Introduction

Wireless access, via Wi-Fi, cellular and satellite, has become an essential business productivity tool in support of many applications. The increased connectivity provided by wireless technology, and also the Internet, raises the stakes for a well thought out network security plan. It is critical to recognize that security strategies must be measured against an ongoing risk assessment, and focused on addressing sensitivities identified. An appropriate level of paranoia is a good thing.

This document describes the steps taken to deliver a secure solution in support of the Netistix® FleetPulse® application. Areas addressed within this document include:

• Vehicle to Vehicle Interface Unit (VIU) interface
• Wi-Fi communications option
• VIU to VIUPoint Authentication Server
• VIUPoint to OverVIU Information Manager
• User to OverVIU Information Manager

IT policies and security methods specific to individual organizations are not addressed in this document.

FleetPulse Overview

The FleetPulse Wireless Fleet Management System combines the collection of comprehensive in-vehicle operational details and subsequent analysis for high value business intelligence. Together, these capabilities provide operations, fleet and repair service operators with the data required to make the best business decisions over a vehicle’s total lifecycle.

Built on standards-based communication architecture, the FleetPulse solution can be deployed as a Web-based or enterprise system with vehicle communications functionality over private Wi-Fi, Metro Wi-Fi, cellular and/or satellite.

Three core components comprise the solution.

Vehicle Interface Unit (VIU)

Selectively extracts key operational data from a vehicle’s engine control unit (ECU), GPS receivers and/ or miscellaneous attached auxiliary devices. The VIU is installed to the on-board diagnostics (OBDII) port in minutes, without compromising vehicle warranties or wiring integrity. Data collected by the VIU can consist of:

• GPS location information correlated to events
• driver/operator activity; reflecting productivity or authorized usage
• critical engine events such as the Check Engine Light/Malfunction Indicator Light (MIL) coming on
• vehicle fuel consumption
• in-depth technical indicators such as misfires, coolant temperature, coolant levels, oxygen sensor status, fuel trim, diagnostic trouble codes and more
• logistical data such as odometer, engine hours, battery voltage, PTO usage and more

VIUPoint Authentication Server

By providing either centralized or distributed wireless network access control and communication management, the VIUPoint Authentication Server controls communication sessions, data acquisition and delivery between authorized VIU devices and the OverVIU Information Manager. The VIUPoint resides on a PC platform and consists of a Netistix-developed application and an integrated software firewall. For security purposes, the hardware consists of two non-bridged Ethernet ports that prevents any end-to-end communication sessions.

The figure below illustrates a deployment scenario where a wireless 802.11 Access Point is used to establish communication to the VIU.

The Access Point may be deployed at a central site(s) OR in fleet yards, fueling depots and vehicle service areas for convenient collection of vehicle data. The Access Point contains an integrated router that is used both as a firewall layer and an endpoint for an IPSEC VPN tunnel.

OverVIU Information Manager

Gathers, analyses and presents data collected by the VIU in actionable format including alarms, reports and data records. OverVIU, a Netistix developed product, resides on commercial servers where it synthesizes and presents vital business and technical information to the various management and technical users of FleetPulse applications. Using the Web services application programming interface (API), OverVIU allows third-party applications and services to access fleet information through standard Web-services protocols. OverVIU and its databases can be enterprise-owned and located, or hosted by Netistix as a Web-based service.

All access to OverVIU is password controlled for each individual user by a flexible set of access rights/ restrictions.

FleetPulse Risk Assessment

The communication between the vehicle and the Netistix VIU is via an SAE-defined communication port. The SAE communication standard includes mechanisms built into the vehicle that prevent instructions being written to vehicle except under well controlled conditions, eliminating the possibility of interference with vehicle operations. Though the VIU can poll a broad set of information from the vehicle, functionality to generate instructions to the vehicle has been consciously restricted to “requests to reset the MIL/ DTCs”.

The data being collected and transmitted in support of Netistix vehicle applications contain details pertinent to the vehicle operating characteristics. The detail contains values attributable to vehicle odometer, engine run time, diagnostic trouble codes and others. Though the data is not typically judged as sensitive, a configuration option exists through configuration profiles to restrict the ability to save selected data, such as speed. Data values are packed in a proprietary format prior to transmission for efficiency and are therefore not recognizable. Additionally, when transmitted the data is sent with no recognizable vehicle association.

The communications from the vehicle to the hosted OverVIU Information Manager most typically transits insecure network facilities, namely cellular, satellite, 802.11b Wi-Fi links and the Internet. The predominant focus of security procedures within Netistix deployments is to ensure that the network as a whole is not exploited as a gateway to protected internal networks.

Network Design and Product Elements

Netistix’s solution design is based on the fundamental premise that FleetPulse and each associated product element sit outside the secure customer network, protected by firewalls. The product elements and solution implementation builds in multiple layers of security features designed to protect against unauthorized access to the network.

VIU to 802.11 Access Point Communications (Option)

The VIU detects broadcasts from the Wireless Receiver. The internal VIU wireless module sends a packet containing up to three separate sets of identification criteria, including an encryption identifier. The three identifiers are:

• MAC address
• Organization service identifier
• Encryption key

If security matches are found, the internal VIU wireless module is then authenticated by the wireless access point, which establishes a connection to the VIUPoint, through a router/ firewall and within an IPSEC VPN tunnel.

MAC Layer Authentication and Access Control

Media access control (MAC) addresses are hard coded into IP components within the VIUs. MAC addresses of any IP devices are similarly hard coded and rarely change. MAC address filtering allows you to restrict access to only those Netistix VIU devices that have been defined on the Access Point. This is a first step for networks to control the users that will be allowed access.

Organizational Service Identifier

The organization service identifier is a configurable identification that occurs between end devices, such as the Netistix VIU and the wireless receiver. The mechanism is designed to allow clients that are configured with the same identifier to communicate. From a security point of view this acts as a single shared password between base stations and clients.

WEP Encryption

It is recognized that WEP is not a truly secure encryption method and only forms one layer of security control.

The VIUs and the wireless receiver specify a shared 128-bit key to encrypt and decrypt the data. Each wireless module in the Netistix VIU and customer Access Points must be configured with the same key. Netistix makes it a practice to limit specific encryption keys to only the VIUs and the wireless receivers that justify a common association. This limits the possibility that an encryption key setting is leaked, having a broad impact.

Though technically feasible to a motivated cracker, it takes the reception of several million packets to crack WEP. But knowing the vulnerability, this encryption should be relied upon only as a privacy mechanism to stop casual eavesdropping and less than persistent attacks and is augmented with other security mechanisms.

Cellular Modem Connections

A wireless PPP session between the VIU modem and an Internet gateway is established.

The end-to-end PPP session acts as a tunnel for the VIU to VIUPoint Authentication Server. It is through this tunnel that a secure session between the VIU and VIUPoint is established.

VIU to VIUPoint Communications

Having been authenticated by the wireless receiver, the VIU then sends an announcement packet containing a unique hardware serial number and message identifiers available for transfer. The VIUPoint then verifies the validity of the unique hardware serial number and confirms with a system-specific message registry whether data upload requests are valid.

1. The VIUPoint then requests specific (outstanding) messages from the VIU, based on the message registry.
2. The VIU then transmits requested messages to the VIUPoint.
3. The VIUPoint stores those messages in its database.
4. The VIUPoint then goes through a process that validates the integrity of the data and then moves the data to a separate database, for eventual upload to the OverVIU.

Netistix Device Level Authentication and Access Control

The Netistix VIU is encoded with a unique serial number, which is used as another layer of authentication for access control. This authentication responsibility is delegated to the VIUPoint Authentication Server. Since this is not associated with any public communication protocol there is limited access to serial numbers, halting casual intrusion efforts.

Netistix VIUPoint Authentication Server

The Netistix VIUPoint, in part, serves as a data cache providing store and forward functionality for vehicle-based application data. The architecture consists of two non-bridged IP stacks, structured so a through-path communication channel cannot be established. The end-to-end system employs a specific information poll request structure, which triggers the transmission of cached data, so that only requested data records in a precise data format can be received.

1. No data other than the predefined values and formats can be accepted or stored within the VIUPoint.
2. The VIUPoint contains its own firewall to prevent access from unauthorized systems.
3. The VIUPoint is password protected.

VIUPoint to OverVIU Communications

1. If a network connection is available, the VIUPoint sends an announcement packet to the OverVIU, identifying itself with an “I’m alive” announcement, and, if there is specific data available, the fact that the data is ready for upload.
2. The OverVIU then validates that the VIUPoint is an authorized agent and requests the data.
3. The VIUPoint then forwards data as requested to the OverVIU.
4. The OverVIU upon inspection of the messages received updates the message registry and passes the updates to all VIUPoints to which the VIU(s) are associated.
5. The VIUPoint cannot “push” data to the OverVIU Information Manager.

Netistix OverVIU Information Manager

1. The OverVIU only accepts data that it requests (as part of the poll request / acknowledgement architecture) and data that subscribes to a very specific data format used by Netistix.
2. The OverVIU is always deployed with a firewall.
3. The OverVIU has password-protected access with very specific user rights and restrictions.

Back to the FleetPulse product page