Functional Safety and Cyber-Security Experiences and Trends

Transcription

1 Functional Safety and Cyber-Security Experiences and Trends Dr. Christof Ebert, Vector Consulting Services V

2 Welcome Vector Consulting Services Experts for product development, product strategy and IT in critical systems Interim support, such as virtual security and safety officers and interim management Global presence Trainings on Agile, Requirements, Security, Safety, CMMI/SPICE etc. Part of Vector Group with over 2000 employees Automotive Aerospace IT & Finance Digital Transformation Medical Railway 2/26

3 Welcome Vector Client Survey: Security and Safety are Major Challenges 70% 60% 50% 40% 30% 20% 10% 0% Mid-term challenges Complexity Management Security and Safety Connectivity Distributed Development Others Governance and Compliance Automotive magic triangle Innovative Products Digital Transformation Efficiency and Cost Short-term challenges 0% 10% 20% 30% 40% 50% 60% 70% Join 2018 survey now and win a training or book Vector Client Survey Details: Horizontal axis shows short-term challenges; vertical axis shows mid-term challenges. Sum > 100% due to 3 answers per question. Strong validity with >4% response rate of 1500 recipients from different industries worldwide. Vector recommendation: Efficiently implement safety and security 3/26

4 Agenda 1. Welcome 2. Safety needs Security 3. Risk-Oriented Development 4. Practical Guidance and Vector Experiences 5. Conclusions 4/26

5 Safety needs Security ACES (Autonomy, Connectivity, Efficiency, Services) Cyber-Attacks OEM Eavesdropping, Data leakage Suppliers ITS Operator Command injection, data corruption, back doors OBD Man in the DSRC middle attacks 4G LTE Physical attacks, Sensor confusion Trojans, Ransomware Password attacks Rogue clients, malware Public Clouds Application vulnerabilities Service Provider Security will be the major liability risk in the future. Average security breach is detected in of 70% cases by third party after 8 months. 5/26

6 Agenda 1. Welcome 2. Safety needs Security 3. Risk-Oriented Development 4. Practical Guidance and Vector Experiences 5. Conclusions 6/26

7 Risk-Oriented Development Combined Safety and Security Need Holistic Systems Engineering Functional Safety Cyber-Security Privacy Goal: Protect health Risk: External hazards Governance: ISO etc. Methods: HARA, FTA, FMEA, Fail operational, Redundancy, Goal: Protect assets Risk: Internal threats Governance: ISO etc. Methods: TARA, Cryptography, ID/IP, Key management, Goal: Protect personality Risk: Data threats Governance: Privacy laws Methods: TARA, Cryptography, Explicit consent, Liability Risk management Holistic systems engineering 7/26

8 Risk-Oriented Development Standards Demand Risk-Oriented Approach Functional Safety (IEC 61508, ISO 26262) Hazard and risk analysis Functions and risk mitigation Safety engineering ISO ed.2 will not comprehensively address security, but include shared methods, such as TARA Assets, Threats and Risk Assessment Security Goals and Requirements Technical Security Concept Security Implementation Op. Scenarios, Hazard, Risk Assessment Safety Goals and Requirements Functional and Technical Safety- Concept Safety Implementation Safety Case, Certification, Approval Safety Validation Safety Verification Safety Management after SOP Security Case, Audit, Compliance Security Validation Security Verification Security Management in POS + Security (ISO architecture 27001, ISO 15408, ISO 21434, SAE J3061) methods Threat data formats and risk & analysis functionality Abuse, misuse, confuse cases Security engineering Security and Safety are interacting and demand holistic systems engineering For (re) liable and efficient ramp-up connect security to safety governance 8/26

9 Risk-Oriented Development State of the Art: Functional Safety Relevance of ISO is basically understood 1. Driving Situations OEM 2. Hazards OEM 3. Risks and Safety Integrity Level OEM 4. Safety Goals Safety Requirements OEM 5. Technical Safety Concept OEM/Tier1 6. Safety requirements on ECU level OEM/Tier1 7. Software Safety Requirements Tier1/Vector Functional safety can be efficiently achieved on the basis of mature development processes 9/26

