Security and Privacy in Intelligent Autonomous Vehicles

Abstract

In this chapter, we mostly focus on cybersecurity and privacy in intelligent and autonomous vehicles (IAV). This chapter starts with the basics of cryptography and then proceeds to different types of advanced security and encryption schemes that can be used in autonomous vehicles. The cyber security in intelligent and autonomous vehicles can be a combination of physical security, information security, security elements, policies, standards, legislation, and risk mitigation strategies. We introduced the updated cybersecurity framework that provides a specific categorization and structural framework for institutions to describe their current cybersecurity position, state for cybersecurity, identify and prioritize security improvements, assess security progress, and plan concerning cybersecurity risks. Then, we discuss about the five key technological cybersecurities to protect any company, organization, and IAV against a cyber-attacks. A threat modeling method (TMM) is also required to investigate the potential threats so that the IAV system is fully secured from unknown attacks. The TMM is used to defend the cyber-physical system from attackers and detect the threats before they create severe damage. Some of the examples of TMM are STRIDE, PASTA, VAST, etc. The vulnerability is the weak point in the scheme that is misused by the malicious attacker in the form of attacks for their own advantages. We discuss some of the taxonomy that can be found in vehicular system such as autonomous vehicle vulnerability taxonomy, defense taxonomy, and privacy taxonomy.

3.1 Overview

In this chapter, we mostly focus on cybersecurity and privacy in intelligent and autonomous vehicles (IAV). This chapter starts with the basics of cryptography and then proceeds to different types of advanced security and encryption schemes that can be used in autonomous vehicles. The cyber security in intelligent and autonomous vehicles can be a combination of physical security, information security, security elements, policies, standards, legislation, and risk mitigation strategies. We introduced the updated cybersecurity framework that provides a specific categorization and structural framework for institutions to describe their current cybersecurity position, state for cybersecurity, identify and prioritize security improvements, assess security progress, and plan concerning cybersecurity risks. Then, we discuss the five key technological cybersecurities to protect any company, organization, and IAV against cyber-attacks. A threat modeling method (TMM) is also required to investigate the potential threats so that the IAV system is fully secured from unknown attacks. The TMM is used to defend the cyber-physical system from attackers and detect the threats before they create severe damage. Some of the examples of TMM are STRIDE, PASTA, VAST, etc. The vulnerability is the weak point in the scheme that is misused by the malicious attacker in the form of attacks for their own advantages. We discuss some of the taxonomy that can be found in vehicular system such as autonomous vehicle vulnerability taxonomy, defense taxonomy, and privacy taxonomy.

3.2 Cryptography Introduction

Cryptography is the art and technique for securing the communication of creating ciphertext from plaintext in the presence of adversaries so that the adversaries cannot know the information of the ciphertext. Cryptography along with cryptanalysis are the two branches of cryptology. Cryptanalysis is the art of solving and revealing the contents of the code. In the modern context, cryptography and cryptology can be used interchangeably and defined as the techniques for secure communication between two parties. Cryptology is the study of codes for both purposes, i.e., creating and solving them. The purpose of cryptography is to secure digital data by converting the readable information to non-readable information or encrypted format as shown in Fig. 3.1. It provides fundamental information security services based on mathematical algorithms and prevents from the data from malicious activities. A cryptosystem is a set of cryptographic algorithms required to implement any security service. Cryptosystems generally consist of three algorithms; they are key generation, encryption, and decryption. A cryptosystem has the following components:

Fig. 3.1

A basic encryption system

• Plaintext: The plaintext information should be protected from hackers throughout the information exchange.

• Encryption algorithm: The encryption algorithm converts the input plaintext to a unique ciphertext outputs with the help of encryption key.

• Ciphertext: The encrypted plaintext element is transferred through the server.

• Decryption algorithm: The decryption algorithm reverses the encryption process. For input ciphertext and decryption key, it produces the original plaintext.

• Encryption key: It is the key used during the encryption algorithm to generate the ciphertext from the input plaintext.

• Decryption key: It is the key used to calculate plaintext from the ciphertext.

A basic encryption system is given below in Fig. 3.1.

3.3 Cryptography Objective

The primary purpose of cryptography is to guarantee the following four basic security services.

3.3.1 Confidentiality

It is the property, which ensures that the information is not disclosed to any unauthorized entity. It provides identity and location privacy of the user. The data confidentiality can be maintained by using encryption algorithms so that no third party can read the data except the sender and the receiver during the data transmission.

3.3.2 Data Integrity

Data integrity ensures that the data is not modified at the receiver side, therefore ensuring its accuracy and completeness. Data integrity ensures and verifies that the received data is unaltered during transmission from the source to the destination node. Data must be accurate and prevented from modification, corruption, or unauthorized access. The data integrity can be maintained by using data encryption, access control, data backups, data validation that confirms that the data is not corrupted during transmission.

3.3.3 Authentication

Authentication is the process of identifying the authorized entity of the message. It informs the receiver whether the data received was sent to an authorized entity. Authentication services have two types: (a) message authentication: identifies the sender and (b) entity authentication: identifies that the data was received from a specific entity. In addition, authentication provides information on parameters like date and time of creation of the message.

3.3.4 Non-repudiation

It ensures that an entity cannot refuse its ownership to any data or information was created by itself. If there is a dispute over the exchange of data, this property proves to be very useful. For example, if the non-repudiation service is enabled in a transaction, on placing in online order, the buyer cannot deny the purchase order.

3.4 Cryptographic Primitives

Cryptographic primitives are the cryptographic algorithms used to build cryptographic protocols for computer security systems. They are the tools and techniques that are employed to obtain a set of desired security services. They can be classified as shown in Fig. 3.2, and they are mentioned below.

Fig. 3.2

Encryption system classification

In cryptosystems, the below mentioned primitives are very intricately related and a combination of them is used to obtain required security services. In modern cryptosystems, strings of binary digits need to be processed and converted into other binary strings. Based on the method of processing of these binary strings, symmetric key encryption and asymmetric key encryption schemes can be classified into the following types.

Two main type of encryption algorithms are described below.

