JP2019071572A - Control apparatus and control method - Google Patents

Abstract

To achieve selection of more appropriate countermeasure against a security problem even when the security problem occurs.SOLUTION: The control apparatus includes: an authentication processing section for executing authentication to a security authentication bureau according to a predetermined condition; control unit which is provided independently of a unit for controlling a component connected with an on-vehicle network through a predetermined interface and controls an access to the component through the interface according to the result of the authentication.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a control device and control method.

  In recent years, a large number of devices called electronic control units (ECUs) are disposed in a system mounted on a vehicle, and these ECUs control various operations of the vehicle. In addition, these ECUs are connected to a network in a vehicle called an in-vehicle network. A large number of standards exist in in-vehicle networks, and a representative one is a standard called CAN (Controller Area Network). With such a configuration, for example, the ECU may also receive an instruction from another control unit (such as another ECU) via the vehicle-mounted network, and control the operation of various components in the vehicle based on the instruction. It becomes possible. Such components may also include arrangements for the operation of the vehicle, such as, for example, brakes, motors and the like.

  Also, in recent years, with the development of wireless communication technologies such as LTE, Bluetooth (registered trademark) and Wi-Fi (registered trademark), devices in the vehicle can be used as vehicles such as WAN (World Area Network) and the Internet. Various techniques have also been proposed to enable connection to external networks. As a specific example, devices in the vehicle can communicate with devices outside the vehicle by accessing an external network via a communication unit such as Data Communication Module (DCM) or Telematics Communication Unit (TCU). It becomes. In particular, in recent years, in order to realize so-called automatic driving and the like, a technology for controlling the operation of various configurations related to the operation of the vehicle has also attracted attention by accessing the device in the vehicle from the outside.

JP, 2017-73765, A International Publication No. 2014/199687

  On the other hand, by enabling communication between the device in the vehicle and the device outside the vehicle, the device in the vehicle is dangerous due to a malicious attack from the outside of the vehicle through the interface for the communication. There is a risk of exposure to In particular, when the code of the CPU or microcontroller is illegally rewritten due to an attack by a malicious attacker, there is a possibility that a component related to the operation of the vehicle may be illegally operated via the ECU. Situations may also be envisioned. From such a background, there is a demand for the realization of a technology for securing security in an in-vehicle system. For example, Patent Literatures 1 and 2 disclose an example of a technique for securing the security of the device in the on-vehicle system.

  On the other hand, even if some CPUs and microcontrollers are exposed to malicious attacks by attackers, the functions of other parts (for example, parts related to the operation of a vehicle) are not directly violated by the attack at that time. Not necessarily. That is, under such circumstances, it is not always realistic to invalidate the function including the portion that is not directly infringed upon the detection of a malicious attack. In particular, when operation of a vehicle is assumed, for example, even if a security problem occurs and some functions are lost, such functions are invalidated to enable operation of the vehicle, etc. A mechanism that makes it possible to take measures as much as possible is desired.

  Therefore, in the present disclosure, even when a security problem occurs, a technique is proposed that enables selection of a more suitable countermeasure against the problem.

  In order to solve the above problems, according to a predetermined condition, an authentication processing unit (111) that performs authentication with a security certificate authority, and a unit that controls a component connected to an in-vehicle network through a predetermined interface. And a control unit (113) for controlling access to the component via the interface according to the result of the authentication.

  Further, in order to solve the above problems, a computer provided independently of a unit that controls a component connected to the in-vehicle network via a predetermined interface is operated with the security certificate authority according to the predetermined condition. A control method is provided, comprising performing authentication between and controlling access to the component via the interface according to a result of the authentication.

  As described above, according to the present invention, it is possible to provide a technique that enables selection of a more suitable countermeasure against the problem even when a problem in security occurs.

It is a figure showing an example of composition of a control network which mutually connects a plurality of control devices carried in vehicles. It is a block diagram shown about an example of functional composition of a security surveillance part concerning one embodiment of this indication. It is an explanatory view for explaining an application example of a security surveillance part concerning the embodiment. It is an explanatory view for explaining an outline of a gateway. It is an explanatory view for explaining other examples of application of a security surveillance part concerning the embodiment. It is an explanatory view for explaining other examples of application of a security surveillance part concerning the embodiment. It is the flow chart which showed an example of the flow of a series of processings of the in-vehicle system concerning the embodiment. It is the flow chart which showed an example of the flow of a series of processings of the in-vehicle system concerning the embodiment. It is the flow chart which showed an example of the flow of a series of processings of the in-vehicle system concerning the embodiment. It is the flowchart which showed another example of the flow of a series of processes of the vehicle-mounted system which concerns on the embodiment. It is the flowchart which showed another example of the flow of a series of processes of the vehicle-mounted system which concerns on the embodiment. It is the flowchart which showed another example of the flow of a series of processes of the vehicle-mounted system which concerns on the embodiment.

  The present invention will now be described more fully with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. In the present specification and the drawings, components having substantially the same functional configuration will be assigned the same reference numerals and redundant description will be omitted.

<< 1. Basic configuration example of in-vehicle network >>
First, with reference to FIG. 1, an example of a basic configuration of an in-vehicle network will be described. For example, FIG. 1 illustrates an example of the configuration of a control network 10 in which a plurality of control units (ECUs: Electronic Control Units) mounted on a vehicle are connected to each other.

  The illustrated control network 10 includes a body-based CAN network 20 and a chassis / powertrain-based CAN network 30. The body-based CAN network 20 and the chassis / power train-based CAN network 30 are communicably connected to each other via the gateway ECU 50 h.

  The body CAN network 20 and the chassis / power train CAN network 30 are respectively connected to a plurality of control devices 50a to 50h communicably connected via a CAN (Controller Area Network) communication line (hereinafter, particularly when distinction is required) Except for the control device 50).

  The body system CAN network 20 includes an air bag ECU 50a, a body control ECU 50b, an instrument panel control ECU 50c, and a meter ECU 50d, which are communicably connected to each other via a CAN communication line.

  The airbag ECU 50a mainly detects a collision of the vehicle and controls the airbag apparatus. A passenger seat occupant detection ECU 50i is connected to the air bag ECU 50a via a LIN (Local Internet Network).

  The body control ECU 50b mainly controls the air conditioner, the power window, the wiper device, the door lock and the power seat. The instrument panel control ECU 50c mainly controls display and lighting of an instrument panel in a vehicle compartment. The meter ECU 50d mainly detects and records the vehicle speed of the vehicle and transmits the recorded vehicle speed to other parts of the vehicle.

  The chassis / power train system CAN network 30 includes an automatic transmission ECU 50e, a vehicle stability control ECU 50f and an engine ECU 50g which are communicably connected to each other via a CAN communication line.

