DE102016200775A1 - Method and device for protecting a vehicle against cyber attacks - Google Patents

Abstract

A method of protecting a vehicle (20) against cyberattacks, characterized by the following features: - a control device (21) identifies risks to the vehicle (20) associated with cyberattacks and subjects them to an analysis (22); Analysis (22) associated with appropriate defenses (23) according to an algorithm (24).

Description

The present invention relates to a method of protecting a vehicle from cyberattacks. The present invention also relates to a corresponding device, a corresponding computer program and a corresponding storage medium.

State of the art

In cyber-attack or cyber-attack, information security refers to any attack on a computer network intentionally carried out of a network. In addition to other network topologies, the fieldbuses widely used in vehicle technology and automation have recently become the target of such attacks.

DE 10 2014 114607 A1 provides methods, apparatus, and systems for programming a vehicle module to reduce the susceptibility or sensitivity of an exemplary vehicle to cyberattacks. The exemplary vehicle includes a first module, a gateway module communicatively coupled to the first module, and an update module communicatively coupled to the gateway module. The update module is configured to provide authorization information and programming data to the gateway module. The gateway module is configured to verify that the programming of the first module is at least partially authorized based on the authorization information and to provide the first module with the programming data after verifying that the programming of the first module is authorized.

Disclosure of the invention

The invention provides a method for protecting a vehicle from cyberattacks, a corresponding device, a corresponding computer program and a corresponding storage medium according to the independent claims.

The proposed approach is based on the knowledge that today's vehicle bus systems are not completely protected against cyber attacks. Effective and efficient risk mitigation measures can only be designed using the overall architecture, hardware (HW) and software (SW). Today's updates of the existing system should be further improved.

An up-to-date multi-layered protection system against cyber-attacks on vehicles ensures an effective and efficient risk-reduction measure for today's vehicles, their bus systems, drivers, passengers and the environment. The core of the system is the specific assignment of effective and efficient risk mitigation measures that specifically reduce the risks detected and analyzed. Basic system elements of different embodiments of the invention are an electronic control unit (ECU), detection and analysis, measures to limit the risk and an algorithm for assigning the defense measures to the risks.

The ECU or the system offers comprehensive protection against cyberattacks, which prevents entry via the ECU in electrical systems.

One advantage of this solution is that it uses a defined, preferably self-learning algorithm to assign the most effective and efficient measures for risk reduction to the detected and analyzed risks. The self-learning and detection of hazards may additionally z. B. done by abnormalities of communication. An inventive system allows in particular updates of application software and firmware over the air interface (over-the-air, OTA) and allows such. Eg daily software updates of system or components.

The measures listed in the dependent claims advantageous refinements and improvements of the independent claim basic idea are possible. Thus, it can be provided that the defensive measures are taken via an on-board diagnostics interface (OBD) of the vehicle in an electric-electronic (E / E) system of the vehicle. Such a system can be applied to any car with an OBD-II interface and therefore provides multi-layered protection also for vehicles in large garages, production and those with non-variable E / E architecture, hardware and software. It therefore limits the risk of intrusion into the vehicle and E / E system of actions in the E / E network and their potential impact.

According to a further aspect, it may be provided to adapt the standard threat detection and reporting to a specific detection, analysis and application of special, customer-specific risk limitation measures. A system according to the invention makes use of standard HW components available on the market and therefore offers a cost-optimized and standard-compliant solution for the inherent threat of cyberattacks.

Brief description of the drawings

Embodiments of the invention are illustrated in the drawings and explained in more detail in the following description. It shows:

1 the flowchart of a method according to an embodiment of the invention.

2 schematically the elements of a multi-layered protection system against cyberattacks on a vehicle.

3 an algorithm used in the system.

Embodiments of the invention

1 illustrates the basic steps of a procedure ( 10 ), whose conceptual elements are based on the 2 be clarified. A control unit ( 21 ) first identifies potential risks from cyberattacks for a vehicle ( 20 ) and undergoes (step 11 ) these risks of analysis ( 22 ). It may be an already manufactured vehicle or a vehicle still under development. Based on the present analysis ( 22 ) the risks are then adequately countermeasures ( 23 ) according to a predetermined algorithm ( 24 ) (step 12 ).

