automotive cyber security -...
TRANSCRIPT
Nov. 24th, 2016 I 1 Property of Valeo
Nov. 24th, 2016
Automotive Cyber Security: Impacts on vehicle development and life
Speaker: Jérôme DERN
Duration: ½ hour
Speaker
Jérôme DERN
Cyber Security Leader for Valeo CDA
Senior Expert
+33 1 48 84 56 85
@jeromedern
https://fr.linkedin.com/in/jeromede
Cars’ CyberSecurity: Introduction
What devices are subject to cyber security (CS)?
• IoT: home appliances, health products, security products
• Servers: cloud, personal & enterprise servers
• OS kernels: all connected computers or ECUs
• Smart phones & apps: car apps
• Embedded software: car ECUs
But also
• ECUs indirectly connected to the internet, like ECUs connected to gateways
Cars’ CyberSecurity: Connected Car Threat Vectors
• OBDII
• USB
• SD Card reader
• CD reader
• CAN
• Ethernet
• JTAG
• Cloud services
• OTA
• V2x
• Maps
• Traffic information
• Infotainment
• Relay attack
• Side channel leak
• Camera blinding/destroying
• Sensor spoofing
• Component attack
• Counterfeit components
Automotive Cyber Security Context: Risks
What are attacker motivations & ROI?
• 69% of attacks are related to money
• Untargeted attacks stop after 9 days of trying
• Highly targeted or nation-state attacks have no clear limits
Regarding cars
• Attacks need money, time and knowledge
Automotive Cyber Security Context: Risks
Why are vehicles targets for cyber attacks?
• High-value items
• Mostly parked in unsecured areas
• Easy access to ECUs (spare parts)
• Easy to compromise the content for paid feature activation (no update protection)
• Taking entire control over a vehicle or a group of vehicles is interesting for some groups (hacktivists, terrorism)
Automotive Cyber Security Context: Risks
What are the risks?
• Joyriding: 40 people were killed in England in 2004/2005 as a part of aggravated vehicle taking
• Stealing valuables: in 2011, insurance companies claimed that 8000 car owners in Norway had experienced and reported a car break-in
• Stealing the whole car: not a good idea because of automated plate reading (systems can read up to 3000 plates per hour); the car can be stored immediately in a truck or container
Automotive Cyber Security Context: Risks
• Stealing the whole car for parts: selling all parts separately; replacing parts with serial numbers by used parts with legitimate numbers. In Norway in 2011 and 2012, 187 cars were stolen but only 21% of cases were solved
• Unauthorized product modifications: deactivation of security features, activation of paid features for free, hiding criminal or illegal activities, …
Automotive Cyber Security Context: Risks
• Remote surveillance of individuals
  - GPS: previous destinations, current location, current destination
  - Cloud: billing, credit card, data, owner information
  - Audio using onboard mics
  - GSM: SMS, data, triangulation, voice calls
  - Car data access: speed, oil, mileage, TPMS, driving style & behavior, driving time, DTCs
• Attacks on infrastructure & cars (V2x)
  - Attractive target for terrorism
  - Stop/control massive number of vehicles
  - Cause massive panic through false information
Automotive Cyber Security Context: Risks
[Figure: number of lines of code (log scale, 1E+00 to 1E+10) for Space shuttle, Boeing 777, Ford Taurus 2012, today's cars, Mouse DNA, all Google services]
Car industry is facing a high risk
Source: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/
Automotive Cyber Security Context: Risks
[Figure: attacker levels, with Risk plotted against Resources/Sophistication]
• Basic attacker (L1): Internet connection & vulnerability; Amusement, Experimentation, Nuisance
• Sophisticated attacker (L2): Asset value, identity, difficulty; Money, Renown, Ideology
• Cybercrime (L3): Internal/Ext. asset value, IP; Money, Crime, Extortion
• Nation-state (L4): Country, asset value, IP; Espionage, Economic Intelligence, Cyber warfare
Resources/Sophistication labels in the figure: $-$$$, $-$$$$, $-$$$$$, $-$$
Moore’s law also applies to the CS context
• More computational resources
• Easier knowledge sharing
Automotive Cyber Security Context: Car hacking, state of the art
Car attacks
• The only known serious attacks are white hats’
• This does not mean that no other attacks succeed
• One doubt in the case of a US journalist
Today the main known attacks are
• Webtech plus hack case, 2010
• GM Impala using OnStar hack, 2010-2011
• Ford Escape, Toyota Prius: 2013
• BMW ConnectedDrive, January 2015
• GM OnStar hack, July 2015
• Chrysler Jeep Cherokee: July 2015
• Tesla Model S, August 2015
• Nissan LEAF, Troy Hunt, February 2016
Automotive CyberSecurity: Chrysler Jeep Cherokee
Attack allows remote command of
• Air conditioner
• Door locks
• Windscreen wiper
• Engine
• Steering wheel
• Transmission
• Braking system
• Tracing GPS route on a map
Automotive CyberSecurity: Chrysler Jeep Cherokee
Remote command can target
• A specific vehicle
• All Jeep Cherokees!
