Page 1

Functional Safety and Cyber-Security – Experiences and Trends

Dr. Christof Ebert, Vector Consulting Services

V1.0 | 2017-12-11

Page 2

© 2017. Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.0 | 2017-12-11

Vector Consulting Services (Welcome)

Experts for product development, product strategy and IT in critical systems

Interim support, such as virtual security and safety officers and interim management

Global presence

Trainings on Agile, Requirements, Security, Safety, CMMI/SPICE etc.

Part of Vector Group with over 2000 employees

www.vector.com/consulting

Industries served: Railway, IT & Finance, Automotive, Aerospace, Digital Transformation, Medical

Page 3

Vector Client Survey: Security and Safety are Major Challenges (Welcome)

Vector recommendation: Efficiently implement safety and security

Automotive magic triangle

Join 2018 survey now and win a training or book

www.vector.com/trends-survey

[Chart: scatter plot of challenges. Horizontal axis: short-term challenges (0% to 70%); vertical axis: mid-term challenges (0% to 70%). Plotted categories: Security and Safety, Complexity Management, Governance and Compliance, Digital Transformation, Efficiency and Cost, Distributed Development, Connectivity, Innovative Products, Others.]

Vector Client Survey 2017. Details: www.vector.com/trends. Horizontal axis shows short-term challenges; vertical axis shows mid-term challenges. Sum > 100% due to 3 answers per question. Strong validity with >4% response rate of 1500 recipients from different industries worldwide.

Page 4

1. Welcome

2. Safety needs Security

3. Risk-Oriented Development

4. Practical Guidance and Vector Experiences

5. Conclusions

Agenda


Page 5

ACES (Autonomy, Connectivity, Efficiency, Services) (Safety needs Security)

[Diagram: connected-vehicle ecosystem linking the vehicle via 4G LTE, OBD and DSRC to suppliers, the OEM, public clouds, service providers and the ITS operator.]

Security will be the major liability risk in the future. In 70% of cases a security breach is detected by a third party, and on average only after 8 months.

Cyber-attacks:

Password attacks

Application vulnerabilities

Rogue clients, malware

Man-in-the-middle attacks

Eavesdropping, data leakage

Command injection, data corruption, back doors

Physical attacks, sensor confusion

Trojans, ransomware

Page 6

1. Welcome

2. Safety needs Security

3. Risk-Oriented Development

4. Practical Guidance and Vector Experiences

5. Conclusions

Agenda


Page 7

Combined Safety and Security Need Holistic Systems Engineering (Risk-Oriented Development)

Functional Safety
  Goal: Protect health
  Risk: External hazards
  Governance: ISO 26262 etc.
  Methods: HARA, FTA, FMEA, ...; fail operational, ...; redundancy, ...

Cyber-Security
  Goal: Protect assets
  Risk: Internal threats
  Governance: ISO 27001 etc.
  Methods: TARA, ...; cryptography, ID/IP (intrusion detection/prevention), ...; key management, ...

Privacy
  Goal: Protect personality
  Risk: Data threats
  Governance: Privacy laws
  Methods: TARA, ...; cryptography, ...; explicit consent, ...

Common to all three: liability, risk management, holistic systems engineering

Page 8

Standards Demand Risk-Oriented Approach (Risk-Oriented Development)

Functional Safety (IEC 61508, ISO 26262): hazard and risk analysis; functions and risk mitigation; safety engineering

+ Security (ISO 27001, ISO 15408, ISO 21434, SAE J3061): threat and risk analysis; abuse, misuse and confuse cases; security engineering

ISO 26262 ed. 2 will not comprehensively address security, but will include shared methods, such as TARA. Safety and security share architecture methods, data formats and functionality; they interact and demand holistic systems engineering.

Safety lifecycle (V-model):
  Operational scenarios, hazard and risk assessment
  Safety goals and requirements
  Functional and technical safety concept
  Safety implementation
  Safety verification
  Safety validation
  Safety case, certification, approval
  Safety management after SOP (start of production)

Security lifecycle (V-model):
  Assets, threats and risk assessment
  Security goals and requirements
  Technical security concept
  Security implementation
  Security verification
  Security validation
  Security case, audit, compliance
  Security management in POS

For (re)liable and efficient ramp-up, connect security to safety governance.

Page 9

State of the Art: Functional Safety (Risk-Oriented Development)

Relevance of ISO 26262 is basically understood.

Safety work products and who owns them:
  1. Driving situations (OEM)
  2. Hazards (OEM)
  3. Risks and safety integrity level (OEM)
  4. Safety goals, safety requirements (OEM)
  5. Technical safety concept (OEM/Tier 1)
  6. Safety requirements on ECU level (OEM/Tier 1)
  7. Software safety requirements (Tier 1/Vector)

Functional safety can be efficiently achieved on the basis of mature development processes.

Page 10

State of the Art: Cyber-Security (Risk-Oriented Development)

Security demands are growing fast:
  Connectivity and open channels allow security attacks
  Exploits will persist long beyond "zero-day" because so far there is no OTA governance to close them in the field
  Safety-critical systems are connected to potentially insecure bus systems

Vector recommendations:
  Extend hazard analysis with threat analysis and automotive attack models
  Reuse existing safety artefacts to ensure a robust safety case
  Define tailored security protection for safety-critical systems
  Protect the entire bus communication, e.g. with AUTOSAR SecOC (message authentication and freshness; add encryption where confidentiality is required)
  Protect ECUs with secure boot and HW-defined security
  Completely separate infotainment and head unit (HU) from the safety-critical domains

Do not copy-paste standards because it increases overheads and complexity.

Page 11

Functional Safety and Cyber-Security Demand Risk-Oriented Development (Risk-Oriented Development)

Risk = Severity of harmful event × Probability of occurrence

[Chart: risk matrix with probability on the vertical axis and severity on the horizontal axis; the region of acceptable risk is separated from the region of unacceptable risk.]

Risk-oriented engineering means to intelligently mitigate the residual risks.

Threat model (entities and relations as drawn on the slide):
  An asset has value for stakeholders (e.g., driver, OEM).
  An attack is performed against an asset and causes a threat.
  A threat agent (e.g., hacker) has an attack potential; an attack requires that attack potential.
  A threat is reduced by a security goal, which is achieved by security engineering.

Page 12

1. Welcome

2. Safety needs Security

3. Risk-Oriented Development

4. Practical Guidance and Vector Experiences

5. Conclusions

Agenda


Page 13

Concept of Combined Threat/Hazard Analysis and Risk Assessment (Practical Guidance and Vector Experiences)

Consider specific automotive assets derived from the CIAAG (Confidentiality, Integrity, Authenticity, Availability, Governance) scheme.

Analysis steps: Assets → Threat model and risks → Measures → Concept for solution → Verification

Specific automotive asset categories:
  Safety, e.g. vehicle functions
  Finance, e.g. liability, brand image
  Operational performance, e.g. driving experience
  Privacy, legislation, governance, e.g. private data

Example: identified threats
  Safety: injuries because of malfunctioning passive entry
  Financial: extra cost due to call-back and lawsuits
  Operational performance: car cannot be started, doors cannot be opened
  Privacy/legislation: theft of personal data

Page 14

Tools for Safety and Security (Practical Guidance and Vector Experiences)

Customer benefits:
  Efficient implementation of cyber-security and functional safety
  Full life-cycle support from requirements to concept, design, test and after-sales
  Traceability and governance
  Support for heterogeneous environments
  Package offering for consulting, e.g. Vector SafetyCheck or Vector SecurityCheck

[Figure: Continuous Safety Case; Vector SecurityCheck; PREEvision Safety support]

Page 15

Case Study Powertrain: Threats and Hazards (Practical Guidance and Vector Experiences)

Hazard analysis (function, hazard, S/E/C and ASIL as printed on the slide):

Change gears: while driving at high speed (highway) the transmission shifts to a higher gear, reducing acceleration when it is needed for overtaking. S3/E4/C3, ASIL C.

Adjust speed: speed is unintentionally increased during normal operation in cruise control while driving in a city. S3/E3/C1, ASIL C.

Safety items: Adjust speed (velocity; throttle pedal, engine control), ASIL C. Change gears (transmission), ASIL C. Further items in the diagram: Lock/Unlock, Throttle.

Check before reuse: per ISO 26262-3 Table 4, S3/E4/C3 maps to ASIL D and S3/E3/C1 to ASIL A, so the S/E/C ratings and the ASIL column of this table do not agree with the standard and should be re-checked against it.

Relate identified security threats to safety hazard analysis.
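The three slides above give the pieces of a combined assessment: Risk = Severity × Probability, asset categories from the CIAAG scheme, and a hazard table with S/E/C ratings. The following Go program, added here and not part of the Vector deck, joins them: each TARA threat is scored as severity times probability, a threat linked to a HARA row takes its severity from the hazard's S class and is tagged with the ASIL that ISO 26262-3 Table 4 assigns to its S/E/C rating, and the result is ranked against an acceptance threshold. Only the ASIL table is the standard's; the 1..5 feasibility scale used as probability, the 1..4 severity scale, the mapping S1..S3 to 2..4, the threshold of 6 and the sample threats (which reuse the deck's two powertrain hazards with the S/E/C values as printed, plus the passive-entry threats from the CIAAG example) are assumptions for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// ISO 26262-3:2011 Table 4: ASIL from Severity (S1..S3), Exposure (E1..E4)
// and Controllability (C1..C3); indexed [S-1][E-1][C-1]. "QM" = no ASIL.
var asilTable = [3][4][3]string{
	{{"QM", "QM", "QM"}, {"QM", "QM", "QM"}, {"QM", "QM", "A"}, {"QM", "A", "B"}}, // S1
	{{"QM", "QM", "QM"}, {"QM", "QM", "A"}, {"QM", "A", "B"}, {"A", "B", "C"}},    // S2
	{{"QM", "QM", "A"}, {"QM", "A", "B"}, {"A", "B", "C"}, {"B", "C", "D"}},       // S3
}

// ASIL returns the ASIL for an S/E/C rating, or an error for out-of-range values.
func ASIL(s, e, c int) (string, error) {
	if s < 1 || s > 3 || e < 1 || e > 4 || c < 1 || c > 3 {
		return "", fmt.Errorf("S%d/E%d/C%d out of range", s, e, c)
	}
	return asilTable[s-1][e-1][c-1], nil
}

// Hazard is one row of the hazard analysis (HARA).
type Hazard struct {
	Function, Description string
	S, E, C               int
}

// Threat is one row of the threat analysis (TARA). Categories follow the
// deck: Safety, Financial, Operational Performance, Privacy/Legislation.
type Threat struct {
	ID, Category, Description string
	Feasibility               int     // 1 (expert, long effort) .. 5 (trivial); assumed scale, used as probability
	Severity                  int     // 1 .. 4 for threats without a linked hazard; assumed scale
	Hazard                    *Hazard // linked HARA row for safety-relevant threats, else nil
}

// Assessment is the scored result for one threat.
type Assessment struct {
	ThreatID              string
	ASIL                  string // ASIL of the linked hazard, "" if none
	Severity, Probability int
	Risk                  int // Severity x Probability
	Acceptable            bool
}

// AcceptableRisk is the assumed acceptance threshold on Risk = Severity x Probability.
const AcceptableRisk = 6

// severityOf derives the severity used in the risk product. A threat linked to a
// hazard takes it from the hazard's S class (assumed mapping S1->2, S2->3, S3->4),
// so a safety-relevant threat is never rated below the harm the HARA established.
func severityOf(t Threat) int {
	if t.Hazard != nil {
		return t.Hazard.S + 1
	}
	return t.Severity
}

// Assess scores every threat, attaches the ASIL of the linked hazard and
// returns the list ordered by decreasing risk (stable, so ties keep input order).
func Assess(threats []Threat) ([]Assessment, error) {
	out := make([]Assessment, 0, len(threats))
	for _, t := range threats {
		a := Assessment{ThreatID: t.ID, Severity: severityOf(t), Probability: t.Feasibility}
		if t.Hazard != nil {
			asil, err := ASIL(t.Hazard.S, t.Hazard.E, t.Hazard.C)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", t.ID, err)
			}
			a.ASIL = asil
		}
		a.Risk = a.Severity * a.Probability
		a.Acceptable = a.Risk <= AcceptableRisk
		out = append(out, a)
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Risk > out[j].Risk })
	return out, nil
}

// Constructed sample rows: the deck's two powertrain hazards with the S/E/C
// ratings as printed there, and threats drawn from its CIAAG example.
// Feasibility and non-safety severity values are assumed for illustration.
var sampleHazards = []Hazard{
	{"Adjust speed", "speed unintentionally increased in cruise control in a city", 3, 3, 1},
	{"Change gears", "upshift on the highway removes acceleration needed for overtaking", 3, 4, 3},
}

var SampleThreats = []Threat{
	{ID: "T1", Category: "Safety", Description: "spoofed cruise-control set-speed frame on the powertrain bus", Feasibility: 3, Hazard: &sampleHazards[0]},
	{ID: "T2", Category: "Safety", Description: "forged gear request from a compromised gateway", Feasibility: 2, Hazard: &sampleHazards[1]},
	{ID: "T3", Category: "Operational Performance", Description: "relay attack on passive entry: doors cannot be opened", Feasibility: 4, Severity: 2},
	{ID: "T4", Category: "Privacy/Legislation", Description: "theft of personal data from the head unit", Feasibility: 4, Severity: 3},
	{ID: "T5", Category: "Financial", Description: "call-back and lawsuits after a public exploit", Feasibility: 1, Severity: 4},
}

func main() {
	res, err := Assess(SampleThreats)
	if err != nil {
		panic(err)
	}
	for _, a := range res {
		fmt.Printf("%s ASIL=%-2s S=%d P=%d risk=%2d acceptable=%v\n",
			a.ThreatID, a.ASIL, a.Severity, a.Probability, a.Risk, a.Acceptable)
	}
}
```

Running it ranks the spoofed cruise-control frame and the personal-data theft highest; the table lookup also shows S3/E4/C3 as ASIL D and S3/E3/C1 as ASIL A, which is the check a reviewer would make before reusing the slide's values.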

Page 16

Case Study Powertrain: From TARA to Technical Safety/Security Concept (Practical Guidance and Vector Experiences)

Steps shown on the slide: (1) security goal and derived functional security requirements; (2) elements of the functional architecture; (3) allocation of requirements to architecture elements.

Security goal SG05 (level: High): It shall be prevented that unauthentic software is installed on vehicle ECUs.

Entities of the functional security architecture:
  Inputs: update sw command; authenticity and integrity of sw update (signature); sw update
  Function blocks: prevent unauthorized update; install sw in ECU; sw storage (e.g. flash memory); ...

Functional security requirements derived from SG05 (the slide marks with an x the entities each requirement is allocated to):
  FSR 1: The authenticity and integrity of the user_command signal during reading and transmission shall be assured.
  FSR 2: The authenticity and integrity of the authenticity signal during reading and transmission shall be assured.
  FSR 3: The authenticity and integrity of the sw_update during reading and transmission shall be assured.
  FSR 4: It shall be assured that the signal allow_update generated from the input signals is calculated correctly.
  FSR 5: The authenticity and integrity of the allow_update signal during transmission shall be assured.
  FSR 6: It shall be assured that the signal change_sw generated from the input signals is calculated correctly.
  FSR 7: If an error with regard to authenticity and integrity during reading, transmission or calculation of signals or the actuator status occurs, the system will not install the sw update.

Transform the technical security concept into security requirements. Handle security requirements exactly like functional requirements.
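SG05 and FSR 1 to 7 above describe a fail-closed update path: allow_update is true only when the update command is authentic and the signed sw_update verifies, change_sw acts only on allow_update, and any error leaves the installed software untouched. The following Go program, added here and not code from the deck or from any Vector product, implements that path with an Ed25519 signature over SHA-256(version || image) from the standard library. The container format, the ECU struct, the OEM key handling and the version check (rollback protection, which the slide's FSRs do not mention) are assumptions; FSR 5, authenticity of allow_update on the wire, is out of scope because allow_update never leaves the ECU here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ECU state: the OEM verification key provisioned at production (assumed to
// live in protected storage), the current flash image and its version.
type ECU struct {
	OEMPublicKey ed25519.PublicKey
	Flash        []byte
	Version      uint32
}

// Update is a constructed sw_update container: version, image and a detached
// Ed25519 signature over SHA-256(version || image) made with the OEM key.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// ErrUpdateRejected is returned for every failed path (FSR 7).
var ErrUpdateRejected = errors.New("sw update rejected: current software kept")

// updateDigest binds version and image together so neither can be swapped
// without invalidating the signature.
func updateDigest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// GenerateOEMKey creates the OEM signing key pair (backend side, never on the ECU).
func GenerateOEMKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the backend release step that produces the authenticity
// signal the ECU checks under FSR 2/3.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Signature: ed25519.Sign(priv, updateDigest(version, image))}
}

// allowUpdate computes the allow_update signal (FSR 4). It is true only if the
// update command was authenticated (FSR 1), the signature verifies against the
// OEM key (FSR 2/3) and the version is newer than the installed one (rollback
// protection, an assumption added here). Every other path yields false with a
// reason suitable for logging.
func (e *ECU) allowUpdate(commandAuthentic bool, u Update) (bool, string) {
	switch {
	case !commandAuthentic:
		return false, "update command not authenticated"
	case len(e.OEMPublicKey) != ed25519.PublicKeySize:
		return false, "no valid OEM key provisioned"
	case len(u.Signature) != ed25519.SignatureSize:
		return false, "malformed signature"
	case !ed25519.Verify(e.OEMPublicKey, updateDigest(u.Version, u.Image), u.Signature):
		return false, "signature verification failed"
	case u.Version <= e.Version:
		return false, "version not newer than installed software"
	}
	return true, ""
}

// ChangeSW computes change_sw (FSR 6) and writes flash only when allow_update
// is true; any failure returns ErrUpdateRejected and leaves flash untouched (FSR 7).
func (e *ECU) ChangeSW(commandAuthentic bool, u Update) error {
	ok, reason := e.allowUpdate(commandAuthentic, u)
	if !ok {
		return fmt.Errorf("%w (%s)", ErrUpdateRejected, reason)
	}
	// Copy the verified bytes so a later change to the caller's buffer cannot
	// alter what was checked.
	e.Flash = append([]byte(nil), u.Image...)
	e.Version = u.Version
	return nil
}

func main() {
	pub, priv := GenerateOEMKey()
	ecu := &ECU{OEMPublicKey: pub, Version: 1}
	good := SignUpdate(priv, 2, []byte("constructed ECU image v2"))
	fmt.Println("signed update:", ecu.ChangeSW(true, good))
	tampered := good
	tampered.Image = []byte("constructed ECU image v2, patched")
	fmt.Println("tampered image:", ecu.ChangeSW(true, tampered))
	fmt.Printf("installed version %d, %d bytes\n", ecu.Version, len(ecu.Flash))
}
```

The ECU holds only the public key, so extracting its contents does not let an attacker sign updates; that is the reason to prefer a signature over a shared-key MAC for this goal, even though both give integrity.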

Page 17

Case Study Powertrain: Separate Concerns (Practical Guidance and Vector Experiences)

[Diagram: E/E architecture. External interfaces: DSRC, 4G LTE, WiFi, laptop, smartphone, diagnostic interface (OBD evolution). Elements: connectivity gateway (CU), instrument cluster, head unit, central gateway, ADAS DC, smart charging, powertrain DC, chassis DC, body DC.]

Security building blocks placed in the architecture: firewall, key infrastructure, secure on-board communication, secure off-board communication, ID/IP (intrusion detection/prevention), monitoring/logging, hypervisor, crypto primitives, download manager, secure flash/boot, secure synchronized time manager.

Incrementally harden your E/E and IT functions, architectures and components.

Page 18

Security by Design: Implementation, Verification and Validation (Practical Guidance and Vector Experiences)

Design: use programming rules such as MISRA-C; avoid injectable code; enforce high cryptographic strength; assign least privileges to any function; static and dynamic code analysis

Test: encryption cracker, vulnerability scanner; network traffic analyzer, stress tester, interface scanner; layered fuzzing testing

Life: hacking, penetration testing; governance and social engineering attacks

Test for the unknown. Run automatic regression tests with each delivery.

Page 19

Consider Risk-Oriented Development Throughout the Life-Cycle (Practical Guidance and Vector Experiences)

Begin with the end in mind: after-sales support needs early development decisions on resilience, fail-operational strategies, alert center, repair/OTA and governance.

Security lifecycle (V-model): assets, threats and risk assessment; security goals and requirements; technical security concept; security implementation; test security mechanisms; security verification; security validation; security case, audit, compliance; after sales.

Page 20

Game Changer: OTA Facilitates Security Across the Life-Cycle (Practical Guidance and Vector Experiences)

There is no security without a continuous over-the-air (OTA) update strategy.

[Diagram: OEM-side update process]

Page 21

1. Welcome

2. Safety needs Security

3. Risk-Oriented Development

4. Practical Guidance and Vector Experiences

5. Conclusions

Agenda


Page 22

Risk-Oriented Development Must Cover the Entire Life-Cycle (Conclusions)

Systematic safety and security engineering; scalable incident monitoring and response; multiple modes of operation (normal, attack, emergency, fail operational, fail safe, etc.)

Development: safety hazards and security threats; safety / security by design

Production: secured supply chain

Operations: incident response and upgrades

Services: secure provisioning and governance

Page 23

Safety and Security Matter (Conclusions)

Safety and security demand a thorough culture change: build the necessary competences for safety and security; do not simply copy-paste elements from current standards; enforce strong governance end-to-end.

Risk-oriented development is the order of the day: apply systems engineering for safety and cyber-security; systematically use professional tools, such as PREEvision and CANoe; close known vulnerabilities as soon as possible, preferably with OTA; audit your suppliers and achieve a holistic perspective on risks and solutions; use the hacker's view for security risks, and not that of the developer or safety expert.

To know your enemy, you have to become your enemy. (Sun Tzu, The Art of War)

In other words: Think like a criminal and preemptively act as an engineer.

Page 24

Vector Offers Comprehensive Portfolio for Cyber-Security and Functional Safety (Conclusions)

Vector Cyber-Security and Safety Solutions

Security and Safety Consulting

Trainings

SecurityCheck, SafetyCheck, Virtual Safety Manager, Virtual Security Manager

AUTOSAR Basic Software:

MICROSAR Safe

Tools for Design, Test and Lifecycle support:

PREEvision

DaVinci

CANoe

CANdela and Indigo

Engineering Services for Safety and Security

HW based Security


Page 25

Further Information: Vector White Papers on Automotive E/E Trends (Conclusions)

Mobility: From driving to multi-modal mobility services and sharing culture

Business Models: From incumbent tiered supply-chain to flexible new players from IT industry

E/E architecture: From distributed electronic controllers to standardized three-tier architecture

IT architecture: From proprietary building blocks to open IT systems with off-the-shelf components and adaptive SOA

Development lifecycle: From the classic V model with rather heavy release cycles to agile DevOps-like approach

Governance: From encapsulated safety-critical functions to interwoven quality assurance for liability, safety, cyber-security, privacy

Culture: From R&D vs. IT separation to convergence

Competences: From automotive embedded electronics to IT as a core competence of all engineers

Contact Vector for white papers, technical benchmarks and consulting.

Source: IEEE Software May 2017 (Vector Guest Edited). www.vector.com/consulting-mediacenter

Page 26

Thank you for your attention. For more information please contact us.

Passion. Partner. Value.

Vector Consulting Services
www.vector.com/consulting
[email protected]
+49 711 80670-0