In recent years, cyber-physical systems and in particular autonomous vehicles have caught the eye of both consumers and businesses alike. Being an emerging technology and giving lots of advantages and business opportunities to whoever will successfully develop this concept, major automotive manufacturers, tech companies and start-ups massively invested in it. However, as the presence of autonomous vehicles on the roads will continue to grow as time passes, there are also questions and concerns about their resilience. Professor Marcus Völp, Head of the CritiX (Critical and Extreme Security and Dependability) research group at the University of Luxembourg’s Interdisciplinary Centre for Security, Reliability and Trust (SnT), caught-up with us about his latest project “ADMORPH” a Horizon 2020 project, founded by the European Commission, with industry partners such as Qmedia, Collins Aerospace, Thales, Sysgo, and six academic partners. Among other topics, this project investigates resilience techniques at all levels of the hardware and software stacks that control cyber-physical systems.

ADMORPH

“We started this project in 2020, and the pandemic struck shortly after our first meeting. Thus, we had no chance to get to know each other, but we all started with a dedication to bring cyber-physical systems security to a whole new level. The CritiX research group, composed of ten staff members, was already working on a project that addresses in-car resilience, which was part of the SnT Partnership programme. However, the challenges are much broader and, at least if you believe in companies like Tesla, the presence of autonomous vehicles on the road will soar sooner or later. At CritiX, we are looking into critical infrastructures, embedded systems, etc., and resilience is a big topic for us. Cyber-physical systems interact with high-value physical world assets, including humans. Therefore, they must be able not only to withstand, but tolerate cyberattacks being partially successful, and they have to do so autonomously and without human intervention. Autonomous vehicles are a good example of a relevant application scenario to show how important the interplay of safety and security of critical systems is.”

“There are dozens of car vendors around the world, but when you take a closer look at the technology providers, you discover that there are only four different companies that provide the technology of these cars' systems. There isn’t a large diversity for these systems, as each company develops its software pretty much the same way as the others. Once you manage to break into one of their systems, it’s very likely that you can break into all of them. Therefore, you have to develop software under the assumption of malicious adversaries and that something unexpected may happen at any time.”

A two-fold solution

“Autonomous vehicles must deal with a variety of cyberattacks, with the “Jeep Hack” being one of the most famous. Here, researchers broke through the car radio system, bypassed the gateway and managed to manipulate the driving stack. This is comparable to a situation where somebody remotely controls the car from his laptop while the driver sits on the backseat. During the last 20 to 30 years, we have seen that we are capable of building strong defences, making it more difficult for adversaries to break into systems. However, no matter how strong the defences are, they still have flaws. We do not prevent intrusion because that is impossible to achieve, but instead mitigate the impact of intruders gaining control of some of the functionalities of the system. At higher levels, one can adapt the system and repair the components that failed. However, at lower levels, you have to repair what keeps you safe. The latter typically takes much longer than the former.”

“At higher levels, we worked with the Apollo software stack, an open-source software stack dedicated to autonomous driving. We used it to create solutions where perception, i.e., the component responsible for understanding what is happening in the vehicle's proximity, failed and had to be restarted. Typically, such vehicles would need to stop because they endanger other traffic participants. However, we were able to avoid stopping the cars.”

“We worked mainly on two points to resist attacks. The first ensures that we can tolerate faults, whereas the second aims to achieve that faulty components are repaired, and that the system adapts to whatever situation it faces. For example, if one of the CPUs in a system stops operating correctly, we will shift critical tasks to the remaining ones and adjust the system to consider their commands. In particular, we can already boot, configure and run new subsystems before we make them responsible for keeping the system safe. During that time, we have the old system still capable of tolerating faults, at least for the little time while we need to bring up the replacement. As another example, a vehicle could approach the vehicles around, and ask them to help through critical situations. This even works with planes taxiing to their parking position.”

"Tolerance buys us the time we need to repair. That’s one of the secrets behind resilience.”

A step towards a safer cyberspace …

“Although we have the technology, people remain reluctant to spend money on security, at least until a big incident occurs. Until then, we can only raise awareness and demonstrate what is possible. I would love to live in a much safer space considering all the cyberattacks we have seen recently.”

“Governments could prevent mishaps from happening by enforcing the right laws to require systems to become resilient to cyberattacks. A key question is what responsibility is left to companies and what is the government’s liability, especially if the nation’s wealth and well-being is at stake. SnT is there to help.”