Functional Safety and Cyber Security Experiences and Trends

Transcription

1 Functional Safety and Cyber Security Experiences and Trends Vector China Congress, Shanghai, 7. Sep Dr. Christof Ebert, Vector Consulting Services V

2 Welcome Vector Consulting Services Experts for product development, product strategy and IT in critical systems Interim support, such as virtual security and safety officers and interim management Global presence Trainings on Agile, Requirements, Security, Safety, CMMI/SPICE etc. Part of Vector Group with over 1800 employees Automotive Aerospace IT & Finance Digital Transformation Medical Railway

3 Agenda 1. Welcome 2. Safety and Security are Key Risks 3. Risk-Oriented Development 4. Conclusions and Outlook 2/29

4 Safety and Security are Key Risks Vector Client Survey: Security and Safety are Major Challenges 70% 60% 50% 40% 30% 20% 10% Mid-term challenges Complexity Management Security and Safety Connectivity Distributed Development Governance and Compliance Innovative Products Digital Transformation Efficiency and Cost 0% Others Short-term challenges 0% 10% 20% 30% 40% 50% 60% 70% Vector Client Survey Details: Horizontal axis shows short-term challenges; vertical axis shows mid-term challenges. Sum > 100% due to 3 answers per question. Strong validity with >4% response rate of 1500 recipients from different industries worldwide. 3/29

5 Safety and Security are Key Risks Challenge: Security and Safety Increasing complexity of functions Interactive services and connectivity Rising liability risks with cyber security and safety Quantity: Boost in number of systems Maturity: Inefficient processes and tools Quality: Lack of experts Fuel injection Anti-lock brakes Gearbox control Traction control CAN Anti lock brakes Fuel injection Hybrid powertrain Electronic stability control Active body control Emergency call Electric power steering FLEXRAY Engine /gearbox control Traction control Electric powertrain Adaptive cruise control Lane assistant Stop-/start automatic Emergency break assist Head-up display Electronic brake control Tele diagnostics Online Software Updates AUTOSAR Hybrid powertrain Electronic stability control Active body control Mobility services Autonomous driving Brake-by-wire Steer-by-wire Connectivity, Vehicle2X Cloud computing 5G mobile communication Fuel-cell technology Laser-sourced lighting 3D displays Gesture HMI Ethernet/IP backbone Electric powertrain Adaptive cruise control Lane assistant Stop-/start automatic Emergency break assist Head-up display Electronic brake control Remote diagnostics AUTOSAR... Time 4/29

6 Safety and Security are Key Risks Automotive E/E Trends Mobility: From driving to multi-modal mobility services and sharing culture Business Models: From incumbent tiered supply-chain to flexible new players from IT industry E/E architecture: From distributed electronic controllers to standardized three-tier architecture IT architecture: From proprietary building blocks to open IT systems with off-the-shelf components and adaptive SOA. Development lifecycle: From the classic V model with rather heavy release cycles to agile DevOps-like approach. Governance: From encapsulated safety-critical functions to interwoven quality assurance for liability, safety, cyber security, privacy. Culture: From R&D vs. IT separation to convergence. Competences: From automotive embedded electronics to IT as a core competence of all engineers. Details: IEEE Software May 2017 (Vector Guest Edited) 5/29

7 Safety and Security are Key Risks Automotive Trends Impact Safety and Security 1. Powertrain Energy efficiency Unintended speed change 2. Driver Assistance Autonomous driving Signal confusion 3. Connectivity Always connected Sudden Driver distraction 6/29

8 Safety and Security are Key Risks Vector Was First to Address Automotive Cyber Security First presentation on automotive security in 2007 came from Vector: Automotive Security: A Threat with an End? 7/29

9 Safety and Security are Key Risks History Repeats Itself Unless We Learn From It 1980s: IT Systems were Complex Distributed Software Intensive Perceived as secure Then came the Morris worm 2016: Automotive Systems are Then Complex Distributed Software Intensive Perceived as secure A 100% perfect solution is not possible. Advanced risk assessment and mitigation is the order of the day. 8/29

10 Safety and Security are Key Risks Connectivity + Complexity = Cyber Attacks OEM Suppliers ITS Operator Eavesdropping, Data leakage Command injection, data corruption, back doors OBD Man in the DSRC middle attacks 4G LTE Physical attacks, Sensor confusion Trojans, Ransomware Password attacks Rogue clients, Public malware Clouds Application vulnerabilities Service Provider 9/29

11 Safety and Security are Key Risks Combined Safety and Security Need Holistic Systems Engineering Functional Safety Cyber Security Privacy Goal: Protect health Risk: Accident Governance: ISO etc. Methods: HARA, FTA, FMEA, Fail operational, Redundancy, Goal: Protect assets Risk: Attack, exploits Governance: ISO etc. Methods: TARA, Cryptography, ID/IP, Key management, Goal: Protect personal data Risk: Data breach Governance: Privacy laws Methods: TARA, Cryptography, Explicit consent, Liability Risk management Holistic systems engineering 10/29

12 Agenda 1. Welcome 2. Safety and Security are Key Risks 3. Risk-Oriented Development 4. Conclusions and Outlook 11/29

13 Risk-Oriented Development Standards Demand Risk-Oriented Approach Functional Safety (IEC 61508, ISO 26262) Assets, Threats and Risk Assessment Op. Scenarios, Hazard, Risk Assessment Safety Management after SOP Security Management in POS Hazard and risk analysis Functions and risk mitigation Safety engineering ISO ed.2 will not comprehensively address security, but will refer to and include shared methods, such as TARA Security Goals and Requirements Technical Security Concept Security Implementation Safety Goals and Requirements Functional and Technical Safety- Concept Safety Implementation Safety Case, Certification, Approval Safety Validation Safety Verification Security Case, Audit, Compliance Security Validation Security Verification + Security architecture (ISO 27001, ISO 15408, ISO 21434, SAE J3061) methods Threat data formats and risk & analysis functionality Abuse, misuse, confuse cases Security engineering Security and Safety are interacting and demand holistic systems engineering For fast start connect security with safety 12/29

14 Risk-Oriented Development Functional Safety and Cyber Security Risk based approach Risk = Severity of harmful event Probability of occurrence inacceptable risk Probability acceptable risk Severity Risk-oriented engineering means to intelligently mitigate the residual risk. It does not mean to copy paste standards and thus further increase complexity 13/29

15 Risk-Oriented Development State of the Art: Functional Safety Functional safety with ISO is digested Vector Consulting support on all levels for OEM and Tier1 1. Driving Situations OEM 2. Hazards OEM 3. Risks and Safety Integrity Level OEM 4. Safety Goals Safety Requirements OEM 5. Technical Safety Concept OEM/Tier1 6. Safety requirements on ECU level OEM/Tier1 7. Software Safety Requirements Tier1/Vector ISO ed.2 will demand more consistency and enhancements on safety related methodologies 14/29

16 Risk-Oriented Development State of the Art: Cyber Security Security demands growing fast Connectivity and open channels allow security attacks Exploits will persist beyond zero-day because so far no OTA governance Safety-critical systems connected to potentially unsecure bus systems Build security engineering on top of existing safety Extend hazard analysis with threat analysis and automotive attack models Reuse existing safety artefacts to ensure robust safety case Define tailored security protection for safety-critical systems Encrypt entire bus communication, e.g. AUTOSAR Protect ECUs with secure boot and HW-defined security Completely separate infotainment and HU There is no safety without security 15/29

17 Risk-Oriented Development Concept of Combined Threat/Hazard Analysis and Risk Assessment Assets Threat-Model & Risks Measures Concept for Solution Verification General automotive asset categories Example: Identified threats Safety Safety - Vehicle functions 1 Injuries because of malfunctioning Passive Entry Financial Privacy / Legislati on -Private data -ECU SW Operational Performance Finance -Brand Image 2 Loss of annual sales due to damage to brand image Operational Performance Doors locked Privacy/Legislation 3 Theft of private data -Driving performance Security considers a larger scope of threats compared with Safety. 16/29

18 Risk-Oriented Development Case Study Powertrain: Threats and Hazards Throttle pedal, Engine control Safety Item Adjust Speed Lock/Unlock Change Gears Transmission Velocity ASIL C ASIL C Throttle Function Hazard S/E/C ASIL Adjust speed Speed is unintentionally increased during normal operation in cruise control while driving in a city S3/E3/C1 C Change Gears During driving on high speed (Highway) the gear is changing to a higher gear thus reducing acceleration when it is needed during overtaking S3/E4/C3 C Unlike Safety where we work with probabilities, Security threats always have a probability of 1 for exploits and attacks. 17/29

19 Risk-Oriented Development Case Study Powertrain: From TARA to Technical Safety/Security Concept 2 Elements of functional architecture 1 Security goal and derived functional security req. Security Goal Functional Security Requirement Entities of Functional Security Architecture ID Level Security Goal ID Requirement Inputs Function Blocks SG05 High It shall be prevented that unauthentic software is installed on vehicle ECUs. The authenticity and integrity of the user_command signal during reading FSR 1 and transmission shall be assured. The authenticity and integrity of the authenticity signal during reading and FSR 2 transmission shall be assured. The authenticity and integrity of the sw_update during reading and FSR 3 transmission shall be assured. FSR 4 FSR 5 FSR 6 FSR 7 It shall be assured that the signal allow_update generated from the input signals is calculated correctly. The authenticity and integrity of the allow_update signal during transmission shall be assured. It shall be assured that the signal change_sw generated from the input signals is calculated correctly. If an error with regards to authenticity and integrity during reading, transmission or calculation of signals or the actuator status occurs, the system will not install the sw update. Update sw command Authenticity and Integrity of sw update (Signature) sw update Prevent unauthorized update Install sw in ECU sw storage (e.g. flash memory).... x x x x x x x x x x x x x x x x x x x x x 3 Allocation of req. to architecture elements Transform technical security concept to security requirements. Handle security requirements exactly like functional requirements. 18/29

