
Georg Stütz

Principal Security Certification Expert

CTO Security Team

Security of autonomous and connected cars

AUTOMOTIVE SECURITY

COMPANY PUBLIC 1

There is a major threat…

Governments will call for security certification via regulation

Kidnapping, Weaponization


DID YOU KNOW?

• >50 vehicle hacks published since 2015

• 1.4M vehicles recalled in the largest incident to date

SECURITY IS A MUST-HAVE FOR CONNECTED & AUTONOMOUS VEHICLES

Why now? Wireless interfaces enable scalable attacks

• 250M connected vehicles on the road in 2020

Why is it possible? High system complexity implies high vulnerability

• Up to 150 ECUs per car, up to 200M lines of software code

Why hacking? Valuable data attracts hackers

• Car-generated data may become a USD 750B market by 2030


Can we evaluate and certify a car with current methods?

Full security certification of a car: likely not

But certification will impact the car architecture

Interfaces shown in the diagram: NFC, 802.11p, Radar, LF / UHF, portable device, connectivity

• A networked computer

• up to 100 ECUs per car

• and many sensors

• inter-connected by wires

• more and more software

• Increasingly connected to its environment

− to vehicles & infrastructure

− to user devices

− to cloud services


CORE SECURITY PRINCIPLES

• Secure Domain Isolation

• Secure External Interfaces

• Secure Internal Communication

• Secure Software Execution

They need to be in place in any electrical and electronics network

• Regardless of the actual architecture and implementation


4 LAYERS TO SECURING A CAR

Layer 1 – Secure Interface: Secure M2M authentication, secure key storage

Layer 2 – Secure Gateway: Domain isolation, firewall/filter, centralized intrusion detection (IDS)

Layer 3 – Secure Network: Message authentication, filtering, distributed intrusion detection (IDS)

Layer 4 – Secure Processing: Secure boot, run time integrity, OTA updates

The same vehicle network is drawn under each layer: OBD, TCU, IVI, Gateway, Body, Braking, Powertrain, Cluster and ADAS, grouped into a Safety domain and a Comfort domain behind the Gateway
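Layer 3 above lists message authentication and distributed intrusion detection as the network-level controls. The following Python is an added example, not code from the slides or from NXP, showing the shape such a scheme takes on a CAN-style bus: each frame carries a truncated freshness counter and a truncated MAC over (CAN ID, full counter, payload), the receiver reconstructs the full counter, rejects replays and tampered frames, and records every rejection as an alert that a distributed IDS would collect. The key, tag and counter sizes are assumptions for the demo; on a real ECU the key sits in secure key storage (the Layer 1 control) and the sizes follow the bus profile in use.

```python
import hashlib
import hmac
import struct

# Constructed demo key. On a real ECU the key lives in secure key storage (HSM/SHE)
# and is provisioned per vehicle; it is never compiled into the code like this.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_LEN = 4     # assumption: a 32-bit truncated tag travels in the frame
CTR_LEN = 2     # assumption: the low 16 bits of the freshness counter travel in the frame
CTR_BITS = 8 * CTR_LEN


def _mac(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """Truncated HMAC-SHA256 over (CAN ID, full 64-bit freshness counter, payload)."""
    msg = struct.pack(">IQ", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    """Authenticating ECU: appends a truncated counter and MAC to each payload."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.counters = {}  # can_id -> last full counter used

    def send(self, can_id: int, payload: bytes) -> bytes:
        ctr = self.counters.get(can_id, 0) + 1
        self.counters[can_id] = ctr
        trunc = struct.pack(">H", ctr & ((1 << CTR_BITS) - 1))
        return payload + trunc + _mac(self.key, can_id, ctr, payload)


class Receiver:
    """Verifying ECU: rebuilds the full counter, checks the MAC, feeds rejects to the IDS."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.last = {}    # can_id -> highest accepted full counter
        self.alerts = []  # (can_id, reason): what a distributed IDS would collect

    def receive(self, can_id: int, frame: bytes):
        if len(frame) < CTR_LEN + MAC_LEN:
            return self._reject(can_id, "frame too short")
        payload = frame[:-(CTR_LEN + MAC_LEN)]
        trunc = struct.unpack(">H", frame[-(CTR_LEN + MAC_LEN):-MAC_LEN])[0]
        tag = frame[-MAC_LEN:]
        last = self.last.get(can_id, 0)
        # Reconstruct the full counter from the transmitted low bits; the counter must
        # strictly increase, so a value not above the last accepted one implies a wrap.
        candidate = (last & ~((1 << CTR_BITS) - 1)) | trunc
        if candidate <= last:
            candidate += 1 << CTR_BITS
        if not hmac.compare_digest(tag, _mac(self.key, can_id, candidate, payload)):
            # A replayed frame lands here too: its MAC was computed over an older counter.
            return self._reject(can_id, "bad MAC or replayed counter")
        self.last[can_id] = candidate
        return ("accepted", payload)

    def _reject(self, can_id: int, reason: str):
        self.alerts.append((can_id, reason))
        return ("rejected", reason)
```

Sending the same authenticated frame twice is rejected without any extra replay table: the receiver's counter reconstruction moves past the replayed value, so the stored tag no longer verifies. The alert list is the hook for the "distributed IDS" of Layer 3; each receiving ECU keeps its own and a central function can aggregate them.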


Applying The Core Security Principles

Layers: Secure Interfaces, Secure Gateway, Secure Networks, Secure Processing

Security goals: Prevent access, Detect attacks, Reduce impact, Fix vulnerabilities

Mechanisms placed in the slide's matrix of layers against goals:

• M2M Authentication & Firewalling (Secure Interfaces)

• Secure Messaging

• Separated Functional Domains

• Code / Data Authentication (@ start-up)

• Resource Control (virtualization)

• Intrusion Detection Systems (IDS)

• Secure Updates

• Code / Data Authentication (@ run-time)

• Firewalling (context-aware message filtering)

• Message Filtering & Rate Limitation
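Three of the mechanisms above live in the gateway: separated functional domains, context-aware message filtering, and message filtering with rate limitation. The following Python is an added example, not the slides' or NXP's code, of a central gateway that enforces all three against a per-boundary allow-list: a CAN ID may only cross a domain boundary if the policy names it, a diagnostic ID is only forwarded while the vehicle is stationary, each permitted ID has a per-second budget, and every drop is logged for the centralized IDS. The domain names, CAN IDs and budgets are constructed for the demo.

```python
from collections import defaultdict, deque

# Constructed forwarding policy. Domain names and CAN IDs are hypothetical; the table says
# which IDs may cross a given domain boundary and how many of each are allowed per second.
ALLOW = {
    ("comfort", "safety"): {0x1A0: 5},               # e.g. a status message, low rate
    ("safety", "comfort"): {0x2B0: 50, 0x2B1: 50},   # e.g. speed and gear for the cluster/IVI
    ("obd", "safety"): {0x7DF: 2},                   # diagnostic request
}
STATIONARY_ONLY = {0x7DF}  # context rule: forwarded only while the vehicle is not moving


class Gateway:
    """Central gateway: domain isolation, context-aware filtering, rate limits, IDS feed."""

    def __init__(self, allow=ALLOW, window_s: float = 1.0):
        self.allow = allow
        self.window = window_s
        self.history = defaultdict(deque)  # (src, dst, can_id) -> timestamps forwarded
        self.alerts = []                    # (src, dst, can_id, reason) for the IDS

    def forward(self, src: str, dst: str, can_id: int, t: float,
                vehicle_speed: float = 0.0) -> str:
        budget = self.allow.get((src, dst), {}).get(can_id)
        if budget is None:
            # Domain isolation: anything not explicitly permitted stays on its own bus.
            return self._drop(src, dst, can_id, "not permitted across boundary")
        if can_id in STATIONARY_ONLY and vehicle_speed > 0:
            # Context-aware filtering: vehicle state decides whether the message may pass.
            return self._drop(src, dst, can_id, "blocked while moving")
        window = self.history[(src, dst, can_id)]
        while window and t - window[0] >= self.window:   # slide the one-second window
            window.popleft()
        if len(window) >= budget:
            # Rate limitation: a flooding ECU cannot saturate the destination bus.
            return self._drop(src, dst, can_id, "rate limit exceeded")
        window.append(t)
        return "forward"

    def _drop(self, src: str, dst: str, can_id: int, reason: str) -> str:
        self.alerts.append((src, dst, can_id, reason))
        return "drop: " + reason
```

The default is deny: a message from the comfort domain toward a safety-domain ID that the policy does not list is dropped before any rate or context check runs, which is the "separated functional domains" row of the matrix. The alert list is what the centralized IDS of Layer 2 would consume.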


AUTOMOTIVE SECURITY – WAY FORWARD

Essential element: Defense-in-Depth approach

• Multiple layers of protection, at different levels in the system

• To mitigate the risk of one component of the defense being compromised or circumvented

Layers: Domain Isolation, Secure Network, Secure Interfaces, Secure Processing

TODAY → FUTURE

APPLY BEST PRACTICES:

• Security-by-design & Privacy-by-Design (as opposed to being an afterthought)

• Lifecycle Management (incl. FOTA)
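Lifecycle management with FOTA only holds up if the Secure Processing layer (code/data authentication at start-up and at run-time, secure updates) accepts nothing it cannot authenticate. The following Python is an added example, not the slides' or NXP's code, of that chain on a single ECU: an update package carries a manifest binding name, version and image hash; installation checks the manifest signature, the image hash and anti-rollback; secure boot re-verifies every installed image before it runs; and a run-time integrity check re-hashes flash against the boot-time measurement. The manifest is authenticated with HMAC under a constructed key purely so the demo runs offline; a production root of trust is an asymmetric OEM key or key hash in ROM or OTP, and the package format is an assumption.

```python
import hashlib
import hmac
import json

# Constructed root-of-trust key. A real ECU anchors an OEM public key (or its hash) in
# ROM/OTP and checks asymmetric signatures; HMAC with a fixed key stands in here only
# so that the example runs without any crypto library.
ROOT_KEY = b"constructed-root-of-trust-key"


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes = ROOT_KEY) -> str:
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_package(name: str, version: int, image: bytes, key: bytes = ROOT_KEY) -> dict:
    """Build an OTA package: image plus a signed manifest binding name, version and hash."""
    manifest = {"name": name, "version": version, "sha256": _digest(image)}
    return {"manifest": manifest, "signature": sign_manifest(manifest, key), "image": image}


def verify_package(pkg: dict, key: bytes = ROOT_KEY) -> bool:
    """Both the manifest signature and the image hash it carries must check out."""
    expected = sign_manifest(pkg["manifest"], key)
    if not hmac.compare_digest(expected, pkg["signature"]):
        return False
    return pkg["manifest"]["sha256"] == _digest(pkg["image"])


class Ecu:
    """Toy ECU whose flash holds one package per image name."""

    def __init__(self):
        self.flash = {}         # name -> package as installed
        self.measurements = {}  # name -> image hash measured at the last secure boot

    def install_update(self, pkg: dict) -> str:
        """Secure update: authenticate first, then refuse downgrades, then write flash."""
        man = pkg["manifest"]
        if not verify_package(pkg):
            return "rejected: bad signature or image hash"
        current = self.flash.get(man["name"])
        if current and man["version"] <= current["manifest"]["version"]:
            return "rejected: rollback to version %d" % man["version"]
        self.flash[man["name"]] = pkg
        return "installed version %d" % man["version"]

    def secure_boot(self) -> list:
        """Code/data authentication at start-up: stop at the first image that fails."""
        booted = []
        for name, pkg in self.flash.items():
            if not verify_package(pkg):
                return booted   # halt here; unauthenticated code never executes
            self.measurements[name] = pkg["manifest"]["sha256"]
            booted.append(name)
        return booted

    def runtime_integrity_check(self) -> list:
        """Code/data authentication at run-time: report images that drifted since boot."""
        return [name for name, pkg in self.flash.items()
                if _digest(pkg["image"]) != self.measurements.get(name)]
```

The order inside install_update matters: the signature is checked before the version is compared, so an attacker cannot learn anything about installed versions from an unauthenticated package, and the version check runs before flash is written, so a validly signed but older image never displaces the current one.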


Security Culture and Organization – Matured Over Time: Some of the Key Milestones

Timeline 2010 – 2015 – 2020, moving from Smart Cards through Mobile to Connected Vehicles & IoT, across four tracks: Incident Response, Security-by-Design, Larger Context, and Program / Organization

Milestones:

• MIFARE Classic hack

• PSIRT established

• Security Maturity Process (SMP)

• SMP / Trusted Solutions for Auto

• Auto-ISAC established

• Dedicated team for Auto Security

• Involved in ISO/SAE 21434

• Joining Auto-ISAC

• PSIRT extended

• IR process formalized

• Co-shaping global V2X security stds

• V2X Security Program

• Cooperating with HIS on SHE spec

• Auto Security Strategy

• ISO/SAE 21434 JWG Events


Training & Awareness – What do we do?

Trainings & Knowledge Transfer

• Basic crypto & security training

• Expert trainings – internally & through external partners

− Technical security trainings, introduction to standards, …

Awareness

• Regular bulletins and campaigns to increase awareness

− General awareness, but also on specific topics

• Internal & External Information Sharing

− Through regular meetings and online portal

− Workshops with partners

− Bi-directional sharing with Auto-ISAC, CERTs, …


Product Development – Security Maturity Process

PROJECT LIFECYCLE: CONCEPT – DEFINITION – PLANNING – EXECUTION – CLOSURE, with Security Milestones at each gate

• Threat Intel, Best Practices, …

• Independent & un-biased reviews – “4 eyes” principle

• Process implementation can be adjusted per project

• Monitoring security implementations at each gate

• Standards (e.g. ISO 21434) + Trusted Solutions: Framework and Support to Guide Engineering Teams

• Training & Awareness

• Lessons Learned (e.g. from IR)


Product Security Incident Response Team (PSIRT)

• Product Security IR Process & Team

− Global across products / markets / regions

− Established in 2008 after the MIFARE Classic hack

• Committed to Responsible Disclosure

− In alignment with the security community

− With our customers, partners, Auto-ISAC, CERTs

• Continuous Improvement

− E.g. evaluate & benchmark against Auto-ISAC’s best practice guide for incident response

Contact: www.nxp.com/psirt, [email protected]

PSIRT process: 1 receive report → 2 evaluate vulnerability → 3 define solution → 4 communicate → 5 evaluate process → 6 closure


CONCLUSION

Securing an entire car is not an easy task

• Domain separation is a core concept

• The threat model for autonomous cars is not entirely clear yet

• Security must be considered from the start

A LOT OF WORK REMAINS TO BE DONE – SO LET’S START NOW


www.nxp.com/automotivesecurity