Cyber-Resilience of Connected and Autonomous Vehicles

PhD project information

Summary

The thesis addresses ways of demonstrating the cyber-resilience of connected and autonomous vehicles (CAV). The work will allow practitioners to compare the cyber-resilience of different CAV architectures and of the CAV ecosystem.

The thesis will develop a quantitative, model-based approach to safety and security co-engineering specific to the CAV ecosystem of services supporting CAV awareness, in which cyber-resilience is seen as a way of guaranteeing CAV safety (for the passengers and the environment) in the presence of evolving cyber-attacks.

The work will result in a set of probabilistic models suitable for cyber-resilience assessment of individual CAVs and of the entire CAV ecosystem, and in experiments with these models under different cyber-threat scenarios provided by our collaborators CPC and other players in the area of CAVs, e.g. Intel Labs and the Automotive Electronic Systems Innovation Network (AESIN) in the UK, with whom we have been collaborating recently on (C)AV safety and cyber-resilience.


Facts

  • Industrial partner: Connected Places Catapult
  • Academic/research partner: City, University of London
  • Number of available PhD positions: 1
  • Duration: 4 years
  • Innovation Focus Area(s): Digital Cities
  • DTC location: Trento
  • This PhD will be funded by EIT Digital and Connected Places Catapult

PhD thesis motivation and innovation valorisation

Challenge

The importance of cyber-security of CAV is recognised [1][2]. Methods of “designing in” cyber-resilience cost-effectively, however, are currently unknown. Using “best practices” for cyber-security is inadequate, as it relies either on a “human-in-the-loop”, e.g. to adjudicate the alarms from intrusion detection systems (IDS), or on generic “intrusion-tolerant” solutions (based on replication and “proactive recovery” of replicas), which are only guaranteed to work correctly under specific assumptions unlikely to hold true in a large heterogeneous CAV ecosystem. Fundamentally, with the current state of the art in cyber-security we cannot answer the question “Is my CAV system cyber-resilient enough?”.

Traditional methods for assessment are not credible, and the “Safety and Security” community is looking for credible alternatives. The tool developed will allow credible models to be built fast, hence saving time and money.

Resilience provided by humans is “not credible”: attacks on CAV are invisible to people, so one must rely on monitoring, and only then can humans take action. In addition, numerous studies have demonstrated two phenomena: (i) people’s performance under stress is worse than under normal circumstances; (ii) people who do nothing for a long period of time get bored and lose concentration. All these aspects can be studied using probabilistic models to gain insight. Thus, the proposed framework encompasses human factors affecting resilience, too.

A calculus of cyber-resilience is needed, which will allow for credible cyber-resilience assessment, a comparison of alternative CAV architectures and an assessment of the benefits of different combinations of cyber-security controls, and thus will allow rational decision making about how to achieve cyber-resilience cost-effectively. The CAV ecosystem poses a number of unique challenges not seen in other cyber-physical systems. Some are listed below:

  • Machine Learning (ML) is an essential part of sensing the environment in CAV (Level 4 and 5). Making ML cyber-secure is currently problematic due to “adversarial examples”, a threat almost unique to AVs, which are “surprisingly” easy to implement (https://arxiv.org/pdf/1903.05157.pdf) and hence pose a non-negligible risk to CAV. Comprehensive solutions to this type of attack, however, are currently not known.
  • Even for the lower level CAV (Level 3 and 4), the adequacy of “traditional” cyber-resilience is questionable, as it relies on “a human-in-the-loop” to deal with the high rate of false positives from IDS. A “human/operator-in-the-loop” is clearly not appealing, as the aspiration with CAV is eventually to remove the human from driving the car.
  • The CAV infrastructure is a complex system of heterogeneous cyber-physical systems, in which trust among CAVs will be difficult to achieve. A number of non-functional requirements essential for CAVs, such as safety and hard real-time requirements, may easily be violated by “emergent properties” of the CAV ecosystem arising from its sheer scale. These emergent properties, however, are either ignored or, if recognised as an important problem, dealing with them and their implications for CAV safety is often excluded from system analysis until, some say, the technology of the individual CAVs has matured [3].

The proposed PhD project sets out an ambitious and timely task: to address the challenges listed above and to develop a cyber-resilience assessment framework. The supervisors have a rare insight via their involvement in a number of projects on safety and security of embedded systems (see http://sesamo-project.eu/ and https://aquas-project.eu/ for recent examples) and the recently completed project TIGARS (https://www.york.ac.uk/assuring-autonomy/projects/tigars/). Dr Popov is a member of the Working Group “Code of Practice: Safety and Security” set up by the UK National Cyber Security Centre, working on guidelines for UK industry.

The CPC operates at the intersection between the public and private sectors and between local government and transport authorities, and focuses on growing businesses with innovations in mobility services and the built environment that enable new levels of physical, digital and social connectedness.

Connected Places Catapult (CPC) as industrial partner is interested in supporting a PhD related to the following topic area:

Security for CAVs and the related street infrastructure that supports them, and for other transport-related hardware such as drones (‘Cyber CAV’): the cybersecurity of vehicles in the urban environment, and what the unique and distinctive challenges at work are, through a focus on design principles and human factors.

As part of the industry development, CPC would like to look at the skills and capabilities piece for local authorities and public services. The development of skills training as part of the doctoral work would therefore be of great interest to CPC, as well.


[1] UK Government Guidance “The key principles of vehicle cyber security for connected and automated vehicles”, https://www.gov.uk/government/publications/principles-of-cyber-security-for-connected-and-automated-vehicles/the-key-principles-of-vehicle-cyber-security-for-connected-and-automated-vehicles

[2] Publicly Available Specification (PAS) 1885:2018 “The Fundamental Principles of Automotive Cyber Security Specification”, https://www.enigmatos.com/2019/01/23/bsi-pas-overview/

[3] This statement is based on a private conversation within the Intel Labs “Collaborative Research Institute – Safe Automated Vehicles (ICRI-SAVe)”.

Innovation

The outcome of this PhD work will be a methodology for cyber-resilience assessment which addresses the specifics of CAV. A set of probabilistic models will illustrate how cyber-resilience assessment will work on realistically complex CAV architectures for a range of CAV-specific vulnerabilities whose exploitation may affect the safe operation of the CAV ecosystem:

  • Vulnerabilities in the software and communication stack deployed on individual CAVs. Machine learning (ML) software solutions (e.g. convolutional neural networks) used for object recognition will be of particular interest, especially ways of dealing with adversarial examples;
  • Implications of security vulnerabilities in the communication between CAVs and the CAV-supporting urban infrastructure. For example, compromises in the supporting infrastructure may lead to sub-optimal or even dangerous decisions taken by the individual CAVs. We will study the feasibility of deploying security controls such as “cleansing” in the context of CAVs;
  • Implications of security vulnerabilities in the communication between several CAVs.

The main innovation in the proposed work is the probabilistic approach to cyber-resilience assessment, which will take into account different sources of uncertainty, e.g. in the accuracy/“representativeness” of the data used in ML, in the safety rules used in a CAV, and also in the correctness of the assumptions (which in the context of CAV may be violated) on which “security-by-design” is built. Applying probabilistic models to quantitative cyber-risk assessment thus gives this proposal a unique advantage over the alternatives, e.g. approaches driven by whatever data happens to be available, or deterministic rule-based solutions (e.g. the approach to safety promoted by Mobileye in their “Responsibility-Sensitive Safety (RSS)” [1]).

Probabilistic models are already used for safety assurance; they are not new. What is new is their application domain: their use for the cyber-resilience assessment of CAVs. Such methodologies have been tried in the past on related matters; the focus here is the AV and the specifics of the C(AV) domain. The safety of CAV relies on probabilistic models (the Intel Labs project is an example), and extending the safety model to account for cyber-threats is a “natural extension”. How to build models for cyber-resilience assessment is detailed in the articles referenced at the end of the proposal.

Probabilistic models can operate at different levels of abstraction and can thus be adjusted to specific needs; the result of the PhD will therefore be compatible with the emerging, competing and still open software, hardware and protocols.

The supervisors have worked in the area of probabilistic modelling of different systems, ranging from embedded devices to large critical infrastructures, and this expertise will be used to guide the PhD work on the CAV ecosystem. As indicated above, the work will progress from building models of a single CAV to modelling parts of the entire CAV ecosystem with attack scenarios provided by respected partners (CPC and others).


[1] https://www.mobileye.com/responsibility-sensitive-safety

Expected academic outcomes

The academic outcome will be sought in:

  • Making significant contributions in demonstrating that assessing CAV cyber-resilience is feasible even against unknown attacks.
  • Publications in technical journals and prestigious conferences such as Dependable Systems and Networks.
  • Executable probabilistic models, which allow practitioners to assess the cyber-resilience of a typical or bespoke CAV architecture under different assumptions about the adverse environment in which CAVs operate (e.g. low, moderate or significant attack intensity from attackers with different cyber skills). The models will allow a practitioner to change the CAV architecture by adding security controls and to assess their effectiveness under different cyber-attack scenarios.
  • A PhD thesis.

Concrete innovations expected as the outcome of the proposal

  • A new methodology applying probabilistic models to assessing the resilience of individual CAVs, but also of the entire system-of-systems in which multiple CAVs and the CAV-supporting infrastructure communicate.
  • Software tools for practitioners to assess cyber-resilience:
    • Preliminary Interdependency Analysis tool support, to build quickly models of cyber-physical systems suitable for cyber-resilience assessment of the CAV ecosystem and of individual CAVs [1].
    • Model transformation from SysML to Stochastic Activity Networks (SAN), which allows dependability/security models to be derived automatically from a given architecture of a cyber-physical system and a set of cyber-attacks [2].
  • Connected Places Catapult and City, University of London plan to explore the creation and launch of a new company to offer a resilience analysis service for CAV manufacturers, government departments, local authorities, etc. We expect that by the end of the 2nd year of the PhD the technical work will have progressed far enough to allow meaningful business development to exploit commercially the research outcome of the PhD work. We will consider various licensing options for the tools, too. This effort will be led by CPC.

[1] An open-source version of the tool can be accessed at: https://github.com/AlexAtNet/nordic32

[2] A description of an early prototype of such a model-transformation tool, based on third-party software products, can be found at: www.staff.city.ac.uk/~ptp/IS3_FinalReport/SysML2SAN/SysML2SAN.zip

Expected impact of the PhD outcomes with respect to their business line

The concrete business result will be a framework and prototype software for CAV resilience assessment. As indicated above, details of how to take the results to market will be assessed at a later stage, but we envisage a number of options:

  • Paid licences for commercial organisations;
  • Free academic licences for research purposes. We are aware of many examples of co-existence of the two licensing models: many commercial vendors offer universities time-limited (typically a year) academic licences, and City University has benefited from such arrangements for a number of years;
  • We are aware that some universities operate a similar mixed licensing model, too. For instance, the University of Illinois at Urbana-Champaign has been doing so with the popular tool Mobius, which will be adopted in the proposed PhD work. The supervisors have been working with the team supporting Mobius and will be able to learn from the US colleagues when tool licensing becomes practical.

Commercial exploitation will be sought through exploring the creation of a spin-out company, which will commercialise the software developed in the PhD and will provide consultancy. The unique selling point of such companies is the highly specialised know-how behind the method implemented by the software, which makes it very difficult or impossible for the “general public” to use the highly specialised tool without consultancy.

CPC will benefit from this PhD as the research outcome will extend the portfolio of demonstration services that CPC can offer to its target audience: a new service of CAV resilience assessment will be added to CPC’s portfolio.

Resilience assessment is one of the central concepts of the Working Group “Code of Practice: Safety and Security” set up by the UK National Cyber Security Centre, working on guidelines for UK industry. The result of the PhD will contribute to the definition of new regulations and new standards. (The Intel Labs collaboration predicts that all CAVs will have to be demonstrated to be resilient.)

The outcome of the PhD will be exploitable independently of the PhD student: CPC has a wealth of expertise in innovation, and the supervisors will use their existing commercial contacts to assist in promoting the ideas (Intel Labs and Mobileye are seen by many as among the leaders in the AV market; in the UK, building links with ASIM via Peter Davies, Thales).

It is pertinent to note that CPC (under its former title, Transport Systems Catapult) spun out a company, Immense Simulations, in 2016. The company successfully creates software which co-ordinates autonomous fleets and continues to be active in the R&D space. Their experience is available to inform the new PhD where relevant. The potential impact of this company in a mentoring role, if there were a fit, cannot be over-emphasised. Their involvement in the newly funded SERVCity project and their track record in technical innovation can be leveraged via CPC to the benefit of the student, exposing them to current thinking, B2B opportunities and, under commercial-in-confidence agreements, insights into customer concerns around security of value to the technical roadmap (https://immense.ai).

PhD thesis time-line and milestones

Year 1
  • Mobilisation of resources; review of the state of the art in CAV cyber-security.
  • Developing the approach using the Mobius SAN and ADVISE formalisms.
  • Starting the development of SAN models of cyber threats on CAV.
  • At least one position paper on the approach at a good technical conference.

Year 2
  • Experimenting with model-based assessment of CAV architectures, urban CAV infrastructure and communication between vehicles. 2-3 papers in technical journals/technical conferences.
  • CPC will work with a variety of partners in the OLEV/CCAV domains to accelerate the business modelling for the innovation, linking with major new CAV investments such as the SERVCity project (https://trl.co.uk/news/news/servcity-project-gets-green-light).
  • CPC will support and organise a technology briefing event with City University.

Year 3
  • Further advances with the model-based approach to cyber-resilience assessment of CAV and relevant infrastructure. 2-3 papers in journals/technical conferences.
  • Comparison of different cyber-threat defences of CAV.

Year 4
  • Tool development and write-up. Appearance in at least two public events (workshop, conference) and a paper in a prestigious technical journal. We expect that commercial exploitation will start in year 3 and will accelerate in year 4.

A detailed Gantt chart is available here.

International mobility plan

Intel Labs in Karlsruhe, Germany: existing partnership via a research institute in Safe Autonomous Vehicles.

University of Illinois, Urbana-Champaign, USA.

Will the PhD Student do the Business Development Experience at Industrial Partner premises? 

No. The student is not expected to work directly on business development, but they will support the development through their research at City as well as at the premises of the company and of EIT Digital.

References

Netkachov, O., Popov, P. T. and Salako, K. (2019). Quantitative Evaluation of the Efficacy of Defence-in-Depth in Critical Infrastructures. In: Resilience of Cyber-Physical Systems (pp. 89-121). Berlin, Germany: Springer International Publishing. ISBN 978-3-319-95597-1.

Popov, P. T. (2017). Models of Reliability of Fault-Tolerant Software Under Cyber-Attacks. doi: 10.1109/ISSRE.2017.23. ISSN 2332-6549.

Popov, P. T. (2015). Stochastic Modeling of Safety and Security of the e-Motor, an ASIL-D Device. Paper presented at the 34th International Conference on Computer Safety, Reliability, and Security (SAFECOMP 2015), 23-25 September 2015, Delft University of Technology, Netherlands.

Bloomfield, R. E., Popov, P. T., Salako, K., Stankovic, V. and Wright, D. (2017). Preliminary Interdependency Analysis: An Approach to Support Critical Infrastructure Risk Assessment. Reliability Engineering and System Safety, 167, pp. 198-217. doi: 10.1016/j.ress.2017.05.030

Netkachov, O., Popov, P. T. and Salako, K. (2014). Model-based Evaluation of the Resilience of Critical Infrastructures under Cyber Attacks. Lecture Notes in Computer Science, 8985, pp. 231-243. doi: 10.1007/978-3-319-31664-2_24

Apply

Applications, consisting of a CV, a motivation letter, and documents showing your academic track records, should be submitted to EIT Digital Doctoral School Office at dsl.office@eitdigital.eu.

© 2010-2020 EIT Digital IVZW. All rights reserved.