EEA Safety and Security Perspective 01

[Samuel WENG] AI, Cybersecurity, and safety investigator

This is a series of articles discussing how the safety and security perspective will perform in the EEA era.

On an ordinary day, Xiaoming gets up early and goes to his company for work; he works for an OEM in China as an EE architecture designer. Getting up early cannot heal his mood after several days of heated debate with his safety colleague Laura and his security colleague Tom. They are discussing how to build a new development platform in the EE architecture, how best to fuse functional safety and cybersecurity, and how to do so at low cost. Xiaoming explains at length that their company is using a Domain Centralized EE architecture and has a sharp budget constraint, so in some domains the ECUs may suffer an ASIL level or CAL level downgrade. Laura, however, argues that those ECUs are critical and cannot be downgraded, and that real-time operation, including the FTTI, must be respected; conversely, Tom argues that the domain controller does not have enough cybersecurity controls, since private data is collected there in huge volumes even though it is not safety critical. In the end they cannot reach a good result, and after several weeks the project stops; finally they come to me and we discuss it.

Chapter 0: Background

Worldwide, roughly since 2018, we have gone through many innovative technologies such as:
- V2X
- ADS system
- Software Defined Vehicle

Most of us will know that the EE architecture will follow the roadmap highlighted by BOSCH in 2019:

Chapter 1: Overall ECU functional safety

For common ECUs in the Distributed E/E architecture era, the ECU functional safety classification can be rated as in the following table, which lists the ASIL level and cybersecurity assurance level (CAL) of 77 ECUs (refer to the article at https://mp.weixin.qq.com/s?__biz=Mzg5NTIwMTEzOA==&mid=2247484581&idx=1&sn=076b64811576eca1da8bc6f6916427e5&chksm=c012beb8f76537aeb769ae5408fadb91ac0b0d4af76b3e04936a75eebc7eb084d44c014e6b47&token=1293115818&lang=zh_CN#rd):

| ID | ECU name | Domain | ASIL | CAL |
|----|----------|--------|------|-----|
| 01 | Gateway | Car body comfort | B | 4 |
| 02 | Domain controller | Car body comfort | B | 3 |
| 03 | Intelligent power switch | Car body comfort | B | 2 |
| 04 | T-BOX | Car body comfort | B | 3 |
| 05 | Adaptive head light | Car body comfort | A | 1 |
| 06 | Sunroof motor control module (anti-pinch) | Car body comfort | A | 1 |
| 07 | Body control module | Car body comfort | B | 3 |
| 08 | Car remote control key | Car body comfort | A | 2 |
| 09 | Intelligent dashboard system | Car body comfort | A | 2 |
| 10 | Electrically controlled seat adjustment system | Car body comfort | B | 2 |
| 11 | Construction machinery controller | Car body comfort | N/A | N/A |
| 12 | Door control module | Car body comfort | A | 2 |
| 13 | Air conditioning control unit | Car body comfort | A | 1 |
| 14 | LKA | Car safe | D | 2 |
| 15 | LCA | Car safe | D | 2 |
| 16 | ACC | Car safe | D | 2 |
| 17 | AEB | Car safe | D | 3 |
| 18 | LDW | Car safe | QM | 2 |
| 19 | FCW | Car safe | B | 1 |
| 20 | DMS | Car safe | B | 2 |
| 21 | APS | Car safe | B | 2 |
| 22 | Night vision | Car safe | B | 1 |
| 23 | Pedestrian protection system | Car safe | A | 2 |
| 24 | Traffic Sign Detection | Car safe | QM | 2 |
| 25 | Blind Spot Detection | Car safe | QM | 2 |
| 26 | Downhill control system | Car safe | B | 1 |
| 27 | APA | Car safe | B | 2 |
| 28 | ALKS | Car safe | D | 2 |
| 29 | mmRADAR | Car safe | B | 2 |
| 30 | LIDAR | Car safe | B | 2 |
| 31 | CAMERA | Car safe | B | 2 |
| 32 | Angle RADAR | Car safe | QM | 2 |
| 33 | Highway Pilot | Car safe | D | 2 |
| 34 | Traffic Jam Pilot | Car safe | D | 2 |
| 35 | Level 4 on closed roads | Car safe | D | 3 |
| 37 | Sensor fusion | Car safe | D | 2 |
| 38 | Tire Pressure Monitoring System | Car safe | D | 2 |
| 39 | EPB | Car safe | B | 2 |
| 40 | ESP | Car safe | D | 2 |
| 41 | ABS | Car safe | D | 2 |
| 42 | Intelligent Air Suspension System | Car safe | B | 2 |
| 43 | Electronic hydraulic steering control system | Car safe | B | 2 |
| 44 | EPS | Car safe | D | 2 |
| 45 | Steering wheel angle sensor | Car safe | C | 2 |
| 46 | Autonomous parking system | Car safe | C | 2 |
| 47 | Electronic brake assist | Hybrid power | D | 2 |
| 48 | VCU | Hybrid power | C | 2 |
| 49 | Vehicle motor control system in new energy vehicle | Hybrid power | D | 2 |
| 50 | Brushless DC motor controller | Hybrid power | D | 2 |
| 51 | Extender control system | Hybrid power | B or C | 2 |
| 52 | OBC-DCDC for electric vehicle | Hybrid power | B | 2 |
| 53 | Integrated power control unit for electric vehicle | Hybrid power | C | 2 |
| 54 | Remote Monitoring and Data Service System for electric vehicle | Hybrid power | B | 3 |
| 55 | BMS | Hybrid power | D | 2 |
| 56 | Engine Management System | Hybrid power | D | 3 |
| 57 | Electronic clutch | Powertrain | B | 2 |
| 58 | Electric pump | Powertrain | A | 1 |
| 59 | Engine control unit | Powertrain | D | 3 |
| 60 | Diesel engine reprocessing control system | Powertrain | C | 2 |
| 61 | High pressure common rail system control unit of diesel engine | Powertrain | N/A | N/A |
| 62 | AMT (Automatic Mechanical Transmission control unit) | Powertrain | C | 3 |
| 63 | TCM (Transmission system) | Powertrain | C | 3 |
| 64 | CAN FD | Common Service | depends on the specific service or functionality | 2 |
| 65 | CAN HS | Common Service | depends on the specific service or functionality | 2 |
| 66 | LIN | Common Service | depends on the specific service or functionality | 2 |
| 67 | ETHERNET | Common Service | depends on the specific service or functionality | 3 |
| 68 | FLEXRAY | Common Service | depends on the specific service or functionality | 2 |
| 69 | MOST | Common Service | depends on the specific service or functionality | 2 |
| 70 | 12V POWER SUPPLY | Common Service | D | 2 |
| 71 | High dimension map | Car safe | D | 4 |
| 72 | Bluetooth | Common Service | QM | 2 |
| 73 | WIFI | Common Service | QM | 2 |
| 74 | Cellular communication | Common Service | QM | 4 |
| 75 | V2X | Common Service | B | 4 |
| 76 | OTA Server | Backend | SIL4 | 4 |
| 77 | PKI allocation | Backend | SIL4 | 4 |

The EE architecture can be rated accordingly, and the ASIL level classification is rated as follows:

Adding up the ASIL level, it will be

If considering the CAL level, it will be

Usually we list the state-of-the-art technical mechanisms used in ECUs:

Normally, mechanisms are adopted according to the different levels of the methodology:

| Classification | Safety mechanisms |
|----------------|-------------------|
| ASIL D | Ethernet: end-to-end communication protection with alive counter, timeout warning, CRC(32), Hamming distance >= 4. CAN: E2E, CRC 16 bit, Hamming distance >= 4, Hamming weight >= 4. E-GAS architecture or redundant processors + actuators. |
| ASIL C | Ethernet: end-to-end communication protection with alive counter, timeout warning, CRC(16), Hamming distance >= 4. CAN: E2E, CRC 16 bit, Hamming distance >= 4, Hamming weight >= 3. E-GAS architecture or redundant processors. |
| ASIL B | Ethernet: end-to-end communication protection with alive counter, timeout warning, CRC(8), Hamming distance >= 3. CAN: E2E, CRC 8 bit, Hamming distance >= 3, Hamming weight >= 2. Single core with sufficient safety mechanisms. |
| ASIL A | Ethernet: end-to-end communication protection with alive counter, timeout warning, CRC(4), Hamming distance >= 2. CAN: E2E, CRC 4 bit, Hamming distance >= 2, Hamming weight >= 2. Single core with sufficient safety mechanisms. |

| Classification | Cybersecurity control |
|----------------|-----------------------|
| CAL 4 | Firewall mandatory for the external attack surface; IDPS proposed. For OTA, PKCS or PUF required; backup memory mandatory and regression mechanisms fully accepted. Symmetric encryption not acceptable; RSA >= 2048; ECC >= 256. Pentest and TARA shall take longer than half a year. Development cost may go up to 3 times the asset value. Secure boot, secure storage, secure driving, secure separation etc. |
| CAL 3 | Firewall mandatory for the external attack surface; IDPS proposed. For OTA, PKCS or PUF required; backup memory mandatory and regression mechanisms fully accepted. Symmetric encryption not acceptable; RSA >= 2048; ECC >= 256. Pentest and TARA shall take longer than 4 months. Development cost may go up to 2 times the asset value. |
| CAL 2 | For OTA, PKCS or PUF required. Symmetric encryption AES 256. Pentest and TARA shall take longer than 3 months. Development cost may go up to 1.5 times the asset value. |
| CAL 1 | For OTA, PKCS or PUF required. Symmetric encryption AES 256 or 128. Pentest and TARA shall take longer than 2 months. Development cost may go up to 1 times the asset value. |

We will stop here and see more in the next article.
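The end-to-end communication protection the table asks for at every ASIL (alive counter, timeout warning, CRC) is shown below as an added example of my own, not code from the original article or from any AUTOSAR stack. The frame layout, the CRC-8 polynomial 0x1D, the 4-bit alive counter and the 100 ms receive deadline are all assumed values; the receiver classifies each frame as OK, wrong CRC, repeated, wrong sequence or timed out.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define E2E_DATA_LEN   6     /* protected payload bytes per frame (assumed layout) */
#define E2E_TIMEOUT_MS 100u  /* receive deadline standing in for the FTTI budget (assumed) */

typedef struct { uint8_t data[E2E_DATA_LEN]; uint8_t counter; uint8_t crc; } e2e_frame_t;
typedef enum { E2E_OK, E2E_WRONG_CRC, E2E_REPEATED, E2E_WRONG_SEQUENCE, E2E_TIMEOUT } e2e_status_t;
typedef struct { uint8_t last_counter; uint32_t last_rx_ms; bool initialised; } e2e_rx_state_t;

/* CRC-8, polynomial 0x1D (SAE J1850), init 0xFF, final XOR 0xFF, computed over data + counter. */
static uint8_t e2e_crc8(const uint8_t *buf, size_t len) {
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x1D) : (uint8_t)(crc << 1);
    }
    return (uint8_t)(crc ^ 0xFF);
}

/* Sender: copy the payload, stamp the 4-bit alive counter, then seal data + counter with the CRC. */
void e2e_protect(e2e_frame_t *f, const uint8_t *data, uint8_t *tx_counter) {
    memcpy(f->data, data, E2E_DATA_LEN);
    f->counter = *tx_counter;
    *tx_counter = (uint8_t)((*tx_counter + 1u) & 0x0Fu);
    f->crc = e2e_crc8((const uint8_t *)f, E2E_DATA_LEN + 1);
}

/* Receiver: a frame with a bad CRC is rejected before its counter is trusted and leaves the state
 * untouched; otherwise arrival time and counter are judged and the state advances, so one late or
 * lost frame is reported once and the channel recovers on the next good frame. */
e2e_status_t e2e_check(e2e_rx_state_t *st, const e2e_frame_t *f, uint32_t now_ms) {
    e2e_status_t status = E2E_OK;
    if (e2e_crc8((const uint8_t *)f, E2E_DATA_LEN + 1) != f->crc) return E2E_WRONG_CRC;
    if (st->initialised) {
        uint8_t expected = (uint8_t)((st->last_counter + 1u) & 0x0Fu);
        if (now_ms - st->last_rx_ms > E2E_TIMEOUT_MS) status = E2E_TIMEOUT;
        else if (f->counter == st->last_counter)      status = E2E_REPEATED;       /* replay or stuck sender */
        else if (f->counter != expected)              status = E2E_WRONG_SEQUENCE; /* frame(s) lost */
    }
    st->initialised  = true;
    st->last_counter = f->counter;
    st->last_rx_ms   = now_ms;
    return status;
}
```

The CRC width and the Hamming distance it guarantees depend on the protected length, which is why the table moves from CRC(8) at ASIL B to CRC(16) and CRC(32) at ASIL C and D.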

