汽车网络安全已经成为让整个行业担忧的问题之一。在2015年洛杉矶车展(Los Angeles Auto Show)中的互联汽车展(Connected Car Expo)上，专家们针对这一问题列出了数项汽车行业应当采取的措施。密歇根大学(University of Michigan)交通运输研究所(Transportation Research Institute)研究科学家Andre Weimerskirch所举的两个例子，为汽车行业敲响了警钟。

首先，最值得引起注意的汽车网络攻击事件，是吉普切诺基(Jeep Cherokee)被“黑”事件。2014年，两名网络安全专家Chris Valasek和Charlie Miller通过Sprint的网络入侵了一辆吉普切诺基的UConnect信息娱乐系统，并最终导致菲亚特克莱斯勒（Fiat Chrysler Automobiles，简称FCA）对多款车型进行了安全召回。在本次事件中，这两名“黑客”与车辆之间并无物理连接。目前，这两人都就职于优步(Uber)的高级技术中心(Advanced Technology Center)，能够利用该中心的技术手段远程启用或停用刹车，甚至关闭车辆发动机和改变行驶方向。

第二个例子是美国前进保险(Progressive Insurance)公司的加密狗(dongle)被“黑”事件。Digital Bond Labs实验室安全研究员Corey Thuen声称，已通过逆向工程(Reverse-engineering)入侵了美国前进保险(Progressive Insurance)公司的加密狗（dongle），并可限制其部分功能，这一事件暴露了该加密设备的脆弱性。据了解，这款加密狗（dongle）设备来自Xirgo Technologies公司，可以监测驾驶员的驾驶习惯并通过网络进行上报，保险公司会评估该装置收集的信息，并据此调整车主的保费。

“一切都能被黑” 

Weimerskirch表示，这还仅仅只是两个例子，“我们几乎可以入侵任何设备。”他向大家陈述了一个可怕的事实：熟悉IT技术的攻击者仅需了解一丁点车辆知识，就可以开始攻击汽车。

凯迪拉克(Cadillac)已经宣布，公司将为旗下2017年款CTS配备V2V车间通信功能。此时，对整个行业而言，应对汽车网络安全问题已经刻不容缓，因为其他生产商也有与凯迪拉克类似的计划。但Weimerskirch指出，对汽车网络安全的担忧，不应仅限于车辆与智能手机和电脑间的电子通讯范围内。他指出：“汽车安全非常难以保证，这是因为车辆是一件非常复杂的产品，拥有成千上万个零部件，而且这些零部件还来自成百上千个不同的供应商。”

Weimerskirch表示，当然汽车行业也在不断从其他行业吸取经验，但目前还没有可以直接拿来使用的网络安全解决方案。企业级的IT解决方案采用的是大型运营商所提供的硬件和控制软件，因而网络安全是可以保证的，但接入网络后的汽车安全性尚未得到保障，也还未能满足移动应用的需要。监控与数据采集系统（Supervisory Control and Data Acquisition，简称SCADA）可以进行工业控制，接入网络后的设备安全性已有保障，但也尚未进入移动应用阶段。他说，智能手机，特别是iPhone已经开发了一些相关解决方案，但这些解决方案并不是专门针对提高安全性的。 “尽管如此，iPhone的确有很多措施是非常合理的。” Weimerskirch说。

据Weimerskirch介绍，大约15年前，研究人员就发现，经过正规验证过的源代码和接口，可以构成更加稳健的电子架构。他们那时就看到了其中的价值，但时至今日，缺仍然无法使用这些电子架构。

通过融合技术提升可信度

Weimerskirch说，自动驾驶技术可将各种各样的雷达传感器、摄像头和无线连接技术带上汽车行业的舞台。他在论坛上表示，所有这些装置都可能被“黑”，区别是无线连接最容易，而摄像头最困难。虽然摄像头可以被遮住，但其图像却无法被伪造。而激光雷达和雷达传感器被“黑”的难度处于两者之间。  

Weimerskirch还说，因此我们必须采取措施，提升无线连接、传感器和摄像头的安全性，并将这些装置融合到一个系统中，保证其可信度处于可以接受的范围内。这可能意味着车辆的部分功能将被暂时限制，直到系统的安全级别达到一定水平后，才能继续发展。

需要开设汽车网络安全专业

就职于AutoImmune咨询公司的Karl Heimer是密歇根州的网络安全顾问之一，他认为，保证车辆的网络安全离不开对人才的培养。目前，汽车业内还没有汽车网络安全工程方面的专业人员，因为根本就没有这个专业。Heimer说，我们必须开设相关专业，并且，这个专业的毕业生应当拥有硬件和电子工程的背景、具备计算机科学方面的知识，并且了解汽车的运作方式。

