UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

Similar documents
Status report of TF-CS/OTA

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Final Report of TF-CS/OTA

Cloud Security Standards Supplier Survey. Version 1

Cloud Security Standards and Guidelines

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Cloud Security Standards

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Economic and Social Council

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Secure Access & SWIFT Customer Security Controls Framework

Information Security Controls Policy

IoT & SCADA Cyber Security Services

External Supplier Control Obligations. Cyber Security

NEN The Education Network

Advent IM Ltd ISO/IEC 27001:2013 vs

the SWIFT Customer Security

Cyber Security and Vehicle Diagnostics. Mark Zachos DG Technologies

Cyber risk management into the ISM Code

GUIDELINES ON MARITIME CYBER RISK MANAGEMENT

Network Security Policy

The Common Controls Framework BY ADOBE

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Submitted on behalf of the DOE National SCADA Test Bed. Jeff Dagle, PE Pacific Northwest National Laboratory (509)

ANATOMY OF AN ATTACK!

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

ITU activities on secure vehicle software updates

Cyber Security Requirements for Electronic Safety and Security

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

Security analysis and assessment of threats in European signalling systems?

13W-AutoSPIN Automotive Cybersecurity

MINIMUM SECURITY CONTROLS SUMMARY

Secure Software Update for ITS Communication Devices in ITU-T Standardization

HIPAA Regulatory Compliance

Information technology Security techniques Information security controls for the energy utility industry

General Data Protection Regulation

QuickBooks Online Security White Paper July 2017

A practical guide to IT security

SECURITY & PRIVACY DOCUMENTATION

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

WORKSHARE SECURITY OVERVIEW

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

ADIENT VENDOR SECURITY STANDARD

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected.

Practical Guide to Securing the SDLC

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Security+ SY0-501 Study Guide Table of Contents

Industrial Control System Security white paper

ISO/IEC TR TECHNICAL REPORT

Google Cloud & the General Data Protection Regulation (GDPR)

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity

Automotive Anomaly Monitors and Threat Analysis in the Cloud

PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

Internet of Things Security standards

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Security

K12 Cybersecurity Roadmap

RICOH Unified Communication System. Security White Paper (Ver. 3.5) RICOH Co., Ltd.

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

ISO/IEC TR TECHNICAL REPORT. Information technology Security techniques Information security management guidelines for financial services

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

WELCOME ISO/IEC 27001:2017 Information Briefing

Altius IT Policy Collection

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Cyber Security Program

SECURITY PRACTICES OVERVIEW

Just How Vulnerable is Your Safety System?

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Objectives of the Security Policy Project for the University of Cyprus

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

ST. VINCENT AND THE GRENADINES

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

Modicon M580 PAC. CSPN Security Target. Version

University of Pittsburgh Security Assessment Questionnaire (v1.7)

ASD CERTIFICATION REPORT

Security Management Models And Practices Feb 5, 2008

Information Security Policy

Maritime cyber risk management

MASP Chapter on Safety and Security

IC32E - Pre-Instructional Survey

CS 356 Operating System Security. Fall 2013

Information Technology General Control Review

ISO/IEC Information technology Security techniques Code of practice for information security management

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

Securing the future of mobility

NW NATURAL CYBER SECURITY 2016.JUNE.16

ITG. Information Security Management System Manual

BUSINESS CONTINUITY MANAGEMENT

Standard CIP Cyber Security Critical Cyber Asset Identification

Internet of Things Toolkit for Small and Medium Businesses

Education Network Security

Standard CIP Cyber Security Critical Cyber Asset Identification

GateHouse Logistics. GateHouse Logistics A/S Security Statement. Document Data. Release date: 7 August Number of pages: Version: 3.

