Service Orientated Architectures Pitch for OTA Security

The security risks of centralized automotive architectures and over-the-air updates are clear.

Meanwhile, vehicle functions are increasingly defined by software, making them more hackable. The evolution of automotive electrical engineering toward service-oriented architectures changes the paradigm for the security of OTA updates, as well as security in general. Says Luca De Ambroggi, chief analyst with Ward’s Intelligence: “From the automotive and engineering perspectives, hardware security that you can implement in silicon is known to be the safest. With software, you can update something and use the same path to hack it. The perception is that it’s less safe. Nonetheless, the car is going to be controlled by software for cost and security reasons.”

Consumer experience: a megatrend

Consumer demand is a major influence on the move toward software-defined vehicles. Consumers expect the digital experience in the car to rival that of their phones, says Robert Redfield, director of business development for Green Hills Software. Add to that the amount of software needed for ADAS and semi-autonomous driving, and, “OEMs realized the existing electrical engineering foundation couldn’t scale”.

Whether it’s adding new functionality to ADAS or infotainment, or patching vulnerabilities, OTA updates are a valuable solution. Service-oriented architectures (SOAs) make handling vehicle software more efficient and economical, and they can improve the security of OTA updates.

SOAs simplify software development, De Ambroggi says, because software is broken up into small, self-contained modules that can be updated individually, whether that’s an upgrade in functionality or eliminating a vulnerability. Updates can also be more frequent. When a change is made, he adds: “You don’t have to requalify the entire 400 million lines of code in the vehicle. You just certify the submodule that’s responsible for this area of the function.”
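As an added illustration (not code from the article or from any company quoted in it) of what "certifying just the submodule" looks like on the receiving side, the following Python checks a per-module update: each module carries its own digest and version in an OEM-authenticated manifest, so only changed modules are installed and downgrades are refused. Module names, payloads and the key are constructed; an HMAC with a shared key stands in for the OEM's signature (an assumption made only to keep the example standard-library).

```python
import hashlib
import hmac
import json

# Constructed key (assumption). A production ECU would hold only an OEM
# public key and verify an asymmetric signature; HMAC is used here solely
# because it is available in the standard library.
OEM_KEY = b"constructed-oem-key-not-real"

def module_digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def build_manifest(modules: dict, versions: dict) -> dict:
    """OEM side: one entry per independently updatable module."""
    return {"modules": {name: {"version": versions[name], "sha256": module_digest(blob)}
                        for name, blob in modules.items()}}

def sign_manifest(manifest: dict) -> str:
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(OEM_KEY, canonical, hashlib.sha256).hexdigest()

def verify_update(manifest: dict, tag: str, modules: dict, installed: dict) -> list:
    """ECU side: return the module names to install, or raise ValueError.

    The manifest is authenticated first, so a forged or edited manifest is
    rejected before any payload is examined; then every module's digest is
    checked and a version lower than the installed one is refused (anti-rollback).
    """
    if not hmac.compare_digest(sign_manifest(manifest), tag):
        raise ValueError("manifest authentication failed")
    to_install = []
    for name, meta in manifest["modules"].items():
        if name not in modules:
            raise ValueError(f"payload missing for {name}")
        if not hmac.compare_digest(module_digest(modules[name]), meta["sha256"]):
            raise ValueError(f"digest mismatch for {name}")
        current = installed.get(name, 0)
        if meta["version"] < current:
            raise ValueError(f"rollback rejected for {name}")
        if meta["version"] > current:
            to_install.append(name)   # unchanged modules are left untouched
    return to_install

# Constructed sample update: only the infotainment module moved to a new version.
SAMPLE_MODULES = {"adas_lane_keep": b"adas-v3-image", "infotainment_ui": b"ivi-v7-image"}
SAMPLE_VERSIONS = {"adas_lane_keep": 3, "infotainment_ui": 7}
INSTALLED = {"adas_lane_keep": 3, "infotainment_ui": 6}

def demo() -> list:
    manifest = build_manifest(SAMPLE_MODULES, SAMPLE_VERSIONS)
    return verify_update(manifest, sign_manifest(manifest), SAMPLE_MODULES, INSTALLED)

if __name__ == "__main__":
    print(demo())
```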

New architectures, new security

One of the advantages of siloed ECUs was security – an exploit of one ECU couldn’t reach others. “As you connect those ECUs, you run the risk of, if one gets infected, others can be, too,” says Redfield. “You have to think very carefully about how to separate cyber-security risks coming from outside the car from life-critical functions in the car.”

SOAs can exacerbate security concerns if their architectures are not properly designed, as De Ambroggi and Redfield both note. Because the ECUs are now connected, Redfield says: “The vehicle architecture better have software and hardware to either block attacks coming in from any source or safely partition them.” De Ambroggi says that one obstacle to SOAs in the past was connectivity. “The networking of the car was really low bandwidth. Implementing a security protocol to secure transmission of data would have created unbearable overhead.”

Now, with Ethernet in the car, automakers can implement security protocols that have long been used in the IT industry, such as TLS. With Ethernet in the car, De Ambroggi says: “You need to be able to address a specific module, so each ECU in the car will have its own IP address that will be secure and frequently updated by the OEM. This is exactly what major OEMs are targeting.”

Gradual shift to SOAs

Decoupling infotainment functions from safety-critical functions by means of domain-specific controllers will persist as a strategy for a while, De Ambroggi thinks, because it provides a more controlled and secure path for updating those safety functions. However, SOAs do allow for a more centralized architecture with software-defined functions.

Within an SOA, services can be defined as largely independent software components with standardized interfaces in a modular structure, according to Günter Reichart, spokesperson for AUTOSAR. He says: “This makes it easier to reuse these software components compared to modules that are designed for signal-based communication. The decoupling of software components in service-oriented systems significantly simplifies the update and upgrade processes.”

Strategy Analytics expects the use of central automotive gateway modules to grow to almost 100% by 2027, in line with the growing complexity of vehicle electronics and software, plus the concomitant need for more security. “As the automotive gateway module becomes the central focal point for increasing volumes of data, issues of security including cyber-security and the use of software and hypervisors will also become central to the automotive gateway module offering,” report author Asif Anwar said in a press release.

Despite the potential risks of OTA updates themselves, Reichart says: “Fast over-the-air updates and upgrades will play an important role in our defense against external attacks.” While SOA may be the future, it’s not the only future for automotive architectures. Reichart adds: “Signal-based systems also have their advantages, especially when high levels of functional safety have to be achieved, and will continue to exist in vehicle networks.”
