V2X Security Is Multifaceted And Not All There

V2X Security Is Multifaceted And Not All There

Time Stamp: March 27, 2024 3:06 AM
Source Node: 2527928

Experts at the Table: Semiconductor Engineering sat down to discuss Vehicle-To-Everything (V2X) technology and potential security issues, with Shawn Carpenter, program director, 5G and space at Ansys; Lang Lin, principal product manager at Ansys; Daniel Dalpiaz, senior manager product marketing, Americas, green industrial power division at Infineon; David Fritz, vice president of virtual and hybrid systems at Siemens EDA; and Ron DiGiuseppe, senior marketing manager, automotive IP segment at Synopsys. What follows are excerpts from that conversation. To view part one of the discussion, click here.

L-R: Ansys' Carpenter; Ansys' Lin; Infineon’s Dalpiaz; Siemens EDA’s Fritz; Synopsys‘ DiGiuseppe.
L-R: Ansys‘ Carpenter; Ansys‘ Lin; Infineon’s Dalpiaz; Siemens EDA’s Fritz; Synopsys‘ DiGiuseppe.

SE: For V2X to really take off, security must be addressed. How is the industry approaching this?

Lin: We are facing at least three types of important issues for V2X system regarding security. One is the software side, of course. You have the capability of upgrading the system through the internet, and you need some permission controls. You cannot say, “Hey, everybody, you can just update my car.” What if the software is a Trojan or a bad tool that is trying to break your system? Can the user just click the button saying, “Update for me?” He has to be aware and he has to be very carefully giving permission to that update.

Two is the hardware side. Cryptography is always needed for any of these kinds of communication systems. Make sure your secret key/password is not disclosed by an attack — side channel, fault injection, etc. There are already some tools that start to check for these attacks and vulnerabilities from hardware. That’s another camp of important security concerns.

Three is sensor data integrity. Now you have an ADAS system collecting images to identify cars, for example, and it gets sensor data from different inputs, be it sensors or cameras or radar. So this data cannot be eavesdropped on. Vulnerability of that data to the attackers could be another concern.

Carpenter: A more blunt instrument of interference is just interference or denial of service by someone who walks in with a noisemaker, or a dirty business band radio that doesn’t have clean emissions, or something like that. What happens when someone just simply can’t get a signal? We hear the stories happening on some of the battlefields with denial of GPS and GNSS services, and that co-location is shut down. The same thing could be a potential security issue for the basic comms that are needed to enable V2X. Someone denies you service for a period of time by putting a noisemaker next to your car. We’ll probably have to re-look at what emission standards are going to be for these bands, as we have more emitters in that environment than a typical city setting.

DiGiuseppe: I would like to highlight what Lang mentioned earlier about the new standard, ISO 21434 cybersecurity, but there’s also a new UN regulation, UN 155, which mandates and regulates automotive, at least for Europe’s needs to have a cybersecurity management system for the supply chain. This means the automakers, Tier One suppliers, and the software suppliers need to have a cybersecurity management system that assesses the security threats, and then put in a plan to deal with any security vulnerabilities. That’s a step in the right direction — having mandates that cybersecurity is addressed. And since V2X is a wireless technology, cybersecurity vulnerabilities are absolutely a concern. There is a national deployment plan that the U.S. DoT released in October, which requires cybersecurity profiles and various certifications. Having those mandates are also important.

Dalpiaz: In Europe it is mandatory already to use a hardware security module that was mainly thought to safeguard the V2X communication. This is something that started four or five years ago, and a year and a half ago became mandatory in Europe. I don’t know about U.S., but I believe we might have something similar.

Fritz: Security is not a one-size-fits-all problem. There are security issues that occur at sensors, which could present false data to the system. There are security issues at actuators that could cause a command to be misinterpreted with catastrophic results. And there are the ‘conventional’ security intrusions. Security islands are coalescing into a technology that can be adopted into a design with little effort, making security a never-ending but solvable challenge.

SE: When it comes to the rollout of V2X, what can we realistically expect?

Carpenter: If you look at the DSRC band, I would have to say I’m not encouraged yet.