Transcription:

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update) Koji NAKAO, NICT, Japan (Expert of UNECE WP29/TFCS)

General Flow of works in WP29/TFCS and OTA Data protection Cyber Security Software updates Legal aspects Security aspects Security aspects Type approval aspects Safety aspects out of scope Threat analysis preregistration postregistration Current Status Define mitigation principles Develop Develop flow diagram recommendation for safe execution Define approval method Develop guidance/recommendation for ITS/AD 2

Scope of Threats Assessment (Basic Model) In-Vehicle Environment Back- End Systems Communic ation Path Outside- Vehicle Environment Communication Paths Aftermarket Information Device On-board Information Device Power Management Control ECU Seat Belt Control ECU Driving Support ECU Parking Assist ECU Skid Control ECU etc., 3

Please confirm the Threats Table developed by WP29/TFCS This table can be shared with Q13/17. 4

Example of Threats table Category of Threats Mitigations Example of vulnerability or attack methodologies 5

Category of Threats Compromise of back-end server Internal Communication channels used to attack a vehicle Update process used to attack a vehicle Human factor and social engineering Compromise of external connectivity Target of an attack on a vehicle System design exploits (inadequate design and planning or lack of adaption) Data loss / "data leakage" from vehicle Physical manipulation of systems to enable an attack Vehicle used as a means to propagate an attack Communication loss to/from vehicle (potentially out of scope as not cyber security) 6

Example of vulnerability or attack methodology for Compromise of external connectivity 1. Manipulation of telematics (e.g. manipulate temperature measurement of sensitive goods, remotely unlock cargo doors) 2. Interference with short range wireless systems or sensors 3. Corrupted applications, or those with poor software security, used as a method to attack vehicle systems 4. External interfaces such as USB or other ports may be used as a point of attack, for example through code injection 5. Virus from infected media connected to system 6. Utilise diagnostic access (e.g. dongles in OBD port) to facilitate an attack, e.g. manipulate vehicle parameters (directly or indirectly) 7

Proposed Mitigations Mitigations 1. Access to files and data shall be authorized 2. Best practices for backend systems shall be followed (e.g. OWASP, ISO 27000 group) 3. Confidential data shall be encrypted 4. Cybersecurity best practices for software and hardware development shall be followed 5. Cybersecurity best practices shall be followed for storing private keys 6. Data protection best practices shall be followed for storing private and sensitive data. Data protection regulations of individual countries shall be adhered to. 7. Data shall be (end-to-end) authenticated and integrity protected 8. Internal messages shall contain a freshness value 9. Internal/Diagnostic messages shall be authenticated and integrity protected 10. Measures to detect intrusion are recommended 11. Measures to detect unauthorized privileged access are recommended 12. Measures to ensure the availability of data are recommended 13. Organizations shall ensure the defined security procedures are followed 14. Software and configuration shall be authenticated and integrity protected 15. The certification policy for V2X communication shall be followed. 16. V2X messages shall be Authenticated and Integrity protected 17. V2X messages shall contain a freshness value 18. V2X messages should be checked for plausibility 8

Part 1 Summary of the statements for security controls(1) 1. Security Controls shall be applied to back-end systems to minimise the risk of insider attack 2. Security Controls shall be applied to back-end systems to minimise unauthorised access 3. Where back-end servers are critical to the provision of services there are recovery measures in case of system outage 4. Security Controls shall be applied to minimise risks associated with cloud computing 5. Security Controls shall be applied to back-end systems to prevent data leakage 6. Systems shall implement security by design to minimise risks 7. Access control techniques and designs shall be applied to protect system data/code 8. Through system design and access control it should not be possible for unauthorised personnel to access personal or system critical data 9. Measures to prevent and detect unauthorized access are employed 10. Messages processed by a receiving vehicle shall be authenticated and integrity protected 11. Cybersecurity best practices shall be followed for storing private keys 12. Confidential data transmitted to or from the vehicle shall be protected 9

Part 1 Summary of the statements for security controls(2) 13. Measures to detect and recover from a denial of service attack shall be employed 14. Measures to protect systems against embedded viruses/malware are recommended 15. Measures to detect malicious internal messages are recommended 16. Secure software update procedures are employed 17. Cybersecurity best practices shall be followed for defining and controlling maintenance procedures 18. Cybersecurity best practices shall be followed for defining and controlling user roles and access privileges 19. Organizations shall ensure security procedures are defined and followed 20. Security controls are applied to systems that have remote access 21. Software shall be security assessed, authenticated and integrity protected 22. Security controls are applied to external interfaces 23. Cybersecurity best practices for software and hardware development shall be followed 24. Data protection best practices shall be followed for storing private and sensitive data 25. Systems should be designed to be resilient to attacks and respond appropriately when its defences or sensors fail 10

