Applying Cybersecurity Processes to

Autonomous VehiclesEmbedded Systems Security Group

5/2/2017 1

Agenda• Identify the problem• Review the challenges• Applying risk assessment techniques• Security infusion to design process• Conclusions/Wrap-up• Questions/Contact

5/2/2017 2

What’s the Problem?• Problem?

o How to apply conventional penetration testing methods to autonomous vehicle technology?

• Why address it now?o Autonomous Technology is transitioning out of the lab and into the streets.o Proactively address security to avoid “patching in” later.

• What can we do right now?o Generate discussiono Evaluate sensorso Develop requirementso Influence vendors

5/2/2017 3

Types of Challenges

5/2/2017 4

• Experimental - Just trying to make it worko Focused on meeting basic performanceo Security seen as hindrance to prototypingo Operating in controlled environmento “Worry about it later”

• Garbage In = Garbage Outo Sensor data only as good as the sourceo Making assumptions about sensor performance based on limited testingo Sensor perception, sensitivity, and ranges highly variable

Types of Challenges

5/2/2017 5

• Fusing data sources is difficulto Different units, manufacturers, librarieso Correlating objects between sensor typeso Response magnitude may vary for materials/shapes

• Each sensor from a different manufacturero Sometimes a sensor is a composition from even more supplierso Technology layering and abstraction results in compounding corner cases

Types of Challenges

5/2/2017 6

• Each sensor an embedded systemo Limited insight into the systemo Firmware updateso Debug ports, flash memory, configuration fileso Network interfaces and protocolso Variety of interface libraries both Open Source and proprietary

• Constantly evolving sensor set (Next-best-thingitus)o Look,<Company name> just released a new sensor with better <property>!o Likely different than previous sensor or different manufacturero Start security assessment all over again

Other Industries• Dedicated Short Range Communications (802.11p)

o DSRC motivated by federal infrastructureo Active standards developmento Built with security in mindo Not evolution technologyo A few ongoing pilot programs

• Maybe security assessments should be included?

• Military Applicationso Big budgets for securityo Platforms tend to have high physical securityo Small Numbers (relative to auto industry)o Strict revision controlo See TARDEC VICTORY Program

5/2/2017 7

SwRI Developed Automated Tactical Vehicle

What Can We Do?• Approach the problems from multiple angles:

1. Involve In-House security resources (pen test, security policy, etc…)• Seek advice from existing In-House resources• Leverage institutional knowledge and experiences with other systems

2. Engage with suppliers early3. Integrate product lifecycle security4. Identify avenues for exchanging and managing identified issues5. Perform regular assessments6. Integrate external assessments and replicate results in-house7. Monitor Hacker state of the art

• Attend conferences• Review hacks or reports of other sensors• Many manufactures use similar tech

5/2/2017 8

Supplier Communication• Engage with vendor security team (if available)• Some vendors more aware than others• Some will be non traditional automotive suppliers• Establish POC on both sides for relaying:

o Sending/receiving security findingso Design or process changeso Technology that may be shared across multiple platforms

• Consider hosting vulnerability reporting database

5/2/2017 9

Lifecycle Security

5/2/2017 10

Secure Over-the-Air

Update

Penetration Testing

Secure Code Practices

Coding Analysis

Sensor Security

Secure Interface Design

Risk ModelingAsset Tracking

ISO 26262/J3061 Process:

Security RequirementsDevelopment

Sensors Assessment• Start evaluations of essential sensors

o LIDAR, Radar, Vision, etc…o Subject models to security testingo Model and track vulnerabilities

• “Smart” Sensors o Typically contain embedded systemso Firmware images and onboard flasho Debugging portso Variety of on-sensor functionso Networking capabilities (Ethernet, CAN)

• Typically “development friendly”o Well documented & publicly availableo Configuration and demo applicationso Sensors getting cheaper

• The result: Hackers Playground

5/2/2017 11

Packet structure for a popular LIDAR

System Assessment• Will become more difficult as system matures

o Need to track libraries used to develop systemo Version control of multiple systemso Securing communications between modules

• Strict interface controlo Data flow between user controls and safety criticalo Autonomy Kit <-> Passenger Interfaceo System safety hypervisor

• Computer Vision o Demonstrated system classification manipulation

5/2/2017 12

Manipulated Computer vision Recognition [2]

Outside Assessments• Work with outside teams for better coverage

o Request procedures & equipment lists not just findingso Replicate in-houseo Build up assessment arsenalo Expand intuitional knowledge

5/2/2017 13

Conclusion• Involve In-House security resources

o Seek advice from existing In-House resources

• Engage with suppliers early• Integrate product lifecycle security

o Identify avenues for exchanging and managing identified issues

• Perform regular assessments• Integrate external assessments

o Replicate results in-houseo Request Procedures/Equipment/Sourceo Feed findings back into development process

• Monitor Hacker state of the art

145/2/2017

Questions/Contact

5/2/2017 15

Daniel ZajacDaniel.Zajac@SwRI.org

(210) 522-4293Senior Research Engineer

Edward CainEdward.Cain@SwRI.org

(210) 522-2417Research Analyst

References:[1] https://media.blackhat.com/bh-dc-11/Havelt-Oliveira/BlackHat_DC_2011_Havelt_Hacking_Fast_Lane-wp.pdf[2] http://news.cornell.edu/stories/2015/03/images-fool-computer-vision-raise-security-concerns