Guidelines for Vehicle Cyber Security
Hiro Onishi, Alpine Electronics Research of America, Inc.
honishi@alpine‐la.com
© 2013 Alpine Electronics, Inc. Not for commercial distribution.
INDEX
1. Cyber‐Physical System Risks
2. Vehicle Cyber Risks
 ‐ Vulnerabilities in maintaining vehicle cyber security
3. Vehicle Cyber Security Approaches
 ‐ Risk analysis
 ‐ Concept of system security
4. Vehicle Cyber Security Guidelines
 ‐ European project “EVITA”
 ‐ Japanese agency (IPA)’s guide
 ‐ SAE committee’s approach
5. Summary
1. Risks for Cyber‐Physical System – Case 1
Davis‐Besse Nuclear Plant, Ohio (Jan. 25, ’03)
16:00: Noticed network slow down
16:50: Safety Parameter Display System (SPDS) crashed
17:13: Plant process computer crashed (had analog backup)
Reference: Edward Fok. (Dec. 7, ’11) “Introduction to Cyber Security Issues for Transportation” [Web seminar]
1. Risks for Cyber‐Physical System – Case 2
Airplane manipulation (Apr. ’13, US)
+ Security consultants pointed out: they were able to manipulate an airplane’s navigation system with an Android application*.
+ 4 days later, the Dept. of Transportation denied the possibility**.
References:
*: ~ WIRED www.wired.co.uk/news/archive/2013‐04/11/android‐plane‐hijack
**: ~ Information Weekly www.informationweek.com/security/application‐security/faa‐dismisses‐android‐app‐airplane‐takeo/240152838
1. Risks for Cyber‐Physical System – Case 3
Lodz, Poland (Jan. ’08)
4 light rail trams derailed, 12 people injured
Tool used: Converted television IR remote
Exploit: Locks that disable track changes while a vehicle is present were not installed
Reference: Edward Fok. (Dec. 7, ’11) “Introduction to Cyber Security Issues for Transportation” [Web seminar]
Pictures: Courtesy of EUROPICS
1. Cyber‐Physical System Risks
Currently, “Cyber‐physical system risks” can be a serious social concern, as it may impact the following:
+ (Nuclear / chemical) plants
+ Military facilities and weapons
+ Government facilities and systems
+ Transportation (Trains, Airplanes, Vehicles, Ships, etc)
+ Utilities (Electric‐grid, Water‐line, etc)
+ Finance (ATM, Ticket machines, etc)
+ Medical / Health related equipment and others
2. Vehicle Cyber Risks
Vehicles can be targets of cyber attacks, because …
+ Vehicles can be used to inflict serious bodily injury
+ Vehicles are high value items
+ Vehicles are frequently parked in un‐secured locations
+ Vehicles could be targeted for anti‐social activity (ex. terrorism)
 ‐ Stop/control massive number of vehicles
 ‐ Cause massive panic through false information
References:
~ A. Weimerskirch, “Do Vehicles Need Data Security?” SAE World Congress, Detroit, MI, Apr. ’11
~ Information‐Technology Promotion Agency. (Apr. ’11) “Movements of Vehicle Cyber Security”, (Japanese)
2. Vehicle Cyber Risks
[Figure: electronics‐based vehicle functions – ABS, Air Bag, Navigation, Telematics, ACC, Cruise control, Car Telephone, Emergency call, LDW, Autonomous driving, V2I communication, V2V communication]
Modern cars can come with up to 80 CPUs, 2 miles of cable, several hundred MB of software, and 5 in‐vehicle networks.
“Vehicle” is NO longer just a “Mechanical System”.
Reference: A. Weimerskirch ‐ ESCRYPT, “Security Considerations for Connected Vehicles”, in SAE Government and Industry Meeting, Washington DC, Jan. ’12
2. Vehicle Cyber Risks
[Figure: Internet, Smart‐phone, Computer, Music‐player and Hacker connected to the vehicle]
Virus or malware carried in smart‐phones or music‐players can easily invade automotive electronics.
2. Vehicle Cyber Risks
Special risks
CASE‐1: Vehicles are only able to communicate externally through mobile phones
 [Figure: Vehicle – Mobile phone – Base station]
CASE‐2: Communication for crash‐avoidance: limited time (100ms order)
 [Figure: Vehicle‐A – Vehicle‐B]
2. Vehicle Cyber Risks
Additional vulnerabilities, compared to computer/internet security.
VULNERABILITY 1: Limited vehicle external connectivity
 ‐ Difficulty in updating security software
 ‐ Difficulty in monitoring automotive electronics status
VULNERABILITY 2: Limited computational performance, due to high endurance and long vehicle life‐cycle (10 years)
 ‐ Vulnerable when competing against a hacker’s PC
VULNERABILITY 3: Real‐time operation
VULNERABILITY 4: Vehicle consists of various components/parts. Large industry pyramid from suppliers to OEM
 [Figure: pyramid – OEM / Tier‐1 / Tier‐2 / Parts suppliers]
VULNERABILITY 5: Unpredictable attack scenarios and threats
VULNERABILITY 6: Hazard to drivers’ and passengers’ lives
References:
~ Information‐Technology Promotion Agency (of Japanese government). (Apr. ’11) “’10 report: Movements of Vehicle Cyber‐security”, (Japanese)
~ A. Weimerskirch, “Security Considerations for Connected Vehicles”, in SAE Government and Industry Meeting, Washington DC, Jan. ’12
~ P. Kleberger, T. Olovsson and E. Jonsson, “Security aspects of the in‐vehicle network in the connected car”, Intelligent Vehicles Symposium (IV), 2011 IEEE, pp. 528‐533, 5‐9 Jun. ’11
3. Vehicle Cyber Security Approaches
Additional complicated vulnerabilities, compared to computer/internet security.
Industry expects both ‘proper guidelines’ & ‘competitive approaches’.
To define proper guidelines, well‐defined risk‐analysis is required.
3. Vehicle Cyber Security Approaches
Proper security requires well‐defined risk analysis.
Vehicle cyber security is vulnerable, but Risk ≠ Vulnerability.
Risk = function (Vulnerability, Hackers’ motivation/skills, Hazard)
Inputs:
 Vulnerability: Vulnerability of system security
 Hackers’ motivation/skills: Adversary ROI (Investment / risk / return)
 Hazard: Magnitude of hazards, when security is compromised.
Reference: ~ D. Etue (SafeNet), web seminar “Cyber Security in Highly Innovative World”, (Jul. ’13)
3. Vehicle Cyber Security Approaches
Risk‐analysis: Hackers’ motivations/skills

Type | Aims | Approaches | Target | Hacker type | (potential) Skill
Classic | Financial | Steal vehicle, components or parts | Vehicle, Components/parts | Individual, Group | Low, Medium
Classic | Financial, Harm to driver’s property | Acquire driving log or history and physically attack drivers or steal/damage drivers’ property | Driver | Individual, Group | Medium
New types | Harm to individual | Manipulate single or small number of vehicles to cause (severe) accidents | Driver | Individual, Group | Medium, High
New types | Damage to community | Manipulate large number of (e.g. police) vehicles to cause (severe) accidents and damage to community | Community | Group, Organization (i.e. terrorism) | High

+ In general, the person who invents a tool to break security possesses much higher skills than the person who is only using the tool. e.g.: the case of “immobilizer cutter”
+ Inside hackers possess deeper knowledge about the security mechanism.
References:
~ A. Weimerskirch, “Do Vehicles Need Data Security?” SAE World Congress, Detroit, MI, Apr. ’11
~ Information‐Technology Promotion Agency. (Apr. ’11) “Movements of Vehicle Cyber Security”, (Japanese)
~ EVITA deliverable D2.3 “Security requirements for automotive on‐board networks based on dark‐side scenarios” (’09)
3. Vehicle Cyber Security Approaches
Risk‐analysis: Hazard assessment ‐ ISO‐26262 (Automotive Functional Safety)
Sample of hazard assessment – ‘Vehicle center console’

Function | Sample malfunction | Exposure | Controllability | Severity | ASIL
CD/DVD control | CD/DVD is not working | E3 | C1 | S1 | QM
Emergency call | Emergency call is not placed at accident | E1 | C3 | S3 | A
Navigation | Erroneous guidance, e.g. opposite direction on freeway | E2 | C2 | S3 | A
Rearview camera (Monitoring)* | When backing up, image of rear view camera freezes (shows old image) | E3 | C3 | S3 | C
Air conditioner control | Heater is not working during the winter in Canada | E3 | C2 | S2 | A
Turn signal in cluster panel | Shows signal activation in cluster, though actual signal is not working | E1 | C2 | S3 | QM
Power window** | Unwanted window closing | E2 | C2 | S3 | A
Air bag | Fault activation during driving | E4 | C3 | S3 | D

Reference:
*: H. Onishi, “Approach for Vehicle Cyber Security with Functional Safety Concept” in SAE World Congress, Detroit, MI, Apr. ’13
**: R. Hamann et al., “ISO 26262 Release Just Ahead: Remaining Problems and Proposals for Solutions” in SAE World Congress, Detroit, MI, Apr. ’11
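The risk formula from the previous slide (Risk = function (Vulnerability, Hackers’ motivation/skills, Hazard)) and the hazard assessment above can be worked through in code. The Python below is an added example, not code from the slides, from Alpine or from ISO: the S/E/C to ASIL matrix is the one published in ISO 26262‐3, the malfunction rows are the slide’s sample table, and the numeric vulnerability/adversary weights together with the multiplicative combination rule are constructed assumptions, used only to show how ranking by risk differs from ranking by hazard or by vulnerability alone.

```python
"""Added example (not from the slides, Alpine or ISO): ISO 26262-3 ASIL
determination for the 'Vehicle center console' sample table, then folded into
the slide's Risk = f(Vulnerability, adversary motivation/skill, Hazard).
The S/E/C -> ASIL matrix is the published ISO 26262-3 table; the weights
and the combination rule are constructed assumptions."""

from dataclasses import dataclass

# ISO 26262-3 ASIL determination matrix: ASIL_TABLE[S][E] -> (C1, C2, C3)
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"),
        3: ("QM", "QM", "A"),  4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"),
        3: ("QM", "A", "B"),   4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"),  2: ("QM", "A", "B"),
        3: ("A", "B", "C"),    4: ("B", "C", "D")},
}
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


def asil(severity: int, exposure: int, controllability: int) -> str:
    """Return the ASIL for an S/E/C triple (S1-S3, E1-E4, C1-C3)."""
    if severity not in (1, 2, 3) or exposure not in (1, 2, 3, 4) or controllability not in (1, 2, 3):
        raise ValueError(f"out of range: S{severity} E{exposure} C{controllability}")
    return ASIL_TABLE[severity][exposure][controllability - 1]


@dataclass(frozen=True)
class Malfunction:
    function: str
    malfunction: str
    exposure: int
    controllability: int
    severity: int
    vulnerability: int   # 1..3, assumed reachability by an attacker (constructed)
    adversary: int       # 1..3, assumed motivation/skill per the threat table (constructed)

    @property
    def hazard(self) -> str:
        return asil(self.severity, self.exposure, self.controllability)

    @property
    def risk(self) -> int:
        # Constructed combination rule: no hazard means no risk, otherwise the
        # hazard rank is scaled by how exposed and how attractive the function is.
        return ASIL_RANK[self.hazard] * self.vulnerability * self.adversary


# E/C/S values are the slide's sample rows; vulnerability/adversary values are constructed.
CONSOLE_TABLE = [
    Malfunction("CD/DVD control", "CD/DVD is not working", 3, 1, 1, 3, 1),
    Malfunction("Emergency call", "Emergency call is not placed at accident", 1, 3, 3, 2, 2),
    Malfunction("Navigation", "Erroneous guidance, e.g. opposite direction on freeway", 2, 2, 3, 2, 2),
    Malfunction("Rearview camera (monitoring)", "Image freezes when backing up", 3, 3, 3, 1, 2),
    Malfunction("Air conditioner control", "Heater not working during winter in Canada", 3, 2, 2, 2, 1),
    Malfunction("Turn signal (cluster)", "Shows activation though signal is not working", 1, 2, 3, 1, 1),
    Malfunction("Power window", "Unwanted window closing", 2, 2, 3, 2, 2),
    Malfunction("Air bag", "Fault activation during driving", 4, 3, 3, 1, 3),
]


def rank_by_risk(rows=CONSOLE_TABLE):
    """Return (function, ASIL, risk) tuples, highest risk first (stable for ties)."""
    return sorted(((m.function, m.hazard, m.risk) for m in rows), key=lambda t: -t[2])


if __name__ == "__main__":
    for function, level, score in rank_by_risk():
        print(f"{function:30s} ASIL {level:2s} risk {score}")
```

Running it lists the console functions ordered by the constructed risk score: the air bag (ASIL D) leads, the rearview camera (ASIL C) follows, and the CD/DVD player and the cluster turn signal score zero because their hazard is QM no matter how reachable they are. Changing only the adversary or vulnerability weights re‐orders the middle of the list, which is the slide’s point: a vulnerability by itself is not a risk until hazard and attacker interest are taken into account.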
3. Vehicle Cyber Security Approaches
Concepts of system security
+ 6 security phases should be covered by both process/management and technologies
 ~ CIP (Critical Infrastructure Protection) by NERC (North American Electric Reliability Corporation)*
 6 phases:
 ‐ Analysis and Assessment
 ‐ Remediation
 ‐ Indications and Warnings
 ‐ Mitigation
 ‐ Incident Response
 ‐ Reconstitution
+ New concept: “Trustworthy (computing) design” approaches**
 Initial design of the system in consideration of “Security”, “Privacy”, “Reliability” and “Business Integrity”. e.g. Brake should be reliable
References:
*: http://en.wikipedia.org/wiki/Critical_infrastructure_protection
**: Craig Mundie (Microsoft CTO and Senior VP), (’02)
4. Vehicle Cyber Security Guidelines
Guideline samples for cyber‐physical systems

Guideline | Publisher | Domain | Description
IEC 62443 (Industrial network & system security) | – | Industrial system | System security; covers broader industrial systems
NIST Guide to Industrial Control | NIST | Industrial system | Covers broader industrial systems, from management & technical sides
NIST‐800‐61 | NIST | PC/internet & Industrial system | Handle incidents (including attack analysis, recovery, etc)
CIP (Critical Infrastructure Protection)* | NERC | Industrial system (mainly), PC/internet (part of) | Covers broader critical infrastructures, considering 6 phases (e.g. mitigation, recovery), from management & technical sides
‘EVITA’ deliverables | EU | Vehicle | Outputs from research project
Vehicle information security guide | Japanese agency ‐ IPA | Vehicle | –
J3061 (Cyber security Guidebook for Cyber‐Physical Automotive Systems)** | SAE | Vehicle | Under development

References:
*: www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
**: www.sae.org/servlets/works/documentHome.do?comtID=TEVEES18&docID=J3061&inputPage=dOcDeTaIlS
4. Vehicle Cyber Security Guidelines
European project “EVITA”
Created possible attack‐trees for selected use cases (18 use cases for 6 groups).
[Figure: Sample of attack tree – ‘Compromise driver’s privacy’ (attack goal at the root, attack methods as leaves)]
Reference: ~ EVITA deliverable D2.3 “Security requirements for automotive on‐board networks based on dark‐side scenarios” (’09)
4. Vehicle Cyber Security Guidelines
European project “EVITA”
Provide security requirements, based on the identified attack‐trees.
[Figure: Sample of security requirements – ‘Privacy/confidentiality’ …]
Reference: ~ EVITA deliverable D2.3 “Security requirements for automotive on‐board networks based on dark‐side scenarios” (’09)
4. Vehicle Cyber Security Guidelines
European project “EVITA”
Provide reference architecture including HSM (Hardware Security Module)
+ Development of Hardware Security Modules deployed with ECUs
 ‐ Key protection
 ‐ Trusted computing base
 ‐ Secured storage
 ‐ Cost effective
+ In‐car cryptographic protocols to secure ECU‐ECU and sensor communication
+ Software framework integrating authentication, encryption & access control, etc
Reference: ~ B. Weyl, et al., “The EVITA Project: Securing the Networked Vehicle” in escar (Dresden, Germany ’11)
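One concrete form of the “in‐car cryptographic protocols to secure ECU‐ECU and sensor communication” bullet is an authenticated, replay‐protected message exchange between two ECUs that share a symmetric key. The Python below is an added example, not EVITA’s protocol and not any supplier’s code: the frame layout (2‐byte message id, 4‐byte counter, payload, 8‐byte truncated HMAC‐SHA256 tag), the 16‐frame acceptance window, the demo key and the speed values are all constructed assumptions.

```python
"""Added example (not EVITA's, Alpine's or any supplier's code): an
authenticated, replay-protected ECU-to-ECU message channel built on a shared
symmetric key, in the spirit of EVITA's 'in-car cryptographic protocols'.
Frame layout, MAC truncation, window size, key and payload values are
constructed assumptions for illustration."""

import hashlib
import hmac
import struct

HEADER = ">HI"                      # assumed frame header: 2-byte msg id, 4-byte counter
HEADER_LEN = struct.calcsize(HEADER)
MAC_LEN = 8                         # assumed: truncated tag to fit a small bus frame
WINDOW = 16                         # assumed: tolerate up to 16 lost frames in a row


class AuthenticatedLink:
    """One direction of an ECU channel protected by HMAC-SHA256 and a freshness counter."""

    def __init__(self, key: bytes, msg_id: int):
        self.key = key
        self.msg_id = msg_id
        self.tx_counter = 0      # next counter value this side will send
        self.rx_counter = -1     # highest counter value this side has accepted

    def _tag(self, counter: int, payload: bytes) -> bytes:
        # The MAC binds id, counter and payload together so none can be swapped alone.
        data = struct.pack(HEADER, self.msg_id, counter) + payload
        return hmac.new(self.key, data, hashlib.sha256).digest()[:MAC_LEN]

    def send(self, payload: bytes) -> bytes:
        """Build a frame: id | counter | payload | truncated tag."""
        counter = self.tx_counter
        self.tx_counter += 1
        return struct.pack(HEADER, self.msg_id, counter) + payload + self._tag(counter, payload)

    def receive(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, otherwise None."""
        if len(frame) < HEADER_LEN + MAC_LEN:
            return None                              # truncated frame
        msg_id, counter = struct.unpack(HEADER, frame[:HEADER_LEN])
        payload, tag = frame[HEADER_LEN:-MAC_LEN], frame[-MAC_LEN:]
        if msg_id != self.msg_id:
            return None                              # not this channel's message id
        if not hmac.compare_digest(tag, self._tag(counter, payload)):
            return None                              # forged, corrupted or wrong key
        if counter <= self.rx_counter or counter > self.rx_counter + WINDOW:
            return None                              # replayed, reordered or too far ahead
        self.rx_counter = counter
        return payload


def run_scenario() -> dict:
    """Constructed scenario: a sensor ECU reports speed to a brake ECU over the link."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    sensor = AuthenticatedLink(key, msg_id=0x123)
    brake = AuthenticatedLink(key, msg_id=0x123)

    frame = sensor.send(struct.pack(">H", 50))       # constructed: 50 km/h
    first = brake.receive(frame)                     # genuine frame -> payload
    replay = brake.receive(frame)                    # same frame again -> None
    tampered = bytearray(frame)
    tampered[HEADER_LEN] ^= 0xFF                     # altered payload byte, tag no longer matches
    forged = brake.receive(bytes(tampered))          # -> None
    second = brake.receive(sensor.send(struct.pack(">H", 52)))  # next genuine frame -> payload
    return {"first": first, "replay": replay, "tampered": forged, "second": second}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:8s} -> {'accepted ' + result.hex() if result else 'rejected'}")
```

A truncated HMAC and a plain counter, rather than a digital signature, reflect the “limited computational performance” and “100ms order” constraints from section 2: one HMAC per frame is cheap on a small ECU, and the counter plus window gives freshness without a shared clock or a handshake. The scenario shows the receiver accepting the genuine frame, rejecting the same frame replayed, rejecting a tampered payload, and then accepting the next genuine frame.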
4. Vehicle Cyber Security Guidelines
Japanese agency (IPA)’s guide
+ Covers whole life‐cycle of vehicle (‘Planning’ ~ ‘Disposal’).
+ Covers all players related to vehicle life‐cycle.
Information‐Technology Promotion Agency
Reference: ~ http://www.ipa.go.jp/files/000033402.pdf
4. Vehicle Cyber Security Guidelines
Japanese agency (IPA)’s guide
Vehicle system model of IPA guideline: categorized functions in 3 groups
Reference: ~ http://www.ipa.go.jp/files/000033402.pdf
4. Vehicle Cyber Security Guidelines
Japanese agency (IPA)’s guide
Threats and countermeasures (based on vehicle system model)
[Figure legend: direct threats thru physical I/O; indirect threats thru vehicle bus; potential effective countermeasures]
Reference: ~ http://www.ipa.go.jp/files/000033402.pdf
4. Vehicle Cyber Security Guidelines
SAE “Electrical system security” committee’s approach
“Automotive Security Guidelines & Risk Management” Taskforce (under “Vehicle Electrical System Security committee”)
+ Creates Cyber security Guidebook for Cyber‐Physical Automotive Systems
 ‐ Complies with Risk Methodology in ISO 26262 Functional Safety Standard
 ‐ Contains automotive cyber security framework and processes
 ‐ Evaluates Threat Analysis and Risk Assessment (TARA) methods
 ‐ Follows simple approach to allow effective implementation across the automotive industry
 ‐ Contains elements of existing industry security standards
 ‐ Provides definitions, acronyms and sample templates
+ Expected to be completed by Mid 2014
Reference: ~ L. Boran (SAE Committee Chair) “Automotive Cyber‐Security”, escar (Nov. ’13, Frankfurt, Germany)
5. Summary
Vulnerabilities in vehicle cyber security:
‐ Limited vehicle external connectivity
‐ Limited computational performance
‐ Real‐time operation
‐ Various components/parts from various suppliers
‐ Unpredictable attack scenarios and threats
‐ Hazard to drivers’ and passengers’ lives
Proper security requires well‐defined risk analysis.
Risk depends on ‘hackers’ motivation/skills’, ‘magnitude of hazard’ and ‘vulnerability of security’.
Many guidelines have been issued or are under development for the automotive industry.
‐ EVITA (E‐safety vehicle intrusion protected applications) guideline
‐ IPA (Information‐Technology Promotion Agency) guideline
‐ SAE guideline – under development
Thank you for your attention!!
Hiro Onishi, Alpine Electronics Research of America, Inc.
honishi@alpine‐la.com
Tel: +1‐310‐783‐7281
Slide design: Mari Hatazawa
mhatazawa@alpine‐la.com