Last month, Karamba Security’s Director of PMO, Helen Buchumensky, spoke at the German Association of the Automotive Industry (VDA) conference about the importance of cybersecurity in safety-critical systems, and why it is crucial that it does not clash with automotive functional safety requirements. This post is based on her presentation.
Imagine this scenario: You’re driving with your kids in your minivan to the grocery store, when a teenager behind the wheel of an SUV hits your vehicle head-on. It’s a low speed collision and your airbags are set to deploy, until the connected vehicle’s cybersecurity system blocks the action as suspicious. Your body lurches forward and instead of hitting the airbag, you strike the steering wheel at full force.
This scenario is not difficult to imagine. As connected vehicles become more common on our roads, the cybersecurity tools installed to keep vehicles safe from hackers must not interfere with the on-board safety features that protect us from everyday road accidents, according to Karamba Security Director of PMO Helen Buchumensky.
“A few years ago, safety-critical systems were only safety critical. Today, with all these new and fancy connectivity tools, safety critical systems are now cyber vulnerable as well,” Buchumensky said.
This means that a cyberattack can now potentially cause a road fatality, because “if hackers are playing with your car, you can’t trust the vehicle’s safety mechanisms anymore. Nothing is more important than life, so these risks must be prevented,” Buchumensky added.
However, placing cybersecurity protection inside a safety system can create risks of its own.
Buchumensky described the cybersecurity system’s cancellation of the airbag deployment as an example of a “false positive” that can result in physical harm to the product’s users, in this case the driver and passengers. She calls this the “false positive paradox”: a security control that wrongly blocks a legitimate safety action can create more risk than the attack it failed to catch would have, so in a safety-critical system a false positive can be worse than a false negative.
According to Buchumensky, eliminating false-positive failures must therefore be an integral part of the design process for any product cybersecurity system that is meant to protect safety-critical systems.
So how do manufacturers balance the demands of security with the need to keep safety as their top priority?
According to Buchumensky, OEMs must define performance targets for cybersecurity protection that take the specifics of each ECU into account: its safety requirements, its threat analysis and risk assessment (TARA), its resource limitations (CPU, memory and timing budgets) and its operational use cases. The selected solution, usually a combination of several protection layers, must then be verified against the full spectrum of the safety-critical system’s requirements, not only against its security requirements.
She added that one of the most reliable ways to ensure cybersecurity without endangering safety is to build software integrity into the vehicle design process from the start, rather than bolting it on afterwards.
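The difference between a security control that vetoes individual safety actions at runtime and one that verifies software integrity once, when code is loaded, can be shown with a small simulation. The following is an added illustration written for this post; it is not code from Karamba Security, the VDA presentation or any vehicle ECU. The crash thresholds, the "block deployments below 30 km/h" heuristic, the firmware bytes and the scenarios are all constructed assumptions chosen to make the false-positive paradox from the airbag example visible.

```python
"""Illustration of the false-positive paradox in a safety-critical ECU.

Added example for this post, not code from Karamba Security or the VDA talk.
Every threshold, rule and byte string below is an assumption for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed handler "firmware" for the airbag ECU (illustrative bytes only).
AIRBAG_HANDLER_CODE = b"deploy if decel_g >= 3.0 and speed_kph >= 15"
# Tampered variant an attacker might flash: it never deploys.
TAMPERED_HANDLER_CODE = b"deploy never"
# Reference hash fixed at build time: the "built-in software integrity" baseline.
GOLDEN_HASH = hashlib.sha256(AIRBAG_HANDLER_CODE).hexdigest()


@dataclass(frozen=True)
class CrashEvent:
    decel_g: float    # deceleration reported by the crash sensor, in g
    speed_kph: float  # vehicle speed at impact


def safety_logic(ev: CrashEvent) -> bool:
    """Assumed functional-safety rule: deploy on a real impact, even at low speed."""
    return ev.decel_g >= 3.0 and ev.speed_kph >= 15.0


# Design A: a runtime anomaly heuristic sits inline on the actuation path.
def inline_anomaly_gate(ev: CrashEvent) -> bool:
    """Return True if the deploy command is allowed through.

    Assumed naive heuristic: deployments below 30 km/h are rare, so treat them
    as suspicious and block them. Any inline veto on a safety action carries
    this class of risk; the concrete rule here is only for illustration.
    """
    return ev.speed_kph >= 30.0


def design_a_deploy(ev: CrashEvent) -> bool:
    return safety_logic(ev) and inline_anomaly_gate(ev)


# Design B: integrity is checked once when code is loaded, never per command.
def load_handler(code: bytes) -> Optional[Callable[[CrashEvent], bool]]:
    """Return the handler if its hash matches the golden value, else None.

    A mismatch is a boot-time integrity fault: tampered code never runs, and
    nothing on the runtime actuation path can veto a genuine crash event.
    """
    if hashlib.sha256(code).hexdigest() != GOLDEN_HASH:
        return None
    return safety_logic  # the verified handler, modelled by the Python function


def design_b_deploy(ev: CrashEvent, code: bytes = AIRBAG_HANDLER_CODE) -> Optional[bool]:
    handler = load_handler(code)
    if handler is None:
        return None  # integrity fault raised at load time, not a per-event decision
    return handler(ev)


def count_false_positives(events, decide) -> int:
    """Events where the safety logic wants deployment but the design blocked it."""
    return sum(1 for ev in events if safety_logic(ev) and not decide(ev))


# Constructed scenarios: the low-speed head-on crash from the talk, a highway
# impact, and a pothole that must not deploy.
SCENARIOS = [
    CrashEvent(decel_g=4.5, speed_kph=20.0),   # low-speed collision: must deploy
    CrashEvent(decel_g=12.0, speed_kph=90.0),  # highway crash: must deploy
    CrashEvent(decel_g=1.2, speed_kph=40.0),   # pothole: must not deploy
]

if __name__ == "__main__":
    print("design A false positives:", count_false_positives(SCENARIOS, design_a_deploy))
    print("design B false positives:", count_false_positives(SCENARIOS, design_b_deploy))
    print("tampered firmware loads:", load_handler(TAMPERED_HANDLER_CODE) is not None)
```

Design A cancels the airbag in the low-speed collision, exactly the false positive described above, while design B deploys it, because the integrity check is applied to the code at load time rather than to each command at the moment it matters. The tampered firmware is still caught, but before it runs, not in the middle of a crash.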
“That’s why it is important to introduce cyber protection in the early development stage and make it fixed and permanent. Otherwise, an update of your cyber protection may risk the resources of your system,” Buchumensky said, adding that “safety, safety, safety” is the name of the game.