3.4.1 Symmetric Key or Secret Key Encryption

Symmetric key encryption uses only one key for both the encryption and decryption purpose. The key plays the main role so for security reasons; secret key should not be revealed to the third party as shown in Fig. 3.3.

Fig. 3.3

Secret key encryption

Substitution and permutation are two main techniques used in most secret key algorithms for encryption. Substitution is the term used for the mapping of a set of values to another. While permutation is the term used for reordering the bit positions of every input. The iterative use of the aforementioned two processes is called rounds. As the number of rounds increases, the algorithm becomes more secure.

Since both the parties should have the secret key with them, this turns out to be a major problem with secret key cryptography. This is because transmitting the key over a secure channel is not easily achievable.

Types of symmetric encryption schemes are:

1. 1.

   Block ciphers: In block ciphers, the plain binary text is processed in either blocks or groups of bits at a time. The size of the block is fixed for a specific algorithm. For example, the DES scheme has a block size of 64 bits while the AES scheme has a block size of 128 bits. Several block cipher schemes are used for encryption. Most popular and prominent block ciphers [1] are described in Table 3.1.

   Table 3.1 Type of block cipher schemes

2. 2.

   Stream cipher: In stream ciphers, plain binary text is processed bit by bit, i.e., a series of operation is performed on a single bit of plaintext and one bit of ciphertext is generated. We can see stream cipher as a block cipher with blocks of size one bit each. The most common stream ciphers [2] are given in Table 3.2.

   Table 3.2 Types of stream ciphers schemes

3.4.2 Asymmetric Key or Public Key Encryption

In this scheme, a pair of keys is used for encryption and decryption algorithms. The public key is derived from the private key and the two keys should be different, however, they are mathematically related. One of the keys is called public key, as everyone knows it, while the other one is called private key only known to the owner. Therefore, asymmetric key cryptography is also known as the public-key cryptography as shown in Fig. 3.4.

Fig. 3.4

Asymmetric key encryption scheme

Properties of asymmetric key encryption algorithm are listed below.

• Every user must have a pair of different keys, private key, and public key. One meant for encryption of the data while the other meant for its decryption.

• The public key is put into public repository while the private key is stored as a secret.

• Though public and private key are mathematically related, it is computationally not possible to get one from another.

• When a sender needs to send data to the receiver, the sender obtains the public key of the receiver from the repository, encrypts the data, and then transmits it. The receiver uses his private key for decryption.

• The process of encryption and decryption is slower due to the key length. Hence, this scheme is slower than the symmetric key scheme.

The comparison of the common asymmetric encryption schemes [3] is given below in Table 3.3.

Table 3.3 Comparison of the common asymmetric encryption schemes

3.4.3 Digital Signatures

A digital signature is a technique that associates an entity with the digital data. The digital signature scheme is based on public-key cryptography. This association is independently verifiable by the receiver as well as any third party. Digital signature is a cryptographic value, which can be calculated from the data and some secret known to the signer.

1. 1.

   Encryption with Digital Signature

As the public key of the user is available in the open domain, so, anyone can spoof his identity and send any message to the receiver. This makes it important for users employing public-key encryption to use digital signatures along with encrypted data to be assured of message authentication and non-repudiation. This can be achieved by combining digital signatures with an encryption scheme. There can be two cases, either to digitally sign first or to do encryption first. In cryptosystem based on sign first and then encrypt, it has one limitation that is the receiver can exploit this scheme by spoofing the identity of the sender and use it to cause manipulation. Hence, this scheme is not preferred. The process of encrypting and then sign is more reliable and widely adopted as illustrated in Fig. 3.5. The receiver first verifies the signature by using sender’s public key after receiving the encrypted data and signature on it. After the validation of the signature is ensured, the receiver then uses his private key to decrypt the received data.

Fig. 3.5

Encryption technique

3.4.4 Homomorphic Encryption

The traditional secret key sharing encryption schemes are not completely secure for critical information. While using the third-party service provider, the plaintext may be leaked throughout the data processing during the encryption and decryption algorithm. Thus, homomorphic encryption (HE) is required to maintain the privacy of the user’s text. HE is an encryption scheme that allows users to encrypt their information using cryptographic keys. It permits the third party to accomplish specific type of mathematical operations on the encrypted information without decryption, while maintaining the privacy of the users’ encrypted information [4]. In HE, the mathematical operation on the plaintext during encryption is equivalent to another operation performed on the ciphertext. The common homomorphic operation on the plaintext with a corresponding ciphertext operation are as follows:

Let \(E\left( {x_{1} } \right) = x_{1}^{e} \,{\text{and}}\,E\left( {x_{2} } \right) = x_{2}^{e}\), then

Addition homomorphism:

$$E\left( {x_{1} } \right) + E\left( {x_{2} } \right) = x_{1}^{e} + x_{2}^{e} = \left( {x_{1} + x_{2} } \right)^{e} = E\left( {x_{1} + x_{2} } \right)$$

Multiplication homomorphism:

$$E\left( {x_{1} } \right) \times E\left( {x_{2} } \right) = x_{1}^{e} \times x_{2}^{e} = \left( {x_{1} \times x_{2} } \right)^{e} = E\left( {x_{1} \times x_{2} } \right)$$

In HE, there are four procedures including the evaluation algorithm [5] as shown in Fig. 3.6. Let the input message tuple (\(x_{1} , x_{2} , \ldots x_{n} )\) with plaintext as P = {0,1} and Boolean circuit as C [4]. The HE process is as follows:

