The present invention relates to communications bus data security, and particularly but not exclusively, to a system and method for real-time data security of a vehicle communications bus.
Modern vehicle electronics systems and industrial control systems usually connect several units in a computer network, and that network may be exposed to many cyber threats.
For example, a modern vehicle usually has several Electronic Control Units (ECU) installed thereon.
A Vehicle's Electronic Control Unit (ECU) is an electronic system within a vehicle, having processing capabilities (e.g. a radio system is an ECU while a wiper controlled by a relay is not).
Some of the vehicle's Electronic Control Units may include an external communication interface, i.e. an interface used for communication with devices outside the vehicle's electrical system, including devices outside the vehicle itself. Occasionally, “ECU” also stands for “Engine Control Unit”, which is a special type of an Electronic Control Unit (ECU).
Automobiles are becoming more sophisticated and increasingly use computerized technology to control critical functions and components such as brakes, engines and even steering. While computerized technology enhances the performance of the vehicle, compromising the operation of one of those safety-critical ECUs may cause severe damage to the vehicle, its passengers and, potentially, even the surroundings, for example when the vehicle is involved in an accident with other vehicles or pedestrians.
Vehicle ECUs are usually connected in a non-secure manner, say through a CAN (Controller Area Network) bus, on which frames carry a message identifier but no authentication of the sender. A criminal who gains access to a car's CAN bus may thus insert malicious messages directed at a safety-critical ECU.
Some of the ECUs which are connected to a vehicle's communication bus have external connections, such as a vehicle's telematics ECU or infotainment system.
Consequently, it may be possible to compromise one of the vehicle's ECUs using a cyber-attack. The compromised ECU may thus be used as an entry point for launching the cyber-attack, as known in the art.
Reference is now made to FIG. 1, which is a block diagram schematically illustrating a first exemplary modern vehicle's electrical system, as known in the art.
A first exemplary modern vehicle's electrical system includes a single communications bus 105, say a CAN (Controller Area Network) bus, as known in the art. The bus 105 of the exemplary electrical system connects one or more ECUs 75 and is used by the ECUs 75 to communicate with each other.
Reference is now made to FIG. 2, which is a block diagram schematically illustrating a second exemplary modern vehicle's electrical system, as known in the art.
A second exemplary modern vehicle's electrical system includes two or more communications buses (also referred to hereinbelow as bus segments) 106, say CAN (Controller Area Network) buses, as known in the art. Each one of the bus segments 106 of the second exemplary electrical system is connected to one or more ECUs 75 and is used by one or more of the ECUs 75 to communicate messages to/from other ECUs.
A vehicle's communication bus like the ones 105, 106 schematically illustrated in FIGS. 1 and 2 is an internal communication network that interconnects components inside a vehicle and implements a communications protocol. Examples of a protocol that may be implemented by such buses include CAN, Local Interconnect Network (LIN), FlexRay, Vehicle Area Network (VAN), Ethernet, etc., as known in the art.
Thus, the bus segments 106 of the second exemplary system may implement different communications protocols, the same protocol, or the same protocol with different configurations, etc., as known in the art.
The second exemplary modern vehicle's electrical system further includes one or more gateways or bridges 109, connected between two or more of the bus segments 106, as known in the art.
A gateway or bridge 109 connects two or more bus segments 106 and allows messages to pass between them.
Gateways and bridges are designed for transferring messages between bus segments in a reliable manner, but are usually not designed from a cyber-security perspective.
One aspect of cyber-security-directed design, as opposed to reliability-directed design, is message filtering. A bridge or gateway designed for reliability usually does not discard messages, out of concern that a message may be needed and that its absence may cause harm; consequently, a message injected on one bus segment is forwarded to every other segment, including segments carrying safety-critical ECUs.
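The following is an added example (not part of the patent text) that contrasts the two gateway designs described above, and illustrates the injection scenario of the CAN bus discussion: a reliability-directed gateway that forwards every frame to every other bus segment, beside a security-directed gateway that forwards a frame only if its identifier is permitted from the source segment onto the destination segment. The segment names, CAN identifiers and frames are constructed for illustration and do not correspond to any real vehicle's message catalogue.

```python
"""Bus-segment gateway with per-segment CAN identifier filtering.

Added illustration; not the patent's own design. All identifiers,
segment names and frames below are constructed (assumptions).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    can_id: int    # 11-bit standard CAN identifier
    data: bytes    # classic CAN payload, 0..8 bytes
    source: str    # bus segment the frame arrived on

    def __post_init__(self):
        if not 0 <= self.can_id <= 0x7FF:
            raise ValueError("standard CAN identifier must fit in 11 bits")
        if len(self.data) > 8:
            raise ValueError("classic CAN payload is at most 8 bytes")


class ReliabilityGateway:
    """Reliability-directed bridge: forwards every frame to every other
    segment and never discards anything."""

    def __init__(self, segments):
        self.segments = list(segments)

    def route(self, frame):
        return [s for s in self.segments if s != frame.source]


class FilteringGateway:
    """Security-directed gateway: forwards a frame only to the segments on
    which its identifier is expected from the source segment; everything
    else is dropped and recorded for later analysis."""

    def __init__(self, allow):
        # allow: {(source_segment, destination_segment): {permitted CAN IDs}}
        self.allow = allow
        self.dropped = []

    def route(self, frame):
        dests = [dst for (src, dst), ids in self.allow.items()
                 if src == frame.source and frame.can_id in ids]
        if not dests:
            self.dropped.append(frame)
        return sorted(dests)


# Constructed identifiers (assumptions, not from any real message catalogue)
ID_VEHICLE_SPEED = 0x1A0   # powertrain -> infotainment, for the display
ID_TRIP_RESET = 0x3C0      # infotainment -> powertrain, trip counter reset
ID_BRAKE_CMD = 0x0C0       # powertrain-internal; must never come from outside

# Only these (source, destination, identifier) combinations are legitimate.
ALLOW = {
    ("powertrain", "infotainment"): {ID_VEHICLE_SPEED},
    ("infotainment", "powertrain"): {ID_TRIP_RESET},
}


def simulate():
    """Run three constructed frames through both gateways; the third frame
    is a brake command injected by a compromised infotainment ECU."""
    frames = [
        CanFrame(ID_VEHICLE_SPEED, bytes([0x00, 0x32]), "powertrain"),
        CanFrame(ID_TRIP_RESET, b"\x01", "infotainment"),
        CanFrame(ID_BRAKE_CMD, bytes([0xFF, 0x00]), "infotainment"),
    ]
    reliability = ReliabilityGateway(["powertrain", "infotainment"])
    filtering = FilteringGateway(ALLOW)
    return {
        "reliability": [reliability.route(f) for f in frames],
        "filtering": [filtering.route(f) for f in frames],
        "dropped_ids": [f.can_id for f in filtering.dropped],
    }


if __name__ == "__main__":
    for name, routes in simulate().items():
        print(f"{name}: {routes}")
```

The reliability-directed gateway forwards the injected brake command onto the powertrain segment; the filtering gateway drops it because no rule permits that identifier from the infotainment segment, while the two legitimate frames still reach their destinations. A real deployment would derive the allow table from the vehicle's message catalogue rather than hand-written constants.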
Indeed, vehicle communications buses have become very susceptible to attacks, say for car theft or for remote manipulation of ECUs.
A further issue arising from inadequate security on vehicle communications buses is a financial threat that OEMs and Tier-1 suppliers are concerned about, namely unauthorized ECU replacement.
The owner of a vehicle may replace an existing ECU with an unauthorized or non-original one, for several reasons. For example, an unauthorized replacement ECU is likely to be cheaper, or a replacement ECU may give a vehicle more capabilities, similarly to chip tuning (say, removing limitations from the engine to give more power beyond the engine's specification, thereby making the engine more prone to malfunction, safety issues, etc.).
The financial damage to the OEMs and Tier-1 suppliers arises both because their original ECU is not purchased, and because the unauthorized replacement ECU may damage the vehicle while the vehicle is still under warranty.