Security Challenges with ITS : A law enforcement view

Transcription

1 Security Challenges with ITS : A law enforcement view Central Observatory for Intelligent Transportation Systems FRENCH MINISTRY OF INTERIOR GENDARMERIE NATIONALE Colonel Franck MARESCAL franck.marescal@gendarmerie.interieur.gouv.fr

2 French Central Observatory for the intelligent transportation systems : What For? A better understanding and mastering of the intelligent transport systems will facilitate the work of the gendarmerie missions in these areas : Road safety : to reduce accidents Public safety : to fight against crime (serious offences, robbery) Judiciary police : obtaining digital evidence Risk Prevention : promote cyber security

3 Major risks with ITS Main issue P3

4 CHALLENGES : What about the threat STATEMENTS : 1/ so many computer or system security breaches 2/ modern cars are today the most complex systems on the planet 3/ hackers capabilities : more and more organised (hacker community), motivation for money (conduct business), increasing skill (exchange information). Lessons we have learned from cyber criminals is not to under estimate their abilities to mount cyber attack project P4

5 CHALLENGES : Increasing vulnerabilities : attack surfaces overview Garage diagnostic suitcase cellular network Inside the car Automaker data centre Digital Audio Broadcasting WIFI (V2X) Connected watch USB port Bluetooth OBD-II CAN network RFID RFID key Smart key sensor ECU/JTAG port -wheel- phone chip Smartphone Electric charger port P5

6 CHALLENGES - demo Live connection to a car through an OBD plug device P6

7 Security risks : CHALLENGES : Risk assessment : hackers motivating factors - Denial of Service (DoS) : V2V, ADAS, GPS, infrastructure - Intimidation : car is out of control (threaten the driver) - Terrorism 1 : kill people during a car crash - Terrorism 2 : battering ram car programming by his owner P7

8 Risk assessment : hackers motivating factors Security risks : - Denial of Service (DoS) : V2V, ADAS, GPS, infrastructure - Intimidation : car is out of control (threaten the driver) - Terrorism 1 : kill people during a car crash - Terrorism 2 : battering ram car programming by his owner Privacy risks : - personal data stolen - way as you drive - phone tapping - video surveillance - localisation P8

9 Risk assessment : hackers motivating factors Security risks : - Denial of Service (DoS) : V2V, ADAS, GPS, infrastructure - Intimidation : car is out of control (threaten the driver) - Terrorism 1 : kill people during a car crash - Terrorism 2 : battering ram car programming by his owner Privacy risks : - personal data stolen - way as you drive - phone tapping - video surveillance - localisation Others (financial) : - Vehicle theft (organised crime) : tampering remote key (Mouse Jacking). - Ransom (car is out of order for a while) - carmakers stock-market manipulation P9

10 Risks Consideration Declaration of Amsterdam - Ministers of Transports April 2016 Cooperation in the filed of connected and automated vehicle : It's essential to ensure security of vehicle : trust model and certification policies should be developed to prevent risks and support cybersecurity March 17, 2016 : Alert Number I PSA Motor Vehicles Increasingly Vulnerable to Remote Exploits P 10

11 Car cyber security guidelines SAE J3061 Guidelines (january 2016) : Cybersecurity guidebook for cyber-physical vehicles systems ISO is progress C-ITS platform (European Commission) WG5 security Recommendations/actions : report (january 2016) CaRSEC expert Group within ENISA (march 2016) (European Union Agency for Network and Information Security) 3 topics : - Evaluate current standards and initiatives ; - Towards a shared vision on cyber security for smart car in the EU ; - Ensuring the security of embedded systems coming from new actors to the car industry P 11

12 ENISA recommendations : december 2015 European Union Agency for Network and Information Security P 12

13 How is automotive cybersecurity organised? Recommendations US-DOT NHTSA FTC DARPA Provide advice : - suppliers - national commission for data protection - national homologation unit - industry federation SAE EC-DGMOVE J3061 C-ITS platform WG5 Universities ENISA CaRSEC expert Group ERTRAC NIST ITU-T Observers : Consumers Road association Insurers Carmakers G7 ITS Provide cyber expertise : - IT & sec. compagnies - laboratories & institutes - startup Auto ISAC Law enforcement lab in ITS UNECE WP29 ISO / TC22 ETSI WG5 National network and information security agency ISA / IEC WG17 CENELEC / CSCG IEEE SCC42/TF1 Standardisation UNECE :United Nations Economic Commission for Europe EC-DGMOVE : European Community Directorate Gen Mobility and Transport ISO : International Organisation for Standardisation (WG TC22/SC32) ETSI : European Telecomm. Standards Institute (EN x) ENISA : European Union Agency for Network and Information Security NHTSA : US National Highway Transportation Safety Administration SAE : Society of Automotive Engineers Auto ISAC : Automotive Information Sharing Analysis Center Public authorities Ministry of homeland security Ministry of transportation Ministry of economy The parliament

14 Best practices : 7 key factors to obtain a robust security car 1/ Essential framework : resilience & security/privacy by design 2/ Need a best practice guideline (a goal based standard) and apply it 3/ Maintain relationships with third-party security technologists (research project and cyber intrusion tests) 4/ gathering intelligence in an auto ISAC 5/ detect intrusion and record evidence for forensic purposes 6/ combining cyber test in homologation EuroNCAP test 7/ transparency in the compliance with the above mentioned points 1/ to 5/ P 14

15 Thank you for your attention Oh my poor teddy bear, you too have been hacked! P 15