April 23rd, 2020
“Prediction is very difficult, especially if it’s about the future”
Niels Bohr

HISTORY

IT
• Emerged in the 1950s and 60s
• Became interconnected over the past 50 years
• Many cyber-events on a daily basis

ICS/SCADA
• Emerged from electro-mechanical control devices to PLCs (Programmable Logic Controllers)
• Large networks control critical infrastructure: smart cities, power grids, water plants, gas/oil pipes, hospitals, data centers, building management, manufacturing plants, etc.
• IT/OT convergence and interconnectivity

AUTOMOTIVE
• Emerged from electro-mechanical control devices to ECUs (Electronic Control Units)
• Network controls the full vehicle
• Connected ECUs, connected car and V2X
• Lots of wireless interconnected devices

“Those who fail to learn from history are condemned to repeat it.”
Winston Churchill

IT (Information Technology) networks
OT (Operational Technology) – ICS (Industrial Control Systems) / SCADA (Supervisory Control and Data Acquisition)
Automotive

SYSTEM CHARACTERISTICS

IT
• Changed from air-gapped to connected decades ago
• Highly dynamic, chaotic and unpredictable
• Very powerful computers

ICS/SCADA
• Many still air-gapped but IT/OT convergence is here
• Static, deterministic and predictable behavior
• Relatively low computing power, especially at the PLC level

AUTOMOTIVE
• Connected car is here and numbers will only increase
• Static, deterministic and predictable behavior
• Very low computing power but gradually increasing
• Very sensitive to price

CONNECTIVITY

IT
• High bandwidth Ethernet LAN and WAN
• Wireless over Wi-Fi and cellular
• IP as network protocol
• Numerous application layer protocols
• Highly interconnected networks, over public internet, multi-site, remote and mobile access

ICS/SCADA
• Slowly evolving networking, some still using serial protocols
• Remarkable move towards Ethernet and IP
• A limited number of application layer protocols (Modbus, DNP3, Profinet, IEC 101/104, IEC 61850, etc.)

AUTOMOTIVE
• Dominant CANbus; FlexRay, LIN and MOST – to be gradually replaced by automotive Ethernet and IP
• Wireless: Wi-Fi, Bluetooth, TPMS, key fobs, cellular, etc.
• IVI, Telematics, OBD – connected vehicle
• Connected automated driving, V2X and ITS 5G/G5 as a major evolution

DECISIVE INCIDENT

IT
• 1972 Bob Thomas and later Ray Tomlinson first worm
• Since then many: Snowden, WannaCry, NotPetya and many more

ICS/SCADA
• 2010 Stuxnet disabling Iranian nuclear plant centrifuges
• 2015 Ukraine power grid shutdown
• 2017 European wastewater treatment plant
• 2018 Saudi Arabia petrochemical plant
• ... and more, some unpublished

AUTOMOTIVE
• Only recent white hat cases
• Jeep Cherokee
• No real fatal or damaging event occurred (yet)

ATTACK VECTOR AND KILL CHAIN

IT
• Mainly opportunistic (like phishing) but also targeted attacks
• Started as head-on attacks
• Various threat actors
• Many attack surfaces
• Currently a complex, multi-phase, multi-technology process including network, server, applications, human, physical, etc.

ICS/SCADA
• Targeted and strategic attacks
• Long infiltrations, lateral movement and incubation
• Legacy equipment (PLC, HMI, SCADA server) with no cyber-security protection (but improvement trends)
• Small but extending attack surfaces
• Mainly state or terror organization actors
• Very complex process
• Most likely triggered as part of a major conflict between states, terror organizations, etc.

AUTOMOTIVE
• Common attacks like ransomware possible. Several implications in case of a major conflict between states, terror organizations, etc.
• Long infiltration process
• Attack can be developed and drilled on car make and model
• Legacy equipment (ECUs) with no cyber-security protection. New designs to include some security.
• Attack surfaces rapidly extending
• Relatively complex process

IMPACT AND INDUSTRY RESPONSE

IT
• Protecting data - privacy
• Authentication, encryption, firewall, proxy, filtering, antivirus, anti-spam, deception, network design, segregation, secured software development cycle, penetration tests, education, CISO, SIEM, SOC, CERT, etc.

ICS/SCADA
• Safety and reliability – protecting lives and property
• Security overlay on existing network
• Secured network design, secured PLCs, IDS/IPS, industrial endpoint protection

AUTOMOTIVE
• Safety and reliability – protecting lives and property
• Aftermarket add-on appliances
• Line-fit secured network design, hardened ECUs, IDS/IPS, authentication, encryption, etc.

“Without standards, there can be no improvement.”
Taiichi Ohno, Toyota

STANDARDS AND REGULATIONS

IT
• Well covered organizationally: sectorial, national, global coverage.
• Rules, guides, regulations, laws, etc.
• e.g. EU GDPR (General Data Protection Regulation)

ICS/SCADA
• Initial action commenced in recent years
• US NERC (North American Electric Reliability Corporation) CIP (Critical Infrastructure Protection)
• EU ENISA (European Union Agency for Cybersecurity) NIS (Network and Infrastructure System) directive 2016/1148

AUTOMOTIVE
• Lagging behind and too many unharmonized standards developing
• IATF 16949 technical specification quality management system for automotive products
• ISO 26262 Functional safety (ASIL-A/B/C/D)
• ENISA Good practices for security of Smart Cars
• ISO/SAE 21434 (Cybersecurity) Road Vehicles
• A-SPICE Automotive Software Process Improvement & Capability Determination
• UNECE WP.29 Approval of vehicles with regards to cyber security
• US SPY Car Study Act of 2017 (draft)
• JASPAR Cybersecurity Technical WG

THREAT INTELLIGENCE

IT
• Many global, national and private groups and tools
• Well evolved and lots of information sharing

ICS/SCADA
• Still evolving but active
• MITRE CVE (Common Vulnerabilities and Exposures) with thousands of entries

AUTOMOTIVE
• First steps
• AutoISAC (Automotive Information Sharing and Analysis Center) established

SECURITY INSTALLATION

IT
• Part of all network devices
• Implemented from the planning and design phases throughout the entire lifecycle
• Includes multiple means such as NIDS, HIDS, VLANs, FW, EDR, VPNs, NATs, etc.
• Education and awareness
• Resource usage increases over time
• 3-5 years lifecycle

ICS/SCADA
• For existing installations, overlay security with IT and OT dedicated solutions
• Most new installations are planned with some security means ahead of time
• Long way to go but advancing
• Resource usage increases over time
• 7-10+ years lifecycle

AUTOMOTIVE
• For aftermarket, some IDS and IPS solutions exist and will rise with awareness
• For new models line-fit, some growing considerations: secured design, network architecture, secured GW, ECU hardening, IDS/IPS are in the process.
• Slow advance
• Limited resources and usage increase to specified range
• Vehicle-life length operation

DISPATCHING SOFTWARE AND SECURITY UPDATES

IT
• Common, well established process
• Automatically or controlled from the internet

ICS/SCADA
• Regarded as a nightmare by engineering and operations personnel
• Some equipment extremely ancient (PLCs more than 15 years old, computers running Windows 95, XP, etc.)
• Requires extensive testing and many months to implement
• Fear of use as a potential means of injecting malware

AUTOMOTIVE
• In recent years has become more frequent
• Complex and costly procedure
• For legacy, unconnected cars, viable through diagnostics and implies callback for hot fixes
• For connected cars, done OTA (Over-The-Air)
• Fear of being used as a potential means of injecting malware
• Must not increase load over specified range

HOST/NETWORK IDS/IPS

[Figure: four panels, each showing an attacker, a host, storage and the targeted asset: Host-based Intrusion Detection, Host-based Intrusion Prevention, Network-based Intrusion Detection (labelled “gets copy”), Network-based Intrusion Prevention]

Intrusion Detection Function
• Logging is main function of ID system.
• Typically log resources are high (network, storage, CPU…).
• Defence is second to insight and intelligence.

Intrusion Prevention Function
• Typically log resources are low.
• Defence is immediately applied (“real-time”) for known and precisely identified attacks.

Both technologies rely on regularly receiving updates in order to identify new attacks by new characteristic patterns.

DETECTION VS. PREVENTION CONSIDERATIONS

IT
• Protect the individual device
• Human administrator
• Detailed detection log
• Prevention at wire speed
• False positive to be avoided
• False negative close to 0
• Baseline not practical
• Selective deep content inspection for superior results

ICS/SCADA
• Protect the individual device
• Human administrator (kind of…)
• Detailed detection log
• Prevention while preserving all other function e.g. safety
• False positive shall be avoided!
• False negative close to 0
• Baseline as cornerstone
• Narrow view good enough for surveillance

AUTOMOTIVE
• Fleet or individual car protection
• No human administrator in vehicle
• Detection with 0 impact on vehicle
• Prevention preserving all other functions and safety at all costs
• False positive shall be avoided at all costs!!!
• False negative close to 0
• Precise baseline a must
• Sensor fusion (in-vehicle and V2X generated) with deep content inspection for misbehavior detection that can have safety critical impact

NETWORK VS. HOST IDS/IPS + ENDPOINT PROTECTION

IT
• Combination of all solutions network wide, servers, desktops, laptops, mobile, etc.
• Assumption is that the enemy is everywhere, including among us; a 360 degrees approach is employed.
• From the edge of the network, all the way through switches, firewalls, reverse proxies, application layer gateways, IDS/IPS, EDR (Endpoint Detection and Response)
• Covers a large set of protocols and interaction models

ICS/SCADA
• Mainly network IDS due to legacy equipment and industry being very conservative
• Covers a limited number of protocols (Modbus, DNP3, etc.)

AUTOMOTIVE
• Initially passive network IDS tapping to CANbus or listening to Ethernet mirror port
• Gradually moving to a combination of network IPS together with ECU and domain controller security - measures such as hardening, secure boot/load, host IPS, end point protection, etc.
• Growing number of protocols - SOME/IP, DoIP, UDPnm, AVB (802.1Qav, 802.1AS, SRP, etc.), AVTP (IEEE 1733, IEEE 1722, RTP, etc.), V2X, etc. Some are dynamic such as SOA SOME/IP SD, DHCP and APIPA for DoIP, etc.

ANOMALIES DETECTION VS. SIGNATURES DETECTION
SECURED BY DESIGN

IT
• Signature-based detection as main base with frequent updates; baseline for anomaly detection is not practical
• Secured by design is a basis for building a multi layer, diversified, evolving and adapting protection architecture

ICS/SCADA
• Anomaly detection since baseline is easy to create and protects against zero-day attacks. Signature database update somewhat complex.
• Security mainly as an add-on to existing large legacy installations. New sites with security design in mind.

AUTOMOTIVE
• Anomaly detection since baseline is easy to create and protects against zero-day attacks. Signature database update infrequent and complex.
• Secured by design is a cornerstone for new vehicles. Multi layer, defense-in-depth approach:
  • Embedded in ECUs (hardening, secure boot/load, HSM/TPM, etc.)
  • Network (segregation, VLANs, etc.)
  • Dedicated components such as FW, network/host IDS/IPS, etc.
Confidential, Property of Arilou
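
The automotive column's reliance on a baseline for anomaly detection works because in-vehicle traffic is static and deterministic. The sketch below is an added example, not Arilou's code and not part of the original slides: it learns a per-ID baseline from known-good CAN frames and flags unknown IDs, unexpected payload lengths and frames arriving faster than the learned period. The frame tuple format, the function names, the 0.5 tolerance and both traces are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Assumed frame format: (timestamp_us, can_id, payload). Integer microseconds
# keep the timing arithmetic exact.


def learn_baseline(frames, tolerance=0.5):
    """Learn, per CAN ID, the payload lengths seen and the shortest
    acceptable gap between frames (mean period scaled by 1 - tolerance)."""
    stamps = defaultdict(list)
    lengths = defaultdict(set)
    for ts, can_id, payload in frames:
        stamps[can_id].append(ts)
        lengths[can_id].add(len(payload))
    baseline = {}
    for can_id, seen in stamps.items():
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        # An ID seen only once has no period; it is checked on ID and length only.
        min_gap = mean(gaps) * (1 - tolerance) if gaps else None
        baseline[can_id] = {"lengths": lengths[can_id], "min_gap": min_gap}
    return baseline


def detect(frames, baseline):
    """Return (timestamp_us, can_id, reason) for every deviation from the baseline."""
    alerts = []
    last_seen = {}
    for ts, can_id, payload in frames:
        profile = baseline.get(can_id)
        if profile is None:
            # No signature needed: anything outside the baseline is reported.
            alerts.append((ts, can_id, "unknown_id"))
            continue
        if len(payload) not in profile["lengths"]:
            alerts.append((ts, can_id, "unexpected_length"))
        prev = last_seen.get(can_id)
        min_gap = profile["min_gap"]
        if prev is not None and min_gap is not None and ts - prev < min_gap:
            alerts.append((ts, can_id, "rate_too_high"))
        last_seen[can_id] = ts
    return alerts


def constructed_training_trace():
    """Constructed known-good traffic: 0x100 every ~10 ms with 200 us of
    jitter, 0x200 every 100 ms."""
    frames = [(i * 10_000 + (200 if i % 2 else 0), 0x100, bytes(8)) for i in range(50)]
    frames += [(i * 100_000, 0x200, bytes(4)) for i in range(5)]
    return sorted(frames)


def constructed_observed_trace():
    """Constructed traffic containing three deviations from the baseline."""
    return [
        (0, 0x100, bytes(8)),
        (0, 0x200, bytes(4)),
        (10_000, 0x100, bytes(8)),
        (12_000, 0x100, bytes(8)),   # extra frame 2 ms after the previous one
        (15_000, 0x555, bytes(8)),   # ID that never appears in the baseline
        (20_000, 0x100, bytes(8)),
        (30_000, 0x100, bytes(8)),
        (100_000, 0x200, bytes(8)),  # known ID with an unseen payload length
    ]


if __name__ == "__main__":
    baseline = learn_baseline(constructed_training_trace())
    # The known-good trace must raise nothing: false positives are the
    # failure mode the slides rank as least acceptable in a vehicle.
    print("alerts on training trace:", detect(constructed_training_trace(), baseline))
    for ts, can_id, reason in detect(constructed_observed_trace(), baseline):
        print(f"{ts:>7} us  id=0x{can_id:03X}  {reason}")
```

The tolerance trades the two error rates the slides discuss: a wider margin lowers false positives from bus jitter at the cost of missing slower injections.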

REPORTING, MONITORING, SURVEILLANCE AND RESPONSE

IT
• Well established SOCs (Security Operations Centers) separate from the NOC (Network Operations Center)
• Equipped with SIEM (Security Information and Event Management)
• Common reporting protocols – Syslog, SNMP, etc.
• Well trained CERT-IR (Cyber Event Response Team – Incident Response) personnel
• 3rd party MSSP (Managed Security Service Provider) available

ICS/SCADA
• First steps
• In many cases part of the operations center
• Weak CERT if any
• Some MSSP available

AUTOMOTIVE
• TBD…
• Through telematics systems
• Facilitated by separate cellular connection. 5G in vehicle node

ECOSYSTEM AND SUPPLY CHAIN

IT
• Chips are manufactured and software products are integrated into commercial products and installed on customer premises

ICS/SCADA
• Chips are manufactured and software products are integrated into commercial products and installed on customer premises

AUTOMOTIVE
• OEMs specify requirements
• Tier 3 manufactures individual components and supplies tier 2
• Tier 2 manufactures integrated sub-modules for tier 1 manufacturers
• Tier 1 manufacturers integrate full modules to OEM specifications
• OEMs integrate modules into vehicles

ACCOUNTABILITY

IT
• CISO (Chief Information Security Officer)
• CIO (Chief Information Officer)
• CDO (Chief Digital Officer)
• Ministerial responsibility CEO (Chief Executive Officer)

ICS/SCADA
• CISO/CIO?
• VP Engineering?
• CEO?

AUTOMOTIVE
• TBD
• CEO (and the CISO afterwards) will carry the burden in case of an incident with impacts of liability

“If I have seen further than others, it is by standing on the shoulders of giants.”
Isaac Newton

THE FUTURE

IT
• Continuing race between attackers and defenders
• Awareness established and is further on the rise in the industry
• Regulation active with ever more vigorous control
• Larger funds spent by organizations
• Different solutions: IPS requirements much higher than IDS

ICS/SCADA
• Slow moving but picking up speed
• Low awareness with some increase in the past few years
• Regulators starting to act, mainly in advanced and threatened countries
• Large funds invested in startups in this field
• Investment is slow but there is a steady acceleration process
• Conservative industry prefers IDS over IPS

AUTOMOTIVE
• Lagging behind
• Awareness has started to build, but only in recent years. No fatal event yet.
• Standardization and regulation have begun to increase but will lead to minimal expenses by OEMs
• Some substantial investment in recent years
• Will accelerate in the near future due to regulation (~2023-2024)
• Eventually IPS will be used with very high caution

TAKE HOME MESSAGE

1. OEMs and Tier 1s must address the cyber-security challenge sooner rather than later!
2. An integrated and multi-layered, defense-in-depth solution that includes a combination of:
   a. Secured network architecture
   b. Good endpoint protection
   c. IDS (later also IPS)
3. Well trained SOC with a CERT-IR ready to take action if needed

For more information please see the full blog series on our web site https://ariloutech.com/news/

WHAT CAN WE DO FOR YOU?

Arilou is an automotive, in-vehicle, cyber-security solution provider with the longest track record of installed, working systems. We are part of the NNG Group, a global automotive software house, developing solutions that provide convenience, personalization, and peace of mind.

THREAT DETECTION
• CANbus Parallel Intrusion Protection System (PIPS)
• CANbus software IDS/IPS
• Ethernet software IDS/IPS

CANpression - CANbus traffic compression
CANtication - CANbus message authentication

Automotive Cyber-Security Insights learned from IT and ICS/SCADA