他还补充说，这个专业的学生还应在整车厂、供应商或网络安全公司进行实习。“天天与生产商、开发商呆在一起，根本无法了解黑客是如何进行攻击的。”因此，学生们必须多了解真正发起攻击的那些人。设置这个专业的最终目的，是为整车厂输送能够进行研发工作，或能够胜任评估/质保工作的网络安全人员。

Heimer指出，每家整车厂和供应商都有不同需求，因此也应采取不同的措施，但密歇根州经济发展公司(Michigan Economic Development Corp.)正在尝试开发一套所有大学都能采用的通用基础培训课程。

新提议、新政策

在SAE年度Battelle Cyberauto Challenge研讨会上，专家们一致认为，网络安全教育领域的机会正在不断增加。这一研讨会为期5天，与会人员在这一平台上探讨了汽车领域的最新趋势。下一届会议将在2016年7月25日到29日举行。

David Strickland是一位律师，曾担任美国国家高速公路安全局（NHTSA）局长。他指出，目前立法者已经开始就2015年的SPY Car Act法案展开讨论。据了解，该法案要求车辆必须“合理”采取包括入侵检测在内的多项措施，保护自身不受网络攻击侵害。当然，国会并不知道具体该怎么办，因此，这项工作自然落到了NHTSA和联邦贸易委员会(Federal Trade Commission)肩上。

David Strickland还同时提到了刚刚成立的Auto ISAC，即汽车信息共享分析中心（Information Sharing and Analysis Center）。Strickland称，该中心的成立是汽车行业成员为互通网络威胁信息而迈出的第一步，这里说的行业成员既包括汽车制造商，也包括供应商。

目前，整车厂使用的是独立的测试方法和设备，与会专家对此提出了担忧，因为这些装置可能通过车辆的CAN总线或信息娱乐系统的无线网络接入汽车，给黑客提供攻击的机会。

安全对功能的影响

Weimerskirch表示，我们必须依靠设计手段来保证安全，而不能直接封锁接入信息娱乐系统的信息入口，其他与会专家也同意这一点，“我们知道该怎么做。”Heimer补充说，我们不能靠隐藏诊断所需数据包的内容来抵御网络攻击，而是应当通过设计手段，保证数据包的内容不被篡改、所含的指令不被拦截。

与会专家均认为，由于网络安全方面仍存在隐患，车辆的部分功能目前还无法发挥最佳效果。Weimerskirch举例说，如果无线网络被“黑”，马路上行驶的汽车之间就必须保持更大的车距，因为此时系统必须重新从雷达和摄像头读取数据，并且需要进行道路上的实时调整。Heimer补充说，车主能够下载的内容也会受到限制，“不能指望整车厂”为车主下载行为所带来的全部风险买单。

发言人承认，为了提升车辆抵御网络威胁的能力，通过“无线传输(over-the-air)”进行的软件升级必不可少。他们指出特斯拉(Tesla)的“空中升级”做法，比向车主邮寄闪存盘来进行软件更新要好得多。目前已有其他生产商表达了转向“空中升级”的意向。

作者：Paul Weissler
来源：SAE《汽车工程杂志》
翻译：SAE上海办公室

Cyber security issues, need for college curriculum raised at Connected Car Expo

Automotive cyber security is moving to the front of the line of industry concerns, and panelists at the recent 2015 Los Angeles Auto Show's Connected Car Expo outlined approaches that the industry should take. A pair of loud wake-up calls were cited by Andre Weimerskirch, a research scientist at the University of Michigan's Transportation Research Institute.

The most noteworthy auto cyber hack was a project by Chris Valasek and Charlie Miller, now researchers at Uber Advanced Technology Center, in which they remotely could apply or disable the brakes, even kill the engine and affect steering. Their work, applied to a 2014 Jeep Cherokee, through the UConnect infotainment system with Sprint cellular, led to a Fiat Chrysler Automobiles safety recall on a wide range of models. The control was exercised without physical access to the vehicle itself.

Still another security researcher, Corey Thuen of Digital Bond Labs, claimed he had reverse-engineered the Progressive Insurance dongle, and performed limited functions that indicated it was vulnerable. The dongle, supplied by Xirgo Technologies, monitors driving patterns, reports via cellular, and the information is used to adjust policy rates.

