Automotive Anomaly Monitors and Threat Analysis in the Cloud

Similar documents
PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

Automotive Security: Challenges, Standards and Solutions. Alexander Much 12 October 2017

How Security Mechanisms Can Protect Cars Against Hackers. Christoph Dietachmayr, CIS Solution Manager EB USA Techday, Dec.

SIMPLIFYING THE CAR. Helix chassis. Helix chassis. Helix chassis WIND RIVER HELIX CHASSIS WIND RIVER HELIX DRIVE WIND RIVER HELIX CARSYNC

SW-Update. Thomas Fleischmann June 5 th 2015

Trusted Platform Modules Automotive applications and differentiation from HSM

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

Cyber Security and Vehicle Diagnostics. Mark Zachos DG Technologies

Offense & Defense in IoT World. Samuel Lv Keen Security Lab, Tencent

Automotive Gateway: A Key Component to Securing the Connected Car

Automotive Cybersecurity: A steep learning curve

Conquering Complexity: Addressing Security Challenges of the Connected Vehicle

Countermeasures against Cyber-attacks

Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

ARM processors driving automotive innovation

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

KPIT S Connected Vehicle Practice

Context-aware Automotive Intrusion Detection

Smart Antennas and Hypervisor: Enabling Secure Convergence. July 5, 2017

Automotive Cyber Security

Securing the future of mobility

Secure Product Design Lifecycle for Connected Vehicles

Cyber security of automated vehicles

10 th AUTOSAR Open Conference

Security Concerns in Automotive Systems. James Martin

Securing the Autonomous Automobile

13W-AutoSPIN Automotive Cybersecurity

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

Security for Connected/Autonomous Car

Turbocharging Connectivity Beyond Cellular

Development of Intrusion Detection System for vehicle CAN bus cyber security

The Remote Exploitation of Unaltered Passenger Vehicles Revisited. 20 th October 2016 Mark Pitchford, Technical Manager, EMEA

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

Mentor Automotive. Vehicle Network Design to meet the needs of ADAS and Autonomous Driving

Preventing External Connected Devices From Compromising Vehicle Systems Vector Congress November 7, 2017 Novi, MI

Preventing Cyber Attacks on Aftermarket Connectivity Solutions Zach Blumenstein, BD Director Argus Cyber Security

MIGRATING TO CAN FD. Tony Adamson. Marketing Director CAN / LIN / FlexRay

Designing a software framework for automated driving. Dr.-Ing. Sebastian Ohl, 2017 October 12 th

Cyber security mechanisms for connected vehicles

Future Implications for the Vehicle When Considering the Internet of Things (IoT)

Virtual Hardware ECU How to Significantly Increase Your Testing Throughput!

Security Challenges with ITS : A law enforcement view

Scalable and Flexible Software Platforms for High-Performance ECUs. Christoph Dietachmayr Sr. Engineering Manager, Elektrobit November 8, 2018

Autorama, Connecting Your Car to

IOT FLAGSHIP PROJECT. Dr. Mario Drobics, AIT

Examining future priorities for cyber security management

TechPaper. Over-the-air updates what advantages does the AUTOSAR Adaptive Platform offer?

Diagnostic Trends 2017 An Overview

Vehicle To Android Communication Mode

Monitoring and Managing IIoT Security

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

OTA and Remote Diagnostics

NC1701 ENHANCED VEHICLE COMMUNICATIONS CONTROLLER

Efficient testing of ECUs despite Security

Vehicle Connectivity in Intelligent Transport Systems: Today and Future Prof. Dr. Ece Güran Schmidt - Middle East Technical University

Mentor Automotive Save Energy with Embedded Software! Andrew Patterson Presented to CENEX 14 th September 2016

Embedded Automotive Systems Security:

An Experimental Analysis of the SAE J1939 Standard

Cybersecurity for Automobiles: BlackBerry s 7-Pillar Recommendation

Connected Car Solutions Based on IoT

Experimental Security Analysis of a Modern Automobile

Automotive Security: Challenges and Solutions

Securing Software Updates for IoT Devices with TUF and Uptane. Ricardo Salveti Principal Engineer

Using a Certified Hypervisor to Secure V2X communication

How to protect Automotive systems with ARM Security Architecture

Functional Safety and Cyber-Security Experiences and Trends

Security of Embedded Hardware Systems Insight into Attacks and Protection of IoT Devices

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Open Source in Automotive Infotainment

Building Trust in the Internet of Things

Securing IoT with the ARM mbed ecosystem

Automotive Security An Overview of Standardization in AUTOSAR

Connect Vehicles: A Security Throwback

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

STW s Connectivity Solution for Mobile Equipment: The Vehicle Data System (VDS) and VDS-Remote (VDS-R) 31 July 2009, STW, Norcross, Bob Geiger

Automotive OTA The potential and the challenge

November 16, TTTech Computertechnik AG / TTTech Auto AG Copyright TTTech Auto AG. All rights reserved


Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations

Cybersecurity Solutions for Connected Vehicles

1000BASE-T1 from Standard to Series Production

IC32E - Pre-Instructional Survey

THE RTOS AS THE ENGINE POWERING THE INTERNET OF THINGS

Addressing Future Challenges in the Development of Safe and Secure Software Components The MathWorks, Inc. 1

Automotive Security through New Communication Lockdown Utilizing Programmable Logic Solutions

Market Trends and Challenges in Vehicle Security

Automotive Cybersecurity: Why is it so Difficult? Steven W. Dellenback, Ph.D. Vice President R&D Intelligent Systems Division

VEHICLE FORENSICS. Infotainment & Telematics Systems. Berla Corporation Copyright 2015 by Berla. All Rights Reserved.

