DOT/DHS: Joint Agency Work on Vehicle Cyber Security

Transcription

1 DOT/DHS: Joint Agency Work on Vehicle Cyber Security Principal Investigator (PI): Kevin Harnett DOT-Volpe Center s Advanced Vehicle Technology Division August 16, 2017 The National Transportation Systems Center Advancing transportation innovation for the public good U.S. Department of Transportation Office of the Secretary of Transportation John A. Volpe National Transportation Systems Center Tampa Convention Center Tampa, Florida

2 Agenda Government Vehicles Security Program Telematics Overview Government Vehicles Program Software Engineering Institute (SEI) /CERT OBD-2 Dongle/Telematics Testing Government Vehicles Security Program Telematics Cybersecurity Guidance Development Volpe Center Automotive Cybersecurity R&D Showcase 2

3 DOT s Volpe National Transportation System Center Established in 1970 Part of U.S. Department of Transportation (DOT) Office of Research and Technology Mission: To Improve the nation s transportation system by serving as a center of excellence for informed decision making, anticipating emerging transportation issues, and advancing technical, operational, and institutional innovations Fee-for-service; no direct appropriations 3

4 DOT-Volpe Automotive Cybersecurity R&D Program Overview Joint DOT/DHS Automotive Cybersecurity R&D Program FY Program Tasks FY Program Tasks FY Program Tasks Automotive Cybersecurity Industry Consortium (ACIC) Program Initiation Investigate Government Fleet Cybersecurity Requirements Government Vehicle Cybersecurity Program Support Technical Support for DHS Automotive Cybersecurity R&D Tools and Vehicle Testing Automotive Cybersecurity Best Practices and Guidelines in the Private Sector ACIC Planning Support Pilot Cybersecurity Vulnerability Assessments of Vehicle Telematic Systems Operational ACIC Support Automotive Cybersecurity Tool Showcase Government Vehicle Cybersecurity Procurement Specification Support Commercial Truck Cybersecurity Support 4

5 DHS Cybersecurity for Government Vehicles Security Program Telematics Overview 5

6 Modern Vehicle Architecture 6

7 Government Critical Mission Use First Responder and Law Enforcement vehicles - Rescue, ambulance, police -Must be safe and reliable Undercover Vehicles mission critical -Must be safe and reliable -Blend in not tracked or identified either by emanating too much or by not emanating at all Government Official/Overseas Embassy Vehicles (e.g., "Black SUV") -Must be safe and need to hide Non-Tactical DoD Vehicles General use government vehicles -Vehicles that do not fall into above categories 7

8 General Services Administration (GSA) Telematics Program Telematics The term Telematics refers to a technology that combines telecommunications and information processing to send, receive, and store information related to remote objects, such as vehicles. (Source GAO , Federal Vehicle Fleets) Source: General Services Administration (GSA) Office of Fleet Management 8

9 General Services Administration (GSA) Telematics Program Telematics The term Telematics refers to a technology that combines telecommunications and information processing to send, receive, and store information related to remote objects, such as vehicles. (Source GAO , Federal Vehicle Fleets) EO 13693: Sustainability into the Next Decade (March 2016) Requirements - By 2017, all agencies should ensure that telematics collects the maximum vehicle diagnostics (fuel consumption, emissions, maintenance, utilization, idling, speed, and location data) at the asset level for acquisitions of new passenger, light duty and medium duty vehicles (where appropriate) Source: General Services Administration (GSA) Office of Fleet Management Executive Order Reporting Requirement GPS Tracking Only GPS Tracking & Vehicle Diagnostics Speed X X Location data X X Idling X X Utilization X X Maintenance X Fuel consumption Emissions (varies by year, manufacturer, make & model) X X 9

10 Government Fleet Management Telematics and Risks Logical Architecture Physical Architecture BCM ECM ENGINE TRANSMISSION C A N B U S CAN BUS CLUSTER LOCKS/ WINDOWS SECURITY Attack Surface Threats Connected to an External Network )) )) OBD DONGLE w/ TELEMATICS BASE STATION Provider Network Interfacing with a Public Network Providers Servers INTERNET accessible by Anyone Anywhere SERVICE CENTER FLEET MANAGER WHO ELSE?? 10