The multilayered protection described here can be achieved by an independent, via the on-board diagnostic interface ( 25 ) to be connected control unit ( 21 ) be granted. The implementation by a with the on-board diagnostic interface ( 25 ) connected combination control unit (dongle), as for example in the context of fleet management or for the telematic connection of the individual vehicle ( 20 ) is being used. Finally, the control unit ( 21 ) as part of an independent solution directly in the bus system or in an existing ECU, for example in the form of an application-specific integrated circuit (ASIC), integrated. To think about the so-called gateway, which embodies as it were the radio interface of the bus system.

Objective of algorithmic recognition and analysis ( 22 ) are from outside the vehicle ( 20 ) initiated attacks on the bus system and its control units. Suitable algorithms can also be initially constructed and later used as a self-learning system ( 26 ) are used. Detection occurs in particular during start, stop or change of state of the E / E system ( 26 ) and motors, in certain events or continuously with specific evaluation algorithms into consideration.

• a. unbeabsichtigte oder ungeplante Schalter und Zustände in Diagnose- und Normalmodus der Bus-Kommunikation,
• b. fehlerhafte oder veränderte Prüfsummen der Bus-Pakete,
• c. doppelte oder nicht vorhandene Nachrichtenkennzeichen (message identifiers, IDs) in Bus-Paketen,
• d. unbeabsichtigtes oder ungeplantes Beschreiben des Flash-Speichers (flash) einzelner Steuergeräte mit einer neuen Firmware,
• e. unbeabsichtigte oder ungeplante Sequenzen durch Steuergeräte gesendeter Bus-Pakete,
• f. abweichende Prüfungsergebnisse bei einer Bandendekontrolle (end-of-line inspection, EOL) der Steuergeräte oder des Bus-Systems oder
• g. plötzliche, unerwartete Signale oder Wertänderungen der Bus-Pakete z. B. bei Lenkung, Brems- oder Gaspedal.

The detection and analysis ( 22 ) can be realized by two technical solutions: a recording of the introduction into the bus system and a recording and analysis ( 22 ) within the bus system and its elements. The capture and analysis ( 22 ) is based, for example, on the detection of specific patterns or signal anomalies, but is by no means limited to anomalies. In the first case, a collection and analysis ( 22 ) in the injection of malware into the CAN system ( 26 ) or other bus system based on the frequency of the bus communication in terms of speed and frequency of the exchanged packets. In the second case - recognition and analysis ( 22 ) within the bus system and its elements - a wide range of indicators can be considered, including

• a. unintentional or unplanned switches and states in diagnostic and normal modes of bus communication,
• b. incorrect or modified checksums of the bus packages,
• c. duplicate or nonexistent message identifiers (IDs) in bus packets,
• d. unintentional or unscheduled writing of the flash memory (flash) of individual ECUs with a new firmware,
• e. unintentional or unplanned sequences by control units sent bus packets,
• f. deviating test results in an end-of-line inspection (EOL) of the control units or the bus system or
• G. sudden, unexpected signals or value changes of the bus packets z. B. steering, brake or accelerator pedal.

Detection and analysis ( 22 ) can be set to given values and thresholds or - after a learning system - z. From the normal state within the bus system ( 26 ) derived values and thresholds. Possible error reporting ranges from the possible sending of error messages to specific error descriptions.

3 provides an overview of exemplary defensive measures ( 23 ). A short circuit proves to be of little practical use ( 30 ) of the bus system as an extreme emergency measure ( 28 ) for reducing the risk of a total failure of the vehicle ( 20 ). The main focus is rather on differentiated individual measures ( 29 ) for reducing the risk of a malfunction of the vehicle ( 20 ) to steer. These individual measures ( 29 ) can be essentially divided into two categories: An internal package of measures ( 31 ) is inside the vehicle ( 20 ), while an external package of measures ( 32 ) by transmission ( 38 ) at a remote station ( 48 . 51 . 53 . 57 ) outside the vehicle ( 20 ) is initiated.