Software correction
• Available 9 months later
• Needed to be downloaded and stored on a USB key
• Have all car owners done it?
Automotive CyberSecurity: Security Development Life-Cycle
Security impacts the whole car life
Specification
• Risk analysis
• Define Security Functional Requirements (SFR)
• Allocate and refine them to engineering domains
Automotive CyberSecurity: Security Development Life-Cycle
Add new design principles
• Favor simplicity
• Do not expect expert users
• Trust with reluctance
• Limit the privilege to what is really needed
• Validate all inputs
• Promote privacy
• Compartmentalize
• Defend in Depth (DiD)
• Monitor & trace
Automotive CyberSecurity: Security Development Life-Cycle
Implementation
• Implement SFR
• Security coding rules and static analysis
• Open Source detection tool
• Vulnerability analysis tools
• Security code reviews
Automotive CyberSecurity: Security Development Life-Cycle
Testing
• Risk-based security testing
• Fuzz testing
• Attack patterns
• Penetration testing
Automotive CyberSecurity: Security Development Life-Cycle
• Cloud Security
• Smart Phone Apps Security
• Factory Security
• Repair shop Security
• Maintenance / Incident response
• Decommissioning
Automotive CyberSecurity: Security is not Safety
Safety: ensuring a state of a system that does not cause harm to life, property, or environment.
Security: ensuring the state of a system that does not allow exploitation of vulnerabilities to lead to losses, such as financial, operational, privacy, or safety losses.
Automotive CyberSecurity: Security is not Safety
• A safety-critical system is also cybersecurity-critical
• A security-critical system may not be safety-critical
[Figure labels: Security, Safety, Privacy, Operational, Regulatory, Financial]
Automotive CyberSecurity: Security is not Safety
Security process partially matches safety process
• Hazard analysis and risk assessment is replaced by Threat Analysis and Risk Assessment (TARA)
• TARA is more difficult to address due to intentional, malicious, and planned actions
• Safety uses statistics, experience, and knowledge of the system and its components
• Security considers additional factors: time, expertise, knowledge, opportunity, equipment, and attack intensity
Automotive CyberSecurity: Security is not Safety
Security process partially matches safety
• Safety goals lead to safety requirements; security objectives lead to security requirements
• Safety risks are stable over time; security risks increase over time; security updates are needed
• Fault Tree Analysis (FTA) for safety; Attack Tree Analysis (ATA) for security
Automotive CyberSecurity: Security is not Safety
Security process partially matches safety
• Detailed hazard analysis for safety; vulnerability analysis for security
• Safety: static code analysis is used to find functionality-related bugs
• Security: static code analysis is used to find vulnerabilities
• Code that is correct from a safety perspective may still have vulnerabilities
Automotive CyberSecurity: Security is not Safety
Security process partially matches safety
• System safety fault injection tests for safety; penetration testing for security
• Safety tests can guarantee requirement coverage; security tests are always insufficient to guarantee security
• Safety may conflict with cybersecurity in some cases
Automotive CyberSecurity: Security is not Safety
Security process partially matches safety
• Security has a broader scope
• Communication mechanisms and synchronizations between Safety and Security are needed
• Safety teams and Security teams can be merged or separated
• It is better to separate them, with strong communication channels and synchronization points
Automotive CyberSecurity: Security is not Safety
[Figure: two parallel process flows, Safety and Security]
• Safety flow: Identify Hazards, Risk Analysis, Safety Concept, Add Counter-Measures, Risk is Suppressed, Wait for Security
• Security flow: Identify Threat, Risk Analysis, Security Concept, Add Counter-Measures, Risk is acceptable, Wait for Safety
• Evolving context: Static (Safety) ≠ Increase with time (Security)
• Standardized by ISO (Safety) ≠ Not Standardized (Security)
Automotive CyberSecurity: Norms
• No real automotive CS norms exist
• SAE provides J3061: CyberSecurity Guidebook for Cyber-Physical Vehicle Systems
• Actively waiting for an ISO norm that will kick off on October 21st