NHTSA S AUTOMOTIVE CYBERSECURITY RESEARCH. Arthur Carter, Frank Barickman, NHTSA

Similar documents
An Overview of NHTSA s Electronics Reliability and Cybersecurity Research Programs Paper ID Abstract

Submitted at:

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Industrial Control Systems Security Guide

Lessons from Defending Cyberspace

DOT HS October 2014 Characterization of Potential Security Threats in Modern Automobiles

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

PROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE

A Systems Approach to Protecting the U.S. Air Traffic Control System Against Cyber-Terrorism

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

CYBER SECURITY: PERILS AND OPPORTUNITIES

DeltaV System Cyber-Security

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Introduction. Special thanks to the following individuals who were instrumental in the development of the toolkits:

Cisco Advanced Services for Network Security

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights)

White Paper on Financial Industry Regulatory Climate

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

NIST Cybersecurity Framework Manufacturing Implementation

CYBER SECURITY GUIDANCE

Framework for Improving Critical Infrastructure Cybersecurity

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

GEARS Cyber-Security Services

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

Public Safety and Homeland Security. National Broadband Plan Recommendations

Roadmaps to Securing Industrial Control Systems

Security Risk Management For Health IT Systems and Networks

ISO27032 Guidelines for Cyber Security

NERC CIP VERSION 5 COMPLIANCE

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

THREATS AND VULNERABILITIES FOR C 4 I IN COMMERCIAL TELECOMMUNICATIONS: A PARADIGM FOR MITIGATION

SCOPE. September 25, 2014, 0930 EDT

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Rebecca Massello Energetics Incorporated

Document ID. Cyber security for substation automation products and systems

Information Technology Security Review April 16, 2012

Cyber Security Metrics Dashboards & Analytics

Thomas J. Schlagel Chief Information Officer, BNL

Update On Smart Grid Cyber Security

Bellevue University Cybersecurity Programs & Courses

How To Write A Cybersecurity Framework

SECURITY. Risk & Compliance Services

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Testimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology

Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience

Automotive Ethernet Security Testing. Alon Regev and Abhijit Lahiri

Cyber Security Solutions Integrated. Proactive. Resilient.

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Microsoft s cybersecurity commitment

LOGIIC Remote Access. Final Public Report. June LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION

Information Technology in the Automotive Aftermarket

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

LinkedIn 10x Medical Device Conference Tuesday May 5 th, 2015

A COMPLETE APPROACH TO SECURITY

Industrial Security for Process Automation

ALM Virtual Corporate Counsel Managing Cybersecurity Risks and Mitigating Data Breach Damage

National Cybersecurity & Communications Integration Center (NCCIC)

Facilitated Self-Evaluation v1.0

ITL BULLETIN FOR AUGUST 2012

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

Cybersecurity..Is your PE Firm Ready? October 30, 2014

VULNERABILITY ASSESSMENT AND SURVEY PROGRAM. Overview of Assessment Methodology. U.S. Department of Energy Office of Energy Assurance

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Telematics & Wireless M2M

ESKISP Conduct security testing, under supervision

Enterprise Security Tactical Plan

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Dr. Markus Braendle, Head of Cyber Security, ABB Group 10 Steps on the Road to a Successful Cyber Security Program Asia Pacific ICS Security SUMMIT

Designing a security policy to protect your automation solution

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

How Secure is Your SCADA System?

Cybersecurity considerations for electrical distribution systems

Considerations for Hybrid Communications Network Technology for Pipeline Monitoring

Critical Controls for Cyber Security.

KUDELSKI SECURITY DEFENSE.

