Periodic Reporting for period 1 - DIAS (Smart Adaptive Remote Diagnostic Antitampering Systems)
Reporting period: 2019-09-01 to 2021-02-28
- Smart Adaptive Remote Diagnostic Anti-Tampering Systems (DIAS) aims to tackle tampering attempts at automotive environmental protection systems (EPS) in terms of prevention and detection. Tamperers (for more often financial or vehicle performance-related reasons) exploit or/and develops tampering with hardware (devices) and software to (partly) deactivate or bypass an EPS. Some of the most common tampering attempts are the deactivation of the SCR (Selective Catalytic Reduction) dosing system, the removal of the DPF (Diesel Particulate Filter), the deactivation of EGR (Exhaust Gas Recirculation) system and the removal of the TWC (Three-Way Catalyst).
- Even though air quality in Europe has improved over recent decades, the current levels of air pollutants can seriously affect human health and the environment. As an example, NOx contributes to the formation of ground-level ozone, to acid deposition and eutrophication of soil and water and, in particular, NO2 is associated with adverse effects on human health. Pollutant emissions of road vehicles have been reduced significantly thanks to the development and application of effective emissions control systems. Nevertheless, tampering with these systems leads to significantly elevated tailpipe emissions. Already in many European countries, tampered vehicles seem to cover a significant percentage of the vehicle’s fleet. For example, in early 2017, it was discovered that the SCR systems of up to 20% of eastern European heavy-duty vehicles on German roads are suspect of being manipulated. Tampering also exists for other important devices, such as tachographs or alcolocks. At the same time, automotive-type de-pollution technologies are applied in other sectors, such as rail, inland navigation, generators, earth-moving machinery, etc. In turn, any anti-tampering solution would also be relevant for these applications.
- The overall objective of DIAS is to support the transition to more effective protection and detection systems based on on-board diagnostics and monitoring (OBD/OBM) that will ensure a strong reduction of the tampering activities. The project aims at defining methods and providing a solid basis for future standards in the security and diagnostic systems to ensure that hardware, software and communication manipulation will be detected and that the detection will be successful regardless of the manipulation attempt has been foreseen or not during the initial design of the system.
The overall target is broken down into four main objectives as follows:
I. “Market” analysis and assessment of the operation of representative tampering systems and their effect on the performance of emission control systems
II. Identification and implementation of detection methods and countermeasures
III. Testing and demonstration of the success of measures
IV. Setup of guidelines and recommendations for future legislation for the introduction of future safe monitoring systems
- Even though air quality in Europe has improved over recent decades, the current levels of air pollutants can seriously affect human health and the environment. As an example, NOx contributes to the formation of ground-level ozone, to acid deposition and eutrophication of soil and water and, in particular, NO2 is associated with adverse effects on human health. Pollutant emissions of road vehicles have been reduced significantly thanks to the development and application of effective emissions control systems. Nevertheless, tampering with these systems leads to significantly elevated tailpipe emissions. Already in many European countries, tampered vehicles seem to cover a significant percentage of the vehicle’s fleet. For example, in early 2017, it was discovered that the SCR systems of up to 20% of eastern European heavy-duty vehicles on German roads are suspect of being manipulated. Tampering also exists for other important devices, such as tachographs or alcolocks. At the same time, automotive-type de-pollution technologies are applied in other sectors, such as rail, inland navigation, generators, earth-moving machinery, etc. In turn, any anti-tampering solution would also be relevant for these applications.
- The overall objective of DIAS is to support the transition to more effective protection and detection systems based on on-board diagnostics and monitoring (OBD/OBM) that will ensure a strong reduction of the tampering activities. The project aims at defining methods and providing a solid basis for future standards in the security and diagnostic systems to ensure that hardware, software and communication manipulation will be detected and that the detection will be successful regardless of the manipulation attempt has been foreseen or not during the initial design of the system.
The overall target is broken down into four main objectives as follows:
I. “Market” analysis and assessment of the operation of representative tampering systems and their effect on the performance of emission control systems
II. Identification and implementation of detection methods and countermeasures
III. Testing and demonstration of the success of measures
IV. Setup of guidelines and recommendations for future legislation for the introduction of future safe monitoring systems
The effort of the DIAS project in this first period has been focused on 3 pillars:
• Pillar a. includes market and system analysis to identify the way existing tampering systems operate and set anti-tampering requirements. An inventory of device providers was compiled through market research. Cheating devices were categorized in terms of the principle of operation and weaknesses of existing systems that tampering devices exploit. The tampering devices were tested in the laboratory and selected tampering equipment was installed on vehicles to demonstrate the effect of manipulation under real-world conditions and generate sufficient data signals for the analysis of the device operation. Finally, the vulnerabilities based on the most critical tampering cases that were tested were identified and anti-tampering requirements for various end-users (vehicle manufacturers, workshops, legislator, etc.) were proposed.
• Pillar b. includes security analysis at the three levels of data flow, i.e. hardware, software and communications, the challenges in these fields and the available technologies to cope with these challenges. A generic vehicle architecture was defined for reference which includes most of the important sensors, control units and communication protocols typically found in a modern vehicle. This was evaluated from the security point of view to understand the tampering possibilities and develop security requirements for protection against them and security threat analysis and risk assessment were performed. Through this process, the identified threats were rated and assigned a security level to prioritize them. The output of the task was high-level security requirements.
• Pillar c. includes on-board diagnostics. Tampering attempts (mainly through hardware modification) are prevented or detected in case that an intrusion cannot be effectively prevented by system security solutions only. As a first countermeasure, enhanced and new software algorithms were investigated. Weaknesses of respective tampering mechanism were considered for plausibilisation of certain signals to detect tampering. The investigations comprised the usage of existing On Board Diagnosis functions with advanced calibration as well as dedicated tampering detection functions, both integrated into the Engine Control Unit, thus called level 1 countermeasure (on-going activity).
• Pillar a. includes market and system analysis to identify the way existing tampering systems operate and set anti-tampering requirements. An inventory of device providers was compiled through market research. Cheating devices were categorized in terms of the principle of operation and weaknesses of existing systems that tampering devices exploit. The tampering devices were tested in the laboratory and selected tampering equipment was installed on vehicles to demonstrate the effect of manipulation under real-world conditions and generate sufficient data signals for the analysis of the device operation. Finally, the vulnerabilities based on the most critical tampering cases that were tested were identified and anti-tampering requirements for various end-users (vehicle manufacturers, workshops, legislator, etc.) were proposed.
• Pillar b. includes security analysis at the three levels of data flow, i.e. hardware, software and communications, the challenges in these fields and the available technologies to cope with these challenges. A generic vehicle architecture was defined for reference which includes most of the important sensors, control units and communication protocols typically found in a modern vehicle. This was evaluated from the security point of view to understand the tampering possibilities and develop security requirements for protection against them and security threat analysis and risk assessment were performed. Through this process, the identified threats were rated and assigned a security level to prioritize them. The output of the task was high-level security requirements.
• Pillar c. includes on-board diagnostics. Tampering attempts (mainly through hardware modification) are prevented or detected in case that an intrusion cannot be effectively prevented by system security solutions only. As a first countermeasure, enhanced and new software algorithms were investigated. Weaknesses of respective tampering mechanism were considered for plausibilisation of certain signals to detect tampering. The investigations comprised the usage of existing On Board Diagnosis functions with advanced calibration as well as dedicated tampering detection functions, both integrated into the Engine Control Unit, thus called level 1 countermeasure (on-going activity).
Although DIAS level 1 measures are not expected to suppress all tampering methods, they have the advantage of making more robust conventional systems providing a framework for less demanding requirements that can be implemented in intermediate regulatory steps. To allow complete resolution of any possible known or unknown (current or future) tampering methods that already exist or may appear in the market, level 2 will develop advanced anomaly detection systems mainly by utilizing the full potential of connecting to the cloud. Future tampering attempts will be prevented or detected by an advanced anomaly detection system. Future-proofing of the measures will be also achieved by approaching this challenge with the most modern technologies available (secure hardware, verifiable software, Internet-of-Things (IoT), and anomaly detection) that offer the needed flexibility and dynamics to always keep one step ahead of the tampering threats. All developed concepts and architectures including prototype ECU, CCU and a cloud-based system will be integrated into a demonstrator vehicle. The capability of diagnostic systems to detect tampering methods will be assessed by means of independent testing as well as within open competitions organized within the project (Hackathons). For these events, ethical hackers will be invited to hack the system to find vulnerabilities that can be exploited to manipulate the emissions control system of the vehicle.
The knowledge gained in the testing of tampering devices and the development of anti-tampering measures will be leveraged to recommend regulatory provisions that prevent misinterpretation and regulation beating. The proposals will be reviewed by several stakeholders including the advisory board, the associated industry as well as drivers’ and consumers’ associations.
The knowledge gained in the testing of tampering devices and the development of anti-tampering measures will be leveraged to recommend regulatory provisions that prevent misinterpretation and regulation beating. The proposals will be reviewed by several stakeholders including the advisory board, the associated industry as well as drivers’ and consumers’ associations.