DiGiuseppe: Again, the national deployment plan, which is a U.S. plan, has short-term, medium-term, and long-term rollout goals. One of the rollout goals in the medium term is to have 75 top metro areas with 50% of the intersections enabled with V2X signals. These deployment goals include having a number of automakers/OEMs have those devices installed. Setting those goals and executing them provides that framework because it applies to the government localities, along with all of the different stakeholders that we talked about.

Fritz: Like many aspects of next-generation vehicles, V2X hype has pushed companies into rushed-to-market solutions. I’m aware that in some universities — and company skunkworks — more robust, adaptable, and secure V2X solutions are on the horizon. It could well be that the obvious solutions are not the winners in the long run.

SE: What V2X is in place already?

DiGiuseppe: At CES 2024 there were various announcements of deployments. For instance, Qualcomm and Ford had a collaboration and a deployment in localities. There are a number of deployments that have occurred. There are two different deployments in Colorado, but there was a lot of focus on the fact that if you drive from one deployment and the second deployment in Colorado, they don’t work together. That’s why interoperability is important. Having an isolated deployment is great as part of a smart city initiative, but when there’s a second deployment, being able to have it work between those two deployments is still a challenge. Individual deployments have occurred, and there is funding available —at least in the U.S. — for enabling those deployments.

Dalpiaz: From our side, we have been working on some solutions for quite some time. We do have some hardware security modules that are available today. These are basically plug-and-play solutions for V2X communications. And these are based on highly-secured, resistant microcontrollers for all security needs in V2X applications to protect the integrity and the authenticity of the messages, as well as the privacy of the users.

DiGiuseppe: Also in regard to deployment, from the software and application side there’s still no agreement on standardization as to what is the safety message, even with successful V2X activity. If there’s a safety issue being alerted, how will those alerts work? Will it be an audible safety message? Would it be a visible safety message? Haptic? So even the application standards need to be worked out, such that once the connection is made, what is the safety communication going to do? The application needs some additional agreement and standardization.

Lin: From the EDA side, we see increasingly important requests from customers about how to make sure the chip security vulnerability is minimized. There are simulation tools to evaluate the silicon, and for V2X it’s adding yet another level of integrity and security. You can think about a Level 3 to 4 to 5, which is a little bit higher standard than regular chip design. If they design a washing machine chip, maybe security is just a minimum check. But this is a V2X chip. You need to check if this chip is vulnerable to any fault injection from either the voltage drop or glitches, or maybe even electromagnetic emissions or interference. You’ve got to deeply check if your cryptography system could be resisting any malicious attacks, such as side-channel leakage. Will your key be leaked out through some unintentional channel? Also, fault tolerance. Can your system tolerate high temperature while your car is running in a desert? The car should also work then. Also, with temperature and voltage, how about your car running on a humid day? Will your chip be able to tolerate high humidity, or even high radiation from other vehicles or anything you can think of? This is about multi-physics simulation. You have to consider many different physics and consider the car running on the real scenario. What could cause safety and security problems? In a nutshell, we enforce higher rigid checks for the chips regarding security concerns than regular chips.

SE: Does all of the checking in the verification need to happen across the entire spectrum? For example, does it have to include the network all the way to the pedestrian level? There’s going to be your acceptance that your device can be a security beacon, or provide information back into the infrastructure. There are many pieces to this. How do you see various groups coming together to make it a reality?

Carpenter: We are starting to see telecommunication developers at least beginning to understand that they can’t continue to develop base station technology much further until they begin to collaborate a lot more closely with the handset developers. Just completing a cellular connection has become a lot more sophisticated. If they want to virtually test this stuff, or they want to do hardware-in-the-loop testing of this technology, they need to understand what’s on the other end of that channel even better than they do today.

At least in the telecommunications industry, they’re organically driving a closer relationship between handset developers and infrastructure developers. That seems to be happening. And it’s going to have to happen, because the systems they’re trying to pull together are too complex to simply have a dotted line with the 3GPP spec and say, ‘I hope it works. I think it’ll work.’ You really do have to validate this, either in a real test chamber, or some kind of virtualized hybrid where you do hardware-in-the-loop that’s informed by software.

