Will Future Vehicles Be Secure?
There is active work within the automotive community to build security into the future connected and highly autonomous vehicles and several organizations are working on cybersecurity standards. Is it going to be enough to secure future vehicles?
Join me to explore the intricacies of securing cyber-physical systems. Challenge the notion that today's tools and best practices are enough to protect connected vehicles and transportation infrastructure. Finally, discover what the industry can do to take security research to the next level and ensure a safe, secure future of transportation.
In the last few years there has been increasing interest in the security of modern vehicles, with several high-profile demonstrations of remotely controlling a vehicle's braking and steering across large distances. A modern vehicle already contains up to 100 ECUs and 100 million lines of code, and the complexity is only expected to increase: some projections put it at 300 million lines of code within 5 years. With growing complexity comes a growing attack surface. Compared with other digital or digitized industries such as datacenters, PCs, mobile and Industrial Control Systems, automobiles have not yet been actively exploited in the wild; however, vulnerabilities have already been demonstrated by security researchers, and the experience of those other industries is that once that happens such vulnerabilities are quickly weaponized, opening the door to routine exploitation. For vehicles that weigh several tons and move, this is a frightening proposition, and there is a pressing need to advance security technology to prevent malicious actors from endangering human life.
Learning Outcomes:
Understand the vehicle ECU and network architecture and the challenges of securing Highly Automated and Connected Vehicles
Describe a modern end-to-end security architecture for connected vehicles
Understand the evolution of future security technologies
2. Agenda
• What is a connected vehicle, and why is it hard to secure?
• What is Functional Safety?
• Can we secure vehicles?
• Summary
3. The Interconnected Car
Figure: a cutaway of a modern car (image credit: Mercedes-Benz Museum, as cited in Computer History Museum, 2011) grouping the networked components into three classes:
• Components associated with physical control of the vehicle
• Components associated with safety
• Components associated with entertainment and convenience
4. Huge Complexity
• Up to 100 million lines of code today, heading toward 300 million; about 30 million of that is the multimedia system (for comparison: Android OS about 15 million lines, a modern fighter jet about 25 million, Windows close to 40 million, the LHC about 50 million)
• Up to 100 ECUs and 25 to 200 microprocessors
Recent high-end luxury car:
• ECU connections: 10 on FlexRay, 73 on CAN and 61 on LIN
• Base vehicles employ 1,376 wires with a total length of 2,474 meters; a fully optioned vehicle requires 2,385 wires with a total length of 4,293 meters (2.66 miles)
• 100 motors in the interior
5. Connected Infrastructure
Diagram of the vehicle's external connectivity (labels): V2V ad-hoc network; Radio Data System (RDS); GPS; Road Side Unit (RSU); base stations (BS) and ISPs on the Internet backbone; the automotive company application center; a 3rd-party application center; a trusted network (e.g. repair shop); untrusted networks (open access points, local service APs, mobile devices); electric chargers. Links are marked as either uni-directional communication (broadcast services such as RDS and GPS) or bi-directional communication.
12. Toyota Unintended Acceleration
• A Toyota Lexus ES 350 sedan reached 100+ mph
• 911 emergency phone call from a passenger during the event
• All 4 occupants killed in the crash
• Toyota data on infotainment software shows an expected one "major bug" for every 30 coding rule violations [Kawana 2004]
Source: Prof. Phil Koopman, A Case Study of Toyota Unintended Acceleration and Software Safety
13. What is Functional Safety?
• IEC 61508: the part of the overall safety related to the equipment under control (EUC) that depends on the correct functioning of the safety-related system in response to its inputs
• ISO 26262: absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems
• ISO 25119: a system that performs in a way that does not present an unreasonable risk of injury to operators and bystanders
Are you able to provide the EVIDENCE that risks have been minimized?
14. ISO 26262 Adaptation of IEC 61508
IEC 61508 (Functional Safety for E/E/PES Safety-Related Systems) is the parent standard; the sector-specific adaptations are:
• IEC 61513: Nuclear
• IEC 61511: Process industry
• ISO 26262: Road vehicles
• IEC 62061: Machinery
• ISO 13849-1: Machine safety
• ISO 25119: Tractors and machinery for agriculture and forestry
ISO 26262 is "State of the Art" for automotive.
15. How do E/E Systems Fail?
Random failures: usually a permanent or transient failure due to a system component's loss of functionality; hardware related.
Systematic failures: usually due to a design fault, wrong specification, not fit for purpose, an error in the software program, ...
ISO 26262 functional safety principles:
• Avoidance of faults, before delivery, through process, methods and organization: avoid systematic faults; implement correctly.
• Control of failures, in operation, through technical safety measures: control of systematic failures and control of random failures; detect and react.
19. What is Security?
Security covers all the processes and mechanisms by which digital equipment, information and services are protected from unintended or unauthorized access, change or destruction. (Wikipedia; an existing definition, also used by NIST)
1999 National Academies study "Trust in Cyberspace":
"Security research during the past few decades has been based on formal policy models that focus on protecting information from unauthorized access by specifying which users should have access to data or other system objects. It is time to challenge this paradigm of 'absolute security' and move toward a model built on three axioms of insecurity:
1. insecurity exists;
2. insecurity cannot be destroyed; and
3. insecurity can be moved around."
22. Automotive Security Standards
1. SAE J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems
 a) Enumerate all attack surfaces and conduct threat analysis
 b) Reduce the attack surface
 c) Harden hardware and software
 d) Security testing (penetration testing, fuzzing, and more)
2. SAE J3101: Hardware-Protected Security for Ground Vehicle Applications
 a) Secure boot
 b) Secure storage
 c) Secure execution environment
 d) Other hardware capabilities ...
 e) OTA, authentication, detection, recovery mechanisms ...
23. Example: Security analysis
Threat-analysis model diagram (credit: Vector). Entities: Owner, Asset, Security Goal, Threat, Attacker, Malicious Action, Attack Potential, Point of Attack. Relation labels on the arrows: "Has a value for", "Has", "Potential for attack on", "Potential with risk of", "Potential for execution", "Is performed at", "Risk is reduced by". Read together: an owner values an asset, which has a security goal; a threat is an attacker's potential to execute a malicious action against that asset at some point of attack, with a given attack potential and risk; the risk is reduced by meeting the security goal.
24. Example: Incoming Message Integrity
Processing pipeline for a received message, with the safety mechanism and the security mechanism at each step:
 Step                    | Safety          | Security
 Message received        |                 |
 Integrity check         | CRC             | MAC / signature
 Sender authentication   | Source address  | MAC / signature
 Authorization           | Source access   | ACL
 Plausibility checks     | value / timing  |
 Message consumed by an app
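The pipeline above worked through as an added example (not code from the deck or from any vendor): a receiver that applies each check in the slide's order to a constructed CAN-style frame. The frame layout, the message and sender IDs, the shared key, the ACL and the plausibility bounds are all assumptions made for the example; a real ECU would keep the key in the HSM and take freshness from a monotonic counter or synchronized time. HMAC-SHA256 truncated to 8 bytes stands in for the CMAC an automotive HSM would compute.

```python
import hashlib
import hmac
import struct
import zlib

# Assumed 128-bit key shared by the sender ECU and the receiver ECU (hypothetical value;
# in a real ECU it lives in the HSM's secure storage and never leaves it).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_LEN = 8  # truncated tag: bus frames leave no room for a full 32-byte MAC

# Assumed node identities and access-control list: which ECU may emit which message ID.
SENDER_IDS = {"ems": 0x01, "brake_ctrl": 0x02, "infotainment": 0x10}
ACL = {0x0C4: {"ems"}, 0x1A0: {"brake_ctrl"}}  # torque request, wheel speed (hypothetical IDs)

# Assumed plausibility bounds per message: absolute range and maximum change between frames.
PLAUSIBLE_RANGE = {0x0C4: (0, 5000), 0x1A0: (0, 300)}
MAX_DELTA = {0x0C4: 500, 0x1A0: 50}

# Frame body: message ID, sender ID, freshness counter, 16-bit value; then CRC32 and MAC.
BODY = struct.Struct(">HBIH")


def _mac(body: bytes) -> bytes:
    return hmac.new(SHARED_KEY, body, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(msg_id: int, sender: str, counter: int, value: int) -> bytes:
    """Sender side: body, then CRC (safety) and MAC (security) over the same body."""
    body = BODY.pack(msg_id, SENDER_IDS[sender], counter, value)
    return body + struct.pack(">I", zlib.crc32(body)) + _mac(body)


class Receiver:
    """Applies the slide's checks in order; state is updated only when every check passes."""

    def __init__(self):
        self.last_counter = {}  # per message ID, for replay detection
        self.last_value = {}    # per message ID, for rate-of-change plausibility

    def verify(self, frame: bytes):
        if len(frame) != BODY.size + 4 + MAC_LEN:
            return False, "length"
        body = frame[:BODY.size]
        crc = struct.unpack(">I", frame[BODY.size:BODY.size + 4])[0]
        tag = frame[BODY.size + 4:]
        # 1. Integrity: CRC catches random corruption; MAC catches deliberate modification.
        if zlib.crc32(body) != crc:
            return False, "crc"
        if not hmac.compare_digest(tag, _mac(body)):
            return False, "mac"
        msg_id, sender_id, counter, value = BODY.unpack(body)
        # 2. Sender authentication: the MAC proves key possession; the counter blocks replay.
        if counter <= self.last_counter.get(msg_id, -1):
            return False, "replay"
        # 3. Authorization: may this (authenticated) sender emit this message ID at all?
        sender = next((n for n, i in SENDER_IDS.items() if i == sender_id), None)
        if sender not in ACL.get(msg_id, set()):
            return False, "acl"
        # 4. Plausibility: a correctly signed message can still carry a nonsensical value.
        lo, hi = PLAUSIBLE_RANGE[msg_id]
        if not lo <= value <= hi:
            return False, "range"
        prev = self.last_value.get(msg_id)
        if prev is not None and abs(value - prev) > MAX_DELTA[msg_id]:
            return False, "rate"
        self.last_counter[msg_id] = counter
        self.last_value[msg_id] = value
        return True, "ok"


def demo() -> dict:
    """Constructed scenarios; returns the reason each frame was accepted or dropped."""
    rx = Receiver()
    results = {}
    good = build_frame(0x0C4, "ems", 1, 1200)
    results["genuine"] = rx.verify(good)[1]
    results["replayed"] = rx.verify(good)[1]
    corrupted = bytearray(good)
    corrupted[8] ^= 0x01  # bit flip in the value field, so the CRC no longer matches
    results["bit_flip"] = rx.verify(bytes(corrupted))[1]
    # Attacker on the infotainment side spoofs the EMS: can recompute the CRC, not the MAC.
    forged_body = BODY.pack(0x0C4, SENDER_IDS["ems"], 2, 4000)
    forged = forged_body + struct.pack(">I", zlib.crc32(forged_body)) + bytes(MAC_LEN)
    results["forged"] = rx.verify(forged)[1]
    results["wrong_sender"] = rx.verify(build_frame(0x0C4, "brake_ctrl", 2, 1200))[1]
    results["out_of_range"] = rx.verify(build_frame(0x0C4, "ems", 2, 6000))[1]
    results["implausible_jump"] = rx.verify(build_frame(0x0C4, "ems", 2, 1800))[1]
    results["genuine_next"] = rx.verify(build_frame(0x0C4, "ems", 2, 1500))[1]
    return results


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:16s} -> {reason}")
```

The forged frame passes the CRC, because anyone on the bus can recompute it, and is stopped only by the MAC; that is the safety-versus-security split the table draws. The `wrong_sender` frame shows the limit of one bus-wide key: a brake controller holding the same key could just as well have written the EMS's sender ID, so only the ACL stops it. Per-link or per-message keys derived with a KDF from the HSM's master key, as listed under key management later in the deck, close that gap.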
25. Example: Lane Departure Analysis
System: lane departure warning assistant
Function: corrective steering intervention
Asset: protect the assistance function from manipulation
Hazard analysis yields the requirements for safety; threat analysis yields the requirements for security. The outcome: new functions with added value and with manageable risk.
26. Common Security Requirements
1. Auditing and logging
2. Authentication and authorization
3. Session management
4. Input validation and output encoding
5. Exception management
6. Cryptography and integrity
7. Data at rest
8. Data in motion
9. Configuration management
10. Incident response and patching
Together, these formulate the end-to-end security architecture for the product and thus should be considered alongside one another, not in isolation. Each of the categories also has many sub-topics within it; for example, under authentication and authorization there are aspects of discretionary access controls and mandatory access controls to consider. Security policies for the product are an outcome of the implementation decisions made during development across these ten categories.
27. Defense in Depth
Layered diagram, from the hardware root of trust up to software and services:
Hardware root of trust
• Security features in the silicon, for example memory scrambling, execution prevention, etc.
• Analog security monitoring under the CPU
Hardware security building blocks
• Platform boot integrity and chain of trust
• Secure storage (keys and data)
• Secure communication
• Secure debug
• Tamper detection and protection from side-channel attacks
Hardware security services that can be used by applications
• Fast cryptographic performance
• Device identification
• Isolated execution
• (Message) authentication
• Virtualization
Software and services
• Over-the-air updates
• IDPS / anomaly detection
• Network enforcement
• Certificate management services
• Antimalware and remote monitoring
• Biometrics
The accompanying vehicle sketch labels the assets to protect (occupant safety, surround sensors, brake control system, electric power steering, CAN bus, GPS, V2X antenna) and the external endpoints (mobile devices, base stations, ISP).
28. Hardware Security Building Blocks
1. Secure boot
2. Secure storage
3. Trusted Execution Environment (HSM)
4. Cryptographic acceleration
5. Key generation
6. Secure clock
7. Monotonic counters
8. True RNG
9. Unique device ID
10. Secure debug
11. Physical tamper detection and protection against side-channel attacks
In the defense-in-depth picture these blocks deliver: platform boot integrity and chain of trust; secure storage (keys and data); secure communication; secure debug; tamper detection and protection from side-channel attacks.
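How secure boot, the monotonic counter and boot integrity fit together, as an added example that is not part of the deck and not any vendor's HSM firmware: a boot sequence in which an HSM model verifies a MAC'd manifest for each stage, checks the stage version against a monotonic counter (anti-rollback), compares the image hash (secure boot) and extends a measurement register that a remote verifier can later compare against a golden value (attestation). The manifest format, key value, stage names and images are constructed for the example; HMAC-SHA256 stands in for the AES-CMAC that SHE-style secure boot uses, and the counter is modelled per stage.

```python
import hashlib
import hmac
import struct

# Assumed boot MAC key provisioned into the HSM at the factory (hypothetical value). It stands
# in for a SHE-style BOOT_MAC_KEY; HMAC-SHA256 replaces AES-CMAC so this runs on the stdlib.
_BOOT_MAC_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

# Manifest: 8-byte stage name, 32-bit version, SHA-256 of the stage image; then a 32-byte MAC.
MANIFEST = struct.Struct(">8sI32s")
MAC_LEN = 32


def make_manifest(name: str, version: int, image: bytes) -> bytes:
    """Production-side step (signing server): binds version to image hash, then MACs them."""
    body = MANIFEST.pack(name.encode(), version, hashlib.sha256(image).digest())
    return body + hmac.new(_BOOT_MAC_KEY, body, hashlib.sha256).digest()


class Hsm:
    """Hardware root of trust: boot key, per-stage monotonic counters, measurement register."""

    def __init__(self):
        self._counters = {}   # stage name -> lowest version still allowed to boot (non-volatile)
        self.pcr = bytes(32)  # TPM-style register, extended with each stage's measurement

    def reset(self) -> None:
        """Power-on reset: measurements start over; the counters persist."""
        self.pcr = bytes(32)

    def verify_manifest(self, manifest: bytes):
        body, tag = manifest[:MANIFEST.size], manifest[MANIFEST.size:]
        expected = hmac.new(_BOOT_MAC_KEY, body, hashlib.sha256).digest()
        if len(tag) != MAC_LEN or not hmac.compare_digest(tag, expected):
            return None
        name, version, image_hash = MANIFEST.unpack(body)
        return name.rstrip(b"\0").decode(), version, image_hash

    def min_version(self, name: str) -> int:
        return self._counters.get(name, 0)

    def commit_version(self, name: str, version: int) -> None:
        if version > self.min_version(name):  # monotonic: never decreases
            self._counters[name] = version

    def extend(self, measurement: bytes) -> None:
        self.pcr = hashlib.sha256(self.pcr + measurement).digest()


def secure_boot(hsm: Hsm, stages):
    """stages: list of (manifest, image) in boot order. Returns (ok, reason)."""
    hsm.reset()
    verified = []
    for manifest, image in stages:
        parsed = hsm.verify_manifest(manifest)
        if parsed is None:
            return False, "manifest MAC invalid"
        name, version, image_hash = parsed
        if version < hsm.min_version(name):
            return False, f"{name}: version {version} below counter {hsm.min_version(name)} (rollback)"
        measurement = hashlib.sha256(image).digest()
        if not hmac.compare_digest(measurement, image_hash):
            return False, f"{name}: image hash mismatch (tampered)"
        hsm.extend(measurement)  # record what ran before handing control to it
        verified.append((name, version))
    for name, version in verified:  # advance counters only once the whole chain checked out
        hsm.commit_version(name, version)
    return True, "ok"


def expected_pcr(images) -> bytes:
    """Golden value a remote verifier compares the reported register against."""
    pcr = bytes(32)
    for image in images:
        pcr = hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()
    return pcr


def demo() -> dict:
    """Constructed images and scenarios (not real firmware)."""
    stage1, app_v5, app_v4 = b"bootloader v2", b"application v5", b"application v4"
    chain = [(make_manifest("stage1", 2, stage1), stage1),
             (make_manifest("app", 5, app_v5), app_v5)]
    results, hsm = {}, Hsm()
    results["genuine"] = secure_boot(hsm, chain)[1]
    results["attested"] = hmac.compare_digest(hsm.pcr, expected_pcr([stage1, app_v5]))
    # Same device rebooted with an older but validly MAC'd application: rollback.
    results["rollback"] = secure_boot(hsm, [chain[0], (make_manifest("app", 4, app_v4), app_v4)])[1]
    # Patched image under the genuine manifest.
    results["tampered"] = secure_boot(Hsm(), [chain[0], (chain[1][0], app_v5 + b"\x90")])[1]
    # Attacker writes a manifest for the patched image but holds no boot key.
    body = MANIFEST.pack(b"app", 6, hashlib.sha256(app_v5 + b"\x90").digest())
    results["forged"] = secure_boot(Hsm(), [chain[0], (body + bytes(MAC_LEN), app_v5 + b"\x90")])[1]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:9s} -> {v}")
```

The three failures map onto three blocks from the list: the forged manifest fails on the key the HSM keeps (secure storage), the patched image fails on the hash bound into the manifest (secure boot), and the valid-but-old image fails on the monotonic counter. The counters are committed only after the entire chain verifies, so a partial boot cannot lock a device out of its own current firmware. Real designs sign manifests with a public key held in OTP rather than a symmetric boot key, which the same structure accommodates by swapping `verify_manifest`.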
29. Why do you need HW Security?
Services an automotive HSM is expected to provide:
Basic cryptography
• Secure hash (SHA-2, SHA-3)
• Message authentication code (CMAC, HMAC, GMAC): generation and verification
• Signatures: generation and verification
• Random number generation
• Encryption/decryption: symmetric (CBC, CTR) and asymmetric
• ECC (P-256, NIST, SEC2, Brainpool)
• Key exchange protocols
Key management
• Key derivation function (KDF)
• Secure key and certificate storage
• Access management
• Import/export services
• Key generation and update
Miscellaneous
• Compression/decompression
• Checksum
• Secure clock: time stamping, validity check for key data
31. Emerging concerns and security technologies, by decade
1960s
Emerging concerns: interactive computing; time sharing; user authentication; file sharing via hierarchical file systems; prototypes of 'computer utilities'.
Security technologies: access controls; passwords; supervisor state.
1970s
Emerging concerns: packet networks (ARPANET); local networks (LANs); communication secrecy and authentication; object-oriented design; multilevel security; mathematical models of security; provably secure systems.
Security technologies: public key cryptography; cryptographic protocols; cryptographic hashes; security verification.
1980s
Emerging concerns: adoption of TCP/IP protocols for the Internet; exponential growth of the Internet; proliferation of PCs and workstations; client-server model for network services; viruses, worms, Trojans and other forms of malware; buffer overflow attacks.
Security technologies: malware detection (antivirus); intrusion detection; firewalls.
1990s
Emerging concerns: World Wide Web; browsers; commercial transactions; data repositories and breaches; portable apps and scripts; Internet fraud; web-based attacks; social engineering and phishing attacks; peer-to-peer (P2P) networks.
Security technologies: virtual private networks (VPNs); public-key infrastructure (PKI); secure web connections (SSL/TLS); biometrics; 2-factor authentication; confinement (virtual machines, sandboxes).
2000s
Emerging concerns: botnets; denial-of-service attacks; wireless networks; cloud platforms; massive data breaches; ransomware; malicious adware; Internet of things; surveillance; cyber warfare.
Security technologies: secure coding and development processes; threat intelligence and sharing; adware blocking; denial-of-service mitigation; WiFi security.
32. Security escalation over time (source: escrypt)
The figure plots incidents from 1971 to 2015 along a three-phase escalation curve driven by increasing digitalization and digital integration: first hypothetical vulnerabilities are identified, then security threats become relevant in practice, then regular security breaches with severe damages occur; the curve runs on to 2020 marked "???". Incidents shown, in date order:
• Creeper (1971)
• F. Cohen (1981)
• CCC BTX Hack (1984)
• Brain (1986)
• Morris Worm (1988)
• Michelangelo (1992)
• Leandro (1993)
• Tribe Flood DDoS (1998)
• Melissa (1999)
• I Love You (2000)
• Code Red (2001)
• SQL Slammer (2003)
• Sasser (2004)
• ICS-CERT (2008)
• Cabir, Premium SMS Fraud (2008)
• DoS via SMS, DoCoMo (2008)
• Conficker (2008)
• AS/1 Card Cracking (2009)
• CAESS (2010)
• Stuxnet and Duqu (2010/11)
• German Steel Plant (2014)
• Heartbleed (2014)
• IMSI Catcher, NSA iBanking (2014)
• NSA, PRISM, Regin (2014)
• GSM Interface Exploit (2015)
33. 2010s/2020s: emerging concerns and security technologies
Emerging concerns: attacks against Cyber-Physical Systems (CPS):
1. Autonomous vehicles
2. Smart communities
3. Aviation and transportation
4. Robots
5. Drones
6. Infrastructure
Security technologies:
1. Self-adaptive systems, which can evaluate and modify their own behavior to improve efficiency, and which can self-heal.
2. Multi-agent systems: a loosely coupled network of software agents that interact to solve problems and that are resilient and partition tolerant.
3. Artificial intelligence (genetic algorithms)
In information technology, self-healing describes any device or system that has the ability to perceive that it is not operating correctly and, without human intervention, make the necessary adjustments to restore itself to normal operation. IBM, for example, is working on an autonomic computing initiative that the company defines as providing products that are self-configuring, self-optimizing and self-protecting, as well as self-healing. For all of these characteristics together, IBM uses the term "self-managing."
34. When safety and security are interlinked
The fundamental meaning of quality in relation to a system is that the system provides the functions expected of it. The attributes grouped under that heading: reliability, resilience, survivability, performance, safety, security, privacy, dependability.
When safety and security are interlinked, this classic definition is extended to include the meaning that the system does not provide any other functions that are not expected of it, whether because of failure, human error, equipment malfunction or malicious attack.
Editor's Notes
The interconnected components include the vehicle's engine management system, brake controller, airbags, seatbelt pre-tensioners, door locks, gauge cluster, sound system, CD changer, seat controls, communications system, telematics unit, and more.
Running throughout the vehicle is a network of wires on which sensor data and vehicle control commands transit back and forth.
Also visible are several long rectangular boxes that represent controllers. These controllers are responsible for issuing commands to the different vehicular components based on the inputs they receive, either in the form of sensor data or commands from the vehicle operator.
ISO 26262:
• Provides an automotive safety lifecycle
• Supports the tailoring of the lifecycle as needed
• Provides an automotive-specific risk-based approach for the determination of Automotive Safety Integrity Levels (ASILs)
• Uses ASILs to specify requirements to avoid unreasonable risk
• Provides requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety is achieved
• Provides requirements for supplier relations
"Every 30 years there is a new wave of things that computers do. Around 1950 they began to model events in the world (simulation), and around 1980 to connect people (communication). Since 2010 they have begun to engage with the physical world in a non-trivial way (embodiment – giving them bodies)."
Butler Lampson, Microsoft Research
Cybersecurity Is Harder Than Building Bridges (see References)
References
Anti-Phishing Working Group. 2015. Phishing Activity Trends Report 1st-3rd Quarters 2015: Unifying the Global Response to Cybercrime. https://docs.apwg.org/reports/apwg_trends_report_q1-q3_2015.pdf
American Society of Civil Engineers. 2013. 2013 Report Card for America's Infrastructure. http://ascelibrary.org/doi/pdf/10.1061/9780784478837 Website: http://www.infrastructurereportcard.org/a/#p/home
Briscoe, B., A. Odlyzko, and B. Tilly. 2006. Metcalfe's law is wrong. IEEE Spectrum (posted July 1). http://www.spectrum.ieee.org/jul06/4109
Cohen, F. 1985. Computer viruses. PhD dissertation, University of Southern California, 1986. http://all.net/books/Dissertation.pdf
The Center for Strategic and International Studies and McAfee. 2014. Net Losses: Estimating the Global Cost of Cybercrime. http://www.mcafee.com/hk/resources/reports/rp-economic-impact-cybercrime2.pdf
CVE Details. 2015. Top 50 products by total number of "distinct" vulnerabilities in 2015. https://www.cvedetails.com/top-50-products.php?year=2015
Denning, P. J. 2016. Fifty years of operating systems. Communications of the ACM 59(3):30–32.
Denning, P. J., and D. E. Denning. 2016. Cybersecurity is harder than building bridges. American Scientist. http://www.americanscientist.org/issues/pub/cybersecurity-is-harder-than-building-bridges/1
Howard, M., and S. Lipner. 2006. The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices). Redmond, WA: Microsoft Press.
Jardine, E. 2015. Global Cyberspace Is Safer Than You Think: Real Trends in Cybercrime. Centre for International Governance Innovation and Chatham House. https://www.cigionline.org/sites/default/files/no16_web_1.pdf
Lampson, B. 2015. Perspectives on protection and security. Lecture, SOSP History Day, Monterey, California, October 4, 2015. http://dl.acm.org/citation.cfm?doid=2830903.2830905
Lemos, R. 2015. Pre-installed Android malware raises security risks in supply chain. eWeek September 1. http://www.eweek.com/security/pre-installed-android-malware-raises-security-risks-in-supply-chain.html
Netmarketshare. 2015. Desktop operating system market share. Accessed 1/22/16. https://www.netmarketshare.com/operating-system-market-share.aspx
Olenick, D. 2015. Companies leaving known vulnerabilities unchecked for 120 days: Kenna. SC Magazine September 30. http://www.scmagazine.com/companies-leaving-known-vulnerabilities-unchecked-for-120-days-kenna/article/441746/
Prevoty, Inc. 2015. The Impact of Security on Application Development: 2015 Survey Report. http://info.prevoty.com/impact-of-security-on-agile-development-report
SANS Institute. 2015. CIS Critical Security Controls for Effective Cyber Defense. https://www.sans.org/critical-security-controls/
Shephard, D. 2015. 84 fascinating and scary IT security statistics. Micro Focus March 16. https://www.netiq.com/communities/cool-solutions/netiq-views/84-fascinating-it-security-statistics/
Tehan, R. 2015. Cybersecurity: Data, Statistics, and Glossaries. Congressional Research Service Report R43310. https://www.fas.org/sgp/crs/misc/R43310.pdf
Wilshusen, G. C. 2015. Information security: cyber threats and data breaches illustrate need for stronger controls across federal agencies. Testimony before the Subcommittees on Research and Technology and Oversight, Committee on Science, Space, and Technology, House of Representatives. United States Government Accountability Office, GAO-15-758T. http://www.gao.gov/assets/680/671253.pdf