digital security risks to transport infrastructure - oecd · digital security risks to transport...
TRANSCRIPT
Automated Vehicles
– the good, the bad and the ugly!
Sebastian Rohr, CISA/CISM/CISSP
Digital Security Risks to Transport Infrastructure
Who am I? Sebastian Rohr, CEO of accessec GmbH
08.02.2018 2
• Product- / Production Security• Secure Automotive Networks & Backends
• Chief Security Advisor @ Microsoft• Security Strategy for SME/Corporations
• Started career in (IT-) Security @ Siemens• Security Research @ Fraunhofer SIT
OECD Workshop, Paris
Roadway Security & Safety! My secured castle!
OECD Workshop, Paris
Qu
elle
: Sc
ala
Cas
tle
of
Sirm
ion
e, ©
Mar
tin
Sam
pso
n
Page 3
And now…
2/8/2018 7
© P
ho
torato
r[U
RL=h
ttp://p
ho
torato
r.com
/ph
oto
/56
12
4/califo
rnia-state-ro
ute
-high
way-in
terchan
ge-in
-los-an
geles
OECD Workshop, Paris
Vehicles today are “moving data-centers”– with lots of vulnerable interfaces!
GSM/UMTS/LTE,
WiFi, Bluetooth
Interfaces:
OBD
Tire Pressure Monitoring
EV Charging
Car-2-X Communication
Immobilizer
Remote Keyless Entry
E/E, ECU Security:
Tachograph
ChipTuning
Function Activation
USB
Lightning GPS,DAB,
TMC,RDS
Infotainment
Picture source: https://www.sit.fraunhofer.de/de/automotive-security/Page 8OECD Workshop, Paris
And unfortunately, they are exploited as we speak…
Vehicle hack using a car gadgetYoutube: “Corvette hacked through text message” https://www.youtube.com/watch?v=XdARgh4K0wc
Jeep Cherokee HackYoutube: “Hackers Remotely Kill a Jeep on the Highway—With Me inIt”
Page 9OECD Workshop, Paris
And why is that so?
Page 10
• Absence of incentive for securing the „product“ (car) alone
• Absence investment in security infrastructure of roadways either
• Absence of regulative pressure (who needs security?)
Good example: GDRP!
Lots of awareness created on board level
Significant effort put into protecting data and endusers (finally)
Suggestion:
Move forward to establish international
„minimum security requirements“ for autonomous vehicles
And why is that so?
Page 11
• Absence of incentive for securing the „product“ (car) alone
• Absence investment in security infrastructure of roadways either
• Absence of regulative pressure (who needs security?)
Good example: GDRP!
Lots of awareness created on board level
Significant effort put into protecting data and endusers (finally)
Suggestion:
Move forward to establish international
„minimum security requirements“ for autonomous vehicles
When will we start?
08.02.2018 12
Sebastian Rohr, CISA/CISM/CISSP
CEO & Founder
accessec GmbH
+491715580066
OECD Workshop, Paris