Safeguarding Automotive Sensors for Automotive Safety

In modern vehicles, sensors measure everything from the crankshaft’s rotating speed to the oxygen level in exhaust gases, fuel temperature, and the throttle position. Many are key components in safety-critical functions like advanced driver assistance systems (ADAS), providing another set of “eyes” for the vehicle. When your car “sees” an obstacle on the road ahead, it’s relying in part on sensors to provide the object detection that will trigger the automatic braking system to act. Safety—for you, your passengers, and those around your vehicle—clearly relies on the sensors operating properly. Today’s vehicles boast at least 200 sensors, working in concert with sophisticated algorithms and powerful processors to deliver intelligence and autonomous functions. Considering the integral role they play in vehicle operations, it’s clear that this is an attack surface that attackers might focus on.

As such, it’s clear that automotive sensors must be designed according to the functional safety development process mandated by ISO 26262, which assures that these components will perform as intended. Security is the other part of the equation, as the increase in smart technology inside vehicles open the doors to additional points of vulnerability. For example, the U.S. National Highway Traffic Safety Administration (NHSTA) currently classifies vehicles as “cyber-physical systems and cybersecurity vulnerabilities could impact safety.” NHTSA has an updated 2020 draft of its Cybersecurity Best Practices for the Safety of Modern Vehicles document, which mandates compliance from anyone manufacturing or selling vehicles in the U.S.

All of this begets the question, “From a security perspective, what are the key areas of sensor vulnerability—and what makes it challenging to fortify them”?

Protecting Against Security Breaches—from Silicon to System

We can’t afford to consider sensors without also considering the systems in which they operate. System designers must safeguard system operations while striking the right balance in terms of alerts shared with drivers.

From a hardware perspective, preventing unintended activities comes down to ensuring that silicon chips, as well as the high-speed interfaces transferring the data to ECUs, are protected from exploitation. In a vehicle, each sensor typically has its own dedicated ECU. The challenge, for both hardware designers and software developers, is that sensors in the field are expected to receive “dirty” data; however, they need to have the logic to discern what is dirty and what is not. In other words, they cannot rely on the user or the backend to discern the data for them.

When something does go wrong due to a security breach, most systems today don’t have a really good way to communicate that an error occurred. Consider ADAS, which is designed to warn drivers of impending dangers on the road as well as potential system failures—early enough so that the driver (or the vehicle) can take appropriate action. There’s a delicate balance in terms of the amount of information to provide to the driver. It’s important not to limit the information provided to prevent user errors due to information overflow.  At best, incidents are often flagged internally to be investigated at a future date if the log is ever retrieved, normally due to an accident. Usually, such system errors or failures trigger a recall that requires a trip to the dealership and, for the carmaker, a potentially expensive fix. A better approach would be to build in the security to prevent a malicious act from causing the error in the first place.

Invest in Security Early to Prevent Costlier Damage Later

Assessing security from the system level is a pragmatic way to prioritize where safeguards should be implemented. Sensors for safety-critical applications like ADAS and airbags, for example, should be given top priority. Look at the chips supporting each sensor, as well as the high-speed buses that transfer sensor data to the respective ECU. Deploy redundancy where necessary, so that if one area goes down, this won’t affect another critical area (this is important not just from a cybersecurity perspective, as ISO 26262 also stipulates redundancy in the interest of functional safety compliance).

While you might expect that as automakers examine their balance sheets, some may be averse to the cost of integrating these security considerations into their designs to maximize profits, surprisingly the trend is the opposite. We’re seeing more and more openness in the industry with regards to investing in security upfront. As is the case with any business, protecting silicon, software, and systems against malicious attacks early on can prevent the costly damages associated with such attacks. In addition, given how long drivers keep their cars, preventing security-related problems helps reduce the overhead associated with addressing these issues over the course of the 11 years that an average vehicle spends on the road.

With our long history of delivering automotive design, verification, prototyping, IP, and software security solutions, Synopsys is dedicated to helping our customers develop safe, secure, reliable, high-quality automotive electronic systems. With our solutions and our expertise, you can:

• Align with ISO 26262, MISRA, and emerging automotive cybersecurity standards
• Create your own testing mechanisms and ensure that security protocols are implemented
• Identify risky design flaws, control defects, and asset vulnerabilities during the design phase
• Detect third-party components, security vulnerabilities, license use, and code weaknesses during the development phase
• Gain a deeper understanding of your architecture and design to uncover vulnerabilities that may stem from chips chosen years ago