At Southwest Research Institute (SwRI), cybersecurity spans multiple divisions because—after all—security is not confined to any one area or industry. As a Senior Research Engineer in the Automation and Data Systems Division's Cooperative Systems Section, Mark Brooks’ primary focus is on automotive (in the true sense of the word: relating to any self-propelled vehicle or machine). He became involved in cybersecurity and embedded systems more than 10 years ago when an off-highway client wanted to add security capabilities to its new ECU (electronic control unit) platforms. “We assisted them in the design of that product, and ever since then we’ve maintained a presence in embedded systems security—everything from penetration testing of existing products, helping to design and develop products, and researching brand-new security technologies,” he said. Brooks recently spoke with Off-Highway Engineering about “attribute-based encryption,” a topic he discussed at last year’s SAE Commercial Vehicle Engineering Congress, and many other cybersecurity issues affecting vehicles and machines.
In your SAE presentation you discussed an “alternative” encryption method that is attribute-based. Can you explain this method and how it’s different than other methods?
Attribute-based encryption is a subset of functional encryption. This is based on some research we’ve been doing with one of our clients. They are trying to commercialize attribute-based encryption. The nice thing about this method is that it encrypts data based on a policy. For example, you can set a policy saying that this data could be viewed if you are the automotive manufacturer, or if you’re a mechanic. If you satisfy either of those policy attributes, then you’re able to view the data. And this is from an encrypt-once type of situation. In symmetric encryption, you’d have to encrypt the same data at least twice, for anybody that you would want to be able to protect it from. Same thing with asymmetric encryption, you’d have to be able to use the public key from each of those entities to be able to protect it. So the nice thing about attribute-based encryption is that it allows you to do role-based access control or even content-based access control, where based upon what the contents of the data are is who’s allowed to view it. And you don’t have to do a lot of the additional key management, or the separate encryptions, to be able to protect the data as in asymmetric or symmetric key technologies.
Where does this technology stand in terms of product development?
Our client is working closely with the government on cloud-based computing, and for protecting data in the Cloud. You can see how the idea of protecting data with attribute-based encryption might be beneficial for the Cloud. What we’re looking to do is to bring it into automotive [including commercial vehicles]. We saw some synergy with what’s needed in the automotive sector, both possibly within a vehicle and also external to a vehicle—somebody trying to hack the data in and out, or even communications between vehicles. So at this research stage we want to be able to see, does it make sense for the automotive sector? Does it make sense based upon requirements for computation times, how intensive is it, can it fit on the boards on a vehicle? Those are questions we want to answer, so that’s what we’re investigating.
Does any one transportation sector drive cybersecurity technology and standards more than another?
I think that the multiple transportation sectors are all working on this concurrently. They all have separate cybersecurity solutions and standards that are trying to target their specific needs. There are different needs between off-road, for example, and passenger cars in terms of safety and regulations that they have to be able to achieve. So it’s a little hard to compare some of the needs between those sectors. I know that, for example, there are information-sharing assurance centers (ISACs) set up for service transportation; automotive is setting one up; aviation is in the process of getting one. So everybody’s trying to move forward for their respective industries.
Are there unique challenges in protecting passenger vehicles vs. commercial vehicles?
Off-road vehicles are adding a lot of autonomy, which provides a potential impact if a vulnerability or if an attack occurs. They’re also adding a lot of connectivity for communication, to be able to update things that are in the field and remote locations, so that’s another ‘attack surface’ that a hacker might be able to exploit. So these are things that they’re working toward protecting, and before they deploy they put solutions in place to build or protect firewalling and systems using various intrusion-detection systems, segregating different components, and things like that.
Each of these [industries] is going to have unique challenges as we get connected, and the regulations are going to be different, safety concerns are going to be different. Passenger cars focused a lot on infotainment driver experience, and that of course is not as much of a concern on the off-road side; it’s more about getting the job done and those capabilities, and those are going to have some differences in attack surfaces and the potential vulnerabilities.
Is cybersecurity at a point where it can properly protect automated vehicles already in operation?
Thankfully the information industry has been working for a long time, for many decades, to try to protect information systems, but it still does fall prey on a daily basis to attacks. Cybersecurity is a continuous process; everybody has to continue working that way. The companies and the businesses we work with are working hard to make sure that a product is secure before it’s deployed. But technology of course keeps increasing, so new attacks do surface. One of the things that companies need to do is to continually monitor, continually perform risk analysis and assessment, to be able to keep updating the software, keep updating the pieces that are in the field as threats are determined and risks arise.
What are the main challenges with protecting increasingly connected and automated commercial vehicles?
These are complex systems and there are going to be issues that arise, especially in the field, and things that just get missed; it’s a very complex problem. Fortunately, software is modifiable and can be patched after it’s delivered. But unfortunately, that software modifiability is another area that attackers might take advantage of, so there needs to be protective mechanisms in place to be able to protect that, and there are. But we need to keep abreast of what security issues might be out there.
One of the key things that I think would be the most beneficial in protecting, too, is information sharing—those ISACs are a good way to help share information. That way within an industry, if there’s a particular attack discovered, that information can be shared so that others might be able to work toward protecting themselves so it doesn’t bring down everybody within that industry. Also having in place internal security test teams, setting up the organization so that security is designed from the ground up for a product, making sure that you test, making sure that you keep active on what’s going on with threats so that you can keep updating your software and updating the patches.
One of the challenges with vehicles is that they are going to be out there for a long time, so sometimes the support ends up being longer than what you would expect with traditional IP with PC software, so they need to be able to keep up to date and keep protecting for the life of the vehicle.
You already mentioned attribute-based encryption. Are there any other areas or technologies you see that can help with cybersecurity for vehicles?
One of the areas that Southwest Research Institute is researching is LTE (Long-Term Evolution) security. As these vehicles are becoming connected, LTE becomes a common transportation layer for their communications and for telematics and control. We actually have an automotive consortium for embedded security that is looking at developing risk-analysis modeling tools. We’re looking at companies being able to perform their own threat analysis; we’re looking at helping to develop functional requirements and specifications so that the manufacturers and the suppliers can work together to have solid requirements and a good foundation for developing new products. Those are some of the areas that we’re directly looking at.
SAE also plays a very large role in information sharing. They’ve got the Vehicle Electrical System Security Committee, and I know they perform a lot of information sharing and they’re working to come up with some best practices and other pieces for the automotive industry. Being able to communicate all this information throughout the industry helps, because then when it is something that’s missed, everybody can react quicker so that it doesn’t have as large of an impact throughout the industry.
In the future, there'll be continually evolving threats. How can SwRI (and industry, in general) attempt to address such uncertainty? Do you anticipate certain threats, or is it more reactionary?
There’s obviously a little bit of both—not everything’s going to get caught, so there’s always going to be a reactionary piece to it. But there are tools available, like I said, part of that consortium is developing a risk modeling tool. Something that’s important for any company to be able to do, similar to what they do for safety and for failure mode analysis but also for security, is looking at what happened, what is the impact if an attacker was able to attack one of our pieces of equipment. And going through the attack tree and being able to determine what the overall impact to the organization is. That helps the company learn where to put in potential countermeasures and pieces to protect their product from that impact.