11 DHS Cybersecurity for Government Vehicles Program Software Engineering Institute (SEI)/CERT OBD-2 Dongle Testing 11

12 SEI/CERT OBD-2 Device Testing Configuration WiFi Access Point Ettus Research Software-Defined Radio Power Supply Linux laptop with OpenBTS SIM cards Bus Pirate Device Under Test Android Phones 12

13 SEI/CERT OBD-2 Device Testing Configuration (cont d) WiFi Access Point Ettus Research Software-Defined Radio Power Supply Linux laptop with OpenBTS SIM cards Bus Pirate Device Under Test Android Phones 13

14 Software Engineering Institute (SEI) /CERT OBD-2 Device Tests Development / un-configured device (Tested Q1 2016) Accepted unauthenticated admin commands via SMS Could load our own, trojaned firmware Unauthenticated Internet services No encryption in transit Production device (Tested Q1 2017) SMS disabled Can no longer force download of trojaned firmware Internet service appropriately firewalled Remaining risks Inherent cellular vulnerabilities Still no encryption in transit (Man-in-the-middle) 14

15 SEI/CERT: OBD-2 Device Tests Methodology Report Explains risks and potential impacts of security problems in OBD-II devices Describes a repeatable methodology for testing the devices for the most common security problems and misconfigurations Technical appendices detail how to perform some of the specialized testing and what equipment is needed Firmware Updates Wireless Security 15

16 DHS Cybersecurity for Government Vehicles Security Program Telematics Cybersecurity Guidance Development 16

17 Cybersecurity Primer for Fleet Managers o Fleet Management Information System (FMIS) is an Information System All Federal Information Systems require Federal Information Security Management Act (FISMA) compliance FISMA requires compliance with NIST standards o Multiple components to the system Vehicle Telematics Communications Management System Database o Primary responsibility is to protect Government personnel, property, and data 17

18 FISMA Compliance / NIST Guidance o Each Federal Agency Fleet Manager (FM) requires assessments using NIST guidance NIST SP * for guidance on security control implementation 18 Control families each related to policy, process, technical controls Access Control (AC) Audit & accountability (AU) Identification & Authentication (IA) Incidence Response (IR) Personnel Security (PS) Risk Assessment (RA) Awareness & Training (AT) Maintenance (MA) System & Service acquisition (SA) Security Assessment & Authorization (CA) Media Protection (MP) System & Communication Protection (SC) Configuration Management (CM) Physical & Environmental Protection (PE) *NIST Special Publication , Security and Privacy Controls for Federal Information Systems and Organizations, Rev 4 (April 2013). System & Information Integrity (SI) Contingency Planning (CP) Planning (PL) Program Management (PM) 18

19 FISMA Compliance / NIST Guidance o Each Federal Agency Fleet Manager (FM) requires risk assessments using NIST guidance NIST SP for guidance on security control implementation 13 Control Families selected 19

20 FISMA Compliance / NIST Guidance ID FAMILY CONTROLS SELECTED AC Access Control AC-6 - Least Privilege AC-14 - Permitted actions Without Identification or Authentication AC-17 - Remote access AC-18 - Wireless access AU Audit and accountability AU-2 - Audit Events CA Security Assessment and Authorization CA-6 - Security Authorization CA-8 - Penetration Testing CM Configuration Management CM-7 - Least Functionality IA Identification and Authentication IA-3 - Device Identification and Authentication IA-7 - Cryptographic Module Authentication IR Incidence Response IR-1 - Incident Response Policy and Procedures MA Maintenance MA-2 - Controlled Maintenance PL Planning PL-2 - System Security Plan PL-8 - Information Security Architecture PS Personnel Security PS-7 - Third-party Personnel Security RA Risk Assessment RA-3 - Risk Assessment RA-5 - Vulnerability Scanning SA System and Service acquisition SA-11 - Developer Security Testing and Evaluation SA-12 Supply Chain Protection SC System and Communications Protection SC-2 - Application Partitioning SC-7 - Boundary Protection SC-13 - Cryptographic Protection SC-23 - Session Authenticity SC-28 - Protection Of Information At Rest SC-39 - Process Isolation SI System and Information Integrity SI-2 - Flaw Remediation SI-3 - Malicious Code Protection SI-5 - Security Alerts, Advisories, And Directives SI-7 - Software, Firmware, and Information Integrity SI-10 - Information Input Validation SI-16 - Memory Protection 20

