EP3542510A1

EP3542510A1 - Method for a communications network, and electronic control unit

Info

Publication number: EP3542510A1
Application number: EP17804113.3A
Authority: EP
Inventors: Helge ZINNER
Original assignee: Continental Automotive GmbH
Current assignee: Continental Automotive Technologies GmbH
Priority date: 2016-11-18
Filing date: 2017-11-13
Publication date: 2019-09-25
Also published as: US11038912B2; CN109937563A; JP2020501420A; DE102016222741A1; US20190268368A1; WO2018091401A1; KR102293752B1; KR20190065439A; CN109937563B

Abstract

The invention relates to a method for a communications network in a motor vehicle, wherein data is transmitted in at least one communication path (60) in order to perform communication in the communications network. The invention also relates to an electronic control unit.

Description

Method for a communication network and electronic control unit

The present invention relates to methods for a communication network according to claim 1 and an electronic control unit.

Based on the physical layer Ethernet and the overlying Internet Protocol (IP) find techniques in communication networks of vehicles collection, which are already widely used in the context of informa ^¬ tion of technical systems. In particular ^¬ sondere in terms of an increasing use of protocols Ethernet and Internet Protocol is a need for additional security measures to prevent unauthorized access. Due to the increasing use of radio technologies as well as related open and standardized protocols, there is thus, for the first time in the automotive sector, the possibility of accessing the communication networks of a vehicle remotely. For example, traffic to vehicles has become known in which attackers have managed to gain access to a vehicle over the radio and thus to influence important vehicle functions. Other industries have problems and solutions that can not be transferred to the automobile, since, for example, in a workstation, a firewall already works with data already present in the system and not, as ^required for vehicles, on-the-fly. In addition, workstations can be much more easily subjected to an update of the security software than software in the automobile.

A communication packet according to the prior art usually comprises headers of superordinate layers of a protocol stack of a transmitting device. A protocol stack of a packet reception device will proceed stepwise upon reception of this communication and investigate this by previously defi ned ^¬ filter to pass the transmitted data, for example, a corresponding software application. For example, a TCP / IP stack will be in a controller from a communication packet, such as an Ethernet message, and passed on the basis of the analysis of the content to the appropriate application. The complexity of protocol stacks increases significantly with the number of protocols used. For example, audio / video bridging (AVB) for the transmission and playback of audio and video data includes four sub-protocols and time-sensitive networking (TSN) even eleven sub-protocols and extensive specifications. The disadvantage here is that there is no simple detectability for a deterministic proto ^¬ kollstack given because due to the variety of protocols used a very large number of possibilities of branching arise that can not be easily represented. Thus, there are considerable problems to determine existing security ^¬ gaps of a protocol stack. For example, questionable how to proceed when intentionally or unintentionally, a new Ethernet type is used, which would be routed in case of doubt to the central computing unit, whereby a critical system state might be caused, and the functional capability of an underlying system considerably restricted and the safety of transport part ^¬ could be endangered. By means of a denial of service attack (DoS), which specifically searches for vulnerabilities in a protocol stack, a targeted unauthorized access could take place over previously unknown security vulnerabilities.

The object of the invention is to provide a method and a device by means of which a vehicle network can be designed to be safer with respect to third-party access.

This object is achieved by the method according to claim 1 and by the further independent claims.

The invention proposes a method for a communication network in a motor vehicle, wherein for communication in the communication network a data transmission in min. at least one communication path is performed. He invention ^¬ contemporary method comprising at least one step, preferably several steps. These steps relate at least to an evaluation of the communication paths in question with regard to their attack risk.

The attack risk represents the risk that the communication path has with regard to an attack to exploit security vulnerabilities. In other words, this is the risk of the communication path becoming the victim of a third party attack (cyberattack / hacker attack) that gains access to information or control over control mechanisms through its attack. Such a takeover of control by third parties can have an effect on safety in the automobile, in particular of the vehicle ^occupants , and is therefore to be avoided. This can be achieved by the invention.

