CHALLENGES FOR SECURITY WITHIN AUTOMOTIVE · 2017-12-01

© 2017 Renesas Electronics Corporation. All rights reserved.

CHALLENGES FOR SECURITY WITHIN AUTOMOTIVE

TIER2 PERSPECTIVE

26 JAN 2017

HARMAN HUNJAN, MANAGER, AUTOMOTIVE SECURITY COMPETENCE CENTRE, ENGINEERING GROUP, RENESAS ELECTRONICS EUROPE LTD

AGENDA

Security: Why do we need to be concerned

Security and Safety

Security Cycle

Security: A Core Organisational Horizontal

Cost Model Dilemma

Making Informed Security Decisions

CyberSecurity Standards

ISO-SAE Automotive Cyber Security Standard Overview

WHY DO I NEED TO BE CONCERNED? : CONSUMER WORLD

WHY DO I NEED TO BE CONCERNED? : TECHNOLOGY

• More Interfaces (Bluetooth, WIFI, RF, DAB, 2-5G, C2X)

• More software layers (Linux, RTOS, AUTOSAR, driver, application)

• New vehicles are computers on wheels: 20 years of previous hacking experience can now be applied

• Millions of lines of code in a vehicle increase the possibility of exploitable vulnerabilities due to software defects

• The attack surface is growing, leading to more vulnerable systems.

Security requirements by vehicle domain (from the slide diagram):

Gateway
• Secure back-end communications

Infotainment
• Content protection & DRM
• Firewalling (USB, Bluetooth, etc.)

All application domains
• Secure on-board communications
• Secure download / programming
• Secure boot
• Protection against manipulation during run-time
• Secure data storage
• Life cycle management (ECU / MCU)

Car-to-X Communications (C2X)
• Secure OTA communications (ultra high-speed authentication)

SECURITY & SAFETY

Attack (security view)
• An attack occurs outside the system
• An attack is intentional
• The attacker exploits a vulnerability of the system to achieve a benefit from a system disadvantage

Failure (safety view)
• A failure occurs inside the system
• A failure is unintentional
• A failure is the termination of the ability of an element to perform a function as required

Safety target: to protect against harm due to a malfunctioning behaviour coming from failures or unintended behaviour.

Security target: to protect from issues associated with
• Loss of privacy
• Vehicle operability due to threat/attack
• Financial loss
• Safety implication of the threats

Different analysis approaches:
• Failure analysis ≠ Threat analysis
• Security tasks ≠ Safety tasks

Common process framework to allow cooperation in order to prevent the harm, under the scope of safety, coming from an intentional attack.

SECURITY CYCLE

Security Requirements & Consortia
- Drive Definition
- ISO, SAE, ETSI
- C2C

Analysis Methodology & Tools
- Aligned with Standards (EVITA, CVSS)
- Training Programmes (E-Learning)

Threat and Attack Analysis
- Comprehensive Databases
- Impact Analysis

Secure IP
- HSM
- AES, RNG, LFSR
- INTRUSION DETECTION
- ANTI-COUNTERFEITING
- E-FUSING

Secure S/W
- Secure S/W solutions along with targeted strengthening of Secure H/W at application levels by using Secure S/W extensions
- Body, Powertrain, Chassis, Infotainment solutions

Secure Solution
- Consultancy to customer
- Concept Security
- Product Security
- Assessment reports

Security Assessment & Validation
- Validation of countermeasures
- FIPS

SECURITY: A CORE ORGANISATIONAL HORIZONTAL

Horizontal processes
- Security Process, Procedures, Standardisation
- Security Analysis
- Security Assessment
- Security Certification
- Compliance and Structure

Vertical developments
- Secure IP
- Secure SW
- Secure Sub Solutions
- Secure Firmware
- Secure Device Solution

Target: Ensure safety and security of everyone in their day to day lives

Security needs to be implemented as a core horizontal process to aid vertical developments.

Target of Automotive Security Standard: the standard should define the expectations of the interfacing to the verticals and the development and maintenance through the lifecycle.

COST MODEL DILEMMA

Security provisioning comes with cost – this needs to be visualised in the supply chain.

Customer decision points:

1. Features
2. Cost
3. Performance
4. Safety grade
5. Security ‘grade’
6. …..
7. …..

To fulfil security ‘grade’ TIER2s need:
- Effective Security Protection
- Effective Security Performance
- Effective Security Training

To achieve this TIER2s need:
- Effective Secure IP
- Security Certification
- Security Analysis System aligned with Standards!

Target: Customers buy secure silicon solution!

Supporting building blocks (from the slide diagram):
- Methods and Tools: Secure IP, Secure S/W, Secure Solutions, Safe&Secure
- Develop (R & D): AES, ECC, PQCrypto, MAC-SEC, TRNG, E-learning
- Follow and input: AESIN, C2C, ISO, SAE, AutoSar (partial)

MAKING INFORMED SECURITY DECISIONS

Threats & Attacks
- Analyse
- Judge Motivations
- Calculate Probability

Asset: Risk Profile

Security Options
- Analyse
- Select Protection Options
- Calculate probability improvement

Security Protection Areas: Physical, H/W, S/W

Methodology and structure are required to make informed decisions for the Security Protection Requirements.

