Conquering Complexity: Addressing Security Challenges of the Connected Vehicle October 3, 2018 Securely Connecting People, Applications, and Devices
Ted Shorter Chief Technology Officer CSS Ted.Shorter@css-security.com www.css-security.com Conquering Complexity: Addressing Security Challenges of the Connected Vehicle October 3, 2018
The Promise of Connected Vehicles Vehicle maintenance Infotainment Telematics Accident avoidance Software-defined Vehicles 3
The Promise of Connected Vehicles Automation Car sharing Coordination Security becomes critical 4
The Challenge of Connected Vehicles 5 5
Securing Vehicles is Hard Attractive target Constrained platforms OEMs manage complex supply chains Multi-vendor Cost-sensitive Difficult to patch or update 6
Securing Vehicles is Hard Long design times 5 years Long life spans 15-20 year life expectancy Average age of vehicles on the road: 11.6 years Safety comes first 7
Complexity is the Enemy of Security Components per vehicle: ~1800 80-150 ECUs per vehicle Hundreds of suppliers 8
Lines of Code Source: informationisbeautiful.net 9
CAN Bus and OBD-II CAN designed in 1983 No security built in design OBD mandated in 1996 Universal access to on-board diagnostics 10
Right to Repair Dealer repair 3rd-Party Mechanic repair Owner repair Upgrades and aftermarket CY2015 Automotive aftermarket: $450 Billion* *Source: Global Market Insights.com 11
Authentication and Authorization Roles Authentication & Authorization in the Enterprise: Subjects Roles Resources Assignment Permission (membership) (e.g., Read, Write) Application Administrators Application Users Application App Owners Business Units Data Data Data 12
Authentication and Authorization Roles Authentication & Authorization in the Vehicle: Manufacturer Engine Dealer Networks Owner* Infotainment Mechanic Dashboard Passenger* Rentee Vehicle ECUs Renter V2V Braking Telematics Suspension Firmware Steering 13
Crypto Agility The algorithms and keys we use today will not be secure in the future Constrained devices are not immune to this fact Know what you have: End-entity certificates and keys Roots of Trust Plan for algorithm end-of-life updatability 14
So, what now? Best Practices Still Apply Existing Technologies, Used in New Ways Defense in Depth Fail Safely (and Securely) Least Privilege Separation of Duties Segmentation / Multi-Bus / Firewalls Over-the-Air Updates Code Signing PKI / Digital Certificates Certificate & Key Management TCP/IP Federation Encryption Hardware Key Storage (TPM,HSM) RADIUS 15
Industry Groups Standards and Regulation are inevitable SAE (Society of Automotive Engineers) ISO (International Standards Organization) IEEE (Institute of Electronics Engineers) NIST / AIAG (Automotive Industry Action Group) Auto-ISAC (Automotive Information Sharing and Analysis Center) CAMP (Crash Avoidance Metrics Partners) 16
V2X Vehicle-to-Vehicle Vehicle-to-Infrastructure First pilots in 2012 Live in some vehicles today 17
In Summary The first step is knowing you have a problem IoT Security is hard; automotive security is harder Change is coming, but it will take time Regulation and Standards are also coming 18
Thank you! For more information on certificate management software, PKI managed services, or PKI professional services at CSS, please visit us at: www.css-security.com. Ted Shorter, Chief Technology Officer Certified Security Solutions, Inc. Email: Ted.Shorter@css-security.com Direct: (216) 785-2970 Follow us on As the market leader in enterprise and IoT digital identity security for data, devices and applications, CSS is a cyber security company that builds and supports platforms to enable secure commerce for global businesses connected to the Internet. Headquartered in Cleveland, Ohio, with operations throughout North America, CSS is at the forefront of delivering innovative software products and SaaS solutions that are secure, scalable, economical and easy to integrate into any business. All Rights Reserved.