Analytic cyberattack detection and edge-cloud computing technologies aiming to realize a safe, secure, and prosperous mobility society
Hitachi, Ltd. has developed core technologies to detect and respond to cyberattacks on connected cars with higher precision and speed. These technologies enabled two new features: (1) the creation of rules to broadly detect cyberattacks, even when there are few cases of cyber attack against vehicles, and (2) transferring of some functions used for collecting and analyzing data in an integrated manner, which typically have been done by the Vehicle Security Operation Center (V-SOC*1), to the in-vehicle ECU*2 by Hitachi Astemo, Ltd. This was realized for the first time by combining Hitachi's two security technologies, cybersecurity technology for connected vehicles and cyber attack monitoring technology for information technology (IT) systems.
Going forward, Hitachi and Hitachi Astemo will work with automotive manufacturers and various other customers and partners to demonstrate the validity of these technologies. The end goal is to realize a safe, secure, and prosperous mobility society.
Hitachi Astemo presented part of this achievement at the Trend Micro Exhibition Booth in the 15th Automotive World Advanced Automotive Technology Show held at Tokyo Big Site from January 25, 2023.
Background and Issues Addressed
The market for connected cars has been expanding alongside the advancement of digital technologies. This growth has put a spotlight on connected cars as next-generation automobiles that can provide both safe and comfortable services. However, these vehicles come with the threat of cyberattacks when connecting to networks. To accurately and quickly detect and respond to cyberattacks or signs of cyberattacks, connected cars require security measures not only inside the vehicle but also for the platforms to which they connect to. These kinds of systems must also support constant cybersecurity monitoring. The technologies developed offer the features outlined in Figure 1 above.
Technology Details
(1) Analytic cyberattack detection technology
Typically, the collection of numerous cases of cyberattacks has been necessary to create rules to detect cyberattacks. However, creating these rules for connected cars has been difficult as the number of such cases has been insufficient. To address this, Hitachi developed the analytic cyberattack detection technology described below to create these rules by combining its knowledge of IT system security technologies in the financial and public sectors with its expertise in vehicle system development.
First, the technology exhaustively extracts the threats of attacks against the vehicle system by applying the 5W*3 method of a security risk assessment for IT systems. Next, the technology analogically associates the threats with the attacker behavior based on numerous cases of cyberattacks collected in the IT system field. At this point, the attacker behavior does not yet reflect the characteristics of the in-vehicle system. Therefore, the technology adjusts the attacker behavior associated above according to relevance of the system specifications and the attacker behavior. In the last step, the technology creates detection rules to detect attacker behavior from the log data.
This series of processes has been implemented as a new tool to support the creation of rules to detect cyberattacks in vehicle systems. The technology can create about five times the number of detection rules in half the man-hours or fewer compared to detection rules created using only known cases of cyberattacks.
(2) Connected car edge-cloud technology
The V-SOC, located in the back-end system, has functions to collect log data from connected cars and the servers that provide connected car applications and to detect and respond to cyberattacks in an integrated manner. However, the implementation of connected and autonomous-driving functions in vehicles increases the risk of future cyberattacks and requires faster and more accurate detection and response. Therefore, some of the integrated analysis functions that had been entrusted to the V-SOC has migrated to the Central Gateway (CGW*4), which is one in-vehicle ECU. The technology can efficiently link Security Incident and Event Management (SIEM*5) on the V-SOC with the Edge-SIEM on the connected vehicle to improve the accuracy and speed of cyberattack detection and response.
Hitachi and Hitachi Astemo, in collaboration with Trend Micro Inc., also developed a prototype system in which the CGW and V-SOC work together with a car navigation ECU with Linux OS running an intrusion detection and prevention software of VicOne Inc., a Trend Micro subsidiary specializing in automotive cybersecurity (Figure 2). This system monitors logs from the navigation system using the Edge-SIEM on the connected car to detect and respond to cyberattacks. This has demonstrated the ability to efficiently expand the scope of monitoring and countermeasures. In addition, it is the joint development between Hitachi Astemo and Trend Micro announced recently*6 that has made this system possible.
*1 V-SOC: Vehicle Security Operation Center
*2 ECU: Electronic Control Unit
*3 5W method: Security System Planning Method for Information System, Journal of Information Processing, Vol. 41, No. 1, January 2000
*4 CGW: Central Gateway
*5 SIEM: Security Information and Event Management
*6 January 24, 2023 News Release: Hitachi Astemo, Trend Micro, and VicOne Expand Collaboration on Security Solutions for Connected Cars, Targeting 2025 Commercialization
(https://www.hitachi.co.jp/New/cnews/month/2023/01/0124.html)
For more information, use the enquiry form below to contact the Research & Development Group, Hitachi, Ltd. Please make sure to include the title of the article.
https://www8.hitachi.co.jp/inquiry/hitachi-ltd/hqrd/news/en/form.jsp