Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations

Size: px

Start display at page:

Download "Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations"

Beatrix Gilmore
6 years ago
Views:

1 Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations

2 Agenda Nexus of Safety and Cybersecurity Separation and Connectivity Trends in Aerospace Cybersecurity Isn t Security Testing Different?

3 Nexus of Safety and Cybersecurity 3

Security as a Safety Issue For LDRA s core markets, Safety and Security can be considered as one: Sicherheit IEC 61508 adopts a risk-based approach introduces safety integrity levels [SILs] for

4 Security as a Safety Issue For LDRA s core markets, Safety and Security can be considered as one: Sicherheit IEC adopts a risk-based approach introduces safety integrity levels [SILs] for specifying the target level of safety integrity for the safety functions to be implemented by the E/E/PE safety-related systems International standard IEC Functional safety of electrical/electronic/programmable electronic safety-related systems ISO provides requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety being achieved International standard ISO Road vehicles Functional safety Part 6: Product development at the software level If your Jeep is driven into a tree by a hacker, that is a SAFETY issue! 4

The Changing Face of Automotive Software Until recently,

function, device specific implementations Isolation has

and practices and processes have relied on that status And

5 The Changing Face of Automotive Software Until recently, automotive embedded application were static, fixed function, device specific implementations Isolation has been a sufficient guarantee of security for many years, and practices and processes have relied on that status And then 5

guarantee of security for many years, and practices and processes have relied on that status

6 The Connected World of the IIoT Until recently, SCADA systems and the devices they controlled had little or no connection to the outside world Isolation has been a sufficient guarantee of security for many years, and practices and processes have relied on that status And then 6

7 And so on Transportation Medical 7

8 How was the Jeep hacked? From Miller & Valasek s paper Remote Exploitation of an Unaltered Passenger Vehicle : Remote Attack Surface The following table is a list of the potential entry points for an attacker. While many people only think of these items in terms of technology, someone with an attacker s mindset considers every piece of technology that interacts with the outside world a potential entry point. In order to access the security critical systems, the hackers needed an entry point, and a vulnerability to get access from that entry point 8

9 How was the Jeep hacked? From Miller & Valasek s paper Remote Exploitation of an Unaltered Passenger Vehicle : there are no CAN bus architectural restrictions, such as the steering being on a physically separate bus. If we can send messages from the head unit, we should be able to send them to every ECU on the CAN bus. This combination of automotive networks (e.g. CAN) and connectivity compromises traditional assumptions 9

10 Separation and Connectivity 10

11 Separation through Hardware Separation of these different domains can be achieved in several different ways This example shows how separation is achieved through hardware in the Tesla Model S SOURCE: 11

So how was the Tesla hacked? https://electrek.

12 So how was the Tesla hacked? This Keen Laboratories hack was the second publicised attack on a Tesla Infotainment system accessed via a vulnerability in the WebKit based browser, and manipulated via a malicious Wi-Fi hotspot Access to the instrument cluster via vulnerabilities in its Linux OS allowed activation of doors, windows, and wipers but provided no access to the safety critical braking system That required them to replace the gateway software with their own.perhaps using a privilege escalation vulnerability highlighted by Rogers and Mahaffey in the earlier attack? -hacked-model-s-teslas-already/ 12

13 How About Separation in Software? 13

14 Scales up to Automotive Virtualization promises both a reduced processor count, and domain separation in one highly configurable package (from Lynx O/S) 14

15 Not just Lynx

16 But No Guarantee As the Tesla example illustrates, separation is important but in isolation it is no guarantee of impenetrability Cyber-security depends on vigilance in every part of the development process, including Least Privilege development principles Secure coding techniques Security focused testing THAT S where LDRA comes in. 16

17 Significant Components in a Security Machine! Safety Dynamic Testing Hardware Security MILS (Least Privilege) Minimization of attack surface Security Hardened OS Boot Image Integrity Verification Domain Separation Secure Coding 17

18 Separation Technologies Separation Technologies have a big part to play. However, they are no silver bullet. The isolation of hypervisor domains is restricted only to the processor implementing the virtualization. Other bus masters in the system, such as DMA engines and Graphics Processing Units (GPUs), can bypass the protections provided by the hypervisor For them to be useful, there needs to be application code communicating BETWEEN the domains And hypervisors themselves are not infallible 18

19 Trends in Aerospace Cybersecurity 19

20 As of Today

21 Aerospace Risk Management Process 21

22 Aerospace Security 22

23 23 Overview of MIL-STD-882E [MIL-STD-882E] identifies the Department of Defense (DoD) Systems Engineering (SE) approach to eliminating hazards, where possible, and minimizing risks where those hazards cannot be eliminated. The standard defines the system safety approach, including security, to be used in mitigating potential software contributions to functional hazards. From the normative text: , System/subsystem specification. The system-level functional and performance requirements, interfaces, adaptation requirements, security and privacy requirements, computer resource requirements, design constraints (including software architecture, data standards, and programming language), software support, precedence requirements, and developmental test requirements for a given system.

24 24 MIL-STD-882E System Safety Process

25 25 MIL-STD-882E Risk Assessment

26 26 MIL-STD-882E Risk Assessment

27 27 MIL-STD-882E Risk Assessment

28 28 MIL-STD-882E Software Assessment

29 SwCl Req. Arch. Des. Code Test ID Test 178C Req. Arch. Des. Code Test ID Test 29 MIL-STD-882E SwCl vs 178C Levels 1 A 2 B 3 C 4 D 5 E Legend: SwCl = Software Control Category Req. = Requirements Analysis Arch. = Architecture Analysis Des. = Design Analysis Code = Code Analysis Test = Safety-Specific Testing ID Test = In-depth Safety-Specific Testing 178C = DO-178C Software Level

30 Project Standards are Critical: Not Just Industry Standards Requirements Standards Safety Functional Software Hardware Design Standards System Software Hardware Coding Standards Software Hardware 30

31 Isn t Security Testing Different? 31

32 Traditional Security Market - Testing Reactive Coding Executable Testing No Guidelines No Risk Mitigation Mostly Agile Not Dependable Not Trustworthy (Malicious Logic) Not Resilient Performance Tests Penetration Tests Load Tests Functional Tests 32

33 Prevention is Better than Cure Proactive Process remains same, additional considerations need to be addressed Coding Testing Executable Security Risk Assessment Drives Security Guidelines Agile/V/Waterfall Code Reviews Functional Tests Structural Coverage (No Malicious Logic) Security Tests Dependable Trustworthy Resilient 33

34 Best Prevention for Safety, Systems & Cybersecurity Convergence- LDRA s PCD Stack for Aerospace

The Remote Exploitation of Unaltered Passenger Vehicles Revisited. 20 th October 2016 Mark Pitchford, Technical Manager, EMEA

The Remote Exploitation of Unaltered Passenger Vehicles Revisited 20 th October 2016 Mark Pitchford, Technical Manager, EMEA Today s hot topic A few years ago, Lynx presentations at events such as this