【Introduction】Only by ensuring system security from process to product, the full advantages of wBMS technology can be realized. In early conversations with electric vehicle (EV) OEMs, the technical and commercial challenges of wireless battery management systems (wBMS) may seem daunting, but the rewards are too lucrative to ignore. Many of the inherent advantages of wireless connectivity over wired/cable architectures have been demonstrated in countless commercial applications, and BMS is yet another candidate area that clearly wants to ditch the cable.
Figure 1. Electric vehicle using a wireless battery management system (wBMS)
The prospect of lighter, modular, compact EV battery packs – finally free from cumbersome communication wiring harnesses – has been widely embraced. By eliminating up to 90% of the battery pack wiring and 15% of the battery pack volume, the design and size of the complete vehicle is significantly simplified, and the bill of materials (BOM) cost, development complexity and associated manual installation/maintenance efforts are greatly reduced.
What’s more, a single wireless battery design can be easily scaled across a OEM’s entire EV fleet without the need for extensive and costly battery pack wiring harness redesigns for each make and model. With wBMS, depots are free to modify their frame designs without fear of needing to rearrange a lot of BMS wiring within the battery pack.
In the long term, continued reductions in vehicle weight and battery pack size will be critical to extending the range of electric vehicles in the years to come. Therefore, wBMS technology will play an important role in helping automakers improve the range, thereby helping to overcome consumers’ long-standing electric vehicle range anxiety.
Not only is this expected to spur an increase in overall EV market adoption, but it also gives automakers the opportunity to leap into EV market leadership with their ability to achieve long-range battery life. Going forward, this will remain a major differentiator for EV OEMs. For a more detailed description and market analysis of the benefits, see “The Electric Vehicle Wireless Battery Management Revolution Has Begun, with Huge ROI Potential”1.
new safety standard
A number of challenges need to be overcome to deliver on the promise of wBMS. The wireless communication used in wBMS needs to be robust enough to interference when the car is moving, and the system must be safe in all situations. However, a robust and secure design alone may not be enough to fight hardened attackers – this is where system security comes into play.
Such as urban or rural areas), whether someone uses another wireless device in the same frequency band in the car, it will cause the source of interference to change. Reflections within the battery pack can also degrade performance, depending on the material of the battery pack used to encapsulate the cells. The wBMS signal is likely to fluctuate and communications can be disrupted under natural conditions, let alone in the face of malicious attackers.
If the wBMS communication is interrupted for some reason, the car can go back to “safe mode”, reducing performance to allow the driver to take action, or when the wBMS communication is completely lost, the car can safely stop. This can be achieved through proper safety design, considering all possible failure modes in the system, and implementing end-to-end safety mechanisms to deal with random failures of components.
However, the security design did not take into account the possibility that malicious actors could exploit the system for certain purposes, including remote control of the vehicle. During Black Hat 2016, researchers demonstrated this possibility for a car in motion, enabling remote access through a vehicle gateway. Therefore, wireless robustness and fail-safe designs are not enough, security against attacks is also required. The black hat demonstration was a valuable lesson that future wireless systems in cars need to be designed in such a way that they cannot be exploited as another remote entry point. In contrast, conventional wired battery packs do not provide remote access, and to gain access to battery data, hackers need to physically tap into the high-voltage environment in the vehicle.
Additional safety challenges can arise during the life cycle of an EV battery, as shown in Figure 2. Analog Devices’ approach to wBMS design focuses on understanding the different stages an EV battery goes through—from factory delivery, through deployment and maintenance, and finally to the next life or end of life. These usage scenarios define the various functions that the wBMS must support. For example, preventing unauthorized remote access is a consideration during electric vehicle deployment, but more flexible access is required during manufacturing. Another example is during repairs where right-to-repair laws require a way for the owner to resolve a failure of the battery or associated wBMS. This means that software in the wBMS must be supported to be updated in a legal way, and the update mechanism should not compromise the safety of the car when it leaves the pit.
Additionally, EV batteries are sometimes redeployed to the energy sector when they no longer meet EV performance standards. This requires a secure transfer of ownership of EV batteries to the next stage of life. Batteries are devices with no built-in intelligence, so it is the responsibility of the wBMS that accompanies them to implement appropriate safety policies to best serve the EV battery life cycle. Before transitioning to the second life (echelon exploitation), all secrets of the first life must be securely erased.
