Truck & Off-Highway Engineering - October 2021 - 20

DEFENDING THE
HEAVY-VEHICLE
CYBER
DOMAIN
" Cybersecurity tends
to not be a profit
generator. "
- Dr. Jeremy Daily,
Colorado State University
industry standards, " he said. " We've got things like [SAE] J1939 that
is fundamentally not secure. You can send a command to the engine
or the transmission requesting more torque, and it's very simple to
do and it's published. "
The issue spreads throughout the entire supply chain. " Things that
we can do as product developers are limited by the microprocessors
we have to work with and their capabilities, " York said. " And there's
only a handful of micros that all of us can use that are suitable for an
automotive environment, particularly on engine. So, getting things that
have the crypto-capability and resources to do the things that you
need to do is challenging. It's coming along - the things that we're
developing today are a lot better than the things we had 10 years ago. "
CAN FD (flexible data rate) can help with the growing need to exchange
more information in a secure environment. " It provides a
larger payload, " Daily said. " With a larger payload, you can better
implement cryptographic primitives, [but] you can screw up protocols
and solve the wrong problem just as easily with CAN FD as you
can with [traditional CAN]. It's very much an implementation issue as
opposed to an underlying technology. "
" What CAN FD provides is the capacity to solve the problem, " York
added. " If you look at CAN FD and Ethernet, you have a lot more
space to work in than a CAN with an 8-byte frame. " With CAN FD,
the message payload size has been increased to 64 bytes of data in
each CAN-frame/message.
The experts agreed that nefarious actors gaining wireless access to
a fleet of vehicles, for example, is more worrisome than someone
gaining physical access to a single vehicle. " Is it possible to create
havoc touching a vehicle? Certainly. But the scope of it is onesiestwosies, "
Heimer said. " Threat actors tend to go for longer range,
greater bandwidth. " From a risk perspective, that is the greater concern
for manufacturers and fleet owners.
Telematics vendors such as Geotab and Omnitracs have participated
in the CyberTruck event and offer some perspective on potential
threats. " Students always ask me, 'what keeps you up at night?'
Remote attacks and attacks at scale, " York said. " If you can shut
down an entire fleet or an entire brand of telematics, that would be a
Colonial Pipeline type of thing. "
20 October 2021
Future CyberTruck courses will increasingly address electric and
autonomous vehicles and the unique cyber threats they pose.
Attackers chain things together, so physical access
could initiate a snowball effect, York explained. " You can
learn things with physical access and then go find a vulnerability
in a telematics system that lets you get access to
the truck and CAN to send messages that cause an ECU to
stop working or reset. And then if you've got a vulnerability
in the wireless carrier that allows you to enumerate the
serial numbers of all the vehicles, then you can scale it. "
Service technicians can serve as unwitting accomplices
who provide access. " You should probably be
drawing your system boundary around that service
technician, which makes your attack surface that much
bigger, " Daily said. " You're not compromising an ECU
anymore, you're compromising their Windows computer.
If I were advising a nation state on how to go
attack trucks, I would say leverage your cyber insider,
which is the technician. "
Protecting electric and
autonomous trucks
Electrification and autonomy are driving increased vehicle
complexity, which undoubtedly will complicate efforts
to combat cyberattacks. " I'd say it's going to go to a
whole new level, especially through your wireless-communication
vulnerabilities, " said Mark Pope, product specialist
at DG Technologies and the session's moderator.
Electric and autonomous trucks will have a lot more
electronic controllers and networks. " There are more
operating systems involved probably than there have
been in the past; therefore, there's more variety of networks, "
York said. " So, we might have CAN and CAN
FD and Ethernet or LIN all turning up on a vehicle. As
TRUCK & OFF-HIGHWAY ENGINEERING
FROM LEFT: RYAN GEHM/SAE; CYBERTRUCK CHALLENGE
Truck & Off-Highway Engineering - October 2021

Table of Contents for the Digital Edition of Truck & Off-Highway Engineering - October 2021