  The automatic transmission ECU 50e mainly controls the automatic transmission. The vehicle stability control ECU 50 f mainly controls the automatic transmission, the brake system, and the engine in an integrated manner to prevent the vehicle from slipping or the like. The engine ECU 50g mainly controls the engine.

  The example of the basic configuration of the in-vehicle network has been described above with reference to FIG.

<< 2. Security Considerations >>
After the outline of the security of the in-vehicle system is described, technical issues of the in-vehicle system according to the present embodiment will be organized.

  In recent years, with the development of wireless communication technology, devices in a vehicle directly or indirectly access a network such as the Internet or WAN via DCM or TCU to communicate information with devices outside the vehicle. It has become possible to transmit and receive. Provision of various services, such as automatic operation etc., is also examined by applying such a mechanism, for example.

  On the other hand, in the security industry, a problem that a malicious attacker can perform dangerous attacks on in-vehicle systems by exploiting the communication interface as described above is attracting attention. That is, by enabling communication between the device inside the vehicle and the device outside the vehicle, the device inside the vehicle is at risk due to malicious attacks from outside the vehicle via the communication interface for the communication. Risk can occur.

  As a specific example, a malicious attacker attempts to change the code of the CPU or microcontroller in the vehicle using the communication interface to execute its malicious code. Then, when the malicious attacker's code is executed, the attacker can substantially execute an action that can be executed by the ECU. Thus, for example, an attacker can acquire information based on detection results of various sensors provided in the vehicle, information such as GPS data, and the like. Also, the attacker can, for example, intentionally operate various actuators. This enables an attacker, for example, to intentionally control the operation of a component such as a brake or a motor in a desired situation to cause an accident. In the worst case, the attacker may cause each of the many vehicles to simultaneously perform dangerous actions (for example, sudden braking) by, for example, violating the ECUs of many vehicles via the Internet. It becomes possible.

  From such a background, securing security of devices in the vehicle (especially, ECU) becomes an important issue. Therefore, many techniques for securing the security of the ECU have been proposed. As an example of such a technique, HSM (Hardware Security Modules), IDS (Intrusion Detection Systems), etc. are mentioned.

  The current technology mainly focuses on preventing malicious attacks on a protection target (e.g., ECU), and for example, a malicious attacker can not execute the code of the attacker on a CPU or microcontroller such as an ECU. There is a tendency to make it a main task to confirm that. Because of this tendency, research on the above technology mainly focuses on speeding up detection of security breaches such as malicious attacks.

  On the other hand, when a security problem is identified, the priority is often set low in terms of what action can be taken. Therefore, the manufacturer may take measures such as disabling the ECU when a problem is detected.

  As a specific example, when a problem occurs in a program such as an ECU, for example, a terminal device is connected to CANBAS via an on-board diagnostics (ODB) port or the like, and the ECU By operating the diagnostic function, measures such as reprogramming of the program are performed. On the other hand, when a security problem occurs, the self-diagnosis function is not executed, which makes it difficult to reprogram the problematic program (so-called "bricking"). Be in a state of being Under such circumstances, the manufacturer may have to replace hardware in the event of a security anomaly, and the cost of handling tends to further increase. In particular, in the case of providing services such as automatic driving, it is further assumed that devices in the vehicle such as an ECU acquire information from the infrastructure via the network, and the above-mentioned influence is more likely to occur. It is expected that it will be more likely to be manifested.

  Therefore, although it is possible to improve security by adopting the conventional technology, when a security problem actually occurs, the repair function or the minimum function of the device such as the ECU is lost. It is also difficult to repair the abnormality. Therefore, under such circumstances, the reliability of the device may be reduced.

  On the other hand, even under the situation where security problems occur and the function for repairing etc. is lost, the function related to the operation of the vehicle is not necessarily lost. For example, it may be assumed that the CPU itself of the ECU functions normally, and an abnormality is generated due to an incorrect instruction from the outside of the ECU. Even in such a case, it is difficult to say that the countermeasure of invalidating the ECU and replacing the ECU together with the hardware is a realistic countermeasure.

  In particular, when operation of a vehicle is assumed, for example, even if a security problem occurs and some functions are lost, such functions are invalidated to enable operation of the vehicle, etc. A mechanism that makes it possible to take measures as much as possible is desired.

  In view of such a situation, in the present disclosure, even when a security problem occurs, by protecting the device to be protected from the problem, it is possible to select a more suitable countermeasure against the problem. We propose the technology.

<< 3. Technical features >>
Subsequently, technical features of the in-vehicle system according to an embodiment of the present disclosure will be described.

<3.1. Security Watchdog (Security Watchdog)>
In the in-vehicle system according to the present embodiment, the introduction of the security monitoring unit (Security Watchdog) to various devices such as the ECU, the GW, and the TCU can be a protection target even when a security problem occurs. Protect components from the problem. Therefore, an example of a functional configuration of the security monitoring unit will be described first with reference to FIG. FIG. 2 is a block diagram showing an example of a functional configuration of a security monitoring unit according to an embodiment of the present disclosure.

  As shown in FIG. 2, the security monitoring unit 100 includes a cryptographic engine (Cryptographic engine) 101, a code generation unit (True Random Number Generator) 103, a communication interface (Communication Interface) 105, a timer 107, and a general-purpose input / output. And general purpose input output (GPIO) 109. The security monitoring unit 100 may include a plurality of general purpose input / output units 109. In this case, the timer 107 may be provided for each general purpose input / output unit 109.

  The communication interface 105 is a communication interface for each component in the security monitoring unit 100 to communicate with an external device of the security monitoring unit 100. The configuration of the communication interface 105 may be appropriately changed according to the network to which the communication interface 105 is connected. As a specific example, the communication interface 105 may be configured as a communication interface compliant with a standard such as Universal Asynchronous Receiver-Transmitter (UART), Stateful Packet Inspection (SPI), CAN, or Ethernet (registered trademark).

  The general-purpose input / output unit 109 sends a predetermined signal to a device connected via a transmission line such as a cable based on a predetermined trigger. As a specific example, the general-purpose input / output unit 109 selectively selects an enable signal and a disable signal with respect to an enable pin provided in the communication interface of the ECU. It may be switched and sent out. Such control makes it possible to selectively switch between enabling and disabling communication via the communication interface.

  The general-purpose input / output unit 109 may transmit the above-mentioned signal, for example, according to the time measurement result by the timer 107. Further, as another example, the general-purpose input / output unit 109 may send the above signal by using a predetermined event as a trigger. In the following description, it is assumed that the general-purpose input / output unit 109 sends out the above-mentioned signal according to the time measurement result by the timer 107.

  The timer 107 has a clocking function, and when the set period has elapsed, notifies the general-purpose input / output unit 109 that the period has elapsed. Further, the timer 107 may reset clocking of a set period in accordance with a predetermined instruction. The setting of the period may be changed in accordance with an external instruction.

  The encryption engine 101 includes an authentication processing unit 111 and a control unit 113. By accessing a predetermined security certificate authority (SA: Security Authority) via the communication interface 105, the authentication processing unit 111 executes processing related to authentication with the security certificate authority. The authentication method is not particularly limited as long as the authentication processing unit 111 can perform authentication with the security certificate authority.

  For example, a challenge and response method may be adopted as the method of the authentication. In this case, the authentication processing unit 111 may use, for example, the code generated by the code generation unit 103 described later for authentication with the security certificate authority.

  Specifically, the authentication processing unit 111 has common key information (Key store) 190 with the security certificate authority. The authentication processing unit 111 encrypts the code (challenge) generated by the code generation unit 103 with the key information 190, and transmits the encrypted code to the security certificate authority. In addition, the authentication processing unit 111 receives, as a response, the encrypted code from the security certificate authority, decrypts the encrypted code using the key information 190, and compares the decryption result with the code (challenge) based on By doing this, it is confirmed whether the authentication has been correctly performed (ie, whether the response to the challenge is correct).

  In the following, it is assumed that the authentication processing unit 111 performs authentication with the security certificate authority based on the complete range and response method using the code generated by the code generation unit 103.

  The control unit 113 controls transmission of a signal from the general-purpose input / output unit 109 in accordance with the result of authentication with the security certificate authority.

  As a specific example, the control unit 113 may reset the timer 107 when the authentication with the security certificate authority succeeds. Further, at this time, the control unit 113 may update the clocking period by the timer 107. Such control updates (for example, extends) the duration of the process related to time counting by the timer 107. Also, while the processing related to timing by the timer 107 is sustained, for example, the general-purpose input / output unit 109 sends an enable level signal (that is, an enable signal) to an enable pin provided in the communication interface of the ECU. You may In this case, for example, access to a predetermined component via the communication interface is validated.

  In addition, when authentication with the security certificate authority fails, the control unit 113 may not execute the process related to the reset of the timer 107 or the process related to the updating of the time interval by the timer 107. In this case, when the predetermined period has elapsed and the processing related to time counting by the timer 107 is completed, for example, the general-purpose input / output unit 109 sets the disable level to the enable pin provided in the communication interface of the ECU. A signal (ie, a disable signal) may be sent. Thereby, for example, access to a predetermined component via the communication interface is invalidated.

  The code generation unit 103 generates a code for the encryption engine 101 (authentication processing unit 111) to perform authentication with the security certificate authority. As a specific example, the code generation unit 103 may include a random number generator, and may output the random number generated by the random number generator to the encryption engine 101 as the code.

  The position at which the above-described security certificate authority is provided is not particularly limited. As a specific example, a function corresponding to the security certificate authority may be provided for the local HSM or IDS. That is, the HSM or the IDS may play the role of the security certificate authority. Further, even in the vehicle, another device (for example, a device connected via an in-vehicle network) different from the device provided with the security monitoring unit 100 is provided with a function equivalent to the security certificate authority. It is also good. Also, a remote key management server (KMS) may play the role of the security certificate authority.

  Heretofore, an example of the functional configuration of the security monitoring unit has been described with reference to FIG. A specific example of the various controls by the security monitoring unit will be described later in detail together with an application example of the security monitoring unit.

<3.2. Application example to automotive ECU>
Subsequently, as an application example of the security monitoring unit according to the present embodiment, an example in which the security monitoring unit is applied to an automotive ECU related to control of the operation of a vehicle will be described. For example, FIG. 3 is an explanatory diagram for explaining an application example of the security monitoring unit according to the present embodiment, and shows an example of a functional configuration of the automotive ECU when the security monitoring unit is applied to the automotive ECU. It is a block diagram.

  As shown in FIG. 3, the ECU 310 includes a main control unit 311, a detection unit 313, an actuator driver 315, a communication interface 317, and a security monitoring unit 100. The security monitoring unit 100 corresponds to the security monitoring unit 100 described with reference to FIG.

  The detection unit 313 corresponds to a configuration for collecting information from the outside. For example, the detection unit 313 may be configured by various sensors such as an acceleration sensor or a pressure sensor. The detection unit 313 may also play a role as an interface such as a button or the like for inputting information from the outside to the ECU 310.

  The actuator driver 315 controls, for example, driving of actuators (for example, the actuator 331 illustrated in FIG. 3) in various components related to the operation of the vehicle. As the said component, a brake, a light, a motor etc. are mentioned, for example.

  The communication interface 317 is a communication interface for each component in the ECU 310 to communicate with an external device of the ECU 310.

  As a specific example, the communication interface 317 may be configured as an interface for accessing the in-vehicle network 340 such as CAN. Thus, each component (for example, the main control unit 311 described later) in the ECU 310 can transmit and receive information to and from another ECU via the communication interface 317. As another example, the communication interface 317 may be configured as an interface for accessing a network outside the vehicle such as the Internet 350. Thus, each configuration in the ECU 310 can also transmit and receive information to and from an external device of the vehicle via the network. The communication interface 317 may be configured as an interface for accessing the wireless communication network 360. Thus, each configuration in the ECU 310 can also transmit and receive information to and from other devices via the wireless network.

  As described above, by providing the communication interface 317, each component in the ECU 310 can acquire other information different from the information acquired by the detection unit 313 from the outside of the ECU 310. In addition, each component in the ECU 310 can transmit (for example, broadcast) various types of information (for example, information acquired by the detection unit 313 or the like) to devices outside the ECU 310.

  The main control unit 311 controls various operations in the ECU 310. The main control unit 311 executes, for example, logic implemented and implemented by one or more CPUs (or microcontrollers).

  As a specific example, when the rapid deceleration by the detection unit 313 is detected, the main control unit 311 operates the air bag by operating the actuator driver 315 responsible for controlling the actuator 331 of the air bag. May be Further, as another example, when an obstacle is detected by an ADAS (Advanced Driver Assistance System) or the like, the main control unit 311 operates the actuator driver 315 responsible for controlling the brake actuator 331 to thereby operate the brake. It is also possible to operate the

  Security monitoring unit 100 shares key information with security certificate authority 200. In the following description, for convenience, the key information held by the security monitoring unit 100 is referred to as “key information 190”, and the key information held by the security certificate authority 200 is referred to as “key information 195”. As a specific example, when the public key encryption method is adopted, security certificate authority 200 holds a secret key as key information 195, and security monitoring unit 100 publishes the key information 190 in relation to the secret key. It will hold the key. At this time, it is difficult for a configuration (for example, the main control unit 311) different from the security monitoring unit 100 to recognize the key information 190 held by the security monitoring unit 100.

  Further, at least one of the enabling and disabling of each configuration (for example, at least one of the main control unit 311, the detection unit 313, the actuator driver 315, and the communication interface 317) in the ECU 310 is performed by the security monitoring unit 100. It is controlled. That is, the security monitoring unit 100 validates or invalidates each component in the ECU 310 according to the result of the authentication with the security certificate authority 200. At this time, it is desirable that direct validation and invalidation of each component in the ECU 310 by the main control unit 311 be limited. As a result, it becomes difficult for the main control unit 311 to enable or disable other configurations without the intervention of the security monitoring unit 100.

  For example, the security monitoring unit 100 transmits a challenge range to the security certificate authority 200 every predetermined period, and waits for a response from the security certificate authority 200 to the challenge range. When the security certificate authority 200 detects a security problem, the security monitoring unit 100 stops the transmission of the response to the channel. In this case, the security monitoring unit 100 times out and transmits the disable signal to the desired configuration in the ECU 310 to invalidate the configuration.

  As a specific example, the security monitoring unit 100 may restrict access from the outside of the ECU 310 to the inside of the ECU 310 by disabling at least a part of the functions of the communication interface 317 when time out occurs. . In addition, the security monitoring unit 100 may temporarily invalidate the operation related to the detection of various information by invalidating the detection unit 313. Further, the security monitoring unit 100 may prevent the occurrence of a situation in which the operation of the actuator 331 corresponding to the actuator driver 315 is illegally controlled by disabling the actuator driver 315.

  As described above, in the ECU 310 according to the present embodiment, when the security certificate authority 200 detects a problem, the security monitoring unit 100 responds to an authentication result with the security certificate authority 200 to perform some functions (for example, At least a part of the configuration in the ECU 310 is invalidated. Such control protects the ECU 310 without disabling the CPU or the microcontroller, for example, by disabling important components (for example, the brake actuator etc.) even when security problems occur. It becomes possible.

  Thus, by applying the technology according to the present embodiment, for example, the ECU effectively deactivates some modules without temporarily or permanently shutting down the CPU or the microcontroller ( For example, it is possible to transition to the safe mode. Thus, for example, even when a serious security incident occurs, the manufacturer of the ECU can diagnose and repair the ECU instead of replacing the ECU. As a result, compared with physically replacing the ECU, it is possible to further reduce the cost involved in responding to a security incident.

  Further, as described above, the position at which the security certificate authority 200 is provided is not particularly limited, and, for example, the remote server may play the role of the security certificate authority 200. As described above, when the remote server takes on the role of the security certificate authority 200, for example, when there is a possibility that a security incident may occur, protection is performed in advance by disabling the function having risk in advance. It also becomes possible.

  This allows, for example, if an IDS is detecting a worldwide attack on an ADAS system, the manufacturer (eg, a car manufacturer) can also protect passengers by remotely disabling the ADAS. Become.

  In addition, when a security vulnerability is found, the manufacturer can also temporarily stop the function of the ECU until the provision of updated software is performed. In this case, for example, the manufacturer controls the remote server such that the remote server does not respond to the challenge from the security monitoring unit 100 in the corresponding ECU (for example, the remote server is invalidated). ) And good. As a result, the security monitoring unit 100 times out, and the function in the ECU is invalidated by the security monitoring unit 100.

  In addition, by applying the technology according to the present embodiment, it is possible to expect a reduction in the risk of hardware trojans and backdoors.

  Specifically, the manufacturer of the ECU should take complete measures in advance against security risks such as being violated by a hardware trojan in the design and manufacture of CPUs and microcontrollers. It is difficult. Even in such a situation, the security monitoring unit (Security Watchdog) is provided independently of the CPU and the macro controller, thereby securing the reliability of the ECU even when the CPU and the macro controller are not reliable. It becomes possible.

  In the above, as an application example of the security monitoring unit according to the present embodiment, an example in which the security monitoring unit is applied to an automotive ECU related to control of the operation of a vehicle will be described with reference to FIG.

<3.3. Application example to gateway (GW)>
Subsequently, as another application example of the security monitoring unit according to the present embodiment, an example in which the security monitoring unit is applied to an ECU operating as a gateway (GW) connecting between a plurality of networks in a vehicle will be described. Do.

  The gateway connects between different networks (sub-networks) in the vehicle and controls transmission and reception of information between the networks. Also, within the vehicle, networks with different priorities may exist. Specifically, among the plurality of networks, a network requiring higher security than the other networks may be set to have a higher priority than the other networks. As a more specific example, there may be cases where networks with devices not directly involved in the operation of the vehicle, such as air conditioners (Info conditioners), etc., are set with low priority. is there. On the other hand, devices that can be directly involved in the operation of the vehicle (in other words, devices that may become more critical due to abuse) such as powertrains and ECUs related to the chassis are connected. Networks may be set with high priority.

  For example, FIG. 4 is an explanatory diagram for describing an outline of the gateway. In the example shown in FIG. 4, the gateway 410 connects between the different networks N41 and N43, and controls the exchange of information between the networks N41 and N43.

  The network N41 schematically shows a network with higher priority, such as a network to which various devices that may be directly involved in the operation of a vehicle are connected. As a specific example, components such as an ADAS 430, a steering column 440, and a brake 450 are connected to the network N41.

  The network N43 is a network with a relatively low priority (for example, a network with a lower priority than the network N41), such as a network to which various devices not directly involved in the operation of a vehicle are connected. It is shown schematically. As a specific example, to the network N43, components such as an infotainment 460, an air conditioner 470, a diagnostic tool 480, and lights 490 are connected.

  As described above, in the case of connecting between a plurality of networks (between sub-networks) (in particular, in the case of connecting a plurality of networks having different priorities), information exchange between the networks is performed only for limited information. It is desirable that control be performed as it is done. From this background, it is important to ensure the security of the gateway.

  As a specific example, in the example illustrated in FIG. 4, a situation may be assumed in which the infotainment 460 displays information indicating the state of the ADAS 430. In this case, for example, information from ADAS 430 is transmitted to infotainment 460 via gateway 410.

  On the other hand, infotainment 460 is complicated in configuration, has many functions, and tends to have a higher risk of vulnerability than other devices. Assuming such a situation, even if it becomes difficult for the infotainment 460 to operate properly, the gateway 410 may trigger a message (for example, a braking signal, etc.) that may cause a dangerous state due to an erroneous operation. Must be guaranteed not to be sent. Therefore, the gateway 410 needs many security measures.

  Common measures include Secure Boot and Run Time Tuning Detection, which ensure the integrity of the microcontroller's memory at the gateway 410. However, if an error is detected in secure boot or runtime tuning detection, the current situation is to reset the gateway 410 or invalidate the gateway 410 as a possible countermeasure option (that is, the state of blitting). It is limited to the choice of In this case, the gateway 410 may be permanently undiagnosable and unrepairable.

  Thus, in the present disclosure, by providing the security monitoring unit 100 to the gateway 410, an example of a mechanism for solving the above-described problems will be described.

  For example, FIG. 5 is an explanatory diagram for explaining another application example of the security monitoring unit according to the present embodiment, and shows an example of a functional configuration of the gateway when the security monitoring unit is applied to the gateway. It is a block diagram.

  As shown in FIG. 5, the gateway 410 includes a main microcontroller 411 and CAN communication units 416a and 416b. The CAN communication unit 416a is connected to the network N41 shown in FIG. Further, the CAN communication unit 416b is connected to the network N43 shown in FIG. In the following description, it is assumed that the network N41 is required to have higher security than the network N43. That is, it is assumed that the network N41 is set to have a higher priority than the network N43.

  The main microcontroller 411 includes a control unit (CPU) 414, a memory 415, an HSM 413, and a security monitoring unit 100. In the example shown in FIG. 5, the HSM 413 plays a role as a security certificate authority. Therefore, key information is shared between the security monitoring unit 100 and the HSM 413. In the following description, for convenience, the key information held by the security monitoring unit 100 is referred to as “key information 190”, and the key information held by the HSM 413 (that is, the security certificate authority) is referred to as “key information 195”. .

  In the example shown in FIG. 4, the components connected to the network N41 are to be protected. That is, when a security problem is detected, the security monitoring unit 100 invalidates the CAN communication unit 416a to physically restrict access to the component from the outside of the network N41, thereby a malicious attack Protect the component from The specific content of the operation will be described below.

  The control unit 414 mediates the exchange of messages between the CAN communication units 416a and 416b. That is, the control unit 414 transfers the message acquired from one of the CAN communication units 416a and 416b to the other. Thereby, the message transmitted from the device connected to one of the networks N41 and N43 is transferred to the device connected to the other network.

  The control unit 414 also plays a role in limiting messages exchanged between the CAN communication units 416a and 416b (ie, between the networks N41 and N43). For example, among the messages transmitted from one of CAN communication units 416a and 416b, control unit 414 refuses the transfer to the other of the messages that do not satisfy the predetermined condition (that is, the transmission to the other). Shield). With such control, messages exchanged between the networks N41 and N43 are restricted by the gateway 410 (control unit 414).

  The memory 415 temporarily or permanently holds various information. As a specific example, the memory 415 may hold program data (eg, a library or the like) for realizing the function provided by the control unit 414, data of control information, and the like. In addition, the memory 415 may temporarily hold information (for example, at least a part of a message) exchanged between the CAN communication units 416a and 416b.

  The HSM 413 periodically monitors information held in the memory 415, for example, to detect an abnormality (for example, a security abnormality) when the abnormality occurs.

  The HSM 413 also operates as a security certificate authority. That is, when an abnormality is not detected, the HSM 413 generates a response based on the key information 195 for the challenge range transmitted from the security monitoring unit 100, and sends the response to the security monitoring unit 100. . On the other hand, when detecting an abnormality (for example, an abnormality in security), the HSM 413 restricts the response response to the challenge from the security monitoring unit 100. In this case, the timer of the security monitoring unit 100 will time out.

  The security monitoring unit 100 periodically performs authentication with the HSM 413 (that is, the security certificate authority). As a specific example, the security monitoring unit 100 transmits a challenge generated based on the key information 190 to the HSM 413, and performs authentication by decrypting a response returned from the HSM 413 based on the key information 190. In addition, when the authentication is successful, the security monitoring unit 100 resets the timer.

  On the other hand, the security monitoring unit 100 does not reset the timer unless the authentication is successful. That is, in the case where the HSM 413 detects an abnormality and restricts the response reply to the security monitoring unit 100, the counting of the timer proceeds and as a result, the timer times out. When the timer times out, the security monitoring unit 100 sends a signal (that is, a disable signal) for disabling the CAN communication unit 416a to the CAN communication unit 416a.

  As a specific example, in the example illustrated in FIG. 5, the CAN communication unit 416a is provided with an enable pin 417 as an interface for switching between enabling and disabling of the communication function of the CAN communication unit 416a. That is, when the disable signal transmitted from the security monitoring unit 100 is input to the CAN communication unit 416a via the enable pin 417, the CAN communication unit 416a is invalidated.

  With the above configuration, for example, even if a malicious message (signal) is transmitted from the control unit 414 to a component connected to the network N41, the transmission of the message is CAN. The communication unit 416a is physically shielded. Also under such circumstances, the network N43 is still activated, so it is possible, for example, to diagnose the gateway 410 with the diagnostic tool 480 via the network N43 and thus to repair the gateway 410. It becomes.

  Although the HSM 413 and the security monitoring unit 100 are shown as separate components in the example shown in FIG. 5, the HSM 413 and the security monitoring unit 100 may be integrally configured. Further, the part of the HSM 413 that performs authentication with the security monitoring unit 100 may be provided outside the gateway 410.

  As described above, as another application example of the security monitoring unit according to the present embodiment, referring to FIGS. 4 and 5, the security monitoring unit operates as a gateway (GW) connecting a plurality of networks in a vehicle. An example of the case of application to the ECU has been described.

<3.4. Application example to in-vehicle communication unit (TCU)>
Subsequently, as another application example of the security monitoring unit according to the present embodiment, an example in which the security monitoring unit is applied to a vehicle-mounted communication unit (TCU) will be described.

  The TCU is a configuration for realizing communication between the inside of the vehicle and the outside of the vehicle. For example, FIG. 6 is an explanatory diagram for explaining another application example of the security monitoring unit according to the present embodiment, and shows an example of a functional configuration of the TCU when the security monitoring unit is applied to the TCU. It is a block diagram.

  As shown in FIG. 6, the TCU 510 may be connected to an in-vehicle network such as the CAN 530. For example, the communication unit 512 schematically shows a communication interface for connecting the TCU 510 to the CAN 530. Further, the TCU 510 may be configured to be connectable to a network based on a wireless communication standard such as 3G / 4G, Wi-Fi (registered trademark), and Bluetooth (registered trademark). In FIG. 6, networks 550, 560, and 570 schematically show networks based on the 3G / 4G, Wi-Fi (registered trademark), and Bluetooth (registered trademark) communication standards. The communication units 513, 514, and 515 schematically show communication interfaces for connecting the TCU 510 to the networks 550, 560, and 570. Also, the TCU 510 may be configured to be connectable to infrastructures 540 such as a so-called smart city or the like. For example, the communication unit 512 schematically shows a communication interface for connecting the TCU 510 to the infrastructure 540.

