Attacks on safety-critical systems such as autonomous vehicles can have serious consequences, such as financial damage or even danger to life and limb. Through successful attacks on assets (e.g., software applications, control units, cryptographic keys, or messages), an attacker can cause damage directly or indirectly (by extending the attack from one asset to another). Classical safety measures such as Fault Detection, Isolation, and Recovery (FDIR) only protect against errors and not against targeted attacks. For example, an attacker could manipulate a component that is responsible for the isolation of a faulty component and for switching to a redundant instance. FDIR must therefore be extended to include suitable security measures. In particular, in addition to errors, it must be possible to detect and respond to attacks. To achieve resilience, mechanisms for isolation and recovery must be protected against manipulation as well. Furthermore, once an attack has been detected, a suitable response has to be selected at run-time of the system; this decision needs to be based on a risk computation and needs to take the specifics of the safety-critical system into consideration. In this proposal, we propose a project to advance attack detection, run-time risk assessment, isolation, and recovery to increase the resilience of safety-critical systems. The main focus lies on the last three aspects, as there are already several approaches for Intrusion Detection Systems (IDS) in safety-critical systems, while risk assessment, isolation and recovery have received much less attention. As application domain, we consider an autonomous vehicle, as it is a distributed and complex safety-critical system, consisting of several networked components, such as control units, sensors and actuators, with software applications running on them. For risk assessment, we investigate new methods to assess risk based on the dependencies between assets. Approaches for isolation and recovery known from the safety context are supplemented by security measures. We investigate how the zero trust paradigm can be applied to safety-critical systems. For this, we investigate, among other things, novel authentication mechanisms, access and usage control systems, and secure service-oriented architectures. Our developed solutions will be prototypically implemented and evaluated.

DFG Programme Priority Programmes

Subproject of SPP 2378:  Resilience in Connected Worlds – Mastering Failures, Overload, Attacks, and the Unexpected