Auto-ISAC Community Call · -TPM-Fail: What It Means & What to Do About It: On November 12,...

11 December 2019 TLP WHITE: May be shared within the Auto-ISAC Community.


Auto-ISAC Monthly Community Call, December 2019


Agenda

Time (ET) | Topic

11:00 | Welcome

➢ Why we’re here

➢ Expectations for this community

11:05 | Auto-ISAC Update

➢ Auto-ISAC overview

➢ Heard around the community

➢ What’s Trending

11:15 | DHS CISA Community Update – NEW FEATURE!

11:20 | Featured Speakers

➢ Sven Schrecker, Vice President and Chief Architect, Cyber Security, LHP Engineering Services

11:45 | Around the Room

➢ Sharing around the virtual room

11:55 | Closing Remarks


Welcome - Auto-ISAC Community Call!

Purpose: These monthly Auto-ISAC Community Meetings are an opportunity for you, our Members & connected vehicle ecosystem partners, to:

✓ Stay informed of Auto-ISAC activities

✓ Share information on key vehicle cybersecurity topics

✓ Learn about exciting initiatives within the automotive community from our featured speakers

Participants: Auto-ISAC Members, Potential Members, Partners, Academia, Industry Stakeholders, and Government Agencies

Classification Level: TLP GREEN: may be shared within the Auto-ISAC Community, and “off the record”

How to Connect: For further info, questions, or to add other POCs to the invite, please contact Auto-ISAC Membership Engagement Lead Kim Engles ([email protected])


Engaging in the Auto-ISAC Community

Join

❖ If your organization is eligible, apply for Auto-ISAC membership

❖ If you aren’t eligible for membership, connect with us as a partner

❖ Get engaged – “Cybersecurity is everyone’s responsibility!”

Participate

❖ Participate in monthly virtual conference calls (1st Wednesday of month)

❖ If you have a topic of interest, connect with our Membership Engagement Lead, Kim Engles – [email protected]

❖ Engage & ask questions!

Share – “If you see something, say something!”

❖ Submit threat intelligence or other relevant information

❖ Send us information on potential vulnerabilities

❖ Contribute incident reports and lessons learned

❖ Provide best practices around mitigation techniques

12 Innovator Partners

19 Navigator Partners

Coordination with 23 critical infrastructure ISACs through the National ISAC Council

Membership represents 99% of cars on the road in North America

20 OEM Members

36 Supplier & Commercial Vehicle Members


Auto-ISAC Mission

Mission: Serve as an unbiased information broker to provide a central point of coordination and communication for the global automotive industry through the analysis and sharing of trusted and timely cyber threat information.

Scope: Light- and heavy-duty vehicles, suppliers, commercial vehicle fleets and carriers. Currently, we are focused on vehicle cyber security, and anticipate expanding into IT/OT security related to the vehicle.

What We Do

Community Development: Workshops, exercises, all hands, summits and town halls

Intel Sharing: Data curation across intel feeds, submissions and research

Analysis: Validation, context and recommendations

Best Practices: Development, dissemination and maintenance

Partnerships: Industry, academia, vendors, researchers and government


Our 2019 Board of Directors

Executive Committee (ExCom) Leadership

Jeff Massimilla, Auto-ISAC Chairman, General Motors

Tom Stricker, Auto-ISAC Vice Chairman, Toyota

Mark Chernoby, Auto-ISAC Treasurer, FCA

Jenny Gilger, Auto-ISAC Secretary, Honda

Geoff Wood, Affiliate Advisory Board Chair, Harman

2019 Advisory Board (AB) Leadership

Geoff Wood, Affiliate Advisory Board Chair, Harman

Todd Lawless, Affiliate Advisory Board Vice Chair, Continental

Bob Kaster, Supplier Affinity Group Chair, Bosch

Larry Hilkene, Commercial Vehicle Affinity Group Chair, Cummins


Auto-ISAC Team and Support Staff

Faye Francy, Executive Director ([email protected])

Josh Poster, Program Operations Manager ([email protected])