Remote Management Services Portfolio Overview

FFIEC Cybersecurity Assessment Tool

Cyber Information-Sharing Models: An Overview

Airports and their SCADA Systems. Dr Leigh Armistead, CISSP. Peregrine Technical Solutions

Connected Car Security: A Holistic, Proactive Approach

Civil Aviation and CyberSecurity Dr. Daniel P. Johnson Honeywell Aerospace Advanced Technology

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Security Policy for External Customers

New Era in Cyber Security. Technology Development

NATIONAL CYBERSECURITY PROTECTION ACT OF 2014

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

Information Assurance. and Critical Infrastructure Protection

Cisco Security Optimization Service

The Protection Mission a constant endeavor

Cybersecurity Converged Resilience :

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Get Confidence in Mission Security with IV&V Information Assurance

Transcription:

NHTSA S AUTOMOTIVE CYBERSECURITY RESEARCH Arthur Carter, Frank Barickman, NHTSA

Electronic Systems Safety Research Division Electronic Systems Safety (ESS) Research Division conducts research to ensure the safety, security and reliability of the interconnected, complex electronic systems. ESS is also responsible for leading the agency s research in the continuum of automated driving. ESS Automotive Cybersecurity Automated Vehicles Electronics Reliability Vehicle Research and Test Center (VRTC)

Threat Vectors into Automotive Systems Physical and Remote access into the vehicle: Physical interfaces Short Range wireless interfaces Long range wireless interfaces With prolonged physical access, researchers demonstrated in specific cases access via: Ports: OBD-II, CD/DVD Players, USB, etc. Certain Vehicle data bus types (e.g. Controller Area Network CAN) that interconnect vehicle electronic and controls systems Wireless: Key FOBs, Wi-Fi, Bluetooth, etc.

Automotive Cyber Threat Generalization Difficult Original Equipment Manufacturers (OEMs) design their platforms differently There are many architectural variations Many are proprietary The platform designs are constantly evolving OEMs more proactive in design-for-security Private discussions with OEMs and Tier 1s Functional Safety is closely coupled with Automotive Cybersecurity

NHTSA s Integrated Research Approach Build a Cybersecurity Knowledge Base Identify key stakeholders, lessons learned from other industry sectors, and gap areas in need of further research Facilitate coordination and information exchange Support the development of industry standards, guidelines, and best practices Outreach and influence industry through SAE International and other industry groups, at industry conferences, etc. Research minimum technical requirements Systematic vehicle security assessment approach Study vehicle architectures and threat vectors and risks Test and evaluate automotive cybersecurity environment Complete research supportive of future technical requirements Cybersecurity policies, regulations, principles Research alternatives, certification and enforcement challenges

Testing Capabilities Building capabilities to support in-house NHTSA applied cybersecurity research. Projects objectives are driving laboratory capabilities

VRTC Cybersecurity Capabilities Communication bus monitoring RF monitoring GPS Spoofing GPS Simulation Firmware Analysis Equipment Vector CANalyzer Roller Dynamometer USRP Software Defined Radio GPS Satellite Simulator Spectrum Analyzer IDA Pro Future Capabilities Femtocell/cellular base transceiver station RF Disruption LTE DSRC GPS Radar

Task for NHTSA : Assessment of the Need for New Safety Standards (Electronics) The Moving Ahead for Progress in the 21st Century Act (MAP-21) Division C, Title I, Subtitle D, Section 31402 requires that the agency examine the need for safety standards with regard to electronic systems in passenger motor vehicles. Act directed the agency to consider the electronic components; the interaction of electronic components; the security needs for those electronic systems to prevent unauthorized access, and the effect of surrounding environments on the electronic systems, allow public comment. MAP-21 also requires that the agency submit a report to Congress on its findings pursuant to the examination referenced above. Current Status: The agency published a Federal Register Notice on Electronic system safety and security on October 7, 2014. Public comments were due December 8, 2014. Presents our research program and progress on examining the need for safety standards with regard to electronic systems in passenger motor vehicles. Public comments are being assessed.

Federal Register Notice (Cybersecurity side) Process-oriented approaches to addressing cybersecurity concerns Design and quality control processes that focus on cybersecurity issues throughout the lifecycle of a product. Dealing with cybersecurity issues through establishing robust information sharing forums such as an Information Sharing and Analysis Center (ISAC). Generally a cycle of cybersecurity activities are implied; Layered approach Prevention Methods (gateways, isolation, authentication) Detection Methods (e.g. Anomaly based intrusion detection) Reaction Methods (containment; e.g. shut down sys/communications) Treatment Methods (distribute knowledge to others) Follow-up with a report to congress next year