  As shown in FIG. 6, the TCU 510 is configured to be connectable to a plurality of networks including a network inside the vehicle and a network outside the vehicle. Such a configuration enables, for example, transmission and reception of information between the device in the vehicle and the device outside the vehicle via the TCU 510. Therefore, the TCU 510 is often associated with an important function (for example, unlocking a door, etc.), and the risk of vulnerability tends to be high. Further, as an example of a malicious attack on the TCU 510, there is a so-called "global attack". Specifically, when a vulnerability exists in the interface of TCU 510, a situation may be assumed where the interface is used to spread worms and the like.

  An IDS may be introduced to obtain information about events such as those described above (e.g. worm entry etc). However, IDS alone may make it difficult to take measures other than detection.

  In addition, as a countermeasure against the above-mentioned event, distribution of the update program can be mentioned. On the other hand, although the countermeasure by applying the update works effectively for TCUs that have not yet been violated by a threat such as a worm, it does not necessarily work effectively for TCUs that have already been violated (ie, the problem). May not be solved).

  Thus, in the present disclosure, an example of a mechanism for solving the above-described problem will be described by providing the security monitoring unit 100 to the TCU 510.

  For example, in the example illustrated in FIG. 6, the TCU 510 includes the security monitoring unit 100, and the security monitoring unit 100 includes the security certificate authority 200 provided outside the vehicle, such as a remote key management server (KMS). Authentication between That is, the security monitoring unit 100 accesses the security certificate authority 200 via the wireless network 550 based on the 3G / 4G communication standard, the wireless network 560 based on the Wi-Fi (registered trademark) communication standard, or the like. Authentication is performed with the security certificate authority 200. Further, in the example shown in FIG. 6, key information is shared between the security monitoring unit 100 and the security certificate authority 200. In the following description, for convenience, the key information held by the security monitoring unit 100 is referred to as “key information 190”, and the key information held by the security certificate authority 200 is referred to as “key information 195”.

  In the example shown in FIG. 6, the general purpose input / output unit (GPIO) of the security monitoring unit 100 is connected to the enable pin of each of the communication units 511 to 515 via the transmission path. Also, as long as a response is returned from the security certificate authority 200, the security monitoring unit 100 keeps updating the timer of the general-purpose input / output unit. That is, as long as the security certificate authority 200 returns a response, each of the communication units 511 to 515 will be validated.

  On the other hand, for example, it is assumed that the IDS detects a vulnerability (for example, infection with a worm) of an interface (for example, the communication unit 513) for accessing the network 550 based on the 3G / 4G standard. In this case, the security certificate authority 200 (for example, KMS) can limit the response to the response from the security monitoring unit 100 based on the detection result by the IDS.

  Specifically, the security monitoring unit 100 generates a challenge based on the key information 190, and transmits the challenge to the remote security certificate authority 200 (for example, KMS) via the network 550 or 560. When the security certificate authority 200 confirms the validity of the challenge transmitted from the security monitoring unit 100 based on the key information 195, it determines the value of the timer corresponding to each of the communication units 511 to 515. At this time, the security certificate authority 200 may independently determine the values of the timers respectively corresponding to the communication units 511 to 515 individually. Then, the security certificate authority 200 associates the value of the determined timer with the response to the challenge from the security monitoring unit 100, and transmits the response to the security monitoring unit 100. The security monitoring unit 100 confirms the legitimacy of the response returned from the security certificate authority 200 based on the key information 190. When the security monitoring unit 100 confirms the legitimacy of the response, the security monitoring unit 100 updates the timer corresponding to each of the communication units 511 to 515 based on the value of the timer associated with the response.

  When the manufacturer of the TCU 510 invalidates at least part of the interface of the TCU 510 (for example, any of the communication units 511 to 515) based on such a configuration, the security monitoring unit by the security certificate authority 200 You may want to limit the sending of responses to 100. In this case, when the security monitoring unit 100 times out, the security monitoring unit 100 sends a disable signal to the corresponding interface to physically invalidate the interface.

  Also, as another example, information associated with a response from the security certificate authority 200 to the security monitoring unit 100 (that is, the value of the timer) is controlled such that “0” is set as the value of the timer. It is also good. In this case, the security monitoring unit 100 updates the value of the timer to 0 along with the reception of the response. That is, the timer immediately times out, the security monitoring unit 100 sends a disable signal to the corresponding interface, and the interface is physically invalidated.

  The control as described above enables the TCU 510 to prevent the occurrence of a situation in which the worm continues to spread as the interface is violated. Also, since the corresponding interface (for example, the communication units 511 to 515 etc.) is disabled in hardware by the security monitoring unit 100, it is difficult for malicious programs such as worms to spread by software bypass. .

  Further, although the example described above focuses on the example in which the interface of the TCU 510 is violated, the present invention is not necessarily limited to the same aspect. For example, when a device external to TCU 510 is violated, TCU 510 invalidates the interface for exchanging messages with the external device to physically break a security violation from the external device. It is also possible to shut off.

  In the above, an example in which the security certificate authority 200 updates the timer of the security monitoring unit 100 has been described, but an interface for the user to intentionally set the timer of the security monitoring unit 100 by an operation is provided. Good. With such a configuration, for example, the timer of the security monitoring unit 100 is set to “0” based on an operation from the user (or a maintenance staff), thereby causing the security monitoring unit 100 to immediately time out. It also makes it possible to protect the desired components.

  In the above, with reference to FIG. 6, as another application example of the security monitoring unit according to the present embodiment, an example in which the security monitoring unit is applied to a vehicle-mounted communication unit (TCU) has been described.

<3.5. Processing>
Subsequently, an example of a flow of a series of processes of the in-vehicle system including the control device to which the security monitoring unit 100 according to the present embodiment is applied will be described.

(When HSM functions as a security certificate authority)
First, an example in which the HSM functions as the security certificate authority 200 will be described with reference to FIGS. 7 to 9. That is, an example of control in a case where the security monitoring unit 100 performs authentication with the HSM, and in accordance with the result of the authentication, the predetermined component is protected by invalidating the CAN communication unit will be described. FIGS. 7 to 9 are flowcharts showing an example of the flow of a series of processes of the in-vehicle system according to the present embodiment, showing an example of control related to enabling and disabling of predetermined devices by the security monitoring unit 100. ing. Note that the HSM monitors whether or not the CPU is violating security, and controls an operation related to authentication with the security monitoring unit 100 according to the result of the monitoring.

  For example, FIG. 7 shows an example of each operation of the HSM operating as the security certificate authority 200 and the CPU. Specifically, a series of processes indicated by reference signs S131 to S135 schematically show the operation of the CPU. In addition, a series of processes indicated by reference signs S101 to S107 schematically show the operation of the HSM.

  For example, the CPU starts operation at a predetermined timing (S131), transmits a CAN message directed to a predetermined component to a CAN communication unit described later (S133), and then temporarily suspends operation (S135). ). The CPU executes the series of processes as described above (that is, the processes indicated by reference signs S131 to S135) sequentially and repeatedly. On the other hand, when the CPU is violated by a malicious program, for example, in the process indicated by reference numeral S133, the malicious message is transmitted from the CPU to the CAN communication unit.

