Prof. Krauß (centre) has long been researching IT security, for example that of cars, as with the team shown in the picture from the thematically related project "SEACOP".
From the World Wide Web to the Internet of Things, from communication to autonomous cars, intelligent power grids, and assistance systems for elderly people – the world today relies on being connected, but this comes at the price of greater vulnerability. So how can we protect these complex network infrastructures against cyber-attacks, manipulation, network outages or other critical incidents, and how do we make them more resilient? Resilience is touted as a future core feature of networks, as well as a future research field. It is also the subject of a research project led by Professor Christoph Krauß of h_da's Department of Computer Science and funded by the German Research Foundation.
Interview by Astrid Ludwig, 05/01/2023
impact: Professor Krauß, receiving a grant from the German Research Foundation (Deutsche Forschungsgemeinschaft – DFG) is generally still considered a rare honour for universities of applied sciences. Is this also the case for the DFG programme you’re involved in?
Professor Christoph Krauß: Yes, that's true. The DFG Priority Programme is titled “Resilience in Connected Worlds – Mastering Failures, Overload, Attacks, and the Unexpected (Resilient Worlds)”. The initial phase of the programme provides funding for twelve research projects and, of everyone involved in the programme, I am indeed the only professor working at a university of applied sciences, while all the other professors teach and research at regular universities. So yes, I am very delighted that our project has been selected.
impact: The name of your project RESURREC stands for "Resilient Safety-Critical Systems through Run-time Risk Assessment, Isolation and Recovery." What is resilience and what is your project about?
Krauß: System resilience addresses reliability, adaptability, fault tolerance and, of course, IT security. The underlying goal of enhancing the resilience of a given network infrastructure is to prevent failures or accidents. Our project deals with cyber security, which aims to protect systems against cyber-attacks that might affect the functional safety of critical systems. These attacks, which can be directed against autonomous vehicles, for example, can have serious consequences, including financial damage, or even danger to life and limb. RESURREC is co-led by myself and Professor Katzenbeisser from the University of Passau, with whom I have enjoyed a good working relationship since his time at TU Darmstadt. Our project will start in February 2023.
impact: As part of your research at h_da, you deal with the risks of hacker attacks on autonomous vehicles, investigating potential loopholes in security concepts and developing appropriate counter strategies. What is unique about this DFG-funded project?
Krauß: DFG funding focuses on basic research, and, in keeping with this, our project takes a broader and more general approach towards protecting safety-critical systems. Autonomous vehicles are one example of this. But our research is just as relevant to many other areas, such as railway control systems, energy grids, or industrial plants. When it comes to cyber security, the challenges are similar everywhere. We want to protect safety-critical systems, as their functionality is extremely important. Our solutions take into account different considerations, such as demands for real-time communication, resource constraints of devices, and the amount of computing power required for sophisticated cryptography. We aim to design our methods and mechanisms to be as application-agnostic as possible.
impact: To what extent are you breaking new ground with this?
Krauß: To date, traditional safety measures have comprised Fault Detection, Isolation and Recovery (FDIR). However, these protect systems against random errors only, rather than targeted attacks. This is where our project comes in. It aims to enhance safety by adding measures against targeted attacks on top of the existing FDIR elements, applying new methods of cyber security to ultimately improve system resilience. These methods are designed to be more effective at detecting attacks, to assess risk throughout a system's runtime, and limit damage by isolating specific system areas in the event of a cyber-attack. In this event, a system should be able to self-recover enough to maintain its functionality, albeit at reduced performance levels, and in order to prevent failure of the overall system, or other serious consequences.
impact: What is the main focus of your work on this aspect?
Krauß: One focus is to perform a risk assessment of the system under investigation. To date, this is usually only done once during the final development stage before a system is delivered. However, it makes good sense to analyse a system while it's running, for as long as it's running, in order to monitor potential increases in risk. A lot of change is happening here, including on the hacker's side – it's a bit like a game of cat and mouse. For example, potential new vulnerabilities can arise from software updates. To help detect these vulnerabilities and to shut the door on hackers before they're ready to attack, we need to find a way to monitor systems dynamically and continuously, and we must take the entire system lifecycle into account in doing this. For example, it is essential to delete all cryptographic keys when decommissioning a system. This part of the research is handled by our partners at the University of Passau. Once their risk assessment is complete, it is my job to use their results to find new approaches that will help isolate and restore safety-critical systems.