NHTSA Cybersecurity Reports NHTSA Released four Automotive Cybersecurity Reports in October 2014 Assessment of the Information Sharing and Analysis Center Model; A Summary of Cybersecurity Best Practices; Characterization of Potential Security Threats in Modern Automobiles: A Composite Modeling Approach; and National Institute of Standards and Technology Cybersecurity Risk Management Framework Applied to Modern Vehicles

Report: Assessment of the Information Sharing and Analysis Center(ISAC) Model An ISAC is a trusted, sector-specific entity that can provide a 24-hour per day and 7-day per week secure operating capability that establishes the coordination, information sharing, and intelligence requirements for dealing with cybersecurity incidents, threats, and vulnerabilities. An ISAC can serve as an industry resource to gather key information about cybersecurity events and issues and identify, communicate, and analyze potential impacts of such concerns to the industry. How ISACs are implemented in other sectors; How existing ISACs can be leveraged to expeditiously form of a new sector ISAC. Report sent to Global/Alliance to aid with their Auto-ISAC activities

Report: A Summary of Cybersecurity Best Practices Documents results from the analysis and review of best practices and observations across a variety of industry segments in the field of cybersecurity involving electronic control systems; Provides relevant benchmarks for the Agency and the industry; This information helps Increase the collective knowledge base in automotive cybersecurity; Identify potential knowledge gaps; Describe the risk and threat environments; Support follow-on tasks used to establish security guidelines.

Report: Characterization of Potential Security Threats in Modern Automobiles Describes a composite modeling approach for potential cybersecurity threats in modern vehicles. Threat models, threat descriptions, and examples of various types of conceivable threats to automotive systems are included, along with a matrix containing a condensed version of the various potential attacks. Threat models, descriptions, and examples of various types of threats to automotive systems are included, along with a matrix containing a condensed version of the various sample attack possibilities. A Composite Threat Model is presented Contains common elements from various methods examined. Use cases are studied

Report: NIST Risk Management Framework Applied to Modern Vehicles Reviews the NIST guidelines and foundational publications from an automotive cybersecurity risk management stand-point. The NIST approach is often used as a baseline to develop a more targeted risk management approach for the specific use cases and issues in specific industries and sectors. The Risk Management Framework provides a 6-step structured process that integrates information security and risk management activities into the system development life cycle. Tailored to modern vehicles: Assess Threats via Use Cases Categorize Vehicle Systems Confidentiality, Integrity, and Availability, with requirement levels of Low, Moderate, High, and Not applicable are used for each Select Security Controls Implement Security Controls Assess Security Controls Monitor Security Controls (Repeat)

Summary Encouraging the development of an Automotive ISAC Continuing to coordinate with key stakeholders Standards organizations, private and public sector information exchanges FR notice comments being processed Holding discussions with OEMs, Tier 1s, Tier 2s, Safety Critical System Developers in other sectors etc. Other Federal and State Agencies: - NHTSA holding a Cyber Roundtable on Feb 13, 2015.

Summary Technical Research Monitoring SAE Automotive Cybersecurity Guidelines development effort Planning to expand cybersecurity research to include higher levels of automation Initiating research into anomaly based intrusion detection systems capabilities and effectiveness Applied Research into cybersecurity related testing Main goal: Development of security requirements or guidance for safety assurance of critical automotive systems based on foundational research results

NHTSA Resources Federal Register Notice on Electronic Systems Safety and Security http://www.regulations.gov/#!docketdetail;d=nhtsa-2014-0108 NHTSA s crash avoidance research technical publications are posted at: http://www.nhtsa.gov/research/crash+avoidance/office+of+crash+avoidan ce+research+technical+publications ESS research reports, related public documents will be placed in the following non-rulemaking dockets: NHTSA-2014-0070: Vehicle Automation Topics and Publications NHTSA-2014-0071: Automotive Cybersecurity Topics and Publications NHTSA-2014-0092: Automotive Functional Safety and Reliability Topics and Publications Dockets can be accessed at http://www.regulations.gov/

Contact Information Art Carter Program Lead, Automotive Cybersecurity, ESS, NHTSA Phone: 202-366-5669 E-mail: arthur.carter@dot.gov Frank Barickman Electronics Team Lead, Vehicle Research and Test Center, NHTSA Phone: 937-666-3315 E-mail: frank.barickman@dot.gov

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information