Analysis of Security Vulnerability Levels of In-Vehicle Network Topologies Applying Graph Representations

This article investigates cybersecurity issues related to in-vehicle communication networks. In-vehicle communication network security is evaluated based on the protection characteristics of the network components and the topology of the network. The automotive communication network topologies are represented as undirected weighted graphs, and their vulnerability is estimated based on the specific characteristics of the generated graph. Thirteen different vehicle models have been investigated to compare the vulnerability levels of the in-vehicle network using the Dijkstra's shortest route algorithm. An important advantage of the proposed method is that it is in accordance with the most relevant security evaluation models. On the other hand, the newly introduced approach considers the Secure-by-Design concept principles.


Introduction
Automotive security is a rapidly developing field, as the risk of securing automotive systems is increasing. New challenges emerge every day, which can lead to further security problems. Safety of vehicles from accidents and cyberattacks will become the priority research orientation of the future development processes. In the in-vehicle network (IVN) protocol design process, automotive engineers have not addressed the cybersecurity issues adequately, instead, they focused on the safety aspects. Fault tolerance, robustness, reliability and an acceptable bandwidth were the key research objectives in this subdomain. Nevertheless, automotive trends have shown that transport and vehicles will be automated and communicate with each other to increase road safety, and the number of ECUs (Electronic Control Units) with ever-expanding ADAS (Advanced Driver Assistance Systems) functions will continue to grow. The growing number of ECUs implies that the required bandwidth is to widen, more subnets are present, and consequently more error factors can be expected, which is already an embedded programming and electronic issue. If the problem is approached from a cyber-physical point of view, it can be seen that the protection of automotive communication networks is extremely important. The reason is that compromising the sensor or control data signals on the IVN can directly affect the physical operation of the vehicle, which has a direct impact on passenger safety. Based on these insights, it can be seen that security and safety co-engineering are required from the beginning of the design and development processes [21,24].
Network protocols used currently in vehicles are LIN, CAN, FlexRay, MOST, and the automotive version of the well-known high-bandwidth Ethernet protocol. LIN (Local Interconnect Network) networks carry simple control signals (e.g., door and window operation); they are commonly used in subnets, and are not critical from a safety perspective. The CAN (Controller Area Network) is widely used in vehicular systems for its high reliability, robustness and low cost, for applications that do not necessarily need higher bandwidth than 1 Mbps. The cyber protection of the CAN bus is based on simple defense mechanisms, e.g. Cyclic Redundancy Checksum (CRC), Acknowledge (ACK), End of Frame (EOF) fields. However, several improvements have been made to the protocol since the first version appeared, e.g. time-triggered CAN, which further increased its security level [2,6]. A newer generation communication protocol is FlexRay, a fault-tolerant, deterministic, high-speed protocol, which supports safety and time-critical applications such as X-by-wire. Additionally, it is suitable as a communication backbone, which connects heterogeneous subnets together. The protocol has two main modes: single or dual channel mode; and each channel has a maximum bandwidth of 10 Mbps. Therefore, a dualchannel configuration can operate 20 times faster than the CAN bus data rate specification [6]. From a security perspective, the FlexRay system has a huge advantage, if data transfer is jammed or fails during one channel transmission, data can be authenticated on the other channel [21]. Nowadays, cars have domain ECUs and central gateways, but in the near future, the emergence of zonal gateways and central computing platform is expected, which will revolutionize in-vehicle E/E (electrical / electronic) architectures, and the requirements will also be fullfilled for the automotive Ethernet protocol. Nevertheless, the current and oldest E/E architectures and domain controllers could offer a high level of security if the topology design is very precise, and there are additional sub gateways besides the central gateway, which connect safety-critical function controllers [7,19]. According to [20], segmented topologies and additional gateways support more stable and robust communication for critical applications by taking into account only a few ECUs interconnected by a small segment. Lots of vehicle functions need segment transitions (e.g. from CAN to FlexRay), and this presupposes resource-intensive load for ECUs, which actually act as transit gateways. Experience shows that intervening in additional ECU-gateways influences the overall network topology efficiency [9,20]. In vehicles where all four communication protocols mentioned above (except automotive Ethernet) are present, the following topology types are used: star, bus, ring, and a mixture of these called a hybrid topology. In star topology, all the ECUS are connected to the central hub with individual lines. If the central ECU or the main hub fails, then the entire communication breaks down. However, if only one ECU fails, then the rest of the network continues to function. This kind of topology could be suitable for security and safety applications. The most common topology is bus topology, in which all ECUs are connected to the mainline. If the mainline is interrupted, two segments are formed, which normally continue to function. Ring topology has two main types: single ring and double ring. In the single ring topology, the information is sent in one direction from one node to the next one until the messages reach the destination node. This kind of connection has a big disadvantage, because when a single node fails, it disables the whole communication system. In contrast, in the double ring topology, the information flow is bidirectional, which is more reliable.
In the next section, we discuss the related research, results, and threat and vulnerability assessment methods that can be used to explore the vulnerability of vehicles to cyber-attacks.

Related Works
In particular, the safety design principles must be followed throughout the life cycle of vehicle network design and production, in accordance with the Functional safety (ISO26262) and the Road Vehicles -Safety of the Intended Functionality (SOTIF) standard (ISO / PAS 21448). As state-of-the-art vehicle systems should be treated as cyberphysical systems, SAEJ3061 (Cybersecurity Guidebook for Cyber-Physical Vehicle Systems) standard should be considered with the same emphasis from the initial design phase. By adhering to these, several vulnerabilities may have emerged in the design of E/E architectures that would have been hidden during a traditional product development procedure. On the other hand, developers can support the robustness of the vehicle's network architecture by using the Secure by Design development concept, which reduces risks or, where appropriate, makes it nearly impossible for a malicious attacker to achieve its goal. In system evaluation processes, including vulnerability assessment, the main activity is threat modeling. Using the top-down deductive approach, threat modeling and vulnerability assessment tools help the developers make architectural decisions, reduce potential vulnerabilities, and consider every hidden security breach. In threat modeling, every development stage has its objectives with different requirements regarding input factors. One of the most widely used threat modeling procedures is STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of privilege), a software-centric model that also forms the basis of other threat modeling methods. Initially used in business enterprise IT systems, however, it has been successfully adopted by the automotive industry, as it covers all essential cybersecurity principles. As part of the EVITA research project (E-Safety Vehicle Intrusion Protected Applications), the researchers identified the E/E use cases and the potential threats and risks associated with them [8]. The level of risk associated with threats was assessed as a function of severity and likelihood, similar to the HARA (Hazard Analysis and Risk Assessment) safety-oriented methodology [11]. Another systematic identification process is TVRA (Threat Vulnerability and Risk Analysis) [4], which was introduced by ETSI in order to support security-oriented standardization processes. A combination of the above-mentioned STRIDE and HARA methodology is the SAHARA (Safety aware hazard analysis and risk assessment) method [16], which considers safety and security co-engineering principles to enhance the effectiveness of security-aware safety development of cyber-physical systems.
Several studies have shown that at the embedded system level, it is worthwhile to examine the system architecture and provide innovative solutions at the processor and memory management level. Zheng et al. [28,29] shows how to prevent side-channel attacks (e.g., cache attack, timing attack) using the digital PUFs (Physical Unclonable Functions), applied in the authentication mechanism at the machine level as a digital fingerprint, thus protecting the embedded system from tampering. Research has also highlighted the importance of protecting the intellectual property (IP) and integrity of the hardware with more sophisticated countermeasures like IP watermarking [22]. Certain design phases may assume the inclusion of Hardware Trojans (HT) that can modify the operation and parameters of the hardware even by leaking private cryptographic keys, which can lead to severe consequences. In the review [10], the authors summarize the critical vulnerabilities of the IVN that a malicious attacker can exploit using a different types of attack scenarios. According to this study, one of the weakest points of IVN is that there is no authentication process, and it is sensitive to spoofing attacks when a rogue node sends authentic messages to the bus. Another weak point in the communication system is that the data is broadcasted on the bus and this is feasible to passive eavesdropping attacks. DoS attacks can take advantage of the arbitration mechanism of the CAN bus because messages with low IDs are prioritized, so flooding a similar message can disrupt the whole communication process. Replay attacks can take advantage of the design flaw that message frames do not contain timestamp information.
According to a basic research study [14], major hazards originate from the interconnection of different car bus systems via various gateway devices, and when a single node is compromised all the other nodes are endangered. Furthermore, gateways can also interpret and compose all the distinct physical interfaces and manage protocol conversion and error protection of message verification. As centralized architectures with Ethernet backbone are lacking, in our research, gateways have a central role. They are present in the IVN, they offer advanced security countermeasures and improve the functional safety of the whole vehicle. In order to improve security of the controllers and gateways, one of the most commonly used countermeasures to handle impersonation type attacks is authentication. Authentication confirms that only valid controllers can communicate within the automotive bus system. Controllers need to have a certificate to send messages to the gateway as a valid sender. The certificate consists of the controller ID, a public key and the authorization of the controller. Accordingly, gateways contain a public key of OEMs (Original Equipment Manufacturer) of vehicles. The controller certificates are verified from the OEMs with secret keys. Gateways use the public key of the OEM to verify the validity of the controller certificate [26].
Corresponding to the above-mentioned properties in the vehicular bus communication system, the gateway can be operated as a functional firewall [27]. The firewall rules are based on the authorization certificate (AC) between the gateway and the other controllers. Accordingly, only certified controllers can send messages into the vehicle bus system. The rules of firewalls can be applied to support the approval process related to the subnets. The vehicle has a vast number of components inside the vehicle communication network, and every component has a unique protection parameter. The aim of this study is to determine the vulnerability of a given vehicle. For this analysis, each protection parameter is represented as a cost function. To identify the shortest path from one component to another component, consecutive path lengths are examined. Hence, the vulnerability of a given vehicle is determined based on the shortest path.

Methodology
The main research idea is to identify the vulnerable points and the communication sublinks of a certain in-vehicle network. In this study, the degree of exposure of vehicular network topologies to cyberattacks was tested for fifteen vehicles. The analyzed vehicle types were selected based on which topologies were available online and those found in other cybersecurity studies [17]. Accordingly, in the first step, the topologies of the investigated communication networks were represented, then the communication links between the different components were ranked based on the security level of the given link. There are also industry standard vulnerability indicators like CVSS (Common Vulnerability Scoring System) [2], which generally evaluate software vulnerabilities in IT systems on a scale of 1 to 10. As the vulnerability score was evaluated according to automotive topologies, a new scoring system was developed.

Newly Developed Security Level Assessment Methodology
The results of our previous research pointed out that relatively few security levels can be adequate for efficiently characterizing the in-vehicle network's protection level. Based on the performed regression and cluster analyses, three levels are sufficient to rank the vulnerability of the vehicular communication networks [5]. In accordance with this, the typical IVN architecture frequently consists of three or four hierarchy levels: network domains separated by gateways (first level), subdomains handled by domain controllers (second level), and the bottom of the hierarchy tree is mainly built up from subnetworks (third level) [1]. Our scoring system distinguishes the protection status / vulnerability of a given communication link on 3 levels, which is briefly described below and presented in Table 1. If a link or section is not protected by any special security measures, including data encryption, authentication, gateway, HSM (Hardware Secure Module), or IDS (Intrusion Detection System), its security level is ranked 1. If the communication link is connected directly to a gateway, but no other security measures are applied (encryption, authentication), its security level is ranked 2. The third case is when a link is protected by a gateway acting as a firewall and has a strong authentication process: this corresponds to security level 3. The figure below (Fig 1) illustrates how an arbitrary vehicle network topology was transformed into an undirected weighted graph and what weights were assigned to each edge. In practice, this means that the security level of the link between two ECUs is 1, as no extra protection can be found, such as an interleaved gateway, because they communicate with each other on the same bus. (An authentication process can actually be present between controllers, this is just an example for illustration). If an intruder wants to reach the convenience ECU (node no. 10) through the central gateway (Main GW, node no. 0), this attack results in a cost of 4, as the cost of the edges is added upon the shortest route.
Thus, the examined networks were represented by graphs, and considering the protection level of the edges as resistance-like parameters, we estimated the overall protection level of each communication network. According to our concept, if a network is built-up from relatively less protected components, then the sum of the shortest path between the network nodes will be lower. Following this, in our study, the shortest path was identified from one vehicle component to the other in a vehicle communication network using the generalized Dijkstra's algorithm by assuming the protection level of components [3]. Then a comprehensive database was constructed to characterize vehicle security-related parameters. The Dijkstra's algorithm checks the shortest path from the starting node to the destination point. The generalized Dijkstra's algorithm assumes the initial node has zero weight, and it compares the next minimum weight functions (summing the edges' costs of the given route towards the destination node) from the origin point. At every node, it seeks the minimum weight to the next node, and then later, it forms the shortest path according to the lowest weight. We described the applied model by the following pseudo-code. The command i ← nodes in N with min distance[i], finds the node i in the node set N that has the least distance [i] value. Length(i, j) represents the length of the newly added link among the points i and j. The parameter former describes the length of the route between the starting point and the point j (in the case of entering i). If the current shortest route is shorter than the newly defined route assigned to j, then the actual route is replaced with this diff path. The former array includes the pointer to the "following-target" point of the investigated network to identify the shortest path to the starting point. There is no protection between the connected nodes 2 In the evaluated link, the examined nodes are on a separate subnetwork 3 The link is protected with additional security measures (e.g., authentication, IDS)

Fig. 1 Simplified in-vehicle network topology (left) transformed into a weighted undirected graph (right)
We created a MATLAB code to construct the network topologies: the edges of a network were defined by their starting points s and their terminating points t. The estimated security level of the edges is described by w. The graph of the topology is built up by the graph command, and the shortest path command defines the shortest routes between the nodes of the graph. Finally, the total security parameter of the topology is stored in A. The symbolic representation of A can be given as follows: Where, -A is the security parameter characterizing the protection level of the network; -SR i,j is the shortest route between i and j nodes; n is the number of nodes in the graph.
The code below describes the algorithm responsible for generating the A parameter. Figure 2 represents the generated simplified topology diagram of an Audi A6 as an example. The diagram is a simplified topology that provides an overall view of the communication architecture of the vehicle and the control unit protocol that performs the key functions. As the figure below shows, all communication buses are connected to the central gateway, which already presupposes a higher level of security. Most of the safety-critical control units are connected to the FlexRay bus. Some of these ECUs also have other bus connections, e.g. the Power Steering Control Module is also connected to the Powertrain CAN. The gateway can be accessed via an OBD-II connection on the diagnostic CAN. The multimedia-related ECUs are connected to the MOST bus in a ring topology. The heating, ventilation, and air conditioning (HVAC) module, illumination control module, and other sensors are connected to the LIN subnetworks. The control units with comfort functions (e.g. seat control) are connected to the Convenience CAN, which usually operates at 100 kbps, in contrast to the Powertrain CAN, which supports data transfer at a speed of 500 kbps.

Comparative Methods
We briefly present a security analysis and evaluation procedure developed during a previous research process using an alternative method to compare previous results with the current results. In the first step of the method, the relevant characteristics of the IVN topologies (the number of safety-critical ECUs protected, etc.) were determined [5]. Homogeneous vehicle groups were identified by cluster analysis of the relevant characteristics. Subsequently, the security level of each vehicle was determined using a regression estimation procedure. Ordinal logistic regression was performed in order to estimate the protection cluster of the investigated vehicle. The applied method uses a cumulative probability model. The sum of the cluster probabilities is 1. C represents the number of categories, while c represents each specific category. The likelihood of classifying an object into the c-th category is c . In accordance with this, in the case of the cumulative log link function, ( c ) the log odd ratio provides the relationship between likelihood of being contained by cluster c ( c ) and its complementary likelihood ( 1 − c ). The log odd ratio is expressed below: (2) c =

Main Findings of the Evaluation
The result of the performed vulnerability analysis is presented below. Towards the bottom of the table, the security of the network increases and accordingly, the estimated vulnerability of the topologies decreases. Based on the presented investigation, we can conclude that the 2014 Chrysler has the lowest security level, it seems to be the most vulnerable model out of the examined fifteen vehicles. On the other hand, the 2018 Toyota Avensis has the highest protection score, accordingly, it appears to be the least vulnerable one. Compared to other research studies [5,17,18] that have in some way ranked vulnerability levels of vehicles on the basis of in-vehicle network topology/architecture, it can be seen that similar results were obtained. A well-known remote exploitation experiment [18] has proven how vulnerable the Jeep Cherokee is, and our analytical calculation gave the same result. Higher-ranking cars, like BMW, Audi, tend to be in the middle and upper field, but the brand is no guarantee that the vehicle will be protected from a cybersecurity standpoint. As considered by the applied methodology, the vehicle components with lower security value are more vulnerable. On the other hand, a vehicle with a higher security score has more protection among the elements of the communication network (see Table 2).
Based on the defined Spearman rank correlation coefficient ( r s = -0.8712), the association between the results of the two compared methods is statistically significant on an = 0.05 significance level (p = 0.00002).

Effectiveness of the Proposed Method Related to the Relevant Attack Scenarios
The essential objective of protecting the in-vehicle network is to ensure the reliability of the communication process, especially considering integrity, availability, confidentiality. Assuming a malicious intervention, a breach of integrity can be accomplished by sending compromised messages (e.g., replay attack, injection attack). On the other hand, the availability of the communication network can be reduced by overloading the system with an excessive amount of messages (e.g., Denialof-Service type attack). Confidentiality can be mainly harmed by applying passive attacks such as eavesdropping when a malicious attacker gathers sensitive data from the network.

Conclusion
In our study, the vulnerability of different in-vehicle networks was investigated based on Dijkstra's shortest path algorithm. In the first step, from the database of the investigated communication networks, the topologies were generated. Then the communication links between the different components were ranked (1, 2, 3) based on the security level of the given link. Following this, the analyzed networks were represented by undirected weighted graphs, and considering the protection level of the edges as resistance-like parameters, the overall protection level of each communication network was estimated. According to this concept, if a network is built-up from relatively less protected components, then the sum of the shortest path between the network nodes will be lower. Results shown that the 2018 Toyota Avensis had the highest vulnerability score from analyzed vehicles. One of the limitations of our method is that it works when the E/E architecture of the investigated car consists of domain controllers and has a central gateway. If the IVN has redundant computing platforms and automotive Ethernet as a backbone communication protocol, then this graph-based algorithm has to be reconsidered and upgraded. After adapting the requirements of different state-of-the-art communication protocols, the proposed methodological approach can be widely used in the automotive security evaluation domain. An important advantage of the proposed method that it is in accordance with the most relevant security evaluation models (TARA, C-SIL, EVITA, Heaven [12,13,15,23,25]). On the other hand, the newly introduced approach considers the Secureby-design concept principles (e.g., network segmentation, making compromise and disruption difficult).