Multiple security domain model of a vehicle in an automated platoon

This chapter focuses on the security of automated vehicle platoons. Specifically, it examines the vulnerabilities that occur via disruptions of the information flows among the different types of sensors, the communications network and the control unit in each vehicle of a platoon. Multiple security domain nondeducibility is employed to determine whether or not the system can detect attacks. The information flows among the various domains provide insights into the vulnerabilities that exist in the system and whether the model is nondeducible. If nondeducibility is found to be true, then an attacker can create an undetectable attack. Defeating nondeducibility requires additional information sources, including invariants pertaining to vehicle platoon operation. A platoon is examined from the control unit perspective to determine if the vulnerabilities are associated with preventing situational awareness, which could lead to vehicle crashes.


Introduction
Automated vehicle systems are likely to be the future of transportation. The concept of a vehicle platoon where 8-25 vehicles follow each other and each vehicle mimics the actions performed by the vehicle in front of it is compelling. The Partners for Advanced Transit and Highways (PATH) Project was introduced in 1986 to make this concept a reality. It was believed that introducing platoons would increase road capacity, reduce trip delays and limit energy consumption. A major reason for the PATH Program was to reduce accidents and breakdowns [13]. However, many people are hesitant to trust the decision making of driverless vehicles. As such, the approach taken in this research is to reduce the security threats that may impede vehicle decision making, reducing the barrier to the adoption of driverless vehicle technologies.
An automated vehicle is a cyber-physical system in which significant cyber, communications and physical components work together. The information present in the system may be cyber in nature or it may pertain to the physical properties of the system. Preserving correct information flows treats the security issues in the cyber-physical system uniformly. Disruption of information leads to the lack of deducibility of the system state.
The main contribution of this research is the development of a cyber-physical platoon model in which attacks are deducible. The goal is to create security domains such that, if an attack occurs in one domain, then the compromised domain can be detected with the help of information paths from the other domains. This research and its case scenarios demonstrate the potential to detect security problems in a cyber-physical system. Figure 1 presents a vehicle platoon and its information transfer paths. The vehicle platoon works in the following manner [16]:

System Model
The vehicle in front of the platoon is assigned the role of the lead vehicle. The lead vehicle decides the movements of the platoon. The vehicles behind the lead vehicle follow.
Each vehicle in the platoon (except for the lead vehicle) receives information from the previous vehicle and maneuvers accordingly.
If the lead vehicle wishes to slow down or take a turn, it indicates this via a beacon message and the other vehicles follow suit.
Each vehicle checks and compares the information it receives from sensors and from the communications network. If the information is consistent, the vehicle proceeds; otherwise, it raises a flag.
Other vehicles check the flagged vehicle information and decide whether to keep the vehicle in the platoon or remove it from the platoon.
Communications between autonomous vehicles create a vehicular ad hoc network. In platooning, each vehicle is connected directly to the vehicle in front, to the vehicle behind it and also to the lead vehicle (since each vehicle mimics the lead vehicle). This results in a constant number of connections (i.e., three connections) for each vehicle. All the vehicles in the platoon stay connected and the scalability problem is reduced.
This cyber-physical system consists of embedded computers, control units, a physical system, the vehicles and their sensors, and a message-passing communications network, each residing in its own security domain. Information flows among the various security domains.
The proposed model includes the following components:
Communications Network: A platoon may use any wireless networking technology, the most prominent being a short range radio technology such as WLAN (standard Wi-Fi or ZigBee). Cellular technologies or LTE can also be used. In the United States, the IEEE 1609 WAVE (wireless access in vehicular environments) protocol stack builds on IEEE 802.11p WLAN that operates on seven reserved channels in the 5.9 GHz frequency band. The WAVE protocol stack is designed to provide multi-channel operation (even for vehicles equipped with a single radio), security and lightweight application layer protocols.
Sensors: Velodyne and HDL-64E LiDAR sensors are designed for obstacle detection and navigation by autonomous vehicles. Their durability, 360° field of view and very high data rates render the sensors ideal for the most demanding perception applications as well as for 3D mobile data collection and mapping applications. The information received from a LiDAR sensor is sent to the vehicle control unit. RADAR sensors are currently used in advanced cruise control systems to measure vital parameters such as range, angle and Doppler velocity. This information is used to assess the driving situation and signal the control unit about potentially dangerous events.
Control Unit: The control unit is the brain of a vehicle and gives it directions. The control unit makes decisions based on the inputs it receives from the sources mentioned above. If discrepancies in the information paths are detected, the control unit alerts other vehicles by sending special-purpose messages. If enough information paths are available, the control unit can take corrective actions itself.
Monitor: Invariant equations (e.g., distance = speed × time (t)) are evaluated by an embedded monitor to compute where the vehicle would be at time t. The assumption is that the vehicle would have its own speed calculation mechanism such as a speedometer and a clock to tell the time. At each instant, the monitor computes the distance information and sends it to the control unit. The monitor evaluates the invariant using each information source to check for consistency.
Messages with information about speed and distance are passed from the lead vehicle to other vehicles in the platoon in the form of beacons (messages transmitted in the network from one vehicle to another) as shown in Figure 1. Beacons contain information about the speeds and distances of all the vehicles in front of a given vehicle. A control unit gathers information directly from the sensors and from the communications network that exists between the vehicles.

Related Work
Various security threats target confidentiality (e.g., an attacker tracks a vehicle), integrity (e.g., an attacker changes beacon information) and availability (e.g., an attacker jams the network that communicates speed and distance values). The attacker is defined as someone/something that is not authorized to access or modify the vehicle or system components, but is able to do so. The attacker may intend to cause a traffic jam or even a crash.

Confidentiality
Much research on confidentiality or privacy has focused on securing the entity itself. Separate access control [9] can prevent changes to vehicle control commands. Dividing each section on the control board restricts information flow based on the type of control implemented by the section. This preserves the privacy of the vehicle.
A virtual trip lane (VTL) with multiple zones (e.g., $VTL_1$ and $VTL_2$) [14] can preserve privacy by using the lane to regulate location and speed reports. The estimated time for $VTL_1$ is computed when the vehicle enters the next zone $VTL_2$ and is compared against the actual arrival time in $VTL_2$. Releasing trajectory data only within a single virtual trip lane zone helps protect privacy.

Integrity
Research has focused on securing information using encryption [7], but this only provides conditional privacy (i.e., only the entities involved in the communications know about the communications). Several integrity attacks have targeted vehicles via direct access to the hardware or via a wireless channel. The main goal of an attacker is to access the controller area network (CAN) of a vehicle and control the vehicle.
Koscher et al. [8] discuss the vulnerabilities of controller area networks. Controller area network packets contain no authentication fields or even source identifier fields, meaning that any component can "invisibly" send packets to any other component in the network. This means that just one compromised component can be used to control all the other components on the controller area network bus. Koscher et al. report that broadcasting malicious data from an infected controller area network can enable an attacker to seize control of a vehicle.
A widely-reported wireless attack [11] took control of the engine control unit (ECU) of a Jeep that sends commands to the other components in the vehicle. The attack leveraged a cellular network connected to the vehicle entertainment system in order to compromise the controller area network. The attack was able to kill the brakes, steer the vehicle and control the horn and parking lights at will.
Koscher et al. [8] have also worked on wireless access, which is discussed in [3]. Access to the engine control unit is gained via Bluetooth and reverse engineering. Once access is gained, the attacker can make changes to the braking system and modify the speed of the vehicle.
Another recent attack targeted a Tesla S model by gaining wireless access to the controller area network of the vehicle [1]. The attack was launched when the driver connected to a malicious Wi-Fi hotspot. The researchers were able to devise an alternate authentication scheme using ECDSA with omission techniques and TESLA++. However, the problem of scalability still exists because each new vehicle has to be authenticated with every other vehicle in a group by a roadside unit (despite the fact that the authentication overhead is reduced when two groups intend to communicate). A special message is sent when the information is not authentic; the verification is performed by the engine control unit using information from another vehicle.

Availability
An attack that impacts the availability of information can cause serious problems to connected vehicles. Traditional techniques such as beamforming (i.e., actively steering wireless transmission and reception beams to maximize useful signal reception while minimizing interfering signal reception) can combat jamming attacks on sensors [12].
A Sybil attack can be used to target connected vehicles. In this attack, the reputation system of a peer-to-peer network system is subverted maliciously by creating a large number of pseudonymous identities. Using these identities, the attacker can gain a disproportionately large influence on the functioning of the system. This attack can be detected efficiently using a less complex cryptographic technique and obtaining pseudonyms from roadside units at continuous intervals from a trusted source [2]. Distinct roadside units that periodically collect reports from communicating vehicles in the neighborhood reduce the vulnerability.
In the long term, it is believed that vehicles involved in a Sybil attack would pass similar information as the benign vehicles. A trust-based system for detecting malicious vehicles can employ an iterative filtering algorithm to detect malicious vehicles and address the problem of collusion [6], where vehicles attempt to improve the trust ratings of false vehicles.
Denial-of-service (DoS) attacks can be detected easily. Lyamin et al. [10] use time intervals to listen on a channel and determine whether or not all the beacons have been received. If there is a beacon loss, two nodes may be involved in a collision within the same group. To prevent collisions, the nodes must have an initialization phase. The initialization phase ensures that the nodes start from safe states (i.e., no attacks) and do not collide with each other. Some attacks are difficult to detect and mitigate using only one vehicle [11]. When multiple vehicles are present, the vehicles could examine the information they receive and determine that a vehicle is under attack. This is possible because the attacked vehicle would send information that would not match the information available to the other vehicles.
Sun et al. [14] have shown that the use of virtual trip lane zones can address privacy concerns. Their approach relies on real-time data. Therefore, if an attacker were to know the position of a vehicle in a virtual trip zone, the attacker would be able to track the movement of the vehicle in real time.
Certain attacks spoof data originating from a communications network and beacons [3,8]. Cryptography can be used to secure messages between vehicles [1,7]. Using a strong encryption method can secure communications, but the assumption is that the cryptographic keys are exchanged securely before communications are initiated. Another underlying assumption is that the vehicle itself is not compromised. In real-time scenarios involving vehicles it may not be possible to securely share information while the vehicles are in motion. The denial-of-service attacks discussed in [10,12] are based on reducing interference and listening to the channel periodically, but hazardous weather conditions could make it difficult to listen to the channel. Instead of treating all these issues separately, the proposed methodology adopts a scientific approach that uniformly models the interactions of distinct security domains.

Multiple Security Domain Nondeducibility
Nondeducibility was introduced by Sutherland [15] in an attempt to model infrastructures that secure information using a partitioned model. The partitions are grouped into two or more sets. These sets are usually labeled as high and low with all the information restricted to one side of the partition or the other. Information that cannot be determined from the other side of the domain is said to be nondeducibility secure. However, the partition must be absolute and simple. Overlapping security domains present severe difficulties for nondeducibility as do information flows that cannot be evaluated because the model lacks the required valuation functions.
$V$ is a set of valuation functions such that $V^i_{s_x}(w)$ returns the value of a state variable $s_x$ as seen by an entity $i$ in world $w$. For example, if a vehicle control unit $c$ obtains distance information from sensor $d_s$, then $V^c_{d_s}(w)$ returns true; otherwise, it returns false.

Definition.
A system is multiple security domain nondeducible (MSDND) secure if there exists a world with a pair of states where one state must be true and the other false (exclusive or), but an entity $i$ has no valuation function for the states. An entity $i$ in security domain $SD_i$ cannot know which state is true and which state is false [4]. In particular: where $s_x$ and $s_y$ are states, $V^i_x$ and $V^i_y$ are the valuation functions of $s_x$ in domain $i$ and $s_y$ in domain $i$, respectively, and $w$ is a world.

Problem Statement
It is possible to devise an attack, like Stuxnet [5], that changes the speed and distance values. However, it is important to be able to tell if the attack (i.e., changing sensor or network information) is MSDND. If the attack is MSDND, then the attacker has an advantage because the target would not know which component is malfunctioning. Therefore, the model should be designed to eliminate attacks that are MSDND secure. Figure 2 shows the security domain partitions and the interactions between vehicle control units and communications points. A monitor positioned in a vehicle evaluates the invariants pertaining to the vehicle state. If a discrepancy exists in the distance information sent by one of the paths to the control unit, then the control unit would know that something is wrong.
The following entities can be evaluated to determine the interactions between a vehicle and the communications system:
c : The vehicle control unit c obtains data and computes the movement.
s : Each LiDAR sensor s provides a distance value d(s).
n : The communications network n between the vehicles provides the network value d(n).
ISV : The information source validator ISV is executed by the monitor to check if the information received from the information paths is valid. Table 1 shows that ISV sequentially checks sources against other sources and invariants that involve multiple sources.

Check Source
The term d(c) denotes the distance that the control unit accepts based on information received from the paths. For a given state, the valuation functions return the values of the corresponding state variables (c, s, n) as seen by the entity in control.
The control unit detects a compromised information path if the information it receives from the corresponding sensor is not equal to the value it receives from the communications network. In other words, it uses the result of a check $ch_i$. If the check value is false, then the control unit knows that one of the information paths has been compromised.
Five cases and their sub-cases are discussed in the following sections. Figure 1 shows that there are two information paths, sensor and network. Case 1 assumes that a vehicle has exactly one information path, either sensor or network, that provides information about the distance between the vehicle and the vehicle in front of it. In particular, the goal is to show that one information path can make the system MSDND secure as well as not MSDND secure. Four sub-cases are considered.

Case 1(a):
Assume that the vehicles are connected only to network n and that the network provides correct information (i.e., d(n) = true): $w \models (\exists V^c_{d(n)}(w))$ : Control unit receives distance information from the network.
It follows that: The system is not nondeducible secure to the control unit according to the definition because $\exists V^c_{d(n)}(w)$.

Case 1(b):
Assume that the vehicles connected to network n receive incorrect information (i.e., ¬d(n) = true): w |= ( V c ¬d(n) (w)) : Control unit receives distance information from the network.
It follows that: The system is nondeducible secure to the control unit according to the definition.

Case 1(c):
Assume that the vehicles are connected only to sensor s, which provides correct information (i.e., d(s) = true). This case is similar to Case 1(a).

Case 1(d):
Assume that the vehicles are connected to sensor s and receive incorrect information (i.e., ¬d(s) = true). This case is similar to Case 1(b).
Although the goal is to create a model that is not nondeducible secure, the control unit in Cases 1(b) and 1(d) would believe the data and direct the vehicle accordingly. Having no other information path for verification is potentially hazardous because it is nondeducible if the information received is incorrect.

Case 2
In Case 2, the sensor and communications network provide distance information to the control unit. Upon receiving the distance information, the control unit attempts to determine whether or not the information provided is correct. The control unit would know that an information path is corrupted if there is a discrepancy in the information provided by the two paths. In the following, two sub-cases are examined.

Case 2(a):
If n is faulty, then the system has been compromised. The attacker can manipulate the information and, thus, incorrect information is received by the control unit from the network (i.e., ¬d(n) = true and d(s) = true). From statement S3, the control unit would know that an information path has been compromised.
Combining statements S1 and S2 yields the following expression: The system is not nondeducible to the control unit because the unit can deduce that something is wrong. But it cannot determine which information path is responsible. An additional information path is needed to determine the path that transmits incorrect data.

Case 2(b):
If s is faulty, then the system has been compromised. The attacker can manipulate the information and, thus, incorrect information is received by the control unit from the sensor (i.e., ¬d(s) = true and d(n) = true). The following statements hold: S1: w |= ( V c ¬d(s) (w)) : Control unit receives information from the sensor. From statement S3, the control unit would know that an information path has been compromised. Combining statements S1 and S2 yields the following expression: The system is not nondeducible to the control unit because the unit can deduce that something is wrong. But it cannot determine which information path is responsible for transmitting the incorrect data.
Invariants relate the properties of a vehicle in a manner that, if one portion of the model is compromised, then the invariant is falsified. The MSDND model is extended as follows: $invariant_{dist}$ ($d(i)$): distance = speed × time. Each vehicle has its own speedometer that enables it to compute the distance that it has traveled during a period of time.
Based on the model, the three sources that provide distance information are: The three sources, sensor, network and invariant, are shown in Figure 3. Figure 4. Specifically, the vehicle can calculate the distance covered in the $t_2 - t_1$ interval using the latitude (lat) and longitude (lon) and by computing: distance = speed × time. If, at time $t_1$, the network gives a certain location for vehicle $V_{i+1}$ and, at $t_2$, the network gives another location for $V_{i+1}$, then vehicle $V_i$ can compute the distance moved by $V_{i+1}$ because it has its speed and the duration. If there is a discrepancy in the information, then the network has been compromised.
The control unit would have the correct distance information if a valuation function exists for any one of $ch_1$, $ch_2$ or $ch_3$.

Case 3
In Case 3, another information path (invariant path) is added to the model. This additional information path helps make the model not MSDND secure. The control unit would also have the correct distance information if a valuation function exists for any one of the checks $ch_1$, $ch_2$ or $ch_3$, which can indicate which path is compromised. Thus, the control unit can sense that something is wrong.
: From statement S5. It follows that: This is not nondeducible secure because the control unit can deduce that something is wrong and can determine that the network is responsible for the incorrect data being transmitted.

Case 3(b): s is faulty (i.e., ¬d(s) = true). This case is similar to Case 3(a).
It is assumed that the invariant is always true and that the information about the speed is unaltered. However, as discussed in [11], the attacker can also change the information received by the control unit. In this situation, the other two components, sensor and network, can provide the correct information.
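The detection logic of Cases 1 to 3, as an added example that is not code from the chapter: a Python version of the information source validator. It assumes that each path has been reduced to an estimate of the same distance in metres, that the checks compare the paths pairwise (the pairing behind ch_1 to ch_3 is not given on the page), and an arbitrary agreement tolerance; all readings are constructed.

```python
from itertools import combinations

TOLERANCE_M = 0.5  # assumed agreement tolerance in metres; the chapter gives none


def invariant_distance(speed_mps, t1, t2):
    """Invariant path d(i): distance = speed x time, computed from the
    vehicle's own speedometer and clock."""
    return speed_mps * (t2 - t1)


def isv(d_s=None, d_n=None, d_i=None, tol=TOLERANCE_M):
    """Information source validator run by the monitor.

    d_s, d_n, d_i are the distances (m) reported by the sensor, network and
    invariant paths; None means the path is not available.
    Returns (verdict, suspects).
    """
    paths = {name: value
             for name, value in (("sensor", d_s), ("network", d_n),
                                 ("invariant", d_i))
             if value is not None}
    if len(paths) < 2:
        # Case 1: nothing to compare against, so a false value is accepted
        # and the attack stays undetectable to the control unit.
        return "unverifiable", set()

    # Pairwise consistency checks (assumed reading of ch_1..ch_3).
    checks = {pair: abs(paths[pair[0]] - paths[pair[1]]) <= tol
              for pair in combinations(paths, 2)}
    if all(checks.values()):
        return "consistent", set()

    # Case 3: a path is isolated when it fails every check it takes part in
    # while the remaining paths agree with each other.
    for name in paths:
        mine = [ok for pair, ok in checks.items() if name in pair]
        others = [ok for pair, ok in checks.items() if name not in pair]
        if others and not any(mine) and all(others):
            return "compromised path identified", {name}

    # Case 2 (or a three-way disagreement): something is wrong, but the
    # control unit cannot tell which path is responsible.
    return "discrepancy detected", set(paths)


if __name__ == "__main__":
    # Constructed readings: 25 m/s for 2 s gives an invariant distance of 50 m.
    d_i = invariant_distance(25.0, 0.0, 2.0)
    print("Case 1(b):", isv(d_n=42.0))
    print("Case 2(a):", isv(d_s=50.2, d_n=42.0))
    print("Case 3(a):", isv(d_s=50.2, d_n=42.0, d_i=d_i))
    print("Case 3(b):", isv(d_s=61.0, d_n=50.1, d_i=d_i))
    # Sensor and network carrying the same false value outvote the invariant.
    print("Collusion:", isv(d_s=42.0, d_n=42.0, d_i=d_i))
```

The last call shows the limit named in the conclusions: when two sources provide the same incorrect information, pairwise agreement blames the one honest path.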
Assume that there are multiple vehicles in the platoon and multiple platoons are nearby. This situation is shown in Figure 5.
The sources of information are: s : Each LiDAR sensor s provides a distance value d(s).
n : The communications network n between the vehicles provides the network value d(n).

Case 4
In Case 4, multiple vehicles are in a platoon and no other platoons are nearby. Vehicles communicate information between each other using beacons. A beacon is an additional information path to the control unit that can help detect an incorrect information path.
Consider the situation where a vehicle provides incorrect information (i.e., ¬beacon = true). The following statements hold: S1: $w \models (\exists V^c_{d(n)})$ : Control unit receives information from the network. It follows that: This is not nondeducible secure because the control unit can deduce that something is wrong and can determine that $beacon_i$ is responsible for the incorrect data being transmitted. Thus, it is possible to detect if a vehicle in the platoon has been compromised.

Case 5
In Case 5, there are multiple platoons as shown in Figure 5. Information paths exist between adjacent platoons. The information paths help detect an incorrect data path when multiple information paths are compromised.
Consider the situation where $\neg beacon_i$ = true. The following statements hold: S1: $w \models (\exists V^c_{d(n)})$ : Control unit receives information from the network. It follows that: This is not nondeducible secure because the control unit can detect that something is wrong and can determine that $beacon_i$ is responsible for the incorrect data being transmitted.
As demonstrated above, information from other platoons can be used to detect the compromised information path and, ultimately, the compromised vehicle. The case where platoons can detect if a vehicle has been compromised is considered because Case 4 demonstrates that it is possible to detect a compromised vehicle without a platoon. However, if other information sources are compromised, then having the additional source assists in attack detection.

Conclusions
MSDND is useful to model attacks where the goal is to hide critical information from an attacker. MSDND secure is a major disadvantage to a vehicle platoon and a boon to an attacker because information can be hidden by making it impossible to detect an attack or the valuation function could be falsified to produce an invalid valuation, rendering the information MSDND secure and undetectable. As demonstrated in the case study, the vehicle control units in a platoon may be unable to determine which vehicle has been compromised.
This research has focused on securing vehicles in an automated platoon. Minimizing the number of assumptions made in the model is a topic of future research. It is also necessary to handle situations where more than half of the information sources are compromised. Another problem is to handle cases where two sets of information sources provide the same incorrect information. Other vehicular scenarios that will be considered include platoon joining, lane changing and platoon splitting.