Fig. 3.6

Homomorphic encryption scenario

• \({\text{Gen}}\left( {1^{\lambda } , \alpha } \right)\) is the key generation algorithm with three output keys along with evaluation key \(\left( {sk,pk,evk} \right)\),

  $$\left( {sk,pk,evk} \right) \leftarrow KeyGen\left( \$ \right)$$

• Enc(pk,x) is the encryption algorithm that encrypts a message (x) with the public key (pk) and outputs a ciphertext c,

  $$c \leftarrow Enc_{pk} \left( x \right)$$

• \(Eval(evk,C,c_{1} ,c_{1} , \ldots ..c_{n} )\) is the evaluation algorithm that generates evaluation output by using \(evk\) key as i/p, a circuit \({C}\,{\epsilon}\,{C}\) and tuple of i/p ciphertext, i.e., \(c_{1} \ldots c_{n}\) and previous evaluation results,

  $$c^{*} \leftarrow Eval_{evk} (evk,C,c_{1} ,c_{2} , \ldots c_{n} )$$

• Dec(sk, c) is the decryption algorithm that decrypts a ciphertext or evaluation output (\(c^{*}\)) using the secret key (\(sk\)). It generates the actual message x as the output,

  $$x \leftarrow Dec_{sk} (c).$$

3.5 Cyber Security in Intelligent and Autonomous Vehicles

There is a security threat and cyber-attack in hardware such as computer networks and information system such as data, programs, and other services due to unauthorized access and weak protection against malicious entities. So, the cyber security in intelligent and autonomous vehicles can be a combination of physical security, threat modeling, information security, policies, standards, legislation, and risk mitigation strategies.

Figure 3.7 shows the security elements of the intelligent and autonomous vehicles in terms of physical and cyber security. The figure shows the vulnerable parts of the intelligent vehicles that are easily targeted by the malicious attackers by using different means at different levels and their impacts on the vehicle’s physical and cyber security [6]. The vehicles security elements are easily targeted by the attacker if proper prevention cannot be taken efficiently. The physical attack only affects the vehicle and its properties; however, the cyber-attack on the intelligent vehicle might have serious consequences that might not only lead to the privacy and identity theft but also may cost the life of the driver, if the attacker manipulates the traffic conditions by changing the directions. The vehicle elements can be secured by isolating different components by their functions, securing their interfaces with other components, safe guarding the in-vehicle networks and communication channels by adopting cryptographic techniques such as IDS and firmware updates.

Fig. 3.7

Security elements of autonomous vehicles

We need to consider that the malicious nodes are capable of breaking the IAV security. The malicious nodes can tamper the onboard unit (OBU) and other in-vehicle sensors and can intercept message exchange between the vehicles in in-vehicle communication. The malicious nodes can be an insider attacker that may attack both in-vehicle and inter-vehicle communication. There are several attacker models that have been demonstrated.

3.5.1 Cyber Security Framework

In 2019, National Standards and Technology Institute (NIST) has launched the updated version 1.1 of cyber security framework (CSF) for improving critical cyber security infrastructure and to help institutions on their path toward the development of secure computer systems as shown in Fig. 3.8 [7]. The framework is split into five parts, covering identifying risks and vulnerabilities, protecting and maintaining critical infrastructure, detecting cyber risks as early as possible, responding adequately to attacks and recovering as rapidly and effectively as possible. The updated framework provides a specific categorization and structural framework for institutions to describe their current cyber security position, state of cybersecurity, identify and prioritize security improvements, assess security progress, and plan regarding cybersecurity risks. The framework is not a common suitable solution to every field for critical infrastructure management of the cybersecurity challenges. Every field will have specific challenges and threats, different flaws, and varying tolerances of hazards. Likewise, in case of vehicular networks, the frameworks should be adopted according to the vehicular network challenges, threats, attacks, and environment. The five functions of the NIST framework ver. 1.1 are briefly discussed as follows:

Fig. 3.8

NIST cybersecurity framework 1.1 including five functions

1. 1.

   Identify: The data, equipment, processes, and resources that allow the institution or system to accomplish functions are identified and handled in accordance with their relative value to the institutional priorities and its risk strategy. Institutional threats, including internal and external ones, are identified and documented. The identified hazards, vulnerabilities, likelihoods, and effects are used to determine the risk. Risk assessment and management are carried out, and risk responses are identified and prioritized.

2. 2.

   Protect: It is necessary to develop and implement adequate protection to ensure delivery of critical infrastructure resources to protect the system from cyberattacks. The identities and credentials for approved devices, users, and processes are issued, managed, handled, checked, revoked, and audited. The user equipment and other assets are authenticated (e.g., single-factor, multifactor) according to the transaction threats (e.g., security and privacy risks for entities, and other institutional risks). Policies, protocols, and practice for the safety of information systems are preserved and used for administration. In accordance with relevant protocols, processes, and arrangements, the strategic security solutions are handled to ensure the security and stability of the networks and its facilities.

3. 3.

   Detect: In the detection step, anomalous behaviors are easily identified and the potential consequences of incidents are known before the occurrence of a cyber-attack event. To detect cybersecurity incidents and check the efficiency of protective measures, the information system and properties are monitored continuously. Detection process and methods are maintained to ensure prompt and effective detection of anomalous incidents.

4. 4.

   Respond: In case of respond step, appropriate actions are taken by implementing secure activities based on the detected cybersecurity event. Response procedures and mechanisms are taken to ensure timely response to observed cybersecurity incidents. Analysis is carried out to guarantee appropriate response and to facilitate restoration initiatives. The new response activities are improved by combining knowledge gained from current detection/response activities and previous ones. The response activities include analysis and mitigate the cyber threat as they are detected.

5. 5.

   Recover: In recovery step, the recovery measures and techniques are carried out and managed to guarantee that the networks or properties damaged by cybersecurity incidents are recovered in less time. The recovery plan is enforced before or after an incident with cyber security. Similar to the respond step, the recovery activities such as recovery process and planning are improved by combining knowledge gained from current activities into future activities. The recovery operations should be communicated with domestic and external participants like ISPs, attack device owners, perpetrators, other ISPs and service providers.

3.5.2 Cybersecurity Layers by Design

The security of a vehicle should be considered, including its feature specification from its very inception and during the design stages. The security by design should be in the first place to evade the security risks. Addressing security problems earlier guarantees the vehicle security systems and equipment as well as reduces risks of vulnerabilities at later stages. Cybersecurity must be implemented into the design instead of including at the end of the development phase. Therefore, incorporating cybersecurity into the design requires a suitable cybersecurity layer. The cybersecurity layers achieve defense in depth following the principle of least privilege cyber security. Some of the popular threats to cybersecurity includes viruses, worms, spyware, and ransomware. However, cyberattack strategies are constantly evolving and it is difficult to prevent the security system from these cyber-attacks by implementing only one layer. This implies a need for continuous monitoring and multiple security layers. A multilayered solution is designed to reduce attackers’ resources and entry points. The concept employs multiple layers instead of having only one layer of defense, making it harder for cyber attackers to execute successful attacks. There are five key technological cybersecurity layers that need to be considered to protect any company or organization against a cyber-attack as shown in Fig. 3.9.

