车联网信息安全实践指导
合集下载
相关主题
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
Security Verification
Most security attacks are process and implementation related. They rarely lie within the cryptographic protocols and algorithms.
-6-
AUTOMOTIVE CYBERSECURITY Practical Guidance
Effective cybersecurity vs Cyberattack
OEM
Eavesdropping, Data leakage
Command injection, data corruption, back doors
Safety Verification
Security Verification
+ Security (ISO 27001, ISO 15408, ISO 21434, SAE J3061)
� Threat analysis and risk assessment � Abuse, misuse, confuse cases � Security engineering
WoO numerical Equipment /
Effort Effort numerical Threat numerical Threat level (high=4; low=1) Safety Financial Operational Privacy Impact Level
Asset / CIAAG
TARA - Identify and Agree on Assets
Specific automotive asset categories
Privacy, Legislation, Governance
e.g. private dat a
Safety e.g. Vehicle
functions
Suppliers
Man in the OBD middle attacksDSRC
ITS Operator
4G LTE
Physical attacks, Sensor confusion
Rogue clients, malware Public
Clouds
Trojans, Ransomware
Password attacks
Technical Security Concept HW SW SRV
Security Implementation
Security Mgmt in Production,
Operation, Service
Security Case, Assessment, Compliance
Security Validation
Refined Architecture
Security work products
TARA
Security Concept
Technical Security Concept
-8-
Determine Necessary Security Level with TARA Results
Asset ID Threat ID Expertise Expertise numerical Window of Opportunity
-2-
Automotive Trends Impact Safety and Security
1. Powertrain Energy efficiency Unintended speed change
2. Driver Assistance Autonomous driving Signal confusion
cation
Secure Gateways
Secure InVehicle
Communication
Secure Plawk.baidu.comform
New development: Inside out
✓ Secure communication to services outside the vehicle
✓ Intrusion detection mechanisms ✓ Firewalls ✓ Key Infrastructure / Vehicle PKI ✓ Synchronized secure time ✓ Authenticity of messages ✓ Integrity and freshness of
Security and Safety are inter-related and demand holistic systems engineering
-4-
ISO/SAE 21434 for Automotive Cybersecurity
Planning � Kickoff - 17.10.2016 � Currently: Committee Draft � Release: 2020 (Planned)
messages ✓ Confidentiality of messages
✓ Key storage ✓ Secure boot and secure update ✓ Crypto library ✓ HW trust anchor (HTA)
- 10 -
Security by Design: Secure Coding
Safety Management
after SOP
Security Management in
POS
Safety Case, Certification,
Approval
Security Case, Audit,
Compliance
Safety Validation
Security Validation
with respect to ISO 26262.
functions.
system can impact safety-
critical functions.
-9-
Layered Security Concept
Legacy: Outside in
Secure External Communi-
Operational Performance
e.g. Driving experience
Finance
e.g. Theft, liability, brand
image
Checklist to identify assets
➢ Which information, algorithm or intellectual property shall remain confidential?
Approach Risk-oriented approach following the Vector method for the whole lifecycle: � Concept/design phase � Product development � Production (roll out) � Operation � Decommissioning (roll over)
Attack vector
Potential effect of
Threat
SGID
Vehicle
attack
Function
Ast 01 Safety-
Avail Availability: Attacker floods Attacker disables engine Tht-1 Not further considered on advice of Layman 0 Critical 0 Standar 0
➢ Which data (e.g. configuration parameters) shall remain unchanged?
➢ Which functions or procedures shall be exclusively applied by e.g. the OEM?
➢ Which functions or data shall be always available?
Security Level
Requirements
Security Goals
Functional Security Rqmts.
Rqmts. of sec. Mechanisms
Architecture
TOE: Target of Evaluation
Preliminary Architecture
➢ Which company guidelines or legal requirements on data or procedures must be fulfilled?
Automotive Cybersecurity focuses on Confidentiality, Integrity, Authenticity, Availability, Governance (CIAAG)
Application vulnerabilities
Service Provider
Security will be the major liability risk in the future. Average security breach is detected in 70% of all cases by third party – after 8 months.
3. Connectivity Always connected Sudden Driver distraction
-3-
Security and Safety Standards
Functional Safety (IEC 61508, ISO 26262, ISO/PAS 21448)
� Hazard and risk analysis � Functions and risk mitigation � Safety engineering
Focus on governance ISO 21434 does NOT mandate technologies or solutions
-5-
Security Engineering
Assets, Threats and Risk
Assessment
Security Goals and
Requirements
Goal:
Avoid design and code errors which can lead to security exploits
Approach ➢ Use a hardened OS with secure partitioning Avoid embedded Linux due to its complexity and rapid change and thus many security gaps, (e.g. NULL function pointer dereferences, which allow hackers to inject executable code). ➢ Deploy secure boot strategy Starting with first-stage ROM loader with a pre-burned cryptographic key, the next levels are verified before executing to ensure authenticity of each component of the boot ➢ Apply rigorous static code analysis Tools like Coverity, Klocwork or Bauhaus allow security checks, such as NULL pointer dereferences, memory access beyond allocated area, reads of uninitialized objects, buffer and array underflows, resource leaks etc. ➢ Use modified condition/decision coverage (MC/DC) Detect backdoors
ISO 26262:2018 does not address security, but requires trade-offs without impact on functional safety.
Assets, Threats and Risk
Assessment
Op. Scenarios, Hazard, Risk Assessment
0
4 No No No No No n/a
Mechanisms
CAN-Bus and thereby tries control during an
client because the HU is rated QM
d
injury impact impact effect impact
to disable vehicle primary overtaking maneuver if
Security Goals and
Requirements
Safety Goals and Requirements
Technical Security Concept
Functional and Technical
Safety-Concept
Security Implemen-tation
Safety Implemen-tation
-7-
Identification of Security Goals by Threat Analysis and Risk Assessment (TARA)
Assets
Attack Vectors
Threat, Risk Analysis
Security Goals
Threat Level
Impact Level
Most security attacks are process and implementation related. They rarely lie within the cryptographic protocols and algorithms.
-6-
AUTOMOTIVE CYBERSECURITY Practical Guidance
Effective cybersecurity vs Cyberattack
OEM
Eavesdropping, Data leakage
Command injection, data corruption, back doors
Safety Verification
Security Verification
+ Security (ISO 27001, ISO 15408, ISO 21434, SAE J3061)
� Threat analysis and risk assessment � Abuse, misuse, confuse cases � Security engineering
WoO numerical Equipment /
Effort Effort numerical Threat numerical Threat level (high=4; low=1) Safety Financial Operational Privacy Impact Level
Asset / CIAAG
TARA - Identify and Agree on Assets
Specific automotive asset categories
Privacy, Legislation, Governance
e.g. private dat a
Safety e.g. Vehicle
functions
Suppliers
Man in the OBD middle attacksDSRC
ITS Operator
4G LTE
Physical attacks, Sensor confusion
Rogue clients, malware Public
Clouds
Trojans, Ransomware
Password attacks
Technical Security Concept HW SW SRV
Security Implementation
Security Mgmt in Production,
Operation, Service
Security Case, Assessment, Compliance
Security Validation
Refined Architecture
Security work products
TARA
Security Concept
Technical Security Concept
-8-
Determine Necessary Security Level with TARA Results
Asset ID Threat ID Expertise Expertise numerical Window of Opportunity
-2-
Automotive Trends Impact Safety and Security
1. Powertrain Energy efficiency Unintended speed change
2. Driver Assistance Autonomous driving Signal confusion
cation
Secure Gateways
Secure InVehicle
Communication
Secure Plawk.baidu.comform
New development: Inside out
✓ Secure communication to services outside the vehicle
✓ Intrusion detection mechanisms ✓ Firewalls ✓ Key Infrastructure / Vehicle PKI ✓ Synchronized secure time ✓ Authenticity of messages ✓ Integrity and freshness of
Security and Safety are inter-related and demand holistic systems engineering
-4-
ISO/SAE 21434 for Automotive Cybersecurity
Planning � Kickoff - 17.10.2016 � Currently: Committee Draft � Release: 2020 (Planned)
messages ✓ Confidentiality of messages
✓ Key storage ✓ Secure boot and secure update ✓ Crypto library ✓ HW trust anchor (HTA)
- 10 -
Security by Design: Secure Coding
Safety Management
after SOP
Security Management in
POS
Safety Case, Certification,
Approval
Security Case, Audit,
Compliance
Safety Validation
Security Validation
with respect to ISO 26262.