The internal package of measures ( 31 ) like an application ( 33 ) of certain emergency functions. A fail-safe operating mode ( 39 ) or the restriction ( 40 ) certain vehicle functions. It seems conceivable that the whole ( 41 ) Vehicle ( 20 ) or at least all ( 42 ) or selected ( 43 ) Control devices of the vehicle ( 20 ) into a backup mode ( 34 ) to move. Occasionally, an override ( 35 ) crucial messages, for example by overwriting ( 44 ) of the flash memory (in technical terms: "flashing") of a control unit sending the messages ( 21 ) or the news itself ( 45 ), the simple rejection ( 36 ) erroneous messages or triggering ( 37 ) of an in-vehicle pictorial ( 46 ) or sonic ( 47 ) Signals to the driver.

With regard to the external package of measures ( 32 ) is, for example, to the error notification ( 49 ) of an original equipment manufacturer (OEM) or an emergency call ( 52 ) of the vehicle ( 20 ), which, for example, in the context of the eCall system to an external service provider ( 51 ) is discontinued. Also to request a software update ( 50 ) of the vehicle ( 20 ) or for transmission ( 38 ) of the analysis ( 22 ) are original equipment manufacturers ( 48 ) or service providers ( 51 ) suitable addressees. Alternatively, the remote station ( 48 . 51 . 53 . 57 ) a third party ( 53 ) like a fleet service provider ( 54 ), an authority ( 55 ) or a supplier company ( 56 ) be. Also the driver ( 57 ) of the vehicle ( 20 ) may - for example by mobile phone - of the implemented or to be initiated individual measures ( 29 ).

For the efficiency of the multilayer protection system, the correct assignment ( 12 ) of defense measures ( 23 ) on the identified risks are of central importance. This assignment ( 12 ) is based on a flexible system ( 26 ) on a case-by-case basis, taking into account the possible effects of the attack. The range of possible defenses ( 23 ) ranges from general remedies that cover the whole system ( 26 ), up to very specific, differentiated individual measures ( 29 ) to reduce a single risk.

The targeted assignment of defense measures ( 23 ) at any risk it allows possible effects on the vehicle ( 20 ) and its E / E system ( 26 ) and to limit the associated risk potential. A potential case is the following: Detected risks with limited impact on the vehicle ( 20 ) and E / E system ( 26 ) require only defensive measures ( 23 ) with limited effects. To condition z. For example, incorrect checksums of the bus packets may only be an internal set of measures ( 31 ), which is a visual signal ( 46 ) or simply discarding ( 36 ) of the erroneous messages.

A recognized risk affecting the vehicle ( 20 ) and E / E system ( 26 ), in addition to the vehicle ( 20 ) limited defensive measures ( 23 ) justify a more comprehensive error reporting. An unplanned sending of bus packets, for example, requires an external package of measures ( 32 ) in the form of a message to the original equipment manufacturer ( 48 ) or a transmission ( 38 ) of the analysis ( 22 ) to a service provider. Detecting a potential attack using a combination of unusual events such as incorrect checksums or increased traffic triggers an error notification ( 49 ) of the original equipment manufacturer ( 48 ) and its further analysis ( 22 ) as components of an external package of measures ( 32 ) out. In addition, in this scenario, the request for periodic software updates ( 50 ) of the vehicle ( 20 ) for a limited period of time for overwriting ( 44 ) of the flash memory of the controllers sending the messages.

A recognized risk with a strong impact on vehicle ( 20 ) and E / E system ( 26 ) calls for strict measures of considerable effect. An unscheduled flashing of control units, for example, requires the affected control units ( 43 ) in the backup mode ( 34 ) to move. The unplanned flashing of a safety-critical ECU solves an external package of measures ( 32 ), an error message ( 49 ) of the original equipment manufacturer ( 48 ) and after its further analysis ( 22 ) a software update ( 50 ) of the safety-critical ECU.

A suitable algorithm ( 24 ) for the assignment ( 12 ) of the measures is based on the expertise of original equipment manufacturers ( 48 ) and suppliers, requirements of the E / E system ( 26 ) and possible future legal and regulatory requirements, but may also contain self-learning elements, without departing from the scope of the invention.