Part 2 Headline statements with example controls (1) 1) Security Controls shall be applied to back-end systems to minimise the risk of insider attack Ref: OWASP and ISO/IEC 27000 series. Controls may include: - Role based access controls ("need to know" principle, "separation of duties") and appropriate training for staff - Staff activity logging/ monitoring mechanisms - Security information and event management - Dual control principle Note: applies to threat examples 1, 5 OWASP: Open Web Application Security Project 11

Part 2 Headline statements with example controls (2) 2) Security Controls shall be applied to back-end systems to minimise unauthorised access Ref: OWASP and ISO/IEC 27000 series. Controls may include: - Securely configuring servers (e.g. system hardening) - Protections of external internet connections, including authentication/verification of messages received and provision of encrypted communication channels - Monitoring of server systems and communications - Manage the risks and security of cloud servers (if used) - Security information and event management Note: applies to threat examples 2, 7 12

Part 2 Headline statements with example controls (3) 3) Where back-end servers are critical to the provision of services there are recovery measures in case of system outage Example Security Controls can be found in OWASP and ISO/IEC 27000 series. Note: applies to threat examples 4, [34] 4) Security Controls shall be applied to minimise risks associated with cloud computing Ref: OWASP and ISO/IEC 27000 series, NCSC cloud computing guidance. Controls may include: - Monitoring of server systems - Managing the risks and security of cloud servers - Applying data minimisation techniques to reduce the impact should data be lost - Security information and event management Note: applies to threat example 6 13

Part 2 Headline statements with example controls (4) 5) Security Controls shall be applied to back-end systems to prevent data leakage Example Security Controls can be found in OWASP and ISO/IEC 27000 series. Controls may include: - Appropriate procedures for handling, transferring and disposing of data assets - Appropriate training for staff, especially those handling data assets - Applying data minimisation and purpose limitation techniques to reduce the impact should data be lost Note: applies to threat example 9 14

Part 2 Headline statements with example controls (5) 6) Systems shall implement security by design to minimise risks Controls may include: - Access control to vehicle files and data - Network segmentation and implementation of trust boundaries - System monitoring - Software testing - Active memory protection - Software integrity checking techniques - Hardening of e.g. operating system Note: applies to threat example 12 15

Part 2 Headline statements with example controls (6) 25) Systems should be designed to be resilient to attacks and respond appropriately when its defences or sensors fail Example security controls can be found in OWASP and ISO/IEC 27000 series. Controls may include: - Redundancy or back-ups designed in, in case of system outage - Security risks are assessed and managed appropriately and proportionately - Measures to ensure the availability of data are recommended - Safety critical systems are designed to fail safe - Systems to detect and respond to sensor spoofing Note: applies to threat examples [82, 83, 84, 85, 86] 16

Part 3 List of example controls identified (1) The follow are example controls identified. They are grouped into similar themes. The themes are given in italics. These themes have been created by the author as a means of identifying similar controls. Access control Establishing trust boundaries and access controls Apply least access principle to minimise risk. Role based access controls ("need to know" principle, "separation of duties") are established and applied Access control and read/write procedures established for vehicle files, systems and data. Access control rights established and implemented for remote systems to a vehicle Enforce Boundary Defences and Access Control between external interfaces and other vehicle systems Enforce Boundary Defences and Access Control between hosted software (apps) and other vehicle systems Dual control principle Multi factor authentication for applications involving root access 17

Part 3 List of example controls identified (2) Cryptographic key management Actively manage and protect cryptographic keys Effective key management and protection for any cryptography used Control of data held on vehicles and servers and communicated therefrom Implement appropriate data controls Apply data minimisation and purpose limitation techniques to reduce the impact should data be lost Data minimisation techniques applied to communications Establish a policy on the use of cryptographic controls for protection of information are developed and followed. This includes an identification of what data is held and the need to protect it. Secure storage of sensitive information Encrypt sensitive data and ensure keys are appropriately and securely managed Systems are designed so that end-users can efficiently and appropriately access, delete and manage their personal data Strict write permissions and authentication measures for updating/ accessing vehicle parameters Active memory protection Apply techniques to prevent fraudulent manipulation of critical system data Consider use of Hardware Security Module (HSM), tamper detection, and device authentication techniques to reduce vulnerabilities 18