Fig. 3.9

Cybersecurity layers by design

The summarized five layers of security layers providing robust security protection are as follows:

1. 1.

   Perimeter: The perimeter layer secures interfaces, such as a tamper-proof trust anchor, which link the vehicle to the outside world. The objective of this layer is to secure the external connection of the IAV by limiting physical access to the vehicle control system to prevent the hackers from hacking the system. The first protective layer provides protection to the telematics control unit (TCU) or onboard diagnostic (OBD) port by adding a secure feature to ensure maximum security.

2. 2.

   Network: The network layer controls access from external interfaces like Internet to the vehicle’s internal network by using a firewall. It separates the networks physically and electronically using the central gateway with firewall. If the hackers get access to the network, then they can spoof the messages and take control of the vehicle system. The gateway firewall isolates the network and allows only legitimate devices to communicate with other nodes. One of the important functions of firewall from the security point of view, besides isolation is that firewall separates the external network interfaces from the safety-critical internal vehicle network.

3. 3.

   Endpoint security: The endpoint security delivers secure connection between electronic components. This layer prevents communicating nodes against various in-vehicle networks data theft. This layer includes the intrusion detection and intrusion prevention schemes. This layer secures the networks with bus control and secure transceiver with cryptographic capabilities for message authentication. It is responsible for access management and keeps communication private and reliable by securing the transceivers.

4. 4.

   Application: This layer ensures the software running on the processor is authorized, legitimate, and trustworthy. It secures the microprocessor unit (MPU) and microcontroller unit (MCU) as well as responsible for the secure updates of the security features of the vehicles.

5. 5.

   Data: The data layer is the fifth layer of the multilayered security system of the vehicle system. The data security is very important because it contains all the information about the user, including his identity, bank accounts, medical history, his whereabouts, etc. The integrity, confidentiality, and reliability of the data of the user must be guaranteed. This layer provides the security of the user or vehicle information.

The detailed cybersecurity layers for vehicular system are presented in Chap. 4.

3.5.3 Threat Modeling Method (TMM)

There are several kinds of hacker and attackers in IAV. In fact, there are various attackers, with different motivations, skill levels, and resources. For example, there may be academic researchers who try to take partial control over the vehicle, for scientific reasons. In addition, there may be organized criminals with large budgets, who want to steal valuable data from a vehicle, for financial gain. However, the threats do not only originate from third parties, but also from the user himself by tuning the internal car circuits to unlock extra features or improve engine performance. Furthermore, different attack vectors may be mounted directly from the in-vehicle electronic system. Therefore, a threat modeling method (TMM) is required to investigate the potential threats or attacks so that the IAV system is fully secured from unknown attacks. The TMM provides a structured method to protect the vehicle software from potential attackers, including their intention and goals that is based on attack types and libraries [8]. The TMM is used to defend the cyber-physical system (CPS) from attackers taking advantage of the system’s weakness and detect the threats before they create severe damage. There are several types of TMM, but not all of them work for a specific threat. The decision on which type of TMM to use should be based on the requirement of the project. The TMM works well if it is used early during the system design phase. Two or more TMM can be combined together to create a strong view of potential threat.

In this section, we will briefly discuss only specific type of TMM that is useful in autonomous vehicles, according to the evaluation done by the team of CMU researchers [9]. The list of evaluation criteria for selecting the candidate TMM is strengths, weakness, applicability, adoptability, automation, and tailor ability. Table 3.4 lists the features and objectives of different types of TMM. The potential TMM based on the above-mentioned criteria is as follows:

Table 3.4 Features and objectives of different types of TMM

1. 1.

   STRIDE: The STRIDE stands for spoofing of personal identity, tampering information, repudiation, information revealing, denial of service, and elevation of privilege. STRIDE helps to identify and classify the threats to the vehicular system. It was adopted by Microsoft in 2002 and has evolved over time; however, Microsoft developed and use another threat model named damage potential, reproducibility, exploitability, affected users, and discoverability (DREAD) [10]. It is the most popular and commonly used TMM in CPS and is a software-centric model. STRIDE can be applied all entry points to identify the threats to the vehicle including threats from hardware attacks, e.g., tampering of onboard units, local storage, etc. After identifying the threats and vulnerabilities, STRIDE threat model can be used as a reference to know how the threats directly affects each of the vehicle assets identified earlier. The STRIDE threat model is shown in Fig. 3.10. The STRIDE threat includes:

   Fig. 3.10

   

   STRIDE threat model

   • Spoofing of personal identity—Illegal use of the victim’s authenticated information to access the device.

   • Tampering information—maliciously modifying the information of the device

   • Repudiation—Deny performing a malicious action. Non-repudiation is the ability to counter the repudiation attacks.

   • Information revealing—Disclosing the user confidential information to public

   • Denial of Service—Temporarily disable the device and/or deny services to the user, which can threaten the availability

   • Elevation of privilege—Hacker login to the system as an administrator

2. 2.

   PASTA: PASTA stands for process for attack simulation and threat analysis. It is a seven-stage threat model framework developed by Tony UcedaVelez in 2012. It is a risk-centric framework with attacker-centric perspective, which produces asset-centric output. Most of the TMM that we are going to discuss are based on data flow diagrams (DFDs). DFD is a part of the design phase of the development cycle that helps to identify system objects, boundaries, and events in the system. PASTA uses DFD in application decomposition layer. The PASTA utilizes risk and impact analysis that overcomes the weakness of LINDDUN and STRIDE.

3. 3.

   LINDDUN: LINDDUN stands for linkability, identifiability, non-repudiation, detectability, disclosure of data, unawareness, and non-compliance. It has six methodical steps that provide data security and privacy of information. It uses DFD for data flow of the system, and it iterates over all model elements to analyze and detect different types of threats. However, in LINDDUN, the system complexity increases as the number of threat grows rapidly that impacts the adversely on the general threat detection.

4. 4.

   Attack trees: In 1999, Bruce Schneider introduced the attack trees that depicts the diagram of attacks in tree form. The root of the tree is the goal while the branches are the methods to achieve that goal. The attack trees are used for security decision based on the evaluation of the specific type of attacks on the branches. It is easy to understand, use, and adopt as well as it can be combined with other methods such as STRIDE and PASTA.

5. 5.

   VAST: The VAST stands for visual, agile, and simple threat that is based on an automated threat-modeling platform called threat modeler. The VAST is scalable and applicable in big organizations that is based on application and operation threat models. The operational threat models use DFDs with an attacker’s perspective. It contributes to the risk management directly.

6. 6.

   Persona non Grata: The Persona non Grata (PnG) is a threat model that is based on the activity of the real human attacker. The PnG helps the security person to analyze the system’s vulnerabilities and weak points that assist in the early detection of the attacks. It helps in risk management as it is easy to adopt, but it can only detect a limited number of threats.

Adi et al. adapted the two threat modeling process TARA and STRIDE and implemented in the automotive industry for connected vehicles [11]. They presented the list of the most exposed areas of autonomous vehicles, with low-, medium-, and high-risk exposure. The verification is done using AUTOSAR and dedicated hardware. Similarly, Wenjun et al. implemented a connected vehicle threat model based on a tool called SecuriCAD and performed connected vehicle attack simulation [12]. The SecuriCAD is a threat modeling and risk management tool that helps user to model networks. The simulation engine is used to predict different attack success probability. The SecuriCAD attack simulation shows that the DoS attack on a drivetrain network is at high risks as shown in Fig. 3.11. The simulation results show that the firewall is the most vulnerable object found in the vehicle during the DoS attacks. It also shows that the attack can be prevented by improving the security rules of the FirewallKnownRuleSet.

Fig. 3.11

Generalized vehicular threat modeling by SecuriCAD [12]

3.5.4 HARA and TARA Safety and Security Methods

The advancement of intelligent and autonomous vehicles poses cyber security challenges and hazards to road and traffic safety. Securing automotive networks is one of the biggest challenges confronting the automobile industry experiencing a dramatic transition. The security engineering is required for the safety and security of the autonomous vehicles, and this can be achieved by threat modeling technique for security and risk analysis. The automotive functional safety standard organization ISO 26262 defines the road vehicles functional safety engineering and safety standards. It also defines hazards due to the automotive malfunction and introduced a method called hazard analysis and risk assessment (HARA). The HARA assessment is done by considering consequences of failure. It identifies hazards based on information on potential causes. The safety requirements can be divided into functional safety requirements and safety integrity requirements. Functional safety can be accomplished when each specified safety task is performed and the performance level needed for each safety function is met [13]. This is usually done by a method that involves following steps:

• Safety Function Identification: It is necessary to identify the required safety functions and threats.

• Safety function assessment: The Safety functions are required to access and reduce the risks; this involves the safety integrity level (SIL). A SIL refers not just to a feature or part of the system but an end-to-end safety function of the system. The SIL is designed to reduce the relative risk or specify the target level of risk reduction specified by a safety function. The European functional safety standard is established on the IEC 61508 specification that describes four SILs where the most reliable is SIL 4 and the least reliable is SIL 1. The automotive functional security standard (ISO 26262) requires at least automotive security integrity level (ASIL) specific safety features. ASIL is a risk classification method that is an adaptation of SIL. ASIL is used for safety measures specified to reduce the risk associated with potential hazards to an acceptable level.

• Safety function verification: Safety function verification validates if the assigned SIL meets the safety function. The verification function is carried out to decrease or eliminate the deviation to obtain acceptable safety level. The software accuracy, latency, and synchronization of vehicle dynamics should be validated to reduce safety hazards.

• Failure mode and effects analysis (FMEA): The critical or hazardous condition is defined from the FMEA and the failure mode effects and critical analysis (FMECA) of the system under test. Hence, FMEA is best tailored to new developments and improvements in goods and processes. The risk management allows for identifying key components and setting goals in error prevention. The safety engineering standards integrate FMEA and fault tree analysis (FTA) in the automotive domain.

• Functional safety audits activity: Investigate and analyze the proof that the correct life cycle management methods were systematically and extensively applied in the related life cycle phases.

The HARA process can be used for threat analysis that can be extended and adapted in cybersecurity field. In parallel view to HARA, the principle of safety requirements can be extended to security requirements, and therefore, an equivalent cybersecurity process is established for threat analysis and risk assessment (TARA) to identify possible cybersecurity attacks and risks linked to these attacks with security goals and functional requirements. TARA is based on ISO/IEC 27001 standards, which is an information security standard that manages the asset security. The TARA distinguishes and selects potential threats against the target vehicle that leads to security instances. Its objective is to protect the assets and prevent the system from threats and attacks. In concept phase, the emphasis is on the relationship between HARA and TARA and their coordination in defense system. In ISO 26262, automotive safety integrity level (ASIL) is used for safety measures specified to reduce the risk associated with potential hazards to an acceptable level [14].

Figure 3.12 shows the vehicles risk identification and classification based on functional safety and cyber security in terms of HARA and TARA methodologies.

Fig. 3.12

Classification of HARA and TARA safety—cybersecurity methods

3.5.5 Security and Privacy Threats in Vehicular Networks

There are several possible security attacks in intelligent autonomous vehicles, which are listed below:

• Fake information attack: The selfish attacker transmits fake information for his own benefits. For example, the attacker may transmit an emergency vehicle approach warning for his way on the road to be clear.

• Illegal preemption attack: During an emergency, if roadside unit (RSU) controls the traffic light then the attacker may lawlessly break out the traffic light via RSU for his own needs like the fake information attack.

• Message replay attack: The legitimate messages that were already sent by a valid source are sent again by fraudulent or malicious intention or with some delays to interfere the traffic.

• Integrity: It is one of the useful properties in securing the IAV. Integrity assures that the messages exchanged between two vehicles must not be tampered or go through any modification.

