Systems Engineering and Security Challenges

Size: px

Start display at page:

Download "Systems Engineering and Security Challenges"

Juliet Hicks
5 years ago
Views:

1 Systems Engineering and Security Challenges Frank Kirschke-Biller Manager Global Core Software Process Ford Proprietary

2 Agenda 1 Introduction 2 Current system engineering solutions 3 Future system engineering needs and enhancements 4 Summary and outlook Ford Proprietary - 10/10/2017 2

The car is evolving from the ultimate industrial product into the ultimate technology product.

code Within a more complex and diversified mobility industry landscape, incumbent players will be forced to

3 Introduction THE MOBILITY EXPERIENCE.. Opening The Highways to all Mankind EE Hardware: Magneto & eventually electric Lights Software: Huh? The car is evolving from the ultimate industrial product into the ultimate technology product. Mark Fields former CEO Ford Motor Company EE Hardware: 70+ ECUs, Miles of Cabling Software: More than 100M Lines of code Within a more complex and diversified mobility industry landscape, incumbent players will be forced to simultaneously compete on multiple fronts and cooperate with competitors Automotive revolution perspective towards 2030 (McKinsey Study) EE Hardware: To Enable Software Software: Mobility Ecosystem Enabled Through Software Ford Proprietary - 10/10/2017 3

Features evolved from component functionality to

Systems Complex, Networked Systems Simple Lights

Adaptive Front Lighting (2005) ECU ECU 2000 2010+

4 Features evolved from component functionality to complex systems EXAMPLE: FRONT LIGHTING Single ECUs Systems Complex, Networked Systems Simple Lights (1995) Light Switch Relay Lamp ECU ECU ECU ECU ECU Adaptive Front Lighting (2005) ECU ECU Glare Free High Beam System (2015) Ford Proprietary - 10/10/2017 4

5 Functional growth is going to continue and will even accelerate software as key innovation driver TRADITIONAL INFOTAINMENT ADVANCED IVI (AUDIO/NAV/PHONE) CONNECTED VEHICLE SMART FEATURE & CUSTOMER SMART EXPERIENCE MOBILITY Feature growth mainly driven by IVI and driver assistance Distributed feature support move to smart features. ACTIVE SAFETY DRIVER ASSISTANCE Enabling: better customer experience, e.g. aligned and coordinated feature behaviour DNA support (e.g. SYNC) more efficient solutions e.g. shared usage of ECUs (e.g. Camera System) modular design for scalable and re-usable systems features as pure software solution (e.g. MyKey) Ford Proprietary - 10/10/2017 5

6 Agenda 1 Introduction 2 Current system engineering solutions 3 Future system engineering needs and enhancements 4 Summary and outlook Ford Proprietary - 10/10/2017 6

System Engineering initiatives to address challenges

Establish Feature Ownership as true Systems

from ECU oriented development to Systems Engineering

structure Specification templates Quality Assurance

chain Model Based System Engineering to manage

SysML) PLM and ALM solution to manage data and offer

7 System Engineering initiatives to address challenges System engineering initiatives 1 Feature Ownership Establish Feature Ownership as true Systems Engineering Role with defined deliverables Migration from ECU oriented development to Systems Engineering 2 Requirements Engineering Aligned Document structure Specification templates Quality Assurance 3 Model Based System Engineering and Integrated tool chain Model Based System Engineering to manage complexity (e.g. SysML) PLM and ALM solution to manage data and offer workflows Growing focus on complete system incl. Software and Mechatronics Ford Proprietary - 10/10/2017 7

Feature/Function Focused Systems Engineering Implement consistent Feature &

requirement driven design Contrasts with bottom up, functionality driven by

one (lead) person per Feature or Function Core Roles and Application Roles required

8 Feature/Function Focused Systems Engineering Implement consistent Feature & Function Engineering Using Systems Engineering principles This is top down, requirement driven design Contrasts with bottom up, functionality driven by components constraints Introduce dedicated Feature/Function Owner role in PD Assign one (lead) person per Feature or Function Core Roles and Application Roles required Feature Ownership = Responsibility across ECUs as well as organizations Ford Proprietary - 10/10/2017 8

9 Why is Requirements Engineering (RE) Important? Three major product development (PD) project risks related to RE: Missing requirements Wrong requirements Changing requirements Any of the risks above lead to major problems of projects, e.g. increased costs, unplanned effort, bad quality, delays and deviation from committed milestones RE is to minimize and control these risks (Incl. Software Security!) Goal of RE: have good enough (not perfect) requirements to execute the project with acceptable risk However, there is no single best standard RE process or method that fits all organizations. The RE-Process has to be adopted to fit Ford s specific needs. Common abstraction levels (move from ECU/component level to Feature/Function level) Common templates (specification content, RE meta data, use cases, scenarios ) Common RE tool and RE review process Ford Proprietary - 10/10/2017 9

Solution: Requirements engineering for software enabled, feature design Requirements Product Architecture Customer Wants / Needs The Product seen as Blackbox Attribute Requirements Feature Level

10 Solution: Requirements engineering for software enabled, feature design Requirements Product Architecture Customer Wants / Needs The Product seen as Blackbox Attribute Requirements Feature Level Requirements System Design Incoming Requirements / Constraints from different Stakeholders for different levels Traceability Function Level Requirements Subsystem Design Component Level Requirements Implementation Requirements Engineering and Product Architecture interact and go hand in hand. Ford Proprietary - 10/10/

Solution: Common abstraction levels supported by Requirements engineering (RE) templates RE initiative defines template(s) for each abstraction level to High master Level Business complexity

Specification (AFS) Feature Document (per feature) Stakeholder Template Function Level Requirements Fnc1 Fnc 3 Fnc2 Fnc4 Function Specification (per function) Component Level Requirements F1 F4 ECU1

11 Solution: Common abstraction levels supported by Requirements engineering (RE) templates RE initiative defines template(s) for each abstraction level to High master Level Business complexity Requirements Enables consistent RE processes and methods across domains Product Requirements Document (optional) Feature Level Requirements Features Feat 1 Feat 2 Feat 3 Aggregated Feature Specification (AFS) Feature Document (per feature) Stakeholder Template Function Level Requirements Fnc1 Fnc 3 Fnc2 Fnc4 Function Specification (per function) Component Level Requirements F1 F4 ECU1 F3 ECU2 F2 F5 ECU 3 Feature Implementation Spec (per E/E platform) EE-Platform specific Concepts Interface Spec Interface Spec Ext. Interface Spec ECU Functional Spec (per component) SW Requirements HW Requirements ECU Engineering Specification (per ECU) Requirements need interface to architecture specification on each level RE Approach to Functions & Services 11

12 Drivers for change: connected vehicle & smart mobility require different system engineering approach TRADITIONAL INFOTAINMENT ADVANCED IVI (AUDIO/NAV/PHONE) CONNECTED VEHICLE SMART MOBILITY ACTIVE SAFETY DRIVER ASSISTANCE AUTONOMOUS VEHICLE Ford Proprietary - 10/10/

Drivers for change: Examples for connected service features E-Call Mandatory in-vehicle system that

accident or a manual ecall event is triggered by the user.

the vehicle s location on a map in the One Ford Owner App on the user s smartphone using GPS

WI-FI Hot Spot Wi-Fi Hotspot in the vehicle for passenge

ipad, computer, or cell phone ) and stream internet data through the cellular connection provided by

13 Drivers for change: Examples for connected service features E-Call Mandatory in-vehicle system that calls emergency services if an automatic ecall event is triggered by detection of a serious road accident or a manual ecall event is triggered by the user.? Vehicle Status Displays the vehicle s status (at keyoff) on a users smartphone via the embedded modem for e. g. Fuel Level, Oil Life, Tire Pressure, 12V Battery, Odometer, Alarm Activated Vehicle Locator Display the vehicle s location on a map in the One Ford Owner App on the user s smartphone using GPS location sent via embedded modem. WI-FI Hot Spot Wi-Fi Hotspot in the vehicle for passengers to connect Wi-Fi capable devices (e.g. ipad, computer, or cell phone ) and stream internet data through the cellular connection provided by the vehicle s embedded modem Door Lock/ Unlock Ability to Remotely Lock / Remotely Unlock their vehicle from virtually anywhere in the world, using the One Ford Owner App on their smartphone and an embedded modem Online Traffic Navigation systems to include re-routing or or regularly updated indication of the delay caused by traffic jams etc based on up-to-date traffic information Ford Proprietary - 10/10/

14 Key implications from a Systems Engineering perspective 1 Complexity of advanced distributed features will further increase with growth/shift from on-board to off-board Powertrain EESE CSSO Engine Control Body Control Module Telematics Control Unit Smart DLC Cloud Back-end Scheduled Remote Start Connected Door Lock/Unlock Current skill set of development engineer / Feature Owner maybe not sufficient IT competence for E2E solution and Security required Competency and organizational challenges growing interfaces Performance depends on external factors (off-board performance), not only on vehicle design Organizational interfaces become more complex Feature Specification includes vehicle and cloud functional requirements Feature Owner must coordinate both vehicle and off board development efforts Ford Proprietary - 10/10/

Key Implications - Architecture 2 Vehicle Architecture (HW and SW) is changing significantly External interfaces e.g. embedded modem Increase of communication bandwidth, e.g. using Ethernet New Design pattern (e.

