Risk Based Security. Automotive Safety & Security, 30. Mai 2017 Christof Ebert and Dominik Lieckfeldt, Vector Consulting Services V1.

Transcription

1 Risk Based Secrity Atomotive Safety & Secrity, 30. Mai 2017 Christof Ebert and Dominik Lieckfeldt, Vector Conslting Services V

2 Agenda Motivation Risk-based approach to Cybersecrity Conslsion 2/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

3 Motivation The Challenge of Increasing Fnctionality Increasing nmber and complexity of fnctions More and more distribted development Rising safety, secrity and network reqirements Electronic fel injection Anti-lock brakes Gearbox control Traction control CAN Anti lock brakes Electronic fel injection Hybrid powertrain Electronic stability control Active body control Emergency call Electric power steering FLEXRAY Gearbox control Traction control CAN bs Electric powertrain Adaptive crise control Lane Assistant Stop-/Start atomatic Emergency Break Assist Head-p Display Electronic Brake Control Telediagnostics Online Software Updates AUTOSAR Hybrid powertrain Electronic stability control Active body control Car2Car, Car2X Clod Compting 5G mobile commnication Fel-cell technology Atonomos driving Brake-by-wire Steer-by-wire Secrity & safety Laser-sorced lighting 3D displays Gestre HMI Ethernet/IP backbone Electric powertrain Adaptive crise control Lane Assistant Stop-/Start atomatic Emergency Break Assist Head-p Display Electronic Brake Control Telediagnostics AUTOSAR / Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

4 Motivation Connectivity + Complexity = Cyber Attacks OEM Sppliers ITS Operator Eavesdropping, Data leakage Command injection, data corrption, back doors OBD Man in the middle attacks DSRC 4G LTE Physical attacks, Sensor confsion Password attacks Roge clients, malware Pblic Clods Application vlnerabilities Service Provider 4/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

5 Motivation Many different attack vectors to be regarded OEM Sppliers ITS Operator Attack Vector E/E Network OBD DSRC 4G LTE Pblic Clods Service Provider 5/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

6 Motivation Why do we need to care abot Cybersecrity Fnctional Safety Cyber Secrity Privacy Goal: Protect health Risk: Accident Governance: ISO Methods: HARA, FTA, FMEA, Fail operational, Redndancy, Goal: Protect assets Risk: Attack, exploits Governance: ISO etc. Methods: TARA, Cryptography, IDIP, Key management, Goal: Protect personal data Risk: Data breach Governance: Privacy laws Methods: TARA, Cryptography, Explicit consent, 6/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

7 Motivation Featre Example: Experiences from developer s daily life Key (RF antenna) Safety Item Passive Entry/ Lock/Unlock Steering Colmn Lock Bolt Velocity QM Passive Start ASIL D? Doors lock Fnction Hazard S/E/C ASIL Passive Entry After starting from standstill a nearby second key opens the car from remote by accident. Doors are nlocked and opened nintentionally. Car cold open and hit pedestrian on low speed. S2/E3/C1 QM Steering Colmn Lock Dring driving on high speed (Highway) steering colmn is locked and vehicle crashes in safety fence S3/E4/C3 D Steering Colmn Lock Person nearby is locking steering colmn from remote whereby the vehicle is on medim speed. S3/??/C3?? Fnctional safety methods do not cover secrity isses. An atomotive standard is missing. 7/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

8 Motivation Different Threats Demand Holistic Systems Engineering Fnctional Safety Cyber Secrity Privacy Goal: Protect health Risk: Accident Governance: ISO Methods: HARA, FTA, FMEA, Fail operational, Redndancy, Goal: Protect assets Risk: Attack, exploits Governance: ISO etc. Methods: TARA, Cryptography, IDIP, Key management, Goal: Protect personal data Risk: Data breach Governance: Privacy laws Methods: TARA, Cryptography, Explicit consent, Liability Risk management Holistic systems engineering 8/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

9 Agenda Motivation Risk-based approach to Cybersecrity Conslsion 9/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

