AN OVERVIEW OF NHTSA’S VEHICLE CYBERSECURITY RESEARCH PROGRAM Cem Hatipoglu, Ph.D. Chief, Electronic Systems Safety Division National Highway Traffic Safety Administration

SAE INTERNATIONAL

“ Save lives, prevent injuries and reduce economic costs due to road traffic crashes, through education, research, safety standards and enforcement activity.”

NHTSA’s Mission

2

”

SAE INTERNATIONAL

32,675 people died due to motor vehicle accidents in 2014. • Modern crash avoidance and vehicle-to-vehicle (V2V)

communications technologies that heavily rely on electronic systems hold the promise to address most crash challenges

3

The Need for Continued Technological Innovations

SAE INTERNATIONAL

However, these safety features introduce new cybersecurity challenges and vulnerabilities as demonstrated by our research and that of others.

4

The Need for Cybersecurity Research

Failure to tackle the cybersecurity challenge would threaten the technology-driven safety transformation we all want to achieve.

SAE INTERNATIONAL

Organizational changes: Establishment of Electronic Systems Safety Research Division and Electronics Council

5

NHTSA and Vehicle Cybersecurity

Cybersecurity research program: Identified five actionable goals; layered approach

Partnerships: Working with multiple public and private stakeholders

http://www.nhtsa.gov/staticfiles/administration/pdf/presentations_speeches/2015/NHTSA-VehicleCybersecurity_07212015.pdf

SAE INTERNATIONAL 6

Electronic Systems Safety Program Areas

Vehicle Cybersecurity

Electronics Reliability

Automated Vehicles

Protection of vehicular electronic systems, communication networks, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation.

SAE INTERNATIONAL 7

Use of Electronics in Cars

Not new… Dates back to 1970s (not including uses in radio)

Today, a typical automobile features over 100 microprocessors, 50 electronic control units, five miles of wiring and 50-100 million lines of code.

•Active Suspension •Active Vibration Control •Adaptive Cruise Control •Adaptive Front Lighting •Airbag Deployment •Anti-lock Braking •Autonomous Emergency Braking •Battery Management •Blind Spot Detection •Cabin Environment Controls •Communication Systems •Cylinder Deactivation •Driver Alertness Monitoring •Electronic Power Steering •Electronic Seat Control •Electronic Stability Control •Electronic Throttle Control •Electronic Toll Collection •Electronic Valve Timing •Engine Control •Entertainment System

•Event Data Recorder •Hill Hold Control •Idle Stop-Start •Instrument Cluster Control •Intelligent Turn Signals •Interior Lighting •Lane Departure Warning •Lane Keeping Assist •Navigation •On-Board Diagnostics •Parental Controls •Parking Systems •Pre-crash Safety •Rear-view Camera •Regenerative Braking •Remote Keyless Entry •Security Systems •Tire Pressure Monitoring •Traffic Sign Recognition •Transmission Control •Windshield Wiper Control

Sample electronic functions on a modern vehicle

SAE INTERNATIONAL 8

Threat Vectors into Vehicle Systems

Physical

Wireless

Short Range Long Range

DSRC

Bring Your Own Device (BYOD) / Aftermarket Devices*

E.g. Insurance dongles on OBD-II;

cellphones via USB

SAE INTERNATIONAL 9

NHTSA’s Vehicle Cybersecurity Research Program and Goals

Share vehicle cybersecurity knowledgebase

Facilitate implementation of voluntary industry standards

Foster development of new system solutions to improve cybersecurity

Investigating minimum performance based vehicle safety requirements for cybersecurity

Develop foundational materials to inform policy decisions

1

2

3

4

5

SAE INTERNATIONAL 10

NHTSA’s Vehicle Cybersecurity Research Program and Goals

Expanding in-house cyber research capabilities

Share vehicle cybersecurity knowledgebase 1

• Communication bus monitoring

• RF monitoring • GPS Spoofing • GPS Simulation • Firmware Analysis

Equipment • Vector CANalyzer • Roller Dynamometer • USRP Software Defined

Radio • GPS Satellite Simulator • Spectrum Analyzer • IDA Pro

Future Capabilities Capabilities • Femtocell/cellular

base transceiver station

• RF Disruption – LTE, DSRC,

GPS, Radar

SAE INTERNATIONAL 11

NHTSA’s Vehicle Cybersecurity Research Program and Goals

Researching cybersecurity best practices in relation to vehicle industry

Attending, organizing and presenting at cybersecurity events; Engaging in detailed public and private discussions on cybersecurity • OEMs, Tier 1, Tier 2 Suppliers, SAE International; TRB; etc. • Other Government Agencies (NHTSA roundtable discussions).

Share vehicle cybersecurity knowledgebase 1

SAE INTERNATIONAL 12

NHTSA’s Vehicle Cybersecurity Research Program and Goals

Monitoring and participating in industry standard setting efforts

Monitoring related global activities • HEAVENS, JASPAR, ISO, Trilateral Working Groups, World Economic Forum, etc.

Encouraged vehicle industry to set up an Automotive information sharing and analysis center (ISAC) • Global Automakers and Alliance of Automotive Manufacturers have undertaken the initiative and

their investigation led to the establishment of the Auto-ISAC, which started operation in 2015. • Encouraging the group to gradually include other key stakeholders, such as the suppliers.

Facilitate implementation of voluntary industry standards 2

SAE INTERNATIONAL 13

NHTSA’s Vehicle Cybersecurity Research Program and Goals

Researching and monitoring activities on process solutions

“Layers of Protection”: Investigating various forms of solutions

Foster development of new system solutions to improve cybersecurity 3

Protective/Preventive Methods

Anomaly-based intrusion detection

Real-time response mechanisms

Assess Treatment Solutions

Systems to monitor vehicle data buses

Feedback loop for continuous improvements (e.g. facilitated by an ISAC –Information Sharing and Analysis Center).

Secure communications Encryption, Gateways, firewalls; Separation of functions

Address and isolate intrusions before vehicle systems compromised

SAE INTERNATIONAL 14

NHTSA’s Vehicle Cybersecurity Research Program and Goals

Develop a systematic vehicle security assessment approach

Study vehicle architectures and threat vectors and risks

Test and evaluate vehicle cybersecurity environment • Need performance metrics to validate theories in applied settings • Objective test procedures: practical, repeatable, reproducible

Investigating minimum performance based vehicle safety requirements for cybersecurity 4

SAE INTERNATIONAL 15

NHTSA’s Vehicle Cybersecurity Research Program and Goals

Research policy alternatives, certification and enforcement possibilities and associated challenges

Develop foundational materials to inform policy decisions 5

In October 2014, NHTSA published a federal register (FR) notice on “Automotive Electronic Control Systems Safety and Security”

NHTSA has completed the Report to Congress on the need for safety standards with regard to electronic systems based on its examination to date and public comments received to this FR notice • MAP-21 requirement; Expected to be published in the

coming weeks

SAE INTERNATIONAL 16

Current NHTSA Research on Vehicle Cybersecurity

Investigating Protective/Preventive solutions • Message authentication for communications Interfaces ( V2V project initiating) • Gateways, firewalls (project underway)

Researching Intrusion Detection Solutions • Vehicle bus monitoring for anomalous behavior; (project underway)

Assessing Treatment Solutions • Feedback loop for continuous improvements (Monitoring progress in standing up and

operationalizing an Automotive ISAC ).

Crosscutting Research • Vulnerability Testing (projects underway at our applied labs) • Software / Firmware Updates – including over the air means (project underway) • Evaluate Heavy Vehicle Cybersecurity (project underway) • Collaboration/coordination with other Federal agencies (e.g. DHS, NIST, FAA)

SAE INTERNATIONAL 17

Cyber Roundtable Discussion on January 19, 2016

“Vehicle Cybersecurity Roundtable” event held on Tuesday, Jan 19, 2016

Discussion topics included: Best approaches in this domain (regulations, guidelines, voluntary industry standards,

best practices, etc.) How best to capitalize efforts from other environments while applying to distinct

aspects of auto industry The roles of distinct stakeholder groups (government, industry, others) Policies, plans, strategies appropriate to respond to the speed of change and

challenges in cybersecurity Potential roadblocks to closing gaps or adopting available guidance for the

industry

The intent of the event was to identify actionable steps for the stakeholder groups to take such that the vehicle manufacturing industry can address the vehicle cybersecurity challenges effectively and expeditiously.

A follow on meeting with Federal stakeholders is scheduled for Friday, Jan 22, 2016.

SAE INTERNATIONAL 18

Summary

•They enable safety, efficiency, mobility and convenience features. •Safety and security assurance challenges come along. •Research programs in place to gather foundational materials informing future policy decisions.

Vehicle electronics growth is here to stay.

•Various research results targeted to be published 2015-2017 timeframe. •Extensions to heavy vehicle platforms underway. •Applied in-house research capabilities being expanded. •Non-traditional alternatives being considered. •Extensive stakeholder engagement ongoing.

NHTSA continues research in cybersecurity at quickest reasonable pace.

•Federal Register Notice on Electronic Systems Safety and Security published in October 2014. •NHTSA completed the report to Congress on the potential need for additional safety/security standards.

Electronics report to Congress underway.

•Electronics Reliability and Vehicle Cybersecurity • Building blocks for automated vehicles

•Similarities and differences with or without driver in the loop is of significant interest

Research extensions to Automated Vehicles in plan.

SAE INTERNATIONAL 19

NHTSA Resources

NHTSA’s crash avoidance research technical publications are posted at:

http://www.nhtsa.gov/Research/Crash+Avoidance/Office+of+Crash+Avoidance+Research+Technical+Publications

Electronic Systems Safety Research Division’s reports, related public documents are placed in the following non-rulemaking dockets:

• NHTSA-2014-0070: Vehicle Automation Topics and Publications • NHTSA-2014-0071: Automotive Cybersecurity Topics and Publications • NHTSA-2014-0092: Automotive Functional Safety and Reliability Topics

and Publications Dockets can be accessed at http://www.regulations.gov/

SAE INTERNATIONAL 20

NHTSA Resources

Cem Hatipoglu, Ph.D.

cem.hatipoglu@dot.gov

www.NHTSA.gov