For vehicles, part of the question about the rollout is a consumer who’s being asked to pay more for more hardware, and another set of computers on the car. What are they getting? It’s the same thing that I go through when I decide whether I’m going to upgrade to the latest mobile phone. What’s the benefit? What’s the extra thing that I need? Can I stream two cat videos simultaneously? What’s the thing that I’m willing to go for? And I don’t know if that messaging has gone forward to consumers yet to say, ‘Yes, I’d pony up extra dollars, whether it’s a subscription-based service that keeps reprogramming my safety system, or whether it’s some new service that I haven’t seen before, but looks really compelling to me.’ I would buy the car that has that, or I would buy the service on that car that has that. And I don’t know yet whether that messaging is going to go through. And if I’m an automaker, I’ve got enough systems I’m worried about right now. I need to know that a market is there for me. How do I prepare that market? How do I assess it? How do I do the addressable market analysis on this to know that if I build it, they will come. I’m not sure I have a good sense of where the wind’s blowing on this yet but I see the automakers working more with telecommunication providers. That’s clearly happening. The conversations are sparking on their own because they know they have to. But whether or not the message goes all the way through to the consumers to stand up and say, ‘Yep, we’re the market, we see what that service is, we want that,’ I believe it’ll be there. But I’m not sure it’s been fully articulated, captured, then given to the consumer as a vision yet. Who could have anticipated 10 years ago what we’d do with our smartphones today. People were in that same quandary, taking the step from 3G to 4G, or maybe from 2G to 3G, but there needs to be that compelling argument, and it becomes a chicken-and-egg problem. Do we invest so the consumers will come? Or can we get the vision out enough to consumers to understand what we could do if they signaled they’re interested, so we’ll take that next step and invest that way. We’re still kind of walking around that merry-go-round.

Fritz: If, as engineers, we get too deep into the technical details of an individual component of the solution, it is very difficult to show that everything will work together as expected. Managing ‘everything’ creates corner cases that are unlikely to be comprehended let alone tested. The most robust way to test everything is to have all of the system interoperating and exposing it to complex ‘human-level’ scenarios that can be identified by regulatory bodies. This scenario-based approach is beginning to gain purchase because policy makers can envision a set of scenarios inclusive of local situations built on top of typical situations within a broader region.

DiGiuseppe: One of the things Shawn was highlighting was there needs to be an education program to educate the consumers over the value. From a safety perspective, there are very clear benefits. They have forecasts to say that just implementing two V2X applications — one being, for instance, the intersection movement with the streetlights, and left turn assist — would reduce 500,000 automotive crashes. That benefits everyone. It reduces insurance, so there is a clear benefit. And with more than 40,000 fatal car accidents per year, just those two applications would save over 1,000 fatalities in those crashes. Educating the consumer on those kinds of benefits is a requirement.

Dalpiaz: It’s education, but also, we are living through an energy revolution right now. Everything is being electrified. V2X is part of a bigger smart ecosystem. I understand communication security, but if you live in the countryside, you might be able to use your electric vehicle as a way to provide backup power to anything. It’s an indication that this bi-directionality is something much bigger, and it starts from the utility companies, the OEMs, the suppliers, the semiconductors — it’s a full supply chain that has to raise awareness.

Fritz: Much of the intelligent decision-making must be in-vehicle, and anomalous or predictive adjustments to the environment perceived by the vehicle come from the infrastructure or other vehicle if and when it exists.

SE: How will this work for people who don’t live near charging stations?

Dalpiaz: I drive an electric car, and as long as you have a charger at home, you wake up every day with the car having a full tank. It’s a pity that I cannot use the car for energy storage, because I’d like to provide the energy back to my home. That’s my point. The goal is ultimately to have us users driving the way we consume energy. And when I say consume, not only buying from utility companies, but also selling energy back as we need to.

Fritz: We have a cabin up in the mountains of California east of LA. It is not unusual to see an EV in a turn-out having incorrectly anticipated their uphill range, and I’ve yet to see AAA show up with a charger. Range over route estimation is important.

Read part one of the discussion:
V2X Path To Deployment Still Murky
While industry experts expect many benefits of V2X technology, there are technological and social hurdles to cross. But there is progress.

Time Stamp:

More from Semi Engineering