• Non-repudiation: Non-repudiation ensures that any message sent by a legal vehicle cannot deny the message or contents send by it.

• Access Control: Access control ensures reliability and security in the system by assigning responsibilities roles to the nodes. The roles are assigned to the authentic users of the system. For safety of the legal entities in the network, the misconducting entities are invalidated from the network.

• Privacy: Privacy ensures protection of personal information from illegal users. In IAVs, conditional privacy preservation is revealing the real identity of a vehicle to only authorized users of the network and concealing the real identity to other vehicles and infrastructure like RSU.

3.5.6 Autonomous Vehicle Cyber Security

Security should be the first priority in developing intelligent self-driving vehicles providing the highest standards, quality, and reliability. There is always a threat to the security of the autonomous vehicle since its creation. In other words, manufacturers can no longer solely rely on the physical protection offered by the vehicle’s chassis. The simple and most common security issue is vehicle theft and anonymity problem based on vehicle identity number (VIN) as well as fake use of license plate. In order to tackle this security threat, an effective security system was used which is based on the combination of central locking system, alarm, electronic/mechanical immobilizer, and tracker. However, with the advancement of technology, these security systems are not enough. The range of attacks that an IAV faces is extensive and diverse: it varies from relatively simple attacks, in which, for example, malicious messages are sent to a vehicle, to more sophisticated attacks in which hackers may open up ECUs and try to reverse engineer their microcontrollers and software.

Finally, the impact of a successful hacking attack may also widely differ. In certain cases, a hacker may target a specific vehicle, causing limited damage to that vehicle only. However, a hacker may also find an exploit that can be abused over complete control of vehicle. When attacks are easily reproduced by others, the hacker publishes tools and instructions on the Internet. Due to this, the attack impact and the financial damage are much larger. For example, a large-scale attack at random vehicles could easily have an economic impact, because it has the potential to interrupt the traffic in a large geographical region. In addition, the costs for vehicle manufacturers could be high, because of potential recalls and associated brand damage.

1. 1.

   Autonomous Vehicle Vulnerability Taxonomy

The big challenge for vehicle manufacturers is to implement solutions to prevent vehicle from wide variety of attacks by the hackers, with different motivations, resources, skill levels, and using many different attack vectors, in a cost-effective way. Security threats form a predominant undiscovered area for the automotive industry. Outside the automotive industry, standardized frameworks are used to get the customers in confidence by informing them that their security demands are protected, and they can easily trust the attributes of the product. However, the security researchers are successful in hacking the control system of Jeep Cherokee using the wireless connectivity of the vehicle’s entertainment system [15]. They compromised the CAN bus as well as other control functions such as braking systems and steering, by using the wireless communication like Bluetooth and Wi-Fi as attack vector. This shows that the security systems in the vehicles have not be properly implemented that might cause vulnerabilities in the vehicle control system. Therefore, it is essential to secure and protect the vehicle CAN bus system from vulnerabilities that send critical system information to other modules. The vulnerability is the weak point in the scheme that is misused by the malicious attacker in the form of attacks for their own advantages. The autonomous vehicle vulnerability taxonomy is shown in Fig. 3.13.

Fig. 3.13

Autonomous vehicle vulnerability taxonomy

The attack vectors are based on physical access and remote access. The attack vectors facilitate hackers to exploit the vehicular system vulnerabilities and gain access to the network to perform malicious activities. The attack vectors include Web sites, viruses, mail attachments, pop-up windows, SNS messages, chat rooms, and fake information. It is categorized into invasive and non-invasive methods. In case of invasive method, the attacker uses the onboard diagnostics (OBD2) port to interface with ECU and inject malicious code that gives the attacker access to unauthorized functions [16]. Similarly, the invasive attack may cause serious issues such as packet sniffing, fuzzing and spoofing that leads to falsifying information used by the vehicle’s system. An unauthorized user can attack the system and remotely access the vehicle based on user’s devices such as smartphones that are coupled to the infotainment system via Bluetooth or Wi-Fi technology, from external devices in proximity such as other V2X-equipped vehicles, or from the cloud.

It can target the critical objects and spoof the GPS information and provide false location information as well as cause jamming to the sensors that disrupt the vehicle sensors from getting critical information. The attacker can target different sensors such as LiDAR, radar, camera, ECU, GPS, and other in-vehicle communication system that can disrupt the proper functioning of the autonomous vehicle.

The consequences of the attacks are private information disclosure of the user. The attacker might take over the full control of the vehicle and the user cannot control the vehicle, which might have serious life threatening situation as well as loss of property.

1. 2.

   Autonomous vehicle defense taxonomy

Various automotive manufacturers, academia, and security companies propose the different solutions to combat numerous attacks and secure the in-vehicle networks, which is given in Fig. 3.14. The preventive countermeasures such as device and user authentication thwart the unauthorized users to access the in-vehicle system. Software security based on cryptographic algorithm such as encryption, signature, and digital certificate can prevent the ECU and CAN network from the attacker [17, 18]. The automotive manufacture can use asymmetric key cryptography for secure communication between different ECUs in the in-vehicle system. The firewall can be used to prevent the in-vehicle network by filtering harmful messages and blocking the malicious traffic sources in untrusted environment. In active defense system, continuous monitoring system is installed that keep track of all the logs and records all the activities of the system. Due to the vulnerabilities in the in-vehicle communication system, the attackers easily launch critical attacks remotely. So, continuous monitoring systems such as adaptive security and honeypots can be used to capture the log of the attacker and trace their activities that are vulnerable to the system. It can detect such malicious activities and can take proper action to prevent the in-vehicle system [19]. In case of passive defense system, Intrusion Detection System (IDS) and antimalware can be used to detect and eradicate the malicious code that has been injected by the malicious attacker into the ECU. In addition, each component should be isolated and independent from each other so that the attacker cannot easily hack into the system that are interconnected with each other. The isolation of the component ensures defense against harmful attacks from the attacker that might compromise the whole system. Moreover, the defense system should be recoverable from the attacks and should provide the trustworthy information at any time to the system for tracing back.

