This article describes both a concept and an implementation of vehicle safe-mode (VSM) - a mechanism that may help reduce the damage of an identified cyberattack to the vehicle, its driver, the passengers, and its surroundings. Unlike other defense mechanisms that try to block the attack or simply notify of its existence, the VSM mechanism responds to a detected intrusion by limiting the vehicle’s functionality to safe operations and optionally activating additional security countermeasures. This is done by adopting ideas from the existing mechanism of Limp-mode that was originally designed to limit the damage of a mechanical, or an electrical, malfunction and let the vehicle “limp back home” in safety. Like Limp-mode, the purpose of safe-mode is to limit the vehicle from performing certain functions when conditions arise that could render full operation dangerous: Detecting a malfunction in the Limp-mode case is analogous to detecting an active cybersecurity breach in the safe-mode case, and the reactions should be analogous as well. The authors demonstrate that the VSM can be implemented, possibly even as an aftermarket add-on: to do so the authors developed a proof-of-concept (PoC) system and actively tested it in real time on an operating vehicle. Once activated, the authors' VSM system restricts the vehicle to Limp-mode behavior by guiding it to remain in low gear, taking into account the vehicle’s speed and the driver’s actions. The authors' system does not require any changes to the electronic control units (ECUs), or to any other part of the vehicle, beyond connecting the safe-mode manager (SMManager) to the correct bus. The authors note that their system can rely upon any deployed anomaly-detection system to identify the potential attack. The authors point out that restricting the vehicle to Limp-mode-like behavior by an aftermarket system is just an example. If a car manufacturer would integrate such a system into a vehicle, they would have many more options, and the resulting system would probably be safer and with a better human-machine interface.

Vehicle Safe-Mode, Concept to Practice Limp-Mode in the Service of Cybersecurity / Dagan, Tsvika; Montvelisky, Yuval; Marchetti, Mirco; Stabili, Dario; Colajanni, Michele; Wool, Avishai. - In: SAE INTERNATIONAL JOURNAL OF TRANSPORTATION CYBERSECURITY AND PRIVACY. - ISSN 2572-1046. - 3(1):(2020), pp. 19-39. [10.4271/11-02-02-0006]

Vehicle Safe-Mode, Concept to Practice Limp-Mode in the Service of Cybersecurity

Tsvika Dagan;Mirco Marchetti;Dario Stabili;Michele Colajanni;
2020

Abstract

This article describes both a concept and an implementation of vehicle safe-mode (VSM) - a mechanism that may help reduce the damage of an identified cyberattack to the vehicle, its driver, the passengers, and its surroundings. Unlike other defense mechanisms that try to block the attack or simply notify of its existence, the VSM mechanism responds to a detected intrusion by limiting the vehicle’s functionality to safe operations and optionally activating additional security countermeasures. This is done by adopting ideas from the existing mechanism of Limp-mode that was originally designed to limit the damage of a mechanical, or an electrical, malfunction and let the vehicle “limp back home” in safety. Like Limp-mode, the purpose of safe-mode is to limit the vehicle from performing certain functions when conditions arise that could render full operation dangerous: Detecting a malfunction in the Limp-mode case is analogous to detecting an active cybersecurity breach in the safe-mode case, and the reactions should be analogous as well. The authors demonstrate that the VSM can be implemented, possibly even as an aftermarket add-on: to do so the authors developed a proof-of-concept (PoC) system and actively tested it in real time on an operating vehicle. Once activated, the authors' VSM system restricts the vehicle to Limp-mode behavior by guiding it to remain in low gear, taking into account the vehicle’s speed and the driver’s actions. The authors' system does not require any changes to the electronic control units (ECUs), or to any other part of the vehicle, beyond connecting the safe-mode manager (SMManager) to the correct bus. The authors note that their system can rely upon any deployed anomaly-detection system to identify the potential attack. The authors point out that restricting the vehicle to Limp-mode-like behavior by an aftermarket system is just an example. If a car manufacturer would integrate such a system into a vehicle, they would have many more options, and the resulting system would probably be safer and with a better human-machine interface.
2020
3(1)
19
39
2-s2.0-85096672809
Vehicle Safe-Mode, Concept to Practice Limp-Mode in the Service of Cybersecurity / Dagan, Tsvika; Montvelisky, Yuval; Marchetti, Mirco; Stabili, Dario; Colajanni, Michele; Wool, Avishai. - In: SAE INTERNATIONAL JOURNAL OF TRANSPORTATION CYBERSECURITY AND PRIVACY. - ISSN 2572-1046. - 3(1):(2020), pp. 19-39. [10.4271/11-02-02-0006]
Dagan, Tsvika; Montvelisky, Yuval; Marchetti, Mirco; Stabili, Dario; Colajanni, Michele; Wool, Avishai
File in questo prodotto:
File Dimensione Formato  
VSM_Journal-R2.pdf

Accesso riservato

Descrizione: Articolo principale
Tipologia: Versione originale dell'autore proposta per la pubblicazione
Dimensione 568.39 kB
Formato Adobe PDF
  Visualizza/Apri   Richiedi una copia
568.39 kB Adobe PDF   Visualizza/Apri   Richiedi una copia
Pubblicazioni consigliate

Licenza Creative Commons
I metadati presenti in IRIS UNIMORE sono rilasciati con licenza Creative Commons CC0 1.0 Universal, mentre i file delle pubblicazioni sono rilasciati con licenza Attribuzione 4.0 Internazionale (CC BY 4.0), salvo diversa indicazione.
In caso di violazione di copyright, contattare Supporto Iris

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11380/1217783
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 3
  • ???jsp.display-item.citation.isi??? ND
social impact