Why are OTA Updates Needed for Intelligent Transport Systems?
a device is robust, trusted, transparent and traceable.
There are scattered efforts in standards bodies to address this issue, and the processor ecosystem is currently making efforts to standardize code and update signing methods. But there is also a need to maintain a holistic view to ensure continuity of trust throughout the lifecycle of the transport systems themselves, involving software companies, tier-1s, tier-2s and OEMs.
Robust
One is used to reading “don’t turn off your computer while the update is being performed.” This is not acceptable in an ITS context, so Electronic Control Units (ECUs) have been offering robust and resilient updates through proprietary mechanisms. But this proprietary (siloed) approach is reaching its limits as software layers become more interdependent (e.g., an AI-driven ADAS that needs FPGA and software changes in lockstep). As a result of these dependencies, intra-ECU transactional updates need to be developed. In the future, there will be inter-ECU dependencies calling for system-wide transactional updates. This requires both standardization of new interfaces and open source reference implementations.
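A minimal sketch of an intra-ECU transactional update, added here as an illustration and not taken from any ECU vendor or standard: an FPGA bitstream and the ADAS software are staged, verified and switched together, so either both change or neither does. The `Component` class, the A/B slot model, the manifest layout and the sample images are assumptions; the SHA-256 check covers integrity only (signature verification is out of scope) and the state is held in memory, so power loss between slot switches is not modelled.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

class Component:
    """One updatable layer of an ECU (FPGA bitstream, ADAS software) with A/B slots."""
    def __init__(self, name, image):
        self.name = name
        self.active = image   # image the ECU currently runs
        self.staged = None    # image written to the inactive slot

    def prepare(self, image, expected_sha256):
        # Phase 1: stage into the inactive slot and verify; the active slot is untouched.
        if sha256_hex(image) != expected_sha256:
            raise ValueError(f"{self.name}: digest mismatch")
        self.staged = image

    def commit(self):
        # Phase 2: switch slots and hand back the old image for a possible rollback.
        previous, self.active, self.staged = self.active, self.staged, None
        return previous

    def abort(self):
        self.staged = None

def apply_transaction(components, manifest, self_test=lambda comps: True):
    """Apply every image in manifest {name: (image, sha256)} or none of them."""
    targets = [components[name] for name in manifest]
    try:
        for c in targets:
            c.prepare(*manifest[c.name])
    except ValueError:
        for c in targets:     # one bad image aborts the whole set
            c.abort()
        return False
    previous = {c.name: c.commit() for c in targets}
    if not self_test(components):
        for c in targets:     # post-switch check failed: restore all old images
            c.active = previous[c.name]
        return False
    return True

if __name__ == "__main__":
    # Constructed sample images, not real firmware.
    ecu = {"fpga": Component("fpga", b"bitstream-v1"), "adas": Component("adas", b"adas-sw-v1")}
    corrupt = {"fpga": (b"bitstream-v2", sha256_hex(b"bitstream-v2")),
               "adas": (b"adas-sw-v2-damaged", sha256_hex(b"adas-sw-v2"))}
    print(apply_transaction(ecu, corrupt), ecu["fpga"].active, ecu["adas"].active)
```

The same prepare/commit split extends to the inter-ECU case by treating each ECU as a participant, at the cost of needing a persistent journal so an interrupted commit can be resumed or undone.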
Transparent
Application software allows for fine-grained live updates when leveraging frameworks such as OSGi.[6] Unfortunately, operating systems and hardware may not allow for fine-grained updates, much less live ones. In one example, the lack of dynamic, fine-grained updates in an ITS led to a driver stuck on the roadside because he thought he could update his car while in a traffic jam.[7] OTA transactions need update schemes to be perfectly orchestrated for a seamless deployment of interdependent components, and there is currently no solution that can fully orchestrate such a comprehensive OTA.
Trusted
Trust has always been a driving force for OTA solutions. To ensure trust, many signatures are used on software or data. Today, the multiplication of those signatures and layers of authority lacks industrial-scale processes to fully automate the chain of trust. This accumulation of hand-crafted integrations introduces weaknesses by construction. The security of hand-crafted integrations is analogous to a glass case wrapped in chains to protect a diamond: the glass is the weakest element.
Traceable
Cars are equipped with recorders for future forensics activities. While necessary, this is not sufficient as some intra-ECU activities need to be logged in a non-repudiable way. For instance, an insurance company may want to know when an Artificial Intelligence (AI) model has been received by the car and what happened in the ECU that controls the
[6] See dynamic updates in https://www.osgi.org/developer/benefits-of-using-osgi/
[7] https://www.theverge.com/2019/1/31/18205774/nio-ota-update-traffic-china-es8
March 2020