No Safety without Security
Ed Adams, Security Innovation
Neil Lakomiak, Underwriters Laboratories
Doug Pluta, Cisco
Conference: April 6-7, 2016
Exhibit Hall: April 6-8, 2016
Sands Expo, Las Vegas, NV
IoT is vulnerable
Software runs the world (even hardware)
What enables IoT?
F22 Raptor
S-Class Mercedes
1.7 Million Lines of Code
6.5M Million Lines of Code
100 Million Lines of Code
IoT Reality Check
Software Runs the World in the Oddest of Places
787 Dreamliner
and 100 ECUs
5 Networks
2 miles of cable
10+ Operating Systems
50% of total cost
The scope of safety is evolving from discrete products to systems of products and software
From This…….
To This…….
No Safety without Security
Parallels & Paradigm Shifts for Physical Security
Underwriters Laboratories (UL)
Products will no longer remain static
The Need
Like testing hardware, similar approaches are needed to evaluate the security of software
• Testable
• Comparable
• Transparent
• Repeatable
• Measurable
Operational Security - Home IoT
How Cisco Identifies Home IoT Threats
No Safety Without Security
• Internet-based home security ecosystems are not secure
• Physical systems – Cameras & locks
• IP-based systems – Internet-based control through apps and the cloud
• Mitigating safety issues with both systems is critical
• Digital hacks occur through the internet but can also be instigated when hackers gain physical access to devices
• Users must understand the well-documented vulnerabilities of both their home gateways and IoT devices and implement the most critical security options
• Unending number of potential threats
• Need a better understanding of hacker motivations
• Mitigation can be helped through technology but onus will always be on the end user
Home IoT Device Hacks
OpSec
• Technology is being developed to assist end users with network posture assurance, device and network intrusion protection and firewall features (Unified Threat Managers)
• OpSec adds proactive investigation, analysis and operational mitigation to any security technology we deploy
• Use of open source intelligence (OSINT), dark web and Human Intelligence (HUMINT) activities allows OpSec to identify vulnerabilities and threats proactively
• Technology can be a curative, but only when users and manufacturers take the threats seriously and act to protect networks and devices
New risks and Challenges – Connected Car
Connected Car Market
Source: IHS Automotive
Vulnerable? Let me Count the Ways
Between vehicles: V2V, V2I
Wireless
Internal: DVD, USB, SD, Aux, OBD, CAN Bus, HSMB, Ethernet, Touchscreen
External: Bluetooth, OBD Dongle, Internet, Dealer Diagnostics WiFi, Key fob, TPMS, Power plug
Application Security Practices in the Automotive Industry
• My company makes secure software a priority: Agree 61%, Disagree 39%
• Hackers are actively targeting automobiles: Agree 64%, Disagree 36%
• Automakers know less about security than others: Agree 61%, Disagree 39%
• It is possible to build a nearly hack-proof car: Agree 28%, Disagree 72%
• My company has automobile security experts: Agree 64%, Disagree 36%
• Software should be updated over the air: Agree 46%, Disagree 54%
July 2015 survey, 524 respondents: OEM = 234, Tier 1 = 163, Tier 2 = 137
How difficult is it to secure automotive applications?
Chart categories: Very difficult, Difficult, Somewhat difficult, Not difficult, Easy
Chart values as extracted: 36%, 33%, 21%, 9%, 2%
The Hacker Threat
New Hacks
A Sky News investigation finds that almost half the 89,000 vehicles broken into in London last year were hacked electronically.
• 35,000 US road deaths, and 3,800,000 injuries
• Fatalities and injuries = $300B/year
• Congestion = $230B/year
• Leading cause of death, people aged 15-34 in US
Let’s Talk About Traffic Safety
Technology Evolution
Passive, Active, Proactive
• V2V wireless communications for “always on” warning
• 300 meter range using 802.11p wireless protocol
• IEEE, ETSI, and SAE standards
• Over 6,000,000 crashes, 35,000 road deaths, and 3,000,000 injuries
• US fatalities and injuries = $300B/year
• Congestion = $230B/year
• Leading cause of death, people aged 15-34 in US
V2V
V2I
State of Automotive Safety
How could technology possibly help?
Connected Cars: Putting our Theory to Test
• Basic Safety Message:
  • All equipped vehicles broadcast 10 times/second
  • Here I am; Here’s my speed & direction; Brake status; (plus…??)
  • On board logic detects hazards and alerts driver
• Communications are V2X
  • Vehicle-to-vehicle
  • Vehicle-to-infrastructure
  • Vehicle-to-RSE (road-side equipment)
  • Vehicle-to-AMD (after-market device)
  • VRUs (vulnerable road users)