21 FISMA Compliance / NIST Guidance ( Firmware Updates Controls) ID FAMILY CONTROLS SELECTED AC Access Control AC-6 - Least Privilege AC-14 - Permitted actions Without Identification or Authentication AC-17 - Remote access AC-18 - Wireless access AU Audit and accountability AU-2 - Audit Events CA Security Assessment and Authorization CA-6 - Security Authorization CA-8 - Penetration Testing CM Configuration Management CM-7 - Least Functionality IA Identification and Authentication IA-3 - Device Identification and Authentication IA-7 - Cryptographic Module Authentication IR Incidence Response IR-1 - Incident Response Policy and Procedures MA Maintenance MA-2 - Controlled Maintenance PL Planning PL-2 - System Security Plan PL-8 - Information Security Architecture PS Personnel Security PS-7 - Third-party Personnel Security RA Risk Assessment RA-3 - Risk Assessment RA-5 - Vulnerability Scanning SA System and Service acquisition SA-11 - Developer Security Testing and Evaluation SA-12 Supply Chain Protection SC System and Communications Protection SC-2 - Application Partitioning SC-7 - Boundary Protection SC-13 - Cryptographic Protection SC-23 - Session Authenticity SC-28 - Protection Of Information At Rest SC-39 - Process Isolation SI System and Information Integrity SI-2 - Flaw Remediation SI-3 - Malicious Code Protection SI-5 - Security Alerts, Advisories, And Directives SI-7 - Software, Firmware, and Information Integrity SI-10 - Information Input Validation SI-16 - Memory Protection Example Firmware Update Controls 21

22 FISMA Compliance / NIST Guidance ( Wireless Security Controls) ID FAMILY CONTROLS SELECTED AC access Control AC-6 - Least Privilege AC-14 - Permitted actions Without Identification or Authentication AC-17 - Remote access AC-18 - Wireless access AU Audit and accountability AU-2 - Audit Events CA Security Assessment and Authorization CA-6 - Security Authorization CA-8 - Penetration Testing CM Configuration Management CM-7 - Least Functionality IA Identification and Authentication IA-3 - Device Identification and Authentication IA-7 - Cryptographic Module Authentication IR Incidence Response IR-1 - Incident Response Policy and Procedures MA Maintenance MA-2 - Controlled Maintenance PL Planning PL-2 - System Security Plan PL-8 - Information Security Architecture PS Personnel Security PS-7 - Third-party Personnel Security RA Risk Assessment RA-3 - Risk Assessment RA-5 - Vulnerability Scanning SA System and Service acquisition SA-11 - Developer Security Testing and Evaluation SA-12 Supply Chain Protection SC System and Communications Protection SC-2 - Application Partitioning SC-7 - Boundary Protection SC-13 - Cryptographic Protection SC-23 - Session Authenticity SC-28 - Protection Of Information At Rest SC-39 - Process Isolation SI System and Information Integrity SI-2 - Flaw Remediation SI-3 - Malicious Code Protection SI-5 - Security Alerts, Advisories, And Directives SI-7 - Software, Firmware, and Information Integrity SI-10 - Information Input Validation SI-16 - Memory Protection Example Wireless Security Controls 22

23 Telematics Recommendation Telematics devices/systems are the gateway to the vehicle network and data. To protect the fleet efficiency management system and vehicle it is recommended to: o Protect Communications Between Devices/Systems It is recommended that encryption be implemented to protect all communications external to a device o Protect Firmware on Devices/Systems It is recommended that the use of digital signatures and encryption are used to both protect firmware on the device and authenticate and protect updating of firmware to the device 23

24 Telematics Recommendation Telematics devices/systems are the gateway to the vehicle network and data. To protect the fleet efficiency management system and vehicle it is recommended to: o Protect Communications Between Devices/Systems It is recommended that encryption be implemented to protect all communications external to a device o Protect Firmware on Devices/Systems It is recommended that the use of digital signatures and encryption are used to both protect firmware on the device and authenticate and protect updating of firmware to the device o Protect Action of Devices/Systems It is recommended that implementation of the principle of least privilege is implemented on all devices o Protect Integrity of Devices/Systems It is recommended that manufacturers and/or maintainers of devices institute a *vulnerability response program for receiving, implementing, and addressing vulnerabilities discovered or reported in their products * ISO/IEC 29147:2014 Information technology -- Security techniques -- Vulnerability Disclosure) ISO/IEC 30111:2013 (Information technology -- Security techniques -- Vulnerability Handling Processes) 24

