The Internet of Things on AWS – Official Blog
Securing the future of mobility: UNECE WP.29 and AWS IoT for connected vehicle cybersecurity
Introduction
As the automotive industry races towards a future of connected and autonomous vehicles, cybersecurity has emerged as a critical concern. With vehicles becoming increasingly reliant on software, sensors, and connectivity, they also become potential targets for cyberattacks. Recognizing this challenge, the United Nations Economic Commission for Europe (UNECE) has introduced the World Forum for Harmonization of Vehicle Regulations (WP.29), which includes groundbreaking regulations on cybersecurity and software updates for connected vehicles.
UNECE WP.29 Overview
The United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations (WP.29) is a global forum that aims to harmonize vehicle regulations among countries. It has developed a set of cybersecurity regulations and guidelines for the automotive industry, known as UNECE WP.29.
These regulations cover various aspects of cybersecurity for connected vehicles, such as:
- Risk management
- Secure software updates
- Secure communication
- Incident response
- Testing and assessment
These regulations, specifically UN Regulation No. 155 on Cybersecurity and UN Regulation No. 156 on Software Updates, are set to reshape the automotive landscape. They mandate that manufacturers implement comprehensive Cybersecurity Management Systems (CSMS) and Software Update Management Systems (SUMS) throughout the vehicle lifecycle. This shift necessitates a robust, scalable, and secure IoT infrastructure – a need that Amazon Web Services (AWS) IoT is well-positioned to address.
Why it’s important: As mandated by the UNECE Regulation No. 155 on Automotive Cybersecurity, effective from July 2024, all vehicles produced by OEMs across the 54 countries, including EU members, the UK, Japan, and South Korea, must adhere to the stringent cybersecurity requirements outlined by the WP.29 World Forum for Harmonization of Vehicle Regulations. This regulation aims to ensure the cybersecurity of connected vehicles and protect against potential cyber threats, which could have severe consequences such as operational disruptions, data breaches, and safety risks.
AWS IoT Overview
AWS IoT provides a suite of services that help automotive companies meet and exceed the requirements of UNECE WP.29. These capabilities align with WP.29’s focus on secure communication channels and the principle of “security by design.”
- Device Connectivity and Messaging: AWS IoT Core supports protocols like MQTT and X.509 certificates for secure device authentication.
- Device Management: AWS IoT Device Management offers onboarding, organization, monitoring, remote management, and OTA updates, crucial for maintaining software security per UN Regulation No. 156.
- Security Monitoring: AWS IoT Device Defender monitors vehicles for unusual behavior, triggering alerts for deviations, supporting the risk assessment and incident response mandated by UN Regulation No. 155.
- Data Processing and Analytics: Amazon Kinesis Data Analytics stream aids in understanding vehicle behavior and user patterns to identify security threats and vulnerabilities across the fleet.
Architecture Overview
The architecture uses AWS IoT Core for connectivity and authentication of connected vehicles. AWS IoT Jobs, part of AWS IoT Device Management, manages software update deployments and remote operations, including scheduling, retrying, and status reporting. AWS IoT Device Defender audits and monitors vehicle anomalies, while AWS IoT Rules directs data to Amazon Kinesis Data Streams for real-time analytics.
Figure 1.0 Connected vehicle conforming to WP.29 with AWS Services
Prerequisites
- Follow Get Started with AWS IoT workshop and setup AWS Development environment, or you can use your own EC2 development environment setup and run through the walkthrough.
- An Amazon Simple Storage Service (Amazon S3) artifacts bucket with versioning enabled to store our test application.
- Connected vehicle to AWS IoT Core as a thing. For this post, we will use a virtual simulated connected vehicle by installing the AWS IoT Device Client software on an Amazon Elastic Compute Cloud (Amazon EC2) instance. The getting started with AWS IoT workshop, provides detailed guidance on setting up a virtual simulated IoT device.
Walkthrough
In this walkthrough, we’ll setup a simulated connected vehicle, perform OTA, proactively monitor the behaviour of the vehicle, and apply analytics to vehicle data. We will use AWS IoT and other AWS services to demonstrate the capability to meet WP.29 requirements.
By following earlier prerequisites, you should have an AWS Cloud9 environment, which we will use to setup our simulated connected vehicle and connect to AWS IoT.
Create AWS IoT Connected Vehicle (AWS Console)
Step 1: Create a simulated connected vehicle (AWS IoT Thing)
- Open AWS IoT Core console.
