Over the last half century the automotive industry has, initially slowly, and subsequently with great rapidity, been evolving from mechanical control systems for controlling a vehicle's functions to electronic “drive by wire” control systems for controlling the functions. In mechanical vehicular control systems a driver of a vehicle controls components of a vehicle that control vehicle functions by operating mechanical systems that directly couple the driver to the components via mechanical linkages. In drive by wire vehicle control systems a driver may be coupled directly, and/or very often indirectly, to vehicle control components that control vehicle functions by electronic control systems and electronic wire and/or wireless communication channels, rather than direct mechanical linkages. The driver controls the control components by generating electronic signals that are input to the electronic control systems and the communication channels.
Typically, a vehicular electronic control system comprises a driver interface for receiving driver actions intended to control a vehicle function, which comprises a plurality of driver action transducers (DATs) that convert driver actions to electronic driver control signals. Examples of DATs include an electronic accelerator pedal, an electronic brake pedal, an electronic steering wheel, electronic turn-signal levers, and cruise control buttons. An electronic control unit (ECU) of the control system receives the driver control signals, and responsive to these signals, operates to produce electronic control signals (“ECU output signals”) that provide information to other ECUs and/or control one or more actuators involved in performing a desired vehicle function. Generally, a vehicular electronic control system further comprises a plurality of sensors that generate signals (“sensor signals”) relevant to the vehicle function, and the ECU may receive and process sensor signals for generating appropriate ECU output signals. Driver control signals, ECU output signals, and sensor signals may be generically referred to herein as “control signals” or “signals”. The ECU of a given vehicle control system may also receive and process control signals relevant to performance of the vehicle function generated by, and/or by components in, other vehicle control systems. The sensors, actuators, and/or other control systems communicate with each other and the ECU of the given control system via a shared in-vehicle communication network, to cooperate in carrying out the function of the given control system.
By way of example, a vehicle throttle by wire control system that replaces a conventional cable between an accelerator pedal and an engine throttle may comprise an electronic accelerator pedal as a DAT, an ECU, also referred to as an engine control module (ECM), and an electronic throttle valve as an actuator that controls airflow into the engine and thereby controls power that the engine produces. The electronic accelerator pedal generates driver control signals responsive to positions to which a driver depresses the pedal. The ECM receives driver control signals from the electronic accelerator pedal, and in addition receives signals that may be generated by various sensors, actuators, and electronic control systems in the vehicle that provide information relevant to the safe and efficient control of the engine via an in-vehicle communication network. The ECM processes the driver control signals and the various signals to generate ECM output signals that control the throttle valve. Other sensors that may provide relevant signals to the ECM over the in-vehicle network include, but are not limited to, air-flow sensors, fuel injection sensors, engine speed sensors, vehicle speed sensors, brake force and other traction control sensors comprised in a brake by wire system, and cruise control sensors.
In-vehicle communication networks of modern vehicles are typically required to support communications for a relatively large and increasing number of electronic control systems of varying degrees of criticality to the safe and efficient operation of the vehicles. A modern vehicle may for example be home to as many as seventy or more control system ECUs that communicate with each other and sensors and actuators that monitor and control vehicle functions via the in-vehicle network. The ECUs may, by way of example, be used to control, in addition to the engine throttle described above, power steering, transmission, antilock braking (ABS), airbag deployment, cruise control, power windows, lights (headlights, brake lights, turn signals), doors, and mirror adjustment. In addition, an in-vehicle network typically supports on board diagnostic (OBD) systems and communication ports, various vehicle status warning systems, collision avoidance systems, audio and visual information and entertainment (infotainment) systems, and processing of images acquired by on-board camera systems. The in-vehicle network in general also provides, by way of example, access to mobile communication networks, WiFi and Bluetooth communications, TPMS (tire pressure monitor system), V2X (vehicle to vehicle communication), keyless entry system, the Internet, and GPS (global positioning system).
Various communication protocols have been developed to configure, manage, and control communications of vehicle components that are connected to and communicate over an in-vehicle communication network. Popular in-vehicle network communication protocols currently available are CAN (control area network), FlexRay, MOST (Media Oriented Systems Transport), Ethernet, and LIN (local interconnect network). The protocols may define a communication bus and how the ECUs, sensors, and actuators, generically referred to as nodes, connected to the communication bus, access and use the bus to transmit control signals to each other.
A control signal may propagate over an in-vehicle network packaged in and part of a payload of an in-vehicle network message (which may be referred to herein as “message”). Typically, an in-vehicle network of a given vehicle model employs a predefined set of message categories. A given message's category may be identified in a message ID field in a header of the message. The message category defines a plurality of fields within the payload of the message and identification of control signals in the fields. A single message therefore typically comprises a plurality of control signals in its payload. Typically, message IDs for messages used in an in-vehicle network of a given vehicle model are standardized and are expected to remain unchanged absent software updates for the in-vehicle network.
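The message structure described above, as an added example that is not part of the original text: a Python sketch that looks up a message's category from its ID, unpacks the control signals from the payload fields, and rejects frames whose ID or payload length falls outside the predefined set. The message IDs, field layouts, and scale factors are constructed for illustration and do not come from any real vehicle model.

```python
import struct

# Constructed catalogue (hypothetical IDs and layouts):
# message ID -> (category, big-endian struct format, [(signal name, scale)])
CATALOGUE = {
    0x0C1: ("throttle", ">HHB", [("pedal_position_pct", 0.1),
                                  ("throttle_angle_deg", 0.1),
                                  ("cruise_active", 1)]),
    0x1A0: ("brake", ">HB", [("brake_pressure_bar", 0.01),
                              ("brake_light_on", 1)]),
}


def decode(msg_id, payload):
    """Map one message to (category, {signal: value}).

    Raises ValueError when the ID is not in the predefined set or the
    payload length does not match the layout defined for that category.
    """
    if msg_id not in CATALOGUE:
        raise ValueError(f"unknown message ID 0x{msg_id:03X}")
    category, fmt, signals = CATALOGUE[msg_id]
    expected = struct.calcsize(fmt)
    if len(payload) != expected:
        raise ValueError(
            f"ID 0x{msg_id:03X}: payload is {len(payload)} bytes, expected {expected}")
    raw = struct.unpack(fmt, payload)
    values = {name: round(r * scale, 2) for (name, scale), r in zip(signals, raw)}
    return category, values


def audit(frames):
    """Split frames into decoded messages and rejected (ID, reason) pairs."""
    decoded, rejected = [], []
    for msg_id, payload in frames:
        try:
            decoded.append(decode(msg_id, payload))
        except ValueError as exc:
            rejected.append((msg_id, str(exc)))
    return decoded, rejected


# Constructed sample traffic: two well-formed messages, one ID outside the
# catalogue, and one truncated payload.
SAMPLE = [
    (0x0C1, bytes.fromhex("01f4009601")),
    (0x1A0, bytes.fromhex("04b001")),
    (0x7FF, bytes.fromhex("00")),
    (0x1A0, bytes.fromhex("04b0")),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```
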
The growing multiplicity of electronic control systems, sensors, actuators, ECUs, and communication interfaces and ports that an in-vehicle communication network supports makes the in-vehicle communication network, and the vehicle components that communicate via the communication system, increasingly vulnerable to cyber-attacks that may dangerously compromise vehicle safety and performance. A cyber-attack may, for example, cause a driver action to fail to initiate its intended vehicle function, or conversely initiate an unwanted vehicle function. By way of example, a cyber-attack may cause brake pads or braking lights to become unresponsive to a driver's depression of a brake pedal. Alternatively, a cyber-attack may cause the car to randomly perform a braking function without instructions from the driver or a safety system to do so.