Securing V2X communications
First publishedin ITS International
Cybersecurity developments are moving fast in the automotive sector, but they’re a significant hurdle for the roll-out of C-ITS applications. Jon Masters reports.
In the wake of the high-profile hacking of the Jeep Cherokee and problems like the flaw in the Nissan Leaf’s companion app that could compromise the security of data about recent journeys, initiatives linked to vehicle cybersecurity seem to be moving rapidly.
Every few weeks a new project or partnership has been announced, aimed at addressing apparent shortcomings in vehicle security. Meanwhile, humming along quietly beneath this cybersecurity furore, an international collaboration has been progressing efforts to harmonise the security of C-ITS – connected vehicle systems.
This initiative has been underway for nearly two years, under the auspices of an international programme of coordinated research on cooperative vehicle systems. The results so far from ‘Harmonisation Working Group 6’ (HWG6), build a compelling case for having common ways of assuring C-ITS security, while also identifying some lingering problems and further delays to the roll-out of C-ITS applications.
Communications between vehicles, and between vehicles and the infrastructure, hold the potential for big benefits to safety and traffic management - the US ITS Joint Programme Office’s Connected Vehicle Reference Implementation Architecture, lists around 90 possible applications.
To some extent, the necessary in-vehicle technology and roadside and central ITS back office systems of C-ITS can be seen to stand apart from the electronic hardware and software prevalent in modern cars. Certainly, the majority of C-ITS applications – those involving communication with infrastructure – are reliant on oversight and direction from the public sector rather than promotion solely by vehicle manufacturers.
In many other ways, however, automotive and C-ITS technology are similar and the security issues, and possible solutions, are much the same. The key is authentication of identity and trust between vehicles and ITS systems, and the cryptology behind security protection software.
“We have seen a number of stories in the media reporting demonstrations of how vehicles can be hacked in one way or another,” says the European co-chair of HWG6, Knut Evensen.
“Security is only as good as its weakest point and while vehicles have to be protected, about 90% of C-ITS security will be in back office systems and the majority of services will store data in the cloud. Vehicles are devices at the end point of the service for the consumer.
Symbols from the EU's Green Light Optimal Speed Advisory (GLOSA) trial illustrate the necessity of cyber security
“For security purposes, appropriate hierarchies of trust between all parts of the overall system are vital, using sets of rules and certification procedures necessary for using devices safely.
It’s important that highway and traffic engineers have an awareness of this so they can check that adequate protection for security and data privacy is in place as C-ITS becomes more common.”
The HWG6 work spun out of a US-EU agreement to establish joint work on connected vehicle standards. The security harmonisation initiative includes security experts representing technology companies and academia, as well as the European Commission, the USDOT and Transport Certification Australia. A need for standardised security across Europe can be readily understood, but why pursue this internationally?
“The aim is partly to reduce manufacturing costs and to promote consistent knowledge and points of view on the whole subject internationally. If the US, Europe and Australia are doing the same thing, it’s setting the right lead for others to follow,” says HWG6 member and chief scientist for the US consultant Security Innovation, William Whyte.
HGW6 is aimed at the policy level of C-ITS developments. It does not deal with the technical detail of security software, rather its aim is to ‘facilitate successful implementation of any jurisdictional C-ITS seeking to harmonise with similar adjacent systems by presenting a C-ITS security framework’.
Crucial to security is the development and appropriate levels of trust between C-ITS Credential Management Systems (CCMS). These are most likely to be based on Public Key Infrastructure (PKI) similar to identity verification technology used commonly in the banking sector.
The working group has produced a series of policy recommendations, the main one being that policymakers keep numbers of individual CCMS to a minimum; essentially to keep complexities and costs as low as possible.
According to HWG6’s executive summary output report, different CCMS do not have to be completely compatible providing there is coordination at a policy level on the criteria to be used to determine whether a device is trustworthy for receiving security credentials.
This might appear to leave the roll-out of C-ITS hostage to the pace of political decisions, but politicians are likely to rely on the advice of the security experts. In reality, it is groups such as HWG6 that will decide procedures.
“It is an advantage, this technology being over the head of a lot of politicians. Generally they are happy to leave the technical decisions to us,” says Whyte.
The difficulty, it seems, comes from the fact that to date there is not a single CCMS ready for use. “Prototype systems have been built, but nothing is production ready,” Whyte says.
Evensen says: “Security, including protection of personal data, is now generally seen as being the big remaining issue delaying deployment of C-ITS. The European Car 2 Car Consortium previously said 2015 was going to be the year for the first application going live, but we know now this will be 2016 at the earliest. CCMS development is not moving much at present.”
And now Europe’s hopes for a 2016 deployment also look to be on shaky ground. Having been slightly ahead in the past, Europe is now behind the US where a mandate is expected in 2017 for fitting C-ITS to all new cars built from 2019.
“There is a value question against C-ITS in Europe, because it’s largely a voluntary approach and less of a priority there. If they had a mandate similar to the US, that would be a game changer,” says Whyte.
“Provision of security to a PKI approach will have to be managed by an appropriate authority. There’s considerable cost and complexity involved. The vehicle OEMs all have very sophisticated IT departments and they’re going to be better able to set up a PKI for security.
Researchers Charlie Miller and Chris Valasek highlighted cyber security flaws by crashing a Jeep in a staged demonstration.
“Basically, it’s all about ID management. One option is to spend a long time coordinating development of a single system for everyone, or alternatively, to let multiple CCMS appear and work out the interoperability later. We’ve concluded that this second route is best, but it’s still difficult.”
According to HWG6 reports, at least two CCMS pilot systems are developing – one in Europe, the other in the US. Australia is looking to build upon an existing PKI used for applying commercial vehicle regulations. A further recommendation from HWG6 is the establishment of governance over C-ITS security. This could come from an international organisation of CCMS managers responsible for standards, which HWG6 has also called for.
“We are trying to bed down the issues to the point where we have oversight and governance from an organisation of bureaucrats and industry working together,” Whyte says. “Selection of appropriate levels of security and its enforcement are difficult issues. Should we protect all or most systems?
“A certain level of protection will be needed, but C-ITS is going to be unaffordable to run if it’s too strict on security and no matter what a governance body says, it’s likely some will do things their own way, with a lighter touch, making their own mistakes.”
Such concerns may be unnecessary. Vehicle OEM supply chains report a significant step-up in security procedures. Technology suppliers claim to already have the right PKI enabling technology at the ready.
“These recent wake-ups for the automotive sector are not a surprise for the electronics and security industries. All of the car hacks we’ve seen over the past year would not have been possible if appropriate electronic locks using technology already available had been in place,” says Lars Regers, chief technology officer for automotive at NXP
“The same mechanisms can be put in place for C-ITS and the good news is that the expensive part is already effectively standardised in the form of the hardware and firmware that will go into crypto-controllers.
“Of course there has to be a sophisticated system of certificate exchange and mechanisms for regularly downloading and changing certificates to ensure security and privacy. But with the right levels of electronic lock, the costs can become efficient. The key is not necessarily having the right level of firewall in place, but that car infrastructure can detect a breach of its security and respond accordingly. Detectability is a big part of the story. Our chips have this capability.”