Automotive Safety and Security – Current Trends and Challenges
Transcript of Automotive Safety and Security – Current Trends and Challenges
Automotive Safety and Security – Current Trends and Challenges
Vector Cybersecurity Symposium 2021
Stefan Kriso, Head of Bosch Center of Competence Vehicle Safety, Robert Bosch GmbH, Ludwigsburg
M/ENG-CVS | 2021-10-06CoC-VS 2021-047© Robert Bosch GmbH 2021. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Automotive Product Safety

Product Safety

Safety impacts (selection):
• Random hardware faults
• Systematic faults
• Insufficient nominal performance
• Controllability / usability reduction
• Aging / wearout
• Intentional manipulation of the system

Safety measures, legal and normative requirements:
• ISO 26262 "Functional Safety"
• ISO 21448 * "Safety of the Intended Functionality"
• ISO/SAE 21434 * "Cybersecurity engineering"
• Measures and standards according to the state of the art (e.g. reliability standards)
*: Standard under development

Duty of care → Product release

GOAL: No unreasonable risk, considering the state of the art and matching reasonable safety expectations at the point in time when the product is placed on the market.

Product Safety Engineering is an interdisciplinary activity!

"A product […] may only be made available on the market if its intended or foreseeable use does not put the health and safety of persons at risk."
[§3(2) Product Safety Act]
Functional Safety – SOTIF – Cybersecurity

Functional Safety: Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems. [ISO 26262-1:2018]
SOTIF: Absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse by persons. [ISO/PAS 21448:2019]
Cybersecurity: Condition in which assets are sufficiently protected against threat scenarios to items of road vehicles, their functions and their electrical or electronic components. [ISO/SAE FDIS 21434:2021]
SOTIF = Safety of the intended functionality
Functional Safety – Cybersecurity

Functional Safety [ISO 26262-1:2018] and Cybersecurity [ISO/SAE FDIS 21434:2021] as defined above.
How to evaluate the safety risk of an intended manipulation?
Safety-Security Integration in Practice

HARA according to ISO 26262
Risk of a hazard = Probability of occurrence ⊗ Severity
Probability of occurrence = Probability of the hazardous event ⊗ Probability of the hazardous situation ⊗ Possibility to control or mitigate the hazard
see also:
• ISO/IEC Guide 51:2004 (Safety aspects – Guidelines for their inclusion in standards)
• ISO 26262-3:2018, Annex B.1 (Hazard analysis and risk assessment)
Safety-Security Integration in Practice: ASIL

HARA according to ISO 26262: the factors of the risk formula are classified as follows:
• Probability of the hazardous event → probability of the malfunction
• Probability of the hazardous situation → "Exposure" E
• Possibility to control or mitigate the hazard → "Controllability" C
• Severity → "Severity" S
ASIL = Automotive Safety Integrity Level, determined from S, E and C
Safety-Security Integration in Practice: Cybersecurity vs. ASIL

In the HARA risk formula, Exposure E rates the probability of the hazardous (driving) situation; the probability of the malfunction is rated separately from it.
Functional Safety: statistical independence between the driving situation (exposure) and the probability of the malfunction is assumed.
Cybersecurity: this statistical independence is not given; an attacker may provoke the malfunction in a dedicated driving situation.
ASIL is not a meaningful parameter for the necessary safety risk reduction of an intended manipulation!
ASIL = Automotive Safety Integrity Level
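The HARA risk decomposition and the independence argument above, worked through as an added example (this is not code from the talk or from Bosch). The ASIL lookup reproduces ISO 26262-3:2018, Table 4. The `attacker` flag of `hazard_probability` and the `attacker_asil` function are illustrative assumptions that model the slide's point (the adversary chooses the driving situation, so exposure stops being a frequency); the S3/E3/C3 hazard and the probabilities in the `__main__` section are constructed inputs.

```python
"""HARA worked example: ASIL from S, E, C, and what an attacker does to it.

Added example for this transcript; not code from the talk or from Bosch.
The ASIL lookup follows ISO 26262-3:2018, Table 4. The attacker model
(the adversary picks the driving situation in which the malfunction is
triggered) is an illustrative assumption derived from the slide's
argument, not a method defined by any standard.
"""

# ISO 26262-3:2018, Table 4 (ASIL determination).
# Outer key: severity S1..S3; inner key: exposure E1..E4;
# tuple index: controllability C1..C3.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}

EXPOSURE_CLASSES = (1, 2, 3, 4)


def asil(s: int, e: int, c: int) -> str:
    """Return the ASIL ("QM", "A".."D") for a hazardous event rated S/E/C.

    S0, E0 and C0 (no safety relevance) lie outside Table 4 and are rejected.
    """
    if s not in ASIL_TABLE or e not in EXPOSURE_CLASSES or c not in (1, 2, 3):
        raise ValueError(f"unsupported rating S{s}/E{e}/C{c}")
    return ASIL_TABLE[s][e][c - 1]


def hazard_probability(p_situation: float, p_malfunction: float, attacker: bool = False) -> float:
    """Probability of the hazardous event, following the slide's decomposition.

    Functional safety assumes the driving situation (exposure) and the
    malfunction are statistically independent, so the two probabilities
    multiply. With an attacker, the malfunction is provoked *in* the chosen
    situation, i.e. P(situation | malfunction) = 1, and the exposure factor
    no longer reduces the risk (illustrative assumption).
    """
    if attacker:
        return p_malfunction
    return p_situation * p_malfunction


def asil_range_over_exposure(s: int, c: int) -> list:
    """ASILs the hazard would receive for each exposure class E1..E4 at fixed S and C.

    Shows how much of the rating rests on the exposure estimate, which is
    exactly the estimate an attacker invalidates.
    """
    return [asil(s, e, c) for e in EXPOSURE_CLASSES]


def attacker_asil(s: int, c: int) -> str:
    """ASIL if the attacker selects the situation: exposure degenerates to E4.

    Illustrative: once E is no longer a frequency, the rating depends only
    on S and C, which is why the ASIL scale does not say how much risk
    reduction an intended manipulation requires.
    """
    return asil(s, 4, c)


if __name__ == "__main__":
    # Constructed example: a hazard rated S3/E3/C3 in a HARA.
    print("HARA rating S3/E3/C3:", asil(3, 3, 3))
    print("same hazard, attacker picks the situation:", attacker_asil(3, 3))
    print("rating across E1..E4:", asil_range_over_exposure(3, 3))
    # Constructed numbers: situation present 1 % of driving time,
    # malfunction probability 1e-6 (per hour of operation).
    print("independent:", hazard_probability(0.01, 1e-6))
    print("attacker-chosen situation:", hazard_probability(0.01, 1e-6, attacker=True))
```

Running the block shows the same hazard moving from ASIL C to ASIL D once the exposure estimate is taken away, and the hazardous-event probability losing the factor of 100 that exposure contributed; the point of the slide is that this column is the only one the ASIL scale offers, so the scale itself is not the right tool for sizing the protection against a deliberate manipulation.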
Automotive Safety and Security

Reference: D. Förster, C. Loderhose, Th. Bruckschlögl, F. Wiemer (Bosch): Safety Goals in Vehicle Security Analyses, ESCAR 2019
Functional Safety – SOTIF

Functional Safety [ISO 26262-1:2018] and SOTIF [ISO/PAS 21448:2019] as defined above.
How do Functional Safety and SOTIF interact?
Functional Safety vs. SOTIF

[Figure: Functional Safety vs. SOTIF after ISO/PAS 21448:2019 – intended function vs. malfunction]
Safety of the Intended Functionality (SOTIF)

Is the performance of the sensors / the system sufficient to ensure a reasonably safe operation of the system? Is the situational awareness sufficient?
[https://www.engadget.com/2010/09/08/optical-illusion-lets-you-safely-run-over-fake-children]
SOTIF – Cybersecurity

SOTIF [ISO/PAS 21448:2019] and Cybersecurity [ISO/SAE FDIS 21434:2021] as defined above.
Manipulation of the environment? ("Environmental Hacks")
"Environmental Hacks": Traffic sign

[https://winfuture.de/news,99034.html]
Similar to a soiled or obscured traffic sign (e.g. by snow), therefore in principle already addressed by SOTIF.
"Environmental Hacks": Example – projection of traffic signs

[https://www.youtube.com/watch?v=C-JxNHKqgtk]
A speed limit traffic sign is projected by a drone onto a wall…
The car considers the 90 km/h speed limit as real!
From the system's point of view the input data are "valid", therefore this case is not addressed by SOTIF.
"Environmental Hacks": Process approach

Test, verification & validation as part of the "standard" product development process (V-model): Requirements Analysis → System Design → HW/SW Design → HW/SW Implementation → HW/SW Test → System Integration → System Test
Lifecycle phases: Research – Series Development – Production – After-Sales/Maintenance
Security: identify the relevant environmental attack scenarios.
Non-security disciplines: define & implement countermeasures to address the identified relevant attack scenarios.
The systematic collaboration between the different safety and security disciplines becomes more and more important …
… and will therefore be required by different safety standards and regulations in the future!
ISO 26262-2:2018
UN-ECE R157 (2021-03)

https://unece.org/sites/default/files/2021-03/R157e.pdf
Overview Automotive Safety Standards (without claim of completeness …)

Legend used on the slide: relevant for ADAS/AD; AI specific (standard contains AI-specific issues); published; under development.

Published:
• ISO 26262 (2018)
• ISO/PAS 21448 (2019)
• ISO/TR 4804 (2020)
• ISO 21434 (07/2021)

Under development (expected publication):
• ISO 21448 (03/2022)
• ISO/TR 5469 (04/2022)
• ISO 34502 (09/2022)
• ISO/TS 5083 (02/2023)

In preparation:
• ISO TR Predictive Maintenance
• ISO PAS Qualification of preexisting SW

Planned:
• Automotive-specific safety standard for AI

Not relevant in the automotive context: UL 4600
Note: Other standards (e.g. ISO 24089 Road vehicles — Software update engineering (under development)) can also be relevant.