IS CAR HACKING OVER? AUTOSAR SECURE ONBOARD COMMUNICATION

SentinelOne Technical Brief

Ido Sarig, General Manager, IOT Solutions Group DELIVERING END-TO-END INTELLIGENCE FOR THE INTERNET OF THINGS

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University

Autonomous Driving From Fail-Safe to Fail-Operational Systems

Riccardo Mariani, Intel Fellow, IOTG SEG, Chief Functional Safety Technologist

Agenda. About TRL. What is the issue? Security Analysis. Consequences of a Cyber attack. Concluding remarks. Page 2

M2MD Communications Gateway: fast, secure, efficient

Identity-Based Cyber Defense. March 2017

K12 Cybersecurity Roadmap

AUTOSAR proofs to be THE automotive software platform for intelligent mobility

Towards Trustworthy Internet of Things for Mission-Critical Applications. Arjmand Samuel, Ph.D. Microsoft Azure - Internet of Things

Transcription:

Automotive Anomaly Monitors and Threat Analysis in the Cloud Dr. André Weimerskirch Vector Automotive Cyber Security Symposium October 12, 2017

Cybersecurity Components Secure Internal & External Communications 1 Block access to vehicle networks (Firewall) 2 Isolate security sensitive ECUs via gateway 3 Authenticate and/or encrypt comm. Remote Updates and Analytics 1 Record and maintain history 2 Cloud-based analytics 3 OTA security updates Information Sharing 1 Auto-ISAC and information monitoring 2 Incident response 3 Monitoring throughout product lifecycle Protect Computing Platform 1 Secure microcontroller (e.g. HSM) 2 Secure boot and hypervisor Secure environment & 3 integrity monitoring Development Process 1 Secure development and production processes 2 Threat analysis & penetration testing 3 Industry standards (e.g. SAE J3061) Monitor Vehicle Network and ECUs 1 Monitor and protect ECU computing platforms 2 Anomaly detection & prevention of in-vehicle network 3 Plausibility checks of content 2

Multi-Layered Cybersecurity Architecture Cell Phone Cloud Computing V2V / V2I Security Architecture & Integration Secure Phone Environment Secure Virtual Car Key Security Operations Center Threat Analytics SOTA backend Secure Development Process Testing and Validation Over-The-Air Software Architecture Modular Security Architecture Connectivity and Gateway Experts Automotive Software Integration Expertise Keyless and Passive Entry Systems Battery Charging Systems Vehicle Security Services Software Over-The-Air (SOTA) Updates Anomaly Management and Reporting Secure Environment Management & Reporting CAN & Ethernet Network Traffic Wireless Communication Security Secure Server Communications / TLS V2X IEEE 1609.2 WiFi WPA2 Vehicle Network Security (Gateway) CAN Anomaly Detection (SOTA Supported) Dynamic Firewall (SOTA supported) Network Isolation from External Interfaces Secure CAN / Ethernet Bluetooth Security Security Protocol for Virtual Car Key Hypervisor Secure Boot ECU Platform Security Hardened OS Secure Environment Wireless Charging 3

Firewall Applications Applications Applications Firewall Secure Computing Platforms Separation and Protection Secure Platform Run s on separate micro if legacy vehicle protocols needed (e.g. CAN) or for security purposes Secure boot Hardened OS Separation Hypervisor Separate uc Secure Communication Interface firewall/filter Vehicle Buses Vehicle VM Adaptive AutoSar Vehicle Abstraction API Network Anomaly Detection Power Mgmt Flasher Security VM Linux Certificate Mgmt Crypto Secure Logging VM or LXC VM or LXC VM or LXC Application VM s Safety Applications ETSI DENM, CAM Vehicle Abstraction API CarKey API Event Mgr. System Monitor V2X/V2I Traffic Efficiency LDM Cell Talker Bluetooth Diagnostics GPS- MON Linux VM Infotainment US Standard BSM-I, BSM-II, SPaT, MAP, TIM Web Server WiFI AP/Client IDS Service API s Log & Trace OTA (DM & Policy) ecall 4G cellular V2V/ V2I GPS WiFi Secure CAN / Ethernet Secure Boot Secure Boot Secure Boot FOTA to fix security flaws Hypervisor / Software Container Secure Boot 4

Monitors 1. Network anomaly detection smart filtering Intelligent monitoring 2. ECU monitors (control flow, whitelist of executables, hardware monitors,...) 3. Content monitor (plausibility) 5