25 Example Telematics Cybersecurity Risk Assessment Questionnaire Telematics devices/systems are the gateway to the vehicle network and data. To protect the fleet efficiency management system and vehicle it is recommended to: o Protect Communications Between Devices/Systems It is recommended that encryption be implemented to protect all communications external to a device o o o Protect Firmware on Devices/Systems It is recommended that the use of digital signatures and encryption are used to both protect firmware on the device and authenticate and protect updating of firmware to the device Protect Action of Devices/Systems It is recommended that implementation of the principle of least privilege is implemented on all devices Protect Integrity of Devices/Systems It is recommended that manufacturers and/or maintainers of devices institute a vulnerability response program for receiving, implementing, and addressing vulnerabilities discovered or reported in their products 25

26 HEAVENS Risk Assessment Process Healing Vulnerabilities to Enhance Software Security and Safety (HEAVENS) is an attackercentric type of risk analysis tool utilizing STRIDE* threat definitions to correlate threats with security attributes * Microsoft s Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DOS) and Elevation of Privileges (STRIDE): 26

27 Available Documents Telematics Cybersecurity Primer for Agencies (June 2017) Telematics Cybersecurity Primer for Agencies Risk Assessment Questionnaire (June 2017) HEAVANS Risk Model and Program Deliverables (April 2016) 27

28 Volpe Center Automotive Cybersecurity R&D Showcase 28

29 DHS/Volpe Center Automotive Cybersecurity R&D Showcase (October 18-20, 2016) Federal Programs and Labs Vehicle Cybersecurity Workshop (October 18) - Workshop for federally-funded Automotive Cybersecurity Programs (e.g. DHS, NHTSA, DARPA, Army/TARDEC, NIST, TC/DRDC, etc.) and Federal Laboratories (e.g. DOE, DoD, Federally-funded Research and Development Centers-FFRDCs, etc.) Bring together Federally Funded stakeholders to share information about and collaborate on ongoing and future Government projects in Automotive Cybersecurity Minimize duplication of efforts in Federal Automotive Cybersecurity R&D Workshop Report (available on request for Federal or Federal Contractor staff only) 29

30 Federal Programs and Labs Vehicle Cybersecurity Workshop - Conclusions Need for continued collaboration between federal laboratories Government Vehicles Telematics Cybersecurity Workshop (to be held in DC on December 13 th 2017) Feasibility study of virtual test vehicles and test benches

31 DHS/Volpe Center Automotive Cybersecurity R&D Showcase (October 18-20, 2016) Cont d Open Source Automotive Cybersecurity Research Tool Forum (October 19-20) Many automotive cybersecurity Open Source Software (OSS) research tools are in development. Tools support areas: new hardware interfaces, discovery, injection, sniffing, reverse engineering, fuzzing, software defined radio (SDR) and simulation. Forum goals: Demonstrate the current state of the art in automotive cybersecurity tools on real automobiles Foster researcher-to-researcher relationships Share knowledge about cybersecurity research issues and automation challenges Incentivize increased academic and security researcher interest in automotive cybersecurity Connect tool developers with collaborators, end users, and potential funding sources Workshop Report (available on request) 31

32 Open Source Automotive Cybersecurity Research Tool Forum - Conclusions Virtual workbenches are needed due to limited vehicle access A growing proliferation of open source tools Open source tools are getting more powerful and sophisticated Open source software/hardware significantly lowers the entry barrier for researchers User as developer model creates positive feedback loop 32

33 Open Source Automotive Cybersecurity Research Tool Forum Next Steps Development of an Open Source OS Tools Portal for use by Government researchers, and academia Continuation of the Automotive Cybersecurity R&D Showcase type of event with more hands on activities (e.g. academia training classes) Continued outreach to the open source community 33

34 Questions 34

35 Contact Information Chase Garwood Program Manager Department of Homeland Security Science and Technology (S&T) HSARPA Cybersecurity Division (CSD) Phone: Kevin Harnett Cybersecurity Program Manager U.S. Department of Transportation Office of Research and Technology John A. Volpe National Transportation Systems Center (Volpe Center) Phone: