11 December 2019 – TLP WHITE: May be shared within the Auto-ISAC Community.
Auto-ISAC
Monthly Community Call
December 2019
Agenda
Time (ET)  Topic
11:00  Welcome
       ➢ Why we’re here
       ➢ Expectations for this community
11:05  Auto-ISAC Update
       ➢ Auto-ISAC overview
       ➢ Heard around the community
       ➢ What’s Trending
11:15  DHS CISA Community Update – NEW FEATURE!
11:20  Featured Speakers
       ➢ Sven Schrecker, Vice President and Chief Architect, Cyber Security, LHP Engineering Services
11:45  Around the Room
       ➢ Sharing around the virtual room
11:55  Closing Remarks
Welcome
Welcome - Auto-ISAC Community Call!
Welcome
Purpose: These monthly Auto-ISAC Community Meetings are an
opportunity for you, our Members & connected vehicle ecosystem
partners, to:
✓ Stay informed of Auto-ISAC activities
✓ Share information on key vehicle cybersecurity topics
✓ Learn about exciting initiatives within the automotive
community from our featured speakers
Participants: Auto-ISAC Members, Potential Members, Partners,
Academia, Industry Stakeholders, and Government Agencies
Classification Level: TLP GREEN: may be shared within the Auto-ISAC Community, and “off the record”
How to Connect: For further info, questions, or to add other POCs to the invite, please contact Auto-ISAC Membership Engagement Lead Kim Engles ([email protected])
Engaging in the Auto-ISAC Community
Join
❖ If your organization is eligible, apply for Auto-ISAC membership
❖ If you aren’t eligible for membership, connect with us as a partner
❖ Get engaged – “Cybersecurity is everyone’s responsibility!”
Participate
❖ Participate in monthly virtual conference calls (1st Wednesday of month)
❖ If you have a topic of interest, contact our Membership Engagement Lead, Kim Engles – [email protected]
❖ Engage & ask questions!
Share – “If you see something, say something!”
❖ Submit threat intelligence or other relevant information
❖ Send us information on potential vulnerabilities
❖ Contribute incident reports and lessons learned
❖ Provide best practices around mitigation techniques
Welcome
12 Innovator Partners
19 Navigator Partners
Coordination with 23 critical infrastructure ISACs through the National ISAC Council
Membership represents 99% of cars on the road in North America
20 OEM Members
36 Supplier & Commercial Vehicle Members
Auto-ISAC Mission
Mission: Serve as an unbiased information broker to provide a central point of coordination and communication for the global automotive industry through the analysis and sharing of trusted and timely cyber threat information.
Scope: Light- and heavy-duty vehicles, suppliers, commercial vehicle fleets and carriers. Currently, we are focused on vehicle cyber security, and anticipate expanding into IT/OT security related to the vehicle.
What We Do
Community Development: Workshops, exercises, all hands, summits and town halls
Intel Sharing: Data curation across intel feeds, submissions and research
Analysis: Validation, context and recommendations
Best Practices: Development, dissemination and maintenance
Partnerships: Industry, academia, vendors, researchers and government
ISAC Overview
Our 2019 Board of Directors
Executive Committee (ExCom) Leadership
Jeff Massimilla, Auto-ISAC Chairman, General Motors
Tom Stricker, Auto-ISAC Vice Chairman, Toyota
Mark Chernoby, Auto-ISAC Treasurer, FCA
Jenny Gilger, Auto-ISAC Secretary, Honda
2019 Advisory Board (AB) Leadership
Geoff Wood, Affiliate Advisory Board Chair, Harman
Todd Lawless, Affiliate Advisory Board Vice Chair, Continental
Bob Kaster, Supplier Affinity Group Chair, Bosch
Larry Hilkene, Commercial Vehicle Affinity Group Chair, Cummins
Auto-ISAC Leadership
Auto-ISAC Team and Support Staff
Faye Francy, Executive Director
Josh Poster, Program Operations Manager
Jessica Etts, Senior Intel Coordinator
Kim Engles, Membership Engagement Lead
Lisa D Scheffenacker, Business Administrator
Jake Walker, Cyber Intel Analyst
Julie Kirk, Finance
Michelle Menner, Organizational Coordinator
Linda Rhodes, Legal Counsel, Mayer Brown
Heather Rosenker, Communications (Auto-Alliance)
Auto-ISAC Staff
Recent Activities
Auto-ISAC Update
Highlights of Key Activities in November
➢ Auto-ISAC attended
   ➢ Members Only Information Sharing Workshop in Novi, MI
   ➢ Members Only European Regional Event in Stuttgart, Germany
Looking Ahead to December
➢ Auto-ISAC will be attending
   ➢ Members Only Analyst Workshop in Novi, MI
   ➢ Members Only Information Sharing Workshop in Novi, MI
   ➢ Members Only Board of Directors and Affiliate Board Meetings in Novi, MI
   ➢ Members Only All Members Meeting in Novi, MI
   ➢ NCI Quarterly In Person Meeting in Washington, DC
TLP WHITE: May be distributed without restriction.