A communication path is to be understood in the context of the invention such that a path comprises a plurality of communication subscribers and a connection for data transmission between the subscribers. In the motor vehicle, several communication paths may be present which are suitable for a specific communication or data transmission or various data transmissions.

By ascertaining the risk of attack of the available communication paths, it is possible to detect gaps even before the delivery of the motor vehicle or before commissioning, which could possibly be exploited by a third party for an attack. Thus, the gaps can either be eliminated and / or reduced, or connections between communication participants can be made such that there is a low security risk for an attack.

Preferably, according to a development of the invention, at least one data transmission protocol is provided for the data transmission in the communication path. According to the training For example, the data transmission protocols used for data transmission are also evaluated for their attack risk. In particular, the data transfer protocols are example ^¬, as Ethernet, FlexRay, VLAN (Virtual Local Area Network), IP (Internet Protocol), AVB (Audio / Video Bridging), TSN (time-sensitive networking) or SOME / IP (Scalable service-oriented middleware over IP). The additional evaluation of the data transfer protocols provides a broader database so that better coverage of gaps and thus better security against attacks can be achieved. In a preferred embodiment, the steps of the method also relate to the selection of a communication path and a data transmission protocol for data transmission ba ^¬ sierend on the determined measurement of the related attack risks and performing the data transmission with the selected communication path and the selected data transmission protocol. In the process, the data transmission can be configured by the assessments of the attack risk in such a way that there is a low security risk for an attack on the network.

Advantageously, the safety of a vehicle network can be increased by the invention, in particular without fi ^¬ nancial overhead. The use of Ethernet or other data transmission systems (such as FlexRay) in automobiles requires, among other things, mechanisms that exploit simple technologies and given properties of technologies in order to be able to dispense with expensive implementations and additional additional hardware. Early detection of attacks and misconduct through early analysis of communication paths helps to identify gaps and errors prior to delivery of the vehicle. The network system according to the invention is improved in terms of cost and reliability. The testability of the system is achieved by the invention clearly defined and thus test costs can be saved. In addition, the invention provides a transparent security ^¬ functionality. In a preferred development of the invention, each communication path comprises a plurality of communication users. The communication subscribers particularly preferably include at least one transmitter and one receiver, between which a communication in the form of a data transmission is performed. According to this development, at least one of the communication participants, ie either the transmitter or the receiver, is part of the communication network in the automobile. Preferably, this participant is arranged in the car. The other communication participant can either also be part of the communication network - and then would also be in the

Automobile arranged - or he is an external participant, who is thus externally positioned. An external subscriber can be, for example an externally arranged control unit or a computer cloud ( "cloud") According to the further development of the subscriber, which is part of the network, preferably as a control unit (eg, ECU - Electronic Control Unit). Of the motor vehicle from ^¬ formed.

In particular, connections to the outside of the vehicle are analyzed particularly critically and possibly evaluated, since external communication users are easier to manipulate by third parties because of the better accessibility and thus facilitate an attack on the vehicle network. In a further preferred development of the invention, the method preferably comprises, as further steps, a determination of interface parameters of at least one of the communication subscribers and / or connectivity parameters of at least one of the communication subscribers. The determined parameters are particularly preferably stored or stored in a database or in a common database. The at least one database can be particularly preferably on a central control unit or central _r

Memory or stored in the control units of the communication participants. According to a further preferred refinement, the interface parameters and / or connectivity parameters are tightened in terms of their attack ^risk in a further step for the evaluation of the communication ^paths .

Each communication subscriber preferably has one or more interfaces for data transmission. In a preferred embodiment of the invention, the interface parameters include at least information regarding the

Interfaces supported and / or forwarded data transmission protocols. It can also be provided, or alternatively, to determine whether the interfaces for a diagnostic function or a charging function (OBD,

Powerline ...) are provided. With a charging function, the vehicle (in particular electric vehicle) can be supplied with power via the interface. In particular, data can also be coupled in via the interface or on the power line. Further preferably, the interface is provided alternatively or additionally, be examined for their speed with respect to the Da ^¬ tenübertragung out.