10 Risk-Oriented Development State of the Art: Cyber-Security Security demands are growing fast Connectivity and open channels allow security attacks Exploits will persist beyond zero-day because so far no OTA governance Safety-critical systems connected to potentially unsecure bus systems Vector recommendations Extend hazard analysis with threat analysis and automotive attack models Reuse existing safety artefacts to ensure robust safety case Define tailored security protection for safety-critical systems Encrypt entire bus communication, e.g. AUTOSAR Protect ECUs with secure boot and HW-defined security Completely separate infotainment and HU Do not copy paste standards because it increases overheads and complexity 10/26

11 Risk-Oriented Development Functional Safety and Cyber-Security Demand Risk-Oriented Development Risk = Severity of harmful event Probability of occurrence Probability acceptable risk Severity inacceptable risk Asset Attack Threat is causes performed requires against is reduced by has value for Attack Potential Security Goal Stakeholders (e.g., driver, OEM) has Threat Agent (e.g. hacker) is achieved by Security Engineering Risk-oriented engineering means to intelligently mitigate the residual risks 11/26

12 Agenda 1. Welcome 2. Safety needs Security 3. Risk-Oriented Development 4. Practical Guidance and Vector Experiences 5. Conclusions 12/26

13 Practical Guidance and Vector Experiences Concept of Combined Threat/Hazard Analysis and Risk Assessment Assets Threat-Model & Risks Measures Concept for Solution Verification Specific automotive asset categories Example: Identified threats Privacy, Legislation, Governance e.g. private data Safety e.g. Vehicle functions Operational Performance Finance e.g. Liability, brand image Safety Injuries because of malfunctioning Passive Entry Financial Extra cost due to call-back and law-suits Operational Performance Car cannot be started, doors cannot be opened e.g. Driving experience Privacy/Legislation Theft of personal data Consider specific automotive assets derived from CIAAG (Confidentiality, Integrity, Authenticity, Availability, Governance) scheme 13/26

14 Practical Guidance and Vector Experiences Tools for Safety and Security Customer Benefits Efficient implementation of cybersecurity and functional safety Full Life-Cycle support from requirements to concept, design, test and after-sales Traceability and governance Support for heterogeneous environments Package offering for consulting, e.g. Vector SafetyCheck or Vector SecurityCheck Vector SecurityCheck Continuous Safety Case PREEvision Safety support 14/26

15 Practical Guidance and Vector Experiences Case Study Powertrain: Threats and Hazards Throttle pedal, Engine control Safety Item Adjust Speed Lock/Unlock Change Gears Transmission Velocity ASIL C ASIL C Throttle Function Hazard S/E/C ASIL Adjust speed Speed is unintentionally increased during normal operation in cruise control while driving in a city S3/E3/C1 C Change Gears During driving on high speed (Highway) the gear is changing to a higher gear thus reducing acceleration when it is needed during overtaking S3/E4/C3 C Relate identified security threats to safety hazard analysis 15/26

16 Practical Guidance and Vector Experiences Case Study Powertrain: From TARA to Technical Safety/Security Concept 2 Elements of functional architecture 1 Security goal and derived functional security req. Security Goal Functional Security Requirement Entities of Functional Security Architecture ID Level Security Goal ID Requirement Inputs Function Blocks SG05 High It shall be prevented that unauthentic software is installed on vehicle ECUs. The authenticity and integrity of the user_command signal during reading FSR 1 and transmission shall be assured. The authenticity and integrity of the authenticity signal during reading and FSR 2 transmission shall be assured. The authenticity and integrity of the sw_update during reading and FSR 3 transmission shall be assured. FSR 4 FSR 5 FSR 6 FSR 7 It shall be assured that the signal allow_update generated from the input signals is calculated correctly. The authenticity and integrity of the allow_update signal during transmission shall be assured. It shall be assured that the signal change_sw generated from the input signals is calculated correctly. If an error with regards to authenticity and integrity during reading, transmission or calculation of signals or the actuator status occurs, the system will not install the sw update. Update sw command Authenticity and Integrity of sw update (Signature) sw update Prevent unauthorized update Install sw in ECU sw storage (e.g. flash memory).... x x x x x x x x x x x x x x x x x x x x x 3 Allocation of req. to architecture elements Transform technical security concept to security requirements. Handle security requirements exactly like functional requirements. 16/26

17 Practical Guidance and Vector Experiences Case Study Powertrain: Separate Concerns Diagnostic Interface (OBD evolution) Instrument Cluster Head Unit DSRC 4G LTE Powertrain DC Chassis DC Central Gateway Connectivity Gateway CU Laptop Body DC WiFI Smartphone ADAS DC Smart Charging Firewall Key Infrastructure Crypto Primitives Monitoring / Logging Hypervisor ID / IP Secure On Board Comm. Secure Off Board Comm. Download Manager Secure Flash/Boot Secure Synchronized Time Manager Incrementally harden your E/E and IT functions, architectures and components. 17/26

18 Practical Guidance and Vector Experiences Security by Design: Implementation, Verification and Validation Design Use programming rules such as MISRA-C Avoid injectable code Enforce high cryptographic strength Assign least privileges to any function Static and dynamic code analysis Test Encryption cracker, vulnerability scanner Network traffic analyzer, stress tester, interface scanner Layered fuzzing testing Life Hacking Penetration testing Governance and social engineering attacks Test for the unknown. Run automatic regression tests with each delivery. 18/26

19 Practical Guidance and Vector Experiences Consider Risk-oriented Development throughout the life-cycle Assets, Threats and Risk Assessment Security Case, Audit, Compliance After Sales Security Goals and Requirements Security Validation Technical Security Concept Test Security Mechanisms Security Implementation Security Verification Begin with the end in mind: After Sales Support needs early development decisions: Resilience, fail operational strategies, alert center, repair/ota, governance 19/26

20 Practical Guidance and Vector Experiences Game Changer: OTA Facilitates Security Across the Life-cycle OEM Side Update Process There is no security without continuous Over the Air (OTA) update strategy 20/26

21 Agenda 1. Welcome 2. Safety needs Security 3. Risk-Oriented Development 4. Practical Guidance and Vector Experiences 5. Conclusions 21/26

22 Conclusions Risk-Oriented Development Must Cover the Entire Life-Cycle Safety / Security by design Secure provisioning and governance Safety hazards and security threats Development Secured supply chain Services Incident response and upgrades Production Operations Systematic safety and security engineering Scaleable incident monitoring and response Multiple modes of operation (normal, attack, emergency, fail operational, fail safe, etc.) 22/26

23 Conclusions Safety and Security Matter Safety and Security demands a thorough culture change Build necessary competences for safety and security Do not simply copy-paste elements from current standards Enforce strong governance end-to-end Security Safety Risk-oriented development is the order of the day Apply systems engineering for safety and cyber-security Systematically use professional tools, such as PREEvision and CANoe Close known vulnerabilities as soon as possible, preferably with OTA Audit your suppliers and achieve a holistic perspective on risks and solutions Use the hacker s view for security risks, and not that of developer or safety expert To know your enemy, you have to become your enemy. (Sun Tzu, The Art of War) In other words: Think like a Criminal and preemptively act as an Engineer. 23/26

24 Conclusions Vector Offers Comprehensive Portfolio for Cyber-Security and Functional Safety Vector Cyber-Security and Safety Solutions Security and Safety Consulting Trainings SecurityCheck, SafetyCheck, Virtual Safety Manager, Virtual Security Manager AUTOSAR Basic Software: MICROSAR Safe HW based Security Tools for Design, Test and Lifecycle support: PREEvision DaVinci CANoe CANdela and Indigo Engineering Services for Safety and Security 24/26

25 Conclusions Further Information: Vector White Papers on Automotive E/E Trends Mobility: From driving to multi-modal mobility services and sharing culture Business Models: From incumbent tiered supply-chain to flexible new players from IT industry E/E architecture: From distributed electronic controllers to standardized three-tier architecture IT architecture: From proprietary building blocks to open IT systems with off-the-shelf components and adaptive SOA. Development lifecycle: From the classic V model with rather heavy release cycles to agile DevOps-like approach. Governance: From encapsulated safety-critical functions to interwoven quality assurance for liability, safety, cyber-security, privacy. Culture: From R&D vs. IT separation to convergence. Competences: From automotive embedded electronics to IT as a core competence of all engineers. Source: IEEE Software May 2017 (Vector Guest Edited) Contact Vector for white papers, technical benchmarks and consulting 25/26

26 Thank you for your attention. For more information please contact us. Passion. Partner. Value. Vector Consulting Services Phone: