
4. Threat Analysis, from Reference Architecture to Risk Mitigation

4.7. Mitigation

Mitigation for cyber attacks can be categorised under two main types: authentication across boundary domains (including encryption of data) as the first line of defence, to prevent unauthorised access; and intrusion detection as the second line of defence, to monitor abnormal behaviour once attackers are inside the system. However, the mitigation applied to each attack and risk can vary, as it can affect the operation of the assets that need to be protected. For example, encryption algorithms applied in the CAN network should be lightweight with low delay, given the limited memory and computing power of the ECUs, while encryption in other networks could be more sophisticated to strengthen the defence. As a result, it is important to keep up to date with the reported mitigations for specific attacks and risks. There are also attacks that aim at breaking a particular mitigation, for example side-channel attacks such as power analysis, which aim at exposing the encryption key. If such an attack is successful, the targeted mitigation becomes invalid. Therefore, it is essential to keep the strengths and weaknesses of each mitigation up to date when applying it to the security system. Table 8 synthesises the common security controls for mitigating attacks on the vehicle’s communication [44, 45, 46]. These controls are categorised by the targeted components, while an ‘x’ marks their effectiveness against the STRIDE threats. This table can be used to find suitable mitigation for threats or risks targeting those components.

Table 8. Countermeasures applied in vehicle communication, derived from multiple sources

Component | Countermeasure | STRIDE marks (S T R I D E)
Telematics gateway (T-Box) | Detection of fake mobile networks | x x x x x
Telematics gateway (T-Box) | Secure boot process | x
Telematics gateway (T-Box) | Debug port authentication | x x
Telematics gateway (T-Box) | Over the air software updates | x x x
Telematics gateway (T-Box) | Memory randomisation to protect against buffer overflow | x x
Telematics gateway (T-Box) | IDS and IPS | x x x x x x
Telematics gateway (T-Box) | Data encryption to secure client-server communications from the T-Box to the cloud services | x
Telematics gateway (T-Box) | Trust anchor for external communications | x x x x
Telematics gateway (T-Box) | SMS authentication | x
Telematics gateway (T-Box) | Hardening hardware security | x x x x x x
Mobile network operator | SMS firewall | x x x x
Mobile network operator | Secure SIM data | x x x x
Telematics service provider | Encrypted communication | x x
Telematics service provider | Adherence to security standards (ISO 27001) | x x x x x x
Telematics service provider | Mutual authentication for all client communications | x
ECUs/CAN bus/OBD | OBD hardware covering | x x
ECUs/CAN bus/OBD | CAN bus firewall | x x x x
ECUs/CAN bus/OBD | Message authentication codes | x x
ECUs/CAN bus/OBD | ECU key management | x x x x x x
ECUs/CAN bus/OBD | CAN bus anomaly detection network monitor | x x x x x x
ECUs/CAN bus/OBD | Validate source of messages and suppress invalid messages | x x x x
ECUs/CAN bus/OBD | Attestation functions for ECUs | x x x x x x
ECUs/CAN bus/OBD | Digital signing for ECU updates: require OEM digital signature for updating ECU firmware | x x x x x x
ECUs/CAN bus/OBD | OBD lock, either physical or logical, to prevent unauthenticated CAN bus access via OBD | x x x x x
ECUs/CAN bus/OBD | Centralised authentication | x x
In-vehicle infotainment/Radio | Digital signatures for applications | x x x
In-vehicle infotainment/Radio | Embedded virtualisation | x x x x x
In-vehicle infotainment/Radio | Wi-Fi password policy | x x x
In-vehicle infotainment/Radio | Wi-Fi security compliance with NIST guidelines | x x x x x
In-vehicle infotainment/Radio | Bluetooth security compliance with NIST guidelines | x x x x x
In-vehicle infotainment/Radio | USB security compliance with best practices | x x
In-vehicle infotainment/Radio | Recovery by design | x
In-vehicle infotainment/Radio | Bug bounties | x x x x x x
In-vehicle infotainment/Radio | Periodic refresh of the infotainment system | x x x
In-vehicle infotainment/Radio | Validate infotainment system | x x x x x
In-vehicle infotainment/Radio | Multi-factor authentication to strengthen the authentication of the door lock, e.g. PIN entry on the IVI to counter key fob relay attacks | x x

[44] Oyler, A. and Saiedian, H. (2016) ‘Security in automotive telematics: a survey of threats and risk mitigation strategies to counter the existing and emerging attack vectors’, Security and Communication Networks, 9(17), pp. 4330-4340.

[45] Graubart, R.D., McQuaid, R. and Woodill, J. (2019) ‘Cyber Resiliency Metrics and Scoring in Practice’.

It is important to consider how much the security of the system is improved after applying a mitigation, and how to choose mitigations effectively given the limited security resources that a system has. Attack Trees can be used to tackle these issues. The main idea is to build an Attack Tree for each of the potential risks and assess whether the root of the tree can still be reached with the available mitigation. For example, a mitigation that can prevent any single leaf of an ‘AND’ Attack Tree is enough to eliminate the risk corresponding to that tree, while an ‘OR’ Attack Tree requires mitigation for all the leaves in the tree. The effectiveness of a mitigation should be considered against all the Attack Trees within the security scope of the system rather than for just a single threat. There are also automation tools (e.g. isograph [47]) for Attack Trees that can speed up the analysis for selecting effective mitigations.
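The AND/OR rule above and the scope-wide comparison of mitigations, as an added example (not code from the report or from any attack-tree tool). The two trees and the mitigation labels are constructed for illustration.

```python
# Added example (not the report's code): evaluating attack trees against a set
# of deployed mitigations. Tree contents and mitigation labels are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Node:
    name: str
    gate: str = "LEAF"                       # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    blocked_by: Set[str] = field(default_factory=set)  # mitigations defeating this leaf


def reachable(node: Node, deployed: Set[str]) -> bool:
    """True if the attacker can still reach `node` with `deployed` mitigations in place.
    AND: every child must remain reachable, so blocking one leaf is enough.
    OR: any child suffices, so every leaf must be blocked."""
    if node.gate == "LEAF":
        return not (node.blocked_by & deployed)
    results = [reachable(c, deployed) for c in node.children]
    return all(results) if node.gate == "AND" else any(results)


def residual_risks(trees: Dict[str, Node], deployed: Set[str]) -> List[str]:
    """Trees whose root (the risk) is still reachable after mitigation."""
    return [name for name, root in trees.items() if reachable(root, deployed)]


def rank_mitigations(trees: Dict[str, Node], candidates: List[str],
                     deployed: Set[str] = frozenset()) -> List[Tuple[str, int]]:
    """Score each candidate by how many risks it eliminates across the whole
    scope (all trees), not just one threat; highest score first."""
    scored = []
    for m in candidates:
        before = len(residual_risks(trees, set(deployed)))
        after = len(residual_risks(trees, set(deployed) | {m}))
        scored.append((m, before - after))
    return sorted(scored, key=lambda s: -s[1])


# Constructed trees: remote CAN injection needs BOTH steps (AND); local
# injection succeeds through EITHER entry point (OR).
REMOTE = Node("Remote CAN injection", "AND", [
    Node("Compromise T-Box over mobile network", blocked_by={"fake network detection"}),
    Node("Forward crafted frames onto CAN", blocked_by={"CAN bus firewall", "message source validation"}),
])
LOCAL = Node("Local CAN injection", "OR", [
    Node("Plug into unprotected OBD port", blocked_by={"OBD lock"}),
    Node("Use open debug port", blocked_by={"debug port authentication"}),
])
TREES = {"Remote CAN injection": REMOTE, "Local CAN injection": LOCAL}
```

Blocking one leaf of the AND tree removes that risk, while the OR tree stays open until both of its leaves are blocked, which is why `rank_mitigations` scores the CAN bus firewall above the OBD lock on its own.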

Besides specific mitigations, there are other general mitigation strategies that use system design to reduce the impact of attacks. The testing procedure also needs to review the design of the target systems against these strategies when making recommendations. The potential strategies include (but are not limited to):

● Applying the principle of least privilege: the principle is about limiting the (access) rights of every program or application programming interface to only what is needed to complete the work or action [48]. This strategy prevents attackers from exploiting the vulnerability of one attack surface to escalate their access rights to other components. The principle can be applied to many assets and services in vehicle communication. For example, messages from the telematics gateway should not be able to invoke access to the CAN bus, and SMS service providers should be whitelisted to prevent unauthorised remote operation services.

● Separating the safety-critical network segments from the external interfaces: if any interface connects a safety-critical network to an external path, attackers can exploit that interface to manipulate safety-related functions, which can lead to safety issues.

● Planning different operation modes to react when the system is under attack: attacks can be unavoidable in some circumstances despite all the defence efforts (e.g. due to an unknown attack or a zero-day vulnerability). Therefore, it is important to prepare for several scenarios, such as a “Safe Mode” [49] in which all the non-essential communication functions of the vehicle are turned off, or a “Go Dark” [49] mode in which all the wireless interfaces are disabled to eliminate remote attacks.
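The three design strategies above (least privilege at the gateway, segmentation of safety-critical networks, and a “Go Dark” mode) as one added reachability check, not code from the report. The flow model, segment names and interface names are constructed for illustration.

```python
# Added example (not the report's code): find paths from external interfaces to
# safety-critical segments in a constructed vehicle network model.
from collections import deque
from typing import Dict, List, Optional, Set

FLOWS: Dict[str, Set[str]] = {          # A -> B: messages from A can reach B
    "cellular": {"t-box"},
    "wifi": {"ivi"},
    "bluetooth": {"ivi"},
    "t-box": {"cloud", "central gateway"},
    "ivi": {"central gateway"},
    "central gateway": {"body can", "powertrain can"},  # forwards everything: weak
    "obd": {"powertrain can"},                           # unlocked OBD port
}
WIRELESS = {"cellular", "wifi", "bluetooth"}
EXTERNAL = WIRELESS | {"obd"}
SAFETY_CRITICAL = {"powertrain can"}


def shortest_path(flows, src: str, dst: str) -> Optional[List[str]]:
    """Breadth-first search; returns one path src -> ... -> dst, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in flows.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def violations(flows, external=EXTERNAL, critical=SAFETY_CRITICAL) -> List[List[str]]:
    """Every external interface that can still reach a safety-critical segment."""
    found = []
    for src in sorted(external):
        for dst in sorted(critical):
            path = shortest_path(flows, src, dst)
            if path:
                found.append(path)
    return found


def go_dark(flows):
    """'Go Dark' mode: wireless interfaces disabled, so they originate no flows."""
    return {n: set(t) for n, t in flows.items() if n not in WIRELESS}


def segment(flows):
    """Least privilege at the gateway: never forward onto the powertrain CAN."""
    new = {n: set(t) for n, t in flows.items()}
    new["central gateway"] = {"body can"}
    return new
```

Going dark or segmenting the gateway removes the wireless paths but leaves the physical OBD path, which is why the report lists an OBD lock as a separate countermeasure.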