Jessica Etts, Senior Intel Coordinator ([email protected])

Kim Engles, Membership Engagement Lead ([email protected])

Lisa D Scheffenacker, Business Administrator ([email protected])

Jake Walker, Cyber Intel Analyst ([email protected])

Julie Kirk, Finance ([email protected])

Michelle Menner, Organizational Coordinator ([email protected])

Linda Rhodes, Legal Counsel, Mayer Brown ([email protected])

Heather Rosenker, Communications (Auto-Alliance) ([email protected])


Recent Activities

Auto-ISAC Update

Highlights of Key Activities in November

➢ Auto-ISAC attended

➢ Members Only Information Sharing Workshop in Novi, MI

➢ Members Only European Regional Event in Stuttgart, Germany

Looking Ahead to December

➢ Auto-ISAC will be attending

➢ Members Only Analyst Workshop in Novi, MI

➢ Members Only Information Sharing Workshop in Novi, MI

➢ Members Only Board of Directors and Affiliate Board Meetings in Novi, MI

➢ Members Only All Members Meeting in Novi, MI

➢ NCI Quarterly In Person Meeting in Washington, DC


11 December 2019 TLP WHITE: May be distributed without restriction.

Auto-ISAC Intelligence

What’s Trending?

Though cryptography is and will continue to be a powerful tool for automotive security, the proper implementation of cryptographic tools is highly complex.

- For Autonomous Vehicles, There’s a Difference Between Security and Safety: The automotive industry has selected a tried and true security technology called Public Key Infrastructure (PKI). As security technologies go, there’s nothing more secure, nothing more tested and nothing more respected for its security performance in digital systems. The system will validate these signatures with the public key, testing whether digital systems have been tampered with. (Link)

- Volvo Uses Blockchain to Track Car Battery Materials: Volvo has announced it will use blockchain technology to track the use of cobalt in its batteries, the first automaker to do so. Developed to support the bitcoin cryptocurrency, blockchain was quickly identified as a method organizations could use to store data that is inherently resistant to modification, such as hacking. (Link)

- GM Looking into Making Its ECUs More Aftermarket Friendly: Report: These days, electronic engine management systems actually make the process of finding more horsepower rather simple – as long as you can crack the computer code. That’s becoming increasingly difficult in some cars, especially at General Motors which has touted “unhackable” ECUs in vehicles like the Corvette for a few years now. (Link)

- TPM-Fail: What It Means & What to Do About It: On November 12, researchers, led by a team at Worcester Polytechnic Institute, disclosed details of two new potentially serious security vulnerabilities — dubbed TPM-Fail. Because millions of deployed systems probably have the TPM-Fail vulnerability, the scope of exposure is wide. The challenge is that not everyone is ready to perform these patches whenever an exploit such as this becomes known. (Link)

- New Crypto-Cracking Record Reached, With Less Help Than Usual from Moore’s Law: Researchers have reached a new milestone in the annals of cryptography with the factoring of the largest RSA key size ever computed and a matching computation of the largest-ever integer discrete logarithm. New records of this type occur regularly as the performance of computer hardware increases over time. The records announced on Monday evening are more significant because they were achieved considerably faster than hardware improvements alone would predict, thanks to enhancements in software used and the algorithms it implemented. (Link)

For more information or questions please contact [email protected]


DHS Cybersecurity and Infrastructure Security Agency (CISA)

What’s Trending?

For more information about DHS CISA please visit https://www.cisa.gov/


Community Speaker Series

Why Do We Feature Speakers?

❖ These calls are an opportunity for information exchange & learning

❖ Goal is to educate & provide awareness around cybersecurity for the connected vehicle

What Does it Mean to Be Featured?

❖ Perspectives across our ecosystem are shared from members, government, academia, researchers, industry, associations and others.

❖ Goal is to showcase a rich & balanced variety of topics and viewpoints

❖ Featured speakers are not endorsed by Auto-ISAC nor do the speakers speak on behalf of Auto-ISAC

How Can I Be Featured?

