20160914 eurospi: "automotive security: challenges, standards and solutions"
TRANSCRIPT
Automotive Security: Challenges, Standards and Solutions
Alexander Much, 2016-09-14
CC SSE Much | 2016-09-14 | EuroAsiaSPI 2016 | Public | © Elektrobit Automotive GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Agenda
• Safety, Security, ?
• Related Standards and Activities
• Solutions
• Summary
Driver's fears are being fueled by recent news
Connected Cars (new opportunities for hackers)
New Autonomous Driving Concepts (and failures)
Opposing Goals?
Connected Car offers new business models for hackers?
Autonomous theft?
;-)
© xkcd.com, https://xkcd.com/1559/
“Trustworthy Computing” Memo
From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing
When we face a choice between adding features and resolving
security issues, we need to choose security. We must lead the
industry to a whole new level of Trustworthiness in
computing. […]
Trustworthy Computing is the highest priority for all the
work we are doing. […]
Key aspects include: […] Availability, […] Security, […]
Privacy.
Do we have similar challenges?
The Evolution of Car Hacking
[Figure: security issues plotted over time against increasing digitalization and digital integration]
• Hypothetical vulnerabilities identified
• Security threats become relevant in practice
• Regular security breaches with severe damages
Source: escrypt
Dependability
Important:
• safety != reliability
• safety != security
• safety != availability
The challenge: balancing „ilities“.
Safety << Security!
Must-read paper: „Basic Concepts and Taxonomy of Dependable and Secure Computing“, https://www.nasa.gov/pdf/636745main_day_3-algirdas_avizienis.pdf
Also look at: Architecture Tradeoff Method, SEI: https://resources.sei.cmu.edu/asset_files/TechnicalReport/2000_005_001_13706.pdf
[Figure: the dependability taxonomy from that paper]
• Attributes: Security, Availability, Reliability, Safety, Integrity, Maintainability
• Threats: Fault, Error, Failure
• Means: Prevention, Removal, Forecasting, Tolerance
Documentation: https://en.wikipedia.org/wiki/Dependability
Entry Points
• Internet connection
• Bluetooth connection
• Wireless key
• Tire pressure monitor
• Remote start
• Remote HVAC
• WiFi Hotspot
• Car2Infrastructure
• Car2Car
• eCall
Excursion: Legal
Key quotes relevant to security from the 53rd Goslarer Verkehrsgerichtstag (German traffic law conference), 2015-01:
"To settle liability claims after damage events in any form of automated driving, system actions and driver interventions must be documented in an evidentially sound (!) manner." => tamper-resistant black box (individual ECUs, function and system level)
"Data protection and data security as well as transparency for the user must be ensured." "Precautions against external manipulation must be taken in accordance with the state of the art." => tamper-resistant devices and communication, authenticity, privacy, etc.
On the horizon: the US may mandate such requirements.
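One way to realize the tamper-evident "black box" these quotes call for, as an added example that is not from the slides: a hash-chained, keyed event log in Python, where each entry commits to its predecessor and carries an HMAC, so that rewriting, deleting or reordering recorded system actions and driver interventions is detected on verification. The key, the event fields and the helper names are assumptions for the illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key; in a real ECU it would live in the HSM / secure hardware element.
BLACK_BOX_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # predecessor hash of the very first entry


def _payload(seq, event, prev):
    # Canonical encoding so recorder and verifier hash exactly the same bytes.
    return json.dumps({"seq": seq, "event": event, "prev": prev}, sort_keys=True).encode()


def record_event(log, event, key=BLACK_BOX_KEY):
    """Append one event, chained to the previous entry's hash (deleting or
    reordering breaks the chain) and authenticated with an HMAC under the key."""
    prev = log[-1]["hash"] if log else GENESIS
    payload = _payload(len(log), event, prev)
    entry = {
        "seq": len(log), "event": event, "prev": prev,
        "hash": hashlib.sha256(payload).hexdigest(),
        "mac": hmac.new(key, payload, hashlib.sha256).hexdigest(),
    }
    log.append(entry)
    return entry


def verify_log(log, key=BLACK_BOX_KEY):
    """Return (True, None) if the log is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(log):
        payload = _payload(e["seq"], e["event"], e["prev"])
        expected_mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if (e["seq"] != i or e["prev"] != prev
                or hashlib.sha256(payload).hexdigest() != e["hash"]
                or not hmac.compare_digest(expected_mac, e["mac"])):
            return False, i
        prev = e["hash"]
    return True, None


def demo():
    # Constructed sample events of the kind the conference asks to be recorded.
    log = []
    record_event(log, {"t_ms": 1000, "src": "system", "action": "lane_keep_on"})
    record_event(log, {"t_ms": 1450, "src": "driver", "action": "steering_override"})
    record_event(log, {"t_ms": 1500, "src": "system", "action": "lane_keep_off"})
    tampered = copy.deepcopy(log)
    tampered[1]["event"]["src"] = "system"  # rewrite who intervened
    return verify_log(log), verify_log(tampered)
```

The chain alone does not detect truncation of the newest entries; in a vehicle the latest hash would additionally be anchored in a monotonic counter inside the secure hardware element, which also keeps the key.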
Related Standards and Activities
• NIST, FIPS, etc.
• CERT (coding standards and more)
• ISO 27000 (wikipedia)
• RTCA/DO-326 (avionics)
• IEC 62443 (primarily automation)
• CMMI (Security by Design with CMMI v1.3, from Siemens)
• Microsoft SDL (Security Development Lifecycle)
• EVITA (research project)
• BMW group standard (GS 95014, 2015-02)
• SAE J3061 (to be published on 2015-12-03)
• OpenSAMM (Software Assurance Maturity Model) (4 additional processes, similar to e.g. ISO 15504-10)
• … and probably many more
Excerpt from J3061 activities
• Tailors a security process framework from the ISO 26262 process framework: compatibility of the lifecycle and processes
• Goal-based rather than predictive
• Identifies methods and tools to facilitate the application of the process, e.g.
‒ Attack trees
‒ Penetration testing
‒ TARA methods (Threat And Risk Analysis)
• Published on 2015-12-03 with a webcast: “The World’s First Standard on Automotive Cybersecurity.”
Safety & Security: Process Model
Coordination needed between safety and security experts in relevant phases.
Key capability: systems engineering.
Safety & Security are system aspects (“emerging properties”, “speciality engineering”).
© Bosch, S. Kriso, M. Ihle, „Automotive Security im Kontext der Funktionalen Sicherheit“ (Automotive Security in the Context of Functional Safety), VDI / VW Gemeinschaftstagung „Automotive Security“, 2015-10-21
The “System”
Defining the system boundaries is complex in development as well as during operations.
Systems are dynamic: assumptions made during development may be false during operations.
© Nancy Leveson, Engineering a Safer World (free download)
Extension of the Life-Cycle
• Automotive SPICE strongly focuses on development.
• ISO 15504:2006 contains OPE.1 – Operational use, 5 base practices. IMHO: rarely used.
• ISO 26262:2011 part 7 chapter 6: “operation, service and decommissioning”. 3 pages, fairly abstract.
• Security needs constant field monitoring of all stakeholders:
‒ Safety: a “static” hazard model
‒ Security: a “dynamic” threat model
• Security leads to a higher frequency of updates: maintainability and changeability are a key factor.
• Incidents will happen => security is only mastered with a plan for response!
OTA & Quality: A “Warning”
• OTA offers many opportunities, including business models, etc.
• OTA will fundamentally change how we look at function deployment.
• OTA partially lowers SOP “pressure”: “we’ll add / fix it later”
• Easy updates have led to crappy software in other domains.
• The SPICE community needs to be aware of this fact!
Example: Microsoft SDL
• Core Security Training
• Establish Security and Privacy Requirements
• Create Quality Gates / Bug Bars
• Perform Security and Privacy Risk Assessments
• Establish Design Requirements
• Attack Surface Analysis / Reduction
• Use Threat Modeling
• Use Approved Tools
• Deprecate Unsafe Functions
• Perform Static Analysis
• Perform Dynamic Analysis
• Fuzz Testing
• Attack Surface Review
• Create an Incident Response Plan
• Conduct Final Security Review
• Certify Release and Archive
• Execute Incident Response Plan
Example: OpenSAMM
Example: SAE J3061
Potential Communications Paths During the Product Development (software level) Activities
Secure System Layers
[Figure: layered view of a secure vehicle system]
Layers:
• Secure Environment
• Secure External Comm. & Interfaces
• Secure Network Segmentation
• Secure OnBoard Communication
• Secure Platform
• Secure Boot
• Secure Hardware Element
Building blocks shown on the slide:
• Secure Update / Diagnostics
‒ Applications
‒ Flashware
• Separation / Isolation
‒ Memory Protection
‒ Scheduling Policies
‒ Access Control
• AUTOSAR SecOC
• Ethernet Security
• Domain Separation
• Trust Zones
• IDS/ADS
• Firewall
• Secure External Channels
‒ TLS
• Secure Logging Agent
• Secure Backend Infrastructure
Possible Solutions (from OS side)
[Figure: five deployment variants of an ECU hosting applications (“App”) on AUTOSAR and/or a Performance Platform]
• Pure AUTOSAR
• Core Partitioning (Core 1 / Core 2 of one ECU)
• Hypervisor (AUTOSAR and Performance Platform above a hypervisor on Core 1 / Core 2)
• Microcontroller Partitioning (Micro 1 / Micro 2 within one ECU)
• Pure Performance Platform
Reference Architecture for Safe & Secure Platform
[Figure: reference architecture for a safe and secure platform; EB Software components highlighted]
• ECUs connected via Ethernet, FlexRay, CAN, LIN
• Per ECU: Hardware with Hardware Security Module (HSM); Bootloader / Flasher; OS (opt.); AUTOSAR stack with OS, RTE, CSM, CryHSM, SecOC; Applications; Application Bootloader/Flasher
• Security functions: Authentication, SW signature verification, Anti-theft, SW as a product, Mileage protection, Secure Boot, Intrusion Detection
Summary (and opinion)
Processes & standards: Standardization for security similar to ISO 26262 is needed, which forms a consensus in the automotive domain.
Safety, security, reliability are system aspects that need to be balanced. They are all part of the “quality” of the product.
We need assessors who are technical experts of the systems they assess. “Simple” process and document checking won’t be enough.
The SPICE community needs to co-ordinate specialty engineering audits.
Systems engineering needs to be established within organizations.
Contact [email protected]