CHALLENGES FOR SECURITY WITHIN AUTOMOTIVE · 2017-12-01 · CHALLENGES FOR SECURITY WITHIN...
© 2017 Renesas Electronics Corporation. All rights reserved.
CHALLENGES FOR SECURITY WITHIN AUTOMOTIVE
TIER2 PERSPECTIVE
26 JAN 2017
HARMAN HUNJAN
MANAGER
AUTOMOTIVE SECURITY COMPETENCE CENTRE
ENGINEERING GROUP
RENESAS ELECTRONICS EUROPE LTD
AGENDA
Security: Why do we need to be concerned
Security and Safety
Security Cycle
Security: A Core Organisational Horizontal
Cost Model Dilemma
Making Informed Security Decisions
CyberSecurity Standards
ISO-SAE Automotive Cyber Security Standard Overview
WHY DO I NEED TO BE CONCERNED? : CONSUMER WORLD
WHY DO I NEED TO BE CONCERNED? : TECHNOLOGY
• More Interfaces (Bluetooth, WIFI, RF, DAB, 2-5G, C2X)
• More software layers (Linux, RTOS, AUTOSAR, driver, application)
• New vehicles are computers on wheels: 20 years of previous hacking experience can now be applied
• Millions of lines of code in a vehicle increase the possibility of
exploitable vulnerabilities due to software defects
• The attack surface is growing, leading to more vulnerable systems.
Gateway and Infotainment
• Secure back-end communications
• Content protection & DRM
• Firewalling (USB, Bluetooth, etc.)
All application domains
• Secure on-board communications
• Secure download / programming
• Secure boot
• Protection against manipulation during run-time
• Secure data storage
• Life cycle management (ECU / MCU)
Car-to-X Communications (C2X)
• Secure OTA communications (ultra high-speed authentication)
SECURITY & SAFETY
Attack (security)
• An attack occurs outside the system
• An attack is intentional
• The attacker exploits a vulnerability of the system to achieve a benefit from a system disadvantage
Failure (safety)
• A failure occurs inside the system
• A failure is unintentional
• A failure is the termination of the ability of an element to perform a function as required
Safety target: to protect against harm due to malfunctioning behaviour coming from failures or unintended behaviour
Security target: to protect from issues associated with
• Loss of privacy
• Vehicle operability due to threat/attack
• Financial loss
• Safety implication of the threats
Different analysis approaches:
• Failure analysis ≠ Threat analysis
• Security tasks ≠ Safety tasks
A common process framework is needed to allow cooperation, in order to prevent harm under the scope of safety that comes from an intentional attack.
SECURITY CYCLE
Security Requirements & Consortia
- Drive definition
- ISO, SAE, ETSI
- C2C
Analysis Methodology & Tools
- Aligned with standards (EVITA, CVSS)
- Training programmes (e-learning)
Threat and Attack Analysis
- Comprehensive databases
- Impact analysis
Secure IP
- HSM
- AES, RNG, LFSR
- Intrusion detection
- Anti-counterfeiting
- E-fusing
Secure S/W
- Secure S/W solutions along with targeted strengthening of secure H/W at application level by using secure S/W extensions
- Body, powertrain, chassis, infotainment solutions
Secure Solution
- Consultancy to customer
- Concept security
- Product security
- Assessment reports
Security Assessment & Validation
- Validation of countermeasures
- FIPS
SECURITY: A CORE ORGANISATIONAL HORIZONTAL
Horizontal: Security Process, Procedures, Standardisation
- Security Analysis
- Security Assessment
- Security Certification
Verticals: Secure IP, Secure SW, Secure Sub-Solutions, Secure Firmware, Secure Device Solution
Compliance and Structure
Target: Ensure safety and security of everyone in their day to day lives
Security needs to be implemented as a core horizontal process to aid vertical developments.
Target of Automotive Security Standard: the standard should define the expectations of the interfacing to the verticals and the development and maintenance through the lifecycle.
COST MODEL DILEMMA
Security provisioning comes with cost – this needs to be visualised in the supply chain.
Customer decision points:
1. Features
2. Cost
3. Performance
4. Safety grade
5. Security ‘grade’
6. …..
7. …..
To fulfil the security ‘grade’, TIER2s need:
- Effective Security Protection
- Effective Security Performance
- Effective Security Training
To achieve this, TIER2s need:
- Effective Secure IP
- Security Certification
- Security Analysis System aligned with Standards!
Target: Customers buy a secure silicon solution!
Figure (elements shown): Methods; Tools; Secure IP (AES, ECC, PQCrypto, MAC-SEC, TRNG); Secure S/W; Secure Solutions; Safe&Secure; E-learning; R&D; develop, and follow and input to AESIN, C2C, ISO, SAE, AutoSar (partial).
MAKING INFORMED SECURITY DECISIONS
Threats & Attacks: Analyse - Judge Motivations - Calculate Probability
Asset: Risk Profile
Security Options: Analyse - Select Protection Options - Calculate probability improvement
Methodology and structure are required to make informed decisions for the Security Protection Requirements.
Security Protection Areas: Physical, H/W, S/W
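The slide above asks for a risk profile per asset built from the probability of the threats against it and the probability improvement a protection option buys. As an added worked example (not Renesas code and not from the slides), the Python below scores an attack path on the five attack-potential factors of the Common Criteria evaluation methodology (ISO/IEC 18045 Annex B), which EVITA reuses, maps the summed potential to EVITA's 1-5 attack probability, and compares a body-ECU reflash threat before and after secure boot with signed updates. The factor point values, rating bands and probability mapping are quoted from those documents; the ECU, the attack-path ratings, the severity figures and the per-harm "severity times probability" risk figure are constructed assumptions for illustration (EVITA itself combines severity and probability through a risk graph, which is not reproduced here).

```python
"""Attack potential and probability improvement for one asset.

Added example for the 'Making Informed Security Decisions' slide; not Renesas
code. Tables: CEM (ISO/IEC 18045 Annex B) attack potential factors as reused
by EVITA, and EVITA's rating-to-probability mapping. The scenario values are
constructed.
"""
from dataclasses import dataclass
from typing import Dict

# CEM attack potential factor tables: points contributed per factor.
# A higher total means the attack is harder to identify and exploit.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=2 weeks": 2, "<=1 month": 4,
                "<=3 months": 10, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "sensitive": 7, "critical": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9}

# CEM bands for "attack potential required to exploit" and EVITA's mapping of
# the band to an attack probability (5 = most likely, 1 = least likely).
RATING_BANDS = [(0, "basic"), (10, "enhanced-basic"), (14, "moderate"),
                (20, "high"), (25, "beyond high")]
PROBABILITY = {"basic": 5, "enhanced-basic": 4, "moderate": 3,
               "high": 2, "beyond high": 1}


@dataclass(frozen=True)
class AttackPath:
    """One way of realising a threat, rated on the five CEM factors."""
    name: str
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def potential(self) -> int:
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE[self.knowledge] + WINDOW[self.window]
                + EQUIPMENT[self.equipment])

    def rating(self) -> str:
        label = RATING_BANDS[0][1]
        for lower, band in RATING_BANDS:   # bands are ascending; keep the last one reached
            if self.potential() >= lower:
                label = band
        return label

    def probability(self) -> int:
        return PROBABILITY[self.rating()]


@dataclass(frozen=True)
class Threat:
    """Threat against an asset: severity per harm class (0..4, EVITA style)
    and the cheapest attack path currently known."""
    asset: str
    severity: Dict[str, int]   # keys: safety, privacy, financial, operational
    path: AttackPath

    def risk(self) -> Dict[str, int]:
        # Constructed simplification: severity times attack probability per
        # harm class. EVITA uses a risk graph instead; this keeps the ordering
        # but is not the standard's table.
        p = self.path.probability()
        return {harm: s * p for harm, s in self.severity.items()}


def improvement(before: Threat, after: Threat) -> Dict[str, int]:
    """Drop in each risk figure when a countermeasure forces the attacker onto
    a harder path (positive = improvement)."""
    b, a = before.risk(), after.risk()
    return {harm: b[harm] - a[harm] for harm in b}


# Constructed scenario: an ECU whose firmware can be replaced over a diagnostic
# interface. Without secure boot a modified image is accepted as-is.
UNSIGNED_FLASH = AttackPath("reflash with modified image over diagnostics",
                            elapsed_time="<=1 month", expertise="expert",
                            knowledge="restricted", window="unlimited",
                            equipment="standard")
# With secure boot plus signed updates the attacker must defeat the boot chain
# or the HSM key store instead (ratings assumed for illustration).
BREAK_SECURE_BOOT = AttackPath("defeat signature check in bootloader/HSM",
                               elapsed_time="<=6 months", expertise="multiple experts",
                               knowledge="sensitive", window="moderate",
                               equipment="bespoke")

SEVERITY = {"safety": 3, "privacy": 1, "financial": 2, "operational": 3}
BEFORE = Threat("body ECU firmware", SEVERITY, UNSIGNED_FLASH)
AFTER = Threat("body ECU firmware", SEVERITY, BREAK_SECURE_BOOT)

if __name__ == "__main__":
    for t in (BEFORE, AFTER):
        print(f"{t.path.name}: potential={t.path.potential()} rating={t.path.rating()} "
              f"probability={t.path.probability()} risk={t.risk()}")
    print("improvement:", improvement(BEFORE, AFTER))
```

The point of the comparison is the decision, not the arithmetic: the unsigned reflash path totals 13 points (enhanced-basic, probability 4), while forcing the attacker through the signature check totals 43 (beyond high, probability 1), so the protection option can be argued to a customer in the same terms as the threat. Rating the "after" path honestly is the hard part; if the secure-boot implementation has a known bypass, its factors drop and so does the improvement.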
CYBERSECURITY STANDARDS: AUTOMOTIVE AND INDUSTRIAL
Standards and guidelines shown on the 2009-2016 timeline:
- ISA/IEC TS 62443-1-1 Industrial communication networks - Network and system security (formerly referred to as ISA-99 part 1)
- ISA/IEC 62443-2-1 Industrial communication networks - Network and system security - Establishing an industrial automation and control system security program (formerly referred to as ANSI/ISA-99 part 2)
- J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems
- ETSI TR 102 893 V1.1.1 - ITS; Security; Threat, Vulnerability and Risk Analysis (TVRA)
- DIS ISO 26262 Road vehicles -- Functional safety, 2nd edition with cybersecurity
- ISO/IEC Information technology -- Trusted platform module library
- ETSI TR 102 698 - ITS; Vehicular Communications; C2C-CC Demonstrator 2008; Use Cases and Technical Specifications
- ISA/IEC 62443-3-3 Industrial communication networks - Network and system security - System security requirements and security levels
- ISO/SAE N3556 (draft) TC 22 Road Vehicles — Vehicle CyberSecurity Engineering (proposed title) (1)
- J3101 WIP Requirements for Hardware-Protected Security for Ground Vehicle Applications (2)
(1) Work in progress – expected in 2019
(2) Work in progress
Hardware Security Modules (HSM) specifications, 2008-2015 timeline (European funded research projects):
- Start of Security WG
- End of the SEVECOM project
- End of the PRECIOSA project
- EVITA deliverables
- End of the EVITA project
- Bosch HSM based on EVITA SHE Specification
- End of the SESAMO project
ISO-SAE AUTOMOTIVE CYBER SECURITY STANDARD: UK EXPERTS DELEGATION VIEW
• In parallel to the established ISO26262, there is an urgent need for a definitive Security Process for Automotive.
• Safety and Security have a strong overlap and interface, but at the same time it is important that both are considered independently.
• Safety and Security are independent disciplines requiring specific expertise.
• Safety analysis is related to unintentional faults, whereas security is related to intentional faults and the exploitation of vulnerabilities.
• The dynamic nature of threats/attacks puts additional requirements on the security lifecycle.
• The concept of item evaluation (e.g. CC) is an important part that the standard also needs to define/guide.
• UK supports the drive to develop a single standard that will cater for Automotive Security Engineering, building on the core components defined already in J3061.
• Based on the experience of the expert members, we look forward to active debate and consensus to achieve the target goal of this standard.
UK DELEGATION: KEY OBJECTIVES FOR THE STANDARD (1/2)
• Establish defined terminology that can be used universally and consistently through the development lifecycle within organisations, across development teams and across the automotive industry.
• Set the expectation of the need to make informed decisions within the development cycle which are supported by tangible qualitative/quantitative evidence.
• Clear definition of the expected minimum work products required to:
- align to expected legislative compliance
- provide a coherent interface to Safety
- handle security incident response
- handle decommissioning
• Develop a security culture within an organisation/industry – security is not bolted on – it is built in.
• Bind together industry based security activities by actively referring to associated/relevant standards/consortia such as ISO26262, J3061, J3101, C2C.
UK DELEGATION: KEY OBJECTIVES FOR THE STANDARD (2/2)
Automotive Security Standard
What to do (INSTRUCTION):
- Identify Assets
- Assess Threats/Risks
- Prioritise
- Review
- Control
- Document
- …
How to do (SUPPORT): examples of common approaches
- EVITA
- STRIDE
- HEAVENS
- C2C
- ….
In reference to:
- H/W
- S/W
- Infrastructure
- Incident response
- Decommissioning
This is expected to apply to OEMs, tier 1s, hardware and software developers/suppliers.
ISO-SAE AUTOMOTIVE CYBER SECURITY STANDARD
Part1: Automotive Security Engineering
Security and Risk Mgmt Vocab
Roles in Automotive Security Process
Part2: Management and Supporting Processes
Mgmt of Automotive Security
Automotive Security Mgmt in Product Concept and
Development
Automotive Security Mgmt after release for production
Supporting Processes
Supplier Mgmt
Part3: Item Development
Risk Mgmt and Automotive Security Engineering
Initial Check for Security Relevance
Automotive Security Requirements Development
Development
Verification and Validation
Release for Production
Preparation of operational phase
5 Task Forces Assigned
1. Risk Assessment Process
2. Product Development
3. Operations, Maintenance and other supporting process
4. Process Overview
5. Project Management Team
Scope of the proposed deliverable:
This standard shall be written in order to allow for coordinated and state-of-the-art procedures in the automotive industry for realising cybersecurity during engineering and production of vehicles and automotive components, and to facilitate the communication of automotive security issues across enterprise boundaries by defining a common language. This standard addresses neither the concrete choice of security countermeasures and their parameters, nor the security-related content which should be included in communication standards with external devices.
www.renesas.com