Car Cybersecurity: The Gap Still Exists

Automotive Cybersecurity: A Gap Still Exists

Ponemon Institute Survey

Automotive Cybersecurity: The Gap Still Exists

GeneCarterDirectorofProductManagementSecurityInnovation

PeterSamsonVicePresidentandGeneralManagerSecurityInnovation

LarryPonemonChairmanPonemonInstitute

Today’s Speakers

GregRudyDirectorofBusinessDevelopmentINTEGRITYSecurityServicesAGreenHillsCompany

A Few Things…

• A link to the webcast recording and a copy of the slides will be sent to all registrants.

• Submit your questions at any time. They will be addressed at the end of the webcast.

• The Automotive Cyber Security White Paper can be found at https://web.securityinnovation.com/automotive-cybersecurity-gap-still-exists

The State of Automotive Cyber SecurityPeter SamsonVice President and General ManagerSecurity Innovation

F22Raptor

2MillionLoC7MillionLoC 130MillionLoC

Software Complexity787Dreamliner 2016 FordF150

http://www.informationisbeautiful.net/visualizations/million-lines-of-code/

"Perfectionisachieved,notwhenthereisnothingmoretoadd,butwhenthereisnothinglefttotakeaway." AntoinedeSaint-Exupéry

Connected Vehicle Market Growth

$152billion

$141billion

$132billion

$128billion

$98billion

Five-yearEconomicValueNumberofConnectedCars

What Could Go Wrong?TheftTerrorismRevengeMischiefExtortion- RansomwareInsurancefraudEspionageStalkingFeature(de)activationIdentitytheftCounterfeiting

Entry Points for Hackers

InternalDiagnosticPortCD/DVDUSB/SDcardAuxinputCANBusOthernetworksMobilephone

ExternalBluetoothInternetWi-FiKeyfobLIDARDigitalbroadcastsTirePressureMonitorsTaillightDSRC

The Hacker Threat - 2015

ASkyNewsinvestigationfindsthatalmosthalfthe89,000vehiclesbrokenintoinLondonlastyearwerehackedelectronically.



Cybersecurity StandardsHacking protectionData securityHacking mitigation

Privacy standardsTransparencyConsumer choiceMarketing prohibition

Cyber dashboardA window sticker showing how well the car protects the security and privacy of the owner.

Government Takes ActionThe Security and Privacy in Your Car (SPY) Act

And Warns the Public

Digital Millennium Copyright Act

11/2/201605:50PM

Information Sharing and Access Centers

AutomotiveSecurityBestPractices

ü Securitybydesignü Riskassessmentandmanagementü Threatdetectionandprotectionü Incidentresponseü Collaborationwiththirdpartiesü Governanceü Awarenessandtraining

Sponsored by Security Innovation and Integrity Security Services

Automotive Cybersecurity: The Gap Still Exists

LarryPonemonChairmanPonemonInstitute

During August 2016 the Ponemon Institute conducted a cybersecurity survey of more than 500 automotive developers, programmers, engineers, and executives, from automakers (OEMs) and their electronics suppliers.

Introduction

Summary Findings• A growing concern that hackers are actively targeting automobiles.• OEMs are more concerned than their suppliers about automobiles being hacked • The lack of skilled personnel and requirements, and pressure to meet release

dates are the main impediments to secure software development.• Insufficient use of cryptography.• Legacy technology is hindering the ability to make vehicles more secure. • Automakers believe they are not as knowledgeable about secure software

development as other industries. • There is little clarity or consensus regarding a single point of responsibility• On the positive side, there is a small but statistically significant trend toward a

more mature approach to securing vehicles.