Prior to launching a remote attack, the researchers typically conduct a thorough physical on-site assessment of the target vehicle via PC. Professor Krauß and his team have on-site access to a range of modern vehicles that they scrutinize for any weak points.
impact: Can you provide an example?
Krauß: Let's say you have a vehicle infotainment system that's connected to a control signal for seat adjustment. If the signal gets hacked or if an error occurs, the driver's seat might jerk forward uncontrollably during travel, potentially causing an accident. One way to isolate this part of the car and mitigate any potential damage is to introduce a dynamic access restriction and to transfer the control privilege for the vehicle's seats from the faulty or hacked component to another control system. The same approach can be applied to power grids: In the event of an attack or error, you could maintain operability by redirecting control privileges and allocating the tasks of the affected component to another local network transformer.
impact: What are some of the key factors to consider here?
Krauß: Major damage is usually limited to cases where attackers manage to hack or hijack multiple areas within a given system. Cryptography is therefore of paramount importance, and access must be limited to authorised parties. To ensure that any control system trying to gain access is actually authorised to do so, authentication must be warranted even when a system is compromised. To achieve this, we're exploring new approaches to cryptographic processes, for example by applying a four-eyes approach to help prevent abuse. Another essential aspect we’re working on is to design mechanisms that will ensure the security of networks over the long term. Anyone looking to operate a system for more than a few years must keep in mind that the cryptography landscape may change significantly throughout the system's lifecycle. So how can we design systems to be interchangeable or prepare them for future challenges such as quantum computing? We need to make them crypto-agile and find solutions that support this.
impact: How significant do you think the risk of hacker attacks will be in the future?
Krauß: We’ve seen a rather spectacular attack on Jeep's Cherokee model, the so-called "Jeep hack", which was conducted by two security researchers after they had previously scrutinized the car for weak spots. Once they had gained remote access to the vehicle, they were able to manipulate its sound and air conditioning systems and even stop the engine. They had obviously had prior physical access to the vehicle, but: once you know a system's vulnerabilities, it’s possible to scale an attack. This means that the attack will not be limited to a single vehicle, but may extend to an entire car fleet or model series, potentially affecting millions of vehicles. There were similar attacks on Tesla last year, where a German hacker was able to retrieve the exact positions of Tesla vehicles via a data interface in the backend of the cars' software, raising privacy concerns. The incident caused quite a stir internationally – such attacks are wake-up calls and highlight the need for further action in this area, which is also the reason for our research efforts.
impact: What car model do you drive?
Krauß: A fairly sophisticated and connected electric car, but most of the time I just ride my bicycle [he laughs]. I think it's important to approach the issue from a differentiated perspective. While connectivity and driver assistance systems may enable attack points for hackers, they also help to increase road safety. Personally, I think the benefits of connected systems outweigh the risks of potential hacker attacks. Our research project aims to provide the very piece of the puzzle that is still missing: we want to equip resilient autonomous vehicle systems with mechanisms that will not only prevent hackers from gaining control over a car's brakes or steering system, but can also steer compromised vehicles to the side of the road and stop them there.
Contact Details
Nico Damm
Science Editor
Press department
Tel.: +49 6151 533 677 83
E-Mail: nico.damm@h-da.de
About the project
The Priority Programme “Resilience in Connected Worlds – Mastering Failures, Overload, Attacks, and the Unexpected (Resilient Worlds)” is funded by the German Research Foundation and scheduled to run for six years in two phases. 12 research projects and one coordination project were selected for the initial three-year funding period. The project is led by Professor Christoph Krauß of h_da in cooperation with the University of Passau and has been pledged a total grant of about 675,000 euros in funding, with h_da's share of the grant amounting to around 338,000 euros.
Preventing the perfect murder
How safe are modern connected cars from IT attacks? We address this question in our impact article "The auto hackers", which portrays the SEACOP research project led by Professor Krauß, who is shown in the lead photo above together with his team (Professor Krauß: centre).