WO2019118430A1 - Cybersecurity services platform - Google Patents
- Publication number: WO2019118430A1 (PCT/US2018/064906)
- Authority: WO (WIPO, PCT)
- Prior art keywords: service, intelligent device, intelligent, data, payload
Classifications
- G—PHYSICS > G06—COMPUTING OR CALCULATING; COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F11/00—Error detection; Error correction; Monitoring
    - G06F11/30—Monitoring
      - G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
        - G06F11/3006—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
      - G06F11/3051—Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
      - G06F21/55—Detecting local intrusion or implementing counter-measures
        - G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
      - G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE
  - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    - H04L63/00—Network architectures or network communication protocols for network security
      - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
        - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
          - H04L63/1425—Traffic logging, e.g. anomaly detection
  - H04W—WIRELESS COMMUNICATION NETWORKS
    - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
      - H04W12/12—Detection or prevention of fraud
        - H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    - H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
      - H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]
Definitions
- Fig. 2 is a block diagram illustrating an exemplary embodiment of the core server 102.
- the core server 102 may include a database system 140 that, in some embodiments, may also include an access management function.
- the database system 140 may manage incoming and outgoing data communication, including authentication and encryption. The techniques for authentication and encryption between fixed systems are beyond the scope of this disclosure and are not discussed further.
- An executive system 105 may place data into the database system 140 and a service (discussed more below) internal to the core server 102 may retrieve that data and operate on it. Similarly, one or more of the services may place data into the database so that an authorized execution system 105 may retrieve that data.
- a semaphore system may be set up to alert a receiving party that new data is available for retrieval. In another embodiment, each side may periodically poll the database system 140 for new communications.
- any of the executive systems 105 or intelligent devices 115 may communicate through an access control function 168 that manages communication with the various external entities with which the core server 102 communicates.
- the core server 102 may also include a number of exemplary services that act on behalf of various stakeholders using data from or generating data for those
- Each service may have a corresponding control function that handles target device interactions including personalization and formatting.
- the core server 102 may provide various levels of access to downstream systems. For example, the OEM may have full rights to access and update any system in a vehicle 120 while an insurance company 110 may only be able to query certain data fields relevant to driving habits.
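The tiered access described above (OEM with full rights, insurer limited to driving-habit fields) is a least-privilege policy, and the practical point is that it must be deny-by-default: any stakeholder, device class, action or field not explicitly granted is refused. The following Python is an added example written for this page, not code from the patent or its applicant; the stakeholder names, field names and the `POLICY` table are constructed assumptions.

```python
# Added example (not from the patent): a deny-by-default authorization table
# in the spirit of the access levels described above. All names are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

ANY = "*"  # wildcard: every field or subsystem of the device


@dataclass(frozen=True)
class Grant:
    """What one stakeholder may do to one class of intelligent device."""
    read: FrozenSet[str] = frozenset()    # fields the stakeholder may query
    update: FrozenSet[str] = frozenset()  # subsystems the stakeholder may change


# Constructed policy table keyed by (stakeholder, device class). The OEM has full
# rights; the insurer may only query fields relevant to driving habits; a tire
# supplier sees only tire-related telemetry. Anything not listed is denied.
POLICY = {
    ("oem", "vehicle"): Grant(read=frozenset({ANY}), update=frozenset({ANY})),
    ("insurer", "vehicle"): Grant(
        read=frozenset({"trip_count", "avg_speed", "hard_braking_events"})),
    ("tier2_tire_supplier", "vehicle"): Grant(
        read=frozenset({"tire_pressure", "miles_driven"})),
}


def is_authorized(stakeholder: str, device_class: str, action: str, target: str) -> bool:
    """True only if an explicit grant covers this action on this field/subsystem."""
    grant = POLICY.get((stakeholder, device_class))
    if grant is None:
        return False
    if action == "read":
        allowed = grant.read
    elif action == "update":
        allowed = grant.update
    else:
        return False  # unknown verbs are never allowed
    return ANY in allowed or target in allowed


def filter_query(stakeholder: str, device_class: str,
                 requested: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a field request into (permitted, denied) so the service can answer
    the permitted part and log the denied part for review."""
    permitted, denied = [], []
    for field_name in requested:
        (permitted if is_authorized(stakeholder, device_class, "read", field_name)
         else denied).append(field_name)
    return permitted, denied


if __name__ == "__main__":
    print(filter_query("insurer", "vehicle", ["avg_speed", "gps_track", "trip_count"]))
    # → (['avg_speed', 'trip_count'], ['gps_track'])
```

Returning the denied fields separately, rather than silently dropping them, gives the access control function something to log: a stakeholder repeatedly asking for fields outside its grant is itself a signal worth reviewing.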
- An over-the-air (OTA) service 142 may manage downloads and programming updates for individual and groups of intelligent devices 115.
- the OTA service 142 may operate using payload packages and corresponding instructions received primarily from an executive system 105 for eventual installation in one or more intelligent devices.
- a user 128 may provide data for delivery via the OTA service 142 but in many embodiments user changes may be handled by a configuration service 158, discussed more below.
- the OTA service 142 may operate in conjunction with an image provisioning function 144 that may handle device-specific details of provisioning, such as breaking a payload down into device-ready packages having the appropriate packet sizes, control instructions, and delivery/failure handling.
- a memory image may be built or stored at the image provisioning function 144 and then installed as a block update to one or more memory locations in the intelligent device 115.
- a service for intrusion detection and intrusion protection may provide intelligent devices 115 with capabilities to identify and respond to unexpected messages. These messages may include attempts to monitor, disrupt, or infiltrate internal communications within an individual or group of intelligent devices 115.
- a vehicle 120 that uses an internal automobile network may have an IDPS function in at least one but often many nodes within a vehicle network (not depicted).
- the internal IDPS function or functions may use rules to analyze internal
- a vehicle 120 may generate an engine control unit (ECU) signature on startup that is transmitted to the IDPS service 146 for analysis related to system integrity. In the event that an error is detected, any number of actions may be taken, from sending an error message all the way to sending an encrypted and authenticated message instructing the vehicle to enter a reduced level of performance or limited operating strategy, to protect the driver from an unpredictable situation.
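The startup-signature check above is a remote attestation flow: the vehicle reports a measurement of its ECU firmware, the server compares it with a known-good reference, and on mismatch the server's response must itself be authenticated (otherwise the "enter limited operation" channel becomes a denial-of-service lever). The Python below is an added example for this page, not the patent's code; it assumes the signature is a SHA-256 digest of the firmware image, uses HMAC-SHA256 with a per-vehicle key plus a monotonic counter for the command, and omits the encryption the text also mentions. Keys, model names and the VIN are constructed.

```python
# Added example (not from the patent): an ECU startup-signature check on the
# server side and an authenticated "limited operating strategy" command back to
# the vehicle. Keys, digests and identifiers are constructed for this example.
import hashlib
import hmac
import json
from typing import Optional

# Constructed reference digests per vehicle model; in the design these would be
# supplied by the OEM and held in the registration table.
EXPECTED_ECU_DIGEST = {
    "model-a-2018": hashlib.sha256(b"ecu-firmware-1.4.0 (constructed image)").hexdigest(),
}

# Constructed per-vehicle symmetric keys. In the design these would be
# generated and stored in the security module (HSM), never in a plain dict.
VEHICLE_KEYS = {"VIN-EXAMPLE-0001": b"\x11" * 32}

LIMITED_OPERATING_STRATEGY = "limited_operating_strategy"


def ecu_signature(firmware_image: bytes) -> str:
    """What the vehicle computes over its ECU firmware at startup (assumed to be
    a SHA-256 digest; the patent does not specify the signature scheme)."""
    return hashlib.sha256(firmware_image).hexdigest()


def integrity_ok(model: str, reported: str) -> bool:
    """Constant-time comparison against the reference digest for this model."""
    expected = EXPECTED_ECU_DIGEST.get(model)
    return expected is not None and hmac.compare_digest(expected, reported)


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_command(vin: str, action: str, counter: int) -> dict:
    """Server side: HMAC-SHA256 over a canonical body. The monotonically
    increasing counter gives the vehicle replay protection. (Encryption of the
    body, which the text also mentions, is omitted here.)"""
    body = {"vin": vin, "action": action, "counter": counter}
    mac = hmac.new(VEHICLE_KEYS[vin], _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_command(cmd: dict, last_counter: int) -> bool:
    """Vehicle side: accept only if the MAC verifies and the counter advanced."""
    body = cmd["body"]
    key = VEHICLE_KEYS.get(body.get("vin"))
    if key is None or body.get("counter", -1) <= last_counter:
        return False
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cmd["mac"])


def handle_startup_report(vin: str, model: str, reported: str,
                          next_counter: int) -> Optional[dict]:
    """IDPS service entry point: None when the ECU signature matches, otherwise
    an authenticated command telling the vehicle to enter a reduced mode."""
    if integrity_ok(model, reported):
        return None
    return build_command(vin, LIMITED_OPERATING_STRATEGY, next_counter)
```

Two details carry the security weight: `hmac.compare_digest` avoids leaking the reference digest through timing, and the counter check in `verify_command` rejects a replayed command even though its MAC is valid.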
- a rule provisioning function 148 may help to ensure that as new threats or protective measures are identified that they are correctly provisioned within the intelligent devices 115. For example, some rule sets may be appropriate only for certain models of intelligent device 115 or for such an intelligent device only when installed within a particular system-level model.
- a particular threat may only be present in 4 wheel drive vehicles even though a braking system controller may be used in both 4 wheel drive and 2 wheel drive vehicles.
- the rule provisioning function 148 may determine which vehicles need a given IDPS rule.
- some rules may be dependent on other rules, so that rule updates may need to be performed atomically.
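The three preceding points (rules scoped to a controller model and to the system-level model it sits in, the provisioning function deciding which vehicles need a rule, and dependent rules updated atomically) fit together in one selection-and-bundling routine. The Python below is an added example for this page rather than the patent's own logic; the rule ids, controller model names, fleet and the use of drivetrain as the "system-level model" are constructed assumptions.

```python
# Added example (not from the patent): deciding which vehicles need an IDPS
# rule from both the controller model and the system-level model, and ordering
# a rule with its dependencies into one atomic bundle. All names are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Rule:
    rule_id: str
    controller_models: FrozenSet[str]   # device models the rule is written for
    system_models: FrozenSet[str]       # vehicle-level models; empty means any
    depends_on: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Vehicle:
    vin: str
    brake_controller: str  # model of its braking system controller
    drivetrain: str        # "4wd" or "2wd" in this constructed fleet


def rule_applies(rule: Rule, vehicle: Vehicle) -> bool:
    """A rule applies only if the controller model matches AND the vehicle's
    system-level model is one the rule is scoped to (or the rule is unscoped)."""
    if vehicle.brake_controller not in rule.controller_models:
        return False
    return not rule.system_models or vehicle.drivetrain in rule.system_models


def vehicles_needing(rule: Rule, fleet: List[Vehicle]) -> List[str]:
    return [v.vin for v in fleet if rule_applies(rule, v)]


def atomic_bundle(rule_ids: List[str], rules: Dict[str, Rule]) -> List[str]:
    """Dependency-ordered list of rule ids (dependencies first). Raises on an
    unknown or cyclic dependency so a half-consistent update is never shipped."""
    order: List[str] = []
    state: Dict[str, str] = {}

    def visit(rid: str) -> None:
        if rid not in rules:
            raise KeyError(f"unknown rule or dependency: {rid}")
        if state.get(rid) == "done":
            return
        if state.get(rid) == "visiting":
            raise ValueError(f"dependency cycle through {rid}")
        state[rid] = "visiting"
        for dep in sorted(rules[rid].depends_on):
            visit(dep)
        state[rid] = "done"
        order.append(rid)

    for rid in rule_ids:
        visit(rid)
    return order


def plan_update(rule_id: str, rules: Dict[str, Rule],
                fleet: List[Vehicle]) -> Dict[str, List[str]]:
    """Map each vehicle that needs the rule to the ordered bundle it must apply
    all-or-nothing (dependencies travel with the rule)."""
    bundle = atomic_bundle([rule_id], rules)
    return {vin: bundle for vin in vehicles_needing(rules[rule_id], fleet)}


# Constructed rule set and fleet for the 4WD-only threat described above.
RULES = {
    "R-BASE": Rule("R-BASE", frozenset({"BC-100", "BC-200"}), frozenset()),
    "R-BRAKE-4WD": Rule("R-BRAKE-4WD", frozenset({"BC-100"}), frozenset({"4wd"}),
                        depends_on=frozenset({"R-BASE"})),
}
FLEET = [
    Vehicle("VIN-1", "BC-100", "4wd"),
    Vehicle("VIN-2", "BC-100", "2wd"),  # same controller, different system model
    Vehicle("VIN-3", "BC-200", "4wd"),
]
```

The bundle is computed before any vehicle is selected, so a broken dependency graph fails the whole update up front rather than leaving some vehicles with a rule whose prerequisite never arrived.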
- Telematics services 150 may generally be associated with data gathered from vehicles 118 but may also be applicable to broader categories of information received from remote devices, including IoT devices 122, as shown in Fig. 2, but also encompassing other data gathering technologies for utilities metering, agriculture, shipping, etc.
- telematics can be used for diagnostics for systems such as powertrain and brakes, as well as status of pollution controls, tire pressures, oil levels, etc.
- telematics data may be used by insurance companies to evaluate driving patterns (e.g., short trips only) and driving characteristics (e.g.
- a data analysis module 152 may perform data reductions and categorization so that corresponding executive systems 105 are not inundated with raw data as well as to reduce the volume of data sent to the executive system.
- the data analysis function 152 may accumulate data from a variety of systems and only report summarized or out of specification data. Specifically, tire pressure data may be received every five minutes but unless the pressure in one or more tires is out of range, a report of average tire pressure may be sent to a Tier 2 supplier 108 once a day, along with, for example, miles driven. In this scenario, a Tier 2 tire supplier may be able to monitor tire condition and predict when tires should be checked for replacement.
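The tire-pressure scenario above is a data-reduction rule with an exception path: readings every five minutes collapse to one daily average per tire, but any out-of-specification reading is reported as soon as it is seen. The Python below is an added example for this page, not the patent's implementation; the pressure limits, the four tire positions, the mileage figure and the constructed day of readings are assumptions.

```python
# Added example (not from the patent): reducing five-minute tire-pressure
# readings to a once-a-day summary while forwarding out-of-range readings
# immediately. Limits and readings are constructed.
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Tuple

PSI_MIN, PSI_MAX = 30.0, 38.0            # constructed specification limits
READINGS_PER_DAY = 24 * 60 // 5          # one reading every five minutes = 288

Reading = Tuple[int, str, float]         # (minute of day, tire position, psi)


def reduce_tire_data(readings: List[Reading], miles_driven: float) -> Dict:
    """Return the daily report a Tier 2 supplier would receive: one average per
    tire plus miles driven, and a list of out-of-spec readings to send at once."""
    per_tire: Dict[str, List[float]] = defaultdict(list)
    alerts = []
    for minute, tire, psi in readings:
        per_tire[tire].append(psi)
        if not PSI_MIN <= psi <= PSI_MAX:
            alerts.append({"minute": minute, "tire": tire, "psi": psi})
    summary = {tire: round(mean(v), 1) for tire, v in sorted(per_tire.items())}
    return {"daily_avg_psi": summary, "miles_driven": miles_driven,
            "alerts": alerts, "raw_count": len(readings)}


def constructed_day(leak_start_minute: int = 1250) -> List[Reading]:
    """One day of readings for four tires; the rear-right tire drops to 28.5 psi
    (below spec) from leak_start_minute onward. Constructed input only."""
    readings: List[Reading] = []
    for i in range(READINGS_PER_DAY):
        minute = i * 5
        for tire in ("FL", "FR", "RL", "RR"):
            psi = 34.0
            if tire == "RR" and minute >= leak_start_minute:
                psi = 28.5
            readings.append((minute, tire, psi))
    return readings


if __name__ == "__main__":
    report = reduce_tire_data(constructed_day(), miles_driven=42.7)
    print(report["raw_count"], "raw readings ->", report["daily_avg_psi"],
          len(report["alerts"]), "alerts")
```

With the constructed day, 1,152 raw readings reduce to four averages plus mileage, while the 38 sub-specification readings are surfaced individually; the daily average alone (33.3 psi for the leaking tire) would still be in range and would hide the problem, which is why the exception path is needed.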
- the data analysis module 152 may also analyze data patterns and reported errors from, in particular, intelligent devices 115, for real time decision making.
- the real time decision may be to send a warning to either or both the intelligent device involved and an executive system 105.
- the warning may bring attention to a potentially dangerous situation such as an engine or transmission code.
- analysis of data received over time may indicate a more subtle issue such as a decrease in fuel economy that may prompt a check of engine systems, tires, etc.
- an analysis of mileage in view of routine maintenance may prompt suggesting that a vehicle operator have the brakes checked. Given the rich data that may be reported to the core server 102 from the intelligent devices 115, there are a wide variety of analysis and corresponding actions available to the core server 102 beyond those suggested above.
- the license service 154 may manage licenses for the various intelligent devices 115 in its domain. These may include, but are not limited to, entertainment-oriented licenses, emergency services (e.g. OnStar) licenses, wireless network licenses, and even embedded software licenses. In the last case, a license for embedded software may be inherent in the purchase of a vehicle but may only be covered during the warranty period so that updates after a certain mileage or time may not be covered by the OEM 106.
- a license control function 156 may be used to monitor and update license status on individual devices 115. In an embodiment, the license control function 156 may update settings on a vehicle 120 or IoT device 124. In another embodiment, the license service 154 may be responsible for key injection and key revocation related to enabling certain functions in an intelligent system such as satellite radio in a vehicle 120.
- a configuration service 158 may manage settings on the individual devices, either separately or in groups. These settings may be specified by the executive systems 105 but also may be specified by a user 128 who is registered with the core service 102 as having rights to access and/or set the intelligent device 115.
- a connected cabin climate control may receive a master key roll instruction from its manufacturer 106 and may also receive a temperature setting change instruction from the registered user 128.
- the former tells the thermostat to change what encryption key it is currently using and may be different from an actual software update that would be handled by the OTA and provisioning services 142, 144.
- the latter may simply be a normal, supported interaction with a user 128.
- the actual interaction with the smart thermostat, and other such communication with other intelligent devices, may be coordinated by the settings configuration function 160, which may retain or obtain current settings, particularly security-related settings such as master and session keys, PKI keys, and Diffie-Hellman or similar key exchange techniques.
- the local systems such as different intelligent devices 115 may generate and maintain their security settings.
- the core service 102 may support or trigger master key rolling in an intelligent device 115 or may participate in a key agreement process to support an encrypted session.
- these settings may also be applicable to communication with the executive systems 105 in order to provide authorization, authentication, and privacy for those communications as well.
- the configuration function 160 may work in conjunction with the access management function of the database 140.
- a registration service 162 may manage registration of intelligent devices 115, users 126, or both.
- intelligent devices 115 may be populated into a registration table of the database system 140 at the time of manufacture or sale so that device configuration and capabilities are known to the core service 102. Then, when a particular intelligent device is placed into operation and is initially connected to the core service 102 via the registration function 164, the intelligent device’s characteristics are known. In this scenario, any programming or configuration updates may be queued up for automatic download, e.g., by the provisioning function 144.
- an intelligent device 115 may introduce itself to the core service 102 at the time of initial production operation.
- the intelligent device 115 may simply send model and version information, memory size if applicable, and other information as appropriate.
- the registration service may create a record for the device and then query a corresponding executive system 105 regarding any updates or configuration requirements for the newly-registered device.
- a user 128 may also register with the core server 102.
- the user 128 may register apart from any other device registration or may be registered in conjunction with the registration of a specific intelligent device 115.
- a user account may be created at a car dealership when the user takes possession of a new vehicle 120.
- a user 128 may create an account and register when installing a new home appliance, such as a smart refrigerator.
- a user 128 who may already be registered may add a new intelligent device 115 to an existing account. In this way, a user 128 may maintain a single account with the core server 102 and be able to access multiple intelligent devices without the need to create and maintain separate login and password accounts for each.
- the core server 102 may simply act as a pipe between a user’s smart phone application and the intelligent device 115.
- the core server 102 may present a user interface so that once a user has authenticated to the core server 102, the user may see all of the available intelligent devices associated with the account as well as appropriate interfaces for user-accessible settings.
- the core server 102 may act as a 'mailbox' for executive systems 105 to contact registered users 126. While a user 128 may change physical addresses, email addresses, phone numbers and more, users are highly likely to maintain connections to their vehicles 108 and other IoT devices 122. Therefore, an executive system 105 may improve access to their customers via the core server 102 for high importance notifications such as recalls as well as simple marketing messages, when allowed.
- an access control function 168 may handle protocols used to access disparate systems, including session establishment, authentication, and encryption, if used. The access control system 168 may also perform security checks such as packet inspection to reduce the risk of erroneous or malicious data being introduced into the core server 102.
- a security module 170 also sometimes known as a hardware security module (HSM) may be a system resource for tamper-proof storage of cryptographic material, key generation, cryptographic signing and verification, and other security-related functions.
- the security module 170 may be available to the database 140 and any of the services or functions discussed above.
- a core server 102 may receive from a data owner 105, 126, a message targeting an intelligent device 120, 124, the message including a first payload, an address, and an instruction.
- the first payload may be stored at a database 140.
- the database 140 may store the entire message or, in an embodiment, the instruction and address may be parsed out prior to storing the payload.
- a service may be activated, for example, one or more of the services 142, 146, 150, 154, 158 discussed above. In other embodiments, additional and/or different services may be available.
- a second payload may be generated by the service, based on the first payload and the instruction.
- the first payload may be evaluated and if needed, repackaged into packets or translated into a different format for transmission to and use by the intelligent device 120, 124.
- This preparation of the data may be performed before or after block 210 where a connection to the intelligent device 120,
- the first payload may be appropriately packaged prior to the connection.
- the second payload may be delivered to the intelligent device 120, 124 via the connection.
- the core server 102 may verify that a secondary action based on the delivery of the second payload has been completed, such as performing an update to system software or changing a system configuration or operational setting.
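The method just described (receive a message carrying payload, address and instruction; store it; activate a service that produces a second payload; deliver it when the device connects; verify the secondary action) and the earlier image provisioning function that breaks a payload into device-ready packets are demonstrated together in the Python below. It is an added example for this page, not the patent's code; the packet size, the per-packet and whole-image SHA-256 digests, the `CoreServer`/`Device` classes and the constructed firmware bytes are assumptions made for the example.

```python
# Added example (not from the patent): the receive / store / provision / deliver
# / verify flow described above, with per-packet and whole-image digests so the
# device can detect a corrupted packet. Packet size and payload are constructed.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Message:
    """What a data owner sends to the core server."""
    payload: bytes      # first payload (e.g. a firmware image)
    address: str        # target intelligent device
    instruction: str    # e.g. "ota_update"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CoreServer:
    def __init__(self, packet_size: int) -> None:
        self.packet_size = packet_size
        self.db: Dict[str, Dict] = {}       # stored first payloads (database 140)
        self.pending: Dict[str, Dict] = {}  # second payloads awaiting a connection

    def receive(self, msg: Message) -> None:
        """Parse instruction and address out, store the payload, run the service."""
        self.db[msg.address] = {"instruction": msg.instruction, "payload": msg.payload}
        self.pending[msg.address] = self.provision(msg.payload)

    def provision(self, payload: bytes) -> Dict:
        """Image provisioning: split into device-ready packets, each with its own
        digest, plus a digest of the whole image for the final check."""
        chunks = [payload[i:i + self.packet_size]
                  for i in range(0, len(payload), self.packet_size)]
        packets = [{"seq": i, "total": len(chunks), "data": c, "sha256": sha256_hex(c)}
                   for i, c in enumerate(chunks)]
        return {"packets": packets, "image_sha256": sha256_hex(payload)}

    def deliver(self, address: str, device: "Device") -> bool:
        """Called when the device connects. Returns True only after the device
        reports an installed image whose digest matches; otherwise the second
        payload stays queued for the next connection."""
        second = self.pending.get(address)
        if second is None:
            return False
        device.receive_packets(second["packets"])
        if device.installed_digest() != second["image_sha256"]:
            return False
        del self.pending[address]
        return True


class Device:
    """Minimal intelligent device: buffers verified packets, assembles the image."""
    def __init__(self) -> None:
        self.buffer: Dict[int, bytes] = {}
        self.image: Optional[bytes] = None

    def receive_packets(self, packets: List[Dict]) -> None:
        total = packets[0]["total"] if packets else 0
        for p in packets:
            if sha256_hex(p["data"]) != p["sha256"]:
                continue                      # drop a corrupted packet, keep going
            self.buffer[p["seq"]] = p["data"]
        if total and len(self.buffer) == total:
            self.image = b"".join(self.buffer[i] for i in range(total))

    def installed_digest(self) -> Optional[str]:
        return sha256_hex(self.image) if self.image is not None else None
```

The verification step is what makes the queue safe to clear: a corrupted or missing packet leaves the device's image unassembled, the reported digest fails to match, and the second payload remains pending for a retry instead of being marked delivered. A plain digest detects corruption only; authenticating the image (a signature from the OEM checked on the device) would be the next layer, and is not shown here.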
- the techniques disclosed above benefit both executive system participants and users alike.
- Executive system participants may use a single point of contact for interaction with the systems and subsystems with which they are affiliated while at the same time allowing Tier 1, Tier 2 and other ecosystem participants to update and/or access relevant elements of the system.
- a user such as an owner or operator of an intelligent device ranging from an automobile to a home thermostat and more may be able to access and query one or more of the intelligent devices 115 with which they are registered.
- Overall security may be improved because highly secure paths may be established on both sides of the core server 102 because participants are known and qualified ahead of time, in some cases before an intelligent device even leaves the manufacturing facility.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Quality & Reliability (AREA)
- Mathematical Physics (AREA)
- Traffic Control Systems (AREA)
Abstract
A core server provides access control, configuration management, change control, and user management for one or more intelligent devices including vehicles and Internet of Things devices.
Description
CYBERSECURITY SERVICES PLATFORM
Background
[0001] The background description provided herein is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
[0002] Intelligent devices are proliferating into virtually every aspect of daily life, from automobiles to thermostats to kitchen appliances and more. In many cases, multiple stakeholders may be involved in the design, manufacture, delivery, or operation of a particular device, subsystem, or complete system. Management and coordination of system updates, remote settings, data collection, and security are all issues, particularly when multiple stakeholders are involved.
Summary
[0003] A system including a database, communication platforms, security, and device-specific services manages two way information flow and programming changes for intelligent devices on behalf of one or more stakeholders. By limiting communication with the intelligent device to a single point of contact the risk of hacking or spoofing may be lowered. The services may include, but are not limited to, registration, licensing, configuration, over-the-air (OTA) programming, and remote information gathering and provisioning. Because deployed intelligent devices may not be continuously available, the system may store and manage various data transfers as devices are available. The system may further gather and process information from the intelligent devices to reduce the volume of raw data sent from the system to the stakeholders.
Brief Description of the Drawings
[0004] The figures depict a preferred embodiment for purposes of illustration only. One skilled in the art may readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles described herein.
[0005] Fig. 1 is a block diagram of a system using a core server to provide services to intelligent devices;
[0006] Fig. 2 is a block diagram illustrating an embodiment of a core server; and
[0007] Fig. 3 is a flowchart of a method of operating a core server.
Detailed Description
[0008] Intelligent devices are proliferating into many different aspects of industrial, commercial, and consumer products. Such devices may be found in industrial controllers, automobiles, consumer appliances, as well as home controls including thermostats, home security, lighting, energy management and more. The functionality of these intelligent devices is also increasing. The simple remote camera of several years ago may now include motion sensors, temperature sensors, lighting controllers, security alarms, and more.
[0009] Nowhere is this trend more apparent than in the automobile, where the car with an engine controller of the 1980’s now includes not only the engine controller, but may include controllers for the transmission, braking systems, body electronics, cabin environment, entertainment, and collision avoidance, to name a few. Already on the street are self-driving cars that include advanced environment sensors, mapping systems, and driving algorithms. These systems may often be developed as a combination of subsystems from OEMs, Tier 1 and Tier 2 suppliers, networking specialists, and others, depending on the application. Each subsystem may require configuration of operational parameters, updates to code and settings, and data monitoring of ongoing performance. Some updates may be performed independently of other subsystems while other updates may require coordination with updates for other subsystems. Because these intelligent systems may not always be available for data communication, coordination of external communication becomes a higher priority for their seamless operation.
[0010] Even as system functions and complexity increase, hackers are becoming more skilled at infiltrating systems at every level, including embedded systems. Internet of Things (IoT) hacks have included placing bots on security cameras that are used to launch distributed denial of service attacks. Higher stakes hacks have included real time manipulation of automotive systems from outside the vehicle. Therefore, at a time when data traffic with intelligent devices is increasing, so is the threat of intrusion by unwanted parties.
[0011] Turning to Fig. 1, a core server 102 may, among other things, manage two-way communication between a number of executive systems 105, system users 126, and a number of intelligent devices 115. The executive systems 105 may include, as discussed above, stakeholders of the various intelligent devices. While the following discussion is oriented to the automotive industry, the principles discussed are equally applicable to other intelligent devices such as any of the devices discussed above. As illustrated in Fig. 1, the executive systems 105 may include original equipment manufacturers (OEM) 106 and Tier 1/2 suppliers 108. The term OEM may commonly refer to those companies who are nameplate auto manufacturers such as Honda, Ford, and General Motors. These companies often both develop their own subsystems as well as assemble components from other suppliers into a finished product. Tier 1 suppliers may include subsystem suppliers such as Continental, Delphi, and Bosch, whose products may include braking systems, entertainment systems, or engine control systems. Tier 2 suppliers may supply components to either or both of the OEM and Tier 1 companies. These may include audio equipment, semiconductors, tires and inflation systems, and the like. Both OEM 106 and Tier 1/2 companies may supply and support intelligent devices at any system level that both receive data from one or more executive systems 105 and that may also provide data to those executive systems 105.
[0012] Other executive systems 105 may include insurance companies 110, network providers 112, and infrastructure providers 114. These systems may have additional roles with respect to the entire automobile or with individual components. For example, an insurance company 110 may gather data from a vehicle for use in calculating insurance rates. A network provider 112 may support an in-vehicle network, for example, for an entertainment or navigation system while an infrastructure provider 114 may provide mapping and self-driving navigation data to the car.
[0013] The core server 102 may be connected on the upstream side via network connection 104. The core server 102 may be connected on the downstream side via another network connection 116 to a number of intelligent devices 115. The intelligent devices 115 may, in an embodiment, be homogeneous, such as all automobiles, or even one brand or model of automobile. In another embodiment, as illustrated in Fig. 1, the intelligent devices 115 may be of different types. For example, a first class of devices 118 may include vehicles 120. Another class of device 122 may include IoT devices 124 such as home electronics but may also include smartphones.
[0014] A user class 126 may have a number of users 128, who may be an owner or operator of one of the intelligent devices 115. While a user 128 is not an intelligent device 115, users have a particular role when interacting with the actual intelligent devices 115. Similar to an executive system 105, a user 128 has a need to send data to and receive data from the intelligent device. A user 128 may wish to read current operational values of an intelligent device 120, 124 or perform local configuration of a device that does not rise to the level requiring intervention by an executive system. For example, a user 128 may want to remote start a car or change a cabin climate control setting. However, operations such as these may be valuable targets for a thief or malicious hacker. In order to protect even such simple operations, the user may be registered with the vehicle 120 and IoT device 128 via the core service 102 so that communications between the user 128 and intelligent device 120, 124 may be monitored and protected. The executive systems 105 and the users 128 may both be considered data owners for the various intelligent systems 115.
[0015] In operation, the core server 102 may receive, store, validate, and manage communications between executive systems 105 and users 126 with one or more intelligent devices 115. Similarly, the core server 102 may receive, process, evaluate, format, and manage communications from the intelligent devices 115 such as status and alarms. Communications on both sides of the core server 102 may be authenticated and encrypted to improve resilience from eavesdropping, spoofing, and unauthorized access.
[0016] Fig. 2 is a block diagram illustrating an exemplary embodiment of the core server 102. The core server 102 may include a database system 140 that, in some embodiments, may also include an access management function. The database system 140 may manage incoming and outgoing data communication including authentication and encryption. The techniques for authentication and encryption between fixed systems are beyond the scope of this disclosure and are not discussed further. An executive system 105 may place data into the database system 140 and a service (discussed more below) internal to the core server 102 may retrieve that data and operate on it. Similarly, one or more of the services may place data into the database so that an authorized executive system 105 may retrieve that data. A semaphore system may be set up to alert a receiving party that new data is available for retrieval. In another embodiment, each side may periodically poll the database system 140 for new communications. To access the database, any of the executive systems 105 or intelligent devices 115 may communicate through an access control function 168 that manages communication with the various external entities with which the core server 102 communicates.
[0017] The core server 102 may also include a number of exemplary services that act on behalf of various stakeholders using data from or generating data for those stakeholders. Each service may have a corresponding control function that handles target device interactions including personalization and formatting. In an embodiment, the core server 102 may provide various levels of access to downstream systems. For example, the OEM may have full rights to access and update any system in a vehicle 120 while an insurance company 110 may only be able to query certain data fields relevant to driving habits.
[0018] An over-the-air (OTA) service 142 may manage downloads and programming updates for individual intelligent devices 115 and for groups of them. The OTA service 142 may operate using payload packages and corresponding instructions received primarily from an executive system 105 for eventual installation in one or more intelligent devices. In some cases, a user 128 may provide data for delivery via the OTA service 142, but in many embodiments user changes may be handled by a configuration service 158, discussed more below. The OTA service 142 may operate in conjunction with an image provisioning function 144 that may handle device-specific details of provisioning, such as breaking a payload down into device-ready packages having the appropriate packet sizes, control instructions, and delivery/failure handling. In some systems, a memory image may be built or stored at the image provisioning function 144 and then installed as a block update to one or more memory locations in the intelligent device 115.
[0019] A service for intrusion detection and intrusion protection (IDPS service 146) may provide intelligent devices 115 with capabilities to identify and respond to unexpected messages. These messages may include attempts to monitor, disrupt, or infiltrate internal communications within an individual or group of intelligent devices 115. For example, a vehicle 120 that uses an internal automobile network may have an IDPS function in at least one but often many nodes within a vehicle network (not depicted). The internal IDPS function or functions may use rules to analyze internal communications, validate legitimate communications, and take appropriate actions when internal communications are suspicious or worse. For example, a vehicle 120 may generate an engine control unit (ECU) signature on startup that is transmitted to the IDPS service 146 for analysis related to system integrity. In the event that an error is detected, any number of actions may be taken, from sending an error message all the way to sending an encrypted and authenticated message to the vehicle to enter a reduced level of performance or limited operating strategy to protect the driver from an unpredictable situation.
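As an added example (not code from the patent), the startup ECU signature check just described, with a shared HMAC key standing in for whatever key material the vehicle's IDPS node and the IDPS service 146 would actually hold in the security module 170; the key, VIN and firmware digests are constructed demo values.

```python
import hashlib
import hmac

# Constructed demo key shared between the vehicle's IDPS node and the IDPS service;
# in the disclosure such material would be held by the security module 170 (HSM).
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed registry of known-good ECU image digests per vehicle (hypothetical VIN).
KNOWN_GOOD = {
    "VIN-DEMO-0001": {
        "engine": hashlib.sha256(b"engine-fw-1.2.0").hexdigest(),
        "brake": hashlib.sha256(b"brake-fw-3.0.1").hexdigest(),
    }
}


def ecu_signature(vin, ecu_digests, key=INTEGRITY_KEY):
    """Vehicle side: HMAC over the VIN and the sorted (ECU name, image digest) pairs sent at startup."""
    body = vin.encode() + b"".join(
        f"|{name}:{digest}".encode() for name, digest in sorted(ecu_digests.items())
    )
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def evaluate_startup_report(vin, ecu_digests, signature, key=INTEGRITY_KEY):
    """IDPS service side. Returns (verdict, action); action is one of 'none',
    'error_message' or 'limited_operating_strategy' (the reduced-performance response)."""
    expected = KNOWN_GOOD.get(vin)
    if expected is None:
        return "unregistered_vehicle", "error_message"
    # Constant-time compare: a forged or corrupted signature means the report itself is untrusted.
    if not hmac.compare_digest(ecu_signature(vin, ecu_digests, key), signature):
        return "bad_signature", "limited_operating_strategy"
    mismatched = sorted(
        name for name, digest in expected.items() if ecu_digests.get(name) != digest
    )
    if mismatched:
        # Authentic report, but an ECU image differs from what the OEM registered.
        return "integrity_mismatch:" + ",".join(mismatched), "limited_operating_strategy"
    return "ok", "none"


def authenticated_command(vin, action, key=INTEGRITY_KEY):
    """Build the message the service sends back; the tag lets the vehicle verify its origin.
    Encryption of the command is left out of this example."""
    body = f"{vin}|{action}".encode()
    return {"vin": vin, "action": action, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def vehicle_accepts_command(cmd, key=INTEGRITY_KEY):
    """Vehicle side: only act on commands whose tag verifies against the shared key."""
    body = f"{cmd['vin']}|{cmd['action']}".encode()
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), cmd["tag"])
```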
[0020] A rule provisioning function 148 may help to ensure that, as new threats or protective measures are identified, the corresponding rules are correctly provisioned within the intelligent devices 115. For example, some rule sets may be appropriate only for certain models of intelligent device 115 or for such an intelligent device only when installed within a particular system-level model. To illustrate, a particular threat may only be present in 4 wheel drive vehicles even though a braking system controller may be used in both 4 wheel drive and 2 wheel drive vehicles. In this case, the rule provisioning function 148 may determine which vehicles need a given IDPS rule. In other embodiments, some rules may be dependent on other rules, so that rule updates may need to be performed atomically.
[0021] Telematics services 150 may generally be associated with data gathered from vehicles 118 but may also be applicable to broader categories of information received from remote devices, including IoT devices 122 as shown in Fig. 2, and also encompassing other data gathering technologies for utilities metering, agriculture, shipping, etc. In vehicles, for example, telematics can be used for diagnostics of systems such as powertrain and brakes, as well as status of pollution controls, tire pressures, oil levels, etc. In other embodiments, telematics data may be used by insurance companies to evaluate driving patterns (e.g., short trips only) and driving characteristics (e.g., excessive speeds). A data analysis module 152 may perform data reductions and categorization so that corresponding executive systems 105 are not inundated with raw data and to reduce the volume of data sent to the executive system. For example, the data analysis function 152 may accumulate data from a variety of systems and only report summarized or out-of-specification data. Specifically, tire pressure data may be received every five minutes, but unless the pressure in one or more tires is out of range, a report of average tire pressure may be sent to a Tier 2 supplier 108 once a day, along with, for example, miles driven. In this scenario, a Tier 2 tire supplier may be able to monitor tire condition and predict when tires should be checked for replacement.
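An added example, not part of the patent, of the tire-pressure reduction described above: out-of-range readings are forwarded at once, everything else is folded into one daily summary with miles driven. The specification window, VIN and sample stream are constructed.

```python
from datetime import datetime, timedelta


class TirePressureReducer:
    """Accumulates per-tire samples; emits out-of-range events immediately and
    one per-vehicle summary per reporting interval (constructed example)."""

    def __init__(self, spec_kpa=(210.0, 260.0), interval=timedelta(days=1)):
        self.lo, self.hi = spec_kpa       # constructed specification window
        self.interval = interval
        self.windows = {}                 # vin -> accumulation state of the open window

    @staticmethod
    def _new_window(ts, odometer_miles):
        return {"start": ts, "start_miles": odometer_miles, "sums": {}, "counts": {}}

    def ingest(self, vin, ts, tire, kpa, odometer_miles):
        """Consume one sample; return the list of reports to forward (usually empty)."""
        reports = []
        w = self.windows.setdefault(vin, self._new_window(ts, odometer_miles))
        if not self.lo <= kpa <= self.hi:
            # Out-of-specification readings are forwarded without waiting for the summary.
            reports.append({"type": "out_of_range", "vin": vin, "tire": tire,
                            "kpa": kpa, "ts": ts.isoformat()})
        w["sums"][tire] = w["sums"].get(tire, 0.0) + kpa
        w["counts"][tire] = w["counts"].get(tire, 0) + 1
        if ts - w["start"] >= self.interval:
            reports.append(self._summary(vin, w, ts, odometer_miles))
            self.windows[vin] = self._new_window(ts, odometer_miles)
        return reports

    @staticmethod
    def _summary(vin, w, ts, odometer_miles):
        return {
            "type": "daily_summary",
            "vin": vin,
            "period_end": ts.isoformat(),
            "avg_kpa": {t: round(w["sums"][t] / w["counts"][t], 1) for t in sorted(w["sums"])},
            "samples": sum(w["counts"].values()),
            "miles_driven": round(odometer_miles - w["start_miles"], 1),
        }


def run_demo_day():
    """Constructed input: one vehicle, four tires sampled every five minutes for a day,
    with a single low reading on the rear-left tire at sample 100."""
    reducer = TirePressureReducer()
    t0 = datetime(2018, 12, 11, 8, 0)
    out = []
    for i in range(289):  # 288 five-minute slots plus the sample that closes the day
        ts = t0 + timedelta(minutes=5 * i)
        for tire in ("FL", "FR", "RL", "RR"):
            kpa = 190.0 if (tire == "RL" and i == 100) else 230.0
            out.extend(reducer.ingest("VIN-DEMO-0001", ts, tire, kpa, 50_000 + 0.5 * i))
    return out
```

Of the 1153 samples fed in, only two reports leave the reducer: the single low reading and the end-of-day summary.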
[0022] In some embodiments, the data analysis module 152 may also analyze data patterns and reported errors from, in particular, intelligent devices 115, for real time decision making. In some cases, the real time decision may be to send a warning to either or both of the intelligent device involved and an executive system 105. The warning may bring attention to a potentially dangerous situation such as an engine or transmission code. In another case, analysis of data received over time may indicate a more subtle issue such as a decrease in fuel economy that may prompt a check of engine systems, tires, etc. In yet another case, an analysis of mileage in view of routine maintenance may prompt suggesting that a vehicle operator have the brakes checked. Given the rich data that may be reported to the core server 102 from the intelligent devices 115, there are a wide variety of analyses and corresponding actions available to the core server 102 beyond those suggested above.
[0023] As with many services and subscriptions, different aspects of intelligent device function may be associated with licenses or subscriptions. The license service 154 may manage licenses for the various intelligent devices 115 in its domain. These may include, but are not limited to, entertainment-oriented licenses, emergency services (e.g., OnStar) licenses, wireless network licenses, and even embedded software licenses. In the last case, a license for embedded software may be inherent in the purchase of a vehicle but may only be covered during the warranty period, so that updates after a certain mileage or time may not be covered by the OEM 106. A license control function 156 may be used to monitor and update license status on individual devices 115. In an embodiment, the license control function 156 may update settings on a vehicle 120 or IoT device 124. In another embodiment, the license service 154 may be responsible for key injection and key revocation related to enabling certain functions in an intelligent system such as satellite radio in a vehicle 120.
[0024] A configuration service 158 may manage settings on the individual devices, either separately or in groups. These settings may be specified by the executive systems 105 but also may be specified by a user 128 who is registered with the core service 102 as having rights to access and/or set the intelligent device 115. For example, in an embodiment a connected cabin climate control may receive a master key roll instruction from its manufacturer 106 and may also receive a temperature setting change instruction from the registered user 128. The former tells the thermostat to change what encryption key it is currently using and may be different from an actual software update that would be handled by the OTA and provisioning services 142, 144. The latter may simply be a normal, supported interaction with a user 128. The actual interaction with the smart thermostat, and other such communication with other intelligent devices, may be coordinated by the settings configuration function 160, which may retain or obtain current settings, particularly security-related settings such as master and session keys, PKI keys, and Diffie-Hellman or similar key exchange parameters. In some embodiments, the local systems, such as different intelligent devices 115, may generate and maintain their own security settings. In some embodiments, the core service 102 may support or trigger master key rolling in an intelligent device 115 or may participate in a key agreement process to support an encrypted session. In an embodiment, these settings may also be applicable to communication with the executive systems 105 in order to provide authorization, authentication, and privacy for those communications as well. In an embodiment, the configuration function 160 may work in conjunction with the access management function of the database 140.
[0025] A registration service 162 may manage registration of intelligent devices 115, users 126, or both. In an embodiment, intelligent devices 115 may be populated into a registration table of the database system 140 at the time of manufacture or sale so that device configuration and capabilities are known to the core service 102. Then, when a particular intelligent device is placed into operation and is initially connected to the core service 102 via the registration function 164, the intelligent device's characteristics are known. In this scenario, any programming or configuration updates may be queued up for automatic download, e.g., by the provisioning function 144. In another embodiment, an intelligent device 115 may introduce itself to the core service 102 at the time of initial production operation. In such an embodiment, the intelligent device 115 may simply send model and version information, memory size if applicable, and other information as appropriate. Upon receipt, the registration service may create a record for the device and then query a corresponding executive system 105 regarding any updates or configuration requirements for the newly-registered device.
[0026] Similarly, a user 128 may also register with the core server 102. The user 128 may register apart from any other device registration or may be registered in conjunction with the registration of a specific intelligent device 115. For example, a user account may be created at a car dealership when the user takes possession of a new vehicle 120. In another embodiment, a user 128 may create an account and register when installing a new home appliance, such as a smart refrigerator. In yet another embodiment, a user 128 who is already registered may add a new intelligent device 115 to an existing account. In this way, a user 128 may maintain a single account with the core server 102 and be able to access multiple intelligent devices without the need to create and maintain separate login and password accounts for each. In an embodiment, the core server 102 may simply act as a pipe between a user's smart phone application and the intelligent device 115. In another embodiment, the core server 102 may present a user interface so that once a user has authenticated to the core server 102, the user may see all of the available intelligent devices associated with the account as well as appropriate interfaces for user-accessible settings. In another embodiment, the core server 102 may act as a 'mailbox' for executive systems 105 to contact registered users 126. While a user 128 may change physical addresses, email addresses, phone numbers and more, users are highly likely to maintain connections to their vehicles 108 and other IoT devices 122. Therefore, an executive system 105 may improve access to their customers via the core server 102 for high importance notifications such as recalls as well as simple marketing messages, when allowed.
[0027] In some embodiments, for example when a particular device is rarely connected or simply receives many changes, some updates and configuration setting changes may accumulate. In such a case, there may be either a sequence or a priority associated with the various updates. A priority manager 166 may help to ensure that a given sequence is followed or that more important updates are scheduled before less important updates. That is, a powertrain update to a vehicle 120 may be prioritized ahead of an entertainment system update. In some embodiments, an access control function 168 may handle protocols used to access disparate systems, including session establishment, authentication, and encryption, if used. The access control system 168 may also perform security checks such as packet inspection to reduce the risk of erroneous or malicious data being introduced into the core server 102.
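An added example, not the patent's code, covering both the rule provisioning function 148 of paragraph [0020] (rules that apply only to certain models or system-level configurations, with dependent rules provisioned atomically) and the priority manager 166 just described. The update identifiers, device attributes and the lower-is-more-important priority convention are constructed.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    update_id: str
    kind: str                      # e.g. "powertrain", "idps_rule", "entertainment"
    priority: int                  # lower value = more important (constructed convention)
    applies_to: tuple = ()         # (attribute, value) pairs the target must match
    depends_on: tuple = ()         # update_ids that must be installed before this one


def applicable(update, device):
    """Rule provisioning: an update applies only if every applies_to constraint
    matches the device's system-level model (e.g. controller and drivetrain)."""
    return all(device.get(attr) == value for attr, value in update.applies_to)


def select_for_device(updates, device):
    """Keep applicable updates, then drop any update whose dependency was dropped,
    so a dependent rule set is provisioned atomically or not at all."""
    kept = {u.update_id: u for u in updates if applicable(u, device)}
    changed = True
    while changed:
        changed = False
        for uid, u in list(kept.items()):
            if any(dep not in kept for dep in u.depends_on):
                del kept[uid]
                changed = True
    return kept


def schedule(updates, device):
    """Priority manager: delivery order for one device. Dependencies are always
    delivered first; among the updates that are ready, the most important goes first."""
    kept = select_for_device(updates, device)
    order_index = {u.update_id: i for i, u in enumerate(updates)}   # stable tie-break
    remaining = {uid: set(u.depends_on) for uid, u in kept.items()}
    dependents = {uid: [] for uid in kept}
    for uid, u in kept.items():
        for dep in u.depends_on:
            dependents[dep].append(uid)
    ready = [(kept[uid].priority, order_index[uid], uid)
             for uid, deps in remaining.items() if not deps]
    heapq.heapify(ready)
    result = []
    while ready:
        _, _, uid = heapq.heappop(ready)
        result.append(uid)
        for child in dependents[uid]:
            remaining[child].discard(uid)
            if not remaining[child]:
                heapq.heappush(ready, (kept[child].priority, order_index[child], child))
    if len(result) != len(kept):  # something never became ready: a dependency cycle
        raise ValueError("dependency cycle among updates: "
                         + ", ".join(sorted(set(kept) - set(result))))
    return result


# Constructed update set mirroring the page's examples: a powertrain update, an
# entertainment update, and IDPS rules for a brake controller fitted to 4WD and 2WD vehicles.
DEMO_UPDATES = [
    Update("ENT-7", "entertainment", priority=5),
    Update("PWT-3", "powertrain", priority=1),
    Update("RULE-BASE", "idps_rule", priority=2, applies_to=(("controller", "BRK-7"),)),
    Update("RULE-4WD", "idps_rule", priority=2,
           applies_to=(("controller", "BRK-7"), ("drivetrain", "4WD")),
           depends_on=("RULE-BASE",)),
    Update("RULE-4WD-EXT", "idps_rule", priority=2, depends_on=("RULE-4WD",)),
]
```

For a 4WD vehicle with the BRK-7 controller the order is powertrain, then the three rules in dependency order, then entertainment; for a 2WD vehicle the 4WD-only rule and everything that depends on it are left out together.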
[0028] A security module 170, also sometimes known as a hardware security module (HSM), may be a system resource for tamper-proof storage of cryptographic material, key generation, cryptographic signing and verification, and other security-related functions. The security module 170 may be available to the database 140 and any of the services or functions discussed above.
[0029] A flowchart of a method 200 of managing communications with an intelligent device is illustrated in Fig. 3. At block 202, a core server 102 may receive from a data owner 105, 126 a message targeting an intelligent device 120, 124, the message including a first payload, an address, and an instruction.
[0030] At block 204, the first payload may be stored at a database 140. The database 140 may store the entire message or, in an embodiment, the instruction and address may be parsed out prior to storing the payload.
[0031] In response to a characteristic of the message, at block 206, a service may be activated, for example, one or more of the services 142, 146, 150, 154, 158 discussed above. In other embodiments, additional and/or different services may be available.
[0032] At block 208, a second payload may be generated by the service, based on the first payload and the instruction. At this step the first payload may be evaluated and, if needed, repackaged into packets or translated into a different format for transmission to and use by the intelligent device 120, 124. This preparation of the data may be performed before or after block 210, where a connection to the intelligent device 120, 124 may be established and verified. For example, if the characteristics of the intelligent device 120, 124 are known to the core server 102, the first payload may be appropriately packaged prior to the connection. However, if configuration data for the intelligent device 120, 124 is not known a priori, the decision to reformat, if needed, may be postponed until after the connection is made and/or verified.
[0033] Finally, at block 212, the second payload may be delivered to the intelligent device 120, 124 via the connection. In an embodiment, the core server 102 may verify that a secondary action based on the delivery of the second payload has been completed, such as performing an update to system software or changing a system configuration or operational setting.
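The method 200 of Fig. 3, blocks 202 through 212, as an added end-to-end example that is not code from the patent: an in-memory transport stands in for network 116 and the device's receive side, and the data-owner registrations, device ids and packet sizes are constructed. It also applies the screening of claim 11 before the first payload is stored.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """Block 202: what a data owner sends the core server."""
    sender: str       # data owner id (executive system or registered user)
    address: str      # target intelligent device id
    instruction: str  # "ota.install" or "config.set" in this example
    payload: bytes    # the first payload


HEADER = 8  # packet header: 4-byte sequence number + 4-byte packet count


class DemoTransport:
    """Constructed stand-in for network 116 plus the device's receive side."""

    def __init__(self, online, mtu):
        self.online = online      # device_id -> currently reachable?
        self.mtu = mtu            # device_id -> largest packet the device accepts
        self.received = {}

    def connect(self, device_id):
        return self.online.get(device_id, False)

    def send(self, device_id, packet):
        if len(packet) > self.mtu[device_id]:
            raise ValueError("packet exceeds device MTU")
        self.received.setdefault(device_id, []).append(packet)

    def confirm(self, device_id):
        """Device reports a digest of the reassembled body (the secondary-action check)."""
        body = b"".join(p[HEADER:] for p in self.received.pop(device_id, []))
        return hashlib.sha256(body).hexdigest()


def packetize(chunks):
    """Prefix each chunk with its sequence number and the total packet count."""
    return [i.to_bytes(4, "big") + len(chunks).to_bytes(4, "big") + c
            for i, c in enumerate(chunks)]


class CoreServer:
    def __init__(self, owners, transport):
        self.owners = owners          # device_id -> set of data owners registered for it
        self.transport = transport
        self.db = {}                  # block 204: stored first payloads by message id
        self.services = {"ota": self.ota_service, "config": self.config_service}

    def ota_service(self, msg):
        """Block 208 for OTA: split the image into device-ready packets."""
        size = self.transport.mtu[msg.address] - HEADER
        return packetize([msg.payload[i:i + size] for i in range(0, len(msg.payload), size)])

    def config_service(self, msg):
        """Block 208 for configuration: translate the setting into the device's JSON form."""
        body = json.dumps({"set": json.loads(msg.payload)}, separators=(",", ":")).encode()
        return packetize([body])

    def handle(self, msg):
        # Claim 11 style screening before anything is stored: only a registered
        # data owner of the target may address it.
        if msg.sender not in self.owners.get(msg.address, set()):
            return {"status": "rejected", "reason": "sender is not a data owner of target"}
        msg_id = hashlib.sha256(
            msg.sender.encode() + b"|" + msg.address.encode() + b"|" + msg.payload).hexdigest()[:16]
        self.db[msg_id] = msg.payload                                   # block 204
        service = self.services.get(msg.instruction.split(".", 1)[0])   # block 206
        if service is None:
            return {"status": "rejected", "reason": "no service for instruction"}
        packets = service(msg)                                          # block 208
        if not self.transport.connect(msg.address):                     # block 210
            return {"status": "deferred", "message_id": msg_id, "packets": len(packets)}
        for packet in packets:                                          # block 212
            self.transport.send(msg.address, packet)
        expected = hashlib.sha256(b"".join(p[HEADER:] for p in packets)).hexdigest()
        verified = self.transport.confirm(msg.address) == expected
        return {"status": "delivered" if verified else "unverified",
                "message_id": msg_id, "packets": len(packets)}


def build_demo_server():
    """Constructed registrations: an OEM and a user own a vehicle; the user also owns an IoT device that is offline."""
    transport = DemoTransport(online={"VEH-0001": True, "IOT-0002": False},
                              mtu={"VEH-0001": 64, "IOT-0002": 32})
    owners = {"VEH-0001": {"OEM-A", "user-42"}, "IOT-0002": {"user-42"}}
    return CoreServer(owners, transport)
```

A 150-byte OTA image for the vehicle becomes three 64-byte-or-smaller packets and is verified on delivery; the same user's configuration change for the offline IoT device is prepared but deferred, and a message from a sender not registered for the target is rejected before it reaches the database.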
[0034] The techniques disclosed above benefit both executive system participants and users alike. Executive system participants may use a single point of contact for interaction with the systems and subsystems with which they are affiliated while at the same time allowing Tier 1 , Tier 2 and other ecosystem participants to update and/or access relevant elements of the system. Similarly, a user such as an owner or operator of an intelligent device ranging from an automobile to a home thermostat and more may be able to access and query one or more of the intelligent devices 115 with which they are registered. Overall security may be improved because highly secure paths may be established on both sides of the core server 102 because participants are known and qualified ahead of time, in some cases before an intelligent device even leaves the manufacturing facility.
[0035] The figures depict preferred embodiments for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles described herein.
[0036] Upon reading this disclosure, those of skill in the art will appreciate still additional alternative structural and functional designs for the systems and methods described herein through the disclosed principles herein. Thus, while particular embodiments and applications have been illustrated and described, it is to be understood that the disclosed embodiments are not limited to the precise construction and components disclosed herein. Various modifications, changes and variations, which will be apparent to those skilled in the art, may be made in the arrangement, operation and details of the systems and methods disclosed herein without departing from the spirit and scope defined in any appended claims.
Claims
1. A system coupled between a first network that communicates data with a plurality of data owners and a second network that communicates with a plurality of intelligent devices, each of the plurality of intelligent devices associated with one or more data owners, the system comprising:
a plurality of service functions coupled between the first and second network interfaces, each of the service functions managing an operational aspect of one of the intelligent devices of the plurality of intelligent devices on behalf of a respective data owner;
a plurality of operations functions each receiving data from at least one of the plurality of intelligent devices and programmed to perform a specific data reduction prior to sending a resulting reduced data set to one of the data owners via the first network interface; and
a communication management function that monitors network connectivity with each of the plurality of intelligent devices and manages data communication responsive to individual network connectivity.
2. The system of claim 1, wherein one of the plurality of service functions is an intelligent device registration service used to validate access to the intelligent device by the respective data owner.
3. The system of claim 1, wherein one of the plurality of service functions is an over-the-air service that controls downloading payload packages and corresponding instructions from the respective data owner to the corresponding intelligent device.
4. The system of claim 1, wherein one of the plurality of service functions is an intrusion detection and intrusion protection (IDPS) service.
5. The system of claim 4, wherein the IDPS service sends a limited operation command to an intelligent device of the plurality of intelligent devices responsive to analysis of an internal communication from the intelligent device.
6. The system of claim 5, wherein the intelligent device is an engine controller and the internal communication is an engine control signature.
7. The system of claim 1, further comprising a priority manager that schedules updates based on an importance of the update for intelligent devices with limited communication access to the system.
8. A method of managing multiple independent communications with an intelligent device via a communications system, the method comprising: receiving, from a data owner, a message targeting an intelligent device, the message including a first payload, an address, and an instruction;
storing, at a database, the first payload;
activating a service responsive to the message;
generating, via the service, a second payload based on the first payload and the instruction;
verifying a connection to the intelligent device; and
delivering the second payload to the intelligent device via the connection.
9. The method of claim 8, wherein activating the service responsive to the message comprises activating the service responsive to one of a characteristic of the first payload or a characteristic of the instruction.
10. The method of claim 8, further comprising determining a priority of the second payload compared to other payloads intended for the intelligent device.
11. The method of claim 8, further comprising qualifying the message via a security screening process prior to storing the first payload of the message.
12. The method of claim 11, wherein qualifying the message comprises activating an intrusion detection and intrusion protection (IDPS) service.
13. The method of claim 12, further comprising receiving from the intelligent device an internal communication that is processed by the IDPS service for qualification prior to operation of the intelligent device.
14. The method of claim 12, further comprising sending a message to the intelligent device that causes the intelligent device to operate at a reduced level of performance responsive to identifying an abnormal aspect of the internal communication at the IDPS service.
15. The method of claim 8, further comprising activating a license at the intelligent device via a license service of the communications system.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201762597221P | 2017-12-11 | 2017-12-11 | |
US62/597,221 | 2017-12-11 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019118430A1 true WO2019118430A1 (en) | 2019-06-20 |
Family
ID=66819755
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2018/064906 WO2019118430A1 (en) | 2017-12-11 | 2018-12-11 | Cybersecurity services platform |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2019118430A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030217283A1 (en) * | 2002-05-20 | 2003-11-20 | Scott Hrastar | Method and system for encrypted network management and intrusion detection |
US20090187297A1 (en) * | 2008-01-17 | 2009-07-23 | Loretta Kish | Integrated Vessel Monitoring and Control System |
US20170208540A1 (en) * | 2014-11-04 | 2017-07-20 | Dell Products, Lp | Method and apparatus for a smart vehicle gateway with connection context aware radio communication management and multi-radio technology |
US20170289323A1 (en) * | 1999-10-06 | 2017-10-05 | Behnov GMBH, LLC | Apparatus for internetworked wireless integrated network sensors (wins) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18888298; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 10.09.2020) |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 18888298; Country of ref document: EP; Kind code of ref document: A1 |