Security in the automobile
Is everyone on track?
Fortsetzung des Artikels von Teil 1
Slower introduction of new cyber security standards in China...
According to Slack, OEMs and tier #1s from these regions are currently concentrating more on adding simple message ID filters or much shorter message authentication codes, given the much restricted payload of CAN 2.0. Slack further: “In China we can see even slower introduction of new cyber security standards.” Here there was an extra problem in that the whole matter becomes more complicated because of national regulations governing the use of widespread public cryptographic algorithms like AES, RSA and ECC — China prescribes algorithms like SM2/SM3/SM4. Plus, there is the requirement that supporting hardware in many cases should be developed and manufactured in China.
Dany Nativel, senior business manager in the micros, security and software business unit of Maxim Integrated, is convinced that for most vehicle control units the basic security requirements are the same for all regions (secure OTA, unit and message authentication). He sees differences rather in specific applications like V2X (vehicle to vehicle, vehicle to infrastructure). The USA requires different cryptographic functions to Europe, for example. Plus, the security certification necessary for such a module is also different, “because a US car needs FIPS 140 certification, while a European car requires more exacting common criteria certification, in other words EAL4+”, says Nativel. On one point Nativel agrees: regardless of region, each carmaker has their own ideas or concepts of security.
Michael Haight, director of business management of Maxim’s micros, security and software business unit, points out that it is not only a matter of the safety of the driver. That there are other important factors needing protection. “There’s the use of original parts or non-licensed components, and data integrity in electronic subsystems. The general trend shows that security demands rise through more electronic components”, says Haight. He thinks state regulations will probably influence regional differences in functional safety and security. Governments pursuing a practice-oriented approach would better understand the correlation of electronic security and functional safety, and be more likely to enact legislation prescribing a higher level of safety in automobiles.
Second-class security?
Are there differences in security level between premium, middle-class and small-class automobiles? Steurich sees no big difference in the traditional security applications like immobilizer or keyless entry. But, the connectivity and thus access to a vehicle from outside much increases the risk of hacker attacks. And, he continues, “after the introduction of networked vehicle services in the premium segment about ten years back, you found the first remote attacks especially in the premium segment, and OEMs had to get into defensive measures.”
However, he reckons, in the next automobile generation at the latest, connectivity and associated security measures will feature more strongly in the other vehicle segments. “The security features of a vehicle are ultimately only a question of equipment — not of the segment the vehicle belongs to.” Slack sees the situation differently to Steurich. He is convinced that most OEMs pursue different security strategies for premium, middle-class and small-class cars, which ultimately “can lead to confusion and complications at the supplier level”, reckons Slack.
- Is everyone on track?
- Slower introduction of new cyber security standards in China...
- Same high security guards for small cars?
- All interfaces can pose a risk
