- Mark Brooks of Southwest Research Institute says that cybersecurity protection cannot be interrupted; this is especially true of vehicles and vehicle equipment, which must remain effectively protected against attack throughout their entire service life.
Cybersecurity for commercial vehicles
By Ryan Gehm
Source: SAE Off-Highway Engineering
At Southwest Research Institute (SwRI), cybersecurity spans multiple divisions because—after all—security is not confined to any one area or industry. As a Senior Research Engineer in the Automation and Data Systems Division's Cooperative Systems Section, Mark Brooks’ primary focus is on automotive (in the true sense of the word: relating to any self-propelled vehicle or machine). He became involved in cybersecurity and embedded systems more than 10 years ago when an off-highway client wanted to add security capabilities to its new ECU (electronic control unit) platforms. “We assisted them in the design of that product, and ever since then we’ve maintained a presence in embedded systems security—everything from penetration testing of existing products, helping to design and develop products, and researching brand-new security technologies,” he said. Brooks recently spoke with Off-Highway Engineering about “attribute-based encryption,” a topic he discussed at last year’s SAE Commercial Vehicle Engineering Congress, and many other cybersecurity issues affecting vehicles and machines.
In your SAE presentation you discussed an “alternative” encryption method that is attribute-based. Can you explain this method and how it’s different than other methods?
Attribute-based encryption is a subset of functional encryption. This is based on some research we’ve been doing with one of our clients. They are trying to commercialize attribute-based encryption. The nice thing about this method is that it encrypts data based on a policy. For example, you can set a policy saying that this data could be viewed if you are the automotive manufacturer, or if you’re a mechanic. If you satisfy either of those policy attributes, then you’re able to view the data. And this is from an encrypt-once type of situation. In symmetric encryption, you’d have to encrypt the same data at least twice, for anybody that you would want to be able to protect it from. Same thing with asymmetric encryption, you’d have to be able to use the public key from each of those entities to be able to protect it. So the nice thing about attribute-based encryption is that it allows you to do role-based access control or even content-based access control, where based upon what the contents of the data are is who’s allowed to view it. And you don’t have to do a lot of the additional key management, or the separate encryptions, to be able to protect the data as in asymmetric or symmetric key technologies.
Where does this technology stand in terms of product development?
Our client is working closely with the government on cloud-based computing, and for protecting data in the Cloud. You can see how the idea of protecting data with attribute-based encryption might be beneficial for the Cloud. What we’re looking to do is to bring it into automotive [including commercial vehicles]. We saw some synergy with what’s needed in the automotive sector, both possibly within a vehicle and also external to a vehicle—somebody trying to hack the data in and out, or even communications between vehicles. So at this research stage we want to be able to see, does it make sense for the automotive sector? Does it make sense based upon requirements for computation times, how intensive is it, can it fit on the boards on a vehicle? Those are questions we want to answer, so that’s what we’re investigating.
Does any one transportation sector drive cybersecurity technology and standards more than another?
I think that the multiple transportation sectors are all working on this concurrently. They all have separate cybersecurity solutions and standards that are trying to target their specific needs. There are different needs between off-road, for example, and passenger cars in terms of safety and regulations that they have to be able to achieve. So it’s a little hard to compare some of the needs between those sectors. I know that, for example, there are information-sharing assurance centers (ISACs) set up for service transportation; automotive is setting one up; aviation is in the process of getting one. So everybody’s trying to move forward for their respective industries.
Are there unique challenges in protecting passenger vehicles vs. commercial vehicles?
Off-road vehicles are adding a lot of autonomy, which provides a potential impact if a vulnerability exists or an attack occurs. They’re also adding a lot of connectivity for communication, to be able to update things that are in the field and in remote locations, so that’s another ‘attack surface’ that a hacker might be able to exploit. So these are things that they’re working toward protecting, and before they deploy they put solutions in place to build or protect firewalling and systems using various intrusion-detection systems, segregating different components, and things like that.
Each of these [industries] is going to have unique challenges as we get connected, and the regulations are going to be different, safety concerns are going to be different. Passenger cars focus a lot on infotainment and the driver experience, and that of course is not as much of a concern on the off-road side; it’s more about getting the job done and those capabilities, and those are going to have some differences in attack surfaces and the potential vulnerabilities.
Is cybersecurity at a point where it can properly protect automated vehicles already in operation?
Thankfully the information industry has been working for a long time, for many decades, to try to protect information systems, but it still does fall prey on a daily basis to attacks. Cybersecurity is a continuous process; everybody has to continue working that way. The companies and the businesses we work with are working hard to make sure that a product is secure before it’s deployed. But technology of course keeps increasing, so new attacks do surface. One of the things that companies need to do is to continually monitor, continually perform risk analysis and assessment, to be able to keep updating the software, keep updating the pieces that are in the field as threats are determined and risks arise.
What are the main challenges with protecting increasingly connected and automated commercial vehicles?
These are complex systems and there are going to be issues that arise, especially in the field, and things that just get missed; it’s a very complex problem. Fortunately, software is modifiable and can be patched after it’s delivered. But unfortunately, that software modifiability is another area that attackers might take advantage of, so there need to be protective mechanisms in place to be able to protect that, and there are. But we need to keep abreast of what security issues might be out there.
One of the key things that I think would be the most beneficial in protecting, too, is information sharing—those ISACs are a good way to help share information. That way within an industry, if there’s a particular attack discovered, that information can be shared so that others might be able to work toward protecting themselves so it doesn’t bring down everybody within that industry. Also having in place internal security test teams, setting up the organization so that security is designed from the ground up for a product, making sure that you test, making sure that you keep active on what’s going on with threats so that you can keep updating your software and updating the patches.
One of the challenges with vehicles is that they are going to be out there for a long time, so sometimes the support ends up being longer than what you would expect with traditional IP with PC software, so they need to be able to keep up to date and keep protecting for the life of the vehicle.
You already mentioned attribute-based encryption. Are there any other areas or technologies you see that can help with cybersecurity for vehicles?
One of the areas that Southwest Research Institute is researching is LTE (Long-Term Evolution) security. As these vehicles are becoming connected, LTE becomes a common transportation layer for their communications and for telematics and control. We actually have an automotive consortium for embedded security that is looking at developing risk-analysis modeling tools. We’re looking at companies being able to perform their own threat analysis; we’re looking at helping to develop functional requirements and specifications so that the manufacturers and the suppliers can work together to have solid requirements and a good foundation for developing new products. Those are some of the areas that we’re directly looking at.
SAE also plays a very large role in information sharing. They’ve got the Vehicle Electrical System Security Committee, and I know they perform a lot of information sharing and they’re working to come up with some best practices and other pieces for the automotive industry. Being able to communicate all this information throughout the industry helps, because then when it is something that’s missed, everybody can react quicker so that it doesn’t have as large of an impact throughout the industry.
In the future, there'll be continually evolving threats. How can SwRI (and industry, in general) attempt to address such uncertainty? Do you anticipate certain threats, or is it more reactionary?
There’s obviously a little bit of both—not everything’s going to get caught, so there’s always going to be a reactionary piece to it. But there are tools available; like I said, part of that consortium is developing a risk modeling tool. Something that’s important for any company to be able to do, similar to what they do for safety and for failure mode analysis but also for security, is looking at what happened, what the impact is if an attacker were able to attack one of our pieces of equipment, and going through the attack tree to determine what the overall impact to the organization is. That helps the company learn where to put in potential countermeasures and pieces to protect their product from that impact.
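The attack-tree exercise described in the answer above (estimate how likely each step is, roll the estimates up the tree, and use the result to decide where countermeasures pay off) can be carried out with a few dozen lines. The block below is an added example written for this page, not the consortium's risk modeling tool; the tree, its step probabilities and the impact figure are constructed for illustration and carry no claim about any real product. OR nodes model independent alternative paths, AND nodes model steps that must all succeed, and `rank_countermeasures` scores each leaf by how much expected loss disappears if that single step is blocked.

```python
"""Attack-tree risk scoring to rank countermeasures. Added example; the tree,
its probabilities and the impact figure are constructed for illustration."""
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass
class Node:
    name: str
    kind: str = "leaf"              # "leaf", "and" (all steps needed) or "or" (any path)
    p: float = 0.0                  # leaf only: estimated probability the step succeeds
    children: List["Node"] = field(default_factory=list)


def success_probability(node: Node, mitigated: FrozenSet[str] = frozenset()) -> float:
    """Probability the attacker reaches this node; a mitigated leaf counts as blocked."""
    if node.kind == "leaf":
        return 0.0 if node.name in mitigated else node.p
    ps = [success_probability(c, mitigated) for c in node.children]
    if node.kind == "and":              # every child step must succeed
        result = 1.0
        for x in ps:
            result *= x
        return result
    if node.kind == "or":               # independent alternatives: 1 - P(all fail)
        fail = 1.0
        for x in ps:
            fail *= 1.0 - x
        return 1.0 - fail
    raise ValueError(node.kind)


def leaves(node: Node) -> List[Node]:
    if node.kind == "leaf":
        return [node]
    return [lf for c in node.children for lf in leaves(c)]


def rank_countermeasures(root: Node, impact: float):
    """Expected-loss reduction from blocking each single leaf, largest first."""
    baseline = success_probability(root) * impact
    scored = []
    for leaf in leaves(root):
        residual = success_probability(root, frozenset({leaf.name})) * impact
        scored.append((round(baseline - residual, 6), leaf.name))
    return sorted(scored, key=lambda t: (-t[0], t[1]))


# Constructed tree: remote manipulation of an off-highway machine's implement controls.
TREE = Node("attacker manipulates implement controls remotely", "or", children=[
    Node("via telematics link", "and", children=[
        Node("compromise LTE telematics unit", p=0.2),
        Node("pivot from telematics gateway onto the control bus", p=0.5),
    ]),
    Node("via service tooling", "and", children=[
        Node("obtain service-tool credentials", p=0.3),
        Node("push an unsigned ECU update", p=0.8),
    ]),
])
IMPACT = 1_000_000.0   # constructed: loss in currency units if the root event occurs


if __name__ == "__main__":
    print(f"root probability: {success_probability(TREE):.3f}")
    for reduction, name in rank_countermeasures(TREE, IMPACT):
        print(f"{reduction:>12,.0f}  block: {name}")
```

With these constructed numbers the telematics path scores 0.1 and the service-tooling path 0.24, so the root comes out at about 0.316; blocking either service-tooling step removes far more expected loss than hardening the LTE unit, which is the kind of prioritisation the answer describes. Blocking a leaf sets its probability to zero, which is optimistic; a real assessment would assign a residual probability to each countermeasure and rerun the ranking.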
- Industry: Commercial vehicles
- Topics: Component safety; Ergonomics/human factors; Electrical, electronics and avionics