Guidelines for Vehicle Cyber Security
Hiro Onishi
Alpine Electronics Research of America, Inc.
honishi@alpine-la.com
© 2013 Alpine Electronics, Inc. Not for commercial distribution.

INDEX
1. Cyber-Physical System Risks
2. Vehicle Cyber Risks
   - Vulnerabilities in maintaining vehicle cyber security
3. Vehicle Cyber Security Approaches
   - Risk analysis
   - Concept of system security
4. Vehicle Cyber Security Guidelines
   - European project “EVITA”
   - Japanese agency (IPA)’s guide
   - SAE committee’s approach

1. Risks for Cyber-Physical System – Case 1
Davis-Besse Nuclear Plant, Ohio (Jan. 25, ’03)
16:00: Noticed network slow down
16:50: Safety Parameter Display System (SPDS) crashed
17:13: Plant process computer crashed (had analog backup)
Reference: Edward Fok. (Dec. 7, ’11) “Introduction to Cyber Security Issues for Transportation” [Web seminar]

1. Risks for Cyber-Physical System – Case 2
Airplane manipulation (Apr. ’13, US)
+ Security consultants pointed out: They were able to manipulate airplane’s navigation system with android application *.
+ 4 days later, Dept. of Transportation denied the possibility **.
Reference:

1. Risks for Cyber-Physical System – Case 3
Lodz, Poland (Jan. ’08)
4 light rail trams derailed, 12 people injured
Tool used: Converted television IR remote
Exploit: Locks that disable track changes while a vehicle is present were not installed
Reference: Edward Fok. (Dec. 7, ’11) “Introduction to Cyber Security Issues for Transportation” [Web seminar]
Pictures: Courtesy of EUROPICS

1. Cyber-Physical System Risks
Currently, “Cyber-physical system risks” can be a serious social concern, as they may impact the following:
+ (Nuclear / chemical) plants
+ Military facilities and weapons
+ Government facilities and systems
+ Transportation (Trains, Airplanes, Vehicles, Ships, etc)
+ Utilities (Electric-grid, Water-line, etc)
+ Finance (ATM, Ticket machines, etc)
+ Medical / Health related equipment and others

2. Vehicle Cyber Risks
Vehicles can be targets of cyber attacks, because …
+ Vehicles can be used to inflict serious bodily injury
+ Vehicles are high value items
+ Vehicles are frequently parked in un-secured locations
+ Vehicle could be targeted for anti-social activity (ex. terrorism)
  ← Stop/control massive number of vehicles
  ← Cause massive panic through false information
References:
~ A. Weimerskirch, “Do Vehicles Need Data Security?” SAE World Congress, Detroit, MI, Apr. ’11
~ Information-Technology Promotion Agency. (Apr. ’11) “Movements of Vehicle Cyber Security”, (Japanese)

2. Vehicle Cyber Risks
[Figure: electronics-based vehicle functions – ABS, Air Bag, Navigation, Telematics, ACC, V2I communication, V2V communication, Cruise control, Car Telephone, Emergency call, LDW, Autonomous driving]
Modern cars can come with up to 80 CPUs, 2 miles of cable, several hundred MB of software, and 5 in-vehicle networks.
→ “Vehicle” is NO longer just a “Mechanical System”
Reference: A. Weimerskirch, ESCRYPT, “Security Considerations for Connected Vehicles”

2. Vehicle Cyber Risks
[Figure: Internet, Smart-phone, Hacker, Computer and Music-player connected to the vehicle]
Virus or malware carried in smart-phones or music-players can easily invade automotive electronics

2. Vehicle Cyber Risks
Special risks
CASE-1: Vehicles are only able to communicate externally through mobile phones
[Figure: Base station – Mobile phone – Vehicle]
CASE-2: Communication for crash-avoidance → Limited time (100ms order)
[Figure: Vehicle-A]

2. Cyber Risks for Vehicle
Additional vulnerabilities, compared to computer/internet security.
VULNERABILITY 1: Limited vehicle external connectivity
→ Difficulty in updating security software
→ Difficulty in monitoring automotive electronics status
VULNERABILITY 2: Limited computational performance, due to high endurance and long vehicle life-cycle (10 years)
→ Vulnerability to compete against hacker’s PC
VULNERABILITY 3: Real-time operation
VULNERABILITY 4: Vehicle consists of various components/parts.
→ Large industry pyramid from suppliers to OEM (OEM – Tier-1 – Tier-2 – Parts suppliers)
VULNERABILITY 5: Unpredictable attack scenarios and threats
VULNERABILITY 6: Hazard to drivers’ and passengers’ lives
References:
~ Information-Technology Promotion Agency (of Japanese government). (Apr. ’11) “’10 report: Movements of Vehicle Cyber-security”, (Japanese)
~ A. Weimerskirch, “Security Considerations for Connected Vehicles”, in SAE Government and Industry Meeting, Washington DC, Jan. ’12
~ P. Kleberger, T. Olovsson and E. Jonsson, "Security aspects of the in-vehicle network in the connected

3. Vehicle Cyber Security Approaches
Additional complicated vulnerabilities, compared to computer/internet security
Industry expects both ‘proper guidelines’ & ‘competitive approaches’.
To define proper guidelines, well-defined risk-analysis is required.

3. Vehicle Cyber Security Approaches
Proper security requires well-defined risk analysis.
Vehicle cyber security is vulnerable, but Risk ≠ Vulnerability
Risk = function (Vulnerability, Hackers’ motivation/skills, Hazard)
Inputs:
Vulnerability: Vulnerability of system security
Hackers’ motivation/skills: ← Adversary ROI ← Investment / risk / return
Hazard: Magnitude of hazards, when security is compromised.

3. Vehicle Cyber Security Approaches
Risk-analysis: Hackers’ motivations/skills

Type      | Aims                                 | Approaches                                                                                            | Target (potential)        | Hacker Type         | Skill
----------|--------------------------------------|-------------------------------------------------------------------------------------------------------|---------------------------|---------------------|------------
Classic   | Financial                            | Steal vehicle, components or parts                                                                    | Vehicle, Components/parts | Individual, Group   | Low, Medium
Classic   | Financial, Harm to individual        | Acquire driving log or history and physically attack drivers or steal/damage drivers’ property        | Driver, Driver’s property | Individual, Group   | Medium
New types | Harm to individual                   | Manipulate single or small number of vehicles to cause (severe) accidents                             | Driver                    | Individual, Group   | Medium, High
New types | Damage to community (i.e. terrorism) | Manipulate large number of (e.g. police) vehicles to cause (severe) accidents and damage to community | Community                 | Group, Organization | High

+ In general, the person who invents a tool to break security possesses much higher skills than the person who is only using the tool.
  → e.g.: the case of “immobilizer cutter”
+ Inside hackers possess deeper knowledge about the security mechanism.
References:
~ A. Weimerskirch, “Do Vehicles Need Data Security?” SAE World Congress, Detroit, MI, Apr. ’11

3. Vehicle Cyber Security Approaches
Risk-analysis: Hazard assessment – ISO 26262 (Automotive Functional Safety)
Sample of hazard assessment – ‘Vehicle center console’

Functions                      | Sample Malfunctions                                                     | Exposure | Controllability | Severity | ASIL
-------------------------------|-------------------------------------------------------------------------|----------|-----------------|----------|-----
CD/DVD control                 | CD/DVD is not working                                                   | E3       | C1              | S1       | QM
Emergency Call                 | Emergency call is not placed at accident                                | E1       | C3              | S3       | A
Navigation                     | Erroneous guidance, e.g. opposite direction on freeway                  | E2       | C2              | S3       | A
* Rearview camera (Monitoring) | When backing up, image of rear view camera freezes (shows old image)    | E3       | C3              | S3       | C
Air conditioner control        | Heater is not working during the winter in Canada                       | E3       | C2              | S2       | A
Turn signal in cluster panel   | Shows signal activation in cluster, though actual signal is not working | E1       | C2              | S3       | QM
** Power window                | Unwanted window closing                                                 | E2       | C2              | S3       | A
Air bag                        | Fault activation during driving                                         | E4       | C3              | S3       | D

References:
*: H. Onishi, “Approach for Vehicle Cyber Security with Functional Safety Concept”, in SAE World Congress, Detroit, MI, Apr. ’13
**: R. Hamann et al., “ISO 26262 Release Just Ahead: Remaining Problems and Proposals for Solutions"

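The hazard assessment above rates each malfunction by Exposure (E), Controllability (C) and Severity (S) and reads the ASIL off the ISO 26262-3 determination table. The following Python is an added example, not code from the slides or from ISO 26262: it encodes that table, re-derives the ASIL for each sample row transcribed from the slide, and flags any row whose claimed rating disagrees with the table. The function names (asil, check_assessment, highest_asil) are this example's own.

```python
"""Added example: ISO 26262-3 ASIL determination from E/C/S classes,
applied to the center-console hazard sample from the slide above."""
from typing import Dict, List, Tuple

# ISO 26262-3 ASIL determination table: _TABLE[S][E] lists the ASIL for
# controllability classes C1, C2, C3 in that order.
_TABLE: Dict[str, Dict[str, Tuple[str, str, str]]] = {
    "S1": {"E1": ("QM", "QM", "QM"), "E2": ("QM", "QM", "QM"),
           "E3": ("QM", "QM", "A"),  "E4": ("QM", "A", "B")},
    "S2": {"E1": ("QM", "QM", "QM"), "E2": ("QM", "QM", "A"),
           "E3": ("QM", "A", "B"),   "E4": ("A", "B", "C")},
    "S3": {"E1": ("QM", "QM", "A"),  "E2": ("QM", "A", "B"),
           "E3": ("A", "B", "C"),    "E4": ("B", "C", "D")},
}
_CONTROLLABILITY = ("C1", "C2", "C3")
ASIL_ORDER = ("QM", "A", "B", "C", "D")  # ascending rigour


def asil(exposure: str, controllability: str, severity: str) -> str:
    """Return 'QM' or 'A'..'D' for valid E1-E4 / C1-C3 / S1-S3 classes.

    E0, C0 and S0 mean no relevant hazard; they are rejected rather than
    silently mapped so that a typo in an assessment cannot yield a rating.
    """
    if (severity not in _TABLE or exposure not in _TABLE[severity]
            or controllability not in _CONTROLLABILITY):
        raise ValueError(f"unsupported classes {exposure}/{controllability}/{severity}")
    return _TABLE[severity][exposure][_CONTROLLABILITY.index(controllability)]


# Rows transcribed from the slide's sample (function, malfunction, E, C, S,
# ASIL claimed on the slide).
CONSOLE_SAMPLE: List[Tuple[str, str, str, str, str, str]] = [
    ("CD/DVD control", "CD/DVD is not working", "E3", "C1", "S1", "QM"),
    ("Emergency call", "Emergency call is not placed at accident", "E1", "C3", "S3", "A"),
    ("Navigation", "Erroneous guidance, e.g. opposite direction on freeway", "E2", "C2", "S3", "A"),
    ("Rearview camera", "Image of rear view camera freezes when backing up", "E3", "C3", "S3", "C"),
    ("Air conditioner control", "Heater is not working during the winter in Canada", "E3", "C2", "S2", "A"),
    ("Turn signal in cluster", "Shows activation though actual signal is not working", "E1", "C2", "S3", "QM"),
    ("Power window", "Unwanted window closing", "E2", "C2", "S3", "A"),
    ("Air bag", "Fault activation during driving", "E4", "C3", "S3", "D"),
]


def check_assessment(rows) -> List[Tuple[str, str, str]]:
    """Recompute each row's ASIL from the table and return
    (function, table ASIL, claimed ASIL) for every row that disagrees."""
    mismatches = []
    for function, _malfunction, e, c, s, claimed in rows:
        expected = asil(e, c, s)
        if expected != claimed:
            mismatches.append((function, expected, claimed))
    return mismatches


def highest_asil(rows) -> str:
    """The most demanding rating among the rows, i.e. the level the
    integrating system must be developed to if it hosts all of them."""
    return max((asil(r[2], r[3], r[4]) for r in rows), key=ASIL_ORDER.index)


if __name__ == "__main__":
    print("rows disagreeing with the ISO 26262 table:", check_assessment(CONSOLE_SAMPLE))
    print("highest ASIL in sample:", highest_asil(CONSOLE_SAMPLE))
```

Run as a script it reports no mismatches for the slide's rows and D as the highest rating (the air bag row). The same check_assessment call is a cheap gate to run over a full hazard-analysis spreadsheet, since a hand-entered ASIL that is lower than the table gives is exactly the kind of error that later weakens both the safety and the security requirements derived from it.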
3. Vehicle Cyber Security Approaches
Concepts of system security
+ 6 security phases should be covered by both process/management and technologies
  ~ CIP (Critical Infrastructure Protection) by NERC (North American Electric Reliability Corporation)
  * 6 phases:
  - Analysis and Assessment
  - Remediation
  - Indications and Warnings
  - Mitigation
  - Incident Response
  - Reconstitution
+ New concept: “Trustworthy (computing) design” approaches
  ** Initial design system in consideration of “Security”, “Privacy”, “Reliability” and “Business Integrity”.
  → e.g. Brake should be reliable
References:

4. Vehicle Cyber Security Guidelines
Guidelines samples for cyber-physical systems

Guideline name                                                            | Domain                          | Contents: Process / Technology | Description
--------------------------------------------------------------------------|---------------------------------|--------------------------------|------------
IEC 62443 (Industrial network & system security)                         | Industrial system               | ✓ / ✓                          | Cover broader industrial systems
NIST Guide to Industrial Control System security                          | Industrial system               | ✓ / ✓                          | Cover broader industrial systems, from management & technical sides
NIST-800-61                                                               | PC/internet & Industrial system | ✓ / ✓                          | Handle incidents (including attack analysis, recovery, etc)
NERC CIP (Critical Infrastructure Protection) *                          | Industrial system               | ✓ (mainly) / ✓ (part of)       | Cover broader critical infrastructures, considering 6 phases (e.g. mitigation, recovery) from management & technical sides
EU ‘EVITA’ deliverables                                                   | Vehicle                         | ✓ / ✓                          | Outputs from research project
Japanese agency (IPA) vehicle information security guide                  | Vehicle                         | ✓                              |
J3061 (Cyber security Guidebook for Cyber-Physical Automotive Systems) ** | Vehicle                         | ✓                              | Under development

References: *: www.nerc.com/pa/Stand/Pages/CIPStandards.aspx **: www.sae.org/servlets/works/documentHome.do?comtID=TEVEES18&docID=J3061&inputPage=dOcDeTaIlS

4. Vehicle Cyber Security Guidelines
European project “EVITA”
Created possible attack-trees for selected use cases (18 use cases for 6 groups).
[Figure: attack tree – Attack goal, Attack methods]

4. Vehicle Cyber Security Guidelines
European project “EVITA”
Provide security requirements, based on the identified attack-trees.
Sample of security requirements – ‘Privacy/confidentiality’
…
Reference: ~ EVITA deliverable D2.3 “Security requirements for automotive on-board networks

4. Vehicle Cyber Security Guidelines
European project “EVITA”
Provide reference architecture including HSM (Hardware Security Module)
+ Development of Hardware Security Modules deployed with ECUs
  - Key protection
  - Trusted computing base
  - Secured Storage
  - Cost effective
+ In-car cryptographic protocols to secure ECU-ECU and sensor communication
+ Software framework integrating authentication, encryption & access control, etc

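The bullets above name three building blocks (keys kept in protected storage, a cryptographic protocol between ECUs, and a framework with authentication and access control) without showing how they fit together on a single message. The Python below is an added example, not EVITA project code: it models a sending ECU that can only sign message IDs it holds keys for, and a receiving ECU that accepts a frame only if its tag verifies and its counter is fresh. It assumes one symmetric key per message ID provisioned into each ECU's key store (the role the slide assigns to the HSM's key protection and secured storage), an 8-byte truncated HMAC-SHA256 tag, a 64-bit per-ID monotonic counter for replay protection, and constructed placeholder message IDs and keys.

```python
"""Added example: authenticated, replay-protected ECU-to-ECU frames with
per-ID key-based access control (not EVITA code; assumptions in lead-in)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

MAC_LEN = 8  # bytes of tag carried in the frame (assumed payload budget)


@dataclass(frozen=True)
class Frame:
    msg_id: int
    counter: int
    payload: bytes
    mac: bytes


def compute_mac(key: bytes, msg_id: int, counter: int, payload: bytes) -> bytes:
    """The tag binds ID, counter and payload so none can be altered in transit."""
    header = struct.pack(">IQ", msg_id, counter)
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]


class SenderEcu:
    """Holds keys only for the message IDs this ECU is allowed to transmit;
    in a real ECU the keys would live in the HSM rather than in RAM."""

    def __init__(self, keys: Dict[int, bytes]):
        self._keys = keys
        self._counters = {mid: 0 for mid in keys}  # per-ID freshness counters

    def send(self, msg_id: int, payload: bytes) -> Frame:
        if msg_id not in self._keys:  # access control: no key, no authority to send
            raise PermissionError(f"ECU not authorised to send ID 0x{msg_id:X}")
        self._counters[msg_id] += 1
        counter = self._counters[msg_id]
        return Frame(msg_id, counter, payload,
                     compute_mac(self._keys[msg_id], msg_id, counter, payload))


class ReceiverEcu:
    """Accepts a frame only if the ID is expected, the tag verifies, and the
    counter is strictly newer than the last accepted one for that ID."""

    def __init__(self, keys: Dict[int, bytes]):
        self._keys = keys
        self._last_seen = {mid: 0 for mid in keys}

    def receive(self, frame: Frame) -> Tuple[bool, str]:
        key = self._keys.get(frame.msg_id)
        if key is None:
            return False, "unexpected ID"
        expected = compute_mac(key, frame.msg_id, frame.counter, frame.payload)
        if not hmac.compare_digest(expected, frame.mac):  # constant-time compare
            return False, "bad MAC"
        if frame.counter <= self._last_seen[frame.msg_id]:
            return False, "replay"
        self._last_seen[frame.msg_id] = frame.counter
        return True, "ok"


# Constructed placeholder IDs and keys for the demo (not real vehicle values).
BRAKE_STATUS_ID = 0x1A0
DOOR_LOCK_ID = 0x2B0
KEYS = {BRAKE_STATUS_ID: bytes.fromhex("00112233445566778899aabbccddeeff"),
        DOOR_LOCK_ID: bytes.fromhex("ffeeddccbbaa99887766554433221100")}


def demo() -> Dict[str, str]:
    """Exercise the four cases the receive-side checks are meant to catch."""
    brake_ecu = SenderEcu({BRAKE_STATUS_ID: KEYS[BRAKE_STATUS_ID]})
    gateway = ReceiverEcu(KEYS)
    results = {}

    genuine = brake_ecu.send(BRAKE_STATUS_ID, b"\x01\x64")  # constructed payload
    results["genuine"] = gateway.receive(genuine)[1]
    results["replay"] = gateway.receive(genuine)[1]  # identical frame a second time

    # Altered counter and payload but the old tag: the MAC check catches it.
    tampered = Frame(genuine.msg_id, genuine.counter + 1, b"\x00\x64", genuine.mac)
    results["tampered"] = gateway.receive(tampered)[1]

    try:  # the brake ECU holds no key for the door-lock ID
        brake_ecu.send(DOOR_LOCK_ID, b"\x01")
        results["unauthorised_send"] = "allowed"
    except PermissionError:
        results["unauthorised_send"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks on the receive side matters: the tag is verified before the counter is compared, so an unauthenticated frame can never advance the receiver's counter state, and compare_digest keeps the tag comparison constant-time. The truncated 8-byte tag is the compromise the slide's "cost effective" and the earlier "limited computational performance" points force on small frames; the trade-off is purely in tag length, not in the key or the hash.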
4. Vehicle Cyber Security Guidelines
Japanese agency (IPA)’s guide
+ Covers whole life-cycle of vehicle (‘Planning’ ~ ‘Disposal’).
+ Covers all players related to vehicle life-cycle.
(IPA: Information-Technology Promotion Agency)

4. Vehicle Cyber Security Guidelines
Japanese agency (IPA)’s guide
Vehicle system model of IPA guideline

4. Vehicle Cyber Security Guidelines
Japanese agency (IPA)’s guide
Threats and countermeasures (based on vehicle system model)
[Figure legend: Direct threats thru physical I/O; Indirect threats thru vehicle bus; Potential effective countermeasures]