ImplementationOSI Layer related Security Options (Examples)

• OSI Layer 1 (Physical) Secured access to the Medium (huge effort needed for Vehicles)

• OSI Layer 2 (Data Link) Frame filtering (Unicast/Multicast; SA-DA check) 802.1Q – Virtual Local Area Network (VLAN) 802.1X – Network Access Control (NAC) 802.1AE – MAC Security (MAC level encryption) 802.1AR – Secure Device Identifier VPN – Virtual Private Network based on L2TP (unencrypted)

• OSI Layer 3 (Network) VPN IPsec SSL/TLS Encryption

• OSI Layer 4 (Transport) Packet filtering (SA-DA & Transport protocol)

16Spirent Communications

Security ImplementationsPossible Architecture

Driver Assistance

Powertrain

Telematicsand

Maintenance

Chassis & Safety

Infotainment

Body Electronics

VLAN 1

VLAN 2

VLAN 3

VLAN 4

17Spirent Communications

Security ImplementationsPossible Architecture

Driver Assistance

Powertrain

Telematicsand

Maintenance

Chassis & Safety

Infotainment

Body Electronics

VLAN 1

VLAN 2

VLAN 3

VLAN 4

Allowed

Un-routed VLAN traffic Traffic between public Internet and VLAN 4 (Infotainment

Connectivity) VPN connection between OEM and VLAN 1/2/3 trough Cellular

Module Secured Traffic between V2X Module and ADAS Controller VPN between Maintenance IF and VLAN 1/2/3/4 Uni-directional traffic between ADAS Devices and VLAN 4 (e.g.

Cameras) Denied

Traffic between Cellular Modem and VLAN 1/2/3Traffic between VLAN 1 and VLAN 4Traffic between V2X Module and other Devices (excluding ADAS Contr.)Public Access through Maintenance IFDevices in VLAN 1/2/3 without Secure Device Identifier

18Spirent Communications

Security Validation

19Spirent Communications

Security ValidationWhat to test?

Testing is mandatory to assure the functionality and performance of the implemented Security features!

• Stage 1 – Basic functionality- VLAN separation- Traffic routing

• Stage 2 – Security functionality- Frame/Packet filtering- Device Identification- VPN Setup and encryption

• Stage 3 – System Performance- Ability to handle high traffic load

• Stage 4 – Specific Simulations- External/Internal Attack Simulation

(e.g. to get access to the In-Vehicle Network)- “Infected Device” attached to the Network- “Zero Day” Attacks and

“Negative/Corrupted” traffic simulation

20Spirent Communications

Security ValidationTest Setup Examples

Driver Assistance

Powertrain

Telematicsand

Maintenance

Chassis & Safety

Infotainment

Body Electronics

VLAN 1

VLAN 2

VLAN 3

VLAN 4

21Spirent Communications

© Spirent Communications, Inc. All of the company names and/or brand names and/or product names and/or logos referred to in this document, in particular the name “Spirent” and its logo device, are either registered trademarks or trademarks pending registration in accordance with relevant national laws. All rights reserved. Specifications subject to change without notice.

spirent.com

THANK YOU! Questions?

SPIRENT Communicationshttp://www.spirent.com/go/automotive

automotive@spirent.comthomas.schulze@spirent.com