## Zero-Trust Cybersecurity for Vehicles

### Importance of Automotive Cybersecurity

- Automotive cybersecurity has become increasingly important due to the upcoming UNECE WP.29 R155 regulation, which mandates cybersecurity management systems for vehicles starting July 2024.

- Compliance with this regulation is essential for obtaining type approval in regions like Europe, Japan, and South Korea. Although not mandatory in the United States, US carmakers must comply if they wish to export vehicles abroad.

- Despite being a "check-the-box" regulation, ensuring true cybersecurity requires more than just meeting regulatory standards; it demands comprehensive and proactive security measures.

Block Harbor Cybersecurity | Automotive Security Research Group |
Automotive Cybersecurity Steps Up source

**Shift to Software-Defined Vehicles:**

- The transition to software-defined vehicles presents new cybersecurity challenges. Traditional firewall approaches, which created a secure perimeter, are inadequate for modern vehicles that require access to sensors and ECUs deep within the system.

- This transition is driving carmakers to reconsider their cybersecurity architectures, moving towards models like Zero-Trust, which mandates continuous authentication and authorization for all data sources, including external connections and onboard sensors.

Zero-Trust is being increasingly adopted in IT networks, healthcare systems, financial institutions, and now automotive systems, reflecting its versatility and effectiveness in enhancing security.

### Overview of Connected and Autonomous Vehicles (CAVs)


- **Definition and Functionality:**

  CAVs are vehicles equipped with advanced technologies that enable them to communicate with other vehicles, infrastructure, and even pedestrians, as well as operate autonomously without human intervention.

  These vehicles rely on a combination of sensors, cameras, LIDAR, radar, and artificial intelligence to perceive their environment, make decisions, and execute driving tasks.

- **Advancements in Transportation:**

   **Safety:** CAVs promise to reduce traffic accidents by eliminating human errors, which are responsible for most road incidents.

 **Efficiency:** By optimizing traffic flow and reducing congestion through vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication, CAVs can improve overall transportation efficiency.

  **Convenience:** Autonomous driving offers enhanced convenience, especially for long-distance travel, elderly drivers, and those with disabilities.

- **Emerging Security Challenges:**

  **Interconnectivity Risks:** As CAVs become more connected, they also become more susceptible to cyber-attacks. The interconnectivity between vehicles and infrastructure creates a larger attack surface.

  **Data Privacy Concerns:** CAVs collect vast amounts of data, including location, behavior, and biometrics, raising concerns about data privacy and potential misuse.

  **Real-Time Threats:** The need for real-time data processing and decision-making makes CAVs vulnerable to attacks that can have immediate and potentially catastrophic consequences.

## Importance of Security in CAVs

- **Complex Network of Systems:**

  CAVs consist of multiple interconnected systems, including the powertrain, infotainment, telematics, and advanced driver assistance systems (ADAS). Each system must interact securely with others, but their interdependence increases the risk of cascading failures if one system is compromised.

- **Vulnerability to Cyber-Attacks:**

  **Spoofing:** An attacker can inject false data into the vehicle’s network, misleading the CAV’s decision-making processes. For example, the vehicle might receive incorrect sensor data, leading it to make unsafe maneuvers.

 **Jamming:** Attackers can disrupt wireless communication channels, such as GPS signals or V2V communication, by overwhelming them with noise or interference. This can cause the vehicle to lose critical information needed for navigation or collision avoidance.


- **Impact on Public Safety:**

  A successful cyber-attack on a CAV could lead to severe consequences, including loss of control over the vehicle, accidents, and even fatalities.


## Security Risks Specific to the Controller Area Network (CAN)

**Security Risks Specific to the CAN Bus:**

 - The CAN bus is a vehicle’s internal network that allows microcontrollers and devices to communicate with each other without a host computer. It’s used for everything from engine management to braking and lighting.


  - The CAN bus was not originally designed with security in mind, making it vulnerable to various attacks.
  
  - **Lack of Authentication:** Messages on the CAN bus are not authenticated, meaning that any connected device can send commands as if it were a legitimate component of the vehicle.

