Safe and Secure Automotive Over-the-Air Updates

  • Thomas Chowdhury
  • Eric Lesiuta
  • Kerianne Rikley
  • Chung-Wei Lin
  • Eunsuk Kang
  • BaekGyu Kim
  • Shinichi Shiraishi
  • Mark Lawford
  • Alan Wassyng
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11093)


Over-the-air updates have been used for years in the software industry, allowing bug fixes and enhancements to desktop, laptop, and mobile operating systems and applications. Automotive vehicles now depend on software to the extent that manufacturers are turning to over-the-air updates for critical vehicle functionality. History shows that our software systems are most vulnerable to lapses in safety and dependability when they undergo change, and performing an update over a communication channel adds a significant security concern. This paper presents our ideas on assuring the integrated safety and security of over-the-air updates through assurance case templates that comply with both ISO 26262 (functional safety) and SAE J3061 (cyber-security). Wisely, the authors of SAE J3061 structured the guidebook so that it meshes well with ISO 26262, and we have been able to use the principles we developed for deriving an assurance case template from ISO 26262 to help include compliance with SAE J3061 in the template. The paper also demonstrates how a specialization of the template helps guide us to pre-emptively mitigate potential vulnerabilities in over-the-air update implementations.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Thomas Chowdhury (1)
  • Eric Lesiuta (1)
  • Kerianne Rikley (1)
  • Chung-Wei Lin (2)
  • Eunsuk Kang (2)
  • BaekGyu Kim (2)
  • Shinichi Shiraishi (3)
  • Mark Lawford (1)
  • Alan Wassyng (1)

  1. McMaster Centre for Software Certification, Department of Computing and Software, McMaster University, Hamilton, Canada
  2. Systems and Software Division, Toyota InfoTechnology Center U.S.A. Inc., Mountain View, USA
  3. Software Systems Group, System Architecture Research Division, Toyota InfoTechnology Center Co., Ltd., Tokyo, Japan