20 Risk-Oriented Development Security by Design: Separate Concerns Diagnostic Interface Instrument Cluster Head Unit DSRC 4G LTE Powertrain DC Chassis DC Central Gateway Connectivity Gateway CU Laptop Body DC Tablet Smartphone ADAS DC Smart Charging Firewall Key Infrastructure Crypto Primitives Monitoring / Logging Hypervisor ID / IP Secure On Board Comm. Secure Off Board Comm. Download Manager Secure Flash/Boot Secure Synchronized Time Manager Incrementally harden your E/E and IT functions, architectures and components. Commit to a roadmap with budget and competences. 19/29

21 Risk-Oriented Development Implementation, Verification and Validation Design Use programming rules such as MISRA-C Avoid injectable code Enforce high cryptographic strength Assign least privileges to any function Static and dynamic code analysis Test Encryption cracker, vulnerability scanner Network traffic analyzer, stress tester, interface scanner Layered fuzzing testing Life Hacking Penetration testing Governance and social engineering attacks Test for the unknown. Run automatic regression tests with each delivery. 20/29

22 Risk-Oriented Development Game Changer: OTA Facilitates Security Across the Life-cycle Over the Air (OTA) Updates: Problem and solution at the same time. 21/29

23 Risk-Oriented Development Conclusion: Apply Different Techniques Across Your Life-Cycle Security Techniques Cost Benefit Quick Wins Vector SafetyCheck and Vector SecurityCheck for initial risk assessment Low Medium and implementation guidance Role of Virtual Security Manager Medium High Safety and Security Training and compliance audits Low High Technology Secure boot, communication, storage High High Secure run-time (e.g. CFI, DFI, MACs) High High IDS/IPS, Firewall with adjusted policies Medium-High Medium Process and Governance Development for safety and security Medium-High High Test strategy, e.g. Fuzz Testing, Penetration Testing etc. High Medium Secure Key Management High Medium Security task force and response team (internal or virtual) Medium High 22/29

24 Agenda 1. Welcome 2. Safety and Security are Key Risks 3. Risk-Oriented Development 4. Conclusions and Outlook 23/29

25 Conclusions and Outlook Risk-Oriented Development Must Cover the Entire Life-Cycle Secure by design Secure provisioning Development Services Internal threats Secure supply chain Secure monitoring External threats Production Operations Systematic safety and security engineering Scaleable monitoring Multiple mode of operation (normal, attack, emergency, fail operatoinal, fail safe, etc.) 24/29

26 Conclusions and Outlook Integrated Safety and Security Engineering Assets and Attack Potentials Threat and Risk Assessment Security Goals Features and Operation Scenarios Hazard and Risk Assessment Safety Goals Safety Case Validate Safety Assumptions Security Case Validate Security Assumptions Security Architecture Functional Safety-Concept Test Safety Mechanisms Test Security Mechanisms & Penetration Tests Technical Security Concept Technical Safety-Concept Verify Safety Mechanisms Verify Security Mechanisms Implement. of Security Mechanisms Implement. of Safety Mechanisms Safety Analysis Security Analysis Safety Activity Secure Implementation of Nominal Functions Security Activity Similar to Safety, Security needs to be an integrated part of the development process. Build security upon existing safety governance. 25/29

27 Conclusions and Outlook Safety and Security Matter Safety and Security demands a thorough culture change Build necessary competences for safety and security Do not simply copy-paste elements from current standards Enforce strong governance end-to-end Security Safety Risk-oriented development is the order of the day Apply systems engineering for safety and cyber security Systematically use professional tools, such as PREEvision and CANoe Close known vulnerabilities as soon as possible, preferably with OTA Audit your suppliers and achieve a holistic perspective on risks and solutions Use the hacker s view for security risks, and not that of developer or safety expert To know your enemy, you have to become your enemy. (Sun Tzu, The Art of War) In other words: Think like a Criminal and preemptively act as an Engineer. 26/29

28 Conclusions and Outlook Vector Offers a Comprehensive Portfolio for Cyber Security and Functional Safety Vector Cyber Security and Safety Solutions Security and Safety Consulting AUTOSAR Basic Software HW based Security Tools (PLM with PREEvision, Architecture, Test, Diagnosis etc.) Engineering Services for Safety and Security 27/29

29 Conclusions and Outlook More Information Annual Vector Security Symposium 12. October 2017 in Stuttgart With all major OEMs and Tier-1 suppliers Trainings and Media Free Cyber-Security Webinar (1 hour, continuously updated) Free Functional Safety Webinar (1 hour, continuously updated) In-house trainings tailored to your needs are worldwide available Vector White Papers 28/29

30 Thank you for your attention. For more information please contact us. Passion. Partner. Value. Vector Consulting Services Phone: