Ethernet Security: How Effective Is It?.pdf


PUBLIC

Ethernet Security - how effective is it?
Rajeev Roy, NXP
Balaji Arumugam, Garrett
IEEE Ethernet & IP Tech Days, September 2023

NXP, THE NXP LOGO AND NXP SECURE CONNECTIONS FOR A SMARTER WORLD ARE TRADEMARKS OF NXP B.V. ALL OTHER PRODUCT OR SERVICE NAMES ARE THE PROPERTY OF THEIR RESPECTIVE OWNERS. 2023 NXP B.V.
Copyrights 2023 Garrett Motion Inc.

OVERVIEW

- Evolving network architecture and security challenges
- Holistic view - setting the context
- The Ethernet Angle
- Secure Interfaces
- Secure Domain
- Secure Networks
- Secure Infrastructure (processing)

VEHICLE ARCHITECTURE EVOLVING ACROSS DOMAIN AND ZONE AXIS

[Figure: four vehicle architectures - Domain based VEA, SDV-optimized VEA, Body zonal VEA, Cross-domain zonal VEA]

WHY ARE THE SECURITY CHALLENGES INCREASING FOR SDV?

SECURITY - WHY ARE THE CHALLENGES INCREASING?

- Surface area for attacks is increasing - both in-car and out of the car
- Continuously evolving landscape of attacks and attack types

HOLISTIC APPROACH - SETTING THE CONTEXT

Goals: Prevent access, Detect attacks, Reduce impact, Fix vulnerabilities

- Secure Networks: Secure Messaging; Message Filtering & Rate Limitation
- Secure Processing: Code/Data Authentication (run-time); Code/Data Authentication (start-up); Resource Control (virtualization)
- Secure Engineering: Threat Monitoring, Intelligence Sharing; SDLC incl. Security Reviews & Testing; Incident Management/Response; Security-Aware Organization, Policies, Governance
- Secure Interfaces: M2M Authentication & Firewalling; Secure Ranging (UWB)
- Secure Domain Isolation: Firewalling, VLAN, Separated Functional Domains
- Secure Updates
- Network Intrusion Detection Systems (NIDS)

SECURE INTERFACES - THE ETHERNET ANGLE

Secure Interfaces: Authentication

IEEE 802.1X, Port Based Network Access Control (PNAC) is a common way to authenticate supplicants - it is an industry standard way of authentication and can prevent Man-in-the-Middle (MitM) and Evil Twin proxies.

In wired Ethernet, the Extensible Authentication Protocol over LAN (EAPOL) is used for a supplicant to authenticate with an authentication server.

EAP: Extensible Authentication Protocol

[Figure: Supplicant - Authenticator - Authentication Server, with EAP messages exchanged on both links]

What are the expected requirements?
An authenticator has to block all communication from an unauthorised supplicant (till authenticated) while allowing for EAP messages.

What are the potential threats?
EAP messages use the multicast address (01:80:c2:00:00:03) and this opens a window of opportunity for flooding (DoS) type attacks; MAC migration can lead to frame flooding (and related loss of performance).

How effective is it?
- Is it possible to identify specific (multicast) streams, meter and police them?
- Can stream forwarding be realized?
- Can MAC move be detected and prevented?
- Can MAC limiting be supported?

SECURE DOMAIN ISOLATION - THE ETHERNET ANGLE

Secure Domain Isolation: VLANs (& IP subnets)

VLANs complement and enhance isolation of a network along with IP subnetting. Partitioning can prevent or mitigate L2 attacks which influence L3 operations like - ARP spoofing (isolating an external entity from gratuitous ARP response), DHCP starvation (port binding and bounding to specific domains).

Conceptually both domain and zonal network are switched Ethernet networks with the "Gateway" implementing routing functionality; both architectures would also support tagged networks but this is a must have for the zonal network.

What are the expected requirements?
VLAN usage in automotive for most OEMs tends to be for functional domain separation with one or more VLANs per logical domains - VIDs also tend to be used as "stream identifiers" for stream based forwarding and/or for diagnostic stream identification.

What are the potential threats?
Leakage of traffic across domains - consequent security and QoS concerns.

How effective is it?
- Is the switch core supporting the necessary features?
- How robust is switch core performance for the desired configuration?
- Is there synergy in the L2 and L3 network design for partitioning?
- Is there ability to selectively mirror traffic for diagnostics/monitoring?

[Figure: Domain and Zonal architectures with (Logical) Domain A, (Logical) Domain B, (Logical) Domain C; Vehicle (logical) domains; L2/L3 Switching; Routing]

SECURE DOMAIN ISOLATION - THE ETHERNET ANGLE

[Figure: Switch #1, Switch #2, Switch #3 and a router, with internal and external ports and per-port VIDs]

A typical example of VLANs in Switch #1 and #2 (partly) illustrating how VLANs could be used for isolation - including examples of a primary VLAN with private VLANs, VLAN across two switches and a dedicated VLAN for external traffic.

VLANs not only complement IP subnetting for network partitioning - they are essential to realise isolation.

SECURE NETWORKS - THE ETHERNET ANGLE

Secure Networks: Stream Identification, Metering and Filtering

IEEE 802.1Qci, Per Stream Filtering and Policing (PSFP) provides a framework for handling streams, metering and take a consequent action - typical implementations provide more functionality to this by supporting mechanisms for selective mirroring, actions on frames such as - dropping or forwarding/duplicating to designated ports.

Note: Several other consequent actions can be typically realised - these are not illustrated.

[Figure: Ingress Traffic - Lookup and Stream Identification - Streams - Metering and counter(s) per stream - Action (Rate Limit, Drop)]

What are the expected requirements?
Stream (or flow) identification is needed to decide on a consequent action on that stream - typically for implementing rules, policies and for Intrusion Detection and Prevention (ID/PS) systems.

What are the potential threats?
Potentially stream based decisions can over-ride usual bridging behaviour and can lead to unintended actions on the frame forwarding.

How effective is it?
- To what granularity can streams be defined (e.g. filter UDP port from a specific source IP)?
- Can sufficient rules be defined to realise an effective ID/PS implementation?
- Can the streams be properly metered and consequent actions taken?
- Can a proper reconciliation of frame counters be done?

SECURE NETWORKS - THE ETHERNET ANGLE

Secure Networks: MACsec

IEEE 802.1AE, MAC Security (MACsec) can ensure authenticity, integrity and confidentiality of data - this is one of the key features seen as a must have to ensure that nodes which can be easily tampered with (e.g. radars on bumpers) can be authenticated. Integrity check ensures against data tampering and encryption ensures confidentiality.

[Figure: Secure Association (Active), Secure Association (Standby), Secure Channel; Authenticity, Integrity, Confidentiality]

What are the expected requirements?
MACsec provides a fast means for authentication with the benefits of integrity check and encryption.

What are the potential threats?
Compromising the secret keys.

How effective is it?
- In automotive applications it is common to use pre-shared keys (PSKs) - is the implementation such that it cannot scale to fleet attacks?
- Standards are in definition for multi drop systems
- Exchange of keys in clear text (e.g. PHYs)?
- Sufficient hardware support for intended CAK?
- XPN supported?

SECURE INFRASTRUCTURE - THE ETHERNET ANGLE

Prevent Access: Secure Boot

Secure boot is a means to boot with authenticated software (firmware) and the process also ensures the integrity of the software.

What are the expected requirements?
Device can boot using authenticated software in the specified start up time.

What are the potential threats?
Implementation which stores secrets for authentication without sufficient safe-guards.

How effective is it?
- What is the security strength of the encryption technology?
- Are any secrets stored in the device - and if so, is the device hardened?
- Are there sufficient hardware accelerators to ensure a start up time as per specifications?
- Is a chain of trust built in?
- Is there a version numbering built in?
- Is there a bypass for secure-boot?

[Figure: Conceptual view of secure boot with asymmetric encryption - details on Chain of Trust (CoT) etc are not illustrated. Sign with private key; Public key and Signed firmware; Authenticate (Hash) with Public Key; Authenticated: Execute firmware; Not Authenticated: Block execution]

ATTACK COSTS VS. ATTACK SCALABILITY

[Figure: Local attacks and remote attacks against an ECU (IC) through local interfaces and remote interfaces; Attack Costs (Identification) vs. Attack Scalability (Exploitation); I = Identify vulnerability, E = Exploit vulnerability]

Biggest concerns for our customers (high rewards for hackers/criminals)

Garrett Internal

Enhancing security with Network IDPS

What is NIDPS?
- Network Intrusion Detection and Protection System
- Modeling of known behaviors on network and alert on violations
- Software or/and Hardware Solution

What are the key features?
- Vehicle context-based evaluation
- Hardware accelerated detectors
- Stateful analysis/inspection
- Deep Packet Inspection - from L2 to L5 (application layer)
- Rule-based evaluation with Signatures and Patterns or ML/AI approach
- Anomaly reports with meaningful information

[Figure: Cyber Attack by connected or remote; Vehicle Network or Host intrusion; IDPS; Intrusion Detection (Detect Communication & Execution Anomalies); Intrusion Prevention (Block known attacks); Attack Reporting; Security Incident & Events Management; SOC; OEM Analysis & Remediation]

Network IDPS

What it does?
Monitors network traffic in order to detect:
- Unknown/Abnormal/Invalid traffic (e.g.: New Connection)
- Attacks (e.g.: D/DoS, Man in the Middle)
- Harmful patterns (e.g.: Teardrop)
Reports anomalies
Prevents detected threats

Why is switch (Firewall) not enough?
- Cannot inspect payload for threat patterns
- Cannot detect if a device from the network is corrupted
- Cannot monitor and prevent malicious activity for both internal and external communication
- Cannot report malicious activity (e.g.: new device is connected to the network or corrupted network devices)

[Figure: Switch connecting Telematics, ADAS and Camera, with a Corrupted Device and Malicious activity]

Network IDPS Architecture

- Data Acquisition Engine: Captures traffic from specific protocol layer (RAW, IP, Socket etc.)
- Analytic Engine: Analyze incoming traffic based on Signatures, Patterns, Heuristic, ML/AI
- Reporting Engine: Report detected anomalies to System Log, IDS Reporter, Cloud (V-SOC)
- Protection Engine: Block attacks by Dropping packets, Configuring Switch, Configuring OS firewall

Network IDPS Deployment Types & Configurations

DEPLOYMENT TYPES
- Centralized: IDPS hosted on one processor
- Distributed: IDPS hosted on multiple processors

CONFIGURATIONS
- Monitoring: Analyzing the traffic passively
- Inline: Analyzing the traffic actively

Reporter: Manages reports from multiple IDPS hosts

Either deployment type can support any configuration.

[Figure: Inline and Monitoring configurations (Network Traffic, IDPS, Networking Stack, APP 1 ... APP n); Centralized and Distributed deployments (IDPS, Reporter, ECU 1 ... ECU n)]

Network IDPS and Switch Integration

- Integration with Ethernet Switch provides capability to optimize performance
- Enhance overall capabilities to implement anomaly-based protection
- Support both types of deployments, Central and Distributed

Example architecture with switch: IDS Agent Module performing protection actions

[Figure: IDPS; Switch + IDS Agent; ECU 1, ECU 2, ECU n; Local IDPS; In Switch IDPS]

Network IDPS perfect solution?

- Dependent on hardware capability and prioritization
- Needs to be updated constantly to cover new attacks
- Overall IDPS solution requires real world data and feedback loop
- High false positive rates if IDPS model not developed with stable design
- Not able to detect harmful patterns if traffic is encrypted

Summary

- From a holistic view - Ethernet (traffic) related mechanisms can only address a small part of the picture
- These focus on traffic aspects of authentication, encryption, traffic identification and traffic management
- The techniques themselves are effective for the scope of operation
- Several factors determine how effective they are and it is important to address these
- "Defence in depth" is a mantra which is very relevant for security - so while we address only a small part of the picture - care needs to be taken in the implementation to make them effective
- All the aspects discussed can be prevented from scaling up to fleet attacks - when properly implemented
- IDPS forms an essential element of security, a firewall in isolation is not enough and the IDPS needs sufficient amount of hardware hooks to provide an effective cover

NXP, THE NXP LOGO AND NXP SECURE CONNECTIONS FOR A SMARTER WORLD ARE TRADEMARKS OF NXP B.V. ALL OTHER PRODUCT OR SERVICE NAMES ARE THE PROPERTY OF THEIR RESPECTIVE OWNERS. 2020 NXP B.V.
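The questions the slides raise about EAPOL multicast streams (identify, meter and police them, detect a MAC move, reconcile frame counters) can be modelled in software as below. This is an added example, not code from the presentation or from any NXP or Garrett product; the class names, the rate and burst limits and the sample frames are assumptions constructed for illustration.

```python
from collections import Counter

EAPOL_MCAST = "01:80:c2:00:00:03"  # multicast address quoted on the slide
ETH_EAPOL = 0x888E                 # EtherType of EAPOL (IEEE 802.1X)

class Meter:
    """Token bucket: `rate` frames per second, at most `burst` back to back."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def admit(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

class Policer:
    def __init__(self, rate=5.0, burst=3.0):  # assumed limits per ingress port
        self.rate, self.burst = rate, burst
        self.meters = {}         # stream id (ingress port) -> Meter
        self.mac_port = {}       # learned source MAC -> ingress port
        self.counts = Counter()  # (port, action) -> frames, for reconciliation

    def handle(self, t, port, src, dst, ethertype):
        action = "forward"       # assumption: other traffic is out of scope here
        if self.mac_port.setdefault(src, port) != port:
            action = "drop-mac-move"      # learned MAC seen on another port
        elif dst == EAPOL_MCAST and ethertype == ETH_EAPOL:
            meter = self.meters.setdefault(port, Meter(self.rate, self.burst))
            if not meter.admit(t):
                action = "drop-rate"      # stream exceeded its meter
        self.counts[(port, action)] += 1
        return action

def run_demo():
    """Constructed traffic: a normal supplicant on port 1, a burst on port 2."""
    p = Policer()
    frames = [(t, 1, "02:00:00:00:00:01", EAPOL_MCAST, ETH_EAPOL)
              for t in (0.0, 0.5, 1.0)]
    frames += [(2.0 + i * 0.001, 2, "02:00:00:00:00:02", EAPOL_MCAST, ETH_EAPOL)
               for i in range(100)]
    # A source MAC learned on port 1 now appears on port 2 (MAC move).
    frames.append((3.0, 2, "02:00:00:00:00:01", "02:00:00:00:00:09", 0x0800))
    for frame in frames:
        p.handle(*frame)
    return p.counts, len(frames)
```

The per-port, per-action counters sum to the number of frames received, which is the reconciliation property the Secure Networks slide asks about.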
