20160914 EuroSPI: "Automotive Security: Challenges, Standards and Solutions"

Upload: alexander-much, posted 13-Jan-2017

Page 1: Automotive Security: Challenges, Standards and Solutions

Alexander Much, 2016-09-14

CC SSE Much | 2016-09-14 | EuroAsiaSPI 2016 | Public | © Elektrobit Automotive GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Page 2: Agenda

• Safety, Security, ?

• Related Standards and Activities

• Solutions

• Summary

Page 3: Driver's fears are being fueled by recent news

• Connected Cars (new opportunities for hackers)

• New Autonomous Driving Concepts (and failures)

Opposing Goals?

Page 4: Connected Car offers new business models for hackers?

Page 5: Autonomous theft?

Page 6: ;-)

© xkcd.com, https://xkcd.com/1559/

Page 7: “Trustworthy Computing” Memo

From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing

When we face a choice between adding features and resolving security issues, we need to choose security. We must lead the industry to a whole new level of Trustworthiness in computing. […]

Trustworthy Computing is the highest priority for all the work we are doing. […]

Key aspects include: […] Availability, […] Security, […] Privacy.

Do we have similar challenges?

Page 8: The Evolution of Car Hacking

(chart, source: escrypt: security issues plotted against increasing digitalization and digital integration)

Stages shown:

• Hypothetical vulnerabilities identified

• Security threats become relevant in practice

• Regular security breaches with severe damages

Page 9: Dependability

Important:

• safety != reliability

• safety != security

• safety != availability

The challenge: balancing „ilities“.

Safety << Security!

Must-read paper: „Basic Concepts and Taxonomy of Dependable and Secure Computing“, https://www.nasa.gov/pdf/636745main_day_3-algirdas_avizienis.pdf

Also look at: Architecture Tradeoff Method, SEI: https://resources.sei.cmu.edu/asset_files/TechnicalReport/2000_005_001_13706.pdf

Dependability tree:

• Attributes: Security, Availability, Reliability, Safety, Integrity, Maintainability

• Threats: Fault, Error, Failure

• Means: Prevention, Removal, Forecasting, Tolerance

Documentation: https://en.wikipedia.org/wiki/Dependability

Page 10: Entry Points

• Internet connection

• Bluetooth connection

• Wireless key

• Tire pressure monitor

• Remote start

• Remote HVAC

• WiFi Hotspot

• Car2Infrastructure

• Car2Car

• eCall

Page 11: Excursion: Legal

Key quotes for security from the 53. Goslaer Verkehrsgerichtstag, 2015-01 (translated from German):

„To clarify liability claims after damage events in any kind of automated driving operation, system actions and driver interventions must be documented in an evidence-proof (!) manner.“ → tamper-resistant black-box (individual ECUs, function and system level)

„Data protection and data security, as well as transparency for the user, must be ensured.“ „Precautions against external manipulation must be taken in accordance with the state of the art.“ → tamper-resistant devices and communication, authenticity, privacy, etc.

On the horizon: the US may mandate such requirements.

Page 12: Related Standards and Activities

• NIST, FIPS, etc.

• CERT (coding standards and more)

• ISO 27000 (wikipedia)

• RTCA/DO-326 (avionics)

• IEC 62443 (primarily automation)

• CMMI (Security by Design with CMMI v1.3, from Siemens)

• Microsoft SDL (Security Development Lifecycle)

• EVITA (research project)

• BMW group standard (GS 95014, 2015-02)

• SAE J3061 (to be published on 2015-12-03)

• OpenSAMM (Software Assurance Maturity Model) (4 additional processes, similar to e.g. ISO 15504-10)

• … and probably many more

Page 13: Excerpt from J3061 activities

• Tailors a security process framework from the ISO 26262 process framework: compatibility of the lifecycle and processes

• Goal-based rather than predictive

• Identifies methods and tools to facilitate the application of the process, e.g.

‒ Attack trees

‒ Penetration testing

‒ TARA methods (Threat And Risk Analysis)

• Published on 2015-12-03 with a webcast: “The World’s First Standard on Automotive Cybersecurity.”

Page 14: Safety & Security: Process Model

Coordination needed between safety and security experts in relevant phases.

Key capability: systems engineering.

Safety & Security are system aspects (“emerging properties”, “speciality engineering”).

© Bosch, S. Kriso, M. Ihle, „Automotive Security im Kontext der Funktionalen Sicherheit“, VDI / VW Gemeinschaftstagung „Automotive Security“, 2015-10-21

Page 15: The “System”

Defining the system boundaries is complex in development as well as during operations.

Systems are dynamic: assumptions made during development may be false during operations.

© Nancy Leveson, Engineering a Safer World (free download)

Page 16: Extension of the Life-Cycle

• Automotive SPICE strongly focuses on development.

• ISO 15504:2006 contains OPE.1 – Operational use, 5 base practices. IMHO: rarely used.

• ISO 26262:2011 part 7 chapter 6: “operation, service and decommissioning”. 3 pages, fairly abstract.

• Security needs constant field monitoring of all stakeholders:

‒ Safety: a “static” hazard model

‒ Security: a “dynamic” threat model

• Security leads to a higher frequency of updates: maintainability, changeability is a key factor

• Incidents will happen => security is only mastered with a plan for response!

Page 17: OTA & Quality: A “Warning”

• OTA offers many opportunities, including business models, etc.

• OTA will fundamentally change how we look at function deployment.

• OTA partially lowers SOP “pressure”: “we’ll add / fix it later”

• Easy updates have led to crappy software in other domains.

• The SPICE community needs to be aware of this fact!

Page 18: Example: Microsoft SDL

• Core Security Training

• Establish Security and Privacy Requirements

• Create Quality Gates / Bug Bars

• Perform Security and Privacy Risk Assessments

• Establish Design Requirements

• Attack Surface Analysis / Reduction

• Use Threat Modeling

• Use Approved Tools

• Deprecate Unsafe Functions

• Perform Static Analysis

• Perform Dynamic Analysis

• Fuzz Testing

• Attack Surface Review

• Create an Incident Response Plan

• Conduct Final Security Review

• Certify Release and Archive

• Execute Incident Response Plan

Page 19: Example: OpenSAMM

Page 20: Example: SAE J3061

(figure: Potential Communications Paths During the Product Development (software level) Activities)

Page 21: Secure System Layers

Layers:

• Secure Environment

• Secure External Comm. & Interfaces

• Secure Network Segmentation

• Secure OnBoard Communication

• Secure Platform

Building blocks shown in the figure:

• Secure Boot

• Secure Hardware Element

• Secure Update / Diagnostics (Applications, Flashware)

• Separation / Isolation (Memory Protection, Scheduling Policies, Access Control)

• AUTOSAR SecOC

• Ethernet Security

• Domain Separation

• Trust Zones

• IDS/ADS

• Firewall

• Secure External Channels (TLS)

• Secure Logging Agent

• Secure Backend Infrastructure
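AUTOSAR SecOC, the building block named here for secure on-board communication, protects a bus message with a message authentication code bound to a freshness value, so that a receiver rejects both modified and replayed PDUs. The following is an added example, not from the slides and not AUTOSAR or Elektrobit code: a simplified SecOC-style sender and receiver in Python. Assumptions: HMAC-SHA256 stands in for the AES-CMAC that SecOC uses (it is in the standard library), and the key, data ID, truncation lengths and acceptance window are constructed for the demo rather than taken from any real configuration.

```python
import hashlib
import hmac

# Constructed demo parameters (assumptions, not real SecOC configuration values)
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DATA_ID = 0x0123          # identifies the secured PDU; bound into the MAC
MAC_TRUNC = 4             # bytes of MAC carried on the bus (full MAC is 32 bytes here)
FV_TRUNC = 1              # bytes of freshness value carried on the bus
FV_BITS = FV_TRUNC * 8
ACCEPT_WINDOW = 16        # how many lost messages the receiver tolerates


def full_mac(key: bytes, data_id: int, payload: bytes, freshness: int) -> bytes:
    """MAC over data ID || payload || full 32-bit freshness value.
    HMAC-SHA256 is used in place of AES-CMAC because it is in the standard library."""
    msg = data_id.to_bytes(2, "big") + payload + freshness.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes, data_id: int):
        self.key, self.data_id, self.freshness = key, data_id, 0

    def secure(self, payload: bytes) -> bytes:
        """Build a secured PDU: payload || truncated freshness || truncated MAC."""
        self.freshness += 1
        tag = full_mac(self.key, self.data_id, payload, self.freshness)[:MAC_TRUNC]
        fv = (self.freshness & ((1 << FV_BITS) - 1)).to_bytes(FV_TRUNC, "big")
        return payload + fv + tag


class Receiver:
    def __init__(self, key: bytes, data_id: int):
        self.key, self.data_id, self.last_freshness = key, data_id, 0

    def verify(self, secured: bytes):
        """Return the payload if MAC and freshness check out, else None (PDU dropped)."""
        if len(secured) <= FV_TRUNC + MAC_TRUNC:
            return None
        payload = secured[:-(FV_TRUNC + MAC_TRUNC)]
        fv_trunc = int.from_bytes(secured[-(FV_TRUNC + MAC_TRUNC):-MAC_TRUNC], "big")
        tag = secured[-MAC_TRUNC:]
        # Reconstruct the full counter: keep the receiver's upper bits, take the
        # transmitted lower bits, and roll the upper bits over if that would not
        # move the counter forward. Anything not strictly newer is a replay.
        mask = (1 << FV_BITS) - 1
        candidate = (self.last_freshness & ~mask) | fv_trunc
        if candidate <= self.last_freshness:
            candidate += 1 << FV_BITS
        if candidate - self.last_freshness > ACCEPT_WINDOW:
            return None                       # too far ahead: treat as desync, drop
        expected = full_mac(self.key, self.data_id, payload, candidate)[:MAC_TRUNC]
        if not hmac.compare_digest(expected, tag):
            return None                       # tampered payload, wrong key, or wrong ID
        self.last_freshness = candidate       # only advance after a successful check
        return payload


def demo():
    """Exercise an authentic, a replayed and a tampered PDU; returns the three verdicts."""
    tx, rx = Sender(KEY, DATA_ID), Receiver(KEY, DATA_ID)
    pdu = tx.secure(b"\x10\x11")
    accepted = rx.verify(pdu)
    replayed = rx.verify(pdu)                          # same PDU delivered again
    pdu2 = tx.secure(b"\x30")
    tampered = rx.verify(bytes([pdu2[0] ^ 0x01]) + pdu2[1:])   # one payload bit flipped
    return accepted, replayed, tampered


if __name__ == "__main__":
    print(demo())   # → (b'\x10\x11', None, None)
```

The point a practitioner should take from the receiver: the freshness counter is advanced only after the MAC has verified, the comparison is constant-time, and a PDU that is older than the last accepted one, or further ahead than the window allows, is dropped before any MAC work is done. Real deployments additionally need a freshness resynchronisation mechanism and key distribution, which this demo leaves out.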

Page 22: Possible Solutions (from OS side)

(figure: five ECU configurations, each drawn as an ECU with two cores, or two microcontrollers, running apps on AUTOSAR and/or a Performance Platform, with or without a hypervisor)

• Pure AUTOSAR

• Core Partitioning

• Hypervisor

• Microcontroller Partitioning

• Pure Performance

Page 23: Reference Architecture for Safe & Secure Platform

(figure: two ECUs connected via Ethernet, FlexRay, CAN, LIN; each ECU is stacked as Hardware with a Hardware Security Module (HSM), Bootloader / Flasher, OS (opt.), AUTOSAR with OS, RTE, CSM, CryHSM and SecOC, Application Bootloader/Flasher, and Applications; EB Software)

Security functions listed:

• Authentication

• SW signature verification

• Anti theft

• SW as a product

• Mileage prot.

• Secure Boot

• Intrusion Det.
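Secure Boot and SW signature verification appear in this architecture as functions backed by the Hardware Security Module. The following is an added example, not from the slides and not Elektrobit code: a Python model of HSM-backed secure boot in which the HSM keeps the boot key and one reference MAC per boot stage, and each stage is authenticated before control passes to it, in the style of the CMAC-based secure boot of SHE/HSM devices. Assumptions: HMAC-SHA256 replaces AES-CMAC (standard library only), and the key, stage names and image bytes are constructed for the demo.

```python
import hashlib
import hmac


class HardwareSecurityModule:
    """Model of the HSM on the slide: it holds the boot key and the reference MAC of
    every boot stage. The key never leaves this object; the host only gets verdicts.
    HMAC-SHA256 stands in for the AES-CMAC an SHE/HSM would use (assumption)."""

    def __init__(self, boot_key: bytes):
        self._boot_key = boot_key
        self._reference_macs = {}        # stage name -> MAC stored at production/flashing

    def _mac(self, image: bytes) -> bytes:
        return hmac.new(self._boot_key, image, hashlib.sha256).digest()

    def provision(self, stage: str, image: bytes) -> None:
        """Production / authorised flashing step: record the reference MAC of an image."""
        self._reference_macs[stage] = self._mac(image)

    def verify(self, stage: str, image: bytes) -> bool:
        """Secure boot check: does the image in flash still match its reference MAC?"""
        reference = self._reference_macs.get(stage)
        if reference is None:
            return False                  # unknown stage: never run unprovisioned code
        return hmac.compare_digest(reference, self._mac(image))


def secure_boot(hsm: HardwareSecurityModule, stages):
    """Boot stages in order (bootloader, application, ...). Each stage is verified
    before control passes to it; on the first failure the boot halts.
    Returns (stages that were allowed to run, stage that failed or None)."""
    started = []
    for name, image in stages:
        if not hsm.verify(name, image):
            return started, name
        started.append(name)
    return started, None


def demo():
    """Provision a bootloader and an application, then boot once with the genuine
    application and once with a modified one. Returns both boot results."""
    # Constructed demo key and images; a real HSM key is injected at production
    hsm = HardwareSecurityModule(bytes.fromhex("0f0e0d0c0b0a09080706050403020100"))
    bootloader = b"BOOTLOADER v1 (constructed image bytes)"
    application = b"APPLICATION v1 (constructed image bytes)"
    hsm.provision("bootloader", bootloader)
    hsm.provision("application", application)

    genuine = secure_boot(hsm, [("bootloader", bootloader),
                                ("application", application)])
    modified = secure_boot(hsm, [("bootloader", bootloader),
                                 ("application", application.replace(b"v1", b"v1-patched"))])
    return genuine, modified


if __name__ == "__main__":
    print(demo())  # → ((['bootloader', 'application'], None), (['bootloader'], 'application'))
```

Two design points carry over to real platforms: the reference MAC can only be set through the provisioning path, which is where the flasher's own signature verification of an incoming update belongs, and a stage with no reference value is refused rather than waved through, so an ECU that was never correctly provisioned does not boot arbitrary code.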

Page 24: Summary (and opinion)

Processes & standards: Standardization for security similar to ISO 26262 is needed, which forms a consensus in the automotive domain.

Safety, security, reliability are system aspects that need to be balanced. They are all part of the “quality” of the product.

We need assessors who are technical experts of the systems they assess. “Simple” process and document checking won’t be enough.

The SPICE community needs to co-ordinate specialty engineering audits.

Systems engineering needs to be established within organizations.

Page 25: Contact [email protected]