ID 139968771 © Suwin Puengsamrong | Dreamstime.com

Going Beyond Ethernet: Securing Automotive Networks with MACsec

Aug. 16, 2024
As vehicles become more advanced, the need for increased security becomes a critical issue that MACsec looks to mitigate.

What you’ll learn:

  • Insight into automotive networks.
  • Connected vehicle vulnerabilities.
  • How MACsec can mitigate potential threats.

 

Most industries have already begun evolving into edge computing and integrating new technologies to join the Industrial 4.0 Revolution (4IR). The automotive industry is no exception. With consumer demand for connected vehicles, new and improved autonomous features, and higher performance, the sector is experiencing unprecedented growth and quickly evolving into one of the most dynamic arenas.

But not without a hiccup.

While these features continue pushing the envelope of innovation within the industry, they’re also simultaneously opening a gateway for an array of new security threats—from unauthorized access and eavesdropping to denial-of-service attacks and man-in-the-middle (MITM) attacks. Arguably, one of the most dangerous security risks within automotive today is the latter. In these types of attacks, hackers intercept the communication between a car and its back-end platforms, breaking the security between two chips meant to be communicating secretly.

Once this communication security is broken, attackers can eavesdrop and extract important information, alter and corrupt data, modify network traffic, or install malicious software that’s able to wreak havoc in a car’s system. In certain car models, this can even go as far as unlocking the vehicle by intercepting smartphone or key-fob signals.

Securing Zonal Architectures in Connected Cars with MACsec

Most modern cars rely on a zonal architecture approach where electronic control units (ECUs) are placed in physical zones within the vehicle, such as the front, back, sides or central core. As gateways move closer to sensors, this zonal approach enables greater connectivity, scalability and functionality. 

The Ethernet standard has quickly become the de facto solution to securing these zonal gateways and in-vehicle networks thanks to its ability to define a new physical layer of hardware that transmits data over the network. However, it also raises additional security considerations, as these networks require in-depth visibility into, and detection of, unwanted behavior.


While a critical piece of the security, reliability, and compliance puzzle of today’s connected cars, standalone in-vehicle Ethernet solutions still fall short of truly mitigating the growing sophistication of cybersecurity risks, such as unauthorized access (via exposed buses), MITM, and replacement of parts from an untrusted source. This is where Media Access Control security (MACsec) comes into play.

MACsec is a layer 2 security protocol (IEEE standard 802.1AE) that provides point-to-point security on Ethernet links and secures data communications between devices. The addition of a MACsec security protocol in automotive Ethernet mitigates these types of security threats by adding various guardrails to in-vehicle networks.

Such guardrails include data confidentiality protection and, most importantly, data integrity protection, which guarantees a trusted source (sensor, ECU, etc.) and unmodified transmission of data. On top of that, MACsec offers statistics monitoring that enables quick differentiation between network security issues and malfunctions.
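The receive-side checks behind these guardrails can be modeled in a few lines. This is an added example, not code from the article or from any MACsec product; it goes slightly beyond the text by including the packet-number replay check. Assumptions: `protect`, `RxChannel`, and `demo` are hypothetical names, HMAC-SHA256 truncated to 16 bytes stands in for the GCM-AES integrity check value that IEEE 802.1AE specifies, the counter names follow the 802.1AE receive statistics, and all keys and addresses are constructed.

```python
import hashlib, hmac, struct

SECTAG = struct.Struct("!HBBI8s")   # EtherType 0x88E5, TCI/AN, SL, PN, SCI
ICV_LEN = 16                        # integrity check value length in bytes

def icv(sak, data):  # stand-in for the GCM-AES ICV (stdlib only)
    return hmac.new(sak, data, hashlib.sha256).digest()[:ICV_LEN]

def protect(sak, macs, sci, pn, payload):
    """Sender: dst+src MACs | SecTAG | payload | ICV (integrity only)."""
    sl = len(payload) if len(payload) < 48 else 0        # short-length field
    body = macs + SECTAG.pack(0x88E5, 0x20, sl, pn, sci) + payload
    return body + icv(sak, body)

class RxChannel:
    """Receiver for one secure channel: strict validation, replay window 0."""
    def __init__(self, sak, sci):
        self.sak, self.sci, self.next_pn, self.stats = sak, sci, 1, {}

    def receive(self, frame):
        verdict, data = self._check(frame)
        self.stats[verdict] = self.stats.get(verdict, 0) + 1
        return data

    def _check(self, frame):
        if frame[12:14] != b"\x88\xe5":
            return "InPktsNoTag", None        # unprotected frame on the link
        if len(frame) < 12 + SECTAG.size + ICV_LEN or frame[14] & 0x80:
            return "InPktsBadTag", None       # truncated or version bit set
        _, _, _, pn, sci = SECTAG.unpack_from(frame, 12)
        if sci != self.sci:
            return "InPktsNoSCI", None        # no channel for this sender
        if pn < self.next_pn:
            return "InPktsLate", None         # replayed or stale packet number
        if not hmac.compare_digest(icv(self.sak, frame[:-ICV_LEN]), frame[-ICV_LEN:]):
            return "InPktsNotValid", None     # modified in transit or wrong key
        self.next_pn = pn + 1
        return "InPktsOK", frame[12 + SECTAG.size:-ICV_LEN]

def demo():
    # Constructed sample values: key, MAC addresses and SCI are made up.
    sak, sci = bytes(range(16)), bytes.fromhex("02000000000a0001")
    macs = bytes.fromhex("02000000000b02000000000a")     # dst + src
    good = protect(sak, macs, sci, 1, b"brake_pressure=42")
    tampered = protect(sak, macs, sci, 2, b"brake_pressure=42").replace(b"=42", b"=99")
    rogue = protect(bytes(16), macs, sci, 2, b"spoofed")  # sender lacks the SAK
    plain = macs + b"\x08\x00unprotected"
    rx = RxChannel(sak, sci)
    return [rx.receive(f) for f in (good, good, tampered, rogue, plain)], rx.stats
```

Only the first frame is delivered; the replayed, modified, wrong-key, and untagged frames each land in a distinct counter, which is what lets an operator tell a security event apart from a link fault that would show up as physical-layer errors instead.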

Deepening Security with a MACsec-Enabled SoC

Automotive manufacturers looking to shore up the security in their vehicles aim to integrate security into the hardware itself. This is typically done by building a MACsec-enabled system-on-chip (SoC) or PHYs that can securely communicate with other systems using Ethernet ports. Successfully implementing MACsec in a system hinges on three key aspects.

The first is a control plane (CP) such as the MACsec Key Agreement (MKA), which implements a MACsec secure connection management protocol. This CP offers an API to upper-level components so that they can receive secure connection parameters. It also offers an API to control the data plane for initializing, installing, and managing secure connections with a sequence of session keys. 

The second is a data plane (DP) that not only implements the classification, the MACsec policy, and the MACsec cryptographic transformation functions, but also provides the required packet input/output and control interfaces to integrate into the Ethernet hardware and control software. The DP can be implemented in several ways: software-only, software with hardware acceleration, or entirely hardware-based, which offers lower latency and line-rate throughput. Since latency is critical in automotive networks, a hardware-based DP is unavoidable.

And third, integration into the network stack is needed to bind all components into a full working system (see figure). For hardware components, this includes integrating MACsec with the Ethernet MAC, the system data path, and the MKA packet. For software components, it involves integrating the CP with the MACsec DP drivers, Ethernet drivers, and upper-level management software.

MACsec IP in Perspective

With growing threats to advanced digital ADAS systems, it’s clear that a more robust approach to securing the next generation of in-vehicle networks is imperative.

A comprehensive MACsec IP solution can provide an added layer of authentication, confidentiality, and integrity for data in an easy-to-implement, plug-and-play block for Ethernet stacks. Providing a hardware-based data plane, it delivers a solution with minimal latency impact and full line-rate performance without compromise. 

From a design perspective, this type of solution also allows designers to significantly reduce development time, effort, and risk when working on a MACsec-capable system. As cars become increasingly connected and cybersecurity threats continue to evolve, deploying an automotive-grade MACsec solution will soon become critical to securing tomorrow’s cars.

About the Author

Gijs Willemse | Senior Director of Product Management, Security IP, Rambus

Gijs Willemse is senior director of product management for Rambus Security. Gijs has been working in the Security IP business for over 18 years. In various roles, he has always engaged directly with many of the Tier-1 SoC manufacturers, securing their assets and protecting their products from vulnerabilities in the field. His roots are in the high-speed networking IPs deployed in modern data centers and 5G networks. With Rambus security IPs, products ranging from small-footprint consumer devices to high-end/high-speed servers are secured through their complete lifecycle.

Gijs has a Master’s degree in electrical engineering (Information Technology) from the Technical University in Eindhoven and holds several patents.