Analog Devices anticipates these issues and addresses them in accordance with our own core design principles, which are a particular focus on maintaining and enhancing safety integrity from process to product and thorough review. At the same time, ISO/SAE 214342The standard “Road Vehicles: Cybersecurity Engineering” has been officially released in August 2021 after three years of development. It defines a similar exhaustive end-to-end process framework with four levels of network security assurance. Manufacturers and suppliers are rated on a scale of 1 to 4, with 4 representing the highest level of compliance (see Figure 3).
Figure 2. Electric vehicle battery life cycle and its associated wBMS life cycle
Figure 3. ISO/SAE 21434 framework with CAL 4 expectations
Analog Devices’ wBMS approach responds to ISO/SAE 21434 requirements and implements the highest level of inspection and rigor required for safe product development in the automotive industry. For this purpose, Analog Devices has engaged TÜV-NORD, a well-known and trusted certification laboratory, to evaluate our internal development strategies and processes. Our policies and processes have been reviewed and fully compliant with the new standard ISO 21434, as shown in Figure 4.
Figure 4. TÜV-Nord certificate
Rigorous scrutiny from device to network
Following the systematic process of wBMS product design, we perform a Threat Assessment and Risk Analysis (TARA) to clarify the threat profile based on how customers intend to use the product. By understanding what a system is for, and how it is used in various ways over its lifespan, we can determine which critical assets need protection against which potential threats.
There are several options for TARA technology, including the well-known Microsoft STRIDE approach, which models threats by considering six threats represented by the acronym STRIDE: Spoofing (S), Tampering (T), Denial (R), Disclosure ( I), Denial of Service (D) and Privilege Escalation (E). We can then apply it to the different interfaces of the components that make up the wBMS system, as shown in Figure 5. These interfaces are natural pause points in the data and control flow paths that a potential attacker could use to gain unauthorized access to system assets. In this case, by playing the attacker and asking ourselves how relevant each threat is to each interface and why, we can figure out possible attack paths and determine how likely the threat is to occur, and if an attack If successful, the consequences may be severe. We then repeat this thought process at different stages of the lifecycle, as the possible threats and impacts vary depending on the environment the product is in (eg warehouse vs deployment). This information will indicate that certain countermeasures are required.
Take the wireless channel between the wireless cellular monitor and the wBMS manager during deployment as an example, as shown in Figure 5. If the asset is data from a wireless cellular monitor, with concerns about leaking the data value to an eavesdropper, then we may need to encrypt the data as it travels through the wireless channel. If we are concerned about data being tampered with through the channel, then it may be necessary to protect the data with data integrity mechanisms such as message integrity codes. If there is a concern that someone will identify where the data is coming from, then we need a way to authenticate the wireless cellular monitor that communicates with the wBMS manager.
Through this exercise, we were able to identify the key security objectives of the wBMS system, as shown in Figure 6. These goals will require the implementation of mechanisms.
Many times we have to answer the question: “How much are we willing to pay to choose certain mechanisms to achieve specific security goals?” Adding more countermeasures would almost certainly improve the overall security posture of the product, but at a cost would be significant and may cause unnecessary inconvenience to the end consumer using the product. A common strategy is to mitigate the most likely and easiest to deploy threats. More sophisticated attacks tend to target higher-value assets and may require stronger security countermeasures, but this is highly unlikely, so the payoff is not worthwhile if implemented.
Figure 5. Threat surface considerations for wBMS
Figure 6. Security goals of wBMS
For example, in a wBMS, physical tampering of an IC device to gain access to battery data measurements while the vehicle is on the road is highly unlikely, since manipulation of parts of a moving car would require a Trained mechanic with deep knowledge of EV batteries. If an easier path existed, a real-life attacker would likely try such a path. A common type of attack on a networked system is a denial of service (DOS) attack – making a product unavailable to users. You can create a portable wireless jammer to try and jam the wBMS functionality (hard), but you can also deflate the tires (easy).
The step of addressing a risk with an appropriate set of mitigations is called a risk analysis. By measuring the impact and likelihood of the relevant threat before and after the introduction of appropriate countermeasures, we can determine whether residual risk has been reasonably minimized. The end result is that security features are included because they are required and the cost is acceptable to the customer.
TARA for wBMS points to two important aspects of wBMS security: device-level security and wireless network security.
The first rule of any security system is “Keep the keys safe!” That means both on the device and in our global manufacturing operations. Analog Devices’ wBMS device security takes into account hardware, IC, and low-level software on the IC and ensures that the system can safely boot from unalterable memory to a trusted platform for code to run. All software code is authenticated before execution, and any in-field software updates require pre-installed credentials to provide authorization. Once the system is deployed in the vehicle, rollback to a previous (and potentially vulnerable) software version is prohibited. Additionally, the debug port is locked after the system is deployed, eliminating the possibility of unauthorized backdoor access to the system.
Network security is designed to protect wireless communication between the wBMS unit monitoring node and the network manager inside the battery pack enclosure. Security starts with joining the network and the membership of all participating nodes is checked. This prevents random nodes from joining the network, even if they happen to be nearby nodes. Mutual authentication of nodes communicating with the network manager at the application layer will further protect the wireless communication channel so that a man-in-the-middle attacker cannot act as a legitimate node to communicate with the manager, and vice versa. Additionally, to ensure that only the intended recipient has access to the data, AES-based encryption is used to scramble the data, preventing information from leaking to any potential eavesdropper.
Like all security systems, at the heart of security is a set of encryption algorithms and keys. Analog Devices’ wBMS follows NIST-approved guidelines, which means that the chosen algorithm and key size should be consistent with the minimum security strength of 128 bits suitable for data-at-rest protection (e.g. AES-128, SHA-256, EC-256), And use algorithms from well-tested wireless communication standards such as IEEE 802.15.4.
The keys used to secure the device are usually installed during the ADI manufacturing process and never leave the IC device. These keys, which ensure system security, are physically protected by the IC device, preventing unauthorized access, whether in use or not. The Hierarchical Key Framework then protects all application-layer keys as encrypted binary blobs in non-volatile memory, including keys used in network security.
To facilitate mutual authentication of nodes in the network, ADI’s wBMS incorporates a unique public key key pair and a signed public key certificate into each wBMS node during manufacture. With a signed certificate, a node can verify that it is communicating with another legitimate ADI node and a valid network member, and a unique public key key pair is used by the node in a key agreement scheme to establish with another node or a BMS controller Secure communication channel. A benefit of this approach is that wBMS installation is easier and does not require a secure installation environment, as the nodes are set up to handle network security automatically after deployment.
In contrast, past schemes using pre-shared keys to establish secure channels often required a secure installation environment and an installation program to manually write key values for communication endpoints. To simplify and reduce the cost of dealing with key distribution issues, assigning a default public network key to all nodes in the network is often a shortcut that many people take. This often leads to a “one collapse, full plate collapse” disaster, which must be taken as a precaution.
As production scales up, OEMs need to be able to use the same wBMS with different numbers of wireless nodes for different EV platforms and install them in different secure manufacturing or repair locations, we tend to use a distributed key approach to reduce overall encryption complexity of key management.
The full benefits of wBMS technology can only be realized by ensuring safety from the device to the network over the entire life cycle of an EV battery. With this in mind, safety requires a system-level design philosophy, encompassing both process and product.
Analog Devices anticipated the core cybersecurity issues addressed by the ISO/SAE 21434 standard during the draft and incorporated countermeasures in our own wBMS design and development process. We are proud to be one of the first technology suppliers to achieve ISO/SAE 21434 compliance in terms of policies and processes, and our wBMS technology is currently receiving the highest level of cybersecurity assurance.
1Shane O’Mahony. “The revolution in wireless battery management for electric vehicles has begun, with huge potential for return on investment.” Analog Devices, Inc., November 2021.
2ISO/SAE 21434:2021 – Road vehicles. ISO, 2021.
Similar LCD Inverter
World Peace Group launched a DMS solution based on OmniVision products
What do you think of the 48V technical solution for automotive electronics?
Qualcomm and Zhanrui chips jointly launched 5G chip commercialization and entered the “Warring States Era”