  The HSM sequentially monitors the state related to the security of the CPU (S101). At this time, the HSM responds to the request (challenge) related to the authentication from the security monitoring unit 100 as long as no abnormality in the security is detected in the CPU (S101, YES). A new timer value is set (S103). On the other hand, the HSM rejects the request related to the authentication from the security monitoring unit 100 (for example, restricts the response to the request) when an abnormality in the security is detected in the CPU (S101, NO). Then, the security monitoring unit 100 is timed out (S105).

  The HSM periodically executes a series of processes indicated by reference signs S101 to S105. That is, after executing the series of processes indicated by reference numerals S101 to S105, the HSM waits for a predetermined period (S107), and executes the series of processes again after the period has elapsed.

  Subsequently, a flow of a series of processes of the security monitoring unit 100 will be described with reference to FIG.

  The security monitoring unit 100 generates a challenge for authentication based on a code such as a random number, and transmits the challenge to the HSM (that is, the security certificate authority 200) (S151).

  The security monitoring unit 100 receives a response to the channel from the HSM, and controls the CAN communication unit to be effective (S161) as long as it can be confirmed that the authentication is successful (S153, YES). As a specific example, the security monitoring unit 100 validates the CAN communication unit by transmitting an enable signal to the enable pin of the CAN communication unit.

  On the other hand, when the response to the channel is not received from the HSM and the authentication fails (S153, NO), the security monitoring unit 100 waits for a predetermined period (S155) unless timeout occurs (S157, NO). , And waits for a response from the HSM again (S153). Then, the security monitoring unit 100 continues to be in a state where it can not receive the response from the HSM, and when it times out as a result (S 157, YES), controls the CAN communication unit to be invalidated (S 159). As a specific example, the security monitoring unit 100 invalidates the CAN communication unit by transmitting a disable signal to the enable pin of the CAN communication unit.

  The security monitoring unit 100 periodically executes a series of processes indicated by reference numerals S151 to S161. That is, after executing the series of processes indicated by the reference symbols S151 to S161, the security monitoring unit 100 waits for a predetermined period (S163), and executes the series of processes again after the period has elapsed.

  Subsequently, a flow of a series of processing of the CAN communication unit will be described with reference to FIG.

  The CAN communication unit receives a CAN message from the CPU (S171). At this time, when the CAN communication unit is activated (S173, YES), the CAN communication unit transmits the received CAN message to the destination component (S175). On the other hand, when the CAN communication unit is invalidated based on the control from the security monitoring unit 100 (S173, NO), the CAN message from the CPU transmitted to the CAN communication unit is ignored. (S177).

  As described above, referring to FIGS. 7 to 9, the security monitoring unit 100 according to the present embodiment invalidates the CAN communication unit according to the result of the authentication with the security certificate authority 200, and the predetermined component can be obtained. An example of control in the case of protection has been described.

(When the remote OEM server functions as a security certificate authority)
Subsequently, an example of the case where the remote OEM server functions as the security certificate authority 200 will be described with reference to FIGS. That is, an example of control in the case where the security monitoring unit 100 performs authentication with the OEM server and in accordance with the result of the authentication, the predetermined component is protected by invalidating the CAN communication unit will be described. 10 to 12 are flowcharts showing another example of the flow of a series of processes of the on-vehicle system according to the present embodiment.

  For example, FIG. 10 shows an example of the operation of the security monitoring unit 100. In the example illustrated in FIG. 10, the security monitoring unit 100 generates a challenge range by encrypting a code such as a random number and an identification expression (ID) for identifying a self confidence, and transmits the challenge to the CPU ( S211). The corresponding range is transmitted to an external OEM server via the CPU. Then, the security monitoring unit 100 performs authentication with the OEM server by receiving a response to the challenge from the external OEM server via the CPU (S213). The subsequent processes (that is, the processes indicated by reference signs S215 to S223) are the same as the processes indicated by reference signs S155 to S163 in the example shown in FIG.

  Subsequently, an example of the flow of a series of processing of the CPU will be described with reference to FIG. In the present description, the CPU is described as individually controlling the operation of each of the first hardware and the second hardware.

  The CPU starts operation at a predetermined timing (S231). In the example illustrated in FIGS. 10 to 12, the CPU mediates transmission and reception of data between the security monitoring unit 100 and the OEM server (S233). That is, when the CPU receives a challenge addressed to the OEM server from the security monitoring unit 100, the CPU transmits the challenge to the OEM server. Further, when the CPU receives a response to the challenge from the OEM server, the CPU may transfer the response to the security monitoring unit 100.

  Also, the CPU controls the operation of the first hardware and the second hardware (S235, S237). As a specific example, the CPU transmits a message or a signal to each of the first hardware and the second hardware to transmit the message or the signal to each of the first hardware and the second hardware. The operation may be controlled.

  Then, when the CPU finishes the execution of each of the above processes, the CPU temporarily suspends the operation (S239). The CPU sequentially repeats the series of processes described above (that is, the processes indicated by reference signs S231 to S239).

  Subsequently, an example of the flow of a series of processes of the OEM server functioning as the security certificate authority 200 will be described with reference to FIG. Note that, in this description, the OEM server determines the presence or absence of the security risk individually for each of the first hardware and the second hardware, and the first hardware and the second hardware, respectively. The timer value shall be set individually for the control of.

  As shown in FIG. 12, the OEM server receives, from the security monitoring unit 100, the challenge range generated by the security monitoring unit 100 as a request for authentication (S251). At this time, the OEM server may extract the identification information of the security monitoring unit 100 included in the challenge by decrypting the challenge based on the corresponding key information.

  Next, the OEM server checks whether a security failure related to control of the first hardware has not been reported (S253). At this time, the OEM server may check the presence or absence of the report of the failure by making an inquiry to the IDS, the security monitoring system, and the like. At this time, the OEM server may narrow down related information by making the above-mentioned inquiry by specifying the identification information acquired from the security monitoring unit 100. If no failure is reported regarding the control of the first hardware (S253, NO), the OEM server sets a new timer value for the control of the first hardware (S257). On the other hand, when the failure related to the control of the first hardware is reported (S253, YES), the OEM server requests the authentication from the security monitoring unit 100 for the control of the first hardware. Refuse (S255). In this case, in the security monitoring unit 100, a timer related to control of the operation of the first hardware will time out. That is, in this case, the security monitoring unit 100 invalidates the interface by, for example, sending the disable signal to the interface for the first hardware to receive a signal from the CPU.

