Outlook on Cybersecurity and Safety
The Future of Automotive Safety
April 4th, 2018
Bill Hass ([email protected])
Who Lear is: Electrical Product Portfolio
Outline
I. Introduction
II. Looking Back…
III. Where We Are Today.
IV. What’s Ahead and Beyond >>>
Looking Back…
Safety and Security
• In the recent past, safety and security were disjoint domains in automotive.
• The assumption was that vehicle networks were not connected to the outside world.
o Physical access was the only security measure.
▪ “An attacker can just snip brake lines anyway…”
[Figure: Safety and Security shown as two separate circles inside Automotive]
Sources: • Brady Holt, https://commons.wikimedia.org/wiki/File:IIHS_crash_test_dummy_in_Hyundai_Tucson.jpg • iStock
Long History of Automotive Theft and Fraud
• Hot-wire to bypass ignition switch.
• Smash and grab to bypass locks.
• Electronics and security measures make attacks more sophisticated...
o Theft protection and odometer manipulation are the target of organized crime, with million-dollar investments to overcome security mechanisms.
Sources: • http://www.cbc.ca/news/business/marketplace-electronic-car-theft-1.3515106 • http://www.ebay.com
Safety Critical Systems Under Attack
Several Highly Publicized Automotive Hacks
[Figure: five news headlines, three from 2015 and two from 2016]
Sources:
• http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/
• https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
• https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/
• http://www.cbsnews.com/news/car-hacked-on-60-minutes/
• https://www.wired.com/2016/08/researchers-hack-big-rig-truck-hijack-accelerator-brakes/
Where We Are Today.
Safety and Security
• With connectivity and electronics, security is becoming more and more important.
• Safety and security are no longer disjoint areas of an automobile.
• Safety clearly depends on security.
[Figure: Safety and Security shown as overlapping circles inside Automotive]
Sources: • https://autowise.com/just-like-jets-infiniti-q50-rocks-steer-wire-system/ • http://www.ipwatchdog.com/2015/06/18/wireless-induction-charging-is-coming-to-electric-vehicles/id=58756/
Importance of Cybersecurity
• Automotive product cybersecurity will become increasingly important.
• Automotive threat sophistication is low compared to internet hacks, but that will change over time.
• The automotive industry understands that investments are required now to beat the curve.
Systems will become more complex and threats will become more sophisticated.
Cybersecurity Components

Secure Internal & External Communications
1. Block access to vehicle networks (firewall)
2. Isolate security-sensitive ECUs via gateway
3. Authenticate and/or encrypt communication

Protect Computing Platform
1. Secure microcontroller (e.g. HSM)
2. Secure boot and hypervisor
3. Secure environment & integrity monitoring

Remote Updates and Analytics
1. Record and maintain history
2. Cloud-based analytics
3. OTA security updates

Monitor Vehicle Network and ECUs
1. Monitor and protect ECU computing platforms
2. Anomaly detection & prevention on the in-vehicle network
3. Plausibility checks of content

Development Process
1. Industry standards (e.g. SAE J3061)
2. Threat analysis & penetration testing
3. Secure development processes

Information Sharing
1. Auto-ISAC and information monitoring
2. Incident response
3. Monitoring throughout product lifecycle
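Item 3 under Secure Internal & External Communications (authenticate communication) in working form. This is an added example, not Lear's code and not an AUTOSAR implementation: it follows the SecOC pattern of appending a truncated freshness counter and a truncated MAC to each CAN payload, and the receiver reconstructs the full counter before checking the MAC. Python's HMAC-SHA256 stands in for the CMAC-AES a real ECU would compute in its HSM; the key, CAN ID, truncation sizes and acceptance window are assumptions.

```python
"""Authenticated CAN payloads with a freshness counter (SecOC-style).

Added example: truncated HMAC-SHA256 stands in for the CMAC-AES a real
ECU would compute in its HSM. Key, CAN ID, truncation sizes and the
freshness acceptance window are assumptions for illustration.
"""
import hashlib
import hmac
import struct

FRESH_TRUNC_BYTES = 1   # low 8 bits of a 32-bit counter travel in the frame
MAC_TRUNC_BYTES = 3     # 24-bit truncated MAC
FRESH_WINDOW = 16       # how far ahead of the last accepted counter we tolerate
CAN_DLC = 8             # classic CAN data field


def _mac(key: bytes, can_id: int, payload: bytes, counter: int) -> bytes:
    """MAC over CAN ID, the full (untruncated) counter and the payload."""
    msg = struct.pack(">II", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build(self, payload: bytes) -> bytes:
        """Return payload || truncated counter || truncated MAC (<= 8 bytes)."""
        if len(payload) + FRESH_TRUNC_BYTES + MAC_TRUNC_BYTES > CAN_DLC:
            raise ValueError("payload does not fit in a classic CAN frame")
        self.counter += 1
        tag = _mac(self.key, self.can_id, payload, self.counter)
        fresh = (self.counter & 0xFF).to_bytes(FRESH_TRUNC_BYTES, "big")
        return payload + fresh + tag[:MAC_TRUNC_BYTES]


class Receiver:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.last_counter = key, can_id, 0

    def verify(self, frame: bytes):
        """Return the payload if authentic and fresh, else None (frame dropped)."""
        trailer = FRESH_TRUNC_BYTES + MAC_TRUNC_BYTES
        if len(frame) <= trailer:
            return None
        payload, fresh, tag = frame[:-trailer], frame[-trailer], frame[-MAC_TRUNC_BYTES:]
        # Rebuild the full counter from the truncated byte: keep the receiver's
        # high bits, substitute the low byte, roll over if that went backwards.
        candidate = (self.last_counter & ~0xFF) | fresh
        if candidate <= self.last_counter:
            candidate += 0x100
        if candidate - self.last_counter > FRESH_WINDOW:
            return None   # replay, or too many lost frames to resynchronise
        expected = _mac(self.key, self.can_id, payload, candidate)
        if not hmac.compare_digest(expected[:MAC_TRUNC_BYTES], tag):
            return None   # forged or tampered
        self.last_counter = candidate   # advance only after a successful check
        return payload


def demo() -> dict:
    """Exercise the accept/reject cases with a constructed key and payload."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed test key
    tx, rx = Sender(key, 0x1A0), Receiver(key, 0x1A0)
    speed = b"\x27\x10\x00\x00"                                  # constructed payload
    out = {}
    f1 = tx.build(speed)
    out["genuine"] = rx.verify(f1)            # accepted
    out["replay"] = rx.verify(f1)             # same frame again: counter not fresh
    f2 = tx.build(speed)
    tampered = b"\x00\x00\x00\x00" + f2[4:]   # payload changed, counter/MAC reused
    out["tampered"] = rx.verify(tampered)     # MAC mismatch, counter not advanced
    out["after_tamper"] = rx.verify(f2)       # the real f2 is still accepted
    for _ in range(3):
        tx.build(speed)                       # three frames lost on the bus
    out["after_loss"] = rx.verify(tx.build(speed))    # within window: accepted
    for _ in range(FRESH_WINDOW + 1):
        tx.build(speed)                       # too many lost to resynchronise
    out["desync"] = rx.verify(tx.build(speed))        # outside window: dropped
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} -> {'accepted' if result else 'dropped'}")
```

The window check runs before the MAC so a replayed frame is dropped without a key operation, and `last_counter` only moves on a verified frame, so a rejected forgery cannot push the receiver out of sync with the real sender. Losing more than `FRESH_WINDOW` consecutive frames leaves the receiver unable to resynchronise; production schemes pair the truncated counter with a periodically broadcast full freshness value for that reason.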
Safety and Security Processes
• Safety is more mature than cybersecurity.
o Overall process – requirement tracking, component and system analysis.
• Security benefits from safety’s maturity.
o Piggy-back on requirement tracking systems.
o Utilize the safety process functions for vulnerability management and risk assessments.
o HARA (Hazard Analysis and Risk Assessment) used as input to TARA (Threat Analysis and Risk Assessment).
• Standardization – Can cybersecurity be standardized?
[Figure: TARA flow – Vulnerabilities, Exploits, Attacker Goals, Security Mitigations, Security Concept]
Lear Security Architecture
[Figure: Off-vehicle – a cloud-based Security Operation Center; security reports flow up from the vehicle and OTA software flows down. On-vehicle – a connected gateway with wireless communication, dynamic firewall and hypervisor, communication controller, network ADS and ECU monitor, attached to ECU1, ECU2 … ECUn, each running an Electronic Control Unit Monitor.]
Monitoring the Vehicle
• Modules in the vehicle run local monitors
o Network monitor
o ECU monitor
o Content monitor
• Run analysis in the cloud
• Update software
Continuously monitor, update, and improve defensive capabilities.
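The network monitor and content monitor above, and items 2 and 3 of "Monitor Vehicle Network and ECUs" on the Cybersecurity Components slide, as one runnable example. This is added code, not Lear's monitor: it parses a constructed candump-style log, flags CAN IDs outside an allow-list, flags frames that arrive far earlier than their period (the signature of an injected message racing a genuine periodic one) and rejects content that is physically implausible. The signal layout (0x0C4 carrying vehicle speed in 0.01 km/h), the periods and the plausibility limit are assumptions; real values come from the OEM's DBC.

```python
"""In-vehicle network monitor: ID allow-list, timing anomalies and content
plausibility, run over a constructed candump-style log.

Added example, not Lear's monitor. The signal layout (0x0C4 = vehicle speed
in 0.01 km/h, big-endian, first two bytes), the message periods and the
plausibility limit are assumptions; real values come from the OEM's DBC.
"""
import re

SPEC = {                       # assumed periodic-message spec, doubling as allow-list
    0x0C4: {"period_s": 0.010, "name": "VehicleSpeed"},
    0x1A0: {"period_s": 0.100, "name": "BodyStatus"},
}
MAX_SPEED_STEP_KMH = 1.0       # assumed max plausible change between two 10 ms frames
MIN_GAP_FRACTION = 0.5         # a frame arriving earlier than half its period is suspect

# Constructed log in candump -L format. The frame at .023 is an injected
# "speed = 0" message; 0x7DF is an OBD request nobody on this bus should send.
SAMPLE_LOG = """\
(1523000000.000000) can0 0C4#27100000
(1523000000.010000) can0 0C4#27110000
(1523000000.020000) can0 0C4#27120000
(1523000000.023000) can0 0C4#00000000
(1523000000.030000) can0 0C4#27130000
(1523000000.040000) can0 0C4#27140000
(1523000000.050000) can0 7DF#0201000000000000
(1523000000.100000) can0 1A0#01
"""

LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")


def parse_candump(text: str) -> list:
    """Parse '(ts) iface ID#DATA' lines into (ts, can_id, data) tuples."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, _iface, can_id, data = m.groups()
            frames.append((float(ts), int(can_id, 16), bytes.fromhex(data)))
    return frames


def speed_kmh(data: bytes) -> float:
    """Decode the assumed 16-bit big-endian speed signal in 0.01 km/h."""
    return int.from_bytes(data[:2], "big") / 100.0


def monitor(frames: list) -> list:
    """Return (ts, can_id, kind) alerts: 'unknown_id', 'timing' or 'plausibility'."""
    alerts, last_ts, last_speed = [], {}, None
    for ts, can_id, data in frames:
        spec = SPEC.get(can_id)
        if spec is None:                       # gateway allow-list: ID not expected here
            alerts.append((ts, can_id, "unknown_id"))
            continue
        if can_id in last_ts and ts - last_ts[can_id] < MIN_GAP_FRACTION * spec["period_s"]:
            alerts.append((ts, can_id, "timing"))   # extra frame between genuine periodic ones
        last_ts[can_id] = ts
        if can_id == 0x0C4:
            s = speed_kmh(data)
            if last_speed is not None and abs(s - last_speed) > MAX_SPEED_STEP_KMH:
                alerts.append((ts, can_id, "plausibility"))
            else:
                last_speed = s                 # only plausible values become the new baseline
    return alerts


if __name__ == "__main__":
    for ts, can_id, kind in monitor(parse_candump(SAMPLE_LOG)):
        print(f"{ts:.3f} 0x{can_id:03X} {kind}")
```

The injected frame trips both the timing and the plausibility rule, which is the point of running them together: an attacker who times the injection to land exactly on the period defeats the timing check, and one who ramps the forged value slowly defeats the plausibility check, but doing both at once is much harder. Note that an implausible value is not adopted as the new baseline, so a single injected frame cannot make the next genuine frame look like the anomaly.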
What’s Ahead and Beyond >>>
Safety & Security
• Safety and security will continue to converge.
• Safety needs security, and security needs safety.
• Safety systems and security systems will be designed more closely.
[Figure: Safety and Security shown as largely overlapping circles inside Automotive]
Sources: • https://www.theverge.com/2016/5/19/11711890/uber-first-image-self-driving-car-pittsburgh-ford-fusion • http://fortune.com/2016/06/07/autonomous-car-sales-ihs/
Leveraging Safety
• Safety systems deployed today include mechanisms to safely handle safety-critical events (e.g. software corruption, loss of network, hardware degradation).
• Self-healing, resilient security architectures rely on these safety mechanisms to respond to cyberattacks locally.
[Figure: vehicle topology – TCU, OBD-II, CGW, Powertrain, Comfort; off-board SOC, OTA, OEM, etc.]
Co-Designing Safety and Security
• New safety technologies must be designed with security and vice versa.
• Safe designs will produce security requirements while secure designs will produce safety requirements.
o Tesla’s “Autopilot”
o Driver fatigue
o V2X
o Platooning
o Machine vision
o Fully-autonomous
o AUTOSAR
Complexity is the enemy of security.
Conclusions
• Cybersecurity threat sophistication will increase over time.
• Automotive safety and security are already converging.
• Lessons learned from the more mature safety discipline are making adoption of security easier.
• Safety and security will continue to find synergies and will be of significant importance in the production of a vehicle.
• Security can’t exist without safety, and safety can’t exist without security.