Upstream’s Contextually Aware Security Architecture


VP of Products


In this video, we’re going to talk about the architecture that we use in the Upstream C4 Platform to create a contextually aware cybersecurity solution for the automotive space. Upstream typically feeds off of multiple data feeds. The first and foremost is the actual vehicles themselves with various application servers that surround them. Typically, every automotive maker and every telematics operator uses their own proprietary data protocol. In order to apply common security rules and policies on this data set, what we do at Upstream is we have to normalize the data into one common universal dictionary that’s relevant for the automotive space. The normalization module within the Upstream C4 Platform takes these proprietary data sets and converts them into our universal dictionary. So, for example, if we take a certain OEM start car event, we match that into a generic universal start car message within the Upstream system.

Normalization then enables us to apply common policies that are relevant across multiple customers. Before entering the Upstream system, data is either anonymized in advance by our customers or we can add an anonymization function to the data for stripping any PII information that’s contained within it. If we already receive anonymized data, we’re also verifying the integrity of the data and making sure that there is no PII left behind, and if there is, we’re able to flag that in advance. Now that the data is anonymized and normalized, it’s inputted into the various security engines within the C4 platform.

The first step that we do is we profile the entire connected vehicle service. And the way that we do that is we look at the various components and create a modular approach for that service. We start by looking at the applications that typically sit inside the automotive cloud. One of the key applications is obviously the telematics application, but then there is also the mobile application, and down the road, as we see more autonomous services, we’ll have things like LIDAR and maps and other types of apps that run in that automotive cloud.

The next profiling that we do is on the vehicles, and we look at individual makes and models of vehicles and we’re able to group them so that we can then apply rules on specific groups of cars. And finally, we are able to profile the individual drivers either at the fleet level or a specific driver level. The profiled data is then fed into our security engines that actually perform both real-time and non-real-time actions for detection of security violations. So, we typically start with the real-time stateless protocol security engine, which actually analyzes the data at the message level. So, at that level, we actually look into individual messages and the payload of every given message that flows between the automotive cloud and the vehicles themselves. Data is then sent to the stateful security engines that look at data from a streaming analytics perspective.

The security engines start by looking at transactions, which are typically sequences of messages either from one source, say the mobile, or multiple sources, telematics and mobile. The contextual engine understands the specific context of a vehicle, starting with: is the vehicle parked or is it driving? And what are the commands and messages that are legal in either state?

The last engine is our behavioral engine, which actually takes a look at the various profiles that we created before and understands the overall behaviour of that connected vehicle service from an application, vehicle and driver perspective. All four of these security engines leverage machine learning in our cloud-native architecture. The last part of the security architecture is our policy layer, which combines both automated as well as user-defined policies for fine granular control of the operation of the entire connected vehicle service. The Upstream C4 Platform is designed for detection of both known and unknown cyber attacks.

Our policy layer is able to create on-the-fly automated policies based on machine learning that are automatically ingested into the system, and some of them are actually pre-built with the system when it’s first operational. These automated policies continue to evolve, and we’re also able to ingest new policies from either third-party sources or from metadata learned from other customers. The customers are then able to create even more granular control by creating user-defined policies that leverage all of these elements that we’ve seen before, starting with the profiles all the way to the specific context of the vehicles.

The output of this framework is incidents. Incidents are then sent to the Security Operations Center, or SOC, inside the customer environment. The incidents are sent from the Upstream C4 Platform into solutions already being used at the SOC, such as workflow or SIEM products. The security analysts within the SOC are then able to implement a playbook based on the severity of the incidents, oftentimes going back to the Upstream UI to perform triage and root cause analysis on the specific incident.

The combination of multiple cybersecurity engines, working in both real-time and non-real-time, with the ability to have automated and user-defined policies, provides OEMs and connected vehicle fleets an end-to-end solution for cybersecurity.
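The following is an added illustration, not taken from the video or from Upstream's code, of the two steps the talk describes most concretely: normalizing proprietary OEM events into one universal dictionary, then checking each command against the vehicle's parked/driving context. Every event name, field name, and the legality policy are hypothetical, and the sample feed is constructed.

```python
from dataclasses import dataclass

# Hypothetical per-source mappings from proprietary event names to one universal dictionary.
UNIVERSAL = {
    "oem_a": {"ENG_ON": "START_CAR", "ENG_OFF": "STOP_CAR",
              "DR_UNLK": "UNLOCK_DOORS", "FW_PUSH": "OTA_UPDATE"},
    "oem_b": {"ignition.start": "START_CAR", "ignition.stop": "STOP_CAR",
              "doors.unlock": "UNLOCK_DOORS", "ota.begin": "OTA_UPDATE"},
}
# Hypothetical (vehicle id field, event field) names used by each source.
FIELDS = {"oem_a": ("vid", "evt"), "oem_b": ("vehicle", "type")}

# Assumed policy: which universal commands are legal in each vehicle context.
LEGAL = {"PARKED": {"START_CAR", "UNLOCK_DOORS", "OTA_UPDATE"},
         "DRIVING": {"STOP_CAR"}}
TRANSITIONS = {"START_CAR": "DRIVING", "STOP_CAR": "PARKED"}

@dataclass
class Event:
    vehicle: str
    name: str
    source: str

def normalize(source, raw):
    """Convert one proprietary message into a universal Event."""
    id_key, evt_key = FIELDS[source]
    name = UNIVERSAL[source].get(raw[evt_key])
    if name is None:  # unmapped events are surfaced, never silently dropped
        raise ValueError(f"unmapped {source} event: {raw[evt_key]!r}")
    return Event(raw[id_key], name, source)

def contextual_engine(events):
    """Track parked/driving per vehicle; report commands illegal in that context."""
    state, incidents = {}, []
    for ev in events:
        ctx = state.get(ev.vehicle, "PARKED")  # assumption: unseen vehicles are parked
        if ev.name not in LEGAL[ctx]:
            incidents.append((ev.vehicle, ev.name, ctx))
            continue  # an illegal command does not change the tracked context
        state[ev.vehicle] = TRANSITIONS.get(ev.name, ctx)
    return incidents

# Constructed sample feed interleaving two sources.
SAMPLE = [
    ("oem_a", {"vid": "veh-1", "evt": "ENG_ON"}),
    ("oem_b", {"vehicle": "veh-2", "type": "doors.unlock"}),
    ("oem_a", {"vid": "veh-1", "evt": "DR_UNLK"}),          # unlock while driving
    ("oem_b", {"vehicle": "veh-2", "type": "ignition.start"}),
    ("oem_b", {"vehicle": "veh-2", "type": "ota.begin"}),   # OTA while driving
    ("oem_a", {"vid": "veh-1", "evt": "ENG_OFF"}),
]

def run_sample():
    return contextual_engine(normalize(src, raw) for src, raw in SAMPLE)
```

Because the context check runs on universal event names, the same policy table covers both sources without per-OEM rules.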
