for Vehicle Cyber Security




Guidelines for Vehicle Cyber Security
Hiro Onishi
Alpine Electronics Research of America, Inc.
honishi@alpine la.com
2013 Alpine Electronics, Inc. Not for commercial distribution.

INDEX
1. Cyber Physical System Risks
2. Vehicle Cyber Risks
   Vulnerabilities in maintaining vehicle cyber security
3. Vehicle Cyber Security Approaches
   Risk analysis
   Concept of system security
4. Vehicle Cyber Security Guidelines
   European project EVITA
   Japanese agency (IPA)'s guide
   SAE committee's approach
5. Summary

1. Risks for Cyber Physical System
Case 1: Davis-Besse Nuclear Plant, Ohio (Jan. 25, 03)
16:00: Noticed network slowdown
16:50: Safety Parameter Display System (SPDS) crashed
17:13: Plant process computer crashed (had analog backup)
Reference: Edward Fok. (Dec. 7, 11) Introduction to Cyber Security Issues for Transportation [Web seminar]

1. Risks for Cyber Physical System
Case 2: Airplane manipulation (Apr. 13, US)
+ Security consultants pointed out that they were able to manipulate an airplane's navigation system with an Android application *.
+ 4 days later, Dept. of Transportation denied the possibility **.
Reference:
*: WIRED, www.wired.co.uk/news/archive/2013 04/11/android plane hijack
**: Information Weekly, www.informationweek.com/security/application security /faa dismisses android app airplane takeo/240152838

1. Risks for Cyber Physical System
Case 3: Lodz, Poland (Jan. 08)
4 light rail trams derailed, 12 people injured
Tool used: Converted television IR remote
Exploit: Locks that disable track changes when a vehicle is present were not installed
Reference: Edward Fok. (Dec. 7, 11) Introduction to Cyber Security Issues for Transportation [Web seminar]
Pictures: Courtesy of EUROPICS

1. Cyber Physical System Risks
Currently, cyber physical system risks can be a serious social concern, as they may impact the following:
+ (Nuclear / chemical) plants
+ Military facilities and weapons
+ Government facilities and systems
+ Transportation (Trains, Airplanes, Vehicles, Ships, etc)
+ Utilities (Electric grid, Water line, etc)
+ Finance (ATM, Ticket machines, etc)
+ Medical / Health related equipment and others

2. Vehicle Cyber Risks
Vehicles can be targets of cyber attacks, because
+ Vehicles can be used to inflict serious bodily injury
+ Vehicles are high value items
+ Vehicles are frequently parked in unsecured locations
+ Vehicles could be targeted for anti-social activity (ex. terrorism)
  - Stop/control massive number of vehicles
  - Cause massive panic through false information
References:
~ A. Weimerskirch, Do Vehicles Need Data Security? SAE World Congress, Detroit, MI, Apr. 11
~ Information Technology Promotion Agency. (Apr. 11) Movements of Vehicle Cyber Security, (Japanese)

2. Vehicle Cyber Risks
[Figure labels: Cruise control, ABS, Car Telephone, ??, Air Bag, Telematics, V2I communication, Navigation, ACC, V2V communication, Emergency call, LDW, Autonomous driving; electronics based]
Modern cars can come with up to 80 CPUs, 2 miles of cable, several hundred MB of software, and 5 in-vehicle networks.
Vehicle is NO longer just a Mechanical System
Reference: A. Weimerskirch ESCRYPT, Security Considerations for Connected Vehicles, in SAE Government and Industry Meeting, Washington DC, Jan. 12

2. Vehicle Cyber Risks
[Figure labels: Internet, Smart-phone, Hacker, Music-player, Computer]
Virus or malware carried in smart phones or music players can easily invade automotive electronics

2. Vehicle Cyber Risks
Special risks
CASE 1: Communication for crash avoidance
  Limited time (100ms order)
CASE 2: Vehicles are only able to communicate externally through mobile phones
[Figure labels: Base station, Vehicle, Vehicle A, Mobile phone, Vehicle B]

2. Cyber Risks for Vehicle
Additional vulnerabilities, compared to computer/internet security.
VULNERABILITY 1: Limited vehicle external connectivity
  - Difficulty in updating security software
  - Difficulty in monitoring automotive electronics status
VULNERABILITY 2: Limited computational performance, due to high endurance and long vehicle life cycle (10 years)
  - Vulnerability to compete against hacker's PC
VULNERABILITY 3: Real-time operation
VULNERABILITY 4: Vehicle consists of various components/parts.
  - Large industry pyramid from suppliers to OEM
VULNERABILITY 5: Unpredictable attack scenarios and threats
VULNERABILITY 6: Hazard to drivers' and passengers' lives
[Figure labels, industry pyramid: OEM, Tier 1, Tier 2, Parts suppliers]
Reference:
~ Information Technology Promotion Agency (of Japanese government). (Apr. 11) 10 report: Movements of Vehicle Cyber security, (Japanese)
~ A. Weimerskirch, Security Considerations for Connected Vehicles, in SAE Government and Industry Meeting, Washington DC, Jan. 12
~ P. Kleberger, T. Olovsson and E. Jonsson, "Security aspects of the in-vehicle network in the connected car", Intelligent Vehicles Symposium (IV), 11 IEEE, pp. 528-533, 5-9 Jun. 11

3. Vehicle Cyber Security Approaches
Additional complicated vulnerabilities, compared to computer/internet security
Industry expects both proper guidelines & competitive approaches.
To define proper guidelines, well-defined risk analysis is required.

3. Vehicle Cyber Security Approaches
Proper security requires well-defined risk analysis.
Vehicle cyber security is vulnerable, but Risk = Vulnerability
Inputs: Risk = function(Vulnerability, Hackers' motivation/skills, Hazard)
  Vulnerability: Vulnerability of system security
  Hackers' motivation/skills: Adversary ROI: investment / risk / return
  Hazard: Magnitude of hazards, when security is compromised.
Reference:
~ D. Etue (SafeNet), web seminar Cyber Security in Highly Innovative World, (Jul, 13)

3. Vehicle Cyber Security Approaches
Risk analysis: Hackers' motivations/skills

| Type | Aims | Target | Approaches | Hacker type | (Potential) skill |
|---|---|---|---|---|---|
| Classic | Financial | Vehicle, Components/parts | Steal vehicle, components or parts | Individual, Group | Low, Medium |
| New types | Financial, Harm to individual | Driver, Driver's property | Acquire driving log or history and physically attack drivers or steal/damage drivers' property | Individual, Group | Medium |
| New types | Harm to individual | Driver | Manipulate single or small number of vehicles to cause (severe) accidents | Individual, Group | Medium, High |
| New types | Damage to community | Community | Manipulate large number of (e.g. police) vehicles to cause (severe) accidents and damage to community | Group, Organization (i.e. terrorism) | High |

+ In general, the person who invents a tool to break security possesses much higher skills than the person who is only using the tool. e.g.: the case of immobilizer cutter
+ Inside hackers possess deeper knowledge about the security mechanism.
References:
~ A. Weimerskirch, Do Vehicles Need Data Security? SAE World Congress, Detroit, MI, Apr. 11
~ Information Technology Promotion Agency. (Apr. 11) Movements of Vehicle Cyber Security, (Japanese)
~ EVITA deliverable D2.3 Security requirements for automotive on-board networks based on dark-side scenarios ( 09)

3. Vehicle Cyber Security Approaches *
Risk analysis: Hazard assessment, ISO 26262 (Automotive Functional Safety)
Sample of hazard assessment
Vehicle center console

| Function | Sample malfunction | Exposure | Controllability | Severity | ASIL |
|---|---|---|---|---|---|
| CD/DVD control | CD/DVD is not working | E3 | C1 | S1 | QM |
| Navigation | Erroneous guidance, e.g. opposite direction on freeway | E2 | C2 | S3 | A |
| Emergency Call | Emergency call is not placed at accident | E1 | C3 | S3 | A |
| Rearview camera (Monitoring) | When backing up, image of rear view camera freezes (shows old image) | E3 | C2 | S2 | A |
| Air conditioner control | Heater is not working during the winter in Canada | E3 | C3 | S3 | C |
| Turn signal in cluster panel | Shows signal activation in cluster, though actual signal is not working | E1 | C2 | S3 ** | QM |
| Power window | Unwanted window closing | E2 | C2 | S3 | A |
| Air bag | Fault activation during driving | E4 | C3 | S3 | D |

Reference:
*: H. Onishi, Approach for Vehicle Cyber Security with Functional Safety Concept, in SAE World Congress, Detroit, MI, Apr. 13
**: R. Hamann et al., "ISO 26262 Release Just Ahead: Remaining Problems and Proposals for Solutions", in SAE World Congress, Detroit, MI, Apr. 11
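
Added example (not part of the original slides): the ISO 26262 ASIL determination behind the hazard-assessment sample above, recomputed from the slide's own E/C/S ratings and used to order the functions by hazard. The function names are hypothetical, the sum rule is a compact restatement of the ISO 26262-3 risk graph, and class 0 ratings are treated as QM.

```python
import re

# ISO 26262-3 risk graph, restated compactly: for S1-S3, E1-E4, C1-C3 the
# ASIL depends only on the sum of the class indices; anything below 7 is QM.
ASIL_BY_SUM = {7: "A", 8: "B", 9: "C", 10: "D"}
MAX_CLASS = {"E": 4, "C": 3, "S": 3}
ORDER = ["QM", "A", "B", "C", "D"]

# (function, E/C/S rating, ASIL) transcribed from the slide's sample table.
SLIDE_ROWS = [
    ("CD/DVD control", "E3 C1 S1", "QM"),
    ("Navigation", "E2 C2 S3", "A"),
    ("Emergency call", "E1 C3 S3", "A"),
    ("Rearview camera", "E3 C2 S2", "A"),
    ("Air conditioner", "E3 C3 S3", "C"),
    ("Turn signal", "E1 C2 S3", "QM"),
    ("Power window", "E2 C2 S3", "A"),
    ("Air bag", "E4 C3 S3", "D"),
]


def parse_rating(text):
    """Turn 'E3 C1 S1' (any order, any case) into {'E': 3, 'C': 1, 'S': 1}."""
    rating = {}
    for letter, digit in re.findall(r"\b([ECS])(\d)\b", text.upper()):
        if letter in rating or int(digit) > MAX_CLASS[letter]:
            raise ValueError(f"bad {letter} class in {text!r}")
        rating[letter] = int(digit)
    if set(rating) != set(MAX_CLASS):
        raise ValueError(f"need exactly one E, C and S class in {text!r}")
    return rating


def asil(text):
    """Return 'QM', 'A', 'B', 'C' or 'D' for a rating string."""
    rating = parse_rating(text)
    if 0 in rating.values():  # S0, E0 or C0: no ASIL is assigned
        return "QM"
    return ASIL_BY_SUM.get(sum(rating.values()), "QM")


def check_and_rank(rows):
    """Recompute each row's ASIL; return (mismatches, rows ranked by hazard)."""
    computed = [(name, asil(rating), stated) for name, rating, stated in rows]
    mismatches = [(n, got, stated) for n, got, stated in computed if got != stated]
    # sorted() is stable, so rows with equal ASIL keep the slide's order.
    ranked = sorted(((n, got) for n, got, _ in computed),
                    key=lambda item: ORDER.index(item[1]), reverse=True)
    return mismatches, ranked


if __name__ == "__main__":
    mismatches, ranked = check_and_rank(SLIDE_ROWS)
    print("rows disagreeing with the risk graph:", mismatches)
    for name, level in ranked:
        print(f"{level:>2}  {name}")
```
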

3. Vehicle Cyber Security Approaches
Concepts of system security
+ 6 security phases should be covered by both process/management and technologies
  ~ CIP (Critical Infrastructure Protection) by NERC (North American Electric Reliability Corporation) *
  6 phases:
  - Analysis and Assessment
  - Remediation
  - Indications and Warnings
  - Mitigation
  - Incident Response
  - Reconstitution
+ New concept: Trustworthy (computing) design approaches **
  Initial system design in consideration of Security, Privacy, Reliability and Business Integrity.
  e.g. Brake should be reliable
References:
*: http://en.wikipedia.org/wiki/critical_infrastructure_protection
**: Craig Mundie (Microsoft CTO and Senior VP), ( 02)

4. Vehicle Cyber Security Guidelines
Guidelines samples for cyber physical systems

| Guideline name | Publisher | Domain | Description |
|---|---|---|---|
| IEC62443 (Industrial network & system security) | | Industrial system | Cover broader industrial systems |
| NIST 800-61 | NIST | PC/internet & Industrial system | Handle incidents (including attack analysis, recovery, etc) |
| Guide to Industrial Control System security | NIST | Industrial system | Cover broader industrial systems, from management & technical sides |
| CIP (Critical Infrastructure Protection) | NERC | PC/internet & Industrial system | Cover broader critical infrastructures, considering 6 phases (e.g. mitigation, recovery) |
| EVITA deliverables | EU | Vehicle | Outputs from research project |
| Vehicle information security guide | IPA (agency) | Vehicle | |
| J3061 (Cyber security Guidebook for Cyber Physical Automotive Systems) ** | | Vehicle | Under development |

Contents (Process / Technology): (mainly), (part of)
References:
*: www.nerc.com/pa/stand/pages/cipstandards.aspx
**: www.sae.org/servlets/works/documenthome.do?comtid=tevees18&docid=j3061&inputpage=docdetails

4. Vehicle Cyber Security Guidelines
European project EVITA
Created possible attack trees for selected use cases (18 use cases for 6 groups).
[Figure: Sample of attack tree, "Compromise driver's privacy"; labels: Attack goal, Attack methods]
Reference:
~ EVITA deliverable D2.3 Security requirements for automotive on-board networks based on dark-side scenarios ( 09)

4. Vehicle Cyber Security Guidelines
European project EVITA
Provide security requirements, based on the identified attack trees.
[Figure: Sample of security requirements, Privacy/confidentiality]
Reference:
~ EVITA deliverable D2.3 Security requirements for automotive on-board networks based on dark-side scenarios ( 09)

4. Vehicle Cyber Security Guidelines
European project EVITA
Provide reference architecture including HSM (Hardware Security Module)
+ Development of Hardware Security Modules deployed with ECUs
  - Key protection
  - Trusted computing base
  - Secured storage
  - Cost effective
+ In-car cryptographic protocols to secure ECU-ECU and sensor communication
+ Software framework integrating authentication, encryption & access control, etc
Reference:
~ B. Weyl, et al., The EVITA Project: Securing the Networked Vehicle, in escar (Dresden, Germany 11)

4. Vehicle Cyber Security Guidelines
Japanese agency (IPA)'s guide
+ Covers whole life cycle of vehicle (Planning ~ Disposal).
+ Covers all players related to vehicle life cycle.
Information Technology Promotion Agency
Reference:
~ http://www.ipa.go.jp/files/000033402.pdf

4. Vehicle Cyber Security Guidelines
Japanese agency (IPA)'s guide
Vehicle system model of IPA guideline
Categorized functions in 3 groups
Reference:
~ http://www.ipa.go.jp/files/000033402.pdf

4. Vehicle Cyber Security Guidelines
Japanese agency (IPA)'s guide
Threats and countermeasures (based on vehicle system model)
[Figure legend: Direct threats thru physical I/O; Indirect threats thru vehicle bus; Potential effective countermeasures]
Reference:
~ http://www.ipa.go.jp/files/000033402.pdf

4. Vehicle Cyber Security Guidelines
SAE Electrical system security committee's approach
Automotive Security Guidelines & Risk Management Taskforce (under Vehicle Electrical System Security committee)
+ Creates Cyber security Guidebook for Cyber Physical Automotive Systems
  - Complies with Risk Methodology in ISO 26262 Functional Safety Standard
  - Contains automotive cyber security framework and processes
  - Evaluates Threat Analysis and Risk Assessment (TARA) methods
  - Follows simple approach to allow effective implementation across the automotive industry
  - Contains elements of existing industry security standards
  - Provides definitions, acronyms and sample templates
+ Expected to be completed by Mid 2014
Reference:
~ L. Boran (SAE Committee Chair) Automotive Cyber Security, escar (Nov, 13, Frankfurt, Germany)

5. Summary
Vulnerabilities in vehicle cyber security:
  - Limited vehicle external connectivity
  - Limited computational performance
  - Real-time operation
  - Various components/parts from various suppliers
  - Unpredictable attack scenarios and threats
  - Hazard to drivers' and passengers' lives
Proper security requires well-defined risk analysis
  - Risk depends on hackers' motivation/skills, magnitude of hazard and vulnerability of security.
Many guidelines have been issued or are under development for the automotive industry.
  - EVITA (E-safety vehicle intrusion protected applications) guideline
  - IPA (Information Technology Promotion Agency) guideline
  - SAE guideline under development

Thank you for your attention!!
Hiro Onishi
Alpine Electronics Research of America, Inc.
honishi@alpine la.com
Tel: +1 310 783 7281
Slide design: Mari Hatazawa, mhatazawa@alpine la.com