  Similarly, the OEM server checks whether a security failure related to control of the second hardware has not been reported (S259). If no failure is reported for the control of the second hardware (S 259, NO), the OEM server sets a new timer value for control of the second hardware (S 263). On the other hand, when the failure related to the control of the second hardware is reported (S259, YES), the OEM server requests the authentication from the security monitoring unit 100 for the control of the second hardware. Refuse (S261). In this case, in the security monitoring unit 100, a timer related to control of the operation of the second hardware will time out. That is, in this case, the security monitoring unit 100 invalidates the interface by, for example, sending a disable signal to the interface for the second hardware to receive a signal from the CPU.

  Then, the OEM server generates a response to the challenge from the security monitoring unit 100 based on the result of the determination regarding the first hardware and the second hardware described above, and transmits the response to the security monitoring unit 100. To do (S265).

  The OEM server sequentially and repeatedly executes the series of processes as described above (that is, the processes indicated by reference signs S251 to S265).

  In the above, with reference to FIGS. 10 to 12, an example in which the remote OEM server functions as the security certificate authority 200 has been described.

<< 4. End >>
As described above, in the on-vehicle system according to the present embodiment, the security monitoring unit (Security Watchdog) controls the component with respect to the control device such as the ECU via a predetermined interface such as a CPU and the like. Are provided independently. Based on such a configuration, the security monitoring unit performs authentication with the security certificate authority, and controls (for example, restricts) access to the component via the interface according to the result of the authentication. . At this time, the security monitoring unit may physically restrict access to the component by invalidating the interface. In addition, the security monitoring unit may include a timer, and may limit access to the component when the acquisition of the response related to the authentication from the security certificate authority fails and the timer times out.

  As described above, according to the technology according to the present embodiment, when an abnormality (for example, an abnormality in security) occurs in some of the devices of the in-vehicle system, access to the component to be protected is physically performed. Restrict to This makes it possible to isolate the component to be protected from the compromised device and to protect the component from malicious attacks that exploit the device. Also, because access to the component to be protected is physically shielded, for example, even if a malicious program such as a worm enters the in-vehicle network, the program accesses the component by software bypass. It will be difficult to do.

  Thus, by applying the technology according to the present disclosure, even if a failure occurs in some devices (for example, CPU and microcontroller) in the in-vehicle network, the devices are temporarily or permanently shut down. It is possible to effectively deactivate some modules without. Thus, for example, even when a serious security incident occurs, the manufacturer can diagnose or repair the device instead of replacing the device such as the ECU. That is, by applying the technology according to the present disclosure, even when a security problem occurs, it is possible to take various measures against the problem than in the past, and thus, select a more preferable measure. It also becomes possible.

  The configuration described above is merely an example, and the configuration of the in-vehicle system according to an embodiment of the present disclosure is not necessarily limited. As a specific example, as described above, the position of the configuration responsible for the function of the security certificate authority 200 is not particularly limited. For example, the security certificate authority 200 may be similarly provided in the device in which the security monitoring unit 100 is provided. Also, the security certificate authority 200 may be provided outside the device in which the security monitoring unit 100 is provided. At this time, the security certificate authority 200 may be provided in a remote server. Also, as another example, the security certificate authority 200 may be provided in an apparatus different from the apparatus provided with the security monitoring unit 100 in the in-vehicle network. As a specific example, in the example shown in FIG. 4, in the case where the security monitoring unit 100 is provided in the ADAS 430, the gateway 410 may play the role of the security certificate authority 200 (that is, the gateway 410 has a security certificate authority 200 may be provided).

  Also, the provision mode of the configuration corresponding to the security monitoring unit 100 is not limited. For example, as an example mentioned above, you may be provided as a part of apparatuses, such as ECU, GW, and TCU. Also, as another example, the security monitoring unit 100 may be provided as a unit (for example, a chip) configured to be attachable to and detachable from an apparatus such as an ECU, a GW, or a TCU. In this case, the configuration corresponding to the unit corresponds to an example of the “control device”.

  Although the preferred embodiments of the present invention have been described in detail with reference to the accompanying drawings, the present invention is not limited to such examples. It is obvious that those skilled in the art to which the present invention belongs can conceive of various changes or modifications within the scope of the technical idea described in the claims. Of course, it is understood that these also fall within the technical scope of the present invention.

DESCRIPTION OF SYMBOLS 10 control network 20 network 30 networks 50 50a 50h control device 100 security monitoring unit 101 encryption engine 111 authentication processing unit 113 control unit 103 code generation unit 105 communication interface 107 timer 109 general-purpose input / output unit 200 security certificate authority 311 main control Section 313 Detector 315 Actuator driver 317 Communication interface 331 Actuator 340 In-vehicle network 350 Internet 360 Network 410 Gateway 411 Main microcontroller 414 Controller 415 Memory 416a, 416b Communication section 417 Enable pin 440 Steering column 450 Brake 460 Infotainment 470 Air conditioner 480 Cross-sectional tool 490 light 510 TCU
511 to 515 communication unit 540 infrastructure 550, 560, 570 network

Claims (14)

An authentication processing unit (111) that performs authentication with the security certificate authority according to a predetermined condition;
A control unit (113) that is provided independently of a unit that controls a component connected to an in-vehicle network via a predetermined interface, and controls access to the component via the interface according to the result of the authentication. )When,
And a control device.   The control device according to claim 1, wherein the control unit (113) restricts access to the component via the interface when the authentication fails.   The control device according to claim 2, wherein the control unit (113) restricts access to the component via the interface when acquisition of a response related to the authentication from the security certificate authority fails. A code generation unit (103) for generating a code for authentication;
The authentication processing unit performs authentication with the security certificate authority based on the code.
The control device according to any one of claims 1 to 3.   The control device according to claim 4, wherein the authentication is authentication based on a challenge and response method using the code.   The control device according to any one of claims 1 to 5, wherein the control unit (113) controls access to the component via the interface according to a lapse of a set period.   The control device according to claim 6, wherein the period is set by the security certificate authority.   The control device according to any one of claims 1 to 7, comprising the security certificate authority (200).   The control device according to any one of claims 1 to 7, wherein the authentication processing unit (111) performs the authentication of a predetermined network with the security certificate authority.   The control device according to claim 9, wherein the predetermined network is a network in a vehicle in which the control device is held.   The control device according to claim 9, wherein the predetermined network includes a network for accessing the outside of a vehicle in which the control device is held. The control device is a device that controls access among a plurality of networks,
The control unit (113) restricts, according to the result of the authentication, access to a network to be protected among the plurality of networks from another network different from the network. The control device according to any one of the above.   The control device according to claim 12, wherein the network to be protected is an in-vehicle network in which information related to the operation of a vehicle in which the control device is held is transmitted and received. A computer provided independently of a unit that controls components connected to the in-vehicle network via a predetermined interface,
Performing authentication with a security certificate authority according to predetermined conditions;
Controlling access to the component via the interface according to the result of the authentication;
Control methods, including: