Nov 10, 2018

Page 1: Data Privacy and Cyber Security Threats to the ... - iara.biz · IARA COLLABORATOR Coordination Partnership - May not require a formal agreement - Information exchanges and coordination

Data Privacy and Cyber Security Threats to the Remarketing Industry

Faye Francy

Executive Director

Automotive Information Sharing and Analysis Center (Auto-ISAC)

Andrea Amico

Chair

IARA Privacy and Cybersecurity Initiative

Page 2

IARA Views: Regulation & Compliance

"My current view is that risk, regulation, and compliance requirements specifically for our industry will..."

                 Decrease   Same   Increase   Total
CFPB               34%      36%      30%      100%
Cyber               4%      27%      69%      100%
Vehicle PII         4%      17%      79%      100%

Page 3

Survey: role IARA can play

[Bar chart, % of respondents on a 0-80 scale; all responses >50%]

• Raise awareness/education on privacy risks and countermeasures
• Compile best practices
• Raise awareness/education on cybersecurity risks and countermeasures
• Assist members in navigating the regulatory landscape
• Cooperate with other industry associations

Page 4

Hi All,

Please find attached the Weekly Automotive Industry Report covering April 3 - April 8.

This week's report includes articles on: Toyota partnering with Microsoft on a new cloud-based division led by the CIO; Intel acquiring a semiconductor manufacturer that builds chips for self-driving cars; Hyundai unveiling its connected vehicle "roadmap"; and Toyota planning to open a new autonomous vehicle research center in Michigan.

You can find past reports on site.

Please let me know if you have any questions. Have a great weekend.

Josh

Collaborating Across the Automotive Industry

Cybersecurity Threats against our industry

CAR Conference - Las Vegas

Faye Francy

Executive Director

March 7, 2018

Page 5

Meet the Speaker: Faye Francy, Executive Director of Auto-ISAC, Member of National Council of ISACs

Past positions: Executive Director of Aviation-ISAC; The Boeing Company, Boeing Commercial Airplanes; ARINC, Director Forensic / Chief Chemist; DC Analyst's Roundtable, Membership Chair; InterSec, President; AvSec, Senior Vice President, Owner

Education: Bachelor of Science, Chemistry & Mathematics; Master of Science, Forensic Chemistry

Page 6

The Emerging Cybersecurity Challenge

Page 7

Significant Changes in Automotive World

Digital connected vehicles provide operational efficiencies and risks...

• Digital Age: customers demanding connectivity and automation; brings efficiencies
• Increased cyber vulnerabilities in connected vehicles
• News media, congressional oversight, regulatory demands action
• Connected Vehicles: integrated across systems (SoS); connectivity provides greater efficiencies and risk
• Cyber threats and vulnerabilities growing
• Regulation addressed by Best Practices
• And autonomy, V2V, V2I coming...

[Figure: cocktail napkin reading "100M lines of code"]

Page 8

Transforming through connectivity

Breakthroughs in vehicle technologies include: Autonomy; Electrification; Ridesharing; Enhanced consumer experience; Predictive maintenance

These breakthroughs require cyber capabilities for: Safety; Privacy; Efficiency

Cybersecurity Challenge

Page 9

With connectivity comes cyber risk

Yesterday: Entertainment. On-vehicle software and electronics. Physical connection to vehicle required. Limited Vulnerability.

Today: Convenience & Entertainment. Connected services, partial automation, on-vehicle Wi-Fi. Known vulnerabilities; proven remote attack capability. Demonstrated Threat.

Tomorrow: Safety, Convenience, & Entertainment. IoT integration, on-vehicle commerce, V2V/V2I/V2X, full automation. Expansive, complex attack surface; motivated, capable adversary; potential impact to safety, privacy, and quality. Industry-Wide Risk.

As connected features grow, cyber risks multiply

Cybersecurity Challenge

Page 10

Evolution of the cyber threat

Early Hacks (2010-2014)
• March 2010: Fired auto dealer employee disabled 100 vehicles via Remote Immobilization System
• May 2010: UCSD and UW researchers hacked into unnamed mid-price sedan
• January 2012: Start of the CyberAuto Challenge
• July 2012: Anonymous video showed keyless BMW hacked
• July 2013: DARPA-funded researchers hacked into Ford Escape and Toyota Prius
• August 2013: Scientists found a way to steal vehicle key authentication; Volkswagen blocked research publication
• November 2014: Researchers hacked a car with Zubie device

Recent Hacks (2015-2017)
• January 2015: Hacker hacks a Toyota Tundra via OBD2 dongle
• February 2015: Researchers from German Automobile Association unlocked BMW doors
• February 2015: DARPA's Dan Kaufman demonstrates vehicle hacking to CBS
• July 2015: Researchers hacked GM's OnStar RemoteLink system to control vehicle
• July 2015: Researchers remotely hack a Jeep Cherokee while being driven on a highway
• August 2015: Researchers demonstrated remotely hacking a Chevrolet Corvette
• August 2015: Researchers demonstrated hacking a Tesla Model S and planting a remote-access Trojan
• February 2016: Researcher discloses Nissan Leaf vulnerability
• July 2016: Researchers expanded findings on 2015 Jeep Cherokee hack
• February 2017: Kaspersky Labs discloses connected vehicle mobile app vulnerabilities
• May 2017: Ransomware reportedly shuts down 2 OEMs' mfg. operations

Cybersecurity Challenge

Page 11

Today's Trending Threats

Vulnerabilities

• Mobile Apps: mobile apps used to control car features are proliferating and may expose user data or vehicle functions if not properly secured.
• OBDII Dongles: exploiting the OBDII port directly requires physical proximity, but the port gives access to the relatively insecure, safety-critical CAN bus; and an aftermarket dongle with its own cellular or Bluetooth link plugged into that port (see the Zubie, Tundra and Corvette dongle cases on the previous slide) removes even the proximity requirement.

Real-World Exploits

• Car Theft: key fob hacks (e.g. replay attacks) allow attackers to unlock cars using commercially available devices.
• Attackers reportedly stole PII from an OEM's IT system and used it to locate, unlock, and steal targeted vehicles.
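The key fob replay attack in the Car Theft bullet, as an added simulation (not from the slides, and not any vendor's code): a fixed-code fob, whose single frame can be recorded and resent, beside a rolling-code fob that signs a monotonically increasing counter, which the receiver only accepts within a window ahead of the last value seen. It goes one step beyond the slide by also showing the jam-and-capture variant, in which a rolling code is defeated by withholding a legitimate frame. The 8-byte HMAC-SHA256 tag, the 16-press window and the class names are assumptions made for the simulation.

```python
"""Key-fob replay: fixed code vs rolling code (constructed simulation).

Assumptions (not from the slide): an 8-byte HMAC-SHA256 tag stands in for the fob's
proprietary code, the rolling-code receiver accepts counters up to WINDOW ahead of the
last one it saw, and the "attacker" is a recorder that stores frames and resends them.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 8
WINDOW = 16  # presses made while out of range of the car must still be accepted


def _tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class FixedCodeFob:
    """Legacy design: every press radiates exactly the same frame."""

    def __init__(self, key):
        self.key = key

    def press(self):
        return _tag(self.key, b"UNLOCK")


class FixedCodeCar:
    def __init__(self, key):
        self.expected = _tag(key, b"UNLOCK")

    def receive(self, frame):
        return hmac.compare_digest(frame, self.expected)


class RollingCodeFob:
    """Each press signs a fresh counter value; the counter never goes backwards."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def press(self):
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return ctr + _tag(self.key, b"UNLOCK" + ctr)


class RollingCodeCar:
    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def receive(self, frame):
        if len(frame) != 4 + TAG_LEN:
            return False
        ctr_bytes, tag = frame[:4], frame[4:]
        if not hmac.compare_digest(tag, _tag(self.key, b"UNLOCK" + ctr_bytes)):
            return False
        ctr = int.from_bytes(ctr_bytes, "big")
        # Reject anything at or below the last accepted counter (a replay) and
        # anything too far ahead (garbage); otherwise advance the window.
        if not self.last_counter < ctr <= self.last_counter + WINDOW:
            return False
        self.last_counter = ctr
        return True


def fixed_code_replay():
    """Attacker records one press and resends it: (owner unlocks, attacker unlocks)."""
    key = secrets.token_bytes(16)
    fob, car = FixedCodeFob(key), FixedCodeCar(key)
    sniffed = fob.press()
    return car.receive(sniffed), car.receive(sniffed)


def rolling_code_replay():
    """Same recording attack against rolling codes: the replayed counter is spent."""
    key = secrets.token_bytes(16)
    fob, car = RollingCodeFob(key), RollingCodeCar(key)
    sniffed = fob.press()
    return car.receive(sniffed), car.receive(sniffed)


def rolling_code_jam_and_replay():
    """Jam-and-capture: the attacker jams press #1 so the car never sees it, the owner
    presses again and #2 is jammed and captured too, the attacker forwards #1 (the owner
    is satisfied) and keeps #2, which is still inside the window when replayed later.
    Returns (owner sees the car unlock, attacker unlocks later with the held frame)."""
    key = secrets.token_bytes(16)
    fob, car = RollingCodeFob(key), RollingCodeCar(key)
    jammed_1 = fob.press()            # jammed: car.receive is never called for it
    jammed_2 = fob.press()            # jammed and captured as well
    owner_ok = car.receive(jammed_1)  # attacker forwards #1: counter 1 > 0, accepted
    later = car.receive(jammed_2)     # hours later: counter 2 > 1, within window, accepted
    return owner_ok, later


if __name__ == "__main__":
    print(fixed_code_replay())            # (True, True)
    print(rolling_code_replay())          # (True, False)
    print(rolling_code_jam_and_replay())  # (True, True)
```

The counter window is what makes the jam-and-capture case work: the receiver cannot distinguish a frame the owner pressed out of range from one an attacker withheld, so a pure counter scheme needs a time-bound (a challenge-response or a short-lived timestamp in the signed message) to close that gap.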

What are we seeing in the wild today?

[Diagram: impact + actor = Vehicle Cyber Attack]
Impacts: Service Disruption; PII/Payment Info Theft; Physical Destruction; Remote Control; Manufacturing Disruption
Actors: Criminal; Hacktivist; Nation State; ?

State of the Threat

Page 12

Auto-ISAC Overview

Page 13

Why an ISAC?

Information Sharing and Analysis Center (ISAC)

Internal Investment: organizations must act individually to manage cyber risk...

External Investment: ...one company's detection is another company's prevention

Identify emerging threats and vulnerabilities earlier

Pool limited resources to better fight your adaptive adversary

Share incident intelligence to act more quickly

Proactively shape industry-wide best practices

Protect overall trust in innovation across the industry

Build resiliency across industry

Protect / Detect / Respond / Enhance

State of the Threat

Page 14

Auto-ISAC Introduction

Mission: Serve as an unbiased information broker to provide a central point of coordination and communication for the global automotive industry through the analysis and sharing of trusted and timely cyber threat information.

Scope: Light- and heavy-duty vehicles, commercial vehicle fleets and carriers. Currently, we are focused on product cyber security, and anticipate expanding into manufacturing and IT cyber related to the vehicle.

What We Do

Community Development

Workshops, exercises, all hands, summits and town halls

Intel Sharing

Data curation across intel feeds, submissions and research

Analysis

Validation, context and recommendations

Best Practices

Development, dissemination and maintenance

Partnerships

Industry, academia, vendors, researchers and government


Overview

Page 15

Specific Goals

• Serve as an unbiased information broker
• Increase the timeliness and quality of information shared
• Conduct threat analyses for contextual, relevant, and actionable information
• Maintain agility and flexibility to adapt to change

Five Cornerstones

1. Submission Anonymity
2. Authenticated Sharing of Information
3. Industry Owned and Operated
4. Limitation on Use of Information
5. Compliance with all U.S. Legal Requirements and Antitrust Laws

Governance

Page 16

How we operate / Governance

Board of Directors: OEM Members* and Affiliate Advisory Board Chairman and Vice Chairman
Executive Committee: Chairman, Vice Chairman, Treasurer, Secretary, AAB Chairman
Executive Director
Operations Team: Program Ops Manager, Support Staff, Third Party Services (e.g. legal)
Standing Committees: Information Sharing; Membership & Benefits; Finance & Audit; Nominating; Best Practices; Summit; Analyst Community
Task Forces & Working Groups
Affiliate Advisory Board (AAB): Gold and Platinum non-OEM Members
Supplier Affinity Group
Commercial Vehicle Affinity Group

*OEMs with >100M in global annual revenue.

Governance

Page 17

Spotlight: Intel Sharing & Analysis

Contributors: OEMs; Suppliers; Vendors; Government; Other ISACs; Academia & Research

Types of Information
• Vulnerabilities
• Threat feeds
• Research
• Best practices
• Intelligence
• Trends
• Forecasts
• Data feeds

Auto-ISAC Analysis: Validation; Analysis; Impact assessment; Pattern identification

Results
• Efficiently identify threats by supplementing internal intelligence with external sources
• Detect vulnerabilities faster with cross-industry vulnerability information sharing
• Validate risk analysis with reliable industry-level findings and best practices

Auto-ISAC Portal
• Intel reports
• Trend analysis & dashboards
• Wiki pages

Key Takeaway: A diversity of information sources is what drives the value of our intel sharing and analysis capabilities.

Governance

Page 18

Spotlight: Best Practices

Our Objective: Demonstrate the industry's proactive collaboration to protect consumer safety through vehicle cyber security

Our Method: Define best practices for securing the vehicle ecosystem, and provide guidance to implement them

Our Outputs
• Executive Summary: High-level document defining Key Cyber Functions and Best Practices. Currently available on our website.
• Best Practice Guides: Implementation guide on each Cyber Function. These guides will be developed by our Working Group over time. Members contribute to each guide; public release after a time period via our website.

Cyber Functions: Incident Response; Collaboration & Engagement; Governance; Risk Management; Security by Design; Threat Detection & Protection; Training & Awareness

What We Do

Page 19

Strategic Partnership Programs

Not eligible for membership? Auto-ISAC encourages individuals / organizations to participate on monthly Community Calls and contribute demos, research, white papers, etc. We are also formalizing three partnership programs:

INNOVATOR (Paid Partnership)
- Annual investment and contractual agreement
- Commitment to engage in Auto-ISAC activities (see next slide)
Solutions Providers: for-profit companies that sell cybersecurity-related connected vehicle products & services. Examples: HackerOne, SANS

NAVIGATOR (Support Partnership)
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes (see next slide)
Associations+: industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, ATA, IARA

COLLABORATOR (Coordination Partnership)
- May not require a formal agreement
- Information exchanges and coordination activities
Community: government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, DHS, NHTSA

Partnership

Page 20

Strategic Partnership Programs

Activities
• Research: Some partners share white papers and research projects (on threats & vulnerabilities) with our members.
• Webinars: We are open to partners presenting at our Community Town Halls, with an audience including members & beyond.
• Intel Sharing: Some partners submit relevant data, insights and papers addressing threats against the automotive industry.
• Member Discounts: Some partners promote discounts or special offers for services (e.g. conferences, software licenses).
• Other: We are open to other types of in-kind support (e.g. training, infrastructure support) based on your expertise.

Benefits
• Branding on the Auto-ISAC Website: Partner names and/or logos will be featured on the Auto-ISAC public-facing website.
• Community Town Halls: We invite you to monthly calls featuring experts across the connected vehicle ecosystem.
• Annual Executive Call: Our executives will host a call once a year for all Members and partners to present our strategic goals and priorities.
• Summit Booth Priority: Partners will receive priority booth selection at future Auto-ISAC Summits.
• Access to Auto-ISAC Reports: Our partners receive Auto-ISAC TLP:GREEN and TLP:WHITE reports and special reports at Auto-ISAC's discretion.

Future Plans

Page 21

Auto-ISAC successes

• Educated key congressional, regulatory and media stakeholders on our work
• Conducting lunch-and-learn with our Board of Directors and Affiliate Advisory Board, featuring key partner insights and research
• Monthly Community Calls to create a forum for engaging non-Members and encourage vehicle cyber information exchange
• Established a Strategic Partner Program to engage solutions providers, trade associations, government, academia, security researchers, etc.
• Established a two-factor-authenticated secure Portal in January 2016, with continued increases in reports and discussion board topics
• F2F Analyst Workshops and Table Top Exercises, bringing together over 40 analysts from member companies to share information and learn together
• Published 3 Best Practice Guides on Incident Response, Collaboration & Engagement, and Governance
• Signed a Cooperative Research and Development Agreement (CRADA) with DHS to share intelligence

Accomplishments

Page 22

Focused Intelligence Information/Briefings

Cybersecurity intelligence sharing

Vulnerability resolution

Member to Member Sharing

Distribute Information Gathering Costs across the Sector

Non-attribution and Anonymity of Submissions

Information source for the entire organization

Risk mitigation for automotive industry

Comparative advantage in risk mitigation

Security and Resiliency

Auto-ISAC Benefits

Securing Across the Auto Industry

Benefits

Page 23

Strategic Navigation

Building a Roadmap to Protect Automotive Industry

Culture of Security: Embedded Network Security Requirements; Training & Awareness / New Skills

Institutionalize Incident Responses: Threat Response and Recovery; Public-Private Information Sharing and Analysis; Forensics Analysis Capabilities

Design-in Cyber Requirements: Value Chain Visibility/Traceability; Lifecycle Cyber Management; Shift to Risk Management

Navigation

Page 24

A Framework for Cybersecurity

Establish common cybersecurity best practices for automotive

Establish a cybersecurity culture

Understand the threat

Understand the risk

Communicate the threats and assure situational awareness

Provide incident response

Strengthen the defensive system

Define design principles

Define operational principles

Conduct necessary research and development

Ensure that private sector, government and partners work together

Resiliency Across the Global Automotive Industry

Page 25

The Value of Membership

Find and fix issues faster: Time is money, especially in cyber. Members receive verified, timely cyber threat, vulnerability, and remediation information.

Maintain a trusted brand: Customers demand safety and privacy. OEMs demand secure components from suppliers. Joining the ISAC demonstrates a commitment to protecting vehicles, services and, ultimately, drivers.

Stay ahead of regulation / develop a unified voice: Uniting on the cyber challenge, and maintaining clear channels with global government bodies, helps inform and shape legislation.

Enhance capabilities: Our community is a trusted forum to share insights and learn from one another. Formal activities (like exercises and workshops) and informal relationship-building cultivate this trust.

Education and Awareness

Collaboration and Cooperation

Value

Page 26

PII Study Results

[Stacked bar chart, % of sample, by system: Phone/BT, GPS/Nav, Garage, Telem (OEM). Series: Not reported; System missing; System present, info not found; System present, personal info confirmed.]

At least 50% of sampled vehicles have Nav or BT personal information.

Page 27

IARA Views: what about PII?

[Bar chart for two items, "PII wipe tracking with Auto-IMS" and "PII wiping program", with the responses: Oppose launching this feature; Not oppose launching this feature (e.g. does...); Endorse adopting the feature and being involved (potential...). Percentages shown: 57%, 33%, 9%, 9%, 39%, 17%, 17%, 19%; (C: 5%).]

Page 28

Page 29

A researcher [...] found a major privacy issue where call histories, contacts, text messages, email messages, and even directory listings from mobile phones that had been synchronized with the car, were being stored persistently on the infotainment unit in plain text.

Mobile operating systems like Android and iOS go to great lengths to protect such data by restricting which applications have access to it or by allowing users to encrypt their devices. All that security could be undone if people pair their devices over Bluetooth with an infotainment system.

Executing code on the car's infotainment unit was extremely easy by connecting a USB flash drive with specially crafted scripts. The system automatically picked up those files and executed them with full administrative privileges.

The researchers declined to disclose the car make or model [but] they mentioned that the car was made by a Japanese manufacturer.

Page 30

What is missing?

[Photo of a dashboard with callouts 1-4: a typical car has 30-60 hardware "buttons" (there are 48 in this picture)]

Lock screen!

Page 31

Future cars need DFA + encryption

[Mockup of an infotainment lock screen: "Welcome back, Jon"; "Not Jon? Change profile"; profiles Alex, Jordan, +Add; Emergency and Valet buttons; "Enter PIN" with a 0-9 keypad, X and OK]

• Dual Factor Authentication (e.g. via PIN) prevents unauthorized access. A PIN is "something you know"; it counts as a second factor only when paired with something the driver has, such as the paired phone or key fob that selected the profile.
• Multiple PIN failures lock/reset the device
• Personal data is encrypted
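The three bullets above, and the plain-text storage the quoted article on page 29 describes, as an added stdlib-only demonstration (not from the slides, not from any OEM or from Privacy4Cars): a driver profile sealed under a key derived from the PIN, a wrong PIN detected by the authentication tag without decrypting anything, a failure counter that wipes the blob on the fifth miss, and ciphertext at rest that no longer contains the synced contact data. The scrypt parameters, the HMAC-SHA256 counter-mode cipher (a stand-in for AES-GCM, which the standard library lacks), the five-failure limit and the sample profile are all assumptions of this example.

```python
"""PIN-gated, encrypted in-vehicle profile store (constructed demonstration).

Assumptions (not from the slides): the key is derived from the PIN with scrypt, the
profile is sealed with an encrypt-then-MAC construction built from HMAC-SHA256 (a
stdlib-only stand-in; a production unit would use AES-GCM or ChaCha20-Poly1305 and
keep the failure counter in tamper-resistant storage), and five failures wipe it.
"""
import hashlib
import hmac
import json
import secrets

MAX_PIN_FAILURES = 5


class ProfileLockedOut(Exception):
    """Raised once the failure limit is hit or the profile has been wiped."""


def derive_keys(pin, salt):
    """Stretch the PIN into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.scrypt(pin.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, XORed with the data (stand-in for a real cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ProfileVault:
    """Holds one driver profile; the plaintext never rests in storage."""

    def __init__(self, pin, personal_data):
        self.salt = secrets.token_bytes(16)
        self.nonce = secrets.token_bytes(16)
        enc_key, mac_key = derive_keys(pin, self.salt)
        plaintext = json.dumps(personal_data, sort_keys=True).encode("utf-8")
        self.ciphertext = xor_bytes(plaintext, keystream(enc_key, self.nonce, len(plaintext)))
        # Encrypt-then-MAC: the tag doubles as the PIN check, so a wrong PIN is
        # detected without decrypting anything.
        self.tag = hmac.new(mac_key, self.nonce + self.ciphertext, hashlib.sha256).digest()
        self.failures = 0
        self.wiped = False

    def unlock(self, pin):
        """Return the profile on a correct PIN, None on a wrong one, or raise once
        MAX_PIN_FAILURES wrong PINs have been seen (the profile is wiped at that point)."""
        if self.wiped:
            raise ProfileLockedOut("profile has been wiped")
        enc_key, mac_key = derive_keys(pin, self.salt)
        expected = hmac.new(mac_key, self.nonce + self.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            self.failures += 1
            if self.failures >= MAX_PIN_FAILURES:
                self.wipe()
                raise ProfileLockedOut("too many wrong PINs; profile wiped")
            return None
        self.failures = 0
        plaintext = xor_bytes(self.ciphertext, keystream(enc_key, self.nonce, len(self.ciphertext)))
        return json.loads(plaintext.decode("utf-8"))

    def wipe(self):
        """Destroy the sealed blob; without salt and ciphertext even the right PIN is useless."""
        self.ciphertext = b""
        self.tag = b""
        self.salt = b""
        self.nonce = b""
        self.wiped = True


# Constructed sample of the kind of data the article describes being found in plain text.
SAMPLE_PROFILE = {
    "name": "Jon",
    "phone_contacts": ["Alex +1-555-0100", "Jordan +1-555-0199"],
    "home_address": "12 Example Lane",
    "email": "jon@example.com",
}


def run_demo():
    """Exercise the vault; returns a tuple the reader (or a test) can check."""
    vault = ProfileVault("4827", SAMPLE_PROFILE)
    plain_at_rest = b"jon@example.com" in vault.ciphertext   # False: sealed, not plain text
    wrong = vault.unlock("0000")                              # None: wrong PIN, one failure
    right = vault.unlock("4827") == SAMPLE_PROFILE            # True: correct PIN, counter reset
    locked_out = False
    for guess in ("0000", "1111", "2222", "3333", "4444"):   # the fifth miss wipes
        try:
            vault.unlock(guess)
        except ProfileLockedOut:
            locked_out = True
    try:
        vault.unlock("4827")                                  # even the right PIN is dead now
        after_wipe = "unlocked"
    except ProfileLockedOut:
        after_wipe = "wiped"
    return plain_at_rest, wrong, right, locked_out, after_wipe


if __name__ == "__main__":
    print(run_demo())  # (False, None, True, True, 'wiped')
```

The lockout counter here lives in process memory, which is the weak point a real unit has to solve: if a reboot or a pulled battery resets it, the five-try limit is meaningless, so the counter belongs in the same tamper-resistant storage as the salt.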

Page 32

Problems to overcome:
• Typically 30 min of tech labor
• Manual too long, or not available, or incomplete, or wrong, ...
• OBD2 OEM tools too expensive and slow
• Aftermarket OBD2 tools may void the warranty

Pragmatic solution needs to be:
• Inexpensive for consignors
• Efficient for dealers, auctions, and other service providers
• Tracking and reporting by VIN
• Continuously up to date

Page 33

One solution

Now available on the Google Play store (iOS version in development)
• Open Google Play on your Android device
• Type "Privacy4Cars"
• Download the free beta version (this is a consumer version)
• We have APIs and an SDK so we can integrate into your apps or processes
• More makes, models, years, and trims updated daily
• Would love your feedback!