
Automotive Cybersecurity: The Gap Still Exists

Ponemon Institute Survey; The Hacker Threat


  1. 1. Automotive Cybersecurity: A Gap Still Exists Ponemon Institute Survey Automotive Cybersecurity: The Gap Still Exists
  2. 2. Today’s Speakers: Gene Carter, Director of Product Management, Security Innovation; Peter Samson, Vice President and General Manager, Security Innovation; Larry Ponemon, Chairman, Ponemon Institute; Greg Rudy, Director of Business Development, INTEGRITY Security Services (A Green Hills Company)
  3. 3. A Few Things… • A link to the webcast recording and a copy of the slides will be sent to all registrants. • Submit your questions at any time. They will be addressed at the end of the webcast. • The Automotive Cyber Security White Paper can be found at https://web.securityinnovation.com/automotive-cybersecurity-gap-still-exists
  4. 4. The State of Automotive Cyber Security Peter Samson Vice President and General Manager Security Innovation
  5. 5. Software Complexity: F22 Raptor, 2 Million LoC; 787 Dreamliner, 7 Million LoC; 2016 Ford F150, 130 Million LoC. Source: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/ "Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away." Antoine de Saint-Exupéry
  6. 6. Connected Vehicle Market Growth. Charts: Five-year Economic Value; Number of Connected Cars. Values shown: $152 billion, $141 billion, $132 billion, $128 billion, $98 billion
  7. 7. What Could Go Wrong? Theft, Terrorism, Revenge, Mischief, Extortion - Ransomware, Insurance fraud, Espionage, Stalking, Feature (de)activation, Identity theft, Counterfeiting
  8. 8. Entry Points for Hackers. Internal: Diagnostic Port, CD/DVD, USB/SD card, Aux input, CAN Bus, Other networks, Mobile phone. External: Bluetooth, Internet, Wi-Fi, Key fob, LIDAR, Digital broadcasts, Tire Pressure Monitors, Tail light, DSRC
  9. 9. The Hacker Threat - 2015 A Sky News investigation finds that almost half the 89,000 vehicles broken into in London last year were hacked electronically.
  10. 10. The Hacker Threat - 2016
  11. 11. The Hacker Threat - 2016
  12. 12. Government Takes Action: The Security and Privacy in Your Car (SPY) Act. Cybersecurity Standards: Hacking protection, Data security, Hacking mitigation. Privacy standards: Transparency, Consumer choice, Marketing prohibition. Cyber dashboard: A window sticker showing how well the car protects the security and privacy of the owner.
  13. 13. And Warns the Public
  14. 14. Digital Millennium Copyright Act 11/2/2016 05:50 PM
  15. 15. Information Sharing and Access Centers Automotive Security Best Practices • Security by design • Risk assessment and management • Threat detection and protection • Incident response • Collaboration with third parties • Governance • Awareness and training
  16. 16. Sponsored by Security Innovation and Integrity Security Services Automotive Cybersecurity: The Gap Still Exists Larry Ponemon Chairman Ponemon Institute
  17. 17. During August 2016 the Ponemon Institute conducted a cybersecurity survey of more than 500 automotive developers, programmers, engineers, and executives, from automakers (OEMs) and their electronics suppliers. Introduction
  18. 18. Summary Findings • A growing concern that hackers are actively targeting automobiles. • OEMs are more concerned than their suppliers about automobiles being hacked • The lack of skilled personnel and requirements, and pressure to meet release dates are the main impediments to secure software development. • Insufficient use of cryptography. • Legacy technology is hindering the ability to make vehicles more secure. • Automakers believe they are not as knowledgeable about secure software development as other industries. • There is little clarity or consensus regarding a single point of responsibility • On the positive side, there is a small but statistically significant trend toward a more mature approach to securing vehicles.
  19. 19. Survey Size. Sample response (Number, %): Sampling frame 8,680 (100.0%); Total returns 590 (6.8%); Rejected or screened surveys 63 (0.7%); Final sample 527 (6.1%)
  20. 20. Methods
  21. 21. Demographics Headcount of Companies Surveyed
  22. 22. Demographics: Reporting Lines; Job Roles
  23. 23. Demographics: Number of Software Developers; Development Responsibilities
  24. 24. Responses
  25. 25. Perceptions about automotive security (chart, FY 2016 and FY 2015). Statements: My company makes automotive security a priority; Automotive development teams have the skills necessary to combat cybersecurity threats; My organization recruits and retains expert personnel to minimize security risks in automobiles; Hackers are actively targeting automobiles. Chart values: 42% 43% 45% 44% 47% 47% 51% 52%
  26. 26. Organizational Alignment? Is security a priority for your company? Workers: Agree 45%, Disagree 55%. Management: Agree 61%, Disagree 39%. Are hackers targeting cars? Agree 52%, Unsure 28%, Disagree 20%.
  27. 27. Who is responsible for Security? CIO 23%; CISO 17%; Partner 18%; QA 11%; Developer 12%; No One! 19%
  28. 28. Perceptions about security practices (chart, FY 2016 and FY 2015). Statements: My company has the enabling technologies to ensure automotive development is secure; Automakers are not as knowledgeable about secure platform development as other industries are; It will be the norm for my company to participate in open disclosure of bugs and bug bounty programs; My company’s automotive development process includes activities for security requirements, design, implementation and testing; Engineers and developers are adequately trained in secure architecture and coding practices. Chart values: 26% 44% 45% 43% 44% 24% 39% 43% 47% 49%
  29. 29. Challenges to securing automobile software (chart, FY 2016 and FY 2015). Categories: Other; Too expensive; Adds too much time to the software development process; Lack of formal security requirements; Lack of defined corporate application security policies; Insufficient resources; Lack of skilled personnel; Pressure to release. Chart values: 12% 16% 38% 48% 64% 67% 54% 6% 11% 18% 34% 43% 58% 65% 65%
  30. 30. What methods does your team use to ensure code is secure without vulnerabilities? (chart, 2016 and 2015). Categories: Automated code scanning tools during development; Automated code scanning tools after release; Manual penetration testing; None of the above; Automated scanning tools used in production; Threat modelling/risk assessment during development; Adherence to secure coding standards; Other. Chart values: 65% 48% 41% 27% 25% 24% 23% 3% 63% 50% 36% 0% 27% 24% 25% 10%
  31. 31. How difficult is it to secure automobiles? Very difficult 35%; Difficult 39%; Somewhat difficult 18%; Not difficult 7%; Easy 1%
  32. 32. How difficult is it to secure automobiles? (scale from Easy to Hard; FY 2016 / FY 2015) 1 to 2: 1% / 2%; 3 to 4: 7% / 9%; 5 to 6: 18% / 21%; 7 to 8: 39% / 33%; 9 to 10: 35% / 36%
  33. 33. Is it possible to build a near hack proof car? (FY 2016 / FY 2015) Yes: 17% / 19%; No: 55% / 47%; Unsure: 28% / 34%
  34. 34. Challenges to Securing Automobiles, “Pick Top 3 challenges” (chart, 2016 and 2015). Categories: Too expensive; Adds too much time; Lack of requirements; Lack of company policy; Pressure to release; Lack of skilled people. Chart values: 11% 16% 38% 48% 54% 67% 18% 34% 43% 65% 65%
  35. 35. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are automotive application development process. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.
  36. 36. © 2016 INTEGRITY Security Services - Confidential Slide 36 experts in end-to-end embedded security Car Cybersecurity: The Gap Still Exists Gregory Rudy Director of Business Development Driving Forward
  37. 37. Threat Actors • Who are these hackers? • Individuals (significant time, varied expertise, limited $ & capability) • Corporate (moderate time, high expertise, moderate $ & capability) • Universities (moderate time & $, high expertise, high capability) • Terrorists (moderate time, varied expertise, moderate $ & capability) • Nation states (significant time, high expertise, high $ & capability) • Hacking Goals • Fame and notoriety • Economic gain – e.g., unlock hidden functionality; access IP/content • Terrorism - e.g., disrupt a city at rush hour; remove fleet from service • Hacking consequences • Brand damage – loss of customer confidence in products/systems • Liability • Economic loss
  38. 38. Standards: ISO 26262 Safety. Using ISO 26262 ≠ Security in your design • If you design to ISO 26262 for safety, other considerations must be taken to achieve levels of system security • Secure Boot • Device Authentication • Software Authentication • FIPS 140-2 Cryptography • Use of products that adhere to and are certified to high Evaluation Assurance Levels (EAL) by BSI and/or Common Criteria • And more….
  39. 39. ECU Security Architecture Design • Many are looking in the rear view mirror to “solve” current and future vehicle security problems • Focus on IT enterprise-style solution of perimeter security • “All we need is a firewall and IDS” • Network segmentation • SSL to the cloud: improper/outdated crypto; poor authentication • “The concept of perimeter control is in total crisis” – Dan Geer, CISO of In-Q-Tel. Survey question: Does your company integrate security architecture design into the development process? Totally integrated, 15%; Partially integrated, 34%; Added on, 47%; Unsure, 4%
  40. 40. ECU Security Architecture Design • Embedded space is fundamentally different • Constrained environments • Well defined functionality on most ECUs • Infotainment is the outlier due to Android/iOS support & passenger device/application interface. • We can do much better by designing for this environment! • Defense in depth is still required and attainable!
  41. 41. Retrofitting Security is Hard to Do
  42. 42. First Steps - Understand the Task • Identify critical assets that require protection and their lifetimes • Intellectual property, gold firmware images/bitstreams, software/feature updates, secrets (keys), identities • ECUs fielded for 20 – 30 years • Understand the attack surfaces that can be exploited to recover/modify the critical assets • Application & implementation dependent • All remote and local connectivity points • Wireless (BT, WiFi, Cellular, GPS, etc.) & wired (USB, Ethernet, CAN, DVD, OBD-II, etc.) • Physical analysis of ECU internals
  43. 43. First Steps • Understand the difficulty of exploiting the attack surfaces • Can an attacker analyze one ECU to recover an asset that can compromise a large number of vehicles? • Can over-the-air messages be sent to arbitrary vehicles? • Can the service network be used to inject specific data? • Examine the likelihood of exploitation • A local physical attack that compromises a single vehicle is far less interesting than one that compromises many • Remote attacks are the holy grail • A nation-state can be very patient and persistent • Don’t assume proprietary implementations will protect you! • Arrogance and ignorance can each destroy your ECU
  44. 44. Holistic View Across All Domains is Required. Security Must Exist in All Domains: Product Security Domain, Manufacturing Security Domain, Operations Security Domain. Items shown: Hardware, Firmware, OS, Applications, Contract Manufacturing, Chip Providers, Board Providers, Test Houses, ISVs, Updates, Feature Control, Content Mgmt, Users, Administrators, Hackers. Survey question: Does your company integrate the security architecture, including the entire supply chain and partner network? Totally integrated, 11%; Partially integrated, 29%; Added on, 55%; Unsure, 5%
  45. 45. ECU Cryptographic Boundary • FIPS 140-2 requires all hardware, software and firmware implementing cryptographic functions including algorithms and key generation be contained within a defined cryptographic boundary • Reliable and separate from untrusted software • Begins with a hardware root of trust • Secure Boot Support • Random Number Generation • Secure Key Storage • Cryptographic Acceleration • Anti-Tamper protection. Survey question (bar chart): Which of the following system security features does your company currently use? Select all that apply. Options: Secure boot; Encrypted communication; Endpoint authentication; Encrypted data in storage
  46. 46. Defense in Depth: Hardware Root of Trust, Software Crypto, Secure Boot, Security Protocols, Separation Design, Remote Updates. Establish a Trusted Platform; Secure communication; Minimize software defect risk
  47. 47. Today’s Complex Supply Chains: Headquarters, Manufacturing Sites, 3rd Parties, Strategic Partners
  48. 48. Infrastructure Requirement. Security Infrastructures Must • Sign software images • Generate Keys and Certificates • Inject sensitive material • Root key protection • Device Authentication • Remote Management • Software Updates. Critical Considerations: • Distributed Supply Chains • Multiple Products • Partner Access • High-Availability • Changing Algorithms
  49. 49. Enterprise Security Infrastructure: Zero exposure distribution of trust assets across global supply chains
  50. 50. Don’t be Afraid to Ask… • This presentation only covers a few of the architecture design issues for ECUs • “Cryptographic protocols and their implementations …they’re very hard to get right.” – Steven Bellovin, professor, Columbia University • Honestly assess your team’s expertise in these areas • Secure design & implementation, supply chain security, post sale security • Diebold got it ALL wrong in their voting machines • Reach out to an expert group such as INTEGRITY Security Services to help you so your ECU security is correct from the start • Save design time – more eyes on the problem, the better! • Secure your supply chain • Prevent recalls • Protect revenue & brand
  51. 51. Q&A
  52. 52. Thank you!
