Conference Paper

Integrating Autonomous Vehicle Safety and Security

Abstract

Safety and security are two inter-dependent key properties of autonomous vehicles. They are aimed at protecting the vehicles from accidental failures and intentional attacks, which could lead to injuries and loss of lives. The selection of safety and security countermeasures for autonomous vehicles depends on the driving automation levels, defined by the international standard SAE J3016. However, current vehicle safety standards ISO 26262 do not take the driving automation levels into consideration. We propose an approach for integrating autonomous vehicle safety and security processes, which is compliant with the international standards SAE J3016, SAE J3061, and ISO 26262, and which considers driving automation levels. It uses the Six-Step Model as a backbone for achieving integration and alignment among safety and security processes and artefacts. The Six-Step Model incorporates six hierarchies of autonomous vehicles, namely, functions, structure, failures, attack, safety countermeasures, and security countermeasures. It ensures the consistency among these hierarchies throughout the entire autonomous vehicle’s life-cycle.

... Ensuring the safety of autonomous vehicles, i.e., reducing the number of traffic crashes to prevent injuries and save lives, is a top priority in autonomous vehicle development. Safety and security are interdependent (e.g., security attacks can cause safety failures, or security countermeasures may weaken CPS safety and vice versa), therefore they have to be aligned in the early system development phases to ensure the required level of protection [1], [2], [3]. ...
... The Six-Step Model enables comprehensive analysis of CPS safety and security, as it utilizes system functions and structure as a knowledge base for understanding the effect of failures and attacks on the system. Furthermore, we presented an initial approach for applying the Six-Step Model for AV safety and security analysis in [1]. ...
... In this paper, we extend the initial approach, proposed in [1], to enable a comprehensive analysis of AV safety and security using STPA method and the Six-Step Model, which is compliant with the international standards SAE J3016, SAE J3061, and ISO 26262. ...
Article
Safety and security are two inter-dependent key properties of autonomous vehicles. They are aimed at protecting the vehicles from accidental failures and intentional attacks, which could lead to injuries and loss of lives. The selection of safety and security countermeasures for autonomous vehicles depends on the driving automation levels, defined by the international standard SAE J3016. However, current vehicle safety standards ISO 26262 do not take the driving automation levels into consideration. We propose an approach for integrating autonomous vehicle safety and security processes, which is compliant with the international standards SAE J3016, SAE J3061, and ISO 26262, and which considers driving automation levels. It incorporates the System-Theoretic Process Analysis method into autonomous vehicle safety analysis, and uses the Six-Step Model as a backbone for achieving integration and alignment among safety and security processes and artefacts throughout the entire autonomous vehicle's lifecycle.
... In our previous work, we proposed an approach for AV safety and security analysis, which uses a Six-Step Model for integrating and maintaining consistency among safety and security processes and artefacts of an AV at a single-vehicle level (Sabaliauskaite and Cui 2017). This approach is compliant with the international vehicle safety and cybersecurity standards, namely ISO 26262 "Road vehicles - functional safety" (ISO 26262-3 2011) and SAE J3061 "Cybersecurity guidebook for cyber-physical vehicle systems" (SAE J3061 2016a, b). ...
... Step Model are performed, where failures, attacks, and safety and security countermeasures are identified using the ISO 26262 and SAE J3061 standards and added to the model along with their relationships with other elements of the model. For more details, see (Sabaliauskaite and Cui 2017). ...
Chapter
Automated Vehicles (AVs) are expected to help in significantly reducing traffic injuries and fatalities in the near future. However, to achieve this goal, they must be safe and secure. The recent news of the first fatal crash of an AV involving a pedestrian confirms the urgent need to address AV safety and security issues to prevent such accidents from happening in the future. In order to outperform human drivers, AVs need to communicate with the other traffic participants, which makes them more vulnerable to cyberattacks. Cooperative Intelligent Transport Systems (C-ITS), which include vehicle-to-vehicle and vehicle-to-infrastructure communications, are expected to be launched in Europe next year. Thus, assuring their safety and security is crucial. This paper presents an approach, CESAM&SSM, for modelling safe and secure C-ITS using the CESAM method and the Six-Step Model. A combination of these two methods enables comprehensive analysis of C-ITS from operational, functional, constructional, safety, and security perspectives. The proposed approach is compliant with three international standards: ISO 26262 (vehicle safety standard), SAE J3061 (vehicle cybersecurity standard), and ISO 21217 (intelligent transport system architecture standard).
... In [64], the authors pointed out that the current vehicle safety standard ISO26262 did not consider the security issues to avoid both unintentional and intentional attacks. Currently, there is no existing universal security or safety standard for CAVs. ...
