ERA GLONASS project

Functional Safety and Information Security
Certification of safety-critical GNSS applications
Roland Bauernfeind
07.07.2016
About NavCert
 Founded in 2006 as a joint venture of TÜV SÜD and OECON
 Taken over 100% by OECON in 2012
 Sites in Munich and Braunschweig
 ISO 17025 accredited laboratory for GNSS measurement systems and applications
 Notified Body (NB2603) for the European Electronic Toll Service
 Current R&D projects:
– GNSS: FOSTER ITS, Robust EGNSS Timing Services
– eCall: HeERO2, EMYNOS
© NavCert
Overview
 Automotive GNSS
 Certification
 Functional safety (ISO 26262)
 Information security (CC, SAE J3061)
 Summary
Automotive GNSS
 Galileo Authentication Services: "different levels of authentication in Galileo's Open, Commercial and PRS services – all of which will soon be available"
 u-blox strategic priorities 2016: "Cost effective ways of developing hardware and software compatible with international functional safety standards (ISO 26262)"
 NovAtel: "plans to achieve ISO/TS 16949 compliance by the end of 2016. This is the first, but important, milestone in the Safety Critical Systems Group's path to success and will be followed by an ISO 26262 compliant product."
[Figure: Galileo authentication services PRS, CS-Auth and OS NMA placed against the market segments Governmental, Professional and Mass Market; axes: Robustness and Volume]
Automotive GNSS
 Combining safety and security: FOSTER ITS (First Operational, Secured and Trusted galilEo Receiver for ITS)
 Funded by the GSA within H2020 (2015-2017)
 Features: multi-constellation, sensor fusion, Galileo OS NMA, attack detection, QM, CC EAL4+
 Consortium:
Automotive GNSS
 Smart Tachograph (4th generation tachograph)
– Draft COMMISSION IMPLEMENTING REGULATION (EU) …/... of XXX implementing Regulation (EU) No 165/2014
 Collision Avoidance
– ETSI TS 101 539-3 "V2X Applications; Part 3: Longitudinal Collision Risk Warning"
– UN/ECE R 131 "Advanced Emergency Braking Systems (AEBS)"
 Adaptive Cruise Control
– ETSI TR 103 299 "Intelligent Transport Systems (ITS); Cooperative Adaptive Cruise Control (CACC); Pre-standardization study"
– ISO TC204 WG14 "Vehicle/Roadway Warning and Control Systems"
• PWI 20035 Intelligent Transport Systems – Cooperative Adaptive Cruise Control (CACC) – Performance Requirements and Test Procedures
• Extending "ISO 15622 Adaptive Cruise Control Systems"
Certification
 Mandatory schemes defined as part of regulations (type approval).
In Europe there are two type-approval frameworks for whole vehicles, vehicle systems and separate components:
– one based on EC Directives
– the other based on the regulations of the United Nations Economic Commission for Europe (UNECE)
 Voluntary schemes defined by industry for
– assuring compliance with standards
– providing a minimum level of performance
– pre-certification of sub-systems
– confirmation measures
Functional safety
 ISO 26262 "Road vehicles – Functional safety"
 Addresses functional safety in automotive electrical/electronic systems by defining requirements for the entire development process
 Risk-based approach for determining the Automotive Safety Integrity Level (ASIL)
 Use of the ASIL for specifying the item's necessary safety requirements for achieving an acceptable residual risk
Source: Stefan Kriso, "Automotive Security im Kontext der Funktionalen Sicherheit"
Functional safety
 Confirmation measures that shall be performed by a person from a different department or organization
For all ASILs incl. QM:
– Confirmation review of the hazard analysis & risk assessment
For ASIL D:
– Confirmation review of the safety plan
– Confirmation review of the safety analyses (FMEA, FTA)
– Confirmation review of the proven-in-use arguments of the candidates
– Confirmation review of the completeness of the safety case
– Audit of functional safety processes
– Functional safety assessment
 Functional safety assessment report (incl. audit report, confirmation review report)
Information security
 Common Criteria for Information Technology Security Evaluation, ISO/IEC 15408
– Security Functional Requirements (SFR)
– Security Assurance Requirements (SAR)
 A Protection Profile (PP) is an implementation-independent set of security requirements for a particular category of product, e.g. external GNSS facility (Smart Tachograph)
 The Security Target (ST) describes the Target of Evaluation (TOE) and, based on the PP, the requirements for the specific implementation; the ST claims conformance to the PP
 The developed TOE is evaluated against its ST according to an Evaluation Assurance Level (EAL), e.g. the Smart Tachograph requires EAL 4+
 PP and TOE are registered at the Evaluation Authority
[Figure: the four Common Criteria terms Protection Profile (PP), Security Target (ST), Target of Evaluation (TOE) and Evaluation Assurance Level (EAL)]
Information security
 Evaluation Assurance Levels (EAL) 1…7
Level   Description
EAL 1   Functionally tested.
EAL 2   Structurally tested.
EAL 3   Methodically tested and checked.
EAL 4   Methodically designed, tested and reviewed.
 Responsibilities of the roles:
Sponsor               • Requests an evaluation
                      • Ensures that evidence is provided
Developer             • Produces the TOE
                      • Provides the evidence
Evaluator             • Performs the evaluation tasks
                      • Provides the evaluation assessment
Evaluation Authority  • Establishes and maintains the scheme
                      • Issues certification/validation reports
Information security
 Similar approach proposed for the V2X box: C2C-CC – Trust Assurance Levels (TAL)
[Source: PRESERVE D5.4 "Deployment Issues Report V4"]
Information security
 SAE J3061 "Cybersecurity Guidebook for Cyber-Physical Vehicle Systems"
– Issued in January 2016
– Focus on building cybersecurity into the design
 Functional safety focuses on product development, whereas cybersecurity has to consider the complete product lifetime
– Field monitoring process, e.g. the Automotive Information Sharing and Analysis Center (Auto-ISAC) to disseminate and exchange cyber threat information
 Cybersecurity engineering process framework modelled on ISO 26262
 Communication channels between the ISO 26262 and cybersecurity development processes
Information security
 SAE J3061 proposed communication channels (concept phase)
Cybersecurity process                                   Functional safety process (ISO 26262)
Feature Definition
Initialization of Cybersecurity Lifecycle (Planning)
Threat Analysis and Risk Assessment                <->  Hazard Analysis and Risk Assessment
Cybersecurity Concept                              <->  Functional Safety Concept
Identify Functional Cybersecurity Requirements     <->  Functional Safety Requirements
Initial Cybersecurity Assessment
Concept Phase Review                               <->  Concept Phase Review
Summary
 High relevance of functional safety as well as information security for future automotive GNSS applications
 The foundations for future certification of information security are still under development, e.g. a protection profile for GNSS
 SAE J3061 is a first approach to making sensible use of the synergies between functional safety and information security.
NavCert GmbH
Im Tal 26
80331 München
[email protected]
www.navcert.com