Data Privacy and Cyber Security Threats to the Remarketing Industry
Faye Francy
Executive Director
Automotive Information Sharing and Analysis Center (Auto-ISAC)
Andrea Amico
Chair
IARA Privacy and Cybersecurity Initiative
(Survey chart) IARA Views: Regulation & Compliance
Question: "My current view is that risk, regulation, and compliance requirements specifically for our industry will…" (responses: Decrease / Same / Increase; Total)
Topics: CFPB, Cyber, Vehicle PII
(Survey chart) Role IARA can play (responses >50%)
• Raise awareness/education on privacy risks and countermeasures
• Compile best practices
• Raise awareness/education on cybersecurity risks and countermeasures
• Assist members in navigating the regulatory landscape
• Cooperate with other industry associations
Hi All,
Please find attached the Weekly Automotive Industry Report covering April 3 – April 8.
This week’s report includes articles on:
• Toyota partnering with Microsoft on a new cloud-based division led by the CIO,
• Intel acquiring a semiconductor manufacturer that builds chips for self-driving cars,
• Hyundai unveiling its connected vehicle “roadmap,” and
• Toyota planning to open a new autonomous vehicle research center in Michigan.
You can find past reports on site.
Please let me know if you have any questions. Have a great weekend.
Josh
Collaborating Across the Automotive Industry
Cybersecurity Threats against our industry
CAR Conference - Las Vegas
Faye Francy
Executive Director
March 7, 2018
Meet the Speaker
Faye Francy
Executive Director of Auto-ISAC
Member of National Council of ISACs
Past Positions
• Executive Director of Aviation-ISAC
• The Boeing Company, Boeing Commercial Airplanes
• ARINC, Director Forensic / Chief Chemist
• DC Analyst’s Roundtable, Membership Chair
• InterSec, President and AvSec, Senior Vice President, Owner
Education
• Bachelor’s of Science, Chemistry & Mathematics
• Master’s of Science, Forensic Chemistry
Auto-ISAC
Significant Changes in Automotive World
Digital Connected Vehicles provide operational efficiencies and risks…
Digital Age
• Customers demanding connectivity, automation brings efficiencies
• Increased cyber vulnerabilities in connected vehicles
• News media, congressional oversight, regulatory demands action
Connected Vehicles
• Integrated across Systems (SoS): Connectivity provides greater efficiencies and risk
• Cyber threats and vulnerabilities growing
• Regulation addressed by Best Practices
• And autonomy, V2V, V2I coming….
(Figure: cocktail napkin – 100M lines of code)
Transforming through connectivity
Breakthroughs in vehicle technologies include: Autonomy, Electrification, Ridesharing, Enhanced consumer experience, Predictive maintenance
These breakthroughs require cyber capabilities for: Safety, Privacy, Efficiency
Cybersecurity Challenge
With connectivity comes cyber risk
Yesterday
• On-vehicle software and electronics
• Entertainment
• Physical connection to vehicle required
• Limited Vulnerability
Today
• Convenience & Entertainment
• Connected services, Partial automation, On-vehicle Wi-Fi
• Known vulnerabilities, Proven remote attack capability
• Demonstrated Threat
Tomorrow
• Safety, Convenience, & Entertainment
• IoT integration, On-vehicle commerce, V2V, V2I, V2X, Full automation
• Expansive, complex attack surface; Motivated, capable adversary; Potential impact to safety, privacy, and quality
• Industry-Wide Risk
As connected features grow, cyber risks multiply
Cybersecurity Challenge
Evolution of the cyber threat
Early Hacks (2010-2014)
• March, 2010: Fired auto dealer employee disabled 100 vehicles via Remote Immobilization System
• May, 2010: UCSD and UW researchers hacked into unnamed mid-price sedan
• January 2012: Start the CyberAuto Challenge
• July 2012: Anonymous video showed keyless BMW hacked
• July, 2013: DARPA-funded researchers hacked into Ford Explorer and Toyota Prius
• August, 2013: Scientists found a way to steal vehicle key authentication, Volkswagen blocked research publication
• November 2014: Researchers hacked a car with Zubie device
Recent Hacks (2015-2017)
• January 2015: Hacker hacks a Toyota Tundra via OBD2 dongle
• February 2015: Researchers from German Automobile Association unlocked BMW doors
• February 2015: DARPA’s Dan Kaufman demonstrates vehicle hacking to CBS
• July 2015: Researchers hacked GM’s OnStar Remote Link system to control vehicle
• July 2015: Researchers remotely hack a Jeep Cherokee while being driven on a highway
• August, 2015: Researchers demonstrated remotely hacking a Chevrolet Corvette
• August, 2015: Researchers demonstrated hacking a Tesla Model S and planting a remote-access Trojan
• February 2016: Researcher discloses Nissan Leaf vulnerability
• July 2016: Researchers expanded findings on 2015 Jeep Cherokee hack
• February 2017: Kaspersky Labs discloses connected vehicle mobile app vulnerabilities
• May 2017: Ransomware reportedly shuts down 2 OEMs’ mfg. operations
Cybersecurity Challenge
Today’s Trending Threats
Vulnerabilities
• Mobile Apps: Mobile apps used to control car features are proliferating and may expose user data or vehicle functions if not properly secured
• OBDII Dongles: Although the OBDII port requires proximity to exploit, it provides access to the relatively insecure, safety critical CAN Bus.
Real-World Exploits
• Car Theft: Key fob hacks (e.g. replay attacks) allow attackers to unlock cars using commercially available devices
• Attackers reportedly stole PII from an OEM’s IT system and used it to locate, unlock, and steal targeted vehicles
What are we seeing in the wild today?
(Figure) Threat actor (Criminal, Hacktivist, Nation State, ?) + Vehicle Cyber Attack = Service Disruption, PII/Payment Info Theft, Physical Destruction, Remote Control, Manufacturing Disruption
State of the Threat
Why an ISAC?
Information Sharing and Analysis Center (ISAC)
Organizations must act individually to manage cyber risk… (Internal Investment / External Investment)
…one company’s detection is another company’s prevention
• Identify emerging threats and vulnerabilities earlier
• Pool limited resources to better fight your adaptive adversary
• Share incident intelligence to act more quickly
• Proactively shape industry-wide best practices
• Protect overall trust in innovation across the industry
• Build resiliency across industry
(Figure: Protect, Detect, Respond, Enhance)
State of the Threat
Auto-ISAC Introduction
Mission: Serve as an unbiased information broker to provide a central point of coordination and communication for the global automotive industry through the analysis and sharing of trusted and timely cyber threat information.
Scope: Light- and heavy-duty vehicles, commercial vehicle fleets and carriers. Currently, we are focused on product cyber security, and anticipate expanding into manufacturing and IT cyber related to the vehicle.
What We Do
• Community Development: Workshops, exercises, all hands, summits and town halls
• Intel Sharing: Data curation across intel feeds, submissions and research
• Analysis: Validation, context and recommendations
• Best Practices: Development, dissemination and maintenance
• Partnerships: Industry, academia, vendors, researchers and government
Overview
Specific Goals
• Serve as an unbiased information broker
• Increase the timeliness and quality of information shared
• Conduct threat analyses for contextual, relevant, and actionable information
• Maintain agility and flexibility to adapt to change
Five Cornerstones
1. Submission Anonymity
2. Authenticated Sharing of Information
3. Industry Owned and Operated
4. Limitation on Use of Information
5. Compliance with all U.S. Legal Requirements and Antitrust Laws
Governance
How we operate / Governance
(Organization chart)
• Board of Directors: OEM Members* and Affiliate Advisory Board Chairman and Vice Chairman
• Executive Committee: Chairman, Vice Chairman, Treasurer, Secretary, AAB Chairman
• Executive Director
• Standing Committees, Task Forces & Working Groups: Information Sharing; Membership & Benefits; Finance & Audit; Nominating; Best Practices; Summit; Analyst Community
• Operations Team: Program Ops Manager, Support Staff, Third Party Services (e.g. legal)
• Affiliate Advisory Board (AAB): Gold and Platinum non-OEM Members
• Supplier Affinity Group
• Commercial Vehicle Affinity Group
*OEMs with >100M in global annual revenue.
Governance
Spotlight: Intel Sharing & Analysis
Contributors: OEMs, Suppliers, Vendors, Government, Other ISACs, Academia & Research
Types of Information
• Vulnerabilities
• Threat feeds
• Research
• Best practices
• Intelligence
• Trends
• Forecasts
• Data feeds
Auto-ISAC Analysis: Validation, Analysis, Impact assessment, Pattern identification
Results
• Efficiently identify threats by supplementing internal intelligence with external sources
• Detect vulnerabilities faster with cross-industry vulnerability information sharing
• Validate risk analysis with reliable industry-level findings and best practices
Auto-ISAC Portal
• Intel reports
• Trend analysis & dashboards
• Wiki pages
Key Takeaway: A diversity of information sources is what drives the value of our intel sharing and analysis capabilities.
Governance
Spotlight: Best Practices
Our Objective: Demonstrate the industry's proactive collaboration to protect consumer safety through vehicle cyber security
Our Method: Define best practices for securing the vehicle ecosystem, and provide guidance to implement them
Our Outputs
• Executive Summary: High-level document defining Key Cyber Functions and Best Practices. Currently available on our website.
• Best Practice Guides: Implementation guide on each Cyber Function. These guides will be developed by our Working Group over time.
Cyber Functions: Incident Response; Collaboration & Engagement; Governance; Risk Management; Security by Design; Threat Detection & Protection; Training & Awareness
Members Contribute to Each Guide
Public Release after Time Period via our Website.
What We Do
Strategic Partnership Programs
Not eligible for membership?
Auto-ISAC encourages individuals / organizations to participate on monthly Community Calls and contribute demos, research, white papers, etc. We are also formalizing three partnership programs:
INNOVATOR: Paid Partnership
- Annual investment and contractual agreement
- Commitment to engage in Auto-ISAC activities (see next slide)
For Solutions Providers: For-profit companies that sell cybersecurity-related connected vehicle products & services. Examples: HackerOne, SANS
NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes (see next slide)
For Associations+: Industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, ATA, IARA
COLLABORATOR: Coordination Partnership
- May not require a formal agreement
- Information exchanges and coordination activities
For Community: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, DHS, NHTSA
Partnership
Strategic Partnership Programs
Activities
• Research: Some partners share white papers and research projects on threats & vulnerabilities with our members.
• Webinars: We are open to partners presenting at our Community Town Halls, with audience including members & beyond.
• Intel Sharing: Some partners submit relevant data, insights and papers addressing threats against the automotive industry.
• Member Discounts: Some partners promote discounts or special offers for services (e.g. conferences, software licenses).
• Other: We are open to other types of in-kind support (e.g. training, infrastructure support) based on your expertise.
Benefits
• Branding on the Auto-ISAC Website: Partner names and/or logos will be featured on the Auto-ISAC public-facing website.
• Community Town Halls: We invite you to monthly calls featuring experts across the connected vehicle ecosystem.
• Annual Executive Call: Our executives will host a call once a year for all Members and partners to present our strategic goals and priorities.
• Summit Booth Priority: Partners will receive priority booth selection at future Auto-ISAC Summits.
• Access to Auto-ISAC Reports: Our partners receive Auto-ISAC TLP Green/White reports and special reports at Auto-ISAC’s discretion.
Future Plans
Auto-ISAC successes
• Educated key congressional, regulatory and media stakeholders on our work
• Conducting lunch-and-learn with our Board of Directors and Affiliate Advisory Board, featuring key partner insights and research
• Monthly Community Calls to create a forum for engaging non-Members and encourage vehicle cyber information exchange
• Established a Strategic Partner Program to engage solutions providers, trade associations, government, academia, security researchers, etc.
• Established 2 factor secure Portal January 2016, with continued increases in reports and discussion board topics
• F2F Analyst Workshops and Table Top Exercises, bringing together over 40 analysts from member companies to share information and learn together.
• Published 3 Best Practice Guides on Incident Response, Collaboration & Engagement, and Governance
• Signed a Cooperative Research and Development Agreement (CRADA) with DHS to share intelligence
Accomplishments
Auto-ISAC Benefits
Securing Across the Auto Industry
• Focused Intelligence Information/Briefings
• Cybersecurity intelligence sharing
• Vulnerability resolution
• Member to Member Sharing
• Distribute Information Gathering Costs across the Sector
• Non-attribution and Anonymity of Submissions
• Information source for the entire organization
• Risk mitigation for automotive industry
• Comparative advantage in risk mitigation
• Security and Resiliency
Benefits
Strategic Navigation
Building a Roadmap to Protect Automotive Industry
• Culture of Security: Embedded Network Security Requirements; Training & Awareness / New Skills
• Institutionalize Incident Responses: Threat Response and Recovery; Public – Private Information Sharing and Analysis; Forensics Analysis Capabilities
• Design-in Cyber Requirements: Value Chain Visibility/Traceability; Lifecycle Cyber Management; Shift to Risk Management
Navigation
A Framework for Cybersecurity
Establish common cybersecurity best practices for automotive
Establish a cybersecurity culture
Understand the threat
Understand the risk
Communicate the threats and assure situational awareness
Provide incident response
Strengthen the defensive system
Define design principles
Define operational principles
Conduct necessary research and development
Ensure that private sector, government and partners work together
Resiliency Across the Global Automotive Industry
The Value of Membership
Find and fix issues faster: Time is money, especially in cyber. Members receive verified, timely cyber threat, vulnerability, and remediation information.
Maintain a trusted brand: Customers demand safety and privacy. OEMs demand secure components from suppliers. Joining the ISAC demonstrates a commitment to protecting vehicles, services and, ultimately, drivers.
Stay ahead of regulation – develop a unified voice: Uniting on the cyber challenge, and maintaining clear channels with global government bodies, helps inform and shape legislation.
Enhance capabilities: Our community is a trusted forum to share insights and learn from one another. Formal activities, like exercises and workshops, and informal relationship-building cultivate this trust.
Education and Awareness
Collaboration and Cooperation
Value
PII Study Results
(Chart: % of sample by system: Phone/BT, GPS/Nav, Garage, Telem(OEM); categories: Not reported; System present, info not found; System present, personal info confirmed; System missing)
At least 50% of sampled vehicles have Nav or BT Personal Information
(Survey chart) IARA Views: what about PII?
Items: PII wipe tracking with Auto-IMS; PII wiping program
Responses: Oppose launching this feature; Not oppose launching this feature (e.g. does…; Endorse adopting the feature and being involved (potential…
A researcher […] found a major privacy issue where call histories, contacts, text messages, email messages, and even directory listings from mobile phones that had been synchronized with the car, were being stored persistently on the infotainment unit in plain text. Mobile operating systems like Android and iOS go to great lengths to protect such data by restricting which applications have access to it or by allowing users to encrypt their devices. All that security could be undone if people pair their devices over Bluetooth with an infotainment system. Executing code on the car’s infotainment unit was extremely easy by connecting a USB flash drive with specially crafted scripts. The system automatically picked up those files and executed them with full administrative privileges. The researchers declined to disclose the car make or model [but] they mentioned that the car was made by a Japanese manufacturer.
What is missing?
Typical car has 30-60 hardware “buttons” (there are 48 in this picture)
Lock screen!
Future cars need DFA + encryption
(Mock-up of an infotainment lock screen: “Welcome back, Jon” / “Not Jon? Change profile” / profiles: Jon, Alex Jordan, +Add / “Enter PIN” keypad / Emergency / Valet)
• Dual Factor Authentication (e.g. via PIN) prevents unauthorized access
• Multiple PIN failure locks/resets device
• Personal data is encrypted
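The three requirements just listed (PIN as a second factor, lock/reset after repeated failures, personal data encrypted at rest) modelled in Python as an added example; it is not part of the presentation or any OEM's software. The PIN values, the five-failure limit and the HMAC-SHA256 counter-mode keystream standing in for AES-GCM are assumptions, and the sample profile data is constructed.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # assumption: the unit wipes the profile after 5 wrong PINs

def derive_key(pin: str, salt: bytes) -> bytes:
    # Slow KDF so a short PIN is not cheap to brute-force from a dumped image.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for the AES-GCM a
    # production head unit would use with a hardware-backed key (assumption).
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)

class ProfileStore:
    """Driver profile whose personal data exists at rest only as ciphertext."""
    def __init__(self, pin: str, personal_data: bytes):
        self.salt, self.nonce = os.urandom(16), os.urandom(16)
        key = derive_key(pin, self.salt)
        self.ciphertext = keystream_xor(key, self.nonce, personal_data)
        # Encrypt-then-MAC tag: verifies the PIN and detects tampering at once.
        self.tag = hmac.new(key, self.nonce + self.ciphertext, "sha256").digest()
        self.failures = 0
        self.wiped = False

    def unlock(self, pin: str):
        """Plaintext for the right PIN, None otherwise; MAX_FAILURES wrong
        PINs in a row reset the profile (the slide's lock/reset behaviour)."""
        if self.wiped:
            return None
        key = derive_key(pin, self.salt)
        expected = hmac.new(key, self.nonce + self.ciphertext, "sha256").digest()
        if not hmac.compare_digest(expected, self.tag):  # constant-time compare
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.wipe()
            return None
        self.failures = 0
        return keystream_xor(key, self.nonce, self.ciphertext)

    def wipe(self):
        # Factory reset: ciphertext, tag and key material are all discarded.
        self.ciphertext = self.tag = self.salt = self.nonce = b""
        self.wiped = True

if __name__ == "__main__":  # constructed sample profile, not real data
    store = ProfileStore("4821", b"contacts: Jon;+1-555-0100")
    print(store.unlock("0000"), store.unlock("4821"))
```

A wrong PIN yields nothing usable because the same tag check gates both authentication and decryption, so a dumped flash image holds only ciphertext, salt, nonce and tag.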
Problems to overcome:
• Typically 30 min of tech labor
• Manual too long, or not available, or incomplete, or wrong,…
• OBD2 OEM tools too expensive and slow
• Aftermarket OBD2 tools break the warranty
Pragmatic solution needs to be:
• Inexpensive for consignors
• Efficient for dealers, auctions, and other service providers
• Tracking and reporting by VIN
• Continuously up to date
One solution
Now available on the Google Play store (iOS version in development)
• Open Google Play on your Android device
• Type “Privacy4Cars”
• Download the free beta version (this is a consumer version)
• We have APIs and an SDK so we can integrate into your apps or processes
• More makes, models, years, and trims updated daily
• Would love your feedback!
Faye Francy
Executive Director
Automotive Information Sharing and Analysis Center (Auto-ISAC)
www.automotiveisac.com
Andrea Amico
President
Jack Cooper Logistics, LLC
www.jackcooperlogistics.com
Contact us