Automotive Security: Oops, far more complex than we thought

On a road trip with colleagues this week in Europe, driving about in a diesel-powered auto, it is with no small amount of interest that we have followed the news out of the U.S. regarding recently discovered emissions-reporting irregularities for diesel-engined VWs and Audis.

At the core of the alleged scheme is a cunning software construct that knows when the diesel engine should behave according to EPA regulations – in other words, when it’s being tested – and alternatively knows how to rev up engine performance by allowing emissions way in excess of allowed limits – in other words, when the car is being driven between testing sessions.

Whether you follow engineering, automotive engineering, the global automotive market (and stock valuations), or even international relations, you know that this story about VW is a complex one. And not one that is making anyone happy: Neither the company, nor the millions of owners of the vehicles involved, nor the governments and agencies in various geographies impacted by the revelations, nor the many whose health may be have been compromised by emissions that might have otherwise been avoided.

However, that’s not the point of this blog; the point here is one of situational irony.

This week the organizers of the 53rd Design Automation Conferences, set to unfold in Austin next year from June 5-9, announced the six tracks that will be highlighted at the meeting. They include EDA, Embedded Systems, Design & IP, and the IoT.

They also include Automotive Systems & Software, and Security.

For those of you who are involved in these last two technology sectors, you know there has been a great deal of overlap of discussion here recently – especially now that we are all painfully aware that automobiles are morphing into System Platforms on Wheels. And if it’s a system, it can be hacked.

Hence, conversations and conference sessions about how that hacking might occur, and what kinds of defenses must be built into automotive systems to prevent it, have moved from the back burner in conference programs to front and center. And that crescendo of concern will, no doubt, continue to be well showcased at next year’s DAC in Austin.

Of course, we’ve all attended sessions that discuss automotive security. The speakers always start with a horror story about how vulnerable every electronic system is, and then how those vulnerabilities are being translating into the automotive sector.

Then, marrying dense analysis from a host of academics, tons of acronyms and legalities from various government regulators, noble optimisms from automobile and design automation industry reps, and the occasional fret-fest from plain-long worry-worts, such sessions always conclude with the same mantra:

When it comes to cars, security strategies must be built into the system from the very start of the design process. Cobbling security defenses onto the system after the fact simply will not work. You’ve got to do it from the get-go!

Surely you can see the irony here. We’ve being told – at DAC and endless other conferences – that automotive security must be built into cars by the guys in the white hats. Those people who design, manufacture, and test the cars.

What we have not been told at any of these sessions – although undoubtedly that will now change – is that even the guys in the white hats might themselves be suspect, might be pre-building the hacking into their own systems, hiding it amidst complex software scrums from the get-go.

And therein lies the crushing blow.

We’ve been so worried that external hackers might get in and mess with our increasingly complex automotive systems – things that control everything from safety and braking, to energy optimization, guidance control and entertainment – we’ve never thought the system developers themselves might be building nasty trap doors into their own products.

Undoubtedly, this will not be the first discovery in this category of mischief. I suspect it won’t be long before other such ‘errors in judgment’ are revealed, and so the human comedy continues.

Perhaps we need a seventh track at the 53rd DAC: Automating the Process of Authenticating In-vehicle Security and Emissions Software to Reassure Governments and Consumers Everywhere.

****************
DAC Proposals: First deadline 17 November …

All submission information and topic details can be found at http://dac.com/call-for-contributions

* Track 5: Automotive Systems & Software

Nearly every aspect of today’s automobiles uses smart electronics and embedded software to make our transportation experience safer, more energy-efficient and enjoyable. Premium vehicles can have several million lines of embedded software running on hundreds of electronic control units connected not only with one another by in-vehicle networks, but also to the cloud, other vehicles and infrastructure.

As the trend towards automated driving and connectivity accelerates, the ability to deliver these innovations depends more than ever on the electronics and software development capabilities. Mastering the enormous functional complexity while also satisfying safety and security, all within cost constraints, requires powerful methods and tools for all development steps.

The Automotive sessions at DAC provide a forum for people from automotive, embedded systems, security and EDA to connect, engage and exchange information. These sessions will highlight unique challenges and emerging solutions and explore the road ahead.

* Track 6: Security

Security sessions at DAC address an urgent need to create, analyze, evaluate and improve the hardware, embedded systems and software base of contemporary security solutions. Secure and trustworthy software and hardware components, platforms and supply chains are vital to all domains including financial, healthcare, transportation and energy. Security of systems is becoming equally important. A revolution is underway in many industries that are “connecting the unconnected.” Such cyber physical systems – e.g., automobiles, smart grid, medical devices, etc. – are taking advantage of the integration of physical systems with information systems.

These integrated systems are appealing targets of attacks. Attacks on the cyber part of such systems can have disastrous consequences in the physical world. The scope and variety of attacks present design challenges that span embedded hardware, software, networking and system design.

Security topics will be featured through invited special sessions, panels and lecture/ poster presentations by both practitioners and researchers to share their knowledge and experience on this evolving environment.

* Hypothetical Track 7: Automating the Authentication of Security and Emissions Software to Reassure Governments and Consumers Everywhere

****************

Tags: 53rd Design Automation Conference, Automotive Security, VW

This entry was posted on Thursday, September 24th, 2015 at 12:06 pm. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.