Fig. 3.14

Taxonomy of defense system in VANET

3.5.7 Connected Vehicle Security

The wireless interfaces in connected vehicle imposes the biggest security risks, because they open the door for remote attacks. The attacker does not need to be in direct proximity of the vehicle to gain access to its internal systems, the attacker can access the system remotely by breaching the wireless interfaces.

3.5.7.1 Components of IAV

The components of IAV can be classified into three categories based on the infrastructure, message content, and vehicular system. The classification helps in security assessment and risk analysis. The three categories are as follows:

1. i.

   Infrastructure: It consists of central entities, RSU, and other third parties such as transportation authority.

2. ii.

   Information content: It consists of different types of messages such as beacon, safety, and infotainment messages that help safe and secure driving of the IAV on the road.

3. iii.

   Vehicular system: It consists of vehicular nodes, driver and communication networks.

3.5.7.2 Vehicular Ad Hoc Networks Vulnerabilities

The IAV are vulnerable to different types of attacks where the malicious attacker exploits the vehicular communication network for their own benefit. The vulnerabilities are classified as shown in Fig. 3.15. The Vehicular Ad hoc Networks (VANET) is vulnerable to physical access by the attackers that has direct risk on the vehicle’s wireless communication capabilities as well as its sensing systems. The user’s privacy might be at risk if secure credentials are not used while exchanging information using wireless communications. Similarly, attackers might exploit the system to launch various attacks based on insecure cryptographic algorithm and inefficient key management. The sensitive messages like user information and safety messages are very important and should be secured all the time by using encryption mechanism. If information is not encrypted properly and there is weak integrity checks then the messages might be modified by the malicious attackers resulting in alteration or non-availability of the message. This vulnerability in information exchange might have negative impact on the system.

Fig. 3.15

Vulnerability taxonomy in VANET

Some of the major attacks in the vehicular system are jamming attacks, sensor impersonation attack, bogus information attack, remote access attack, physical attack, Malware attack, social engineering attack, privacy attack, eavesdropping attack, man-in-the-middle attack and wormhole attacks. The major attacks on information are eavesdropping, jamming attacks, impersonation attacks, MITM attacks, and spoofing attacks. Similarly, attacks on infrastructure are Sybil attacks and false message between central entity and RSU.

3.5.7.3 Privacy in VANET

In VANET communication, privacy and authentication are of utmost importance to provide full security to the vehicular nodes. The system verifies the identity of the vehicle user while providing privacy to the user’s private data, i.e., his private and confidential information will not be revealed. However, the user should be traceable by the authority in case of legal issues like accidents. Some of the privacy and authentication are similar with the one mentioned in Sect. 3.3. We will summarize some more privacy and authentication requirements for VANETs.

• Anonymity: Anonymity of the individual vehicular nodes should be maintained while communicating with other nodes or infrastructure so that his real identity is not disclosed as well as privacy is maintained. To preserve the identity privacy, the nodes should send the data anonymously so that his identity cannot be traced but in case of his malicious activity, his identity cannot be detected. Therefore, there is a trade-off between privacy and traceability.

• Anonymous authentication: The anonymous authentication protects unauthorized vehicular nodes from gaining access to the system and prevents from unauthorized attackers. We need to consider the privacy while designing anonymous authentication for the VANET nodes.

• Unlinkability: The real identity of the vehicular nodes should not be linked with his location or other parameters. The vehicle should use a temporary identity known as pseudo id, which is heterogeneous to the real identity of the vehicle. The temporary identity of the vehicle should change frequently overtime to achieve unlinkability. Even if the attacker tries to obtain his pseudo id, the attacker cannot relate them to the real identity that protects the vehicle from tracking.

Figure 3.16 shows the privacy based on authentication in VANET. It can be classified into three categories. They are identity-based authentication scheme, group signature-based, and cryptography-based scheme. We describe the three categories briefly below.

Fig. 3.16

Privacy in VANET

1. 1.

   Identity-based authentication scheme: The identity-based authentication scheme is based on cryptography and authentication that simplify the certificate management process by using vehicle’s identity while signing and verification of digital signatures. It reduces the communication overhead. It is of three types and they are as follows:

   • Pseudo-ID based: This scheme uses ID-based signature verification as well as self-generated pseudonyms with specifications of V2I and V2V authentication [20]. Likewise, dual pseudonymous authentication scheme has been presented earlier [21]. The vehicle receives first pseudonym from the trusted authority (TA), and it changes the pseudonym after certain period through RSU.

   • Batch verification based: In case of threat detection, the identity-based batch verification method for vehicle to RSU communication scheme provides the user privacy information to the system that can be traced back to the malicious user [22].

   • PKI and pseudonym based: A software-based solution was used for shared secret keys to maintain the privacy of the users. In addition, it has lower message overhead as compared to the previous versions [23].

2. 2.

   Group signature based: In a group signature-based scheme, the group signature ensures the source anonymity as well as the integrity of the information. Each member of the group anonymously signs the message before sending and can be verified easily. In addition, the identity of the each vehicle that signs the message can be revealed only by the manager of the group while maintaining the privacy of the vehicles [24].

3. 3.

   Cryptography-based scheme: This scheme utilizes the cryptography on the privacy-preserving authentication to preserve the vehicle anonymity, reduce the communication overhead, non-repudiation, and prevent from misbehaving vehicles. This scheme is of two types, i.e., symmetric key and asymmetric key based. In case of symmetric key-based scheme, they used the symmetric keys for message authentication [25]. Each vehicle uses shared group keys or own key for creating and verifying the message authentication codes (MAC). In case of asymmetric key-based scheme, public and private keys are used for group signing and creating digital signatures. It needs to connect to the RSU for verifying the certificates, to revoke keys for malicious vehicles or collect keys from new vehicles that are registered to the RSU [26]

3.5.8 Trust Management in VANET

Besides, security and privacy in VANET, researchers worked on several trust management system to ensure the message safety. In VANET, message safety is very crucial as the vehicles communicate with neighbor vehicles and infrastructure frequently. If the attacker changes the message content such as insert bogus message or falsified message, then it might cause serious damage to the network as the false message force the legitimate vehicles to take unsafe actions resulting in fatal accidents. An efficient trust management system should be developed that can prevent the message exchange in vehicular communication from malicious attackers in real time. It should be decentralized, scalable, robust, and maintain the vehicular node’s privacy. According to [27], the trust management system can be categorized into infrastructure-based, non-infrastructure-based, PKI-based, and non-PKI-based system as shown in Fig. 3.17.