Sampleresponse Number %

Samplingframe 8,680 100.0%

Totalreturns 590 6.8%

Rejectedorscreenedsurveys 63 0.7%

Finalsample 527 6.1%

Survey Size

Methods

Demographics

HeadcountofCompaniesSurveyed

Demographics

ReportingLinesJobRoles

Demographics

NumberofSoftwareDevelopers DevelopmentResponsibilities

Responses

Perceptions about automotive security

42%

43%

45%

44%

47%

47%

51%

52%

MYCOMPANYMAKESAUTOMOTIVESECURITYAPRIORITY

AUTOMOTIVEDEVELOPMENTTEAMSHAVETHESKILLSNECESSARYTOCOMBATCYBERSECURITYTHREATS

MYORGANIZATIONRECRUITSANDRETAINSEXPERTPERSONNELTOMINIMIZESECURITYRISKSINAUTOMOBILES

HACKERSAREACTIVELYTARGETINGAUTOMOBILES

FY2016 FY2015

AGREE45%DISAGREE

55%

Workers

ISSECURITYAPRIORITYFORYOURCOMPANY?

AGREE61%

DISAGREE39%

Management

AGREE52%UNSURE

28%

DISAGREE20%

AREHACKERTARGETINGCARS?

Organizational Alignment ?

Who is responsible for Security?

23%

17%

18% 11%

12%

19% CIO

CISOPartner

QA

Developer

NoOne!

Perceptions about security practices

26%

44%

45%

43%

44%

24%

39%

43%

47%

49%

MYCOMPANYHASTHEENABLINGTECHNOLOGIESTOENSUREAUTOMOTIVEDEVELOPMENTISSECURE

AUTOMAKERSARENOTASKNOWLEDGEABLEABOUTSECUREPLATFORMDEVELOPMENTASOTHERINDUSTRIESARE

ITWILLBETHENORMFORMYCOMPANYTOPARTICIPATEINOPENDISCLOSUREOFBUGSANDBUGBOUNTYPROGRAMS

MYCOMPANY’SAUTOMOTIVEDEVELOPMENTPROCESSINCLUDESACTIVITIESFORSECURITYREQUIREMENTS,DESIGN,IMPLEMENTATION

ANDTESTING

ENGINEERSANDDEVELOPERSAREADEQUATELYTRAINEDINSECUREARCHITECTUREANDCODINGPRACTICES

FY2016 FY2015

Challenges to securing automobile software

12%

16%

38%

48%

64%

67%

54%

6%

11%

18%

34%

43%

58%

65%

65%

OTHER

TOOEXPENSIVE

ADDSTOOMUCHTIMETOTHESOFTWAREDEVELOPMENTPROCESS

LACKOFFORMALSECURITYREQUIREMENTS

LACKOFDEFINEDCORPORATEAPPLICATIONSECURITYPOLICIES

INSUFFICIENTRESOURCES

LACKOFSKILLEDPERSONNEL

PRESSURETORELEASE

FY2016 FY2015

What methods does your team use to ensure code is secure without vulnerabilities?

65%

48%

41%

27%

25%

24%

23%

3%

63%

50%

36%

0%

27%

24%

25%

10%

AUTOMATEDCODESCANNINGTOOLSDURINGDEVELOPMENT

AUTOMATEDCODESCANNINGTOOLSAFTERRELEASE

MANUALPENETRATIONTESTING

NONEOFTHEABOVE

AUTOMATEDSCANNINGTOOLSUSEDINPRODUCTION

THREATMODELLING/RISKASSESSMENTDURINGDEVELOPMENT

ADHERENCETOSECURECODINGSTANDARDS

OTHER

2016 2015

35% 39%

18% 7% 1%

Verydifficult Difficult Somewhatdifficult Notdifficult Easy

How difficult is it to secure automobiles?

How difficult is it to secure automobiles?

1% 7%

18%

39% 35%

2% 9%

21%

33% 36%

1TO2 3TO4 5TO6 7TO8 9TO10

FY2016 FY2015

Easy Hard

Is it possible to build a near hack proof car?

17%

55%

28% 19%

47%

34%

YES NO UNSURE

FY2016 FY2015

Challenges to Securing Automobiles

11%

16%

38%

48%

54%

67%

18%

34%

43%

65%

65%

TOOEXPENSIVE

ADDSTOOMUCHTIME

LACKOFREQUIREMENTS

LACKOFCOMPANYPOLICY

PRESSURETORELEASE

LACKOFSKILLEDPEOPLE

2016 2015

“PickTop3challenges”

CaveatsThere are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are automotive application development process. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.

©2016INTEGRITYSecurityServices- Confidential Slide36

expertsinend-to-endembeddedsecurity

Car Cybersecurity: The Gap Still Exists

Gregory RudyDirector of Business Development

Driving Forward

©2016INTEGRITYSecurityServices,Inc- Confidential Slide37

ThreatActors

q Whoarethesehackers?§ Individuals(significanttime,variedexpertise,limited$&capability)§ Corporate(moderatetime,highexpertise,moderate$&capability)§ Universities(moderatetime&$,highexpertise,highcapability)§ Terrorists(moderatetime,variedexpertise,moderate$&capability)§ Nationstates(significanttime,highexpertise,high$&capability)

q HackingGoals§ Fameandnotoriety§ Economicgain– e.g.,unlockhiddenfunctionality;accessIP/content§ Terrorism- e.g.,disruptacityatrushhour;removefleetfromservice

q Hackingconsequences§ Branddamage– lossofcustomerconfidenceinproducts/systems§ Liability§ Economicloss


Standards:ISO26262Safety

UsingISO26262≠ Securityinyourdesign

q IfyoudesigntoISO26262forsafety,otherconsiderationsmustbetakentoachievelevelsofsystemsecurity§ SecureBoot§ DeviceAuthentication§ SoftwareAuthentication§ FIPS140-2Cryptography§ UseofproductsthatadheretoandarecertifiedtohighEvaluationAssuranceLevels(EAL)byBSIand/orCommonCriteria

§ Andmore….


ECUSecurityArchitectureDesign

q Manyarelookingintherearviewmirrorto“solve”currentandfuturevehiclesecurityproblems§ FocusonITenterprise-stylesolutionofperimetersecurity

• “AllweneedisafirewallandIDS”• Networksegmentation• SSLtothecloud

o Improper/outdatedcryptoo Poorauthentication

q “Theconceptofperimetercontrolisintotalcrisis”–DanGeer,CISOofIn-Q-Tel

Totallyintegrated,

15%

Partiallyintegrated,

34%

Addedon,47%

Unsure,4%

Doesyourcompanyintegratesecurityarchitecturedesignintothedevelopmentprocess?


ECUSecurityArchitectureDesign

q Embeddedspaceisfundamentallydifferent

§ Constrainedenvironments

§ WelldefinedfunctionalityonmostECUs• InfotainmentistheoutlierduetoAndroid/IOSsupport&passengerdevice/applicationinterface.

§ Wecandomuchbetterbydesigningforthisenvironment!

§ Defenseindepthisstillrequiredandattainable!

©2016INTEGRITYSecurityServices,Inc.- Confidential Slide41

RetrofittingSecurityisHardtoDo


FirstSteps- UnderstandtheTask

q Identifycriticalassetsthatrequireprotectionandtheirlifetimes§ Intellectualproperty,goldfirmwareimages/bitstreams,software/featureupdates,secrets(keys),

identities§ ECUsfieldedfor20– 30years

q Understandtheattacksurfacesthatcanbeexploitedtorecover/modifythecriticalassets§ Application&implementationdependent§ Allremoteandlocalconnectivitypoints

• Wireless(BT,WiFi,Cellular,GPS,etc.)&wired(USB,Ethernet,CAN,DVD,OBD-II,etc)§ PhysicalanalysisofECUinternals