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• DE 102014114607 A1 [0003]

Claims (10)

Procedure ( 10 ) for protecting a vehicle ( 20 ) against cyber attacks, characterized by the following features: - by a control device ( 21 ) are associated with cyber-attacks risks to the vehicle ( 20 ) and an analysis ( 22 ) ( 11 ) and - the risks are calculated on the basis of the analysis ( 22 ) appropriate defense measures ( 23 ) according to the algorithm ( 24 ) ( 12 ). Procedure ( 10 ) according to claim 1, characterized by the following feature: - the defense measures ( 23 ) are transmitted via an on-board diagnostic interface ( 25 ) of the vehicle ( 20 ) in an electrical-electronic system ( 26 ) of the vehicle ( 20 ) met. Procedure ( 10 ) according to claim 1 or 2, characterized by the following features: - the defensive measures ( 23 ) include emergency measures ( 28 ) for reducing the risk of a total failure of the vehicle ( 20 ) and - the defensive measures ( 23 ) comprise differentiated individual measures ( 29 ) for reducing the risk of a malfunction of the vehicle ( 20 ). Procedure ( 10 ) according to claim 3, characterized by the following feature: - the emergency measures ( 28 ) include a short circuit ( 30 ) of a bus system of the vehicle ( 20 ). Procedure ( 10 ) according to claim 3 or 4, characterized by the following features: - an internal package of measures ( 31 ) is inside the vehicle ( 20 ) and - an external package of measures ( 32 ) is replaced by a transmission ( 38 ) to a remote site ( 48 . 51 . 53 . 57 ) outside the vehicle ( 20 ), whereby the packages of measures ( 31 . 32 ) the individual measures ( 29 ) partially. Procedure ( 10 ) according to claim 5, characterized in that the internal package of measures ( 31 ) at least one of the following individual measures ( 29 ) comprises: - an application ( 33 ) certain emergency running functions of the vehicle ( 20 ), in particular a fail-safe mode ( 39 ) or a restriction ( 40 ) certain functions, - a backup mode ( 34 ) in particular of the whole ( 41 ) Vehicle ( 20 ), all ( 42 ) or selected ( 43 ) Control devices of the vehicle ( 20 ), - an invalidation ( 35 ) crucial messages, in particular an overwrite ( 44 ) of a flash memory of a message sending or receiving control unit ( 21 ) or the news itself ( 45 ), - a rejection ( 36 ) erroneous messages or - triggering ( 37 ) of an in-vehicle, in particular pictorial ( 46 ) or sonic ( 47 ) Signals. Procedure ( 10 ) according to claim 5 or 6, characterized by at least one of the following features: - the remote site ( 48 . 51 . 53 . 57 ) is an original equipment manufacturer ( 48 ) of the vehicle ( 20 ) and the transmission ( 38 ) concerns an error notification ( 49 ) of the original equipment manufacturer ( 48 ), a software update ( 50 ) of the vehicle ( 20 ) or the analysis ( 22 ), - the remote site ( 48 . 51 . 53 . 57 ) is an external service provider ( 51 ) and the transmission ( 38 ) automatically affects the service provider ( 51 ) remote emergency call ( 52 ) of the vehicle ( 20 ), a software update ( 50 ) of the vehicle ( 20 ) or the analysis ( 22 ), - the remote site ( 48 . 51 . 53 . 57 ) is a third party ( 53 ), in particular a fleet service provider ( 54 ), an authority ( 55 ) or a supplier company ( 56 ) or - the remote site ( 48 . 51 . 53 . 57 ) is a driver ( 57 ) of the vehicle ( 20 ) and the transmission ( 38 ) concerns the individual measures implemented or to be 29 ). Computer program, which is set up the procedure ( 10 ) according to one of claims 1 to 7. Machine-readable storage medium on which the computer program according to claim 8 is stored. Contraption ( 20 . 21 ), which is set up, the procedure ( 10 ) according to one of claims 1 to 7.

Images