Georg Stütz
Principal Security Certification Expert
CTO Security Team
Security of autonomous and connected cars
AUTOMOTIVE SECURITY
COMPANY PUBLIC 1
There is a major threat…
Governments will call for security certification via regulation
Kidnapping, Weaponization
DID YOU KNOW?
• >50 vehicle hacks published since 2015
• 1.4M vehicles recalled in the largest incident to date
SECURITY IS A MUST-HAVE FOR CONNECTED & AUTONOMOUS VEHICLES
• Why now? Wireless interfaces enable scalable attacks: 250M connected vehicles on the road in 2020
• Why is it possible? High system complexity implies high vulnerability: up to 150 ECUs per car, up to 200M lines of software code
• Why hacking? Valuable data attracts hackers: car-generated data may become a USD 750B market by 2030
Can we evaluate and certify a car with current methods?
Full security certification of a car: likely not.
But certification will impact the car architecture.
[Figure: vehicle with its external interfaces, labelled NFC, 802.11p, Radar, LF, UHF, Portable Device, Connectivity]
• A networked computer
− up to 100 ECUs per car
− and many sensors
− inter-connected by wires
− more and more software
• Increasingly connected to its environment
− to vehicles & infrastructure
− to user devices
− to cloud services
CORE SECURITY PRINCIPLES
• Secure Domain Isolation
• Secure External Interfaces
• Secure Internal Communication
• Secure Software Execution
They need to be in place in any electrical and electronics network
• Regardless of the actual architecture and implementation
4 LAYERS TO SECURING A CAR
• Layer 1: Secure Interface – Secure M2M authentication, secure key storage
• Layer 2: Secure Gateway – Domain isolation, firewall/filter, centralized intrusion detection (IDS)
• Layer 3: Secure Network – Message authentication, filtering, distributed intrusion detection (IDS)
• Layer 4: Secure Processing – Secure boot, run time integrity, OTA updates
[Figure: the same in-vehicle network diagram highlighted once per layer; components shown: OBD, TCU, IVI, Gateway, Body, Braking, Powertrain, Cluster, ADAS, grouped into a safety domain and a comfort domain]
Applying The Core Security Principles
• Secure Interfaces: M2M Authentication & Firewalling
• Secure Gateway: Separated Functional Domains; Firewalling (context-aware message filtering)
• Secure Networks: Secure Messaging; Message Filtering & Rate Limitation; Intrusion Detection Systems (IDS)
• Secure Processing: Code / Data Authentication (@ start-up); Code / Data Authentication (@ run-time); Resource Control (virtualization); Secure Updates
Goals: Prevent access – Detect attacks – Reduce impact – Fix vulnerabilities
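As an added example that is not part of the slides, the checks a secure gateway combining Layers 1 to 3 applies to a single frame before forwarding it between domains: a routing policy for domain isolation, message authentication with a freshness counter against replay, rate limitation against flooding, and every rejection recorded as an IDS event. The slides name the mechanisms but not their parameters, so the HMAC-SHA256 MAC truncated to 8 bytes, the frame ID, the domain names, the key and the rate limit are all assumptions.

```python
import hmac, hashlib
from collections import defaultdict

# Constructed demo key; on a real ECU it lives in secure key storage (Layer 1).
GATEWAY_KEY = b"demo-key-not-for-production"
# Assumed routing policy: frame ID -> (allowed source domain, allowed destination domain).
ROUTING_POLICY = {0x200: ("safety", "comfort")}  # e.g. wheel speed: safety domain -> cluster/IVI
RATE_LIMIT = 3   # max frames per ID per observation window (assumed)
MAC_LEN = 8      # truncated MAC, as is common on bandwidth-constrained buses

def compute_mac(frame_id, counter, payload, key=GATEWAY_KEY):
    """MAC over ID, freshness counter and payload (assumption: HMAC-SHA256, truncated)."""
    msg = frame_id.to_bytes(2, "big") + counter.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Gateway:
    def __init__(self):
        self.last_counter = {}         # highest accepted freshness counter per frame ID
        self.seen = defaultdict(int)   # frames per ID in the current window
        self.ids_events = []           # what the centralized IDS would report

    def _reject(self, reason, frame_id):
        self.ids_events.append((reason, frame_id))
        return False

    def forward(self, src_domain, dst_domain, frame_id, counter, payload, mac):
        if ROUTING_POLICY.get(frame_id) != (src_domain, dst_domain):
            return self._reject("policy_violation", frame_id)  # domain isolation / firewall
        if not hmac.compare_digest(mac, compute_mac(frame_id, counter, payload)):
            return self._reject("bad_mac", frame_id)           # message authentication
        if counter <= self.last_counter.get(frame_id, -1):
            return self._reject("replay", frame_id)            # freshness check
        self.seen[frame_id] += 1
        if self.seen[frame_id] > RATE_LIMIT:
            return self._reject("rate_limit", frame_id)        # flooding of one ID
        self.last_counter[frame_id] = counter
        return True

def demo():
    """Constructed traffic: a good frame, a replay, a wrong-direction frame, a tampered frame, a burst."""
    gw, speed, out = Gateway(), b"\x00\x50", []
    out.append(gw.forward("safety", "comfort", 0x200, 1, speed, compute_mac(0x200, 1, speed)))
    out.append(gw.forward("safety", "comfort", 0x200, 1, speed, compute_mac(0x200, 1, speed)))
    out.append(gw.forward("comfort", "safety", 0x200, 2, speed, compute_mac(0x200, 2, speed)))
    out.append(gw.forward("safety", "comfort", 0x200, 2, b"\x00\x99", compute_mac(0x200, 2, speed)))
    for c in range(3, 7):
        out.append(gw.forward("safety", "comfort", 0x200, c, speed, compute_mac(0x200, c, speed)))
    return out, [reason for reason, _ in gw.ids_events]
```

Only the first frame of the burst and the next two within the window are forwarded; the fourth and fifth trip the rate limit, so the IDS log ends with two rate_limit events after the replay, policy and MAC rejections.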
AUTOMOTIVE SECURITY – WAY FORWARD
Essential element: Defense-in-Depth approach
• Multiple layers of protection, at different levels in the system
• To mitigate the risk of one component of the defense being compromised or circumvented
[Figure: the four layers Domain Isolation, Secure Network, Secure Interfaces, Secure Processing on a TODAY to FUTURE axis]
APPLY BEST PRACTICES:
• Security-by-Design & Privacy-by-Design (as opposed to being an afterthought)
• Lifecycle Management (incl. FOTA)
Security Culture and Organization – Matured Over Time
Some of the Key Milestones
[Figure: timeline 2010 – 2015 – 2020 across the eras Smart Cards, Mobile, Connected Vehicles & IoT, with lanes Events, Incident Response, Security-by-Design, Larger Context, Program / Organization]
• MIFARE Classic hack
• PSIRT established
• Security Maturity Process (SMP)
• SMP / Trusted Solutions for Auto
• Auto-ISAC established
• Dedicated team for Auto Security
• Involved in ISO/SAE 21434
• Joining Auto-ISAC
• PSIRT extended
• IR process formalized
• Co-shaping global V2X security stds
• V2X Security Program
• Cooperating with HIS on SHE spec
• Auto Security Strategy
• ISO/SAE 21434 JWG
Training & Awareness – What do we do?
Trainings & Knowledge Transfer
• Basic crypto & security training
• Expert trainings – internally & through external partners
− Technical security trainings, introduction to standards, …
Awareness
• Regular bulletins and campaigns to increase awareness
− General awareness, but also on specific topics
• Internal & External Information Sharing
− Through regular meetings and online portal
− Workshops with partners
− Bi-directional sharing with Auto-ISAC, CERTs, …
Product Development – Security Maturity Process
[Figure: project lifecycle CONCEPT – DEFINITION – PLANNING – EXECUTION – CLOSURE with security milestones at each gate]
• Threat Intel, Best Practices, …
• Standards (e.g. ISO 21434) + Trusted Solutions: framework and support to guide engineering teams
• Training & Awareness
• Lessons Learned (e.g. from IR)
• Independent & un-biased reviews – “4 eyes” principle
• Process implementation can be adjusted per project
• Monitoring security implementations at each gate
Product Security Incident Response Team (PSIRT)
• Product Security IR Process & Team
− Global across products / markets / regions
− Established in 2008 after the MIFARE Classic hack
• Committed to Responsible Disclosure
− In alignment with the security community
− With our customers, partners, Auto-ISAC, CERTs
• Continuous Improvement
− E.g. evaluate & benchmark against Auto-ISAC’s best practice guide for incident response
Contact: www.nxp.com/psirt, [email protected]
PSIRT process: 1 receive report – 2 evaluate vulnerability – 3 define solution – 4 communicate – 5 evaluate process – 6 closure
CONCLUSION
Securing an entire car is not an easy task
• Domain separation is a core concept
• The threat model for autonomous cars is not entirely clear yet
• Security must be considered from the start
A LOT OF WORK REMAINS TO BE DONE – SO LET’S START NOW