-
EuroSPI 2017 6.-8.9.17 1
Integrated Assessment of AutomotiveSPICE 3.0,
Functional Safety ISO 26262, Cybersecurity SAE J3061
Christian Kreiner, Institute of Technical Informatics, TU Graz
Richard Messnarz, ISCN GesmbH
The “AQU” project is financially supported by the European
Commission in the Erasmus+ Programme under the project number
2015-1-CZ01-KA203-013986– P1 TUG. This website and the project’s
publications reflect the views only of the authors, and the
Commission cannot be held responsible for
any use which may be made of the information contained
therein.
-
Institute of Technical Informatics, Industrial Informatics Workgroup
Workgroup hot topics:
• Functional safety and embedded systems security
  • ISO 26262, IEC 61508, J3061
  • ECQA Certified Training Provider for Functional Safety
  • ECQA Certified Training Provider for AQUA
• Development methods
  • Product Line Engineering
  • Standard Quality models (AutomotiveSPICE)
  • Agile Systems Engineering
• Model-based system development
  • Domain specific languages
  • models@runtime
• (Embedded) software architecture
  • Component and middleware architectures
Contact: [email protected]
-
• Accredited iNTACS™ training provider for ISO/IEC 15504 and Automotive SPICE®
• VDA-QMC certified training provider
• ECQA Certified Training Provider for Functional Safety
• Moderator of SoQrates group: > 20 leading German and Austrian companies share knowledge concerning process improvement, safety, security. http://soqrates.de
Contact: Dr Richard Messnarz, [email protected]
-
Contents
• Example integration of ASPICE, Functional Safety and Cybersecurity (ASQ – SQP Volumes)
• Extended and integrated review and assessment approach (SOQRATES Working Group)
• Future of Static and Dynamic Cybersecurity System Architectures and Function Groups in Cars
-
Running example: Electronic Power Steering (EPS)
-
Integrated Teams
Assembler Manufacturer
SW Safety & Security Designer
Mechatronic Designer
Technical Project Leader
HW Safety & Security Designer
System Safety & Security Engineer
-
AUTOMOTIVE SPICE 3.0
-
Automotive SPICE 3.0 terminology: "Element", "Component", "Unit", and "Item"
The relationships between element, component, software unit, and item, which are used consistently in the system and software engineering processes.
-
Automotive SPICE key concept: Traceability of System Design and Domain Plug-Ins
• System Architectural Design describes system functions and their decomposition into hardware, software, mechanical components and functions
-
Automotive SPICE key concept: Traceability and Consistency between the life cycle phases
-
STEERING
-
[Figure: Classic EPS scope and Typical Scope of Supplier; elements rated ASIL-D]
-
Risk Classification
-
Building a Requirements Traceability as Part of the Safety Case

Customer Requirements
e.g. Steering angle assured by ASIL-D
e.g. Mechanical and software based steering endstop

Hazard Analysis: Identification and classification of safety risks and hazards.
e.g. Safety Goal: no uncontrolled actuation of steering system
Risk: uncontrolled actuation can happen with wrong sensor input or steering command

FMEA / FMEDA: Analysis of hazards and safety risks and measures by FMEA and FMEDA
e.g. Measure: redundant and diverse rotor position sensors, comparing internal steering angle with external (ADAS command) steering angle.

System Requirements Specification
System Requirements
e.g. Steering angle is measured internally and reported on the bus.
Safety Requirements
e.g. We need to trust the steering angle at ASIL D: 2 redundant diverse rotor positions, plausibility check, safe state in case of deviation. Safe state is assured by a 6 or 12 phase motor with a limp home mode (in ADAS mode with no driver interference).

Requirements, safety requirements, and traceability
-
Decomposition (ISO 26262)
Independent confirmation measures [ISO 26262-2, 6.4.7 Tab1]:
• Confirmation reviews
• F.Safety audit
• F.Safety assessment
Independence of elements after decomposition:
• No dependent failures, or
• Dependent failures have safety mechanism
-
Functional Signal Flow
[Figure: functional flow with ASIL-D and ASIL-B (decomposed) elements: Rotor Position 1 (Sin, Cos, Index Pos 1) and Rotor Position 2 (Sin, Cos, Index Pos 2), ASIC]
-
INTEGRATION OF AUTOMOTIVE SPICE, FUNCTIONAL SAFETY, CYBERSECURITY
-
Functional Signal Flow
[Figure: the functional signal flow of the previous slide (ASIL-D / ASIL-B elements, Rotor Position 1 and 2, ASIC), extended by a Steering Command from the network around the car, ASIL-D]
Functional flow for ADAS scenarios needs "external" steering commands with ASIL-D
-
IT Secure vehicle: Understanding interference from IT Security
• Prio 1: Analyse IT Threats which can lead to the hazardous failure
• Prio 2: Analyse additional IT Security Threats
-
Dependable vehicle: Understanding interference from Cybersecurity

Attack Type* | Impact | How
Spoofing Commands | Messages on CAN are used to simulate car is stopping. | Checksum algorithm and message structure hacked. Sending a wrong steering command with the correct encryption and identification.
Denial of service | Messages on CAN are used to simulate car is never stopping. | Overloading the bus with speed < 3 km/h so that the steering lock is activated.
Tampering | Changing configuration data in a memory (setting speed limit for activating steering lock). | Changing parking mode from < 10 km/h to < 200 km/h so that parking mode steering is used at high speed (resulting in a too big steering angle).
*Following STRIDE security analysis method
-
Dependable vehicle: Understanding interference from Cybersecurity

Attack Type* | Impact | How
Identity Spoofing | Spoofing identity of garage. Spoofing identity of message. | Presumption of above scenarios.
Information Disclosure | Memory dump and copying of data, gaining knowledge about encryption keys, checksum algorithms. | Presumption of above scenarios.
Elevation of privilege | Access to the gateway and access to the privileged bus in the car. | Presumption of above scenarios.
*Following STRIDE security analysis method
-
Dependable vehicle: Understanding interference from Cybersecurity
[Figure: intrusion structure across Automotive Defense Layers 1 to 3: Maintenance tools, listening tools (Information Disclosure, Elevation of Privileges); Vehicle Bus and Gateway (Spoofing Identity); Vehicle Steering Related ECUs (Spoofing of Commands, Tampering); Vehicle Function Steering Lock (Denial of service, Spoofing of Commands leading to locking); ASIL-D]
Compared to function chains in Safety, we have to analyse a completely different "intrusion" structure
-
Traceability
Threat Specification per Safety Goal
Safety – Security traceability
-
Automotive Defense Layers
SPOOFING OF COMMANDS LEADING TO UNINTENDED STEERING
-
Dynamic Flow through Layers
[Figure: Automotive Defense Layers 1 to 4, each with its Defence Mechanisms, along the chain OBD (On Board Diagnosis), GW (Gateway), DDC (Dynamic Drive Control), Electronic Steering ECU and Sensors, Motor and Steering Rack; Flow Case 1: vehicle infrastructure; Flow Case 2: service garage]
Flows are highlighted by variables that can be monitored.
Indicator: steering command
Indicators to be monitored: Combining steering command e.g. with speed (active steering), requested torque, etc.
Indicator: Comparing steering angle with internally measured angle by rotor position sensors
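The plausibility check from the safety requirements slide (two redundant diverse rotor positions, safe state on deviation) and the indicators listed for the defence layers (steering command combined with speed, command compared with the internally measured angle, lock request) can be written as one monitoring cycle. This is an added example, not code from the presentation or from any of the cited standards; the thresholds, the `Frame` fields and the verdict names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed thresholds for this example; real limits come from the safety concept.
ROTOR_TOL_DEG = 2.0           # max deviation between the two diverse rotor position sensors
MAX_CMD_STEP_DEG = 5.0        # max jump of an external (ADAS) command vs the measured angle
PARKING_SPEED_KMH = 10.0      # parking-mode steering is only plausible below this (slide: < 10 km/h)
PARKING_MAX_ANGLE_DEG = 40.0  # large angles only in parking mode (constructed value)
DRIVING_MAX_ANGLE_DEG = 8.0   # angle limit above parking speed (constructed value)
LOCK_SPEED_KMH = 3.0          # steering lock may only engage below this (slide: < 3 km/h)


@dataclass
class Frame:
    """One monitoring cycle of inputs as seen by the steering ECU (constructed layout)."""
    rotor_pos1_deg: float       # rotor position sensor 1 (Sin/Cos/Index Pos 1)
    rotor_pos2_deg: float       # redundant, diverse rotor position sensor 2 (Sin/Cos/Index Pos 2)
    cmd_angle_deg: float        # external steering command from the network around the car
    speed_kmh: float            # vehicle speed as reported on the bus
    lock_request: bool = False  # steering lock requested by a bus message


@dataclass
class Verdict:
    state: str                                    # "normal", "limp_home" or "reject_command"
    indicators: List[str] = field(default_factory=list)


def evaluate(f: Frame) -> Verdict:
    """Plausibility check of the internal angle first, then the defence-layer indicators."""
    # Safety requirement: the two redundant diverse rotor positions must agree. If they
    # deviate, the internal angle cannot be trusted at ASIL D and the motor goes to its
    # safe state (limp home mode); no external command is evaluated in that cycle.
    if abs(f.rotor_pos1_deg - f.rotor_pos2_deg) > ROTOR_TOL_DEG:
        return Verdict("limp_home", ["rotor_sensor_deviation"])
    measured = (f.rotor_pos1_deg + f.rotor_pos2_deg) / 2.0

    indicators = []
    # Indicator: external command compared with the internally measured angle.
    if abs(f.cmd_angle_deg - measured) > MAX_CMD_STEP_DEG:
        indicators.append("command_deviates_from_measured_angle")
    # Indicator: steering command combined with speed. A tampered parking-mode speed
    # limit in ECU memory would otherwise let a parking-size angle through at speed.
    limit = PARKING_MAX_ANGLE_DEG if f.speed_kmh < PARKING_SPEED_KMH else DRIVING_MAX_ANGLE_DEG
    if abs(f.cmd_angle_deg) > limit:
        indicators.append("angle_exceeds_speed_dependent_limit")
    # Indicator: a steering-lock request is only plausible when the car is (almost) stopped.
    if f.lock_request and f.speed_kmh >= LOCK_SPEED_KMH:
        indicators.append("lock_request_at_speed")

    return Verdict("reject_command" if indicators else "normal", indicators)
```

The sensor deviation takes precedence because, once the internal angle is untrusted, none of the command-vs-angle indicators can be evaluated meaningfully; the indicator names are what a defence layer would log for monitoring.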
-
Defence Layer Model: Modelling New Car Architectures and App-Communication
[Figure: FUNCTION GROUP STEERING (Steering APP, SteeringLock APP, PLA APP ...) and FUNCTION GROUP POWERTRAIN (Gearbox APP, Motor Control APP ...), each running on a Safe Operating System in a Realtime VM on X (e.g. 10)-Core HW, connected by Secure Ethernet]
-
Customer SSL Apps: Modelling New Car Architectures and App-Communication
[Figure: FUNCTION GROUP STEERING (Supplier APP, Customer SSL ...) and FUNCTION GROUP POWERTRAIN (Gearbox APP, Motor Control APP ...), each running on a Safe Operating System in a Realtime VM on X (e.g. 10)-Core HW, connected by Secure Ethernet; Encryption by e.g. Autosar; Encryption by Customer]
Function Flow with Autosar Encryption plus Internal Customer SSL Encryption on Application Layer (all signals along this critical path are encrypted)
-
SDN Driven System: The System is not just the car any more! What is the system scope?
[Figure: CAR 1 ... CAR i, each a Safe Operating System in a Realtime VM on X (e.g. 10)-Core HW hosting Nodes with Service A[i], Service B[i], Service C[i] ...; services A[n], B[n], C[n] across cars]
SDN (Software Defined Network) is a method for a network set-up where the dependency on the hardware architecture is substituted by a software controlled network where controllers offer services in the network.
-
ASPICE 3.0 Integration: Integrating Into Base Practices – Extended Assessment Questions

(ASPICE) SYS.2.BP3 Analyze the impact on the operating environment. Determine the interfaces between the system requirements and other components of the operating environment, and the impact that the requirements will have. [Outcome 3]

ISO 26262-4, 6.4.1 Specification of the technical safety requirements
ISO 26262-4, 6.4.1.1 The technical safety requirements shall be specified in accordance with the functional safety concept, the preliminary architectural assumptions of the item and the following system properties:
a) the external interfaces, such as communication and user interfaces, if applicable;
b) the constraints, e.g. environmental conditions or functional constraints; and
c) the system configuration requirements.
NOTE: The ability to reconfigure a system for alternative applications is a strategy to reuse existing systems.
NOTE: See questions for ISO 26262-4, 6.4.1 and ENG.2 BP1.

(Security) SAE J3061, 8.3.1 Feature Definition
The feature definition defines the system being developed to which the Cybersecurity process will be applied. The feature definition identifies the physical boundaries, Cybersecurity perimeter, and trust boundaries of the feature, including the network perimeter of the feature. …
-
SAFETY FUNCTIONS AND CONNECTED VEHICLES
-
The world is bigger: ADAS (connected) environments
[Figure: Cloud based infrastructure for driving support: mobile internet technologies, infrastructure base stations, radio-navigation satellite systems, driving events databases (OEM, authorities), driving data analysis, cloud driving services]
Vehicles report driving events into the cloud: e.g. position, speed, steering angle, obstacles detected, ...
Vehicles get driving situation, recommendations, commands from the cloud, e.g. steering related:
* instantaneous steering angle of neighbor cars
* typical steering angle for road position
* obstacles detected, ...

Critical signal path scenario
1. Vehicle local sensors (correctness?)
2. Signals sent to service infrastructure (correctly related to position etc.?)
3. Cloud storage (corruption?)
4. Merge with other cars' signals (data poisoning?) in the current vicinity (correct location?) and those ever operated near the current position (depending on the algorithm for driving data analysis, and its correctness).
5. Up-to-date steering angle recommendation & road conditions for the current position sent to all the cars (availability, low latency, correctness, scalability?).
6. Steering angle is applied to the cars' steering (correct in the current context?).
-
Proposed ASPICE extension for Automotive Service Infrastructure (ASI processes)
Expected typical properties
• "ASIL-D" QoS (Quality of Service): service monitoring for correct operation, availability, scalability and low latency.
• Preparedness for interruption of connectivity - local take-over (challenging for e.g. platooning)
• Cybersecurity of service infrastructure (e.g. wrong data injected, services spoofed, stored data and algorithms tampered with, messages altered)
• Etc.
-
Extension of ASPICE for Automotive Service Infrastructure (ASI processes)
By example: ASI.2 Requirements Analysis, Base practice BP4
ASI.2.BP4: Analyze the interfaces between the vehicle and the service infrastructure.
• Analogous and linked to "SYS.2.BP4: Analyze the impact on the operating environment"
• Identify the interfaces between the vehicle and the service infrastructure.
• Analyze the impact that the service infrastructure interfaces will have on the vehicle operating environment.
• OUTCOMES: Quality of Service (Availability), defined reaction in case of no availability, criticality of information, safety classification (if provided as QM or validated among a set of data to be provided with an ASIL), encryption and identification mechanisms to be implemented.
Extended Cybersecurity (SAE J3061:2016) Assessment Questions:
• Related to SAE J3061:2016, clause 8.3.1 Feature Definition – identifies
  • physical boundaries,
  • Cybersecurity perimeter, and
  • trust boundaries of the feature, including the network perimeter of the feature.
• The feature definition defines the scope and interfaces of the feature.
-
RELATED SKILLS PROJECTS
AQUA ECOSYSTEM
-
AQUA - Knowledge Alliance for Training Quality and Excellence in Automotive
http://automotive-knowledge-alliance.eu
EU Sector Skills Alliance for Automotive. Aims:
• A unique, sustainable strategic alliance for
  • modern certified VET Curricula for the automotive sector
  • Industry aligned
  • Capable of Europe-wide implementation
• Certified VET training course:
  • Integrated Quality, Functional Safety, and Six Sigma in Automotive
• Certification by European Certification and Qualification Association (http://ecqa.org)
• Incorporated into
  • Automotive Clusters Qualification programmes
  • University Education (TUGraz, Grenoble INP)
This project has been funded with support from the European Commission under agreement EAC-2012-0635. This publication/communication reflects the views only of the author, and the Commission cannot be held responsible for any use which may be made of the information contained therein.
-
AQUA Skills Set: "Automotive Quality Manager with AQUA Skills"

Unit ID | Unit Name | Element ID | Element Name
AQUA.U1 | Introduction | AQUA.U1.E1 | Integration view and general part
AQUA.U1 | Introduction | AQUA.U1.E2 | Organisational readiness
AQUA.U2 | Product Development | AQUA.U2.E1 | Lifecycle
AQUA.U2 | Product Development | AQUA.U2.E2 | Requirements
AQUA.U2 | Product Development | AQUA.U2.E3 | Design
AQUA.U2 | Product Development | AQUA.U2.E4 | Integration and Testing
AQUA.U3 | Quality and Safety management | AQUA.U3.E1 | Capability
AQUA.U3 | Quality and Safety management | AQUA.U3.E2 | Hazard & Risk management
AQUA.U3 | Quality and Safety management | AQUA.U3.E3 | Assessment and audit
AQUA.U4 | Measure | AQUA.U4.E1 | Measurements
AQUA.U4 | Measure | AQUA.U4.E2 | Reliability

Each element contains four views:
• integrated perspective
• Automotive SPICE perspective
• Functional Safety perspective
• Six Sigma perspective
-
SafEUr - ECQA Certified Functional Safety Manager
http://safeur.eu
• Industry training and TUGraz course:
  • Functional Safety Introduction, Management, Engineering, Production, Legal, Qualification topics
  • Modular: 15 course elements
  • Face-to-face and online delivery
  • Heavily based on Industry Best Practice
  • ISO 26262, IEC 61508
• Skills set aligned with Industry
• Europe-wide certification by European Certification and Qualification Association (http://ecqa.org)
• Contact: [email protected]
-
Automotive Quality Universities (AQU): AQUA alliance extension to higher education
Partners
• VŠB - Technical University of Ostrava, CZ
• Graz University of Technology, AT
• UAS Joanneum, Graz, AT
• University of Maribor EE + CS, SLO
• ISCN IE/AT
• EMIRAcle (European Innovation in Manufacturing Association), BE/FR
• Grenoble INP (EMIRAcle)
• Hochschule Düsseldorf (EMIRAcle)
• ECQA Online Campus for Industry
-
AQUA/AQU @ TU Graz
• Regular student's course from 2014
• AQUA university course for industry (TU Graz Life-long-learning progm. & ECQA)
• 1st ECVET-ECTS bridge between university and industry education
• Coordinator of AQUA project - EU funded Sector Skills Alliance 2013-15
• Automotive Quality Universities EU project (partner)
-
The AQUA ecosystem – current state
[Figure: ECQA Functional Safety Manager / Engineer; Yellow Belt, Orange Belt, Green Belt, Black Belt; intacs Automotive SPICE®; "AQUA for ROC" (EQF Level 4-5); AQUA extension: Integrated Cybersecurity; AQUA extension: automotive & medical & automation; Planned: AQUA MOOCs?; SPI manager/facilitator: integrated, interdisciplinary innovation and improvement; ECQA Integrated Design Engineer; More ...; AQU - AQUA Quality Universities (EQF Level 6-8)]