❖ If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Membership Engagement Lead, Kim Engles ([email protected])

1800+ Community Participants

25 Featured Speakers to date

6 Best Practice Guides available on website


Community Speakers

Example of Previous Community Speakers

➢ Urban Jonson, NMFTA, Heavy Vehicle Cybersecurity Working Group (April 2018)

➢ Ross Froat, American Trucking Association, ATA Cyberwatch Program (Oct 2018)

➢ Dan Sahar, Vice President of Product of Upstream, 2019 Automotive Cybersecurity Report (June 2019)

➢ Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)

➢ Joe Fabbre, Global Technology Director, Green Hills Software (October 2019)

➢ Oscar Marcia, CISSP, Eonti, Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)

Past Community Call Slides are located at: www.automotiveisac.com/communitycalls/


Welcome to Today’s Speaker

Sven Schrecker, Vice President and Chief Architect, Cyber Security, LHP Engineering Services

In his role as the Vice President and Chief Architect of Cyber Security, Sven Schrecker leads the division to address Cyber Security within the greater transportation vertical. He consults with Automotive OEMs and Tier 1/2 Suppliers to ensure Cyber Security and Functional Safety of the vehicles and parts. He represents these companies, both up and down their supply chain, to enable proper cyber security solutions, roadmap, and timelines. His current industry-wide goals are to increase uptake rate of Cyber Security implementations, address pre-OTA Update integrity challenges, and to work with standards organizations to properly define the cyber security requirements and recommendations within the automotive vertical.

Before joining LHP, Sven was the Chief Architect for IoT Security Solutions at Intel Corp. for nearly 15 years, where he worked on internal and external programs to further the security capabilities in hardware, software, and the difficult to define grey area in between. He was responsible for open, standards-based platforms to enable end-to-end IoT security strategy across both existing (brown field) and new (green field) technologies, to demonstrably increase security focused at Embedded and Industrial deployments across all IoT verticals.

Sven is also the Founding Chair of the Industrial Internet Consortium (IIC) Security Working Group (SWG). He attended the first meeting of the IIC in Washington DC in March 2014 and became the chair soon after. He is the primary author of the Industrial Internet Security Framework which is the seminal document that lays the foundation for security, and trustworthiness, in the Industrial Internet of Things (IIoT), and is leading the team that is writing a technical paper on Automotive Trustworthiness. He Chairs the Automotive Security Task Group and co-chairs the Security Liaisons Task Group (with Platform Industry 4.0).


Automotive Trustworthiness

Automotive Profile for Security Maturity Model

Sven Schrecker [[email protected]], Co-chair, Security Working Group; VP Cyber Security, LHP Engineering Services

Dec 11, 2019


About the Industrial Internet Consortium

• Vision: The Industrial Internet Consortium is the world’s leading organization transforming business and society by accelerating the Industrial Internet of Things (IIoT).

• Mission: To deliver a trustworthy IIoT in which the world’s systems and devices are securely connected and controlled to deliver transformational outcomes.

A Global Organization Spanning 30 Countries


Trustworthiness

This is one discipline, not five distinct disciplines. Treat them so.

Image Source: Industrial Internet Consortium


Industry Gap Analysis

1) Trustworthiness is a natural fit for Automotive industry

2) Needs high-level convergence of organizational, process, and technical vision

3) Have various levels of rigor based on different ASIL/CAL Levels

4) There are a number of domains and sub-domains that must be addressed

5) Challenges with security often only addressed through the supply chain

6) Need way to measure security progress (incl progression through roadmap)


Automotive Supply Chain Complexity

[Figure: supply chain diagram; labels: OEM, Shifter, PCB, Dealer, After-Market]


Comprehensive Approach: Security Maturity Model


Security Maturity, not Security Implementation

Security Maturity –

• degree of confidence in the effectiveness of a security implementation

• in meeting organizational needs

• with an understanding of necessity, benefits and costs

Two dimensions:

Comprehensiveness –

✓ Depth in addressing requirements and use cases,

✓ Consistency of approach and use of possible automation,

✓ Assurance support (through reviews, validation and even formal methods).

Scope –

✓ Alignment of understanding and details to situation, ranging from a general approach to vertical industry or even system specifics.


The Hierarchy: Domains, Subdomains, Practices

Domains are pivotal to determining the priorities of security maturity enhancement at the strategic level. At the domains level, the business stakeholder determines the priorities of the direction in improving security.

Subdomains reflect the basic means of obtaining these priorities at the planning level. At the subdomains level, the stakeholder identifies the typical needs for addressing security concerns.

Practices define typical activities associated with subdomains and identified at the tactical level. At the practices level, the stakeholder considers how the practice supports specific security activities.


Security Maturity Model: Structure


Governance Domain


Comprehensiveness Levels

Levels: None, Minimum, Ad Hoc, Consistent, Formalized

Minimum

• Minimum requirements implemented

• No assurance activities

Ad Hoc

• main use cases

• well-known security incidents

• similar environments

• Assurance: ad hoc reviews

• baseline mitigations

Consistent

• Consider best practices, standards, regulations, classifications

• Use software and other tools.

• assurance: security patterns, secure-by-default designs and known protection approaches and mechanisms

Formalized

• Well-established process forms the basis

• continuous support and security enhancements.

• assurance: focus on the coverage of security needs and timely addressing of issues


Scoring: Scope

Level 1, General

This is the broadest scope. The security practice is implemented in the computer systems and networks without any assessment of its relevance to the specific IoT sector, equipment used, software or processes to be maintained. The security capabilities and techniques are applied as they were in the typical environment.

Level 2, Industry specific

The scope is narrowed from the general case to an industry-specific scenario. The security practice is implemented considering sector-specific issues, particularly those regarding components and processes that are prone to certain types of attacks, and known vulnerabilities and incidents that took place.

Level 3, System specific

This is the narrowest scope. The security practice implementation is aligned with the specific organizational needs and risks of the system under consideration, identified trust boundaries, components, technologies, processes and usage scenarios. Combining the general and domain specific objectives in a unique manner sets the requirements of this implementation.


Target | Comprehensiveness | Scope

Security Governance | 2 (Ad hoc)+ | Industry+
Security Strategy and Governance | 2 (Ad hoc) | Industry+
Security Program Management | 2 (Ad hoc) | System
Compliance Management | 2 (Ad hoc) | Industry
Threat Modeling and Risk Assessment | 3 (Consistent)+ | Industry+
Threat Modeling | 4 (Formalized) | System
Risk Attitude | 3 (Consistent) | Industry
Supply Chain and External Dependencies Management | 2 (Ad hoc) | Industry
Supply Chain Risk Management | 2 (Ad hoc) | Industry
Third-Party Dependencies Management | 2 (Ad hoc) | Industry
Security Enablement | 2 (Ad hoc)+ | Industry+
Identity and Access Management | 2 (Ad hoc) | Industry
Establishing and Maintaining Identities | 2 (Ad hoc) | Industry
Access control | 2 (Ad hoc) | Industry
Asset protection | 2 (Ad hoc) | Industry
Asset, Change and Configuration Management | 2 (Ad hoc) | Industry
Physical Protection | 2 (Ad hoc) | Industry
Data Protection | 2 (Ad hoc)+ | Industry+
Security Model and Policy for Data | 3 (Consistent) | System
Implementation of Data Protection Controls | 2 (Ad hoc)+ | Industry
Security Hardening | 2 (Ad hoc)+ | Industry+
Vulnerability and Patch Management | 4 (Formalized) | Industry+
Vulnerability Assessment | 4 (Formalized) | System
Patch Management | 4 (Formalized) | Industry
Situational Awareness | 2 (Ad hoc) | Industry+
Audit | 2 (Ad hoc) | System
Information Sharing and Communication | 2 (Ad hoc) | Industry
Event and Incident Response, Continuity of Operations | 2 (Ad hoc)+ | Industry+
Event Detection and Response Plan | 4 (Formalized) | System
Remediation, Recovery, and Continuity of Operation | 2 (Ad hoc) | Industry