... Yan et al. performed blinding attacks on camera as well as jamming and spoofing attacks on radar and ultrasonic sensors on a Tesla S automobile [3], [18]. Furthermore, Ethernet connections or inter-vehicle networks provide more feasibility to hack sensor data [19], [20]. Several methods to detect PEAs have been proposed in [2], [3], [16], [18], [21], including (1) adding redundancy by introducing more sensors, (2) using inter-vehicle communications to compare sensor measurements, (3) relying on other sensors to detect attacks. ...
Article
Due to the great achievements in artificial intelligence, it is predicted that autonomous vehicles with little or even no human involvement will come to market in the near future. Autonomous vehicles are equipped with multiple types of sensors. An autonomous vehicle relies on its sensors to perceive its environment, and this sensory information plays a key role in the vehicle's driving decisions. Hence, ensuring the trustworthiness of the sensor data is crucial for drivers' safety. In this paper, we discuss the impact of perception error attacks (PEAs) on autonomous vehicles, and propose a countermeasure called LIFE (LIDAR and Image data Fusion for detecting perception Errors). LIFE detects PEAs by analyzing the consistency between camera image data and LIDAR data using novel machine learning and computer vision algorithms. The performance of LIFE has been evaluated extensively using the KITTI dataset.
... The assessment of cyber attacks is performed in Step 4 by utilizing the STRIDE method. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege [17]. The method enables the analysis of complex systems and environments similar to the APS [18,19]. ...
Article
Full-text available
The digitalization of the maritime sector is continuously growing, leading to increased automation, such as the development of autonomous vessels. The Autonomous Passenger Ship (APS) is a characteristic instantiation of this development, aiming to transport people on urban waterways. Although emerging technologies deployed in such an APS aim to facilitate the functions and operations of the navigation and communication systems, various safety and security risks are inherent to the communication infrastructure due to its interconnectivity. The aim of this work is to study the safety and cyber security of the communication system of an APS, namely the MilliAmpere2 APS. The six step model (SSM) is utilized to facilitate the joint analysis. The application of the SSM enables, among others, the capturing of relationships between cyber attacks and component failures, the assessment of safety and cyber security countermeasures, as well as the synergies between them. It has been found that most countermeasures in both categories are reinforcing or are conditionally dependent on each other, while few antagonize one another. These findings will allow for improved design and implementation of integrated safety and security management solutions.
... Four types of relationships are distinguished: high, medium, low, and very low/none. The relationships description is adopted from [16]. High relationships characterize high dependency of the main function on the supporting function for proper operation. ...
Conference Paper (same abstract as the preceding article)
Article
Full-text available
Fully automated driving vehicles represent a major innovation in the automotive industry which will replace driver tasks by software functions to make traffic more comfortable. Ensuring the operational safety of fully automated vehicles is a big challenge. The operational safety is affected by different dependability attributes such as availability, reliability, and security. However, demands on fully automated driving vehicles, like a fail operational and nominative performance, are not covered by the current automotive safety standards like ISO 26262. These standards were not established for fully automated driving vehicles. STPA (Systems-Theoretic Processes Analysis) is a safety analysis approach designed for evaluating the safety of complex systems. STPA has not been used, however, to evaluate the complex architecture design of fully automated driving vehicles. For this purpose, we propose a systematic approach based on STPA to consider the operational safety of the fully automated driving architecture regarding different aspects at an early stage. The approach aims at providing design recommendations to the engineers for the definition of the fully automated driving vehicle architecture. The application of the proposed approach is illustrated by a current project of a fully automated driving system at Continental.
Conference Paper
Full-text available
Safety and security issues are increasingly converging on the same critical systems, leading to new situations in which these closely interdependent notions should now be considered together. Indeed, the related requirements, technical and organizational measures can have various interactions and side-effects ranging from mutual reinforcements to complete antagonisms. A better characterization of these interdependencies is needed to ensure a controlled level of risk for the systems concerned by such a convergence. This paper describes the state of the art on this open issue and presents a new approach based on BDMP (Boolean logic Driven Markov Processes), allowing graphical modeling and advanced characterization of safety and security interdependencies. A simple use-case is used through diverse modeling variants, illustrating the capabilities, the contributions but also the limits with respect to other works dealing with safety and security interdependencies. We believe the proposed approach constitutes an original and valuable tool which could find its place in the ongoing research aiming at tackling this open and challenging task.
