Thierry Kouthon, a technical product manager at Rambus, recently wrote an article for Semiconductor Engineering that takes a closer look at the critical importance of securing automotive electronics. As Kouthon notes, modern cars can have up to 100 Electronic Control Units (ECUs) depending on their class, make, and model – with the number of ECUs rising even higher in electric vehicles.
What is an ECU?
“An ECU is an embedded system in the car’s electronics,” Kouthon explained. “They are used to control all the vehicle’s functions, including engine, powertrain, transmission, brakes, suspension, dashboard, entertainment systems and more.”
According to Kouthon, the increasing popularity of self-driving vehicles has accelerated this trend, especially given the critical reliance on sensors and actuators to control and respond to external conditions.
“The reliability of these electronic components can be mission critical to the safety and reliability of the vehicle,” he elaborated.
What is the most common automotive safety standard?
“…industry standards [like] ISO 26262 have been developed to ensure the functional safety of automotive electrical and electronic systems.”
Essentially, ISO 26262 defines a risk-based approach to the hazards that malfunctioning electrical and electronic equipment in the vehicle could cause. Each hazard is rated by its severity, the exposure to it, and how controllable it is by the driver, and the resulting Automotive Safety Integrity Level (ASIL) is assigned to the safety goal and, from there, to the ECUs and components that implement it. For example, the engine control ECU belongs to a higher risk class than the ECU responsible for the taillights. Four integrity levels exist, from A (the least demanding) to D (the strictest), each imposing progressively stricter constraints and requirements on the ECU; functions with no safety relevance are classified QM (quality management) and carry no ASIL requirements.
From a practical standpoint, says Kouthon, designing ECUs to be ASIL-compliant requires the addition of verification hardware and safety mechanisms such as redundancy of critical components, error correction codes (ECC), Built-in Self-Test (BIST), system watchdogs, and cyclic redundancy checks (CRCs).
“The ECUs also need to control an increasing number of sensors and actuators. For example, an airbag ECU controls several airbags in a vehicle in addition to acceleration, angular rate, and pressure sensors to evaluate direction and intensity of impact,” he states. “These added mechanisms and components increase the complexity of the system and hardware verification process. They require a different verification flow than the one used for non-automotive hardware. The verification process must also support fault-injection to test for various fault handling scenarios.”
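The fault-injection step Kouthon describes can be exercised against one of the mechanisms listed above, the CRC. The C program below is an added example, not code from Kouthon's article or from Rambus: it seals a constructed 8-byte sensor frame with a CRC-8 (the SAE J1850 parameters, polynomial 0x1D with init and final XOR of 0xFF, are this example's assumption; the article names no polynomial), then injects every single-bit and every double-bit flip into the sealed frame and counts how many corrupted frames the receiver's check still accepts. The frame layout, the field values and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-8 with the SAE J1850 parameters (poly 0x1D, init 0xFF, final XOR 0xFF).
 * The polynomial is this example's assumption; the article does not specify one. */
uint8_t crc8_j1850(const uint8_t *data, size_t len)
{
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x80u) ? (uint8_t)((crc << 1) ^ 0x1Du) : (uint8_t)(crc << 1);
    }
    return (uint8_t)(crc ^ 0xFFu);
}

/* Hypothetical frame layout for this example: [0] rolling counter,
 * [1..6] sensor payload, [7] CRC over the preceding seven bytes. */
#define FRAME_LEN 8u
#define CRC_POS   (FRAME_LEN - 1u)
#define NBITS     (FRAME_LEN * 8u)

/* Sender side: compute and append the check value. */
void frame_seal(uint8_t frame[FRAME_LEN])
{
    frame[CRC_POS] = crc8_j1850(frame, CRC_POS);
}

/* Receiver side: accept the frame only if the check value matches. */
bool frame_check(const uint8_t frame[FRAME_LEN])
{
    return crc8_j1850(frame, CRC_POS) == frame[CRC_POS];
}

/* A constructed sample frame: counter 0x2A and an arbitrary six-byte payload. */
void sample_frame(uint8_t frame[FRAME_LEN])
{
    const uint8_t payload[6] = {0x01, 0xF4, 0x00, 0x3C, 0x80, 0x12};
    frame[0] = 0x2A;
    memcpy(&frame[1], payload, sizeof payload);
    frame_seal(frame);
}

/* Fault injection, single-bit model: flip each of the 64 bits in turn (CRC byte
 * included), run the receiver's check, and count corrupted frames it accepted. */
unsigned undetected_single_bit_faults(void)
{
    uint8_t good[FRAME_LEN], bad[FRAME_LEN];
    unsigned undetected = 0;
    sample_frame(good);
    for (unsigned i = 0; i < NBITS; i++) {
        memcpy(bad, good, FRAME_LEN);
        bad[i / 8] ^= (uint8_t)(1u << (i % 8));
        if (frame_check(bad))
            undetected++;
    }
    return undetected;
}

/* Double-bit model: every pair of distinct bit positions (64 * 63 / 2 = 2016 trials). */
unsigned undetected_double_bit_faults(void)
{
    uint8_t good[FRAME_LEN], bad[FRAME_LEN];
    unsigned undetected = 0;
    sample_frame(good);
    for (unsigned i = 0; i < NBITS; i++) {
        for (unsigned j = i + 1; j < NBITS; j++) {
            memcpy(bad, good, FRAME_LEN);
            bad[i / 8] ^= (uint8_t)(1u << (i % 8));
            bad[j / 8] ^= (uint8_t)(1u << (j % 8));
            if (frame_check(bad))
                undetected++;
        }
    }
    return undetected;
}

/* A CRC is a safety mechanism, not a security one: an attacker who can write the
 * frame simply recomputes the check value, and the receiver accepts the forgery. */
bool forged_frame_accepted(void)
{
    uint8_t frame[FRAME_LEN];
    sample_frame(frame);
    frame[3] = 0xFF;   /* tamper with the payload ... */
    frame_seal(frame); /* ... and recompute the CRC as the attacker would */
    return frame_check(frame);
}

int main(void)
{
    printf("single-bit faults undetected: %u of %u\n", undetected_single_bit_faults(), NBITS);
    printf("double-bit faults undetected: %u of %u\n", undetected_double_bit_faults(), NBITS * (NBITS - 1) / 2);
    printf("forged frame with recomputed CRC accepted: %s\n", forged_frame_accepted() ? "yes" : "no");
    return 0;
}
```

Both fault counts come out at zero: this polynomial is primitive, so on a 64-bit frame every one- and two-bit fault is caught, which is the kind of coverage figure a fault-injection campaign feeds into an ASIL argument. The last function makes the point that motivates the security discussion that follows: a CRC detects faults, not attackers. Anyone who can write to the bus recomputes the check value and the receiver accepts the forged frame, so authenticity has to come from a keyed mechanism rather than from the safety mechanisms alone.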
Is the verification of automotive ECUs and sensors a challenging process?
“[Yes], verification needs to cover real-time embedded mixed-signal domains and must be done at the system level, not only at the component level,” he continues. “[In addition, certain] verification scenarios require time to complete, which conflicts with the automotive industry’s stringent production calendars that demand first-time-right designs.”
Moreover, because there are four ASIL levels, a device must be verified against both its internal specification and the external requirements that its target safety level imposes. All devices within a given category must meet or exceed the threshold set for that ASIL. This gives a uniform, unbiased criterion for evaluating components destined for safety-critical systems.
As Kouthon emphasizes, automotive cybersecurity adds yet another set of constraints to verification, because every safety-critical system is also a security-critical system: a successful cyber-attack against it could endanger human life. The converse does not hold, however; a security-critical system such as infotainment is not necessarily safety-critical, even though it can serve as the attacker's route into systems that are.
“Automobiles are an attractive target for hackers,” he explains.
“They have been successfully breached in many highly publicized experiments, sometimes leading to a takeover of the vehicle from a remote location using its infotainment system as a gateway.”
Standards such as SAE J3061 and ISO/SAE 21434 address automotive cybersecurity to prevent such occurrences; ISO/SAE 21434, published in 2021, has largely superseded the earlier J3061 guidebook and requires a threat analysis and risk assessment (TARA) for each item. In general, cybersecurity deals with threats rather than hazards, and threats are harder to enumerate because they originate with an adaptive adversary and may still be undiscovered when the design is verified.
“Security requires known behavior under all circumstances, so the verification scope must be increased to cover expected inputs and unexpected/unauthorized/illegal inputs,” Kouthon elaborates. “This dramatically increases the scale of the verification effort. The challenge is to include the additional input set and perform proper verification, and all this within the time constraints imposed by automotive production calendars.”
What is the foundation of safeguarding any electronic system?
As Kouthon points out, the foundation of safeguarding any electronic system is security anchored in hardware. This can be achieved by embedding a hardware root of trust in the ICs used in automotive ECUs.
For example, Rambus offers ISO-26262 ASIL-B and ASIL-D ready hardware root of trust cores tailored for automotive applications. These root of trust cores (RT-640 and RT-645 respectively) protect against a wide range of failures including permanent, transient and latent faults, and hardware and software attacks with state-of-the-art anti-tamper security techniques.
“By partnering with Rambus, a company with over 20 years of renowned security experience, automotive designers can help ensure their safety critical SoCs are safeguarded against cyberattack,” he concludes.