May 20, 2018

Threat Modelling for Automotive – Part 3


Automotive Ethernet is a wired physical-layer network used to connect components within a car. It is designed to meet the needs of the automotive market, including electrical requirements (EMI/RFI emissions and susceptibility), bandwidth, latency, time synchronisation, and network management requirements.

To fully meet automotive requirements, multiple new specifications and revisions to existing specifications are being worked on in the IEEE 802.3 and 802.1 groups.

Until those specifications get through the IEEE, there are some interim specifications sponsored by special interest groups, such as:

  • The OPEN (One-Pair Ethernet) Alliance, which is sponsoring Broadcom's 100Mbps BroadR-Reach solution as a multi-vendor licensed solution. This 100Mbps PHY implementation uses technologies from 1G Ethernet to enable 100Mbps transmission over a single pair in both directions (using echo cancellation), with more advanced encoding to reduce the base frequency to 66MHz (from 125MHz), allowing Ethernet to meet the automotive EMI/RFI specs.
  • AVnu, which adopted the Audio-Video Bridging (AVB) standards ahead of the IEEE 802.1 standardisation process.

1. Why Ethernet Was Not Used in Cars Before

Even though Ethernet has existed for decades, it could not previously be used in automobiles because of the following limitations:

  1. Ethernet did not meet the OEM EMI/RFI requirements for the automotive market. 100Mbps (and faster) Ethernet emits too much RF noise, and Ethernet is also susceptible to "alien" noise from other devices in the car.
  2. Ethernet could not guarantee latency down to the low-microsecond range. Such latency is required to replace the links to any sensor or control that needs a fast reaction time.
  3. Ethernet had no way to control bandwidth allocation between different streams, so it could not carry shared data from multiple types of source.
  4. Ethernet had no way of synchronising time between devices so that multiple devices could sample data at the same moment.

2. Drivers for Automotive Ethernet

The electronics in a car are getting more complicated, with more sensors, controls and interfaces that have higher bandwidth requirements. The different computers and domains in the car increasingly need to communicate with one another. The complexity, cost and weight of wiring harnesses have increased to the point that the wiring harness is the third costliest and third heaviest component in a car.

Today, multiple different proprietary communication standards are used, with each component typically using a dedicated wire or cable. By moving to a single standard, the communications from all the different components can coexist on the same switched Ethernet network, with a single pair running from a central switch to each location in the car. A joint study by Broadcom and Bosch estimated that using "unshielded twisted pair (UTP) cable to deliver data at a rate of 100Mbps, along with smaller and more compact connectors can reduce connectivity cost up to 80 percent and cabling weight up to 30 percent."

3. Anatomy of Future Car Electronics Using Automotive Ethernet

The diagram below shows the estimated progression of Automotive Ethernet from today (1st generation) through 2020 (3rd generation).

Figure 15. Automotive Ethernet in future Generation


With that background in place, we have the detail needed to design a threat model for a car. We will use the Microsoft Threat Modeling Tool to build the model. The Threat Modeling Tool is a core element of the Microsoft Security Development Lifecycle (SDL). It allows software architects to identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve, which greatly reduces the total cost of development. The tool was also designed with non-security experts in mind, making threat modelling easier for all developers by providing clear guidance on creating and analysing threat models.

The tool enables us to:

  • Communicate about the security design of a system
  • Analyze those designs for potential security issues using a proven methodology
  • Suggest and manage mitigations for security issues

Here are some tooling capabilities and innovations, just to name a few:

  • Automation: Guidance and feedback in drawing a model
  • STRIDE per Element: Guided analysis of threats and mitigations
  • Reporting: Security activities and testing in the verification phase
  • Unique Methodology: Enables users to better visualize and understand threats
  • Designed for Developers and Centered on Software: many approaches are centered on assets or attackers; this tool is centered on software. It builds on activities that all software developers and architects are familiar with, such as drawing pictures of their software architecture.
  • Focused on Design Analysis: The term “threat modeling” can refer to either a requirements or a design analysis technique. Sometimes, it refers to a complex blend of the two. The Microsoft SDL approach to threat modeling is a focused design analysis technique.

We will be using the Automotive Threat Modelling Template provided by NCC Group. The Automotive Threat Modelling (TM) Template was created using the Microsoft (MS) Threat Modelling Tool 2016, and therefore threat models are created using this product. A threat modelling workshop for automotive-related technologies requires DFDs with custom elements, tailored threats and specific recommendations. The lack of a specific template for automotive threat modelling brought about the development of the Automotive TM Template, which takes advantage of a feature in the MS Threat Modelling Tool 2016 that allows the creation of entirely new customised templates.
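To make the "STRIDE per Element" step above concrete, and to show what a template with custom automotive elements and trust boundaries gives the tool to work with, here is a small re-implementation of that rule in Python. This is an added example; it is not code from the post, from the Microsoft Threat Modeling Tool or from the NCC Group template. The element names (diagnostic tool, gateway ECU, brake ECU, fault log), the trust zones, the flows and the mitigation hints are all constructed for illustration; only the per-element-type STRIDE chart is Microsoft's published mapping.

```python
"""STRIDE-per-element over a small automotive data-flow diagram (DFD).

Added example: a minimal re-implementation of the STRIDE-per-element rule
that the Microsoft Threat Modeling Tool applies when it reads a DFD, so the
mechanics are visible outside the GUI. The sample model below is constructed
for illustration; the NCC Group template carries its own elements and threats.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Microsoft's STRIDE-per-element chart: categories that apply to each DFD
# element type. S=Spoofing T=Tampering R=Repudiation I=Information disclosure
# D=Denial of service E=Elevation of privilege.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",  # R only when the store holds logs or audit data
}

CATEGORY_NAMES: Dict[str, str] = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Illustrative (assumed, generic) hints for flows crossing a trust boundary.
BOUNDARY_FLOW_HINTS: Dict[str, str] = {
    "Tampering": "authenticate frames (MAC) and validate inputs at the receiver",
    "Information disclosure": "encrypt or minimise the data crossing the boundary",
    "Denial of service": "rate-limit and filter at the gateway",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str          # one of the STRIDE_PER_ELEMENT keys
    zone: str          # trust zone; a flow between two zones crosses a boundary
    holds_logs: bool = False


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool
    hint: str


def threats_for_element(e: Element) -> List[Threat]:
    """Expand one element into the STRIDE categories its type is exposed to."""
    cats = STRIDE_PER_ELEMENT[e.kind]
    if e.kind == "data_store" and not e.holds_logs:
        cats = cats.replace("R", "")  # nothing to repudiate without a log
    return [Threat(e.name, CATEGORY_NAMES[c], False, "") for c in cats]


def threats_for_flow(f: Flow) -> List[Threat]:
    """Data flows get T, I, D; those crossing a trust boundary are flagged."""
    crosses = f.src.zone != f.dst.zone
    target = f"{f.name} ({f.src.name} -> {f.dst.name})"
    out = []
    for c in STRIDE_PER_ELEMENT["data_flow"]:
        name = CATEGORY_NAMES[c]
        out.append(Threat(target, name, crosses, BOUNDARY_FLOW_HINTS[name] if crosses else ""))
    return out


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Full STRIDE-per-element pass; boundary-crossing threats sort first."""
    threats: List[Threat] = []
    for e in elements:
        threats.extend(threats_for_element(e))
    for f in flows:
        threats.extend(threats_for_flow(f))
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.target, t.category))


def sample_model() -> Tuple[List[Element], List[Flow]]:
    """Constructed DFD: diagnostic tool -> gateway ECU -> brake ECU -> fault log."""
    tool = Element("Diagnostic tool", "external_entity", "outside vehicle")
    gateway = Element("Central gateway ECU", "process", "body network")
    brake = Element("Brake ECU", "process", "safety domain")
    log = Element("Fault log", "data_store", "safety domain", holds_logs=True)
    flows = [
        Flow("OBD-II diagnostic request", tool, gateway),  # crosses a boundary
        Flow("Routed UDS request", gateway, brake),        # crosses a boundary
        Flow("Fault record write", brake, log),            # same zone
    ]
    return [tool, gateway, brake, log], flows


def report(threats: List[Threat]) -> List[str]:
    """One line per threat; '*' marks a threat on a boundary-crossing flow."""
    lines = []
    for t in threats:
        flag = "*" if t.crosses_boundary else " "
        suffix = f"  -> {t.hint}" if t.hint else ""
        lines.append(f"{flag} {t.category:<24} {t.target}{suffix}")
    return lines


if __name__ == "__main__":
    els, fls = sample_model()
    for line in report(enumerate_threats(els, fls)):
        print(line)
```

Running the script lists 27 candidate threats for the four elements and three flows, with the six threats on the two boundary-crossing flows (diagnostic tool into the gateway, gateway into the safety domain) sorted to the top. That ordering is the point of drawing trust boundaries on the DFD in the first place: the tool, and this script, treat a flow that crosses one as the place to spend review time first. The real template adds automotive element types and its own tailored threat text on top of the same per-element rule.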

1. Setting Up the Environment

Each entity in the automotive threat modelling template has its own set of properties, so each entity used in the threat model needs to be set up according to its configuration. You can view these properties in the following diagram:

Figure 1. Setting up the entity environment


Figure 2. DFD diagram

Figure 3. Top-layer view of automotive cars


Figures 4 to 7 (images not reproduced on this page)

Thus the Microsoft Threat Modelling Tool provides a good way to analyse threats, and the NCC Group template is well suited to threat modelling in the automotive domain.

I hope you enjoyed! Please do share and comment.

Parminder Singh


