
Safe and secure deployment of AVs

By Dr. Dennis Kengo Oka, Principal Automotive Security Strategist, Synopsys Software Integrity Group

To transform urban mobility in Singapore, the Land Transport Authority (LTA) has outlined a roadmap for the deployment of autonomous vehicles (AVs) in the country, which are an integral part of a smart nation. There are three phases defined in the AV deployment roadmap. The first phase involves trials in controlled environments such as training facilities in a closed area. The second phase is deployment on limited public roads with a safety operator available to take over if the vehicle is unable to handle certain situations. The third phase is deployment on public roads with a safety driver in a limited capacity or even without a safety driver. 

A set of updated provisional national standards, known as Technical Reference 68 (TR68), was recently released in Singapore to guide the deployment of safe and secure AVs. 

TR68 consists of four parts covering comprehensive guidance for AV developers and AV operators. The first part is on the basic behavior of AVs covering topics on Dynamic Driving Task (DDT) and Automated Driving System (ADS). The second part focuses on safety guidance for AVs including design, production, and safe operation. The third part covers cybersecurity, focusing on a cybersecurity assessment framework. The fourth part is on vehicular data types and formats related to data recorded for automated driving, HD mapping, and V2X information exchange.

Potential cybersecurity risks of AVs

In mere decades, vehicles have evolved from using mechanical systems to electrical/electronic systems. And in the last few years, vehicles have progressed to software-based systems, with AVs as the next natural step in the evolution. 

However, while AVs provide many benefits and allow for improved user experiences, there are also cybersecurity risks that need to be considered. A semi-autonomous vehicle can contain more than 300 million lines of code, and it is estimated that a fully autonomous vehicle will contain more than 1 billion lines of code. The rapid growth of these software codebases, combined with the use of new and advanced technologies and interfaces such as AI (artificial intelligence), Lidar, sensors, cameras, V2X, and 5G, leads to an increased attack surface on AVs. For example, AVs use sensors and cameras to gather input about their surroundings and process that input with AI to make decisions that control steering, braking, and acceleration. It is important to note that attackers can deliberately target these attack surfaces by providing malicious inputs.

Figure 1: AVs using various inputs processed by AI to make decisions for vehicle control

If an attacker can take control or disrupt control of one or several AVs traveling at high speeds on a highway, it could lead to disastrous safety consequences. Besides an impact on safety, successful cybersecurity attacks may also have financial or privacy ramifications. For example, AVs may contain sensitive and valuable data such as pre-registered home and work destinations and recently traveled routes. Additionally, AVs may store camera images showing the surroundings of the vehicle, including your home or workplace.

TR68 Part 3 as a cybersecurity framework

While other cybersecurity standards such as ISO/SAE 21434 and regulations such as UN R155 exist that organizations can use to establish a cybersecurity baseline, TR68 focuses specifically on AVs. In particular, TR68-3:2021 “Autonomous vehicles – Part 3: Cybersecurity principles and assessment framework” describes two levels of safeguards for the secure deployment of AVs.

The first safeguard provides high-level cybersecurity principles for AV developers and AV operators to manage cybersecurity throughout the lifecycle of an AV, including design, development, operations, maintenance, and decommissioning. This part of TR68 provides general cybersecurity principles applied to AV systems, such as security-by-design, defense-in-depth, continuous operational management and oversight, and resiliency. It is imperative that the security-by-design and defense-in-depth principles in particular are followed in the design phase, so that appropriate security controls are considered early in the development process. Adding security during the later stages of development is often costly, and the design may limit the type of security controls that can still be applied.

The second safeguard describes a framework for cybersecurity assessment by an independent third-party assessor. This framework provides general assessment principles and a methodology for the cybersecurity assessment process. In addition, TR68 Part 3 provides step-by-step guidance on the assessment process. For example, a threat analysis and risk assessment should be performed to identify threats to the AV and the high-risk areas that should be targeted during cybersecurity testing. The framework also gives examples of cybersecurity testing methods, including vulnerability analysis, vulnerability scanning, fuzz testing, and attack simulation. This additional safeguard adds a secondary layer to improve cybersecurity, in which an independent third party is able to discover vulnerabilities that may have been missed by an AV developer or AV operator.

Figure 2: Threat analysis and risk assessment, and cybersecurity testing as part of the AV cybersecurity assessment framework

Performing the activities described for these two levels of safeguards will help AV developers and AV operators with the deployment of secure AVs.

Safe and secure AV testbed in Singapore

TR68 applies to the deployment of AVs in Singapore. However, many AV developers worldwide are looking at using Singapore as a testbed for AVs, adopting TR68 during development and testing. After AV testing is completed in Singapore, these AVs may then be deployed in other countries. Thus, it is important to note that the impact of TR68 would go beyond Singapore.

The development of AVs has gained traction in Asia in the past few years. In 2019, Volvo and NTU started trials of the world’s first full-size, autonomous bus in Singapore. Woven Planet, a subsidiary of Toyota, acquired the self-driving division Level 5 from Lyft and also recently acquired Renovo Motors to enhance their automated vehicle software. During the Tokyo Olympic and Paralympic Games 2020, Toyota deployed AV shuttles to transport staff and athletes around the athletes’ villages. In China, Baidu has been testing robot taxis in several major cities, including Shanghai. Earlier this year, Baidu launched the first driverless taxi service in Beijing. 

The development and deployment of AVs will continue rapidly, ranging from shuttles, buses, and trucks to passenger vehicles. As more advanced technologies and more software are used in AVs, safety and security become paramount. TR68 is a first step in providing guidance to help AV developers and AV operators in the development and deployment of safe and secure AVs.

Synopsys is an American electronic design automation company that focuses on silicon design and verification, silicon intellectual property and software security and quality.