functions.
system can impact safety-
critical functions.
-9-
Layered Security Concept
Legacy: Outside in
Secure External Communi-
Operational Performance
e.g. Driving experience
Finance
e.g. Theft, liability, brand
image
Checklist to identify assets
➢ Which information, algorithm or intellectual property shall remain confidential?
Approach Risk-oriented approach following the Vector method for the whole lifecycle: � Concept/design phase � Product development � Production (roll out) � Operation � Decommissioning (roll over)
Attack vector
Potential effect of
Threat
SGID
Vehicle
attack
Function
Ast 01 Safety-
Avail Availability: Attacker floods Attacker disables engine Tht-1 Not further considered on advice of Layman 0 Critical 0 Standar 0
➢ Which data (e.g. configuration parameters) shall remain unchanged?
➢ Which functions or procedures shall be exclusively applied by e.g. the OEM?
➢ Which functions or data shall be always available?
Security Level
Requirements
Security Goals
Functional Security Rqmts.
Rqmts. of sec. Mechanisms
Architecture
TOE: Target of Evaluation
Preliminary Architecture
➢ Which company guidelines or legal requirements on data or procedures must be fulfilled?
Automotive Cybersecurity focuses on Confidentiality, Integrity, Authenticity, Availability, Governance (CIAAG)
Application vulnerabilities
Service Provider
Security will be the major liability risk in the future. Average security breach is detected in 70% of all cases by third party – after 8 months.
3. Connectivity Always connected Sudden Driver distraction
-3-
Security and Safety Standards
Functional Safety (IEC 61508, ISO 26262, ISO/PAS 21448)
� Hazard and risk analysis � Functions and risk mitigation � Safety engineering
Focus on governance ISO 21434 does NOT mandate technologies or solutions
-5-
Security Engineering
Assets, Threats and Risk
Assessment
Security Goals and
Requirements
Goal:
Avoid design and code errors which can lead to security exploits
Approach ➢ Use a hardened OS with secure partitioning Avoid embedded Linux due to its complexity and rapid change and thus many security gaps, (e.g. NULL function pointer dereferences, which allow hackers to inject executable code). ➢ Deploy secure boot strategy Starting with first-stage ROM loader with a pre-burned cryptographic key, the next levels are verified before executing to ensure authenticity of each component of the boot ➢ Apply rigorous static code analysis Tools like Coverity, Klocwork or Bauhaus allow security checks, such as NULL pointer dereferences, memory access beyond allocated area, reads of uninitialized objects, buffer and array underflows, resource leaks etc. ➢ Use modified condition/decision coverage (MC/DC) Detect backdoors
ISO 26262:2018 does not address security, but requires trade-offs without impact on functional safety.
Assets, Threats and Risk
Assessment
Op. Scenarios, Hazard, Risk Assessment
0
4 No No No No No n/a
Mechanisms
CAN-Bus and thereby tries control during an
client because the HU is rated QM
d
injury impact impact effect impact
to disable vehicle primary overtaking maneuver if
Security Goals and
Requirements
Safety Goals and Requirements
Technical Security Concept
Functional and Technical
Safety-Concept
Security Implemen-tation
Safety Implemen-tation
-7-
Identification of Security Goals by Threat Analysis and Risk Assessment (TARA)
Assets
Attack Vectors
Threat, Risk Analysis
Security Goals
Threat Level
Impact Level