©2013 Copyright Southwest Research Institute®

Southwest Research Institute® San Antonio, Texas

©2013 Copyright Southwest Research Institute®

Southwest Research Institute

Embedded Systems Security for Automotive

October 3, 2013

©2013 Copyright Southwest Research Institute®

2

Southwest Research Institute(SwRI)

•Nonprofit

•Independent

•Applied R&D

•11 TechnicalDivisions

•Serving Auto Industry since 1947

Benefiting government, industry, and the public through innovative science and technology

http://swri.org

©2013 Copyright Southwest Research Institute®

Organizational Characteristics

•Applied Research & Development

•Fiscally Stable

•Serve Government, Industry, and the Public

•Technological & Scientific Breadth

•Multidisciplinary Capability

•Internal Research Encouraged–Foster Development of New Technologies

–Investigate New Applications of Existing Technologies

3

©2013 Copyright Southwest Research Institute®

Operational Values and Traditions

•Project and Client-Needs Focused

•Commitment to Delivering on Every Project

•Confidentiality Emphasized–Commercial Clients

Low Profile

Unique approach to Intellectual Property and Patent Rights

–Government Clients

Excellent Reputation for Implementation of Security

Two-time winner of James S. Cogswell Outstanding Industrial Security Achievement

Award

4

©2013 Copyright Southwest Research Institute®

Automation and Data Systems Division

•One of 11 Technical Divisions at SwRI•Division Overview

–165 Total Staff

–Computer Science, Electrical & Computer Engineering, Physics, Mechanical Engineering, Industrial Engineering

•Three Business Areas–Intelligent Systems Department

–Manufacturing Systems Department

–Communications & Embedded Systems Department

•Quality Processes–SEI/CMMI Level 5

5

©2013 Copyright Southwest Research Institute®

Embedded System Security Capabilities

6

©2013 Copyright Southwest Research Institute®

Embedded Security Group

• Staff– Multi-disciplinary– Continuous training– Security clearances– Leverage diverse subject

matter experts at SwRI as needed

• Laboratory Facilities– Dedicated secure labs– Specialized facilities

• automotive test track• vehicle-sized anechoic chamber• dynamometers

– Extensive laboratory test and analysis equipment

7

• Business Areas

– Automotive Security– Smart Grid Security– Industrial Control

Systems & SCADA– Oil & Gas– Railway Security– Mobile Device Security– Medical Device Security

Specializing in cyber-physical systems security

©2013 Copyright Southwest Research Institute®

Example Projects

•Research–Example: Vehicle Malware DetectionCAN analysis and reverse engineeringPerformed vehicle security analysisDeveloped automotive Tool for Reverse

Engineering, Analysis and Detection – autoTREAD™

Developed anomaly detection techniques

•Design and Development–Example: Secure ECUSecure CommunicationsDeveloped SolutionUtilized in Next-Gen Products

•Penetration Testing–Infotainment systems–Vehicle radios

8

©2013 Copyright Southwest Research Institute®

SwRI is Proposing Creation of the

Automotive Consortium for Embedded Security (ACES)

9

©2013 Copyright Southwest Research Institute®

10

Headlines

©2013 Copyright Southwest Research Institute®

11

Current SwRI Automotive Consortia –

SwRI Has Extensive Experience in Establishing Effective Automotive Consortia

©2013 Copyright Southwest Research Institute®

Automotive Consortium for Embedded Security™

• Perform high-risk/high reward pre-competitive R&D

• Serve as independent verification and validation entity

• Develop understanding of industry problems and quantify risks

• Monitor and share threats & industry research

• Keep abreast and provide input for emerging safety and security standards

• Provide members with relevant and actionable results

12

Providing pre-competitive research in automotive embedded systems security to protect the safety, reliability, brand image, trade secrets,

and customer privacy on members' future products

http://aces.swri.org

©2013 Copyright Southwest Research Institute®

Potential Projects

• Research– CAN Bus Anomaly / Malware Detection

– CAN Authentication

– ECU Firmware Tamper Protection

– Secure ECU Firmware Update

– Autonomous Vehicle

• Independent Verification and Validation– Vetting of Security Threats

– Validation of Emerging Security Research & Solutions

• Identify Problems and Quantify Risks– Detailed Risk Assessments

• Standards and Specifications– Development of Security Standards & Specifications

– Work with OEMs and Suppliers to Develop Common Requirements 13

©2013 Copyright Southwest Research Institute®

Benefits

• ROI: Shared funding to solve basic problems for entire membership

• Early access and license to all technology and data from ACES-funded research

• Access and license to related SwRI internally-funded research (including automotive anomaly detection)

• Opportunity to interact with other OEMs and suppliers to develop future automotive security strategies

• Opportunity to advocate for specific security objectives and directions

14

©2013 Copyright Southwest Research Institute®

ACES Information Meeting

• Aimed at potential automotive industry members

• Purpose: – Introduce ACES structure / objectives for

industry feedback / discussion

• Date: October 23, 2013• Location: Sterling Heights, MI

15

©2013 Copyright Southwest Research Institute®

Questions?

16

Mark Brooksmbrooks@swri.org+1 (210) 522-3727Southwest Research Institute6220 Culebra Rd.San Antonio, TX 78238United States

http://aces.swri.org