- In the navigation pane, under Manage, choose All devices
- Select Things
- Select Create things, choose Create single thing
- Select thing name: SimulatedConnectedVehicle
- Select Create things, choose Create single thing
Figure 1.1: Create AWS IoT Thing
For device certificate we will use recommended option (see Figure 1.2).
Figure 1.2: Device certificate selection
Step 2: Create and attach policy to AWS IoT Thing
- In Attach Policy section, choose Create policy
- Give policy name wp29TestPolicy, choose JSON
- Replacing JSON content from below
- Make sure to update your region, your-account-id
- Select Create and complete policy creation
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Connect",
"iot:Subscribe",
"iot:Receive",
"iot:Publish"
],
"Resource": [
"arn:aws:iot:eu-west-1:your-account-id:client/SimulatedConnectedVehicle",
"arn:aws:iot:eu-west-1:your-account-id:thing/SimulatedConnectedVehicle",
"arn:aws:iot:eu-west-1:your-account-id:topic/*",
"arn:aws:iot:eu-west-1:your-account-id:topicfilter/*"
]
},
{
"Effect": "Allow",
"Action": [
"iot:DescribeJob",
"iot:CreateJob",
"iot:UpdateJob",
"iot:DeleteJob",
"iot:CancelJob",
"iot:StartNextPendingJobExecution",
"iot:DescribeJobExecution",
"iot:UpdateJobExecution",
"iot:DeleteJobExecution"
],
"Resource": [
"arn:aws:iot:eu-west-1:your-account-id:job/*",
"arn:aws:iot:eu-west-1:your-account-id:thing/SimulatedConnectedVehicle",
"arn:aws:iot:eu-west-1:your-account-id:jobexecution/*"
]
}
]
}
Step 3: Attach policy to our connected vehicle thing
Once we have completed creation of policy in the previous step, we can now attach this policy to our thing and select Create thing. (see Figure 1.3)
Figure 1.3: Attach policy to the thing
Step 4: Download device certificates and keys
From Download prompt download (see figure 1.4).
- Device certificate
- Public key file
- Private key file
- Amazon Root CA
Figure 1.4: Download certificates and keys
Keep these credentials safe as we will use these to connect our SimulatedConnectedVehicle to AWS IoT and upload to your AWS Development environment (created above).
Step 5: Install AWS IoT device client
Follow the AWS IoT device client workshop section and install device client by following the steps detailed here. Make sure to use the credentials created in earlier step of the blog and when asked for Specify thing name (Also used as Client ID): use the thing name we created earlier SimulatedConnectedVehicle.
Over-the-air (OTA) update remote operation
In the modern world of interconnected devices, keeping firmware up-to-date is critical for security, performance, and functionality. Over-the-air (OTA) updates provide a seamless way to update devices remotely, ensuring that they always run the latest software without requiring physical access.
Let’s look at how to use AWS IoT Device Management Jobs to perform OTA updates that can update connected vehicle firmware.
Let’s follow through the steps outlined in this workshop and see how easy and efficient it is to carry out remote operations to AWS IoT Core connected devices since Jobs provides AWS managed templates for typical remote actions.
You can also create your own custom Jobs procedure and walkthrough by following steps outlined here.
Proactive security monitoring: ensuring safety and compliance in connected vehicles.
Using AWS IoT Device Defender allows us to establish continuous security monitoring, thereby enhancing overall security. This service can detect anomalies, such as an increase in messages sent and received (indicating a “chatty” device), frequent connection attempts by vehicles, or rapid and frequent disconnects. These anomalies prompt triggers, enabling proactive responses to potential security threats. This approach not only supports ongoing risk assessments but also aligns with the rigorous standards outlined in UN Regulation No. 155.
Follow through steps outlined in this workshop, to see how we can use AWS IoT Device Defender to achieve proactive security monitoring and auditing.
Streaming data analytics: Using Amazon Kinesis Data Analytics (with Apache Flink)
Data analytics with Amazon Kinesis Data Analytics stream is crucial for understanding vehicle behaviours and user patterns. By analyzing this data, we can identify emerging trends and patterns across the vehicle fleet, enabling more informed decision-making and improved overall performance.
Let’s setup AWS IoT Rules to fan out data into Amazon Kinesis Data Analytics.
Step 1: Modify AWS IoT device client configuration
We will modify the AWS IoT device client configuration to include publish-on-change. This feature will trigger a publish action every time we write data to the designated publish file (/home/ubuntu/workshop_dc/pubfile.txt).
AWS IoT device client will pick this change and send it across to AWS IoT Core as a topic “/topic/workshop/dc/pub”.