Part 3 List of example controls identified (3) Device and application authentication Apply device authentication techniques Authentication of devices and equipment Device configurations to be verified Procedures established for what applications may be permitted, what they can do and under what conditions Controls for messages Message authentication and integrity checking Only allow a safe set of instructions to be passed to a vehicle Input validation for all messages Application based input validation (in terms of what kind of data/input the affected application is expecting) Authentication of data Check size of received data Consistency checks using other vehicle sensors (e.g. temperature, radar ) Employing rate limiting measures based on context Limiting and monitoring message content and protocols Setting acknowledgement messages for V2X messages (currently not standardised) Techniques to prevent replay attacks, such as timestamping and use of freshness values 19 Timestamping messages and setting expiration time for messages

Part 3 List of example controls identified (4) Software coding Organisations adopt secure coding practices Apply software testing and integrity checking techniques End of life considerations Appropriate procedures for handling, transferring and disposing of data assets Define measures to ensure secure deletion of user data in case of a change of ownership Training Specific cyber awareness and security training needs are identified for roles, especially those in the design and engineering functions, and then implemented There is a security programme defining procedures Appropriate training for staff, especially those handling data assets Appropriate training of maintenance staff Establish security development and maintenance process including e.g. review, cross-check and approval gateways 20

Part 3 List of example controls identified (5) Network design Avoid flat networks (apply defence in depth, isolation of components and network segregation) Network segmentation and implementation of trust boundaries Protections of external internet connections, including authentication/verification of messages received and provision of encrypted communication channels Sandboxing for protected execution of 3rd party software The use of combinations of gateways, firewalls, intrusion prevention or detection mechanisms, and monitoring are employed to defend systems Monitoring System monitoring for unexpected messages/behaviour Enacting proportionate physical protection and monitoring Monitoring of server systems and communications Systems to detect and respond to sensor spoofing Session management policies to avoid session hijacking Encryption of communication and software Encryption for communications containing sensitive data, including software updates Encryption of software code 21

Part 3 List of example controls identified (6) Controls for updates Secure communications used for updates Implement Cryptographic protection and signing of software updates Implement the use of configuration templates and policies Ensure configuration control and that it is possible to roll-back updates Version and timestamp and logging of updates Ensure the veracity of the update Establish secure update procedures, including configuration templates and policies for updates. Ensure configuration control and that it is possible to roll-back updates. Version and timestamp and logging of the update 22

Software Update (OTA) Requirements and interim solutions proposed in Paris for documentation - Pre-registration - Type approvals (extended or newly obtained) are linked to the Whole Vehicle Type Approval (WVTA). - Documented in the Certificate/Document of Conformity (CoC/DoC). - Requirement for both hardware and software information to be provided. - Post-registration - A transparent documentation of the modification is needed. - This can be achieved by an extension of the CoC/DoC of the vehicle detailing the changes - With such documentation, changes of the registration can be performed according to national processes. 23

General Flow of works in WP29/TFCS and OTA Data protection Cyber Security Software updates Legal aspects Security aspects Security aspects Type approval aspects Safety aspects out of scope Threat analysis preregistration postregistration Current Status Define mitigation principles Develop Develop flow diagram recommendation for safe execution Define approval method Develop guidance/recommendation for ITS/AD 24

Schedule for output from WP29/TF TF-CS/OTA is on track to deliver guidance papers/ recommendations on the issues of cyber security and software updates as planned by the end of 2017 Start drafting guidance papers/recommendation Finalize work ad hoc Threats2 April 2017 Webmeeting TFCS-06 13.-14.06.2017 Washington ad hoc S/W TAN 02 August 2017 Hamburg TFCS-08 11-12 Oct. 2017 Tokyo TFCS-10 December 2017 London (?) TFCS-05 10.-11.05.2017 Paris ad hoc Mitigations mid/end July Webmeeting TFCS-07 30-31 Aug. 2017 Netherlands TFCS-09 9-10 Nov. 2017 Geneva Cyber security threats (table) confirmed Finalize mitigations + S/W update process Current Status 25

Implement & use Security* Design Security* Maintain & improve Security* Monitor & review Security* 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback