
Guidelines for Vehicle Cyber Security

Hiro Onishi
Alpine Electronics Research of America, Inc.
honishi@alpine-la.com

© 2013 Alpine Electronics, Inc. Not for commercial distribution.



INDEX

1. Cyber-Physical System Risks
2. Vehicle Cyber Risks
   - Vulnerabilities in maintaining vehicle cyber security
3. Vehicle Cyber Security Approaches
   - Risk analysis
   - Concept of system security
4. Vehicle Cyber Security Guidelines
   - European project "EVITA"
   - Japanese agency (IPA)'s guide
   - SAE committee's approach
5. Summary

1. Risks for Cyber-Physical System – Case 1

Davis-Besse Nuclear Plant, Ohio (Jan. 25, '03)

16:00: Noticed network slowdown
16:50: Safety Parameter Display System (SPDS) crashed
17:13: Plant process computer crashed (had analog backup)

Reference: Edward Fok. (Dec. 7, '11) "Introduction to Cyber Security Issues for Transportation" [Web seminar]

1. Risks for Cyber-Physical System – Case 2

Airplane manipulation (Apr. '13, US)

+ Security consultants pointed out that they were able to manipulate an airplane's navigation system with an Android application*.
+ 4 days later, the Dept. of Transportation denied the possibility**.

References:
*: WIRED, www.wired.co.uk/news/archive/2013-04/11/android-plane-hijack
**: InformationWeek, www.informationweek.com/security/application-security/faa-dismisses-android-app-airplane-takeo/240152838

1. Risks for Cyber-Physical System – Case 3

Lodz, Poland (Jan. '08)

4 light rail trams derailed, 12 people injured

Tool used: converted television IR remote
Exploit: locks disabling track changes when a vehicle is present were not installed

Reference: Edward Fok. (Dec. 7, '11) "Introduction to Cyber Security Issues for Transportation" [Web seminar]
Pictures: Courtesy of EUROPICS

1. Cyber-Physical System Risks

Currently, "cyber-physical system risks" can be a serious social concern, as they may impact the following:

+ (Nuclear / chemical) plants
+ Military facilities and weapons
+ Government facilities and systems
+ Transportation (trains, airplanes, vehicles, ships, etc.)
+ Utilities (electric grid, water line, etc.)
+ Finance (ATMs, ticket machines, etc.)
+ Medical / health-related equipment and others

2. Vehicle Cyber Risks

Vehicles can be targets of cyber attacks, because …

+ Vehicles can be used to inflict serious bodily injury
+ Vehicles are high-value items
+ Vehicles are frequently parked in unsecured locations
+ Vehicles could be targeted for anti-social activity (e.g. terrorism):
  - Stop/control a massive number of vehicles
  - Cause massive panic through false information

References:
~ A. Weimerskirch, "Do Vehicles Need Data Security?" SAE World Congress, Detroit, MI, Apr. '11
~ Information-Technology Promotion Agency. (Apr. '11) "Movements of Vehicle Cyber Security" (Japanese)

2. Vehicle Cyber Risks

[Figure: electronics-based vehicle functions – ABS, Air bag, Navigation, Telematics, ACC, Cruise control, Car telephone, Emergency call, LDW, Autonomous driving, V2I communication, V2V communication, ??]

Modern cars can come with up to 80 CPUs, 2 miles of cable, several hundred MB of software, and 5 in-vehicle networks.

A "vehicle" is NO longer just a "mechanical system".

Reference: A. Weimerskirch (ESCRYPT), "Security Considerations for Connected Vehicles", in SAE Government and Industry Meeting, Washington DC, Jan. '12

2. Vehicle Cyber Risks

[Figure: Internet, Smart-phone, Computer, Music-player and Hacker as paths into the vehicle]

Virus or malware carried in smart-phones or music-players can easily invade automotive electronics.

2. Vehicle Cyber Risks

Special risks

CASE-1: Vehicles are only able to communicate externally through mobile phones.
  [Figure: Base station – Mobile phone – Vehicle]

CASE-2: Communication for crash-avoidance has limited time (100 ms order).
  [Figure: Vehicle-A – Vehicle-B]

2. Cyber Risks for Vehicle

Additional vulnerabilities, compared to computer/internet security.

VULNERABILITY 1: Limited vehicle external connectivity
  - Difficulty in updating security software
  - Difficulty in monitoring automotive electronics status

VULNERABILITY 2: Limited computational performance, due to high endurance and long vehicle life-cycle (10 years)
  - Vulnerability to compete against a hacker's PC

VULNERABILITY 3: Real-time operation

VULNERABILITY 4: Vehicle consists of various components/parts. Large industry pyramid from suppliers to OEM (OEM – Tier-1 – Tier-2 – Parts suppliers)

VULNERABILITY 5: Unpredictable attack scenarios and threats

VULNERABILITY 6: Hazard to drivers' and passengers' lives

References:
~ Information-Technology Promotion Agency (of Japanese government). (Apr. '11) "'10 report: Movements of Vehicle Cyber-security" (Japanese)
~ A. Weimerskirch, "Security Considerations for Connected Vehicles", in SAE Government and Industry Meeting, Washington DC, Jan. '12
~ P. Kleberger, T. Olovsson and E. Jonsson, "Security aspects of the in-vehicle network in the connected car", Intelligent Vehicles Symposium (IV), 2011 IEEE, pp. 528-533, 5-9 Jun. '11

3. Vehicle Cyber Security Approaches

Additional complicated vulnerabilities, compared to computer/internet security.

Industry expects both 'proper guidelines' & 'competitive approaches'.

To define proper guidelines, well-defined risk analysis is required.

3. Vehicle Cyber Security Approaches

Proper security requires well-defined risk analysis.

Vehicle cyber security is vulnerable, but Risk ≠ Vulnerability.

Risk = function (Vulnerability, Hackers' motivation/skills, Hazard)

Inputs:
  Vulnerability: vulnerability of system security
  Hackers' motivation/skills: adversary ROI (investment / risk / return)
  Hazard: magnitude of hazards when security is compromised

Reference: ~ D. Etue (SafeNet), web seminar "Cyber Security in Highly Innovative World" (Jul. '13)

3. Vehicle Cyber Security Approaches

Risk analysis: Hackers' motivations/skills

Type      | Aims                                 | Target (potential)        | Approaches                                                                                              | Hacker type                          | Skill
----------|--------------------------------------|---------------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|-------------
Classic   | Financial                            | Vehicle, components/parts | Steal vehicle, components or parts                                                                      | Individual, Group                    | Low, Medium
Classic   | Financial, harm to driver's property | Driver                    | Acquire driving log or history and physically attack drivers or steal/damage drivers' property          | Individual, Group                    | Medium
New types | Harm to individual                   | Driver                    | Manipulate a single or small number of vehicles to cause (severe) accidents                             | Individual, Group                    | Medium, High
New types | Damage to community                  | Community                 | Manipulate a large number of (e.g. police) vehicles to cause (severe) accidents and damage to community | Group, Organization (i.e. terrorism) | High

+ In general, the person who invents a tool to break security possesses much higher skills than the person who is only using the tool (e.g. the case of the "immobilizer cutter").
+ Inside hackers possess deeper knowledge about the security mechanism.

References:
~ A. Weimerskirch, "Do Vehicles Need Data Security?" SAE World Congress, Detroit, MI, Apr. '11
~ Information-Technology Promotion Agency. (Apr. '11) "Movements of Vehicle Cyber Security" (Japanese)
~ EVITA deliverable D2.3 "Security requirements for automotive on-board networks based on dark-side scenarios" ('09)

3. Vehicle Cyber Security Approaches

Risk analysis: Hazard assessment – ISO 26262 (Automotive Functional Safety)

Sample of hazard assessment – 'Vehicle center console'

Function                      | Sample malfunction                                                       | Exposure | Controllability | Severity | ASIL
------------------------------|--------------------------------------------------------------------------|----------|-----------------|----------|-----
CD/DVD control                | CD/DVD is not working                                                    | E3       | C1              | S1       | QM
Emergency call                | Emergency call is not placed at accident                                 | E1       | C3              | S3       | A
Navigation                    | Erroneous guidance, e.g. opposite direction on freeway                   | E2       | C2              | S3       | A
Rearview camera (monitoring)* | When backing up, image of rear view camera freezes (shows old image)     | E3       | C3              | S3       | C
Air conditioner control       | Heater is not working during the winter in Canada                        | E3       | C2              | S2       | A
Turn signal in cluster panel  | Shows signal activation in cluster, though actual signal is not working  | E1       | C2              | S3       | QM
Power window**                | Unwanted window closing                                                  | E2       | C2              | S3       | A
Air bag                       | Fault activation during driving                                          | E4       | C3              | S3       | D

References:
*: H. Onishi, "Approach for Vehicle Cyber Security with Functional Safety Concept" in SAE World Congress, Detroit, MI, Apr. '13
**: R. Hamann et al., "ISO 26262 Release Just Ahead: Remaining Problems and Proposals for Solutions" in SAE World Congress, Detroit, MI, Apr. '11
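The ASIL column of a hazard assessment is determined from severity (S), exposure (E) and controllability (C) with the ASIL determination table of ISO 26262-3, and the earlier slide's formula treats that hazard as one of three inputs to risk, next to vulnerability and the attacker's motivation/skills. The following Python is an added example, not part of the original slides and not ISO 26262 or EVITA code: it encodes the ISO 26262-3 ASIL table, reproduces the ratings of the center-console rows, and combines the hazard with an assumed 1-3 vulnerability estimate and the Low/Medium/High attacker-skill scale of the hacker-type table into an ordinal risk score. The `Assessment` class, the `risk_score` combination and the vulnerability/skill values attached to the sample rows are assumptions for illustration only.

```python
# Added example (not from the slides): ISO 26262 hazard rating plus a simple
# risk ranking in the shape "Risk = f(Vulnerability, attacker skill, Hazard)".
from dataclasses import dataclass

# ASIL determination table from ISO 26262-3. Key: (severity, exposure);
# value: ASIL for controllability C1, C2, C3. "QM" = quality management only.
ASIL_TABLE = {
    ("S1", "E1"): ("QM", "QM", "QM"), ("S1", "E2"): ("QM", "QM", "QM"),
    ("S1", "E3"): ("QM", "QM", "A"),  ("S1", "E4"): ("QM", "A", "B"),
    ("S2", "E1"): ("QM", "QM", "QM"), ("S2", "E2"): ("QM", "QM", "A"),
    ("S2", "E3"): ("QM", "A", "B"),   ("S2", "E4"): ("A", "B", "C"),
    ("S3", "E1"): ("QM", "QM", "A"),  ("S3", "E2"): ("QM", "A", "B"),
    ("S3", "E3"): ("A", "B", "C"),    ("S3", "E4"): ("B", "C", "D"),
}


def asil(exposure: str, controllability: str, severity: str) -> str:
    """Return the ASIL ('QM', 'A'..'D') for one hazardous event."""
    if "0" in (severity[-1], exposure[-1], controllability[-1]):
        return "QM"  # S0, E0 or C0: no safety requirement results
    column = {"C1": 0, "C2": 1, "C3": 2}[controllability]
    return ASIL_TABLE[(severity, exposure)][column]


# Ordinal scales used by this example (assumption, not from ISO 26262 or the slides).
HAZARD_LEVEL = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}
SKILL_LEVEL = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Assessment:
    function: str
    malfunction: str
    exposure: str
    controllability: str
    severity: str
    vulnerability: int   # assumed scale: 1 = hard to reach, 3 = easily reachable
    attacker_skill: str  # lowest skill level able to cause the malfunction (assumed)


def risk_score(a: Assessment) -> int:
    """Risk = f(Vulnerability, attacker skill, Hazard) as an ordinal score.

    The combination is an assumption for illustration: the hazard level is
    multiplied by the vulnerability estimate and by how *little* skill the
    attack needs (a low-skill attack raises risk). Any monotone function would
    serve; the point is that risk is not vulnerability alone.
    """
    hazard = HAZARD_LEVEL[asil(a.exposure, a.controllability, a.severity)]
    ease = 4 - SKILL_LEVEL[a.attacker_skill]  # High skill needed -> 1, Low -> 3
    return hazard * a.vulnerability * ease


def rank(assessments):
    """Return (function, ASIL, risk score) tuples, highest risk first."""
    rows = [(a.function, asil(a.exposure, a.controllability, a.severity), risk_score(a))
            for a in assessments]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample: E/C/S values follow the 'vehicle center console' table;
# the vulnerability and attacker-skill columns are invented for the example.
SAMPLE = [
    Assessment("CD/DVD control", "CD/DVD is not working", "E3", "C1", "S1", 3, "Low"),
    Assessment("Emergency call", "Not placed at accident", "E1", "C3", "S3", 2, "Medium"),
    Assessment("Navigation", "Erroneous guidance", "E2", "C2", "S3", 3, "Medium"),
    Assessment("Rearview camera", "Image freezes when backing up", "E3", "C3", "S3", 2, "Medium"),
    Assessment("Air conditioner", "Heater not working in winter", "E3", "C2", "S2", 2, "Low"),
    Assessment("Turn signal (cluster)", "Shows activation though signal off", "E1", "C2", "S3", 2, "Medium"),
    Assessment("Power window", "Unwanted window closing", "E2", "C2", "S3", 2, "High"),
    Assessment("Air bag", "Fault activation during driving", "E4", "C3", "S3", 1, "High"),
]

if __name__ == "__main__":
    for function, level, score in rank(SAMPLE):
        print(f"{function:22s} ASIL {level:2s} risk {score}")
```

Running the block shows why the slide separates the inputs: the air bag carries the highest hazard (ASIL D) but, with low assumed reachability and a high skill requirement, ranks below the rearview camera, whose ASIL C hazard is paired with an easier attack.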

3. Vehicle Cyber Security Approaches

Concepts of system security

+ 6 security phases should be covered by both process/management and technologies ~ CIP (Critical Infrastructure Protection) by NERC (North American Electric Reliability Corporation)*
  6 phases:
  - Analysis and Assessment
  - Remediation
  - Indications and Warnings
  - Mitigation
  - Incident Response
  - Reconstitution

+ New concept: "Trustworthy (computing) design" approaches**
  Initially design the system in consideration of "Security", "Privacy", "Reliability" and "Business Integrity". e.g. Brakes should be reliable.

References:
*: http://en.wikipedia.org/wiki/Critical_infrastructure_protection
**: Craig Mundie (Microsoft CTO and Senior VP), ('02)

4. Vehicle Cyber Security Guidelines

Guideline samples for cyber-physical systems

Guideline                                                              | Publisher             | Domain                                              | Description
-----------------------------------------------------------------------|-----------------------|-----------------------------------------------------|--------------------------------------------------------------------------------------------------------------
IEC 62443 (Industrial network & system security)                       | IEC                   | Industrial system                                   | Covers broader industrial systems
Guide to Industrial Control System security                            | NIST                  | Industrial system                                   | Covers broader industrial systems, from management & technical sides
NIST-800-61                                                            | NIST                  | PC/internet & industrial system                     | Handles incidents (including attack analysis, recovery, etc.)
CIP (Critical Infrastructure Protection)*                              | NERC                  | Industrial system (mainly), PC/internet (part of)   | Covers broader critical infrastructures, considering 6 phases (e.g. mitigation, recovery), from management & technical sides
'EVITA' deliverables                                                   | EU                    | Vehicle                                             | Outputs from research project
Vehicle information security guide                                     | Japanese agency – IPA | Vehicle                                             |
J3061 (Cyber security Guidebook for Cyber-Physical Automotive Systems)** | SAE                 | Vehicle                                             | Under development

References:
*: www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
**: www.sae.org/servlets/works/documentHome.do?comtID=TEVEES18&docID=J3061&inputPage=dOcDeTaIlS

4. Vehicle Cyber Security Guidelines

European project "EVITA"

Created possible attack trees for selected use cases (18 use cases for 6 groups).

[Figure: Sample attack tree – 'Compromise driver's privacy' (attack goal at the top, attack methods beneath)]

Reference: ~ EVITA deliverable D2.3 "Security requirements for automotive on-board networks based on dark-side scenarios" ('09)
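An attack tree of the kind EVITA built is useful to a defender once it is evaluated: the least-cost path to the goal shows where a countermeasure raises the attacker's effort the most. The following Python is an added example and is not EVITA's tree or tooling: the `Node` class, the OR/AND evaluation, the leaf names under the goal 'Compromise driver's privacy' and their single-integer cost ratings are all constructed for illustration (EVITA rates leaves with Common Criteria-style attack potential factors; the 0-10 integer here stands in for that rating).

```python
# Added example (not from EVITA deliverable D2.3): bottom-up evaluation of an
# attack tree to find the cheapest path to the goal, before and after a
# countermeasure. Tree, leaf names and costs are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    cost: Optional[int] = None      # leaf: attack potential on an assumed 0-10 scale
    gate: str = "OR"                # inner node: "OR" (any child) or "AND" (all children)
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[int, List[str]]:
    """Return (total cost, leaf names) of the least costly way to reach `node`.

    OR gate: the attacker picks the cheapest child.
    AND gate: every child is required, so costs add up.
    """
    if node.cost is not None:                       # leaf
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.gate == "OR":
        return min(results, key=lambda r: r[0])
    if node.gate == "AND":
        total = sum(cost for cost, _ in results)
        leaves = [leaf for _, leaves in results for leaf in leaves]
        return total, leaves
    raise ValueError(f"unknown gate {node.gate!r}")


def strengthen(node: Node, leaf_name: str, extra: int) -> Node:
    """Model a countermeasure: add `extra` cost to one leaf, returning a new tree."""
    if node.cost is not None:
        cost = node.cost + extra if node.name == leaf_name else node.cost
        return Node(node.name, cost)
    return Node(node.name, None, node.gate,
                [strengthen(child, leaf_name, extra) for child in node.children])


# Constructed sample tree for the slide's goal. Leaves and costs are illustrative.
PRIVACY_TREE = Node("Compromise driver's privacy", gate="OR", children=[
    Node("Read stored trip log", gate="AND", children=[
        Node("Physical access to head unit", cost=3),
        Node("Extract unprotected storage", cost=2),
    ]),
    Node("Eavesdrop telematics link", gate="AND", children=[
        Node("Capture wireless traffic", cost=2),
        Node("Defeat link encryption", cost=7),
    ]),
    Node("Abuse paired phone", gate="AND", children=[
        Node("Get malware onto paired phone", cost=4),
        Node("Head unit trusts phone requests", cost=2),
    ]),
])


def before_and_after():
    """Cheapest path now, and after protecting the on-board storage (+6)."""
    base = cheapest(PRIVACY_TREE)
    hardened = cheapest(strengthen(PRIVACY_TREE, "Extract unprotected storage", 6))
    return base, hardened


if __name__ == "__main__":
    (cost0, path0), (cost1, path1) = before_and_after()
    print("cheapest path now:", cost0, path0)
    print("after storage protection:", cost1, path1)
```

The second evaluation is the point of the exercise: protecting stored data (secured storage is one of the HSM functions listed later in the deck) removes the cheapest path, and the next-cheapest path through the paired phone becomes the new minimum, which is where the next requirement should go.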

4. Vehicle Cyber Security Guidelines

European project "EVITA"

Provides security requirements, based on the identified attack trees.

[Figure: Sample of security requirements – 'Privacy/confidentiality' …]

Reference: ~ EVITA deliverable D2.3 "Security requirements for automotive on-board networks based on dark-side scenarios" ('09)

4. Vehicle Cyber Security Guidelines

European project "EVITA"

Provides a reference architecture including an HSM (Hardware Security Module).

+ Development of Hardware Security Modules deployed with ECUs
  - Key protection
  - Trusted computing base
  - Secured storage
  - Cost effective
+ In-car cryptographic protocols to secure ECU-ECU and sensor communication
+ Software framework integrating authentication, encryption & access control, etc.

Reference: ~ B. Weyl, et al., "The EVITA Project: Securing the Networked Vehicle" in escar (Dresden, Germany, '11)
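One of the building blocks listed above is an in-car cryptographic protocol for ECU-to-ECU messages. The following Python is an added example, not EVITA's protocol or reference code: each frame is authenticated with a truncated HMAC under a key shared by the two ECUs and carries a monotonic counter, so the receiving ECU rejects both forged and replayed frames. The frame layout, the 4-byte MAC length, the ECU id and the demo key and payload are assumptions; in the EVITA architecture the key and the counter state would be held by the HSM rather than in plain variables.

```python
# Added example (not EVITA's protocol): authenticated, replay-protected
# ECU-to-ECU frames using a shared key, a truncated HMAC and a counter.
import hashlib
import hmac
import struct

MAC_LEN = 4          # MAC bytes carried per frame (assumption; truncated to keep frames short)
HEADER_FMT = ">BI"   # sender ECU id (1 byte) | message counter (4 bytes, big-endian)
HEADER_LEN = struct.calcsize(HEADER_FMT)


def frame_mac(key: bytes, header: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 over header and payload, truncated to MAC_LEN bytes."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]


class SenderEcu:
    def __init__(self, key: bytes, ecu_id: int):
        self.key = key
        self.ecu_id = ecu_id
        self.counter = 0   # must persist across resets (HSM secured storage in EVITA terms)

    def send(self, payload: bytes) -> bytes:
        """Build frame = header | payload | mac, with a fresh counter value."""
        self.counter += 1
        header = struct.pack(HEADER_FMT, self.ecu_id, self.counter)
        return header + payload + frame_mac(self.key, header, payload)


class ReceiverEcu:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}   # highest counter accepted, per sender ECU id

    def receive(self, frame: bytes):
        """Return (payload, 'ok') if the frame is authentic and fresh, else (None, reason)."""
        if len(frame) < HEADER_LEN + MAC_LEN:
            return None, "too short"
        header = frame[:HEADER_LEN]
        payload = frame[HEADER_LEN:-MAC_LEN]
        mac = frame[-MAC_LEN:]
        # Check the MAC first so an unauthenticated counter can never update state.
        if not hmac.compare_digest(mac, frame_mac(self.key, header, payload)):
            return None, "bad MAC"
        ecu_id, counter = struct.unpack(HEADER_FMT, header)
        if counter <= self.last_counter.get(ecu_id, 0):
            return None, "replay"   # counter must strictly increase per sender
        self.last_counter[ecu_id] = counter
        return payload, "ok"


def demo():
    """Constructed exchange: genuine frame, replay of it, tampered copy, next frame."""
    key = b"constructed-demo-key-not-for-use"   # constructed; real keys live in the HSM
    brake_ecu = SenderEcu(key, ecu_id=0x10)
    body_ecu = ReceiverEcu(key)
    frame = brake_ecu.send(b"\x01")              # constructed one-byte payload
    # Flip one payload bit without touching the MAC.
    tampered = frame[:HEADER_LEN] + bytes([frame[HEADER_LEN] ^ 0x01]) + frame[HEADER_LEN + 1:]
    return [
        body_ecu.receive(frame)[1],              # fresh, authentic
        body_ecu.receive(frame)[1],              # same frame again
        body_ecu.receive(tampered)[1],           # payload altered
        body_ecu.receive(brake_ecu.send(b"\x00"))[1],   # next counter value
    ]


if __name__ == "__main__":
    print(demo())
```

Two details matter for the "limited computational performance" and "real-time operation" vulnerabilities listed earlier: the MAC is truncated so it fits beside a small payload, which trades forgery resistance for bus bandwidth and must be sized deliberately, and verification is a single HMAC plus a counter compare, which keeps per-frame latency predictable on a small ECU.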

4. Vehicle Cyber Security Guidelines

Japanese agency (IPA)'s guide

+ Covers the whole life-cycle of the vehicle ('Planning' ~ 'Disposal').
+ Covers all players related to the vehicle life-cycle.

[Figure: Information-Technology Promotion Agency life-cycle overview]

Reference: ~ http://www.ipa.go.jp/files/000033402.pdf

4. Vehicle Cyber Security Guidelines

Japanese agency (IPA)'s guide

Vehicle system model of the IPA guideline: categorized functions in 3 groups.

[Figure: IPA vehicle system model]

Reference: ~ http://www.ipa.go.jp/files/000033402.pdf

4. Vehicle Cyber Security Guidelines

Japanese agency (IPA)'s guide

Threats and countermeasures (based on the vehicle system model)

[Figure legend: direct threats thru physical I/O; indirect threats thru vehicle bus; potential effective countermeasures]

Reference: ~ http://www.ipa.go.jp/files/000033402.pdf

4. Vehicle Cyber Security Guidelines

SAE "Electrical system security" committee's approach

"Automotive Security Guidelines & Risk Management" Taskforce (under the "Vehicle Electrical System Security" committee)

+ Creates the Cyber security Guidebook for Cyber-Physical Automotive Systems
  - Complies with the risk methodology in the ISO 26262 Functional Safety Standard
  - Contains automotive cyber security framework and processes
  - Evaluates Threat Analysis and Risk Assessment (TARA) methods
  - Follows a simple approach to allow effective implementation across the automotive industry
  - Contains elements of existing industry security standards
  - Provides definitions, acronyms and sample templates
+ Expected to be completed by mid 2014

Reference: ~ L. Boran (SAE Committee Chair) "Automotive Cyber-Security", escar (Nov. '13, Frankfurt, Germany)

5. Summary

Vulnerabilities in vehicle cyber security:
- Limited vehicle external connectivity
- Limited computational performance
- Real-time operation
- Various components/parts from various suppliers
- Unpredictable attack scenarios and threats
- Hazard to drivers' and passengers' lives

Proper security requires well-defined risk analysis.

Risk depends on 'hackers' motivation/skills', 'magnitude of hazard' and 'vulnerability of security'.

Many guidelines have been issued or are under development for the automotive industry.
- EVITA (E-safety vehicle intrusion protected applications) guideline
- IPA (Information Promotion Agency) guideline
- SAE guideline – under development

Thank you for your attention!!

Hiro Onishi
Alpine Electronics Research of America, Inc.
honishi@alpine-la.com
Tel: +1-310-783-7281

Slide design: Mari Hatazawa
mhatazawa@alpine-la.com