Run the following command to edit the configuration file:
sudo vim /etc/.aws-iot-device-client/aws-iot-device-client.conf
then add following:
“publish-on-change”: true
Configuration of your samples section should look like the following with “Publish-on-change” added:
Figure 1.5: AWS IoT device client configuration change
Step 2: Restart AWS IoT Device Client
Once you have modified the configuration by adding publish on change in the earlier step, we will restart AWS IoT Device Client.
Run the following command to restart:
sudo systemctl restart aws-iot-device-client
Step 3: Vehicle data simulation
Let’s setup the connected vehicle simulation data generator and stream to AWS IoT Core. We will create the file (vehicle_data_generator.py) and run this to constantly stream random data which will contain vehicle status, DTCs (Diagnostic Trouble Codes), location, driver behaviour, and battery status.
Run the following command to setup the file and download the code:
cd /home/ubuntu/workshop_dc
vim vehicle_data_generator.py
Enter the following code in the file (vehicle_data_generator.py):
import json
import time
import random
import logging
from datetime import datetime, timezone
from pathlib import Path
# Set up logging
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
logger = logging.getLogger(__name__)
# File path
FILE_PATH = Path("/home/ubuntu/workshop_dc/pubfile.txt")
def generate_vehicle_status():
return {
"vehicleId": "VIN123456789",
"timestamp": datetime.now(timezone.utc).isoformat(),
"status": {
"ignition": random.choice(["ON", "OFF"]),
"speed": round(random.uniform(0, 120), 1),
"fuelLevel": round(random.uniform(0, 100), 1),
"batteryLevel": round(random.uniform(0, 100), 1),
"odometer": round(random.uniform(0, 100000), 1),
"engineTemp": round(random.uniform(70, 110), 1),
"tirePressure": {
"frontLeft": round(random.uniform(30, 35), 1),
"frontRight": round(random.uniform(30, 35), 1),
"rearLeft": round(random.uniform(30, 35), 1),
"rearRight": round(random.uniform(30, 35), 1)
}
}
}
def generate_dtcs():
return {
"vehicleId": "VIN987654321",
"timestamp": datetime.now(timezone.utc).isoformat(),
"dtcs": [
{
"code": "P0" + str(random.randint(100, 999)),
"description": "Random DTC Description",
"severity": random.choice(["WARNING", "CRITICAL", "INFO"])
}
]
}
def generate_location():
return {
"vehicleId": "VIN246813579",
"timestamp": datetime.now(timezone.utc).isoformat(),
"location": {
"latitude": round(random.uniform(30, 45), 4),
"longitude": round(random.uniform(-125, -70), 4),
"altitude": round(random.uniform(0, 1000), 1),
"heading": round(random.uniform(0, 359), 1),
"speed": round(random.uniform(0, 120), 1)
}
}
def generate_driver_behavior():
return {
"vehicleId": "VIN135792468",
"timestamp": datetime.now(timezone.utc).isoformat(),
"driverBehavior": {
"harshAccelerations": random.randint(0, 5),
"harshBraking": random.randint(0, 5),
"speedingEvents": random.randint(0, 10),
"averageSpeed": round(random.uniform(40, 80), 1),
"idlingTime": random.randint(0, 600),
"fuelEfficiency": round(random.uniform(20, 40), 1)
}
}
def generate_battery_status():
return {
"vehicleId": "VIN753951456",
"timestamp": datetime.now(timezone.utc).isoformat(),
"batteryStatus": {
"stateOfCharge": round(random.uniform(0, 100), 1),
"range": round(random.uniform(0, 300), 1),
"chargingStatus": random.choice(["CHARGING", "NOT_CHARGING"]),
"voltage": round(random.uniform(350, 400), 1),
"current": round(random.uniform(-200, 200), 1),
"temperature": round(random.uniform(20, 40), 1),
"healthStatus": random.choice(["GOOD", "FAIR", "POOR"])
}
}
def write_to_file(data):
try:
# Ensure the directory exists
FILE_PATH.parent.mkdir(parents=True, exist_ok=True)
# Write the data to the file
with FILE_PATH.open('w') as f:
json.dump(data, f)
logger.info(f"Successfully wrote data to {FILE_PATH}")
except PermissionError:
logger.error(f"Permission denied when trying to write to {FILE_PATH}")
except IOError as e:
logger.error(f"I/O error occurred when writing to {FILE_PATH}: {e}")
except Exception as e:
logger.error(f"Unexpected error occurred when writing to {FILE_PATH}: {e}")
def main():
generators = [
generate_vehicle_status,
generate_dtcs,
generate_location,
generate_driver_behavior,
generate_battery_status
]
while True:
try:
data = random.choice(generators)()
write_to_file(data)
time.sleep(10)
except KeyboardInterrupt:
logger.info("Script terminated by user")
break
except Exception as e:
logger.error(f"An unexpected error occurred: {e}")
time.sleep(10) # Wait before retrying
if __name__ == "__main__":
try:
main()
except Exception as e:
logger.critical(f"Critical error occurred: {e}")
Once you have copied over the code (or file) then run the code using the following command:
python3 vehicle_data_generator.py
Upon a successful run you will see:
INFO – Successfully wrote data to /home/ubuntu/workshop_dc/pubfile.txt
In AWS IoT Core console, navigate to:
- Test
- MQTT test client
- Subscribe to topic: /topic/workshop/dc/pub
- MQTT test client
You should see the stream of data arriving; this is same data we will use for analytics.