FirstSteps

q Understandthedifficultyofexploitingtheattacksurfaces§ CananattackeranalyzeoneECUtorecoveranassetthatcancompromisea

largenumberofvehicles?§ Canover-the-airmessagesbesenttoarbitraryvehicles?§ Cantheservicenetworkbeusedtoinjectspecificdata?

q Examinethelikelihoodofexploitation§ Alocalphysicalattackthatcompromisesasinglevehicleisfarless

interestingthanonethatcompromisesmany§ Remoteattacksaretheholygrail§ Anation-statecanbeverypatientandpersistent

q Don’tassumeproprietaryimplementationswillprotectyou!§ ArroganceandignorancecaneachdestroyyourECU


HolisticViewAcrossAllDomainsisRequired

Product Security Domain

Manufacturing Security Domain

Operations Security Domain

- Hardware - Firmware- OS- Applications

- Contract Manufacturing- Chip Providers- Board Providers- Test Houses- ISVs

- Updates- Feature Control- Content Mgmt- Users - Administrators- Hackers

Security Must Exist in All Domains

44

Totallyintegrated,

11%

Partiallyintegrated,

29%Addedon,55%

Unsure,5%

Doesyourcompanyintegratethesecurityarchitecture,includingtheentiresupply

chainandpartnernetwork?


ECUCryptographicBoundary

q FIPS140-2requiresallhardware,softwareandfirmwareimplementingcryptographicfunctionsincludingalgorithmsandkeygenerationbecontainedwithinadefinedcryptographicboundary

q Reliableandseparatefromuntrustedsoftwareq Beginswithahardwarerootoftrust

§ SecureBootSupport§ RandomNumberGeneration§ SecureKeyStorage§ CryptographicAcceleration§ Anti-Tamperprotection 0%

10%

20%

30%

40%

50%

60%

Secureboot Encryptedcommunication

Endpointauthentication

Encrypteddatainstorage

Whichofthefollowingsystemsecurityfeaturesdoesyourcompanycurrently

use?Selectallthatapply


DefenseinDepth

HardwareRootofTrust

SoftwareCrypto

SecureBoot

SecurityProtocols

SeparationDesign

RemoteUpdates

EstablishaTrustedPlatform

Securesecurecommunication

Minimizesoftwaredefectrisk


TodaysComplexSupplyChains

Headquarters

ManufacturingSites

3rd Parties

StrategicPartners


InfrastructureRequirement

SecurityInfrastructuresMust

q Signsoftwareimagesq GenerateKeysandCertificatesq Injectsensitivematerialq Rootkeyprotection

q DeviceAuthentication

q RemoteManagement

q SoftwareUpdates

CriticalConsiderations:§ DistributedSupplyChains

§ MultipleProducts§ PartnerAccess§ High-Availability

§ ChangingAlgorithms


EnterpriseSecurityInfrastructure

Zeroexposuredistributionoftrustassetsacrossglobalsupplychains


Don’tbeAfraidtoAsk…

q ThispresentationonlycoversafewofthearchitecturedesignissuesforECUs§ “Cryptographicprotocolsandtheirimplementations…they’revery

hardtogetright.”– StevenBellovin,professor,ColumbiaUniversity

q Honestlyassessyourteamsexpertiseintheseareas§ Securedesign&implementation,supplychainsecurity,postsale

security

q DieboldgotitALLwrongintheirvotingmachines

q ReachouttoanexpertgroupsuchasINTEGRITYSecurityServicestohelpyousoyourECUsecurityiscorrectfromthestart§ Savedesigntime– moreeyesontheproblem,thebetter!§ Secureyoursupplychain§ Preventrecalls§ Protectrevenue&brand

Q&A

Thank you!Learn more about our automotive services:https://www.securityinnovation.com/solutions/auto-industry-security

Download the whitepaper: https://web.securityinnovation.com/automotive-cybersecurity-gap-still-exists

https://www.securityinnovation.com/solutions/auto-industry-security

https://web.securityinnovation.com/automotive-cybersecurity-gap-still-exists