Network and ECU Monitor Protect computing platforms and network architecture in vehicle Smart firewall Network separation Prevent 3 Run threat analysis in backend/cloud Secure CAN/Ethernet Secure platform 2 Detect and report anomalies 4 Push updated firmware to vehicle Modules in vehicle run local monitors Network monitor ECU monitor Content monitor Monitor and detect OBD2 / interfaces Gateway Network Monitor ECU Monitor 1 Telematics Secure platform & network ECU ECU ECU Run analysis in cloud Update software React and continously improve This loop will continously improve the defense capabilities 6

Network Anomaly Detection Systems In-vehicle anomaly detection systems (ADS) monitor the onboard communication bus (e.g. CAN and Ethernet) to detect anomalous messages. Attackers will try to inject malicious messages to modify vehicle s behavior (e.g. by a local or remote attack). Anomalous on-board messages are an indication of an anomalous event. Sensor defect Cyber attack It seems there are two levels of anomaly detection: 1. All deterministic, or highly reliable mechanisms, should be incorporated in a Smart Firewall. Anomalies are discarded. 2. Non-deterministic and statistical methods are usually used for intelligent monitoring. These messages are only flagged. #1 is clearly needed and usually deployed in a central gateway. #2 covers prognostics, monitors all anomalies, and might be needed to detect advanced, context related attacks. ADS sends reports about anomalies to a Security Operations Center (SOC) in the cloud where they are analyzed. 7

Network ADS: Lear/Honeywell Architecture Used for prognostics and cybersecurity Event enrichment Event classification Event aggregation and correlation Live threat dashboard Priority assignment Case reports Periodic reports ISAC interface 8

Network ADS: Lear/Honeywell Demonstrator 1. Attack 2. Observe 3. Monitor and Detect 4. Mitigate via OTA 5. Verify OTA action 6. Block further attack Secured! 9

ECU Monitor ECU Monitor components include: Secure Environment OS & Application Logs Self-tests DTCs Secure Environment extends secure boot and validates the integrity of the computing environment during run-time. Whitelists of binaries Software attestation Control flow integrity Secure Environment mechanisms detect an attack and can react based on a policy to restart suspected processes, restrict features, or reboot an entire platform. Upon detection, the ECU Monitor sends reports about anomalies to a Security Operations Center (SOC) in the cloud where they are analyzed. 10

ECU Monitor: Lear Demonstrator 1. Attack 2. Monitor and block attack 3. Secured! 11

Content Monitor: Prerequisite It is likely that the input of exposed interfaces will be used by in-vehicle control applications: Lidar/radar/... V2X/802.11p/pWLAN Slow-down on curves Exposed interfaces must be separated from ADAS/powertrain via firewall/filter, e.g., located in a gateway The gateway will filter all direct attacks, e.g., attacks that inject forged messages to impact the powertrain. This will avoid that a successful hacker can inject control commands. ADAS ADAS Gateway Powertrain Conn. Gateway Interface ADAS Connected Gateway Interface Telematics Interface Powertrain Powertrain 12

Content Monitor So, the attacker can still inject valid messages with forged content to mislead the receiver control application. It seems hard to deploy an application context firewall in the gateway Need a plausibility check in each relevant ECU and/or application Resilient applications are required that can handle false content input Plausibility checks are necessary to support cybersecurity Redundancy: different sensor types (e.g., camera and radar) or different sensors (e.g., two wheel speed sensors) can provide redundant input Redundancy II: different implementations can provide redundant input Logical tests: based on physical properties... Upon detection, the Content Monitor sends reports about anomalies to a Security Operations Center (SOC) in the cloud where they are analyzed. 13

Next Step: System Integration ECU 1 Content Plausibility Monitor ECU Monitor Gateway / Domain Controller Security Operations Center ECU n... Combine Software Over-the-Air Content Plausibility Monitor ECU Monitor ECU Monitor Network ADS 14

Next Big Step: Resilient Architecture Local Reaction Use monitors to detect anomalies. If monitor detection confidence level is deterministic or above a certain threshold (99.9...9%), then there is the possibility to react Network anomaly detection: Smart filtering in a central gateway to discard malicious packets Upon discarding messages, gateway could trigger turning-off external communication completely, or switch to a stricter firewall filter ECU monitor: Upon any alarm, could kill virtual machines, processes, interfaces, etc. Then jump to a fail-operational software module Content monitor: Jump to fail-safe or fail-operational mode 15

Conclusions A variety of security mechanisms is available today to protect vehicle architectures. The next step is to use monitors: 1. Network anomaly detection smart filtering Intelligent monitoring 2. ECU monitors (control flow, whitelist of executables, hardware monitors,...) 3. Content plausibility monitor Each monitor also allows prevention, if it can deterministically detect at real-time in the vehicle Monitoring can be used to support a resilient architecture by detecting an attack and jumping to a fail-operational mode 16

Contact Dr. André Weimerskirch VP Cyber Security Lear Corporation Ann Arbor, Michigan, USA Email: aweimerskirch@lear.com 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback