US 9173100

US Patent 9173100: On Board Vehicle Network Security

Title: On board vehicle network security

Current Assignee: AutoConnect Holdings LLC

Inventors: Christopher P. Ricci

Filing Date: March 14, 2013

Issue Date: October 27, 2015

Abstract:
A vehicle is disclosed that includes a microprocessor executable network controller. The network controller is operable to at least one of (a) isolate one or more other on board computational components in a vehicular wireless network not affected by a security breach event from a computational component affected by the security breach event and (b) isolate an on board computational component in the vehicular wireless network and affected by the security breach event from the one or more other on board computational components not affected by the security breach event. A corresponding method and non-transient, tangible computer readable medium are also disclosed.

Plain-Language Overview of Independent Claims:

Independent Claim 1 (System Claim):
This claim describes a vehicle that includes a network controller which is essentially a computer program running on a microprocessor. This network controller has the ability to do one or both of the following when a security breach occurs:

1. Separate healthy computational parts of the vehicle's wireless network from a part that has been compromised by a security breach.
2. Separate a compromised computational part from the healthy computational parts of the vehicle's wireless network.
   The security breach could be anything from a virus or malware to unauthorized access, a denial-of-service attack, or identity theft, among other possibilities. The network controller can receive alerts about such breaches from various sources within the vehicle's network, like a firewall or a network node. The healthy or compromised computational components could include various vehicle systems such as sensors, processing modules, or critical and non-critical devices. The network controller can analyze the security breach by looking at past behavior or comparing it to known attack patterns. The isolation can be achieved by denying wireless network access to external devices or by enabling specific security measures like encryption, hiding the network's name (SSID), filtering devices by their unique MAC addresses, or using specific security protocols (e.g., WPA2).

Independent Claim 9 (Method Claim):
This claim describes a method for securing a vehicle's network during a security breach. The method involves a network controller (a microprocessor executing instructions) performing one or both of the following actions:

1. Isolating one or more computational components within the vehicle's wireless network that are not affected by a security breach from a computational component that is affected.
2. Isolating a computational component within the vehicle's wireless network that is affected by a security breach from one or more computational components that are not affected.
   Similar to the system claim, the security breach can be various types of cyberattacks. The network controller can receive warning signals from different network security tools. The unaffected or affected components can be any of the vehicle's sensors, modules, or devices. The isolation process can involve analyzing the breach by comparing historical data to known attack patterns and can be implemented by denying wireless access to external devices or by activating specific critical communication security mechanisms, such as various encryption and access control protocols.

Independent Claim 17 (Computer-Readable Medium Claim):
This claim covers a non-transient, tangible computer-readable medium (like a memory chip or hard drive) that contains instructions for a microprocessor executable network controller onboard a vehicle. When these instructions are carried out, the network controller performs the same isolation actions described in the system and method claims:

1. Isolating one or more unaffected computational components in the vehicular wireless network from an affected computational component.
2. Isolating an affected computational component from one or more unaffected computational components in the vehicular wireless network.
   The types of security breaches and the computational components involved are consistent with the other claims. The network controller's ability to receive warning signals, analyze the breach, and effectuate isolation using security mechanisms (e.g., denying external access, encryption, MAC filtering) are also encompassed by the instructions stored on this computer-readable medium.