"Hack into everything" 

Those were just examples, Weimerskirch said, adding, "we can hack into pretty much everything that's out there." A fearsome issue he cited: an attacker just needs a tiny bit of automotive background because, assuming familiarity with enterprise IT, he/she can hit the car.

Cadillac's announcement that it will introduce V2V (vehicle-to-vehicle) communication on the 2017 CTS gives a sense of urgency within the industry, as the rest of the industry is preparing to do the same. But, he pointed out, the car raises concerns beyond electronic communication via smartphones and computers. Weimserskirch noted three primary issues: "safety, a super complex supply chain with hundreds of suppliers, and a complex product—the car with thousands of components."

The auto industry, of course, is looking at what other industries are doing, Weimerskirch said, but there is no other application in which the auto industry could just adapt its cyber security solutions. Enterprise IT, which deals with the hardware and control software systems used by large operations, must be cyber-secure, but it doesn't involve the same level of safety or mobile use. SCADA (Supervisory Control and Data Acquisition) deals with industrial controls, so safety is involved, but not mobile use. Smartphones, he said, particularly the iPhone, has developed relevant solutions, but not in the area of safety.  "However, [the] iPhone does a lot of stuff right," he added.

Some 15 years ago, Weimerskirch continued, researchers saw the value of more resilient electronic architectures with formally verified source code and interfaces, and today we're still not using them."So let's start," he urged.

Fusing to raise confidence level 

The move to autonomous driving, he said, will bring in use of various types of radar sensors, cameras, and wireless. Each can be hacked, with wireless the easiest and cameras the hardest. Although cameras can be blinded, their images can't be forged. Lidar and radar sensors are somewhere in between, he told the forum.  

So the approach, Weimerskirch continued, must be to take the security levels of wireless, sensors, and cameras, and fuse them into a system that raises the total confidence level to an acceptable perch. That is likely to mean that some features will have to be limited until the security level can be made high enough.

Cybersecurity curriculum 

This work will require trained talent, observed Karl Heimer of AutoImmune, a cyber security consultant to the State of Michigan. There are no cybersecurity engineering degree graduates, because there is no degree program in the subject. A curriculum is needed, he said, including a good background in hardware/electrical engineering, education in computer science, and how automobiles work.

The degree program, he added, also should include internships at either an OE manufacturer or supplier and a hacking company. "You don't get to understand how break-ins occur by being with a maker or developer," he said.  So the interns have to live with the people who actually do the hacking. The objective is for the OE to end up with cyber security people who can work in development or assessment/quality assurance.

He noted that each OE maker and supplier has different needs and therefore likely different approaches, but the Michigan Economic Development Corp., working in curriculum development, is trying to establish a common base that colleges can adopt.

New initiatives, legislation 

Cyber security education opportunities are proliferating, the panelists agreed, pointing to the annual SAE Battelle Cyberauto Challenge, a five-day workshop to identify trends in the field (the next is July 25-29, 2016)

David Strickland, an attorney who once headed NHTSA, noted that legislators already are in the fray, with the SPY Car Act of 2015 requiring vehicles to be "reasonably" equipped to protect against hacking, including intrusion detection systems. Naturally, Congress doesn't know how to do this, so it assigns the job to NHTSA and the Federal Trade Commission.

He also pointed to Auto ISAC (Auto Information Sharing and Analysis Center), a consortium which has just gone live. Strickland described it as a foundational step to share information about cyber threats among industry members, who include carmakers and suppliers.

Forum attendees expressed concern about the possible effect of OE cyber security measures on the access of independent mechanics and their test equipment to the vehicle's CAN (Controller Area Network) buses, which also are entry points, via infotainment systems' wireless, for hackers.

Security effect on features 

Weimerskirch said security, therefore, must be by design, not by obscurity (denying access to the information); "we know how to do that." The other panelists agreed.Heimer added that it should not be necessary to hide the contents of a packet needed for diagnosis, and secure design would prevent it from being changed or the command it contains not going through.

Cyber security is likely to affect the maximum performance of some features, the panelists agreed. Weimerskirch said, for example, that the distance maintained between a roadway line of cars might have to be increased because if the wireless were hacked, the system would have to fall back on readings from radar and camera with on-board adjustments.  Heimer added that car owners might have to be limited in what they can download; "you can't burden an OE" with the threats of any download choice the driver makes.

To improve vehicle protection against cyber threats, "over-the-air" software updates are essential, the speakers conceded, pointing to Tesla's success in that area as a superior approach to sending out flash drives for owners to use. Other makes have indicated their future intentions to do the same.