Entering the new era of wireless battery management systems (wBMS): security is the first priority
Time: 2022-09-14
Author: Lei Poo, Director of System Architecture, Electric Transport Department, ADI Automotive Business Unit
Only by ensuring system security from process to product can all the advantages of wBMS technology be realized.
In early conversations with electric vehicle (EV) manufacturers, the technical and commercial challenges of a wireless battery management system (wBMS) seemed daunting, but the rewards were too rich to ignore. The many inherent advantages of wireless connectivity over wired/cabled architectures have been proven in countless commercial applications, and the BMS is another field that clearly wants to get rid of its cables.
Figure 1. Electric vehicle using a wireless battery management system (wBMS)
The prospect of a lighter, modular, compact EV battery pack, finally free of the cumbersome communication wiring harness, has been widely accepted. Eliminating up to 90% of the battery pack wiring and 15% of the battery pack volume significantly simplifies the design and size of the whole vehicle, and greatly reduces bill of materials (BOM) cost, development complexity and the related manual installation and maintenance work.
More importantly, a single wireless battery design can easily be extended across a car maker's whole EV fleet without the extensive and costly harness redesign otherwise needed for each brand and model. With wBMS, car manufacturers can freely modify their frame designs without worrying about rerouting large amounts of BMS wiring in the battery pack.
In the long run, continuous reduction of vehicle weight and battery pack size is crucial for extending EV range over the next few years. wBMS technology will therefore play an important role in helping car manufacturers improve range, and thus help consumers overcome their long-standing anxiety about EV mileage.
This is expected not only to stimulate overall market adoption of EVs, but also to give car manufacturers the opportunity to leap to a leading position in the EV market through their long-range capability. Looking ahead, this will remain a major differentiator for EV manufacturers. For a more detailed description of the advantages and a market analysis, see "The revolution of wireless battery management of electric vehicles has begun, and the potential for return on investment is huge".
New safety and security standards
Many challenges must be overcome to fulfill the promise of wBMS. While the vehicle is running, the wireless communication used by the wBMS must be robust enough against interference, and the system must remain safe under all circumstances. However, robust and safe design alone may not be enough to defend against a determined attacker; this is where system security comes into play.
The location of the vehicle (urban or rural, for example) and whether someone in the vehicle is using another wireless device in the same frequency band change the sources of interference. Reflections inside the battery pack can also degrade performance, depending on the material used to enclose the cells. The wBMS signal is therefore likely to fluctuate, and communication may be disrupted under natural conditions alone, let alone in the face of a malicious attacker.
If wBMS communication is interrupted for any reason, the car can fall back to a "safe mode" with reduced performance to let the driver take action, or, when wBMS communication is completely lost, bring the car to a safe stop. This is achieved through appropriate functional safety design: considering all possible failure modes in the system and implementing end-to-end safety mechanisms that handle random component failures.
Functional safety design, however, does not consider the possibility of a malicious actor exploiting the system for their own purposes, including remote control of the vehicle. At the Black Hat conference in 2016, researchers demonstrated this possibility on a moving car, gaining remote access through the vehicle gateway. Wireless robustness and fail-safe design alone are therefore not enough; the system must also resist attack. The Black Hat demonstration is a valuable lesson: future wireless systems in cars must be designed so that they cannot be exploited as another remote entry point. By contrast, conventional wired battery packs offer no remote access; to reach battery data, an attacker needs physical access to the high-voltage environment inside the vehicle.
Other security challenges can arise across the whole life cycle of an EV battery, as shown in Figure 2. ADI's wBMS design approach focuses on understanding the different stages of the EV battery's life, from delivery to deployment and service, and finally to second life or end of life. These usage scenarios define the various functions a wBMS must support. For example, preventing unauthorized remote access is a consideration once the vehicle is deployed, while more flexible access is needed during manufacturing. Another example is service: right-to-repair laws require that vehicle owners be given a way to resolve failures of the battery or the associated wBMS. This means the wBMS software must support updates through a legitimate channel, and the update mechanism must not compromise the security of the vehicle once it leaves the service station.
Figure 2. Life cycle of an EV battery and its associated wBMS life cycle
In addition, when EV batteries no longer meet EV performance standards, they are sometimes redeployed in the energy sector. This requires a secure transfer of battery ownership to the next life stage. The battery itself has no built-in intelligence, so it falls to the accompanying wBMS to implement the appropriate security strategy for each stage of the EV battery life cycle. Before the transition to a second life (cascade utilization), all secrets from the first life must be securely erased.
ADI foresaw these problems and addressed them according to its core design principles, paying particular attention to maintaining and enhancing security integrity from process to product and conducting detailed reviews. Meanwhile, the ISO/SAE 21434 standard "Road vehicles: Cybersecurity engineering" was officially released in August 2021 after three years of development. It defines a similarly exhaustive end-to-end process framework and divides cybersecurity assurance into four levels. Car manufacturers and suppliers are assessed on a scale of 1 to 4, with Cybersecurity Assurance Level (CAL) 4 representing the highest level of compliance (see Figure 3).
Figure 3. ISO/SAE 21434 framework and CAL 4 expectations
ADI's wBMS approach responds to the requirements of ISO/SAE 21434 and applies the highest level of scrutiny and rigor required for developing security products in the automotive industry. To this end, ADI engaged TÜV Nord, a well-known trusted certification laboratory, to evaluate its internal development policies and processes. After review, ADI's policies and processes were found to fully conform to the new ISO/SAE 21434 standard, as shown in Figure 4.
Figure 4. TÜV Nord certificate
Rigorous process
Once a systematic process for wBMS product design is in place, a threat assessment and risk analysis (TARA) can be performed to clarify the threat profile according to how the customer intends to use the product. By understanding the purpose of the system and the various ways it is used during its life cycle, we can determine which key assets need to be protected against which potential threats.
There are many options for TARA, including the well-known Microsoft STRIDE method, which models threats by considering the six threat types represented by the acronym STRIDE: Spoofing (S), Tampering (T), Repudiation (R), Information disclosure (I), Denial of service (D) and Elevation of privilege (E). ADI applies it to the different interfaces that make up the components of the wBMS system, as shown in Figure 5. These interfaces are natural pause points on the data and control flow path, which a potential attacker may use to gain unauthorized access to system assets. By putting yourself in the attacker's position and asking how and why each threat applies to each interface, you can identify possible attack paths, judge how likely each threat is, and judge how serious the consequences would be if the attack succeeded. This thinking process is then repeated for the different life-cycle stages, because the possible threats and their impact vary with the environment the product is in (such as warehouse versus deployment). The result indicates where countermeasures are required.
Take the wireless channel between a wireless cell monitor and the wBMS manager during deployment as an example, as shown in Figure 5. If the asset is the data from the wireless cell monitor, and the concern is that the data values could be disclosed to an eavesdropper, the data may need to be encrypted as it passes over the wireless channel. If the concern is that the data could be tampered with on the channel, it may need to be protected with a data integrity mechanism (such as a message integrity code). If the concern is that someone could forge the origin of the data, a method is needed to authenticate the wireless cell monitor communicating with the wBMS manager.
Figure 5. Threat surface considerations for wBMS
Through this exercise, the key security objectives of the wBMS system can be identified, as shown in Figure 6. Each of these objectives will require mechanisms to implement it.
Figure 6. Security objectives of wBMS
Time and again we have to answer the question: "how much are we willing to pay, in choosing certain mechanisms, to achieve a specific security goal?" Adding more countermeasures will almost certainly improve the product's overall security posture, but the price can be very high, and it may cause unnecessary inconvenience to the end consumers who use the product. A common strategy is to mitigate the threats that are most likely and easiest to carry out. More sophisticated attacks tend to target higher-value assets and may require stronger countermeasures, but they are far less likely to happen, so implementing those countermeasures does not give a cost-effective return.
For example, in a wBMS, physically tampering with the IC devices to gain access to battery measurement data while the vehicle is driving on the road is extremely unlikely, because it would require a well-trained mechanic with a deep understanding of EV batteries to work on the components of a moving vehicle. If easier approaches exist, real-life attackers will try those instead. A common type of attack on a networked system is a denial-of-service (DoS) attack, which prevents users from using the product. One could build a portable wireless jammer to try to disrupt wBMS operation (hard), but one could also simply let the air out of a tire (easy).
The process of addressing risks with an appropriate set of mitigation measures is called risk analysis. By measuring the impact and likelihood of the relevant threats before and after the introduction of the appropriate countermeasures, one can determine whether the residual risk has been reasonably minimized. The end result is that security features are included because they are necessary and their cost is acceptable to customers.
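The STRIDE-per-interface exercise and the before/after risk scoring described above can be kept in a small register. The following Python is an added example, not ADI's code or data: the interfaces, the 1 to 5 likelihood, impact and cost scales, the scores and the countermeasure names are all constructed assumptions chosen to illustrate the process, including the "most likely and easiest to deploy first" ordering and the decision to leave a very unlikely, expensive-to-mitigate threat unmitigated.

```python
"""Added example, not ADI's code: a minimal STRIDE-based TARA risk register.

Every interface, score and countermeasure below is a constructed assumption
chosen to illustrate the scoring process, not data from a real wBMS TARA.
"""
from dataclasses import dataclass
from typing import List, Optional

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Threat:
    interface: str               # pause point on the data/control path
    category: str                # one STRIDE letter
    stage: str                   # life-cycle stage the scoring applies to
    likelihood: int              # 1 (very unlikely) .. 5 (very likely), assumed scale
    impact: int                  # 1 (negligible) .. 5 (severe), assumed scale
    mitigation_cost: int = 3     # 1 (cheap to deploy) .. 5 (expensive), assumed scale
    countermeasure: str = ""
    residual_likelihood: Optional[int] = None   # None = unchanged by the countermeasure
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.category!r}")
        for score in (self.likelihood, self.impact, self.mitigation_cost):
            if not 1 <= score <= 5:
                raise ValueError("scores must be in the range 1..5")

    def risk(self) -> int:
        """Risk before any countermeasure: likelihood x impact."""
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        """Risk after the countermeasure, using the re-scored values where given."""
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im


def mitigate(threat: Threat, countermeasure: str,
             likelihood: Optional[int] = None, impact: Optional[int] = None) -> Threat:
    """Record a countermeasure and the re-scored likelihood and/or impact."""
    threat.countermeasure = countermeasure
    threat.residual_likelihood = likelihood
    threat.residual_impact = impact
    return threat


def prioritise(threats: List[Threat]) -> List[Threat]:
    """'Most likely and easiest to deploy first': highest likelihood, then lowest cost."""
    return sorted(threats, key=lambda t: (-t.likelihood, t.mitigation_cost, -t.impact))


def above_threshold(threats: List[Threat], threshold: int, residual: bool = True) -> List[Threat]:
    """Threats whose (residual) risk is still above the accepted threshold."""
    score = (lambda t: t.residual_risk()) if residual else (lambda t: t.risk())
    return [t for t in threats if score(t) > threshold]


def build_register() -> List[Threat]:
    """Constructed register for the deployment stage (illustrative values only)."""
    channel = "wireless channel: cell monitor <-> wBMS manager"
    reg = [
        Threat(channel, "I", "deployment", likelihood=4, impact=3, mitigation_cost=2),
        Threat(channel, "T", "deployment", likelihood=3, impact=5, mitigation_cost=2),
        Threat(channel, "S", "deployment", likelihood=3, impact=5, mitigation_cost=3),
        Threat(channel, "D", "deployment", likelihood=2, impact=4, mitigation_cost=3),
        Threat("cell monitor IC package", "T", "deployment", likelihood=1, impact=5, mitigation_cost=5),
        Threat("debug port", "E", "deployment", likelihood=3, impact=5, mitigation_cost=1),
    ]
    mitigate(reg[0], "AES encryption of frames", likelihood=1)
    mitigate(reg[1], "message integrity code on every frame", likelihood=1)
    mitigate(reg[2], "mutual authentication of node and manager", likelihood=1)
    mitigate(reg[3], "fail-safe mode on loss of communication", impact=2)
    # reg[4] is deliberately left without a countermeasure: physical IC tampering on a
    # moving vehicle is rated very unlikely and the countermeasure would be expensive.
    mitigate(reg[5], "lock the debug port after deployment", likelihood=1)
    return reg


if __name__ == "__main__":
    register = build_register()
    for t in prioritise(register):
        print(f"{t.interface:48s} {STRIDE[t.category]:24s} "
              f"risk {t.risk():2d} -> residual {t.residual_risk():2d}  {t.countermeasure or '(accepted)'}")
```

Running the register across several life-cycle stages simply means building one list per stage with its own scores, since the same interface can carry a different threat profile in a warehouse than in a deployed vehicle.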
The TARA for wBMS points to two important aspects of wBMS security: device-level security and wireless network security.
The first rule of any security system is "keep the keys secure!" This applies both within the device and across the global manufacturing operation. ADI's wBMS device security covers the hardware, the IC and the underlying software on the IC, and ensures that the system boots securely from immutable memory into a trusted platform for running code. All software must be authenticated before execution, and any in-field software update requires pre-installed credentials to authorize it. Once the system is deployed in a vehicle, rollback to a previous (and possibly vulnerable) software version is prohibited. In addition, after deployment the debug port must be locked, eliminating the possibility of accessing the system through an unauthorized back door.
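The device-level rules in the paragraph above (authenticate code before it runs, authorize updates with a pre-installed credential, forbid rollback, lock debug after deployment) fit in a few dozen lines. The following Python is an added example, not ADI's boot code: a real boot ROM would verify a public-key signature, and here an HMAC tag under a pre-installed device credential stands in for that signature so the example runs with the standard library only. The credential, version numbers and image bytes are constructed.

```python
"""Added example, not ADI's code: secure boot with authenticated images and anti-rollback.

A real device verifies a public-key signature from immutable ROM; here an HMAC tag
under a pre-installed device credential stands in for that signature so the example
runs with the standard library only. Credential, versions and image bytes are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Tuple


@dataclass
class SignedImage:
    version: int
    image: bytes
    tag: bytes          # authentication tag over the manifest (version + image hash)


def manifest(version: int, image: bytes) -> bytes:
    """Canonical manifest that binds the version number to the image contents."""
    digest = hashlib.sha256(image).hexdigest()
    return json.dumps({"version": version, "sha256": digest}, sort_keys=True).encode()


def sign_image(credential: bytes, version: int, image: bytes) -> SignedImage:
    """Update authority side: authorize an image with the pre-installed credential."""
    tag = hmac.new(credential, manifest(version, image), hashlib.sha256).digest()
    return SignedImage(version, image, tag)


class BootRom:
    """Immutable boot code: holds the provisioned credential and a monotonic version floor."""

    def __init__(self, credential: bytes) -> None:
        self._credential = credential   # never leaves the device in a real design
        self.min_version = 0            # lowest version still allowed to boot
        self.debug_locked = False

    def verify(self, img: SignedImage) -> Tuple[bool, str]:
        expected = hmac.new(self._credential, manifest(img.version, img.image),
                            hashlib.sha256).digest()
        # Constant-time comparison; a tampered image changes the manifest and fails here.
        if not hmac.compare_digest(expected, img.tag):
            return False, "authentication failed"
        # Anti-rollback: an older, possibly vulnerable, authentic image is still refused.
        if img.version < self.min_version:
            return False, "rollback rejected"
        return True, "ok"

    def boot(self, img: SignedImage) -> Tuple[bool, str]:
        ok, reason = self.verify(img)
        if ok:
            self.min_version = img.version   # ratchet forward, never back
            self.debug_locked = True         # no debug access once deployed code runs
        return ok, reason


if __name__ == "__main__":
    credential = b"constructed-device-credential"
    rom = BootRom(credential)
    print(rom.boot(sign_image(credential, 2, b"firmware v2")))       # (True, 'ok')
    print(rom.boot(sign_image(credential, 1, b"firmware v1")))       # (False, 'rollback rejected')
    print(rom.boot(SignedImage(3, b"firmware v3", b"\x00" * 32)))    # (False, 'authentication failed')
```

The order of the checks matters: authenticity is established before the version is even looked at, so an attacker cannot use a forged manifest to move the rollback floor, and the floor is only advanced after a successful boot.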
Network security aims to protect the wireless communication between the wBMS cell monitoring nodes and the network manager inside the battery pack enclosure. Security starts with joining the network: the membership of every participating node must be checked. This prevents arbitrary nodes from joining the network, even if they happen to be nearby. Mutual authentication at the application layer between the nodes and the network manager further protects the wireless channel, so that a man-in-the-middle attacker cannot pose as a legitimate node to communicate with the manager, or vice versa. In addition, to ensure that only the intended receiver can access the data, AES-based encryption is used to scramble the data and prevent information from leaking to any potential eavesdropper.
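The membership check, the message integrity code from the wireless-channel example in the TARA section, and freshness against replayed frames can be seen together on the manager side. The following Python is an added example, not ADI's network stack: IEEE 802.15.4 security uses AES-CCM for its MIC and encryption, while this example uses a truncated HMAC-SHA256 as the MIC and omits the confidentiality layer so that it runs with the standard library only. The per-node keys stand in for the certificate-based membership described later; the node IDs, keys, frame layout and payloads are constructed.

```python
"""Added example, not ADI's code: membership check, message integrity code and replay
protection for frames from wBMS cell monitors to the network manager.

IEEE 802.15.4 security uses AES-CCM for its MIC and encryption; this stand-alone
example uses a truncated HMAC-SHA256 as the MIC and omits confidentiality so it
runs with the standard library only. Node IDs, keys and payloads are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

HEADER = struct.Struct(">HI")   # node id (16 bit) | frame counter (32 bit), big-endian
MIC_LEN = 8                     # truncated tag length, as assumed for this example


def build_frame(node_key: bytes, node_id: int, counter: int, payload: bytes) -> bytes:
    """Cell monitor side: header || payload || MIC over header+payload."""
    body = HEADER.pack(node_id, counter) + payload
    mic = hmac.new(node_key, body, hashlib.sha256).digest()[:MIC_LEN]
    return body + mic


class NetworkManager:
    """Battery-pack network manager: accepts frames only from enrolled, authentic, fresh sources."""

    def __init__(self, membership: Dict[int, bytes]) -> None:
        # node_id -> per-node key established at join time. A per-node key (rather than
        # one default network key) stands in for certificate-based membership here.
        self._keys = dict(membership)
        self._last_counter: Dict[int, int] = {}

    def receive(self, frame: bytes) -> Tuple[Optional[bytes], str]:
        if len(frame) < HEADER.size + MIC_LEN:
            return None, "malformed"
        node_id, counter = HEADER.unpack_from(frame)
        body, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
        key = self._keys.get(node_id)
        if key is None:
            return None, "not a network member"          # join check: unknown node
        expected = hmac.new(key, body, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(expected, mic):
            return None, "integrity check failed"        # tampered or forged frame
        if counter <= self._last_counter.get(node_id, -1):
            return None, "replay"                        # stale counter: replayed frame
        self._last_counter[node_id] = counter
        return body[HEADER.size:], "accepted"


if __name__ == "__main__":
    members = {1: b"constructed-key-node-1", 2: b"constructed-key-node-2"}
    manager = NetworkManager(members)
    frame = build_frame(members[1], 1, 0, b"\x0f\xa0")   # constructed cell-voltage payload
    print(manager.receive(frame))          # (b'\x0f\xa0', 'accepted')
    print(manager.receive(frame))          # (None, 'replay')
    print(manager.receive(build_frame(b"rogue-key", 9, 0, b"\x00")))  # (None, 'not a network member')
```

Because the node ID is covered by the MIC and each node has its own key, a frame built with node 2's key but carrying node 1's ID fails the integrity check rather than being attributed to node 1, which is the property a single shared network key cannot give.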
Protecting the keys
As in all security systems, at the core of security are a set of cryptographic algorithms and keys. ADI's wBMS follows NIST-approved guidelines, meaning that the chosen algorithms and key sizes are consistent with a minimum security strength of 128 bits, as appropriate for protecting data at rest (e.g. AES-128, SHA-256, 256-bit elliptic curve cryptography), and uses the algorithms of well-tested wireless communication standards (e.g. IEEE 802.15.4).
The keys used to secure the device are typically installed during ADI's manufacturing process and never leave the IC. These keys that underpin the security of the system are physically protected by the IC, and unauthorized access is blocked whether the keys are in use or at rest. A layered key framework then protects all application-layer keys, including those used for network security, by storing them as encrypted binary large objects (blobs) in non-volatile memory.
To enable mutual authentication among the nodes in the network, ADI's wBMS places a unique public/private key pair and a signed public-key certificate into each wBMS node during manufacturing. With the signed certificate, a node can verify that it is communicating with another legitimate ADI node that is a valid network member, and the unique key pair is used by the node in a key-agreement scheme to establish a secure communication channel with another node or with the BMS controller. One advantage of this approach is that wBMS installation is easier and needs no secure installation environment, because the nodes are set up to handle network security automatically after deployment.
By contrast, earlier schemes that established a secure channel with a pre-shared key usually required a secure installation environment and an installer to manually program the key values into the communication endpoints. To simplify and reduce the cost of the key distribution problem, assigning a default network-wide key to all nodes in the network is a shortcut many have taken. This often leads to a "break one, break all" disaster, which should serve as a warning.
As production scales up, car manufacturers need to be able to use the same wBMS with different numbers of wireless nodes on different EV platforms, and to install them at different secure manufacturing or service sites. ADI favors a distributed key approach to reduce the complexity of overall key management.
Conclusion
Only by ensuring security from the device to the network across the whole life cycle of an EV battery can all the advantages of wBMS technology be realized. Security therefore requires a system-level design philosophy that covers both processes and products.
ADI anticipated the core cybersecurity problems addressed by the ISO/SAE 21434 standard while it was still in draft, and adopted the relevant countermeasures in the design and development process of its wBMS. ADI is currently one of the first technology suppliers to achieve ISO/SAE 21434 compliance in its policies and processes, and ADI wBMS technology is receiving the highest cybersecurity level certification.