Each communication subscriber also preferably has several ways to connect with other communication participants. In a preferred development of the invention, the connectivity parameters comprise at least information regarding the support of connection technologies and / or distribution functionalities. The control unit may, for example, support various radio technologies, such as WLAN or Bluetooth. Whether the control unit has access to multiple buses, is part of the parameter of Verteilerfunkti ^¬ tionality. This also determines whether access to switches, bridges, routers and / or gateways is possible.

The parameters are preferably stored in a database, wherein particularly preferably also information regarding the MAC address and / or IP address of the control unit and with the Control unit directly connected to other devices are stored.

Advantageously, a state analysis is thus carried out according to the previously mentioned method, by determining which communication participants are present and what properties they bring with it. This state analysis is then subjected to a risk assessment to uncover gaps for possible attacks. Advantageously, by the collection or determination of parameters given in the network a precise analysis of the hazard potential of a communication path possible.

In a preferred development of the invention, parameters are also determined for the evaluation of the attack risk of the data transmission protocols and stored in a database. In particular, the protocol stack ^¬ (protocol stack) are particularly preferred analyzed. In a preferred development of the invention, the determined parameters of the data transmission protocols relate at least to the frequency of the data protocol used, the suitability for communication with a specific number of receivers and / or the type of transmission.

The type of transmission relates, for example, to the direction of the transmission, the synchronization or non-synchronization, the position of the communication participants and / or the connection orientation. In a connection orientation, the beginning and the end of a connection are defined by special packet sequences. In addition, it can be included as a parameter of the data transmission protocols, whether it is a packet-oriented communication or a streaming. In a preferred development of the invention, the communication paths and data transmission protocols are assigned to risk classes using the respectively associated evaluations. This will be the process of deciding for or made simpler against the data transmission by means of a communication path and data transmission protocol. In other words, it is easier to make a decision with which communication path and which data transmission protocol the communication should take place.

In a preferred embodiment of the invention Infor ^¬ mation are used to different attack scenarios for assessing the risk of attack communication paths. This information is preferably also stored in a database, which is stored in particular in a memory and is not constantly updated. Alternatively, however, the information on the attack scenarios can also be updated on a regular basis so that more recent attack scenarios can also be taken into account. The update can be done, for example, via updates from an external data connection, in which a comparison of the information takes place. The information most preferably relate to various possible ^¬ grabbed species and an assessment of the security risk for the automobile and its occupants. One possible type of attack is, for example, DoS - Denial of Service, in which an overload is caused by a third party, which leads to the failure of a function or a service. The evaluation of the communication path can thus be advantageously tailored to one or more attack scenarios, which, for example, occur statistically most frequently. Alternatively or additionally, the information on the various attack scenarios can also be used to evaluate the data transmission protocols. Advantageously, a detailed analysis is carried out by the procedure described above or there are detailed information stored in order to make an assessment of the attack risk of the network as accurately as possible. In a further preferred embodiment of the invention can be determined before selecting a suitable communication path and the appropriate data transmission protocol, whether the communication may take place at all or whether this - by too high security risks - should be prevented. In addition, other measures can be taken in response to one or more of the reviews - namely, for example, a specific configuration of the firewall.

The method according to the invention is preferably carried out once at the end of the tape (after the end of the production of the automobile), after a software update, after the disclosure of security vulnerabilities or when exchanging or updating a subscriber of the communication path. Thus, it is also advantageous to detect security vulnerabilities after delivery to the end customer, e.g. if an exchange of ECUs or a software update has been provided. Thus, an increased attack security during operation of the vehicle by the end customer is given.