10 Probability Risk-based approach to Cybersecrity Fnctional safety & Cyber secrity Risk based approach Risk = Severity of harmfl event Probability of occrrence inacceptable risk acceptable risk Severity The prpose of development measres is to redce the residal risk (cased by new featres) to an acceptable level. 10/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

11 Risk-based approach to Cybersecrity Concept of Threat Analysis and Risk Assessment (TARA) Assets Threat-Model & Risks Measres Concept for Soltion Verification General atomotive asset categories Example: Identified threats Safety Safety - Vehicle fnctions 1 Injries becase of malfnctioning Passive Entry Financial Privacy / Legislati on - Private data -ECU SW Operational Performance Finance - Brand Image 2 Loss of annal sales de to damage to brand image Operational Performance Doors locked Privacy/Legislation 3 Theft of private data - Driving performance Secrity considers a larger scope of threats compared with Safety. 11/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

12 Risk-based approach to Cybersecrity Detailed Steps for TARA Assets Threat-Model & Risks Measres Concept for Soltion Verification Asset/Fnction Secrity Attack Threat Risk Asset 1 Attack-type 1 Threat 1 EAL (Evalation Assrance Levels ) Fnction 1 Attack-type 2 Threat 2 ASIL Asset/ Fnction Passive entry Attack Threat Threat-Level (e.g. Expertise, Eqipment) Athenticity: Attacker nlocks the vehicle doors. Athenticity: Attacker nlocks the vehicle doors. Athenticity: Attacker nlocks the doors of many vehicles. Vehicle doors are nlocked and vehicle is stolen. Vehicle doors are opened at high speed. Vehicle crashes into opposing traffic. Vehicle doors are nlocked and many vehicles are stolen. Impact-Level (e.g. Financial, Privacy, Safety) Risk level High High Medim Very High Very High Very High Medim Very High High / Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

13 No. Variant Asset ID Threat ID Expertise Window of Opportnity Knowledge Eqipment Threat level Safety Financial Operational Privacy Impact Level SG ID Risk-based approach to Cybersecrity TARA Tool from Real World CIAAG Confidentiality, Integrity, Availability, Athenticity, Governance Reslting Secrity Goals Maximm (Safety, Financial) Asset / Vehicle Fnction CIA Hazard / Threat Secrity level Secrity Goal 1 Platform (TBC) Ast 2 Braking to A prevent collision Tht-1 Driver crashes into preceding car. Passengers in both cars are severly wonded or killed. Expert Medim Sensitive Bespokes Low Lifethreatening or fatal injries Low High No impact Critical Medim SG1 If reqested the brakes shall be activated 2 Platform (TBC) Ast 2 Braking to I prevent collision Tht-2 Braking althogh not athorized, e.g. > 10 km/h Expert Medim Sensitive Bespokes Low Severe and life threatening injries High High No impact Critical High SG2 Unathorized braking shall be avoided. 3 Platform (TBC) Ast 1 IPR of fnctions C Tht-3 RCTA fnction becomes pblic knowledge Expert High Pblic Bespokes Medim No injries High No impact No impact Critical High SG3 RCTA fnction shall remain secret. 13/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

14 Risk-based approach to Cybersecrity Secrity Architectre Design Assets, Threats and Risk Assessment Secrity Case, Adit, Compliance Secrity Goals and Secrity Concept Secrity Validation Technical Secrity Concept Test Secrity Mechanisms Secrity Implementation Secrity Verification Secrity Concept: 1. Refinement of Secrity Goals to Fnctional Secrity Reqirements (FSeR) 2. Allocation of FSeR to the first level of system architectre Technical Secrity Concept: 1. Refinement of system architectre to technical component level (SW/HW components) 2. Technical Secrity Reqirements (TSeR) are refined ot of the Secrity Concept 14/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

15 Risk-based approach to Cybersecrity Secrity Architectre Design Assets, Threats and Risk Assessment Secrity Case, Adit, Compliance Secrity Goals and Secrity Concept Secrity Validation Technical Secrity Concept Test Secrity Mechanisms Verification of: Secrity Concept Technical Secrity Concept Secrity Implementation Secrity Verification Peer Reviews Attack Trees as System Vlnerability Analysis 15/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

