E-safety Vehicle Intrusion Protected Applications (EVITA)

Status: Final Published

Date: Published November 2011 Region: Europe

Document: Link

Background

The EVITA project was an automotive cybersecurity initiative co-funded by the European Union, intended to improve the resilience of the automotive on-board network to attacks from new V2X applications, as well as the physical attacks made possible by the physical access that attackers can have to vehicles in the public environment. Through a process of identifying E/E use cases, analyzing potential threats, and their associated risk, EVITA developed a series of security requirements for on-board networks. This was then distilled into a standard recommending hardware and software architectures to fulfill the defined security requirements.

Summary

The EVITA standard sets out a recommend hardware and software architecture to satisfy safety requirements intended to mitigate the cybersecurity threats associated with typical connected car use cases, including Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communications, smartphone integration, OTA updates, and diagnostic processes. Having identified these use cases, the EVITA project identified potential malicious agents and cybersecurity threats using an attack tree methodology. The level of risk associated with these threats was calculated by considering the severity of the threat, along with the likelihood that such an attack could occur. Once these threats and the level of risk had been identified, the EVITA project defined a series of security objectives using functional path mapping to mitigate threats. EVITA identified the following security requirements:

• HSMs must be tamperproof, or attempts at tempering must be detectable.
• In-vehicle software and locally stored data related to the connected car use cases must be
  “infeasible” or detectable within the platform.
• ECUs must be able to detect if messages and data sent by other ECUs have been altered by
  unauthorized agents.
• Data and messages sent within the vehicle must be kept confidential.
• Remote entities must be able to verify the integrity of the IVN network.
• Only authorized entities can be permitted to access or modify e-safety relevant data or assets.

In order to satisfy these security requirements, EVITA developed three hardware specifications:

• EVITA HSM Full: Intended as a hardware extension for ECUs in V2X applications, consisting of a cryptographic building block and a logic building block. The cryptographic block includes a high-performance cryptographic engine, an AES-based hash function, an encryption/decryption engine, a random generator, and a 64-bit monotonic counter. The EVITA HSM Full also features its own Central Processing Unit (CPU), which can only be accessed by the application CPU via secure interfaces.
• EVITA HSM Medium: Comparable to the HSM Full, but without a hardware Error Code Correction (ECC) engine or hardware hash engine. Intended to enable secure, but cost-effective protection of gateways and domain controllers.
• EVITA HSM Light: Designed for the protection of sensors, actuators, etc. This specification includes an AES hardware accelerator, with the security credentials handled by the main ECU application processor.

The EVITA specification also leverages the existing EMVY secure software framework, which provides mechanisms for authentication, secure storage, intrusion detection, malware protection, integration of back end services and smartphones, cryptographic algorithms, etc.

Notes

EVITA can be considered a competitor to the TPM 2.0 Automotive Thin Profile. However, EVITA does not offer remote attestation and cannot measure the state of the ECU against a set of pre-stored measurements. However, EVITA offers a comparable, flexible approach, allowing the hardware implementation to be varied in order to ensure cost-effective protection of the in-vehicle network.