Article
The introduction of autonomous vehicles in the surface transportation system could improve traffic safety and reduce traffic congestion and negative environmental effects. Although the continuous evolution in computing, sensing, and communication technologies can improve the performance of autonomous vehicles, the new combination of autonomous automotive and electronic communication technologies will present new challenges, such as interaction with other nonautonomous vehicles, which must be addressed before implementation. The objective of this study was to identify the risks associated with the failure of an autonomous vehicle in mixed traffic streams. To identify the risks, the autonomous vehicle system was first disassembled into vehicular components and transportation infrastructure components, and then a fault tree model was developed for each system. The failure probabilities of each component were estimated by reviewing the published literature and publicly available data sources. This analysis resulted in a failure probability of about 14% resulting from a sequential failure of the autonomous vehicular components alone in the vehicle's lifetime, particularly the components responsible for automation. After the failure probability of autonomous vehicle components was combined with the failure probability of transportation infrastructure components, an overall failure probability related to vehicular or infrastructure components was found: 158 per 1 million mi of travel. The most critical combination of events that could lead to failure of autonomous vehicles, known as minimal cut-sets, was also identified. Finally, the results of fault tree analysis were compared with real-world data available from the California Department of Motor Vehicles autonomous vehicle testing records.
Conference Paper
An approach for integrating the Six-Step Model (SSM) with Information Flow Diagrams (IFDs) is proposed. SSM is a model for Cyber-Physical System (CPS) safety and security analysis, which incorporates six hierarchies of a CPS, namely, functions, structure, failures, safety countermeasures, cyber-attacks, and security countermeasures. Relationship matrices are used in SSM to identify inter-relationships between these hierarchies and determine the effect of failures and cyber-attacks on CPSs. Although SSM is a useful tool for CPS safety and security modeling, it lacks guidance for identifying failures and attacks, and for selecting an adequate set of safety and security countermeasures. To address this issue, an approach for integrating SSM with IFDs is proposed and explained using the water treatment system example.
Conference Paper
A Six-Step Model (SSM) is proposed for modeling and analysis of Cyber-Physical System (CPS) safety and security. SSM incorporates six dimensions (hierarchies) of a CPS, namely, functions, structure, failures, safety countermeasures, cyber-attacks, and security countermeasures. The inter-dependencies between these dimensions are defined using a set of relationship matrices. SSM enables comprehensive analysis of CPS safety and security, as it uses system functions and structure as a knowledge-base for understanding what effect the failures, cyber-attacks, and selected safety and security countermeasures might have on the system. A water treatment system is used as an example to illustrate how the proposed model could serve as a useful tool in the safety and security modeling and analysis of critical infrastructures.
Article
As the Technology Readiness Levels (TRLs) of self-driving vehicles increase, it is necessary to investigate the Electrical/Electronic (E/E) system architectures for autonomous driving, beyond proof-of-concept prototypes. Relevant patterns and anti-patterns need to be raised into debate and documented. This paper presents the principal components needed in a functional architecture for autonomous driving, along with reasoning for how they should be distributed across the architecture. A functional architecture integrating all the concepts and reasoning is also presented.
Article
Autonomous vehicles are an emerging application of automotive technology. They can recognize the scene, plan the path, and control the motion by themselves while interacting with drivers. Although they receive considerable attention, components of autonomous vehicles are not accessible to the public but instead are developed as proprietary assets. To facilitate the development of autonomous vehicles, this article introduces an open platform using commodity vehicles and sensors. Specifically, the authors present algorithms, software libraries, and datasets required for scene recognition, path planning, and vehicle control. This open platform allows researchers and developers to study the basis of autonomous vehicles, design new algorithms, and test their performance using the common interface.
Article
The purpose of this paper is to give a comprehensive view of methods, models, tools and techniques that have been created in safety engineering and transposed to security engineering, or vice versa. Since the concepts of safety and security can somewhat vary according to the context, the first section of the paper deals with the scope and definitions that will be used in the sequel. The similarities and differences between the two domains are analyzed. A careful screening of the literature (this paper contains 201 references) made it possible to identify cross-fertilizations in various fields such as architectural concepts (e.g. defense in depth, security or safety kernels), graphical formalisms (e.g. attack trees), structured risk analyses or fault tolerance and prevention techniques.
Article
Attack trees provide a methodical way of describing threats against, and countermeasures protecting, a system. By extension, attack trees provide a methodical way of representing the security of systems. They allow people to make calculations about security, compare the security of different systems, and do a whole bunch of other cool things. This chapter starts with a simple attack tree for a noncomputer security system, and builds the concepts up slowly. It illustrates a simple attack tree against a physical safe, and an attack tree for the PGP e-mail security program. Once people build up a library of attack trees against particular computer programs, door and window locks, network security protocols, or whatever, they can reuse them whenever they need to. For a national security agency concerned about compartmentalizing attack expertise, this kind of system is very useful.