Busting Up Vehicle Cyberattacks with CAN Bus: Q&A with Mercury Systems
Implementing changes, including those addressing security, that will have an impact upon multiple components in a vehicle is no easy task. Mercury Systems explains how it has risen to the challenge.
Editor’s Note: Not long after Mercury Systems announced its CANGuard security suite for protecting automotive vehicle data networks, Brian Sutton, the company’s Senior Embedded Systems Engineer Lead, Mercury Systems Secure Processing Solutions Group, responded to questions from EECatalog to offer perspective on the release and place it in the wider context of automotive security in general. Edited excerpts of the interview follow:
EECatalog: The news release announcing Mercury’s new CANGuard security suite notes, “CANGuard software requires no architectural changes to the vehicle nor additional hardware.” Were there some tough tradeoffs to avoid architectural changes? Is there an attitude on the part of any of your potential customers that might see a solution that doesn’t require architectural changes as perhaps not “big” enough or revolutionary enough to take on the seriousness of hacking which could cost lives?
Brian Sutton, Mercury: First and foremost, the automotive suppliers we have engaged with treat vehicle safety concerns very seriously. Over the past several years, we have continued to see a barrage of newfound security vulnerabilities arise due to the addition of Internet connectivity to our vehicles as part of the Internet of Things. This introduction of potential cybersecurity vulnerabilities into vehicles has caused safety and security to intersect in a pronounced way.
When designing a security solution to address these threats, a balance must be struck between the effectiveness of the solution and its ease of adoption. The automotive supplier landscape is quite complex. A significant number of interdependencies arise within vehicles due to the large number of OEMs, vehicle types, and tiered suppliers. Because of this ecosystem, there is a fair amount of inertia that makes rolling out changes that affect multiple components in a vehicle quite cumbersome.
Automotive suppliers are actively looking to identify security solutions that will address these cybersecurity threats in the vehicle. If the only security solutions that existed introduced vehicle architecture changes, I am sure the suppliers would begin making provisions to adopt them, even though this would be viewed as undesirable. The issue is that the threats we face are here today. A pragmatic ready-to-adopt solution is needed now that is also cost-effective. CANGuard helps address this challenge by enabling surgical mitigation of CAN bus security threats.
When designing CANGuard we took great efforts to ensure the solution would be isolated to a given component (e.g. ECU) without introducing interdependencies with the rest of the vehicle. An advantage of this approach is that each ECU can be updated independently; the entire vehicle does not need to be updated at the same time. The downside is that other components in the vehicle may have vulnerabilities that remain unaddressed—ensuring these other components are secure ultimately lands on the OEMs who are responsible for the security of the entire vehicle.
EECatalog: How has Mercury’s understanding of other hardware and software solutions for keeping access secure helped Mercury develop CANGuard?
Sutton, Mercury: The Secure Processing Solutions division within Mercury has an extensive heritage performing security assessments and system designs for a broad range of defense and commercial platforms, including automotive systems. The expertise gained during these protection designs was instrumental in identifying an effective security solution for the CAN bus.
Mercury utilizes a systematic threat-driven approach to security that is driven by a clear understanding of a system’s security need. We carefully avoid arbitrary application of security technologies based on their perceived effectiveness or hype. With this approach, we can gauge the strength of a protection design by identifying its weakest links. This approach then allows us to perform a cost-benefit analysis to determine if the solution is viable. As a security technology supplier, it is our responsibility to provide solutions to the market that can be used to help address the safety concerns we all now face with the introduction of cyber-connectivity to our vehicles.
EECatalog: Once an automotive industry decision maker tasked with addressing the problem of in-vehicle security learns about CANGuard as well as alternative solutions, what should be his or her next steps to determine which solution is the best fit?
Sutton, Mercury: It is all too easy to apply security technologies arbitrarily to a potential vulnerability without actually considering their effectiveness at solving the real problem. When someone sees a shiny new hammer, they instinctually want to apply it to everything in their sight, including screws. This is not a great way to approach security decisions.
We advocate the use of a threat-driven security approach to identify how best to mitigate system vulnerabilities. It is in the best interest of the decision maker and consumer to avoid needless application of security technologies to a vehicle and rather to take a surgical approach to security. Not all components within a system need the same level of security. By preventing transmission of messages an ECU is not authorized to send, CANGuard can prevent a successful cyberattack on one component from spreading throughout the vehicle. Mercury can assist with analysis of vehicle systems to determine if CANGuard is a proper fit. We believe that when such an analysis is performed for a vehicle, CANGuard will stand apart.
EECatalog: Beyond its reputation for being a “reliable workhorse,” as the CANGuard press release states, what is it about the Controller Area Network that has made it worth the time and effort to come up with CANGuard to stop hacker access—why isn’t it time to just switch horses?
Sutton, Mercury: CAN is a ubiquitous vehicle bus that is continuing to be adopted in new vehicle designs. Numerous investigations are underway to identify next-generation automotive vehicle busses; for example, Ethernet is a strong contender. However, before a bus technology can gain pervasive adoption it must be standardized and accepted into the automotive ecosystem. This is a very slow-moving process, and we expect CAN to remain the dominant vehicle bus for many years to come.