How Safety and Security are related
Author: Stefan Kriso, Robert Bosch GmbH
Contribution – Embedded Software Engineering Congress 2015
With the increasing connectivity of vehicles with their environment, automotive security is currently gaining significant importance – from "simple" connectivity via an in-vehicle smartphone with internet access to a potentially permanent data connection for automated driving in the future. Wherever external data access exists, hackers will sooner or later attempt to gain access to the vehicle, as a recent example vividly demonstrates [1]. Regardless of the security issues described there and their actual practical relevance, it is possible to trigger vehicle functions that are classified as safety-relevant, such as engine shutdown (breakdown), self-steering, or brake failure. In principle, there is therefore a risk that a security attack on a vehicle, whether unintentional or deliberate, could trigger safety-relevant malfunctions. This paper examines the relationship between automotive security and functional safety in more detail. Other security assets to be protected, such as data privacy, are deliberately excluded from this analysis.
Product Safety, Functional Safety
First, we consider the topics of product safety and functional safety. In Germany, the starting point for the safety that a product must offer in order to be placed on the market is the Product Safety Act [2]:
„A product may […] only be made available on the market if, when used as intended or in a foreseeable manner, it does not endanger the safety and health of persons.“ [§3(2) ProdSG]
The German term "Sicherheit" used in the Act is to be understood here in the sense of safety. But what exactly is "safety"? A definition of this term can be found, for example, in [3]:
„Safety = freedom from unacceptable risk“ or, in German, „Sicherheit = freedom from unacceptable risks“
Safety, therefore, is not freedom from all risks – in principle, there are technically acceptable residual risks. The question is whether an individual is willing to bear this remaining residual risk, or whether society considers a residual risk acceptable.
Let us take a closer look at the concept of risk. One possible definition can be found in [3]:
„Risk = combination of the probability of a harm occurring and its severity.“
The probability of damage occurring can be calculated from the combination of the probability of the hazardous situation, the probability of the hazardous event occurring, and the possibility of avoiding or reducing the hazard (Figure 1, see PDF).
A reduction in risk is necessary if the remaining residual risk exceeds an acceptable level. This approach is also described in [3], see Figure 2 (see PDF). In a hazard analysis and risk assessment, hazards are identified and the resulting risks are evaluated. If this initial hazard analysis and risk assessment reveals that the initial risk exceeds the acceptable residual risk, risk-reducing measures are necessary to bring the residual risk down to an acceptable level, or at least to the lowest unavoidable level.
In this context, both the intended use and reasonably foreseeable misuse must be considered. This aligns with Section 3(2) of the Product Safety Act (ProdSG), which refers to this as "intended and foreseeable use," as mentioned above. However, it is not always expected that misuse will be included in these considerations – although admittedly, it is difficult, if not impossible, to establish an objective or even temporally unchanging limit here.
An example from the automotive sector may illustrate this: The intended use of a road vehicle is that it is driven at a speed of no more than 50 km/h within city limits (legal requirement). When considering the hazards and risks, it must be assumed, in the context of foreseeable use, that this speed limit is not always strictly observed and that, for example, driving at 60 km/h might occur. However, it cannot be assumed that 250 km/h is regularly driven, as this implies a significant potential for criminal activity, which cannot be attributed to the average user. However, precisely where the line lies between "foreseeable use" and "misuse" cannot be determined with absolute certainty and objectivity.
These fundamental definitions of "safety" and "risk" can also be applied to other areas of daily life, such as the safety/risk of financial investment products. In the area of safety as we consider it here, i.e., when it concerns the safety of life and limb, these definitions serve as the basis for corresponding safety standards. Fundamentally, this is found in IEC 61508 [4], the overarching "parent standard" of many derived, industry-specific standards for the functional safety of electrical/electronic (E/E) systems. For road vehicles, ISO 26262 represents the corresponding industry-specific derivation of IEC 61508 and adopts the concepts of safety and risk accordingly [5]:
„Safety = Absence of unreasonable risk“
„Risk = Combination of the probability of occurrence of harm and the severity of that harm“
„Unreasonable risk = Risk judged to be unacceptable in a certain context according to valid societal moral concepts“
„Functional safety = Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems“
The following explains how the terms introduced above are further mapped to ISO 26262:
In hazard analysis and risk assessment, the "initial risk", i.e. the risk without considering risk-reducing measures, is determined using three influencing factors:
- The „Exposure“ (E-parameter) assesses the frequency or duration with which the person at risk is in the hazardous situation under consideration.
- The „Controllability“ (C-parameter) assesses the possibility with which the affected person or another person involved can control the occurrence of the malfunction under consideration in the assumed situation, i.e., can sufficiently mitigate the effect of the malfunction.
- The „Severity“ (S-parameter) assesses the severity of the impact if the malfunction under consideration cannot be controlled in the assumed driving situation.
These three parameters result in the so-called Automotive Safety Integrity Level (ASIL) as shown in Figure 3 (see PDF).
ASIL D represents the highest level, ASIL A the lowest. The higher the ASIL rating, the higher the initial risk and the more risk-reducing measures are necessary. The "QM" rating indicates that the application of a standard quality management system, e.g., according to ISO/TS 16949, is sufficient for risk reduction (Figure 4, see PDF).
Furthermore, according to ISO 26262, no measures are necessary (i.e., not even the application of a QM system) if the probability of the hazardous situation is extremely unlikely (Exposure E0 = it almost never happens), or if there is no need to take action to control the malfunction (Controllability C0 = it is merely annoying), or if there is no risk to life and limb (Severity S0 = mere vehicle body damage, no personal injury) [Note 1].
Figure 5 (see PDF) illustrates the relationship between ISO 26262 [5] and the general terminology / procedure according to [3].
The remaining risk (labeled "Risk" in Figure 5) is thus a combination of the initial risk and the probability of the hazard actually occurring (in the sense of a failure rate). If this remaining risk is to be limited to a level below an acceptable (unquantified!) residual risk, this means that the higher the initial risk, the lower the probability of the hazard actually occurring must be, e.g., the system failure rate.
The "enemies" addressed by ISO 26262 for the functional safety of road vehicles are systematic errors and random hardware failures. To prevent systematic errors, it sets requirements for the development process (safety life cycle); to manage random hardware failures and remaining systematic errors (whose prevention cannot always be fully guaranteed), it sets requirements for the technical implementation in the product (e.g., redundancies, monitoring, diagnostics).
Automotive Security from a Safety Perspective
Let us now set aside the adversaries addressed by functional safety, namely systematic errors and random hardware failures, and consider a further adversary: the deliberate attack on the vehicle or its E/E systems. First, it should be noted that this adversary falls outside the scope of ISO 26262. Nevertheless, it too can lead to safety-critical behavior and is therefore, in principle, safety-relevant, as impressively demonstrated in [1]. The question that now needs to be answered from a safety perspective is: Are risk-reducing measures necessary for a given attack in order to ensure sufficient product safety?
Here too, the two-step approach described above and in [3] is recommended:
- Determining the initial risk without considering risk-reducing measures in a hazard analysis and risk assessment. However, while ISO 26262 considers the probability of the driving situation (exposure) and the actual occurrence of the malfunction ("failure") to be fundamentally independent events, automotive security must take into account that the occurrence of a malfunction is deliberately provoked in a specific driving situation, so this independence cannot be assumed. Therefore, adopting the E-parameter and thus the ASIL classification from the hazard analysis and risk assessment of ISO 26262 is not permissible; a reassessment of the exposure must be carried out. In particular, limiting the consideration of safety-enhancing security measures to, for example, only ASIL C or D malfunctions would be insufficient.
- Assessment of the remaining residual risk and, if necessary, implementation of measures to reduce the risk.
In step 1, the fundamental question is how likely an attack on the vehicle is. If it is highly probable, for example because the target is very attractive, and this results in an initial risk of a malfunction caused by the attack that exceeds the acceptable risk, then risk-reducing measures are necessary to ensure product safety. It is important to emphasize that assessing the probability of an attack is an expert assessment with very high uncertainties, as parameters such as attacker capabilities, attacker motivation, and the components surrounding the system under consideration strongly influence the result. In particular, the assessment of the probability of an attack can change significantly over time, for example, through the addition of a networking function not present in the initial assessment or through increasing attacker capabilities.
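The re-assessment of exposure argued above, carried through as an added example (our code, not the paper's): the S/E/C-to-ASIL mapping is ISO 26262-3 Table 4 (the paper's Figure 3 is only in the PDF), the malfunctions and their S/E/C values are constructed, and the assumption that an attacker provokes the malfunction in the most exposed situation (E4) is ours; the resulting "attack case" rating reuses the ASIL scheme only for illustration.

```python
# Added example (not from the paper): the ISO 26262 S/E/C-to-ASIL mapping and
# the re-assessment of exposure for a deliberately provoked malfunction.
from dataclasses import dataclass

# ISO 26262-3 Table 4. Keys: severity S1..S3, then exposure E1..E4;
# each list holds the rating for controllability C1, C2, C3.
ASIL_TABLE = {
    1: {1: ["QM", "QM", "QM"], 2: ["QM", "QM", "QM"], 3: ["QM", "QM", "A"], 4: ["QM", "A", "B"]},
    2: {1: ["QM", "QM", "QM"], 2: ["QM", "QM", "A"], 3: ["QM", "A", "B"], 4: ["A", "B", "C"]},
    3: {1: ["QM", "QM", "A"], 2: ["QM", "A", "B"], 3: ["A", "B", "C"], 4: ["B", "C", "D"]},
}

def asil(s: int, e: int, c: int) -> str:
    """Return 'none', 'QM' or 'A'..'D' for severity s, exposure e, controllability c."""
    if s == 0 or e == 0 or c == 0:
        return "none"  # S0/E0/C0: no measures required, not even a QM system
    if not (1 <= s <= 3 and 1 <= e <= 4 and 1 <= c <= 3):
        raise ValueError("expected S in 0..3, E in 0..4, C in 0..3")
    return ASIL_TABLE[s][e][c - 1]

@dataclass(frozen=True)
class Malfunction:
    name: str
    s: int  # severity from the safety hazard analysis and risk assessment
    e: int  # exposure from the safety analysis (situation and failure independent)
    c: int  # controllability from the safety analysis

def attack_rating(m: Malfunction) -> str:
    """Rating of the same malfunction when it is provoked by an attack.

    Assumption (ours, hypothetical): the attacker triggers the malfunction in
    the most hazardous driving situation, so exposure becomes E4 instead of
    the independent-event value of the safety analysis. The result reuses the
    ASIL scheme only for illustration; it is not a normative ASIL.
    """
    return asil(m.s, 4, m.c)

# Constructed malfunctions with illustrative S/E/C values, not from a real analysis.
EXAMPLES = [
    Malfunction("engine stop in a rarely used driving mode", s=3, e=1, c=2),
    Malfunction("unintended steering torque at high speed", s=3, e=2, c=2),
    Malfunction("unintended airbag deployment", s=3, e=4, c=3),
]

def compare(malfunctions=EXAMPLES) -> dict:
    """Map each malfunction name to (safety ASIL, rating in the attack case)."""
    return {m.name: (asil(m.s, m.e, m.c), attack_rating(m)) for m in malfunctions}

if __name__ == "__main__":
    for name, (safety, attack) in compare().items():
        print(f"{name}: ISO 26262 {safety} -> attack case {attack}")
```

The first constructed malfunction is QM in the safety analysis but rates C once the attacker chooses the situation, which is why restricting security measures to ASIL C/D malfunctions is insufficient.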
Interaction between Automotive Security and Functional Safety
Measures to ensure product safety must address the respective perceived threat; that is, a deliberate attack as a perceived threat falls within the scope of automotive security, and corresponding measures are, in principle, initially to be sought outside of functional safety/ISO 26262. However, closer examination reveals that the two topics are not as separate as one might initially assume.
A closer look at the procedures reveals that they are very similar (Figure 6, see PDF).
Similar activities take place on the left side of the V-model, but with different content. Different expertise is required to carry them out; it is not necessarily sensible to assign security tasks to safety experts. However, it is important to introduce synchronization points where safety and security experts can coordinate their work to resolve contradictions, avoid conflicting measures in the product, and leverage potential synergies.
Since testing on the right side of the V-model ideally takes place against requirements, the source of the requirement (safety or security) should not play a (major) role here. A separation only occurs during the final validation; safety validation and security validation require significantly different approaches and measures.
When defining or implementing a "Security Engineering Process," it is important to ensure that the processes and procedures in the area of functional safety are already implemented and reflect the current state of the art. Security procedures and measures should integrate seamlessly and not contradict existing practices to enable efficient implementation.
At the technical level, the first priority is to prevent safety and security concepts from negatively impacting each other. This can be illustrated with a (highly simplified) example:
The most safety-critical malfunction of a driver's airbag is unintended deployment, which, according to ISO 26262, is assigned the highest ASIL D rating. Preventing this malfunction is of paramount importance; in particular, it must be ensured that this malfunction does not occur even in the event of a hacking attack – whether intentional or unintentional (safety requires security). On the other hand, an overly stringent security mechanism must not delay or even prevent airbag deployment in the event of an accident, as this would impair the intended function of the airbag: protecting the occupants in the event of a crash (security must not compromise safety).
Besides the challenge of implementing safety and security together and without contradictions, there are also potential synergies at the technical level. Examples include the message protection measures CRC (Cyclic Redundancy Check) and MAC (Message Authentication Code) (Figure 7, see PDF). Under certain conditions, it is possible to replace protection of a message by the CRC with protection by the MAC, so that a single mechanism benefits both safety and security [7], [8].
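To make the CRC/MAC synergy concrete, an added example (our code, not the paper's and not the mechanism of [7] or [8]) protects the same payload with a keyless CRC-8 and with an HMAC-SHA256 tag truncated to 32 bits (the truncation, the constructed key and the sample payload are our assumptions), and checks what each detects in the safety case (a random bit error) and in the security case (an injected message).

```python
# Added example (not from the paper or from [7]/[8]): the same payload protected
# by a keyless CRC and by a keyed MAC, and what each check catches.
import hashlib
import hmac

CRC8_POLY = 0x07  # CRC-8 (x^8 + x^2 + x + 1), init 0, no reflection, no final XOR
MAC_LEN = 4       # assumption: tag truncated to 32 bits to fit a short frame
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key only

def crc8(data: bytes) -> int:
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ CRC8_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def mac(payload: bytes, key: bytes = KEY) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]

def protect_crc(payload: bytes) -> bytes:
    return payload + bytes([crc8(payload)])

def check_crc(frame: bytes) -> bool:
    return crc8(frame[:-1]) == frame[-1]

def check_mac(frame: bytes, key: bytes = KEY) -> bool:
    payload, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    return hmac.compare_digest(mac(payload, key), tag)

def flip_bit(frame: bytes, bit: int) -> bytes:
    # Model a random hardware fault: one bit of the frame is inverted.
    out = bytearray(frame)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def scenarios(payload: bytes = b"\x00\x01\x02\x03") -> dict:
    """Safety case (random bit error) and security case (injected message)."""
    crc_frame = protect_crc(payload)
    mac_frame = payload + mac(payload)
    # Single-bit error in the payload: a CRC detects every single-bit error by
    # construction; the truncated MAC misses it only with probability 2**-32.
    bit_error = {
        "crc": not check_crc(flip_bit(crc_frame, 5)),
        "mac": not check_mac(flip_bit(mac_frame, 5)),
    }
    # Injected frame carrying another payload: the keyless CRC is simply
    # recomputed, while a valid MAC needs the key, so the old tag fails.
    injected = b"\xff\x01\x02\x03"
    injection = {
        "crc": not check_crc(protect_crc(injected)),
        "mac": not check_mac(injected + mac_frame[-MAC_LEN:]),
    }
    return {"bit_error_detected": bit_error, "injection_detected": injection}
```

The "certain conditions" of the text show up in the comments: the MAC covers both cases, but its detection of random corruption is probabilistic (1 - 2^-32 here) rather than the guaranteed burst-error coverage of a CRC, and neither mechanism alone addresses message replay.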
Furthermore, there are other potential synergies at both the technical and process levels that make close cooperation between safety and security experts beneficial.
Standardization
As with safety, there is no absolute certainty in security either. Therefore, any individual solution can subsequently be accused of being insufficiently secure. A step in the right direction would be industry-wide agreement on the procedures for achieving the minimum state of the art. In the field of safety, numerous standards exist for this purpose. Specifically for the functional safety of road vehicles, ISO 26262, published in November 2011 and currently under revision, describes the requirements for the development of functionally safe electrical/electronic (E/E) systems in automobiles. Particular consideration is given to the specific characteristics of the automotive domain, such as the procedures for distributed development across multiple suppliers. This standard thus represents the automotive industry's common view on functional safety; its application is a necessary but not sufficient condition for achieving the state of the art.
In the field of automotive security, such a standard is currently lacking. While a guideline (SAE J3061, [9]) is being developed as an initial step in this direction, it primarily describes possible measures ("what needs to be done") without normative intent and without placing them within a corresponding lifecycle context ("when and how much needs to be done"). A standard comparable to ISO 26262 would be desirable here, one that standardizes procedures for developing secure systems in road vehicles, for example, how to classify the necessary risk reduction measures.
Furthermore, the SAE guideline focuses too heavily on safety as an asset to be protected by security measures and gives insufficient consideration to other assets, such as privacy or confidentiality. This should be given greater consideration in future standardization efforts. Such a standard, comparable to ISO 26262, could also contribute to a common understanding of automotive security within the automotive industry, thereby improving the development of secure systems across supplier boundaries.
Summary
With the increasing connectivity of road vehicles and the resulting new external access possibilities, automotive security is gaining ever greater importance. Alongside other assets requiring protection, (functional) safety will increasingly come into focus in the future, as attacks that trigger safety-critical behavior can already be demonstrated today – albeit currently primarily at an academic level. From a product safety perspective, security measures are necessary when the probability of an attack leads to a safety risk, such that the product no longer offers the expected level of safety. Synergies between functional safety and automotive security are possible at both the process level and in technical implementation, making coordination between the two disciplines both necessary and beneficial. A standard for automotive security comparable to ISO 26262 can promote a shared understanding within the automotive industry and contribute to the development of secure systems, even across supplier boundaries. On the one hand, it does not make sense to standardize the topic of automotive security within ISO 26262, but on the other hand, care must be taken to ensure that such a standard does not contradict ISO 26262, as otherwise efficient implementation in companies will not be possible.
References
[1] „Hacker remotely crashes Jeep,“ The Telegraph (accessed on 03.08.2015)
[2] Act on the Provision of Products on the Market (Product Safety Act – ProdSG), 08.11.11
[3] ISO/IEC Guide 51:2014: „Safety aspects – Guidelines for their inclusion in standards“
[4] IEC 61508:2010: „Functional safety of electrical/electronic/programmable electronic safety-related systems“
[5] ISO 26262:2011: „Road vehicles – Functional safety“
[6] M. Klauda, S. Kriso: „Security as a driver of future system development“, ESE Management Summit 2014, Würzburg, 10 July 2014
[7] B. Glas et al.: „Automotive Safety and Security Integration Challenges“, In: Automotive – Safety & Security 2015, Lecture Notes in Informatics, Volume P-240, 2015, ISBN 978-3-88579-634-3.
[8] B. Glas, C. Gebauer: „Safety & Security: Synergies and Challenges of Integrity-protected Bus Communication“ (to be published)
[9] „SAE committee busy developing standards to confront the cybersecurity threat“, SAE (accessed on 11.08.2015)
[Note 1] In practice, however, for reasons other than functional safety / ISO 26262, a standard QM system will still be used in these cases.