Upstream’s Contextually Aware Security Architecture


[Transcript]


In this video, we’re going to talk about the architecture we use in the Upstream C4 Platform to create a contextually aware cybersecurity solution for the automotive space. Upstream typically feeds off multiple data feeds. The first and foremost is the vehicles themselves, together with the various application servers that surround them. Typically, every automotive maker and every telematics operator uses its own proprietary data protocol. In order to apply common security rules and policies to this data set, what we do at Upstream is normalize the data into one common universal dictionary that is relevant to the automotive space. The normalization module within the Upstream C4 Platform takes these proprietary data sets and converts them into our universal dictionary. So, for example, if we take a particular OEM’s start-car event, we map it to the generic universal start-car message within the Upstream system.


Normalization enables us to apply common policies that are relevant across multiple customers. Before entering the Upstream system, data is either anonymized in advance by our customers, or we can add an anonymization function that strips any PII contained in it. If we receive data that has already been anonymized, we also verify its integrity and make sure that no PII has been left behind; if any has, we are able to flag it in advance. Now that the data is anonymized and normalized, it is fed into the various security engines within the C4 platform.
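As an added illustration of the two ingestion steps just described (normalization into a universal dictionary, and anonymization or verification of customer-anonymized data), here is a Python sketch that is not Upstream’s code and not its actual schema: the universal event names, the per-OEM event codes, the field names and the salt are all constructed for the example.

```python
import hashlib
import re

# Constructed example, not Upstream's actual schema: a universal dictionary of generic
# event names and hypothetical per-OEM mappings of proprietary event codes onto it.
UNIVERSAL_EVENTS = {"START_CAR", "STOP_CAR", "DOOR_UNLOCK", "LOCATION"}
OEM_MAPPINGS = {
    "oem_a": {"ENG_ST": "START_CAR", "ENG_SP": "STOP_CAR", "DR_UNLK": "DOOR_UNLOCK", "GPS": "LOCATION"},
    "oem_b": {"ignition_on": "START_CAR", "ignition_off": "STOP_CAR", "unlock": "DOOR_UNLOCK", "pos": "LOCATION"},
}
# Fields that carry PII, plus patterns that catch PII left behind inside other fields.
PII_FIELDS = {"vin", "driver_name", "phone", "email"}
PII_PATTERNS = [re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b"), re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")]  # VIN, e-mail
SALT = b"constructed-salt"  # a real deployment keeps a secret, per-customer salt

def pseudonymize(vin: str) -> str:
    """Stable keyed hash so a vehicle stays correlatable across messages without exposing the VIN."""
    return hashlib.sha256(SALT + vin.encode()).hexdigest()[:16]

def anonymize(msg: dict) -> dict:
    """Strip PII fields from a raw message, replacing the VIN with a pseudonymous vehicle id."""
    out = {k: v for k, v in msg.items() if k not in PII_FIELDS}
    if "vin" in msg:
        out["vehicle_id"] = pseudonymize(msg["vin"])
    return out

def pii_findings(msg: dict) -> list:
    """Verify a message the customer delivered as anonymized: list the fields that still hold PII."""
    findings = [k for k in msg if k in PII_FIELDS]
    for k, v in msg.items():
        if k not in findings and isinstance(v, str) and any(p.search(v) for p in PII_PATTERNS):
            findings.append(k)
    return findings

def normalize(oem: str, msg: dict) -> dict:
    """Map a proprietary event code onto the universal dictionary; unmapped events are rejected."""
    event = OEM_MAPPINGS.get(oem, {}).get(msg.get("event"))
    if event not in UNIVERSAL_EVENTS:
        raise ValueError(f"{oem}: no universal mapping for event {msg.get('event')!r}")
    meta = ("event", "vehicle_id", "source", "ts")
    return {"event": event, "vehicle_id": msg["vehicle_id"], "source": msg.get("source", "telematics"),
            "ts": msg["ts"], "payload": {k: v for k, v in msg.items() if k not in meta}}

def ingest(oem: str, msg: dict, pre_anonymized: bool) -> dict:
    """Ingestion pipeline: anonymize (or verify the customer's anonymization), then normalize."""
    if pre_anonymized and pii_findings(msg):
        raise ValueError(f"PII left behind in fields: {pii_findings(msg)}")
    return normalize(oem, msg if pre_anonymized else anonymize(msg))
```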


The first step is to profile the entire connected vehicle service. We do that by looking at its various components and taking a modular approach to the service. We start with the applications that typically sit inside the automotive cloud: one of the key applications is obviously the telematics application, but there is also the mobile application, and down the road, as we see more autonomous services, there will be things like LIDAR, maps and other types of apps running in that automotive cloud.


The next profiling we do is on the vehicles: we look at individual makes and models of vehicles, and we group them so that we can apply rules to specific groups of cars. Finally, we profile the individual drivers, either at the fleet level or at the level of a specific driver. The profiled data is then fed into our security engines, which perform both real-time and non-real-time actions to detect security violations. We typically start with the real-time, stateless protocol security engine, which analyzes the data at the message level: it looks into individual messages and the payload of every message that flows between the automotive cloud and the vehicles themselves. The data is then sent to the stateful security engines, which look at the data from a streaming analytics perspective.


The security engines start by looking at transactions, which are typically sequences of messages either from one source, say the mobile app, or from multiple sources, say telematics and mobile. The contextual engine understands the specific context of a vehicle, starting with whether the vehicle is parked or driving, and which commands and messages are legal in each state.
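To make the message-level (stateless) check and the contextual check concrete, here is an added Python example that is not Upstream’s engine: a stateless validation of each normalized message, followed by a stateful engine that tracks whether each vehicle is parked or driving from vehicle-reported events and raises an incident for app-originated commands that are not legal in that state. The allowed-command table, the field names, the speed bound and the sample stream are all constructed for the example.

```python
from collections import namedtuple

# Constructed context policy, not Upstream's actual rules: which universal commands the
# mobile app or automotive cloud may send to a vehicle in each driving state.
ALLOWED_COMMANDS = {"PARKED": {"DOOR_UNLOCK", "START_CAR", "LOCATION"}, "DRIVING": {"LOCATION"}}
COMMAND_SOURCES = {"mobile", "telematics"}  # app-originated messages are commands, not vehicle events
MAX_SPEED_KPH = 300                          # plausibility bound used by the stateless check
Incident = namedtuple("Incident", "vehicle_id ts rule detail")  # rule: "protocol" (stateless) or "context"

def stateless_check(msg: dict):
    """Message-level validation that needs no history: required fields and a plausible payload."""
    for key in ("event", "vehicle_id", "source", "ts"):
        if key not in msg:
            return f"missing field {key}"
    speed = msg.get("payload", {}).get("speed_kph")
    if speed is not None and not 0 <= speed <= MAX_SPEED_KPH:
        return f"implausible speed {speed}"
    return None

class ContextualEngine:
    def __init__(self):
        self.state, self.incidents = {}, []  # vehicle_id -> "PARKED" | "DRIVING"; incidents raised
    def process(self, msg: dict) -> None:
        """Stateless check, then contextual check against the vehicle's state, then state update."""
        err = stateless_check(msg)
        if err:
            self.incidents.append(Incident(msg.get("vehicle_id", "?"), msg.get("ts", 0), "protocol", err))
            return
        vid, event, speed = msg["vehicle_id"], msg["event"], msg.get("payload", {}).get("speed_kph")
        state = self.state.get(vid, "PARKED")  # assumption: a vehicle with no history is treated as parked
        if msg["source"] in COMMAND_SOURCES:
            if event not in ALLOWED_COMMANDS[state]:
                self.incidents.append(Incident(vid, msg["ts"], "context", f"{event} from {msg['source']} while {state}"))
            return  # commands never change state here; the vehicle reports the resulting event itself
        # Vehicle-reported events drive the parked/driving state machine.
        if event == "START_CAR" or (event == "LOCATION" and (speed or 0) > 0):
            self.state[vid] = "DRIVING"
        elif event == "STOP_CAR":
            self.state[vid] = "PARKED"

def run_stream(messages) -> list:
    engine = ContextualEngine()
    for msg in messages:
        engine.process(msg)
    return engine.incidents

# Constructed sample stream for one vehicle: (event, source, ts, speed_kph).
SAMPLE_STREAM = [dict(event=e, vehicle_id="v1", source=s, ts=t, payload={} if v is None else {"speed_kph": v})
                 for e, s, t, v in [("START_CAR", "vehicle", 1, None), ("LOCATION", "vehicle", 2, 57),
                                    ("DOOR_UNLOCK", "mobile", 3, None), ("STOP_CAR", "vehicle", 4, 0),
                                    ("DOOR_UNLOCK", "mobile", 5, None), ("LOCATION", "vehicle", 6, 999)]]
```

Running `run_stream(SAMPLE_STREAM)` yields two incidents: a context violation for the unlock command at ts 3 while driving, and a protocol violation for the implausible speed at ts 6; the unlock at ts 5, issued while parked, passes.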


The last engine is our behavioral engine, which looks at the various profiles we created before and understands the overall behaviour of that connected vehicle service from an application, vehicle and driver perspective. All four of these security engines leverage machine learning in our cloud-native architecture. The last part of the security architecture is our policy layer, which combines both automated and user-defined policies for fine-grained control over the operation of the entire connected vehicle service. The Upstream C4 Platform is designed to detect both known and unknown cyber attacks.


Our policy layer is able to create automated policies on the fly, based on machine learning, that are automatically ingested into the system; some of them are pre-built into the system when it first becomes operational. These automated policies continue to evolve, and we are also able to ingest new policies from either third-party sources or from metadata learned from other customers. Customers can then create even more granular control by defining their own policies that leverage all of the elements we have seen so far, from the profiles all the way to the specific context of the vehicles.


The output of this framework is incidents. Incidents are then sent to the Security Operations Center, or SOC, inside the customer environment. The incidents are sent from the Upstream C4 Platform into solutions already in use at the SOC, such as workflow or SIEM products. The security analysts within the SOC are then able to implement a playbook based on the severity of the incident, often going back to the Upstream UI to perform triage and root cause analysis on the specific incident.


The combination of multiple cybersecurity engines, working in both real time and non-real time, with the ability to have automated and user-defined policies, provides OEMs and connected vehicle fleets with an end-to-end solution for cybersecurity.