  - **Susceptibility to Spoofing and Injection Attacks:** An attacker could inject malicious messages into the CAN bus, causing the vehicle to perform unintended actions, such as disabling the brakes or accelerating unexpectedly.

  - **Broadcast Nature:** Since CAN messages are broadcast to all nodes in the network, any compromised node can eavesdrop on the entire network, leading to potential data breaches.

  -  **Segmentation Attacks:** Segmentation attacks involve isolating parts of the network, disrupting communication between critical components.  By segmenting the network, attackers can prevent important messages from reaching their intended destination, leading to system failures.
*Example: An attacker could segment the CAN bus to prevent the transmission of braking commands, causing the vehicle to lose braking capability.*



## Application of ZTA in CAVs:

- **Securing Communication Channels:** ZTA can be applied to secure all communication channels within a CAV, ensuring that every message sent between sensors, ECUs, and external entities is authenticated and encrypted.


- **Dynamic Policy Enforcement:** ZTA allows for dynamic security policies that can adapt to changing conditions, such as the vehicle’s speed, location, and the presence of other vehicles.


- **Example of ZTA in Action:** If a CAV detects an unknown device attempting to connect to its network, ZTA policies would block the connection until the device is verified and authorized.

## NIST's Seven Tenets of Zero-Trust in CAVs



These tenets provide a framework for implementing Zero-Trust in any organization, focusing on securing resources, communication, and access control.

1. **All Data Sources and Computing Services Are Considered Resources:**

  Every data source, whether it’s within or outside the network, is treated as a resource that needs protection.

  *Example: In a CAV, every sensor, ECU, and external communication channel is a resource that requires secure access.*
2. **All Communication Is Secured Regardless of Network Location:**

  Whether the communication occurs within a secure internal network or over the internet, it must be encrypted and authenticated.

  *Example: Vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications are encrypted to prevent eavesdropping and tampering.*
3. **Access to Resources Is Granted on a Per-Session Basis:**

  Each session requires a fresh authentication and authorization process, preventing unauthorized access from lingering sessions.

  *Example: After a vehicle stops and is restarted, all communications must be re-authenticated to ensure security.*
4. **Access to Resources Is Determined by Dynamic Policy:**

  Access decisions are made in real-time based on dynamic policies that consider various contextual factors, such as user behavior and threat intelligence.

  *Example: A CAV’s access policies might change based on its location, speed, or proximity to other vehicles.*
5. **Continuous Monitoring and Validation of Security Posture:**

  The network continuously monitors all entities and resources, ensuring that any changes in security posture (like a device becoming compromised) are immediately addressed.

  *Example: If a sensor in a CAV starts sending abnormal data, it is immediately isolated from the network until verified.*
6. **Environment Is Prepared for All Scenarios (Assume Breach):**

  The network is designed with the assumption that a breach will happen, and thus, it is prepared to mitigate damage through swift isolation and response.

  *Example: If an ECU is compromised, the system quickly isolates it and initiates a fail-safe mode to maintain safety.*
7. **Automation and Orchestration Are Emphasized:**

  Security policies and responses are automated to ensure consistency, speed, and scalability in defending against threats.

  *Example: Automated systems in a CAV can detect and respond to threats faster than human operators, reducing the impact of attacks.*

## Zero-Trust Architecture for CAVs

 ### ZT Policy



 Static vs. Dynamic Policy


#### **Static Policy:**

**Design Specific:** Static policies are set by the vehicle manufacturers during the design phase and are based on the anticipated use cases and operational environments.

**Limited Flexibility:** These policies are typically hard-coded into the system, making them less adaptable to unforeseen scenarios. This rigidity can be a double-edged sword; while it ensures consistency, it also limits the ability to respond to new threats.

Advantages: ✅Simplicity. ✅ Predictability ✅Lower Overhead.

Disadvantages: ❌Inflexibility ❌ Delayed Response ❌ Manual Updates


#### **Dynamic Policy:**

**Context-Aware Security:** Dynamic policies are designed to adapt to the current context, such as changes in the vehicle’s environment, operational status, or detected threats. This allows the system to respond more effectively to real-time conditions.

**Continuous Evaluation:** Unlike static policies, dynamic policies are continuously evaluated and updated as the situation demands. This can involve inputs from various sensors, communication networks, and external threat intelligence sources.

Advantages: ✅ Adaptability ✅ Real-Time Response ✅ Automated Updates.

Disadvantages: ❌Complexity ❌ Higher Overhead ❌ Potential Instability

### Policy Enforcement in ZTA for CAVs


The Zero Trust Architecture (ZTA) for Connected and Autonomous Vehicles (CAVs) builds upon the foundational principles outlined by NIST for Zero Trust. In this context, we demonstrate how ZTA implements and enforces Zero Trust policies within the CAV's internal network. It incorporates several key components to ensure the security and integrity of the vehicle's communications. Each component plays a specific role, but they must work together to enforce comprehensive security policies across the vehicle’s internal network​.


- **Policy Enforcement Point (PEP):** The PEP is implemented within CAN bus nodes and acts to enforce the policy specifications compiled by the PE. It is responsible for establishing or closing communication flows between resources, ensuring that each resource implements its own PEP to protect the network​.

- **Policy Decision Point (PDP):** The PDP receives policy intent from the PA (Policy Administrator) and environmental information from the CM. It makes decisions about policy enforcement in real-time and communicates these decisions to the PE and PEPs within the network​.

- **Policy Engine (PE):** The PE translates the high-level policy intent into enforceable commands specific to each PEP. It works closely with the PDP to ensure that policies are enforced dynamically based on the current context​.

- **Context Manager (CM):** The CM monitors the vehicle’s CAN bus network, processing communication flows to maintain an accurate state of each resource. Because the CAN bus communication protocol relies on broadcast messages
across the entire bus medium. It also plays a crucial role in continuous context checks, which are integral to the overall Zero-Trust strategy within the vehicle​.

- **Device Fingerprinting (DF):** DF is implemented through the CM and involves identifying and verifying ECUs based on their traffic patterns and pre-registered characteristics. This ensures that only authorized and known devices can communicate within the network, helping to detect and prevent unauthorized access​.


<center><img src="https://github.com/moaldeen/trustzone/blob/main/CAVs.png?raw=true" alt="sup-learning.png" width="60%"></center>


**Workflow:**

- **Dynamic Policy Enforcement:** The PEPs enforce decisions made by the PDP in real-time, responding dynamically to changes in the vehicle’s operational environment​.

- **Continuous Contextual Monitoring:** The CM provides ongoing feedback to the PDP, allowing the system to adapt to new threats or changes in the network environment. This ensures that security policies remain effective even as conditions evolve​.

- **Device and Flow Validation:** DF and CM collaborate to validate devices and control communication flows, ensuring that only legitimate and authorized entities can interact within the network​.

**Example:**

When a sensor resource wants to access another sensor or ECU in the network, it must request permission from the PDP, for example, a proximity sensor wishing to interface with a parking-assist ECU. Therefore, a request will be made from the PEP and sent to the PDP. The PDP will attempt a policy match with input from the most recent subject and device context from the CM. Unlike the routine device continuous context check, this flow initiation request will include the resource to access. When a policy match occurs that results in an allowed flow, the PE will compile the policy specification down to PEP-specific syntax, which is pushed to the PEPs involved in the flow.





<center><img src="https://github.com/moaldeen/trustzone/blob/main/ZTA_workflow.png?raw=true" alt="sup-learning.png" width="60%"></center>



### ZTA for Hub-and-Spoke CAN Bus Networks

#### Rationale Behind Hub-and-Spoke Model:


 The primary issue with a flat, unsegmented CAN bus is its single broadcast domain, where any node on the bus can communicate with and listen to any other node, posing significant security risks.

The **hub-and-spoke design** is implemented to enhance the security of the vehicle’s internal network by segmenting the CAN bus into smaller, more manageable sections (spokes), each connected to a central hub.

**The Hub:** At the center of this model is the Zero-Trust (ZT) controller, which acts as the central point of control, enforcing security policies across the various segments. The ZT controller manages the flow of information between the different spokes, ensuring that each communication adheres to the Zero-Trust principles.

The CAN bus is segmented into multiple spokes, each connecting back to the central hub—the ZT controller. This figure illustrates how the ZT controller manages security across these segments, enforcing policies and maintaining the integrity of the network by controlling the flow of information between the spokes.

The figure also highlights the physical and logical separation between different ECUs and sensors within the network, emphasizing how the design aids in protecting against attacks by ensuring that compromised segments can be quickly isolated without affecting the entire network.



<center><img src="https://github.com/moaldeen/trustzone/blob/main/hub-and-spoke.png?raw=true" alt="sup-learning.png" width="60%"></center>




#### Benefits of Segmentation

The segmentation of the CAN bus into multiple spokes significantly limits the potential impact of an attack. If one segment (spoke) is compromised, the attack is contained within that section, preventing it from spreading to other parts of the network.

Limiting the Attack Radius: By reducing the attack surface to individual segments, the hub-and-spoke architecture effectively limits the blast radius of any security breach. This isolation makes it more difficult for attackers to cause widespread damage or access multiple critical systems simultaneously.

Example: If a malicious entity gains access to one spoke of the CAN bus, the segmentation ensures that only the devices within that spoke are affected. The ZT controller can then isolate the compromised spoke from the rest of the network, thereby protecting the overall integrity of the vehicle’s systems.

**Components of ZTA:**
- **Policy Enforcement Points (PEPs):** Enforce security policies by allowing or denying access to resources.

- **Policy Decision Points (PDPs):** Make decisions on whether to grant or deny access based on current security policies.

- **Policy Engine (PE):** The brain of the system that processes security policies.

- **Policy Administrator (PA):** Manages and updates policies as required.

- **Context Manager (CM):** Continuously monitors the state of the network and its components to ensure that all entities are verified.

### Case Studies on ZTA on CAN

#### Excessive Speeding:

- Excessive speeding, defined as operating the vehicle well above designated speed limits, was a key focus area.

- The CM continuously monitored speed data from the vehicle's Electronic Control Units (ECUs) to detect when the vehicle exceeded safe speed thresholds.

- A ZT policy was defined to set speed limits; if the CM detected speed increases beyond these limits, it triggered an alert to the PDP.

- The PDP then instructed the PEP to take corrective action, such as adjusting the accelerator input to prevent further speeding, thereby enhancing safety by controlling the vehicle’s speed in real-time.


#### Harsh Acceleration:

- Harsh acceleration, indicative of aggressive driving, was another critical behavior monitored by the ZTA.

- The ZT policy for this case involved analyzing acceleration patterns over time, particularly looking for instances of rapid, full-throttle acceleration.

- When the frequency of such acceleration signals exceeded a predefined threshold, the CM alerted the PDP, which then determined the appropriate response.

- The PEP was directed to enforce measures such as limiting further acceleration or applying the brakes, promoting safer driving behaviors by curbing excessive acceleration.

#### Abrupt Lane Changes:

- Abrupt lane changes, which involve sudden shifts in lanes without signaling, pose significant traffic risks.

- The ZT policy addressed this by monitoring steering behavior and the use of turn indicators.

- If the CM detected frequent lane changes without the use of turn indicators, it flagged the behavior to the PDP.

- The PDP would then instruct the PEP to take actions such as reducing vehicle speed and ensuring turn indicators were used, thereby reducing the likelihood of accidents caused by unexpected lane changes.

#### Collision Scenarios:

- Collision scenarios were also simulated to assess the ZTA’s response to real-world accidents.

- The CM monitored critical data such as the activation of airbags, which served as indicators of a collision.

- Upon detecting these indicators, the CM alerted the PDP, which assessed the vehicle's speed and whether the operator was still accelerating.

- If unsafe conditions were confirmed, the PDP instructed the PEP to engage the vehicle’s braking system, gradually bringing the vehicle to a stop to minimize the impact and ensure occupant safety.

important links:
https://spectrum.ieee.org/zero-trust-security-autonomous-systems
https://www.swri.org/podcast/ep64?utm_source=YouTube&utm_medium=SM&utm_campaign=Podcast-64