In a preferred embodiment the evaluation of the attack risk of the communication paths is performed by means of a Algo ^¬ algorithm. The algorithm can also create preferred risk classes by attack risk and assign the commu ^¬ nikationspfade risk classes. For this, the algorithm applies in particular one or more databases respect to the parameters of the communication paths, the supply Datenübertra ^¬ protocols and / or information on various attack scenarios in the evaluation a.

If a particular communication path is selected, provided or predetermined for the data transmission, then e.g. On the evaluation of the attack risk, a data transmission protocol for the communication are selected, which is a high

Security against attacks offers. The other way round this selection is possible. If a data transmission protocol is selected, specified or provided, the path can be selected based on the evaluation of the communication paths, which offers high security against attacks. Furthermore, the constellation can be selected from a plurality of possible communication paths and data transmission protocols, which can be selected in the interaction between communication path and data transmission protocol. Transmission protocol carries the least security risk.

In a preferred development of the invention, at least one of the databases, particularly preferably all databases or data used for the evaluation, is stored in a secure memory area. In particular, this secure memory area is provided with encryption and thus protected against attacks. The secure memory area may be e.g. be arranged on a central control unit.

The invention further relates to an electronic con troll ^¬ unit or control unit for a motor vehicle control device, which is designed for carrying out the method.

Further preferred embodiments will become apparent from the following description of exemplary embodiments with reference to figures.

In a schematic representation show:

1 shows the structure of a communication packet or stack,

Fig. 2 is an exemplary illustration of a software stack, Fig. 3 shows an exemplary example of a complex ether net / IP communication stack and its desperation ^¬ conditions,

4 shows an embodiment of the invention,

Fig. 5 shows an exemplary embodiment of the erfindungsge ^¬ MAESSEN process wherein a determination of connectivity parameters and Schnittstellenparame ^¬ tern a control device is shown,

Fig. 6 illustrates an exemplary embodiment of the erfindungsge ^¬ MAESSEN process wherein a determination of parameters is shown for data transmission protocols, 7 an exemplary risk assessment of the protocols,

8 shows an example path of a critical path in the vehicle with connection to a cloud or other external

Units as well

Fig. 9 embodiment of the method according to the invention for securing a communication path.

To provide a brief and simple description of the embodiments, like elements are given the same reference numerals. FIG. 1 shows the general structure of a known commu ^¬ nikationspakets or stack 1. The challenges with the advent of Ethernet and IP (Internet Protocol) are among others in the complexity of the new communication stacks (= Kommunikati ^¬ onsstapel). The first merger of the Internet world with AUTOSAR requires a lot of initial effort, since both worlds work quite differently (eg static vs. dynamic).

Fig. 1 shows a typical communication packet. A communication stack (= communication stack) steps in upon receipt of the packet and examines the packet for certain predefined filters to be forwarded to the correct recipient (e.g., an application).

The communication packet comprises the actual data content 3 and, by way of example, several headers 2a-d, the different ones

Layers of the software stack (see Fig. 2) are assigned. Provided for each layer of the software stack in a header, which provides the layer of the software stack necessary information for processing the communication packet.

FIG. 2 shows an exemplary illustration of a software stack 4 in a control device. Shown is an example of a TCP / IP stack 6. This is from a communication package (eg as shown in Figure 1), analyzing the packet. Based on the analysis of the content, it is determined to which application the communication packet is forwarded. The illustrated TCP / IP stack 6 comprises several layers, shown here as reference numerals 8, 10 and 12, wherein layer 8 as MAC (Media Access Control), layer 10 as IP (Internet Protocol) and layer 12 as TCP / UDP (Transmission Control Protocol / User Data Protocol) is formed. The headers of the communication packet (see FIG. 1) are each assigned to one of these layers.

The MAC layer 8 is representative of the layers one (physical layer) (eg with header 2a in FIG. 1) and two (bit transmission) (eg with header 2b in FIG. 1) according to the well-known OSI model, IP for the third layer (eg with header 2c in FIG. 1) of the OSI model and TCP / UDP for the fourth layer (eg with header 2d in FIG. 1) of the OSI model. In the layer 14, the layer "middleware" ready to what the layers of five and six of the OSI model corresponds to (Kommu ^¬ nikationssteuerung and Presentation). In a seventh layer 16 followed by an application ( "Application" layer).

Ethernet frames, that is the data packets 1, are transmitted to the TCP / IP stack 6. The data and administration information 18 of a layer (PDUs = payload data unit) can be transmitted, for example, from the TCP / IP stack 6 to the "middleware layer" 14.

Fig. 3 shows an exemplary example of a complex Ethernet / IP communication stack and its branches. It is evident that there are many ways of the contents of an Ethernet packet, which must be processed in such a soft ^¬ ware stack. The complexity of software stacks is increasing dramatically in the automobile with the advent of Ethernet and IP. The detectability for a deterministic software stack is no longer so easy, especially because of the manifold possibilities of branching. 4 shows an embodiment of the invention in which a database 20 is stored in a central gateway 22 or the central gateway 22 has access to this database 20. The database 20 contains information which is determined by the method according to the invention. Branching off the central gateway 22 are further gateways (GW) and control devices or possible communication partners (drawn as boxes) which are represented by CAN (Control Area Network), LIN (Local Interconnect Network), FlexRay, MOST (Media Oriented Systems Transport). , Wireless Local Area Network (WLAN), Low Voltage Differential Signaling (LVDS), Bluetooth or Ethernet.

All of these different possible connections are taken into account in the method according to the invention, wherein risk assessments for the individual connection options are stored at least in one database (eg 20). The risk assessments indicate the risk of obtaining access to data and / or control of control mechanisms in the vehicle from third parties via the connection. The information of this database 20 is used - eg by an algorithm - to assign communication paths and data transmission protocols to risk classes. On the basis of the risk classes, it is then selected which communication path, in combination with which data transmission protocol, the communication or data transmission is to carry out between several participants. In this case, a combination of communications path and data transmission protocol is selected ^¬ preferred which have a relatively low security risk or in which a relatively low risk of attack has been detected.

5 shows an exemplary embodiment of the invention for determining connectivity parameters and interface parameters of a control unit.

Explanation of the individual steps:

30: Start of the control unit query for connectivity and interfaces 32: Does the ECU support wireless technologies such as WLAN, Bluetooth?

33: Request for MAC address and IP address of this device incl. the addresses of the directly connected control units

34: Does the ECU have interfaces for diagnosis or charging (OBD, Powerline ...)?

35: Request the MAC address and IP address of this device including the addresses of the directly connected ECUs and the power status

36: Does the ECU have a distributor functionality (switch, router, gateway)?

37: Request the IP address of this device and the port states and speeds

38: Does the ECU have fast interfaces like lOOBaseTl, comparable or faster?

39: Query on policing and rate-limiting functions

40: end

For example, it can be queried whether the control unit (ECU) supports radio links such as WLAN or Bluetooth (reference numeral 32). If so, the MAC address and / or the IP address of the device are determined 33 and stored in a database 20. Preferably, the addresses (MAC and IP) of the devices connected to the control unit are also stored in the database 20. Furthermore, it can be queried, for example, whether the control unit has interfaces which are suitable for diagnosis or charging (OBD - on - board diagnostics, PLC - Powerline Communication, ...) 34. Again, the addresses can be stored here as well as the Power status (if there is an interface for Powerline Communication) 35. Power status in this case can be the way the interface is powered, such as from an external battery or from an internal battery. Another example proper interrogation, the distributor radio ^¬ ality of the control unit concern 36. When the control unit ^¬ has a distribution functionality, it can access ver ^¬ different buses and different communication reach participants (eg switch, router, gateway). In addition to the storage of IP addresses of this control unit and the connectable communication participants, the respective state of the ports and the possible speeds in the database 20 are preferably also stored here 37. The state of the ports can be, for example, the energy states such as "off", "on "," Energy Saving Mode "," Wake up "etc. may be provided.

