In autonomous vehicles, security and safety are paramount. Methods for achieving these goals sometimes benefit both, but potentially put them in conflict. That creates massive challenges for engineers who design safety-critical systems.
FierceElectronics sat down to discuss this new world order with Bill Taylor, managing director – Functional Safety at kVA by UL, an expert on safety-driven automotive security.
FierceElectronics: What is the basic definition of safety-driven automotive security?
Taylor: I would define it as security without compromising safety. When you have a 5,000-pound vehicle hurtling down the road at 70 miles per hour, the safety implications loom large should there be a security breach. If someone can corrupt or gain some sort of malicious control, these security breaches can lead to injury and fatalities.
The challenge is that sometimes safety and security overlap in ways that are positive and mutually beneficial, while at other times they are potentially in conflict. Autonomous vehicles in particular present a broad spectrum of challenges and they have some very advanced features that set up a contradiction in safety and security requirements that are incredibly tricky to address.
FE: How are safety and security intertwined when it comes to autonomous vehicles?
Taylor: We traditionally view safety as trying to protect against a fault, failure or performance gap in a vehicle’s electronics systems and making sure that these faults and failures or low-level software bugs and data corruption don’t propagate forward and lead to some sort of unsafe condition in the vehicle. You wouldn’t want a minor software bug, for example, that could interfere with applying the brakes or with proper steering.
Cybersecurity is all about protecting against external threats such as remote hacking to disable or control a vehicle or an entire fleet of vehicles to stealing data that is being transmitted or stored. As bad actors continue to come up with new and better plans of attack, we have to be vigilant and understand how to mitigate against these threats as they are presented. And as I said, the two objectives of safety and security can be both in concert and in conflict.
Engineers have to design systems for autonomous vehicles to meet both. Some of the steps that we take to help ensure security, for example the encryption of information, are good for both security and safety. Carefully protecting information is hard to argue against it.
But sometimes safety and security goals are in conflict. Consider a scenario in which a malicious actor could somehow confuse our system. Consider the scenario in which we see something we don’t like in the vehicle’s diagnostics. When in doubt, the reasonable thing to do from a security perspective would be to lock the system down in a safe state, because the anomaly could be the result of a cybersecurity attack. But from a safety perspective that could be extremely dangerous, should for example the attack occur while traveling along a highway at 70 miles per hour. Moreover, if not covered by security considerations, going into a safe state could actually introduce additional attack vectors.
FE: Given this interdependency, how must engineers change their approach to functional safety — which is well established when it comes to designing hardware, software, and systems for autonomous vehicles?
Taylor: It’s a good question. There will be some approaches that are necessary for cybersecurity that will be welcome in the functional safety community—such as hardware encryption that are now available on electronic components. Also, there are some standards with respect to software methods for detecting and preventing threats that will be straightforward. Other actions will be more challenging, such as the idea of software updates and patches. So, I think that some sort of compromise will be required.
The traditional view in functional safety is that you set it up once and forget about it. But in a cybersecurity world, the expectation is that in order to prevent attacks you need to update quickly and often. Just last week in the news, a major U.S. automaker immediately sent out an over-the-air (OTA) software update when researchers reported that they found a vulnerability in a Bluetooth-connected key fob. That’s the kind of swift action that engineers will need to embrace to combat security threats.
FE: Security parameters will evolve over time. How will that work in today’s market, where vehicles are typically on the road for years?
Taylor: It’s a new world for automotive software, and part of that is due to security reasons. The ability to have regular OTA updates for vehicle software is a feature that is going to be a game changer from a security standpoint. It may not happen at the pace at which we see happening with electronic devices that are smaller and potentially less sensitive to serious safety issues, but it is coming.
While that is going to be a huge positive, we also have to recognize that when we build these vehicles they still need to meet safety goals, and that implies a lot of verification and validation tests. It is going to take a lot of effort to get to a final version and prove that it is really safe. And then when we make changes in the software via OTA updates—even minor changes—we’ll need to help ensure that safety considerations cover those modifications.
FE: What is some of the key work being done around security and safety standards to address this issue?
Taylor: I think the rules of the game are going to be set in standards, which differ from those for other industries, as they may cover a precise messaging scheme or communication protocol or maybe a very precise safety test or test procedures.
In the autonomous vehicle area, standards are really meant to establish a common framework and common language that enable people working on these issues to approach them with a common understanding. Some of the most relevant standards are ISO 26262, an international functional safety standard for road vehicles, ISO 21448, which applies to functionality that requires proper situational awareness in order to be safe, and UL 4600, the Standard for Safety for the Evaluation of Autonomous Products. ISO/SAE 21434 is the major automotive standard with respect to cybersecurity.
These standards are a key to the solution, but remember the standards are not the solution. They provide a framework that will take smart people a long ways to a good engineering solution. But good design, good development and good processes will also all be required.
FE: Isn’t this all going to be expensive? How will automakers get there?
Taylor: It is going to be a real challenge. What we need to say upfront is that safety costs something and security costs something—these things do not come for free. There are a lot of really good capabilities coming online with respect to many situations that will help automakers to do a lot of evaluation in the virtual world, which is going to help enormously.
But I also think a grounds for many of these solutions is going to have to be really good, smart architectures in our vehicles. Engineers are going to have to have a deep understanding upfront of how the system is architected in order to be able to compartmentalize and make software updates that don’t require so much simulation. In the end in order to achieve both safety and security goals, we have to recognize and accept that it’s going to take a real investment.
FE: When will autonomous vehicles really get here in some kind of scale?
Taylor: No doubt autonomous vehicles are coming. I’m not going to give an exact date, but given the rapid advance of technology we’re getting there. I think the one thing that could slow progress is whether we will have enough embedded systems engineers with the deep knowledge that’s going to be needed to understand and tackle these complex problems.
But even when autonomous vehicles hit the mainstream, given the unfortunate rapid advance of sophisticated hackers, we will never be in a place where we don't need to work constantly to help ensure the safety and security of autonomous vehicles.
Editor’s Note: Bill Taylor, managing director – Functional Safety at kVA by UL, will be giving the keynote: Safety-driven Automotive Security: Challenges and Opportunities in a Driverless World, at AutonomousTech Innovation Week, a digital event series taking place Dec. 14-16, 2020. For more information and to register for your free pass please visit the event website.