CYBERSECURITY STANDARDS: AUTOMOTIVE AND INDUSTRIAL

Standards timeline (2009–2016):
- ISA/IEC TS 62443-1-1 Industrial communication networks - Network and system security (formerly referred to as ISA-99 part 1)
- ISA/IEC 62443-2-1 Industrial communication networks - Network and system security - Establishing an industrial automation and control system security program (formerly referred to as ANSI/ISA-99 part 2)
- ISA/IEC 62443-3-3 Industrial communication networks - Network and system security - System security requirements and security levels
- J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems
- ETSI TR 102 893 V1.1.1 – ITS; Security; Threat, Vulnerability and Risk Analysis (TVRA)
- ETSI TR 102 698 - ITS; Vehicular Communications; C2C-CC Demonstrator 2008; Use Cases and Technical Specifications
- DIS ISO 26262 Road vehicles -- Functional safety, 2nd edition with cybersecurity
- ISO/IEC Information technology -- Trusted platform module library
- ISO/SAE N3556 (draft) TC 22 Road Vehicles — Vehicle CyberSecurity Engineering (proposed title) (1)
- J3101 WIP Requirements for Hardware-Protected Security for Ground Vehicle Applications (2)

(1) Work in progress – expected in 2019
(2) Work in progress

Hardware Security Modules (HSM) Specifications and European funded Research Projects (2008–2015):
- Start of Security WG
- End of the SEVECOM project
- End of the PRECIOSA project
- EVITA deliverables
- End of the EVITA project
- End of the SESAMO project
- Bosch HSM based on EVITA SHE Specification

ISO-SAE AUTOMOTIVE CYBER SECURITY STANDARD: UK EXPERTS DELEGATION VIEW

• In parallel to the established ISO 26262, there is an urgent need for a definitive Security Process for Automotive.

• Safety and Security have a strong overlap and interface, but at the same time it is important that both are considered independently.

• Safety and Security are independent disciplines requiring specific expertise.

• Safety analysis is related to unintentional faults, whereas security is related to intentional faults / exploitation of vulnerabilities.

• The dynamic nature of threats/attacks puts additional requirements on the security lifecycle.

• The concept of item evaluation (e.g. CC) is an important part that the standard also needs to define/guide.

• The UK supports the drive to develop a single standard that will cater for Automotive Security Engineering, building on the core components already defined in J3061.

• Based on the experience of the expert members, we look forward to active debate and consensus to achieve the target goal of this standard.

UK DELEGATION: KEY OBJECTIVES FOR THE STANDARD (1/2)

• Establish defined terminology that can be used universally and consistently through the development lifecycle within organisations, across development teams and across the automotive industry.

• Set the expectation of the need to make informed decisions within the development cycle which are supported by tangible qualitative/quantitative evidence.

• Clear definition of the expected minimum work products required to:
  - align to expected legislative compliance
  - provide a coherent interface to Safety

• Handle Security incident response

• Handle Decommissioning

• Develop a Security Culture within an organisation/industry – security is not bolted on, it is built in.

• Bind together industry-based security activities by actively referring to associated/relevant standards/consortia such as ISO 26262, J3061, J3101, C2C.

UK DELEGATION: KEY OBJECTIVES FOR THE STANDARD (2/2)

Automotive Security Standard

What to do (INSTRUCTION)
- Identify Assets
- Assess Threats/Risks
- Prioritise
- Review
- Control
- Document
- …

How to do (SUPPORT)
- Examples of common approaches: EVITA, STRIDE, HEAVENS, C2C, ….
- In reference to: H/W, S/W, Infrastructure, Incident response, Decommissioning

This is expected to apply to OEMs, tier 1s, hardware and software developers/suppliers.

ISO-SAE AUTOMOTIVE CYBER SECURITY STANDARD

Part 1: Automotive Security Engineering
- Security and Risk Mgmt Vocab
- Roles in Automotive Security Process

Part 2: Management and Supporting Processes
- Mgmt of Automotive Security
- Automotive Security Mgmt in Product Concept and Development
- Automotive Security Mgmt after release for production
- Supporting Processes
- Supplier Mgmt

Part 3: Item Development
- Risk Mgmt and Automotive Security Engineering
- Initial Check for Security Relevance
- Automotive Security Requirements Development
- Development
- Verification and Validation
- Release for Production
- Preparation of operational phase

5 Task Forces Assigned

1. Risk Assessment Process
2. Product Development
3. Operations, Maintenance and other supporting process
4. Process Overview
5. Project Management Team

Scope of the proposed deliverable:

This standard shall be written in order to allow for coordinated and state-of-the-art procedures in the automotive industry for realizing cybersecurity during engineering and production of vehicles and automotive components and to facilitate the communication of automotive security issues across enterprise boundaries by defining a common language. This standard addresses neither the concrete choice of security countermeasures and their parameters nor the security-related contents which should be included into communication standards with external devices.


www.renesas.com