As an additional query, it may be provided, for example, to determine the speed of the interfaces, in particular whether a fast interface such as e.g. 100BASE-T1 is present, or not 38. In this regard, preference is given to information about policing and rate-limiting functions. As part of a rate limiting function, a data rate is set relative to a unit of time. When so-called.

Policing is then monitored so that the maximum data rate per unit time is not exceeded. If overshoot occurs, e.g. if more data than set are sent, these will be e.g. discarded. The information or settings relating to the functions mentioned can be recorded 39 as parameters for the interfaces and stored in a database 20.

The individual interrogation steps can be run through in a programming loop and form part of an algorithm which can be used, for example, on a central control unit, e.g. Gateway 22, and preferably stored in a secure memory ready. The databases 20 are preferably stored in this or another secure memory area.

The handenen in a network of a vehicle in front ^¬ control devices are preferably arranged by means of the abovementioned process based on their connectivity to risk classes to store important Pa ^¬ parameters, will take place standardized mechanisms assignment to security based on their. These ECUs are either equipped with wireless technologies or with open network interfaces, which can be contacted. ,,

16

Subsequently, for example, a check on the protocol support can take place. This can happen once (end of tape), before pending connections to the outside, after a software update or when security holes become known in existing protocols. The method can be triggered centrally or requested by individual ECUs. If there is, for example, the creation of a commu ^¬ nikationspfades and to be transmitted from one antenna module by radio, for example, diagnostic data, the antenna module may examine the respective neighboring devices on their proto ^¬ kollunterstützung.

6 shows by way of example a part of the method according to the invention and the individual steps or

Procedure steps of the algorithm. The individual steps are: 50: Start the Audit on Protocol Implementations Each controller 51 examines each interface 52 as to whether certain protocol types 53 are supported 54 and / or forwarded 55.

Step 54: It is determined if the interface supports the protocol.

Step 55: It is determined if the interface forwards the protocol.

Step 56: storing information in a database 20, the information being e.g. the ECU, the interface and the type of protocol.

57: End of the program

In Fig. 6, some comments in the figure are listed in addition to the reference numerals, as these represent a program sequence ^¬ represent, which is better understood by the comments.

Thus, it is determined for each ECU and for each interface of the ECUs whether different protocol types are supported 51-54. The protocol types are preferably queried individually by the algorithm 53. The results are stored in a database 20. This results preferably in a table with the mention of the ECU, the interface and whether the respective protocol type is supported. Example could such a result table as shown in Fig. 7, are created. The matrix shown in Figure 7 reflects the actual implementation, not the specification. Errors during implementation or gaps can be identified by this. In addition, the matrix can serve, for example, the TÜV or system manufacturer to verify and test a vehicle for security - regardless of the resulting mechanisms and even before the vehicle is delivered to the end customer.

By way of example, FIG. 8 shows a critical path 60, which in this case consists of an external connection (eg radio connection to a cloud) 62. External connections are preferably considered in the analysis parameters a priori as critical or evaluated as an exclusively internal Verbin ^¬ applications. For example, a data transfer in the form of a software download 64 is to be initiated, wherein the software is to be downloaded from the cloud 62. An internal memory 66 is for example connected to a gateway 68 (can be identical to 22) via a head unit 70 and the gateway 68 via a WLAN connection module 72 to the cloud 62. This chain of communication partners 62-72 thus provides according to the example This path 60 is evaluated for its attack risk, ie, how high the risk of becoming a victim of a third party attack, which could possibly endanger the safety in the vehicle. For this, the individual communication participants 62-72 are examined for their connectivity parameters and their interface parameters.

