ECU domains
An ECU domain is a grouping of ECUs that collaborate to achieve a common vehicle-level function, such as propulsion control or active braking. Such a grouping improves the efficiency of communication by limiting communication messages to the ECUs that are most co-dependent, thus reducing network congestion caused by non-domain-related messages. As the vehicle architecture evolves, ECU domains may be arranged in different configurations (as we will see in the last section of this chapter). For now, our focus is on understanding the various ECUs that are typically found in a standard vehicle architecture.
Note
The following list is meant to be representative of the ECUs found in vehicles rather than comprehensive, with the aim of highlighting the security relevance of each. Some ECU names can change, as OEMs differ in the way they partition vehicle functions across different control units.
Fuel-based powertrain domain
The fuel-based powertrain domain is responsible for producing power in an internal combustion engine (ICE) and transmitting it to the wheels. An attacker who can gain access to any ECU in the powertrain domain may be able to affect the vehicle’s longitudinal motion, which has an obvious safety impact. However, the more common attack target of this domain is engine tuning to illegally increase performance, which has the side effect of increasing vehicle emissions.
Engine control module (ECM)
A vehicle engine’s performance is precisely regulated by the ECM, which pulls data from sensors layered throughout the engine. Among the control functions of the ECM are the engine starting procedure, spark plug ignition, fuel injection, and the cooling process.
Transmission control module (TCM)
The TCM uses different gear ratios to convert a fixed engine speed and torque into a variable driving speed and torque in automatic transmission vehicles. The TCM determines when to shift gears to optimize the vehicle’s performance, balancing factors such as fuel efficiency, power, and engine protection. This is based on a variety of input data, such as engine speed (RPM), vehicle speed, throttle position, and load on the vehicle.
Electric drive powertrain domain
This domain is responsible for charging the battery and for managing and distributing electric power to the motors, as well as to the other electronics that require varying power levels. Like the fuel-based powertrain domain, protecting this domain against security breaches is essential to prevent several hazards, such as erratic vehicle motion control and unsafe battery management. The latter is a unique problem for electric vehicles with the potential to cause catastrophic thermal events if the batteries are not operated safely.
Battery management system (BMS)
The BMS’s primary function is to manage the state of charge (SoC) and state of health (SoH) of the battery pack by controlling the charging and discharging of the battery cells. It also monitors the battery pack’s status for hazardous conditions such as overheating or high current events to ensure fail-safe action is taken before it leads to a catastrophic failure.
Onboard charger
The onboard charger’s primary role is to convert the AC power provided by the electric vehicle supply equipment (EVSE) into DC power, which can then be used to charge the vehicle’s battery pack. This involves controlling the rate of charging to ensure the battery is charged safely and efficiently.
Additionally, it provides communication between the EVSE and the vehicle’s charging system. This is done using a power-line communication protocol, which allows data to be sent over the electrical power lines. This can be used to negotiate the charging rate based on factors such as the vehicle’s current state of charge, the capacity of the EVSE, and the temperature of the battery [8].
DC-AC converter
In electric vehicles, the high-voltage DC-AC converter, also known as the inverter, converts DC output from the battery pack to AC power for the electric motor(s).
Powertrain electronic control unit (PECU)
This ECU manages the speed and acceleration of the electric motors by controlling the supplied voltage frequency and magnitude.
Chassis safety control domain
The chassis safety control domain encompasses a variety of ECUs and in-vehicle sensors with a clear focus on active and passive safety management. Since the ECUs in this domain are responsible for vehicle safety, it can be argued that this domain is at the top of the list for security professionals regarding what needs to be protected against cyberattacks.
Electronic braking control module (EBCM)
The EBCM is a specialized module that supplies brake pressure to the wheels to achieve several active safety functions, such as ABS, ESC, and automatic emergency braking.
Airbag control module
As a passive safety system, airbags protect occupants from bodily harm in the case of a collision by inflating through controlled explosions of the squibs embedded in them.
Electronic power steering (EPS)
The EPS is responsible for providing electronic steering assistance to the driver through the actuation of steering motors. The EPS can provide several enhanced driver assistance features, such as lane departure warnings and lane correction.
Advanced driver assistance (ADAS) control module
While several ADAS functions can be integrated within the EBCM and EPS, a dedicated ECU is common in more modern vehicles to achieve higher levels of autonomy.
This module can command the ECM, EBCM, and EPS to control engine torque and apply braking and steering based on the situation at hand. It integrates inputs from multiple sensors, which makes it possible for the ADAS ECU to perform autonomy functions such as automated parking and autonomous highway driving, to name a few.
Interior cabin domain
The interior cabin domain encompasses the comfort features expected from a modern vehicle. At first glance, this domain may seem less critical for security. On the contrary, due to its ability to control physical security, this domain is among the most targeted by attackers today as a breach of this domain translates to vehicle break-in and theft.
Body control module (BCM)
The BCM manages the remote keyless entry and access to the vehicle’s interior. Additionally, it can control seat positions and power windows, light controls, and windshield wipers.
Climate control module (CCM)
The primary function of the CCM is to provide heating and cooling of the cabin. It typically heats the air with a heater core and cools the air with an evaporator and a refrigerant that absorbs heat from the cabin’s air.
Infotainment and connectivity domain
The vehicle functions that engage the driver through the human-machine interface (HMI) are usually grouped in the infotainment domain. ECUs in this domain include the vehicle’s head unit, the central console, as well as the driver-facing instrument cluster. You have probably guessed by now that this domain is also security-critical due to the rich user interfaces it offers.
In-vehicle infotainment (IVI)
The IVI offers entertainment and information delivery to drivers and passengers. The IVI system accepts user input through touchscreens and physical controls and serves the occupants with audio, video, and navigation data. In some cases, the instrument cluster can be integrated with the IVI to provide the driver with a digital display of vehicle information such as speed, fuel level, and more. IVI systems enable vehicle occupants to connect their phones through Bluetooth and USB, making them an attractive target for attackers.
Telematics control unit (TCU)
The TCU is the primary remote access point to the vehicle and therefore is considered high on the list of security-critical ECUs. Among its features are receiving GPS signals and providing connectivity through cellular and Wi-Fi communication to facilitate OTA updates, as well as transmitting remote messages such as telemetry data and emergency assistance requests.
Cross-domain
The interconnection of all domains can be viewed as its own domain whose primary objective is providing reliable communication across the previously mentioned domains when message exchange is needed.
Central gateway (CGW)
While some vehicles may rely on individual ECUs to act as gateways between two or more vehicle subsystems, a more common trend is to dedicate a single gateway ECU to perform this function. When a CGW is used, it behaves as an in-vehicle router by allowing ECUs from different network segments to communicate with one another. The CGW translates data across different network systems, such as CAN to CAN, CAN to Ethernet, and CAN to LIN. Due to its access to all vehicle domains, the CGW can play an important role in security by segmenting the network architecture and dropping unwanted traffic.
Discussion point 7
Can you think of some unique assets of the CGW? Hint: Network filter rules are one such asset.
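To make the CGW's segmentation role concrete, the following added example (not code from the book or from any OEM) sketches a default-deny routing table of the kind the filter rules mentioned above would populate. The segment names, CAN IDs, and the `cgw_rule` layout are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Network segments behind the gateway (hypothetical layout). */
enum { SEG_POWERTRAIN = 1u << 0, SEG_CHASSIS = 1u << 1,
       SEG_BODY = 1u << 2, SEG_INFOTAINMENT = 1u << 3 };

/* One allowlist entry: frames from `src` whose ID matches under `mask`
 * may be forwarded to the segments in `dst`. */
struct cgw_rule {
    uint8_t  src;      /* single source segment bit */
    uint16_t id;       /* 11-bit CAN identifier (constructed value) */
    uint16_t mask;     /* bits of the ID that must match */
    uint8_t  max_dlc;  /* longest payload accepted for this ID */
    uint8_t  dst;      /* bitmask of destination segments */
};

/* Constructed table; real IDs come from the OEM's message catalog. */
static const struct cgw_rule cgw_rules[] = {
    { SEG_POWERTRAIN,   0x100, 0x7FF, 8, SEG_CHASSIS | SEG_INFOTAINMENT },
    { SEG_CHASSIS,      0x200, 0x7F0, 8, SEG_POWERTRAIN }, /* 0x200-0x20F */
    { SEG_INFOTAINMENT, 0x300, 0x7FF, 2, SEG_BODY },
};

/* Returns the bitmask of segments a frame may be forwarded to; 0 = drop.
 * Default deny: anything not matched by a rule is dropped. */
uint8_t cgw_route(uint8_t src, uint16_t id, uint8_t dlc)
{
    if (id > 0x7FF || dlc > 8)          /* malformed for classic CAN */
        return 0;
    for (size_t i = 0; i < sizeof cgw_rules / sizeof cgw_rules[0]; i++) {
        const struct cgw_rule *r = &cgw_rules[i];
        if (r->src == src && (id & r->mask) == (r->id & r->mask) &&
            dlc <= r->max_dlc)
            return (uint8_t)(r->dst & ~src);  /* never reflect to source */
    }
    return 0;
}

int main(void)
{
    /* A powertrain ID arriving from the infotainment segment is dropped. */
    printf("%u\n", (unsigned)cgw_route(SEG_INFOTAINMENT, 0x100, 8));
    /* The same ID from its legitimate source segment is forwarded. */
    printf("%u\n", (unsigned)cgw_route(SEG_POWERTRAIN, 0x100, 8));
    return 0;
}
```

Because the rule is keyed on the source segment as well as the ID, a frame carrying a valid ID but arriving from the wrong segment is dropped, which is why the table itself needs integrity protection.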
Now that we have explored the different ECUs and ECU domains, it’s time to dive into the networking technologies that enable them to exchange information.