Understanding Automotive Cyber Security – The In-Vehicle Network
To understand automotive cyber security, you need to understand the anatomy of a vehicle, from its in-vehicle networks, to control units and sensors. This article is the first in a series providing background and a simple guide.
Understanding the In-Vehicle Network
The in-vehicle network (IVN) is the central nervous system of the vehicle. All electronic control units (ECUs), including sensors, telematics units, and infotainment systems, connect to the IVN, which allows vehicle data to be shared and transmitted between the relevant nodes. Traditionally the IVN has been a closed network bus (think of a single spine), allowing no external connection except for diagnostic tools connected directly to the bus or to ECUs. As a result, there was no need for security on the bus itself or in the ECUs attached to it.
Of course, with the growing demand for connectivity, from data/WiFi and connected services to the variety of connected sensors required by modern advanced driver assistance systems (ADAS), the bus is no longer a closed environment. This variety of potential attack surfaces for hackers to exploit is what has given rise to the growing field of automotive cyber security, a field that is only set to grow as the industry moves forward with autonomous and vehicle-to-everything (V2X) connectivity technologies.
There are several different types of network, each with different structures and features, developed to address different requirements within the vehicle as data and connectivity demands evolved. The main IVNs covered in this article are CAN, CAN-FD, LIN, FlexRay, MOST and Automotive Ethernet. CAN has been the backbone of the in-vehicle network for many years, but the rise of connected vehicles, and the promise of future automation, has led to considerable speculation as to which network will hold this position in years to come.
Controller Area Network (CAN)
Controller Area Network (CAN) was developed by Bosch and presented at SAE Detroit 1986. It is an extremely mature technology that has enjoyed wide acceptance across the automotive world, has become an industry standard, and is found in all vehicles to this day.
CAN uses a bus structure, meaning that all ECUs on the network are physically connected to each other. This allows for a lot of flexibility in design and wiring, as ECUs can be placed in nearly any order. But this advantage is also one of the network's key cyber security limitations.
From a connectivity perspective, CAN is limited by available bandwidth, only offering speeds of up to 1 Mb/s (but almost always less than that, 125 to 512 Kb/s). The latest iteration, CAN-FD (Flexible Data rate), offers higher bit rates, around 10-12 Mb/s, but this is still well below the 100+ Mb/s speeds required by modern infotainment and telematics systems.
From a cyber security perspective, the main problem lies in the fact that connected ECUs are free to communicate with one another without any sort of secure validation. So, if one ECU is hacked, it will grant access to any other on the system.
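The sketch below is an added example, not code from the original article: it parses classic CAN frames in the Linux SocketCAN layout to show that a receiver gets only an arbitration ID and payload, never a sender identity, and then applies the one check a monitor can still make, flagging IDs that are unknown or arrive faster than their expected period. The IDs, periods and capture are constructed sample values, and a little-endian host is assumed.

```python
import struct

# Linux SocketCAN classic frame: 32-bit can_id, 1 length byte, 3 pad bytes,
# 8 data bytes (little-endian host assumed). No sender or authentication field.
CAN_FRAME = struct.Struct("<IB3x8s")
CAN_EFF_FLAG, CAN_EFF_MASK, CAN_SFF_MASK = 0x80000000, 0x1FFFFFFF, 0x7FF

def make_frame(arb_id, data):
    """Build a raw 16-byte frame (used here only to construct sample input)."""
    return CAN_FRAME.pack(arb_id, len(data), data)

def parse_frame(raw):
    """Return (arbitration_id, payload); that is all a receiving ECU learns."""
    can_id, length, data = CAN_FRAME.unpack(raw)
    mask = CAN_EFF_MASK if can_id & CAN_EFF_FLAG else CAN_SFF_MASK
    return can_id & mask, data[:min(length, 8)]

def timing_alerts(capture, expected_period_ms, tolerance=0.5):
    """Flag unknown IDs and frames arriving well inside an ID's expected period."""
    last_seen, alerts = {}, []
    for ts_ms, raw in capture:
        arb_id, _payload = parse_frame(raw)
        period = expected_period_ms.get(arb_id)
        if period is None:
            alerts.append((ts_ms, arb_id, "unknown-id"))
        elif arb_id in last_seen and ts_ms - last_seen[arb_id] < period * tolerance:
            alerts.append((ts_ms, arb_id, "too-frequent"))
        last_seen[arb_id] = ts_ms
    return alerts

# Constructed design data: how often each known ID is normally transmitted.
EXPECTED_PERIOD_MS = {0x244: 10, 0x3E9: 100}
# Constructed capture: (timestamp in ms, raw frame).
SAMPLE_CAPTURE = [
    (0, make_frame(0x244, b"\x10\x00")),
    (0, make_frame(0x3E9, b"\x01")),
    (10, make_frame(0x244, b"\x11\x00")),
    (20, make_frame(0x244, b"\x12\x00")),
    (22, make_frame(0x244, b"\xff\xff")),  # off-schedule frame, same ID
    (30, make_frame(0x244, b"\x13\x00")),
    (50, make_frame(0x7A1, b"\x00")),      # ID not in the design data
    (100, make_frame(0x3E9, b"\x01")),
]

if __name__ == "__main__":
    for ts, arb_id, reason in timing_alerts(SAMPLE_CAPTURE, EXPECTED_PERIOD_MS):
        print(f"t={ts}ms id=0x{arb_id:03X} {reason}")
```

The off-schedule frame at 22 ms parses exactly like its neighbours, which is why the check has to rely on timing and known IDs rather than on anything in the frame itself.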
Into the future
Although CAN has limitations in bandwidth and overall structure, limits that restrict its effectiveness as a core network in future connected vehicles, it remains an established and cost-effective technology. CAN will remain a good choice for certain IVN solutions in the near to mid-term, especially those where low cost and low bandwidth are key design specifications. As such, CAN cyber security solutions are, and will remain, a vital consideration.
Local Interconnect Network (LIN)
The Local Interconnect Network (LIN) was developed in the late 1990s by the LIN Consortium, a group founded by the automakers Audi, BMW, Mercedes-Benz, VW and Volvo. Developed in response to the growing success of IVNs (CAN in this instance), and to meet a need for a lower-bandwidth, lighter-weight and thus cheaper and easier-to-implement option, LIN was introduced to the automotive market in the early 2000s.
Generally considered a subnetwork to CAN, LIN uses the same bus structure. However, being designed for lower bandwidth, it has a maximum bit rate of only 20 Kb/s, which enables the network to function on extremely low cost, single-wire harnesses. LIN is typically used in areas of the car where instantaneous response times are not required, such as seat, window and door controls.
LIN’s simplicity is also its greatest limitation in terms of connectivity within the vehicle. Due to its low bit rate, it is unsuitable for any role where immediate communication is required.
Regarding cyber security, most LIN vulnerabilities assume access to the greater network via its connection to the CAN bus. Protecting the CAN will limit LIN weaknesses in these instances.
Into the future
While LIN is unsuitable for the high bandwidth communication necessary in connected vehicles, its simplicity, cost and weight benefits, like CAN, make it a viable IVN solution for the near to mid-term.
FlexRay
The FlexRay IVN was developed by the FlexRay Consortium, which was formed in 2000 by BMW, Bosch, Daimler, General Motors and VW among others. First introduced in 2006, FlexRay was designed to be faster and more reliable than CAN or LIN, offering a higher bit rate and supporting fail-safe solutions for drive-by-wire features, such as electrical braking and steering, that replace mechanical and hydraulic control systems.
FlexRay has flexible design options, offering bus, star (think of a central hub with as many spokes as you need) and hybrid variations of these network topologies. Designed with safety in mind, it has built-in redundancy.
A hardware-limited maximum bit rate of 10 Mb/s, and higher implementation complexity than CAN-FD and Automotive Ethernet, limit its scope to support future connected vehicle data requirements.
From a cyber security standpoint, while the media access control methodologies that are used as standard make it more secure by design than CAN, it still shares the same vulnerabilities as the CAN IVN (namely vulnerable connected ECUs). Overcoming these limitations would require significant redevelopment, development the market seems unlikely to support.
Into the future
The FlexRay Consortium disbanded in 2009, and market trends seem to indicate that FlexRay will not be part of the IVN landscape of the future. Although it is still used in some vehicles today, it is widely believed that FlexRay will be phased out and replaced by either CAN-FD or Automotive Ethernet in the near to mid-term.
Media Oriented Systems Transport (MOST)
The Media Oriented Systems Transport (MOST) in-vehicle network was developed by the MOST Co-operation, a partnership of original equipment manufacturers (OEMs) and tier suppliers that includes BMW, Daimler, Harman and Microchip Technology (previously Oasis Silicon Systems). Formed in 1998, its aim was to create a set of standards and technologies that would evolve to support the growing infotainment and media demands of modern vehicles.
The MOST IVN supports media systems within the vehicle, enabling navigation, media systems and a host of other connected features. It can be configured in ring (think looped harness with each ECU/node connected to two others) and star topologies, allowing for increased flexibility in design.
MOST can be found in most luxury vehicles today, and offers variants to cater to most applications and markets. These include MOST25, MOST50 and the latest version, MOST150, which offers speeds of up to 150 Mb/s.
MOST offers the high speeds necessary to enable connected vehicles, and no doubt it will continue to evolve as media-rich technologies increase bandwidth demands within the vehicle. However, its key limitation is its hardware. Specified and supplied by Harman, Microchip Technology and a handful of smaller suppliers, this proprietary approach has kept costs high, to the point that many OEMs are now looking to Automotive Ethernet as a potentially cheaper and more flexible alternative.
From a cyber security perspective, MOST is primarily used for infotainment systems and is usually not connected to any automated vehicle control functionality, making it less critical for protection as an IVN. Any indirect use of the network (using infotainment connectivity options to access the CAN for instance) would be prevented by protection of the CAN IVN.
Into the future
In response to industry pressure, there has been movement to open the standards and license the intellectual property components of the technology. However, with so few manufacturers providing the hardware, costs are unlikely to reduce at a pace significant enough to slow the development of its main challenger, Automotive Ethernet.
Automotive Ethernet
The Automotive Ethernet IVN is based on the BroadR-Reach standard developed by Broadcom as part of the One-Pair Ether-Net (OPEN) Alliance Special Interest Group (SIG). The OPEN Alliance SIG was formed in 2011 by BMW, Broadcom and Harman, among others, to support and encourage the development and adoption of Automotive Ethernet.
It uses a switched star structure, enabling the network to be easily expanded. It is designed to offer cars greater bandwidth than their usual networks, offering speeds of up to 100 Mb/s in its current form, and is soon to reach faster speeds, with the IEEE 802.3 working group developing a much faster multi-Gig standard for future applications.
The star topology which makes it scalable also makes Automotive Ethernet potentially costly at this early stage in its lifecycle, and design methodologies will need to take this into account. Extra ports and switches add extra cost, so the number of ports left open for upgrades and additional ECUs will need to be carefully considered during the design stage.
From a cyber security perspective, Automotive Ethernet offers new and interesting challenges. It will be less about watching for malicious messages from rogue ECUs and more about network resource management. It is likely we will see attempted IT-like attacks, for instance malware or denial-of-service attacks. Preventing these attempts will require a security platform to monitor the network as a whole, checking open ports and watching for bandwidth abuse, among a variety of other scenarios.
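As an added illustration of that kind of whole-network monitoring (not code from the original article), the sketch below audits flow records from a switched in-vehicle Ethernet network against a design-time policy, flagging traffic to ports a node should not have open, senders the design does not know, and nodes exceeding their per-second transmit budget. The node names, ports, budgets and flow records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed design-time policy (assumption): ports each node may listen on,
# and how many bytes each node may transmit in any one-second window.
ALLOWED_LISTENERS = {
    "camera_front": set(),
    "head_unit": {("udp", 5004)},
    "gateway": {("tcp", 13400)},
}
TX_BUDGET_BYTES_PER_S = {
    "camera_front": 6_000_000,
    "head_unit": 500_000,
    "gateway": 1_000_000,
}

def audit(flows):
    """flows: iterable of (second, src, dst, proto, dst_port, bytes_sent)."""
    findings = set()
    sent = defaultdict(int)
    for sec, src, dst, proto, port, size in flows:
        # A flow reaching a port outside the design means something is listening there.
        if (proto, port) not in ALLOWED_LISTENERS.get(dst, set()):
            findings.add(("unexpected-port", dst, f"{proto}/{port}"))
        if src not in TX_BUDGET_BYTES_PER_S:
            findings.add(("unknown-node", src, ""))
        sent[(sec, src)] += size
    for (sec, src), total in sent.items():
        budget = TX_BUDGET_BYTES_PER_S.get(src)
        if budget is not None and total > budget:
            findings.add(("bandwidth-abuse", src, f"second {sec}: {total} > {budget}"))
    return sorted(findings)

# Constructed flow records, as a switch or network tap might export them.
SAMPLE_FLOWS = [
    (0, "camera_front", "head_unit", "udp", 5004, 4_000_000),
    (0, "head_unit", "gateway", "tcp", 13400, 2_000),
    (1, "camera_front", "head_unit", "udp", 5004, 4_000_000),
    (1, "head_unit", "camera_front", "tcp", 8080, 300),    # port not in the design
    (2, "head_unit", "gateway", "tcp", 13400, 400_000),
    (2, "head_unit", "gateway", "tcp", 13400, 400_000),    # 800 kB in one second
    (3, "obd_dongle", "gateway", "tcp", 13400, 100),       # node not in the design
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```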
Into the future
Although Ethernet is a recent entrant to the automotive industry, it is a mature technology with over 30 years of use in the wider networking market. A host of networking protocols and security methodologies have been developed in that time that lend themselves well to the challenges of automotive networking and cyber security.
The BroadR-Reach standard is an open and licensable technology, and if it gains wider adoption, Automotive Ethernet has the potential to replace MOST and FlexRay entirely, and perhaps even surpass CAN as the backbone of the future connected vehicle.