At the same time, preference is given to the evaluation of the risk of the individual possible data transmission protocols. To be selected 60 for the communication of this path and it turns out that the proposed protocol at Be ^¬ trachtung the attack risk of the path 60 is too uncertain a different protocol for the transmission of data, for example, be chosen. Alternatively, other, safer paths can be selected for communication.

This path 60 shown by way of example in FIG. 8 can be specified by the system designer or architect and can be specified as such are also defined or determined dynamically.

Furthermore, after examining the matrix (FIG. 7), the path 60 can additionally be checked for its gaps. So it can happen that an uncritical path nevertheless becomes critical. For example, due to a malfunction of a control unit whose data are forwarded to a CPU, whereby another control unit is blocked and comes to a standstill. Example of communication path and parameters:

Involved ECUs:

Antenna, Gateway (incl. Switch), Headunit

Protocols:

Ethernet, VLAN, time synchronization, IP, TCP, SOME / IP

News Frequency:

x / packets per second Ethernet, x / packets per second TCP, ... max. packet size

A data stream, which is considered safe, can be a danger if, instead of 10 data packets per second, 1000 are to be processed suddenly by a central processing unit. The CPU (can also be several) is therefore so important because incoming data packets are always processed with a high priority (taken ^¬ and stored). If too many packets arrive at too high a frequency and packet size, the CPU may be blocked and the controller may fail altogether.

If a communication path is fixed, for example like that in FIG. 8, then the control devices 62-72 involved can be asked about their risk class and its protocol support. With the help of the necessary protocols for communication, gaps and / or risks can be identified immediately. For example, in this connection, the TCP traffic is routed to the CPU in the head unit 70. This information is available for the risk assessment. Even before the actual connection is established, the TCP traffic can be limited in the head unit 70 or earlier (in the gateway 68), ie a maximum packet data rate per second can be set. Furthermore, based on the communication parameters and the (already) detected gaps, a firewall in the head unit 70 can be configured. This means that the filters of the firewall are set to this communication or higher priority is given.

Fig. 9 shows a possible overall view of the method according to the invention. Accordingly, at the beginning of the method, queries are first of all made to the individual communication users with regard to their interfaces and their connectivity parameters 80. The results are stored in a database 20. Furthermore, eg as the next step, the supported data transmission protocols are queried 82 and also stored in a database. The risk of attack of the respective data transmission protocols is also stored. Generally there different types of data ^¬ tragungsprotokollen are already known, each existing attack risks may also already be stored as information in a database that is used then upon detection of protocols. The evaluation of the attack risk of the data transmission protocols then takes place on the basis of the stored information.

Overall, a risk matrix 84 (as shown in FIG. 7) may arise. The path is then evaluated for its attack risk 86. This can be done by means of an algorithm. Subsequently, from the supported data transmission protocols, the protocol for the communication can be selected, which has a relatively low security risk (risk for an attack on the network).

The classifications also allow the level of potential security resources to be determined and allocated 90, thereby allowing network planning and implementation to be planned and implemented during design, tape end programming, or a dynamic and disruptive architecture. Overview of the steps:

80: Determination of the connectivity parameters and interface parameters of the communication participants

82: Determining which protocols are supported

84: Creation of a risk matrix

86: calculation / inquiry of the critical path

88: Analysis of the necessary protocols / selection of a suitable

Data transmission protocol

90: Definition of security procedures

The storage of the databases 20 and / or the algorithm for the evaluation is particularly preferably both centrally and in each individual control unit. On the basis of the supported and not supported protocols and their processing, a so-called risk assessment results. This risk assessment can then be used to analyze and secure a communication path. This matrix is queried when creating a communication path and, if necessary, actions are defined. The resulting matrix reflects the actual implementation and not the specification. Errors during implementation or security gaps can be identified. In addition, regardless of resulting mechanisms, the matrix can serve to verify and test a vehicle for information security.

Upon recognition of the protocol support, e.g. An ECU will change its protocol option as there are problems on a path. Here, for example, safer protocols can be selected.

The databases are provided with the reference numeral 20 in the present figures. However, the individual parameters and the risks of attack can also be stored in separate / own databases. In this case, there is then a database for each of the interface parameters for which

Connectivity parameters, for the attack risk of the communication paths or communication users, for the attack risk of the data transmission protocols and for the sicoclasses.

The invention defines mechanisms to select the correct software branches for potential attack functions. The invention sets out which packages can and which do not find which type of application.

The invention can be applied to tape end programming and system testing. Furthermore, more and more software updates for the car will be offered in the future, which will enable new functions. Due to the large variety of variants, the invention offers to check the software stacks in the vehicle after an update in the entirety, as well as partially and re-evaluate. The invention proposes a method that makes these control mechanisms and options via an interface in the network configured and usable. This makes it clear which potential gaps exist and whether the software meets given requirements. This process can also create transparency, making the whole network much easier to test and test in terms of security.

Claims

claims

1. A method for a communication network in a motor vehicle, wherein for a communication in the communication network a data transmission in at least one

Communication path (60) is performed, characterized in that

the method comprises the following method step:

- Rating (86) of the communication paths coming into question for data transmission (60) with respect to their Angriffsri ^¬ sikos,

wherein the risk of attack is the risk of having the respective communication path (60) with respect to a handle at ^¬ for exploiting security vulnerabilities.

2. The method according to claim 1, characterized in that for the communication in the communication path (60) at least one data transmission protocol (4) is provided, wherein the method additionally comprises the following step:

- evaluation (82) of the data transmission candidates

Data transfer protocols (4) with respect to their on ^¬ handle risk.

3. The method according to claim 2, characterized in that the method comprises the following steps:

- selection of a communication path (60) and a ^¬ Since tenübertragungsprotokolls (4) for data transmission ba ^¬ sierend on the evaluation (86) of the attack risk of the communication path and the evaluation (82) of the attack risk of data transmission protocols, and

- Carrying out the data transmission with the selected communication path (60) and the selected Datenüber ^¬ tragungsprotokoll (4).

4. The method according to any one of claims 1 to 3, characterized in that

- Each communication path (60) a plurality of communication participants ^¬ (62, 66, 68, 70, 72), wherein at least one of the communication participants is part of the communication network and is designed as a control unit in the motor vehicle,

the method comprising the following further steps:

Determining interface parameters of the at least one control unit and

- Storage of the interface parameters in a database (20), as well

- Using the interface parameters for the evaluation (86) of the communication paths (60).

Method according to one of claims 1 to 4, characterized in that

- each communication path (60) comprises a plurality of communication ^¬ subscriber (62, 66, 68, 70, 72), wherein at least one of the communication stations is part of the communication network and is configured as a control unit in the motor vehicle,

the method comprising the following further steps:

Determination of connectivity parameters of the at least one control unit and

- Storage of the connectivity parameters in a database (20), as well as

- Using the determined connectivity parameters for the evaluation (86) of the communication paths (60).

Method according to one of the preceding claims, characterized in that the method comprises the following method step:

- Assignment of the communication paths (60) and Datenüber ^¬ tragungsprotokoll (4) to risk classes, using the respective associated assessment of the risk of attack (86, 82).

Method according to one of the preceding claims, characterized in that for the evaluation (86, 82) of the handle An ^¬ risk of the communication paths (60) and / or the Data transmission protocols (4) Information on ver ^¬ different attack scenarios are used.

Method according to one of the preceding claims, characterized in that the method is carried out once at the end of the tape, after a software update, after the disclosure of security vulnerabilities or when replacing or updating a subscriber of the communication path (60).

Electronic control unit for a Kraftfahrzeugsteu ^¬ ergerät, characterized in that the motor vehicle ^¬ control unit is designed to perform the method according to one of claims 1 to 8.