Secure Product Design Lifecycle for Connected Vehicles

Similar documents
The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Certified Information Security Manager (CISM) Course Overview

What It Takes to be a CISO in 2017

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Security

Cyber Security on Commercial Airplanes

Cybersecurity in Higher Ed

CYBER SECURITY AIR TRANSPORT IT SUMMIT

Innovation policy for Industry 4.0

NYDFS Cybersecurity Regulations

Cyber Risks in the Boardroom Conference

Twilio cloud communications SECURITY

MASP Chapter on Safety and Security

Cyber Insurance: What is your bank doing to manage risk? presented by

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Security and Architecture SUZANNE GRAHAM

Designing and Building a Cybersecurity Program

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SECURING THE CONNECTED ENTERPRISE.

Cyber Criminal Methods & Prevention Techniques. By

Ransomware A case study of the impact, recovery and remediation events

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Managing Cybersecurity Risk

Business continuity management and cyber resiliency

locuz.com SOC Services

Cyber Attacks & Breaches It s not if, it s When

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

Connected Medical Devices

CCISO Blueprint v1. EC-Council

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

Internet of Things Toolkit for Small and Medium Businesses

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

Canada Life Cyber Security Statement 2018

The NIST Cybersecurity Framework

align security instill confidence

How to Prepare a Response to Cyber Attack for a Multinational Company.

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

13W-AutoSPIN Automotive Cybersecurity

Safeguarding company from cyber-crimes and other technology scams ASSOCHAM

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Transformation in Technology Barbara Duck Chief Information Officer. Investor Day 2018

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

Securing the future of mobility

THE POWER OF TECH-SAVVY BOARDS:

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

WHITE PAPER. Title. Managed Services for SAS Technology

Security Audit What Why

Cybersecurity Auditing in an Unsecure World

Seagate Supply Chain Standards and Operational Systems

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Cybersecurity Engineering and Assurance for Connected and Automated Vehicles

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Cyber Security Technologies

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

LBI Public Information. Please consider the impact to the environment before printing this.

Securing the Cloud Today: How do we get there?

Bringing Cybersecurity to the Boardroom Bret Arsenault

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Cybersecurity Risk Oversight: the NIST Framework and EU approaches

Cybersecurity. Securely enabling transformation and change

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Cybersecurity Overview

LESSONS LEARNED IN SMART GRID CYBER SECURITY

Security Incident Management in Microsoft Dynamics 365

NERC Staff Organization Chart Budget 2019

Jeff Wilbur VP Marketing Iconix

Building a Resilient Security Posture for Effective Breach Prevention

Defense in Depth Security in the Enterprise

Development of Intrusion Detection System for vehicle CAN bus cyber security

Angela McKay Director, Government Security Policy and Strategy Microsoft

Cybersecurity Survey Results

IoT & SCADA Cyber Security Services

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

112 th Annual Conference May 6-9, 2018 St. Louis, Missouri

Automotive Anomaly Monitors and Threat Analysis in the Cloud

Verizon Software Defined Perimeter (SDP).

Oracle Data Cloud ( ODC ) Inbound Security Policies

Cybersecurity Today Avoid Becoming a News Headline

Cybersecurity and Data Protection Developments

Position Title: IT Security Specialist

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Bradford J. Willke. 19 September 2007

EMPOWER PEOPLE IMPROVE LIVES INSPIRE SUCCESS

INTELLIGENCE DRIVEN GRC FOR SECURITY

NERC Staff Organization Chart Budget 2019

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

NW NATURAL CYBER SECURITY 2016.JUNE.16

Keys to a more secure data environment

Transcription:

Secure Product Design Lifecycle for Connected Vehicles Lisa Boran Vehicle Cybersecurity Manager, Ford Motor Company SAE J3061 Chair SAE/ISO Cybersecurity Engineering Chair

AGENDA Cybersecurity Standards Awareness Vehicle Complexity Holistic Cybersecurity Approach External Engagement 2

Automotive Cybersecurity Activity (Not Exhaustive) Widespread Interest In Automotive Cybersecurity Development 3

Vehicle was Self Contained Past Vehicle Design Emphasis was on Engine Design, Comfort and Chassis and Security Primarily Revolved Around Vehicle Theft, Odo Tampering & Chip Tuning 4

Areas of Potential Cybersecurity Vulnerabilities Private Clouds Public Clouds Wireless Communications Roadside Networks Brought-In Device Communications Onboard Diagnostic Interface Embedded Computers on Local Vehicle Network Vehicle to Vehicle (V2V) Vehicle to Infrastructure (V2I) Vehicle to Grid Sensors/Cameras/ Microphones Security Measures In Place That Align With Industry Best Practices To Help Protect Current and Future Technologies 5

Connectivity and Complexity Explosion 3 rd Party Connected Services 15 16 1 2 3 Mobile Brought-in Connectivity 4 10 9 OEM Connected Services 5 11 GNSS Antenna Beamed-in Connectivity 7 14 13 12 6 17 8 Built-in Connectivity Interconnectivity And Increased Hacker Capability Makes Vehicles Potential Targets for Attack 6

Importance of Designing Security Upfront Loss of function or denial of service impacts Safety Vehicle theft Customer dissatisfaction Loss of privacy Unauthorized personal information obtained Unauthorized vehicle tracking Impact to reputation and integrity Financial loss Warranty Loss of sales Unauthorized access to features/functions Higher insurance costs to the customers Fraudulent commercial transactions Theft of intellectual property Safety And Security Are Important To Our Customers 7

Business Drivers Innovation Customer Expectations Holistic Cybersecurity Approach Organization (People, Process, Technology) Risk Management Policies & Standards, Governance Continuous Improvement Of Internal Cyber Security Processes and Tools Secure Vehicle Design (e.g. HW, SW, Data, Networks, Access Control Security) Secure Vehicle Production (e.g. Supply Chain Management, Service) Secure Vehicle Operation (e.g. Infrastructure Vehicle Assembly) New and Emerging Requirements Internal Requirements & Processes Regulations Assess ---- Test ---- Address Monitor and Report 8

Secure Design Proof of Security Due Diligence Self Attestation 9

Risk Categories Enterprise Impact (E.I.) Functional Safety (F.S.) Privacy (P.I.I.) Connectivity/ Access (C) Helps Manage Priority And Resource Allocation 10

Security Controls Toolbox (Not Exhaustive) Security control needs to be a Defense-in-Depth Layered Technique involving a suite of controls. There are a number of potential tools in the security controls toolbox: Firewalls Authorization / Authentication mechanisms Gateways / Network separation Secure data storage/ Secure hardware Intrusion Detection/Prevention Secure Data Transport Encryption Packaging/Tamper Proofing Access Control Memory Management Secure SW Coding/OS No one is a complete answer, each potential tool has benefits and limitations. Controls Are Applicable Within Context. Several Different Tools Are Required To Obtain The Appropriate Controls. 11

Building A Cybersecurity Culture Secure Process and Planning Testing Supply Chain Mgmt. Auditing PII Policy Security Statement of Work Vehicle Assessments Supplier Audits Incident Requirements/ Specifications Security Attribute Meetings Governance Governance Management Engagements Analysis Past Vehicle Design Emphasis was on Engine Design, Comfort and Chassis and / Policy / Security Primarily Revolved Around Vehicle Security Theft, Odo Tampering NHTSA & Chip Tuning Business Privacy Design Security Budget Security Capability Study Insurance Witness Testing Governance Technical Design Reviews Compliance Tracking Regulatory Witness Testing Public Disclosure Program Capability Study Risk Management Self-Attestation Product Development Process Integration Application/ Infrastructure Code Reviews Regulatory Compliance External Auto ISAC Benchmarking Red Team Threat Modeling & Analysis Bug Bounty Program Static Code Verification Plans Comms / Reporting Escalation Field Monitoring Cyber Security Training Dealer Awareness Training Threat Intelligence User Notification Fuzz Testing 12

Incident Management Field Monitoring Triage Inputs Determine Validity and Priority Product Team to Determine Impact, Containment, Recovery & Remediation Present to Appropriate Review Board Communication/Reporting A Well Documented Incident Response Plan 13

Cybersecurity Workforce In Vehicle Cyber Security Teams Threat Analysis & Risk Assessment Backend IT Security Cyber Intelligence/ Defense Gov t Affairs / Public Relations PD Teams Red Team Safety Office/ Legal Incident Assessment Team Security Governance Data Monitoring 14

External Engagement Industry Research Consortia Security Supply Base Government Involvement University Collaborations Information Sharing Standards Development 15

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback