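- Intel's view of "bumper-to-bumper" security covers everything listed in the figure above, plus cloud-based traffic monitoring and virtual patching. Virtual patching is understood to be a stopgap that keeps attackers from exploiting a newly discovered vulnerability and can be used temporarily until a more permanent fix is available.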
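As connected features continue to spread, the risk of cyberattacks on vehicles grows by the day. The longer a vehicle is on the road, the more likely its access points are to be exposed. As a result, the whole automotive industry has joined a feverish race, with major companies scrambling to find cyber-defense measures that deliver secure, reliable, real-time-monitored network protection at every level. At the SAE 2016 World Congress, a technical expert from Intel shared her views on how the automotive industry should ensure connected-vehicle security.
Lorie Wigle, General Manager of Intel's Internet of Things (IoT) security division, said that although encryption (particularly encryption of the CAN bus) has been heavily touted, "the reality is that encryption can address only part of the cyber threat."
Wigle said there is no "silver bullet" for automotive cybersecurity. Security defense should be a continuous series of actions, with no once-and-for-all solution, and its scope is not limited to the vehicle itself.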
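The cloud: where the threat is greatest
"Securing the cloud platform and infrastructure is the top priority," Wigle explained. For a high-threat attacker, "the simplest approach is to attack the cloud directly rather than the car itself."
Wigle said that although many people consider the current threat level high, the vehicle itself is in fact still of relatively low system complexity, even though each car carries roughly 25 to 200 microprocessors and runs up to 65 million lines of code, 50% of which serve the multimedia system. A current luxury model has 144 electronic control units (ECUs), of which 73 are on CAN buses, 61 on LIN networks and the remaining 10 on FlexRay. In addition, a top-spec car may have as many as 100 electric motors installed for interior controls.
The cloud may be the best target, but the car itself may also be targeted by many hackers. Wigle described six main threats. The most common is the car thief, who can open the doors by physical means or over a wireless network. Next, and more technically skilled, is the hacker eager to make a name, who attacks the target purely over wireless.
The most threatening class of criminal, however, has a relatively strong technical background and can combine wireless with physical access, even endangering the safety of the passengers. There are also tuners with full physical access who can directly modify the vehicle's control settings. To a large extent, the hackers at the highest threat level are likely to be a company's competitors and counterfeiters, who are able to obtain full physical access and want to understand the vehicle's internal architecture.
Wigle said that although vehicle communications are still concentrated mainly in the infotainment system, the future holds a fully connected environment, including V2V, V2I and V2X connections, that is, vehicle-to-vehicle communication, vehicle-to-infrastructure communication, and real-time integration with the on-board drive and brake systems. For now, automated driving features are fitted to only a handful of models and mostly take the form of adaptive cruise control and related semi-autonomous systems.
At present, on-board data analytics focuses mainly on vehicle performance and navigation-related information such as vehicle location, but in the future personal data about the vehicle and driver will also be included.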
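Bumper-to-bumper defense
Wigle said the term "bumper to bumper" was usually used only to describe a vehicle's warranty, but has recently also come to describe the adaptive security perimeter around the vehicle and in the cloud. Industry best practice requires vendors to move "attack surfaces" to the cloud wherever possible. Wigle cited the IPS (intrusion prevention system) developed by Intel subsidiary McAfee as one such example.
However, Intel is also promoting its enhanced automotive communications unit, which includes a "hardware security module" intended to provide comprehensive operating and security hardware protection. The system has a built-in Wind River hypervisor, which can run multiple operating systems on a single central processing unit, together with Intel's PC-version "Trusted Execution Engine." This hardware technology is specifically designed to verify the authenticity of the platform and its operating system and to assign different levels of trust, thereby providing security protection.
Wigle said future OTA (over-the-air) software updates will not take place between two individual devices, but between two trusted groups.
She noted that there are two sides to securing automotive electronic systems. First, as described in the SAE J3061 guidebook, this protection can provide a more secure and flexible development process. Specifically, the approach requires first identifying and numbering all attack surfaces, then conducting threat analysis, so as to further reduce the number of attack surfaces and harden the hardware and software. In addition, the SAE J3101 standard describes a set of hardware protection measures that cannot be achieved by software alone.
Wigle also noted that Intel has brought together researchers from automotive industry suppliers to form the Automotive Security Review Board (ASRB) to jointly develop solutions based on Intel platforms. ASRB is also working with the "white hat" security research organizations IOActive, iamthecavalry.org and opengarages.org to recruit cybersecurity experts to contribute to automotive cybersecurity.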
Author: Paul Weissler
Source: SAE Automotive Engineering magazine
Translation: SAE China Office
Intel's "bumper-to-bumper" vehicle security approach
As vehicle connectivity becomes ubiquitous, the threat of being hacked rises. The longer a car is on the road, the more its access points become exposed. Thus the industry's feverish race to find a robust and ongoing cyber defense at every level. At the 2016 SAE World Congress, an expert at microprocessor supplier Intel gave her assessment of what the industry must do to ensure that defense.
According to Lorie Wigle, General Manager of Intel's Internet of Things (IoT) Security, while encryption (particularly of the CAN bus) has been highly touted, "the reality is encryption is going to address just part of the threat."
There is no "silver bullet" solution, Wigle said. Security must be a continuing operation, not a single preparatory event. And it extends beyond the vehicle.
Biggest bang in cloud
"Clouds and infrastructure also must be secured," she explained, noting that the "biggest bang for the buck" for a high-threat attacker is in "the cloud," not the car parc.
Although many consider today's threat level high, the automotive fleet actually represents relatively low complexity, despite the fact that a typical car has 25 to 200 microprocessors and up to 65 million lines of code, about half of which are for the multimedia systems, she said. A current luxury model has 144 ECU connections—73 are on CAN buses, 61 are on LIN (Local Interconnect Networks) and 10 on FlexRay. Further, a fully optioned vehicle may have up to 100 electric motors for interior controls.
The cloud may be the highest value target, but the vehicle itself is the object of many groups of potential attackers. Wigle pointed out six primary threat models. The most common is the car thief, whose access into the vehicle is typically physical entry but also via wireless. More technically astute is the hacker seeking his minutes of fame and working the purely wireless approach.
The highest threats, however, come from the criminal who may have medium to very high technical knowledge and can combine wireless with physical access to pose a danger to passengers. There's also the workshop tuner with total physical access to modify a vehicle's control settings. Perhaps the highest hacker-threat comes from counterfeiters and competitors, who have physical access and are looking to understand the vehicle architecture.
According to Wigle, the present level of telematics is largely in the entertainment area, whereas the future is a fully connected environment—V2V, V2I and V2X (vehicle to vehicle and infrastructure, and real-time integration with on-board drive/brake systems). Vehicle automated operation is on a handful of cars, and limited in most cases to advanced forms of adaptive cruise and related semi-autonomous systems.
Data analytics on-board is currently focused on performance and such navigation-related items as vehicle location, whereas the future will go well beyond, into vehicle-driver personal data.
Bumper-to-bumper defense
The term "bumper to bumper" used to only describe a vehicle's warranty. Recently it has also come to describe the adaptive security perimeter around the vehicle and extending into the cloud, Wigle said. Best practices will require moving "attack surfaces" to the cloud where possible. She pointed to Intel McAfee's cloud-based IPS (Intrusion Prevention System) as an example.
However, Intel also is promoting its vehicle enhanced head unit including a "Hardware Security Module" intended to provide broad-based operating and security hardware coverage. The system includes a Wind River hypervisor, which can run multiple operating systems on a single central processing unit, and Intel's PC-established "Trusted Execution Engine." This hardware technology is designed to attest to the authenticity of a platform and its operating system and establish levels of trust to provide security.
OTA (over the air) software updates, Wigle said, will not be between individual devices, but from and to certified groups.
There are two sides of providing vehicle electrical system security, she noted. One is a secure, flexible development process as described in the guidebook for SAE J3061. This requires identifying and numbering all attack surfaces and conducting threat analyses, reducing attack surfaces and hardening the hardware and software. It is accompanied by SAE J3101, which defines a common set of requirements for hardware protection which exceeds the capability of the software alone.
Wigle also pointed to Intel's formation of the Automotive Security Review Board, to be composed of researchers from industry vendors, to develop solutions using Intel-based platforms. ASRB is working with three "white hat" security research operations—IOActive, iamthecavalry.org and opengarages.org—to recruit cybersecurity professionals to contribute.
Author: Paul Weissler
Source: SAE Automotive Engineering Magazine
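- Author: Paul Weissler
- Industry: Automotive
- Topics: Management and product development; Safety; Ergonomics/human factors; Electrical, electronics and avionics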