Profiles

• Adding information to “what needs to be done” and “indicators of accomplishment” that is specific to an industry or system (scopes)

• This extends the tables into a profile

• Profiles can be industry and/or system

• Profiles make the general considerations more specific or provide more detail

• Industry profiles can add information to general scope, or to system scope as well

• Information does not have to be added to all tables


Security Maturity Model

• Provides a common mechanism to express the confidence in the level of security

• Addresses challenges for describing security capabilities down the supply chain

• Does not define implementation

• Separates requirements into domains, subdomains, and practices

• Enables security assessment to evaluate the level of security achievement

• Encourages security capability improvement over time (roadmap)

• Allows for industry profiles (e.g. Automotive) for tailoring security maturity


https://www.iiconsortium.org/smm.htm

https://www.iiconsortium.org/pdf/IoT_SMM_Practitioner_Guide_2019-02-25.pdf

https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_FINAL_Updated_V1.1.pdf


Questions and Comments?


Open Discussion

Around the Room

Any questions about the Auto-ISAC or future topics for discussion?


Closing Remarks

Event Outlook

Connect with us at upcoming events:

SAE DoD Maintenance and Logistics Exhibition, Dec. 9-11, Spokane, WA

SAE DoD Maintenance Symposium, Dec. 9-12, Spokane, WA

NCI Quarterly Face to Face Meeting***, Dec. 11th, Washington, DC

Auto-ISAC Community Call***, Dec. 11th, Telecon

**For full 2019 calendar, visit www.automotiveisac.com


How to Get Involved: Membership

If you are an OEM, supplier or commercial vehicle company, now is a great time to join Auto-ISAC!

To learn more about Auto-ISAC Membership or Partnership, please contact Kim Engles ([email protected]).

➢ Real-time Intelligence Sharing

➢ Development of Best Practice Guides

➢ Intelligence Summaries

➢ Exchanges and Workshops

➢ Regular intelligence meetings

➢ Tabletop exercises

➢ Crisis Notifications

➢ Webinars and Presentations

➢ Member Contact Directory

➢ Annual Auto-ISAC Summit Event


Strategic Partnership Programs

NAVIGATOR: Support Partnership

- Provides guidance and support

- Annual definition of activity commitments and expected outcomes

- Provides guidance on key topics / activities

INNOVATOR: Paid Partnership

- Annual investment and agreement

- Specific commitment to engage with ISAC

- In-kind contributions allowed

COLLABORATOR: Coordination Partnership

- “See something, say something”

- May not require a formal agreement

- Information exchanges-coordination activities

BENEFACTOR: Sponsorship Partnership

- Participate in monthly community calls

- Sponsor Summit

- Network with Auto Community

- Webinar / Events

Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services. Examples: Hacker ONE, SANS, IOActive

Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, DHS, NHTSA

Community: Companies interested in engaging the automotive ecosystem and supporting - educating the community. Examples: Summit sponsorship – key events

Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, Global Auto, ATA


Auto-ISAC Benefits

➢ Focused Intelligence Information/Briefings

➢ Cybersecurity intelligence sharing

➢ Vulnerability resolution

➢ Member to Member Sharing

➢ Distribute Information Gathering Costs across the Sector

➢ Non-attribution and Anonymity of Submissions

➢ Information source for the entire organization

➢ Risk mitigation for automotive industry

➢ Comparative advantage in risk mitigation

➢ Security and Resiliency

Securing Across the Auto Industry


Our contact info

Faye Francy, Executive Director
20 F Street NW, Suite 700
Washington, DC 20001
703-861-5417
[email protected]

Kim Engles, Membership Engagement Lead
20 F Street NW, Suite 700
Washington, DC 20001
240-422-9008
[email protected]

Josh Poster, Program Operations Manager
20 F Street NW, Suite 700
Washington, DC 20001
[email protected]

Jessica Etts, Senior Intel Coordinator
20 F Street NW, Suite 700
Washington, DC 20001
[email protected]