16 Risk-based approach to Cybersecrity Derive Appropriate Secrity Mechanisms Prevent Detect Forensic Critical High Medim Low (+) + + QM O O + O: No recommendation for or against approach +: Approach is recommended for secrity level ++: Approach is highly recommended for secrity level 16/26 Examples Network/process/ information separation Encryption, digital signatres Key management Access control Firewall Intrsion prevention systems (IPS) Examples Intrsion detection systems (IDS) Monitoring Examples Logging Secrity isse knowledge base Analysis and investigation of digital evidence Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

17 Risk-based approach to Cybersecrity Secrity Engineering Assets, Threats and Risk Assessment Secrity Management in POS Secrity Goals and Reqirements Secrity Case, Adit, Compliance Technical Secrity Concept Secrity Validation Secrity Implementation Secrity Verification 17/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

18 Risk-based approach to Cybersecrity Implement Secrity by Design: Verification and Validation Tools Static / dynamic code analyzer Encryption cracker Vlnerability scanner Network traffic analyzer / stress tester Hardware debgger Interface scanner Exploit tester Layered fzzing tester Life Hacking Penetration testing Attack schemes Governance and social engineering attacks Test for the known and for the nknown. Ensre atomatic regression tests are rnning with each delivery. 18/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

19 Risk-based approach to Cybersecrity Secrity By Design: What will happen to After Sales Services? Assets, Threats and Risk Assessment Secrity Case, Adit, Compliance? Secrity Goals and Reqirements Secrity Validation Technical Secrity Concept Test Secrity Mechanisms Secrity Implementation Secrity Verification Major difference between secrity & safety: Risk-management dring vehicle lifetime. 19/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

20 Risk-based approach to Cybersecrity Game Changer: Deploy Secrity for Service & Operations: OTA Over the Air (OTA) Update: This featre opens the gate for a big nmber of threats and is a soltion at same time. 20/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

21 Agenda Motivation Risk-based approach to Cybersecrity Conslsion 21/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

22 Conslsion Atomotive Cyber Secrity Secrity demands a thorogh cltre change Advance a cyber secrity cltre across fnctions Enforce strong governance end-to-end, not jst encryption and key management Risk based secrity is the order of the day Apply systems engineering for safety and cyber secrity Systematically se professional tools sch as Threat Analysis and Risk Assessment (TARA), vlnerability analysis, secre by design methods, hacking invitations, and varios penetration testing Close known vlnerabilities as soon as possible ( OTA) Adit yor sppliers and achieve a holistic perspective on risks and soltions It needs the ability to think like a Criminal and preemptively act as an Engineer 22/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

23 Conslsion Vector Cyber Secrity is Defined by Three Levers Digitization Atomotive and IT indstries increasingly converge. Software and IT are the major market driver in atomotive. IT departments and atomotive E/E mst collaborate. Attacks Critical systems are by definition insecre. A 100% secrity soltion is not possible. Advanced risk assessment and mitigation is the order of the day. Governance Abse, misse and confse cases will make it to the headlines. Especially if safety and privacy are impacted. Systematic secrity engineering needs a thorogh cltre change. Vector proposition: Bridging best practices from IT and engineering Holistic systems Engineering for Secrity and Safety Vector proposition: Risk based secrity assessment and engineering AUTOSAR software, HW based secrity, engineering services Vector proposition: Secrity cltre: Competences, organization, process Secre by design: Infrastrctres, methods, tools 23/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

24 Conslsion Vector Cyber Secrity Portfolio Secrity Soltions Conslting Vector Secrity Check, Secrity Engineering, Software AUTOSAR, Re-programming ECUs, OTA, Smart Charging Tools Test, Diagnosis, Trainings and media Training Atomotive Cyber Secrity Stttgart, Te. 5. Jl In-hose trainings tailored to yor needs available worldwide Free white papers 24/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

25 Conslsion Qestions? 25/ Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V

26 Thank yo for yor attention. For more information please contact s. Vector Conslting Services Yor Partner in Achieving Engineering Excellence Phone Fax Vector Conslting Services GmbH. All rights reserved. Any distribtion or copying is sbject to prior written approval by Vector. V