Automotive Cybersecurity: A Gap Still Exists
Ponemon Institute Survey
Automotive Cybersecurity: The Gap Still Exists
Today’s Speakers
• Gene Carter, Director of Product Management, Security Innovation
• Peter Samson, Vice President and General Manager, Security Innovation
• Larry Ponemon, Chairman, Ponemon Institute
• Greg Rudy, Director of Business Development, INTEGRITY Security Services, A Green Hills Company
A Few Things…
• A link to the webcast recording and a copy of the slides will be sent to all registrants.
• Submit your questions at any time. They will be addressed at the end of the webcast.
• The Automotive Cyber Security White Paper can be found at https://web.securityinnovation.com/automotive-cybersecurity-gap-still-exists
The State of Automotive Cyber Security
Peter Samson, Vice President and General Manager, Security Innovation
Software Complexity
• F22 Raptor: 2 million LoC
• 787 Dreamliner: 7 million LoC
• 2016 Ford F150: 130 million LoC
Source: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/
"Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away." Antoine de Saint-Exupéry
Connected Vehicle Market Growth
[Chart: Five-year Economic Value and Number of Connected Cars; data labels as extracted: $152 billion, $141 billion, $132 billion, $128 billion, $98 billion]
What Could Go Wrong?
• Theft
• Terrorism
• Revenge
• Mischief
• Extortion - Ransomware
• Insurance fraud
• Espionage
• Stalking
• Feature (de)activation
• Identity theft
• Counterfeiting
Entry Points for Hackers
Internal
• Diagnostic Port
• CD/DVD
• USB/SD card
• Aux input
• CAN Bus
• Other networks
• Mobile phone
External
• Bluetooth
• Internet
• Wi-Fi
• Key fob
• LIDAR
• Digital broadcasts
• Tire Pressure Monitors
• Taillight
• DSRC
The Hacker Threat - 2015
A Sky News investigation finds that almost half the 89,000 vehicles broken into in London last year were hacked electronically.
The Hacker Threat - 2016
Government Takes Action
The Security and Privacy in Your Car (SPY) Act
• Cybersecurity Standards: Hacking protection, Data security, Hacking mitigation
• Privacy standards: Transparency, Consumer choice, Marketing prohibition
• Cyber dashboard: A window sticker showing how well the car protects the security and privacy of the owner.
And Warns the Public
Digital Millennium Copyright Act
11/2/2016 05:50 PM
Information Sharing and Access Centers
Automotive Security Best Practices
✓ Security by design
✓ Risk assessment and management
✓ Threat detection and protection
✓ Incident response
✓ Collaboration with third parties
✓ Governance
✓ Awareness and training
Sponsored by Security Innovation and Integrity Security Services
Automotive Cybersecurity: The Gap Still Exists
Larry Ponemon, Chairman, Ponemon Institute
Introduction
During August 2016 the Ponemon Institute conducted a cybersecurity survey of more than 500 automotive developers, programmers, engineers, and executives, from automakers (OEMs) and their electronics suppliers.
Summary Findings
• A growing concern that hackers are actively targeting automobiles.
• OEMs are more concerned than their suppliers about automobiles being hacked.
• The lack of skilled personnel and requirements, and pressure to meet release dates are the main impediments to secure software development.
• Insufficient use of cryptography.
• Legacy technology is hindering the ability to make vehicles more secure.
• Automakers believe they are not as knowledgeable about secure software development as other industries.
• There is little clarity or consensus regarding a single point of responsibility.
• On the positive side, there is a small but statistically significant trend toward a more mature approach to securing vehicles.
Survey Size
Sample response                 Number    %
Sampling frame                  8,680     100.0%
Total returns                   590       6.8%
Rejected or screened surveys    63        0.7%
Final sample                    527       6.1%
Methods
Demographics
[Chart: Headcount of Companies Surveyed]
[Charts: Reporting Lines; Job Roles]
[Charts: Number of Software Developers; Development Responsibilities]
Responses
Perceptions about automotive security
[Bar chart comparing FY2016 and FY2015 agreement with the statements below; data labels as extracted: 42%, 43%, 45%, 44%, 47%, 47%, 51%, 52%]
• My company makes automotive security a priority
• Automotive development teams have the skills necessary to combat cybersecurity threats
• My organization recruits and retains expert personnel to minimize security risks in automobiles
• Hackers are actively targeting automobiles
Organizational Alignment?
Is security a priority for your company?
• Workers: Agree 45%, Disagree 55%
• Management: Agree 61%, Disagree 39%
Are hackers targeting cars?
• Agree 52%, Unsure 28%, Disagree 20%
Who is responsible for Security?
[Pie chart; categories: CIO, CISO, Partner, QA, Developer, No One!; data labels as extracted: 23%, 17%, 18%, 11%, 12%, 19%]
Perceptions about security practices
[Bar chart comparing FY2016 and FY2015 agreement with the statements below; data labels as extracted: 26%, 44%, 45%, 43%, 44%, 24%, 39%, 43%, 47%, 49%]
• My company has the enabling technologies to ensure automotive development is secure
• Automakers are not as knowledgeable about secure platform development as other industries are
• It will be the norm for my company to participate in open disclosure of bugs and bug bounty programs
• My company’s automotive development process includes activities for security requirements, design, implementation and testing
• Engineers and developers are adequately trained in secure architecture and coding practices
Challenges to securing automobile software
[Bar chart comparing FY2016 and FY2015 for the challenges below; data labels as extracted: 12%, 16%, 38%, 48%, 64%, 67%, 54%, 6%, 11%, 18%, 34%, 43%, 58%, 65%, 65%]
• Other
• Too expensive
• Adds too much time to the software development process
• Lack of formal security requirements
• Lack of defined corporate application security policies
• Insufficient resources
• Lack of skilled personnel
• Pressure to release
What methods does your team use to ensure code is secure without vulnerabilities?
[Bar chart comparing 2016 and 2015 for the methods below; data labels as extracted: 65%, 48%, 41%, 27%, 25%, 24%, 23%, 3%, 63%, 50%, 36%, 0%, 27%, 24%, 25%, 10%]
• Automated code scanning tools during development
• Automated code scanning tools after release
• Manual penetration testing
• None of the above
• Automated scanning tools used in production
• Threat modelling/risk assessment during development
• Adherence to secure coding standards
• Other
How difficult is it to secure automobiles?
• Very difficult: 35%
• Difficult: 39%
• Somewhat difficult: 18%
• Not difficult: 7%
• Easy: 1%
How difficult is it to secure automobiles?
Scale (Easy to Hard)    1 to 2    3 to 4    5 to 6    7 to 8    9 to 10
FY2016                  1%        7%        18%       39%       35%
FY2015                  2%        9%        21%       33%       36%
Is it possible to build a near hack proof car?
            Yes     No      Unsure
FY2016      17%     55%     28%
FY2015      19%     47%     34%
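Challenges to Securing Automobiles
“Pick Top 3 challenges”
[Bar chart comparing 2016 and 2015 for the challenges below; data labels as extracted: 11%, 16%, 38%, 48%, 54%, 67%, 18%, 34%, 43%, 65%, 65%]
• Too expensive
• Adds too much time
• Lack of requirements
• Lack of company policy
• Pressure to release
• Lack of skilled people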
Caveats
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are involved in the automotive application development process. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.
Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.
© 2016 INTEGRITY Security Services - Confidential Slide 36
experts in end-to-end embedded security
Car Cybersecurity: The Gap Still Exists
Gregory Rudy, Director of Business Development
Driving Forward
Threat Actors
• Who are these hackers?
  - Individuals (significant time, varied expertise, limited $ & capability)
  - Corporate (moderate time, high expertise, moderate $ & capability)
  - Universities (moderate time & $, high expertise, high capability)
  - Terrorists (moderate time, varied expertise, moderate $ & capability)
  - Nation states (significant time, high expertise, high $ & capability)
• Hacking Goals
  - Fame and notoriety
  - Economic gain – e.g., unlock hidden functionality; access IP/content
  - Terrorism - e.g., disrupt a city at rush hour; remove fleet from service
• Hacking consequences
  - Brand damage – loss of customer confidence in products/systems
  - Liability
  - Economic loss
Standards: ISO 26262 Safety
Using ISO 26262 ≠ Security in your design
• If you design to ISO 26262 for safety, other considerations must be taken to achieve levels of system security
  - Secure Boot
  - Device Authentication
  - Software Authentication
  - FIPS 140-2 Cryptography
  - Use of products that adhere to and are certified to high Evaluation Assurance Levels (EAL) by BSI and/or Common Criteria
  - And more…
ECU Security Architecture Design
• Many are looking in the rearview mirror to “solve” current and future vehicle security problems
  - Focus on IT enterprise-style solution of perimeter security
    - “All we need is a firewall and IDS”
    - Network segmentation
    - SSL to the cloud
      - Improper/outdated crypto
      - Poor authentication
• “The concept of perimeter control is in total crisis” – Dan Geer, CISO of In-Q-Tel
Does your company integrate security architecture design into the development process?
• Totally integrated: 15%
• Partially integrated: 34%
• Added on: 47%
• Unsure: 4%
ECU Security Architecture Design
• Embedded space is fundamentally different
  - Constrained environments
  - Well defined functionality on most ECUs
    - Infotainment is the outlier due to Android/iOS support & passenger device/application interface.
  - We can do much better by designing for this environment!
  - Defense in depth is still required and attainable!
Retrofitting Security is Hard to Do
First Steps - Understand the Task
• Identify critical assets that require protection and their lifetimes
  - Intellectual property, gold firmware images/bitstreams, software/feature updates, secrets (keys), identities
  - ECUs fielded for 20 – 30 years
• Understand the attack surfaces that can be exploited to recover/modify the critical assets
  - Application & implementation dependent
  - All remote and local connectivity points
    - Wireless (BT, WiFi, Cellular, GPS, etc.) & wired (USB, Ethernet, CAN, DVD, OBD-II, etc.)
  - Physical analysis of ECU internals
First Steps
• Understand the difficulty of exploiting the attack surfaces
  - Can an attacker analyze one ECU to recover an asset that can compromise a large number of vehicles?
  - Can over-the-air messages be sent to arbitrary vehicles?
  - Can the service network be used to inject specific data?
• Examine the likelihood of exploitation
  - A local physical attack that compromises a single vehicle is far less interesting than one that compromises many
  - Remote attacks are the holy grail
  - A nation-state can be very patient and persistent
• Don’t assume proprietary implementations will protect you!
  - Arrogance and ignorance can each destroy your ECU
Holistic View Across All Domains is Required
Product Security Domain
- Hardware
- Firmware
- OS
- Applications
Manufacturing Security Domain
- Contract Manufacturing
- Chip Providers
- Board Providers
- Test Houses
- ISVs
Operations Security Domain
- Updates
- Feature Control
- Content Mgmt
- Users
- Administrators
- Hackers
Security Must Exist in All Domains
Does your company integrate the security architecture, including the entire supply chain and partner network?
• Totally integrated: 11%
• Partially integrated: 29%
• Added on: 55%
• Unsure: 5%
ECU Cryptographic Boundary
• FIPS 140-2 requires all hardware, software and firmware implementing cryptographic functions including algorithms and key generation be contained within a defined cryptographic boundary
• Reliable and separate from untrusted software
• Begins with a hardware root of trust
  - Secure Boot Support
  - Random Number Generation
  - Secure Key Storage
  - Cryptographic Acceleration
  - Anti-Tamper protection
Which of the following system security features does your company currently use? Select all that apply
[Bar chart, axis 0% to 60%; categories: Secure boot, Encrypted communication, Endpoint authentication, Encrypted data in storage]
Defense in Depth
• Hardware Root of Trust
• Software Crypto
• Secure Boot
• Security Protocols
• Separation Design
• Remote Updates
Establish a Trusted Platform
Secure communication
Minimize software defect risk
Today’s Complex Supply Chains
• Headquarters
• Manufacturing Sites
• 3rd Parties
• Strategic Partners
Infrastructure Requirement
Security Infrastructures Must
• Sign software images
• Generate Keys and Certificates
• Inject sensitive material
• Root key protection
• Device Authentication
• Remote Management
• Software Updates
Critical Considerations:
  - Distributed Supply Chains
  - Multiple Products
  - Partner Access
  - High-Availability
  - Changing Algorithms
Enterprise Security Infrastructure
Zero exposure distribution of trust assets across global supply chains
Don’t be Afraid to Ask…
• This presentation only covers a few of the architecture design issues for ECUs
  - “Cryptographic protocols and their implementations… they’re very hard to get right.” – Steven Bellovin, professor, Columbia University
• Honestly assess your team’s expertise in these areas
  - Secure design & implementation, supply chain security, post sale security
• Diebold got it ALL wrong in their voting machines
• Reach out to an expert group such as INTEGRITY Security Services to help you so your ECU security is correct from the start
  - Save design time – more eyes on the problem, the better!
  - Secure your supply chain
  - Prevent recalls
  - Protect revenue & brand
Q&A
Thank you!
Learn more about our automotive services: https://www.securityinnovation.com/solutions/auto-industry-security
Download the whitepaper: https://web.securityinnovation.com/automotive-cybersecurity-gap-still-exists