Figure 1.6: MQTT topic showing data arriving into AWS IoT Core
Step 4: Create AWS IoT Rule
Once we know we have data arriving into AWS IoT Core, we can setup AWS IoT Rules to route data into our AWS analytics service for BI purposes.
- Navigate to AWS IoT Core console
- In the navigation pane, under Manage, choose Message routing
- Select Rules
- Select Create rule
- Select Rules
Give appropriate Rule name and Rule description and Select Next (See figure 1.7).
Figure 1.7: Create AWS IoT Rule
In the Configure SQL statement section, enter the following SQL statement as below and Select Next:
SELECT * FROM '/topic/workshop/dc/pub'
In Attach rule actions section, Select Kinesis stream and create the following:
Action 1
- Select and create Stream with name: simulatedVehicleData
- Partition key: ${newuuid()}
- Select and create IAM role: simulatedVehicleRole
Error action
- Select Republish to AWS IoT topic: /topic/workshop/dc/streamError
- For IAM role, Select simulatedVehicleRole
Once complete proceed and Select Create.
Figure 1.8: AWS IoT Rules actions
Step 5: Review streaming data in Amazon Kinesis Data Streams with AWS managed Apache Flink and Apache Zeppelin
At this stage we will have data streaming into our Amazon Kinesis Data Streams (simulatedVehicleData). Navigate to Amazon Kinesis Data Streams in the console and select our stream (see Figure 1.9)
Figure 1.9: Simulated vehicle data stream
Select Data analytics tab, select I agree, and select create (see figure 2.0)
Figure 2.0: Create Apache Flink Studio notebook
Once the studio notebook is created, we should be able to select and view our streaming data (see Figure 2.1).
Figure 2.1: Streamed data view
Now we should be able to create a visualization for our streaming data.
Cleaning up
To avoid unwanted charges, delete the main CloudFormation template (not the nested stacks), Amazon EC2 instance (if you created for development), Amazon S3 bucket (if you created new one for this blog), IoT thing and associated policy, Kinesis Data Stream (including AWS managed Apache Flink and Apache Zeppelin).
Conclusion
The UNECE WP.29 regulations represent a significant step towards ensuring the cybersecurity of connected vehicles. They challenge the automotive industry to embed security into every aspect of vehicle design, production, and operation. AWS IoT services offer a comprehensive, scalable, and secure foundation to meet these challenges.
The future of connected and autonomous mobility demands a seamless integration of stringent regulations, such as UNECE WP.29, with innovative technologies. AWS IoT offers services to achieve this collaboration effectively. This integration goes beyond mere compliance; it’s about building consumer trust and ensuring safety in an increasingly interconnected world. By proactively addressing cybersecurity concerns, we’re not only safeguarding individual vehicles but also securing the very foundation of future mobility.
Related links
- Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system
- AWS IoT Zero Trust workshop
About the Authors
Syed Rehan Syed Rehan is a Senior Cybersecurity Product Manager at Amazon Web Services (AWS), operating within the AWS IoT Security organization. As a published book author on AWS IoT, Machine Learning, and Cybersecurity, he brings extensive expertise to his global role. Syed serves a diverse customer base, collaborating with security specialists, CISOs, developers, and security decision-makers to promote the adoption of AWS Security services and solutions.With in-depth knowledge of cybersecurity, machine learning, artificial intelligence, IoT, and cloud technologies, Syed assists customers ranging from startups to large enterprises. He enables them to construct secure IoT, ML, and AI-based solutions within the AWS environment. |