15 Key Implications - Architecture 2 Vehicle Architecture (HW and SW) is changing significantly External interfaces e.g. embedded modem Increase of communication bandwidth, e.g. using Ethernet New Design pattern (e.g. Service based communication) Extended infrastructure for over the air SW download Move from Microcontroller to Microprocessors Different functional deployment (Domain/Zone oriented) more flexible SW deployment Alternative operating systems (Unix, AUTOSAR Adaptive etc.) Ford Proprietary - 10/10/

Key Implication - Cybersecurity 3 Vehicle Architecture (e.g.

Security Process utilizing best practice and (future) standards SAE J3061

Hackers are interested in: Money through manipulation of: Mileage counter/

Plagiarism Scientific Reputation by proving the: Threat potential Weakness of

16 Key Implication - Cybersecurity 3 Vehicle Architecture (e.g. Firewall, Encrypted communication) plays major role. Security Process utilizing best practice and (future) standards SAE J3061 ISO-SAE AWI Road Vehicles Cybersecurity Engineering AUTOSAR AUTO ISAC Hackers are interested in: Money through manipulation of: Mileage counter/ Truck tachograph Airbag controller Headunit Engine/transmission controllers Plagiarism Scientific Reputation by proving the: Threat potential Weakness of todays security Extortion by threatening: OEMs Countries to immobilize traffic to destruct image Ford Proprietary - 10/10/

17 Agenda 1 Introduction 2 Current system engineering solutions 3 Future system engineering needs and enhancements 4 Summary and outlook Ford Proprietary - 10/10/

18 Impact to Methodologies Combined Methodologies & Standards will be required for Effective & Timely development Integrated Methodologies Will require updates to Validation methods & procedures Relationship of Cyber Security, Functional Safety, SW Quality & overall SW process to be considered Ford Proprietary - 10/10/

19 Cybersecurity and Systems Engineering DEVELOP A CYBERSECURITY CULTURE SET-UP A DEDICATED CYBERSECURITY TEAM AND PROCESS DEVELOP TRAINING AND AWARENESS PROGRAMS VEHICLE CYBERSECURITY LIFECYCLE DEFINE INFORMATION SECURITY MANAGEMENT SYSTEM PROVIDE SECURITY BY DESIGN / ARCHITECTURE IMPLEMENT SECURITY FUNCTIONS, E.G. SECURITY LOGS COMMUNICATION PROTECTION CONTROL KEYS AND ACCESS USER DATA PROTECTION IDENTIFICATION, AUTHENTICATION, AUTHORIZATION SELF-PROTECTION VEHICLE CYBERSECURITY LIFECYCLE SECURING THE SUPPLY CHAIN, INCL. SW QA IMPLEMENT APPROPRIATE TESTING FOR SECURITY FUNCTIONS SELF AUDITING AND TESTING DEFINE A SECURITY UPDATE POLICY ASSES THE SECURITY CONTROLS AND PATCH VULNERABILITIES INCIDENT RESPONSE AND RECOVERY IMPROVE INFORMATION SHARING AMONGST INDUSTRY ACTORS COLLABORATION IN INDUSTRY IMPROVE INFORMATION SHARING AMONGST INDUSTRY ACTORS JOINT WORK AND STANDARDS AND BEST PRACTICES Ford Proprietary - 10/10/

20 Impact to Organisation Liaison & Integration Roles become more Critical and Must be Formalized Ford Proprietary - 10/10/

21 Agenda 1 Introduction 2 Current system engineering solutions 3 Future system engineering needs and enhancements 4 Summary and outlook Ford Proprietary - 10/10/

22 Summary Customer functionality and technical complexity will continue to increase Connectivity features with off-board functionality are game changing from different aspects Roles and Responsibilities and organizational setup needs to reflect those challenges System Engineering methods and tools (e.g. Requirements Engineering) needs to be enhanced to cope with connected features and services Cybersecurity needs dedicated design and processes (aligned with Functional Safety and general SW processes) Ford Proprietary - 10/10/