Fig. 3.17

Classification of trust management system

The trust management schemes based on infrastructure use RSU or central authority for trust evaluation but without depending upon PKI such as TRIP [24] and RaBTM [25]. On the other hand, the trust management system based on infrastructure and PKI can effectively identify attacker with some degree of accuracy such as DTE [28], ESA [29], etc. There are researchers who work on solving the issues in message trustworthiness based on PKI but without depending upon the infrastructures [30]. The existing system has limitations such as single point of failure in infrastructure-based environment and consumes high computation capacity while using PKI and cryptography. Some researcher proposed trust management scheme that works in a distributed environment in an infrastructureless environment without using PKI that helps to overcome the limitation of the other trust management system [31, 27].

3.5.9 Blockchain as a Security in VANET

Blockchain is a distributed, decentralized immutable ledger that works in trustless environment. Some of the features of blockchain are anonymity, decentralization, transparency, immutability, traceability, and non-repudiation. Because of these features, blockchain has gained lots of attention from different sectors such as industry, academia, health, and financial sectors. Some of the popular blockchain technologies are bitcoin, ethereum, litecoin, etc. As the vehicle is becoming intelligent and autonomous, they exchange data for communicating with different sensors as well as peer vehicles and infrastructures in intelligent transportation system. The message exchange between the vehicles is vulnerable to different types of attacks as the vehicles do not trust each other. The blockchain can be a solution to secure the communication between untrusted vehicular nodes in VANET. The blockchain is considered to tolerate the untrustworthy vehicles within the network because of the use of consensus protocol in the trustless environment. There are three major types of blockchain as shown in Fig. 3.18.

Fig. 3.18

Types of blockchain in VANET

1. 1.

   Public blockchain: The public blockchain is a global blockchain where any nodes can join the network, read, write, and participate in the consensus mechanism such as proof of work (PoW), and proof of stake (PoS) to determine if new block is added to the blockchain and know the current state of the blockchain. It is fully decentralized and secure as all the participating nodes verify the transactions in the blockchain. However, it is inefficient and consumes power as well as time because all the participating nodes should verify the transactions.

2. 2.

   Private blockchain: The private blockchain is a blockchain which is controlled by a single highly trusted owner of the blockchain. It is partially decentralized network. The nodes need permission to participate and access the blockchain. The nodes require authorization to read and write the information onto the blockchain and public auditability can be restricted. This type of blockchain is efficient because the blockchain owner does the verification. However, the single controlling power might lead to 51% attack in the network.

3. 3.

   Consortium blockchain: The consortium blockchain is a kind of hybrid blockchain, which is the combination of public and private blockchain. It is also partially decentralized network. Only few predetermined nodes control the consensus mechanism. They have authority to read, write, and verify the blocks in the blockchain. The selection of predetermined nodes varies for different entity on the blockchain. The advantage lies in between the public and private blockchain where it takes relatively lower time to verify the transactions by the predetermined nodes.

In VANET, although several security mechanisms have been proposed to solve the security issues, the privacy and trust management issues are still of major concern. Other security mechanisms are successful in securing the vehicular communication from external attacks but not the internal attacks as the forged messages are difficult to solve. There are some attacks that analyzes the broadcasted messages between the vehicles and forge or modify the message that cause severe effects such as deroute the vehicle from its original destination and event serious accidents. Thus, the blockchain can be used to store the event logs as transactions including vehicle node trustworthiness and message trustworthiness in the blocks of blockchain that acts as a ground truth for forensics when there is a serious accident [32]. Several researchers have used blockchain technologies in vehicular networks based on cryptocurrencies such as bitcoin [33] and ethereum [34] while other have modified or proposed a new type of blockchain [32] suitable for vehicular networks. Similarly, overlay network based on block chain technology has been proposed in automotive security [10]. The overlay networks use some nodes that can manage blocks called overlay block managers in the blockchain. The nodes in overlay network have cluster heads that operates and manages the blockchain. Rowan et al. proposed blockchain for securing intelligent vehicles communication based on acoustic channel and visible light communication [35]. They have used different types of communication for securing the intelligent vehicle that is based on public blockchain and side channels using session cryptographic keys. Alternative distributed ledger systems have developed with entirely different methods of consensus mechanisms, such as directed acyclic graphs (DAGs), which no longer require the formation of a block chain, but rather use alternative cryptoeconomic methods to achieve consensus. For instance, projects such as “IOTA,” “Byteball,” or “Nano.” The authors in [36] proposed IOTA-VPKI, a vehicular PKI (VPKI) based on IOTA distributed ledger technology (DLT) that enhances the state of the art and eliminates a single point of failure with seamless user scalability. Several works have been done in intelligent and autonomous vehicle using blockchain and details can be found in Chap. 6.

3.6 Summary

In this chapter, we discuss about the automation, intelligence, and connectivity in IAV and their implementation concerning safety, security, and privacy. The malicious attackers use different means of attack strategies at different levels, and it severely affects the vehicle’s physical and cyber security system. The malicious nodes can tamper the vehicle sensors such as onboard systems, in-vehicle sensors and can intercept message exchange between the vehicles. The malicious nodes can be an insider attacker that may attack both the in-vehicle and inter-vehicle communication. Several attacker models have been demonstrated. It provides some of the security and privacy threats such as fake information attack, message replay attack, integrity, non-repudiation, access control, and privacy attack. The vulnerability is the weak point in the autonomous vehicle system that is misused and easily attacked by the attackers for their own advantages. A detailed autonomous vulnerability taxonomy of the vehicles is given, and solution mechanisms such as preventive, active, and passive defense are also provided. It also deals with the privacy of the autonomous vehicles. Some of the privacy measures discussed are cryptography-based schemes, trust management schemes, and blockchain schemes.