Potential implications of operational countermeasures?

The IT security of automotive systems is an evolving area of research. To analyse the current situation and the potentially growing tendency of arising threats we performed several practical tests on recent automotive technology. With a focus on automotive systems based on CAN bus technology, this article summarises the results of four selected tests performed on the control systems for the window lift, warning light and airbag control system as well as the central gateway. These results are supplemented in this article by a classification of these four attack scenarios using the established CERT taxonomy and an analysis of underlying security vulnerabilities, and especially, potential safety implications. With respect to the results of these tests, in this article we further discuss two selected countermeasures to address basic weaknesses exploited in our tests. These are adaptations of intrusion detection (discussing three exemplary detection patterns) and IT-forensic measures (proposing proactive measures based on a forensic model). This article discusses both looking at the four attack scenarios introduced before, covering their capabilities and restrictions. While these reactive approaches are short-term measures, which could already be added to today’s automotive IT architecture, long-term concepts also are shortly introduced, which are mainly preventive but will require a major redesign. Beneath a short overview on respective research approaches, we discuss their individual requirements, potential and restrictions.

With the focus on practical CAN based attacks on automotive IT systems, in this article we motivated the development of more efficient automotive IT security measures in the future. Based on the description of four practically implemented attack scenarios S1–S4, individual classifications of these incidents have been performed using the established CERT taxonomy and relevant examples for violations of the five main security aspects have been stressed out. Also, a special focus has been put to safety threats, which can potentially arise as implications of the security-based incidents depicted by these four scenarios. Based on the results of these tests, basic examples for the underlying security weaknesses in today’s automotive communication networks have been identified. In consequence, future countermeasures have been discussed.

With respect to future, holistic concepts for automotive IT security an overview of main concepts has been given that are currently under research. We shortly introduced some examples for such holistic approaches that are currently developed by automotive IT security researchers and exemplarily discussed their advantages, potential and restrictions. In this publication we focused on additional measures that could also be added to today’s automotive IT systems, i.e. as shortterm solutions addressing the most basic weaknesses that made our test results possible. We presented two exemplary approaches for such mechanisms and discussed their individual advantages, potential and restrictions. The first is the automotive application of intrusion detection technology, which is already well established in the desktop IT domain. A first, adapted implementation has been presented, which has already been tested exemplarily in practice on current automotive IT. The second concept is the adaptation of the IT-forensic process to the automotive domain with a special focus on proactive measures (i.e. prior suspected incidents). Both concepts have been discussed with respect to the four attack scenarios S1–S4. However, both solutions from the previous paragraph are designed as reactive measures and do not directly prevent any kind of automotive, IT security related attack. Consequently, in the long run, holistic preventive solutions will be inevitable to increase the overall system security. They will serve as secure basis for further automotive IT security services, e.g. based on C2C communication. Also, the discussed reactive concepts intrusion detection and proactive forensics support, being promising extensions of future automotive IT systems as well, could profit from the additional security offered by such a holistic, secure basis. As an important challenge for future research appropriate maintenance measures are needed covering the entire life cycle of modern cars. For preventive concepts this includes update facilities of cryptographic algorithms (usually having a significantly shorter life cycle). Also reactive measures like adapted intrusion detection concepts need appropriate maintenance concepts, e.g. to cover newly arising attack techniques (e.g. in the form of anomaly pattern updates or additional attack signatures).