MADISON, Wis. -- In the conversation about automotive security, scare tactics might work with some gullible consumers, but they don't seem to work very well on penny-pinching automotive manufacturers. (And here, I'm not even talking about the born skeptics among the engineering crowd in EE Times' community.)
"To become security-aware takes a big learning curve," said Björn Steurich, senior manager of Automotive Systems Group in the automotive division at Infineon Technologies (Munich).
"Every industry has to go through the cycle, and it takes many years for both OEMs and the whole [automotive] eco-system" to reach that point, noted Martin Klimke, principal of technical marketing, Chip Card & Security division at Infineon.
For instance, the PC industry responded by developing Trusted Platform Modules (TPM). Similarly, the banking industry invested heavily in secure chip cards more than a decade ago. Taiwan, in particular, where the industry faced a high fraud rate, was among the first to embrace the practice. Industrial control systems also must react to cyber-security issues.
But it clearly takes more than a paper by university scholars, said Klimke, to justify a business case for security among automotive OEMs. (Klimke was referring to a 2011 paper, entitled as "Comprehensive Experimental Analyses of Automotive Attack Surfaces," written by researchers at the University of Washington and the University of California at San Diego.)
At this moment, no tragic automotive accident caused by external attacks has happened yet, he explained. So, it's really hard for anyone to measure the safety impact of extra security measures. With or without such enhancements, "the car operates just the same," he added.
So, do we conclude that the auto industry is waiting for some day of catastrophic reckoning before their taking any action?
No, not necessarily.
But to win over car companies to tighter automotive security, "we must offer scalable and flexible solutions," Steurich stressed. "We need to make sure that it is what's required and what's paid for."
Infineon, the world's second largest automotive chip company, has been working with a number of US and European car OEMs, tier-one module suppliers and engineering service providers. The needs in automotive security expressed by European auto companies (especially in Germany) are "hardware security, primarily driven out of anti-theft, anti-fraud, anti-tuning measures," said Steurich. For example, these OEMs are worried about things like odometer fraud and unauthorized engine tuning.
Meanwhile, US automotive OEMs are looking for microcontroller security, largely due to their concerns, or fear, of someone hacking into their cars, he added.
Breaking down attacks
Anticipating potential attacks on security controllers in a car, Infineon categorized them in four classes ranging from "logical" and "observing" to "semi-invasive" and "manipulating" attacks. The level of sophistication, time and cost to develop such attacks (and actually executing them) vary from one class to another.
Infineon anticipates different types of automotive security attacks
Types of attacks include: local attacks focused on "command abuse" and the development of "spike attacks" by hackers' observing. Hackers could also work on "power analysis" resulting in semi-invasive attacks, or moving up to "micro probing" to manipulating security controllers.
Infineon's strategy is to address each different classe of attacks with different chip solutions. Here, Infineon firmly believes that the company has a leg up against its competitors (such as NXP Semiconductors, which leads the smart card chip market but has become over the years more selective about its automotive electronics product line, and Freescale Semiconductor which currently offers no smart card chips) because it can offer both "scalability and flexibility" by leveraging "Infineon's 40 years of experience in automotive-grade electronics and 15 years of experience in the smart card chip market," claimed Steurich.