Auto-ISAC Intelligence: What’s Trending?
Though cryptography is and will continue to be a powerful tool for automotive security, the proper implementation of cryptographic tools is highly complex.
- For Autonomous Vehicles, There’s a Difference Between Security and Safety: The automotive industry has selected a tried and true security technology called Public Key Infrastructure (PKI). As security technologies go, there’s nothing more secure, nothing more tested and nothing more respected for its security performance in digital systems. The system will validate these signatures with the public key, testing whether digital systems have been tampered with. (Link)
- Volvo Uses Blockchain to Track Car Battery Materials: Volvo has announced it will use blockchain technology to track the use of cobalt in its batteries, the first automaker to do so. Developed to support the bitcoin cryptocurrency, blockchain was quickly identified as a method organizations could use to store data that is inherently resistant to modification, such as hacking. (Link)
- GM Looking into Making Its ECUs More Aftermarket Friendly: Report: These days, electronic engine management systems actually make the process of finding more horsepower rather simple – as long as you can crack the computer code. That’s becoming increasingly difficult in some cars, especially at General Motors which has touted “unhackable” ECUs in vehicles like the Corvette for a few years now. (Link)
- TPM-Fail: What It Means & What to Do About It: On November 12, researchers, led by a team at Worcester Polytechnic Institute, disclosed details of two new potentially serious security vulnerabilities — dubbed TPM-Fail. Because millions of deployed systems probably have the TPM-Fail vulnerability, the scope of exposure is wide. The challenge is that not everyone is ready to perform these patches whenever an exploit such as this becomes known. (Link)
- New Crypto-Cracking Record Reached, With Less Help Than Usual from Moore’s Law: Researchers have reached a new milestone in the annals of cryptography with the factoring of the largest RSA key size ever computed and a matching computation of the largest-ever integer discrete logarithm. New records of this type occur regularly as the performance of computer hardware increases over time. The records announced on Monday evening are more significant because they were achieved considerably faster than hardware improvements alone would predict, thanks to enhancements in software used and the algorithms it implemented. (Link)
For more information or questions please contact [email protected]
DHS Cybersecurity and Infrastructure Security Agency (CISA): What’s Trending?
For more information about DHS CISA please visit https://www.cisa.gov/
Community Speaker Series
Featured Speaker
Why Do We Feature Speakers?
❖ These calls are an opportunity for information exchange & learning
❖ Goal is to educate & provide awareness around cybersecurity for the connected vehicle
What Does it Mean to Be Featured?
❖ Perspectives across our ecosystem are shared from members, government, academia, researchers, industry, associations and others.
❖ Goal is to showcase a rich & balanced variety of topics and viewpoints
❖ Featured speakers are not endorsed by Auto-ISAC nor do the speakers speak on behalf of Auto-ISAC
How Can I Be Featured?
❖ If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Membership Engagement Lead, Kim Engles
1800+ Community Participants
25 Featured Speakers to date
6 Best Practice Guides available on website
Community Speakers
➢ Urban Jonson, NMFTA, Heavy Vehicle Cybersecurity Working Group (April 2018)
➢ Ross Froat, American Trucking Association, ATA Cyberwatch Program (Oct 2018)
➢ Dan Sahar, Vice President of Product of Upstream, 2019 Automotive Cybersecurity Report (June 2019)
➢ Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)
➢ Joe Fabbre, Global Technology Director, Green Hills Software (October 2019)
➢ Oscar Marcia, CISSP, Eonti, Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
Example of Previous Community Speakers
Past Community Call Slides are located at: www.automotiveisac.com/communitycalls/
Featured Speakers
Welcome to Today’s Speaker
Featured Speaker
Sven Schrecker, Vice President and Chief Architect, Cyber Security, LHP
Engineering Services
In his role as the Vice President and Chief Architect of Cyber Security, Sven
Schrecker leads the division to address Cyber Security within the greater
transportation vertical. He consults with Automotive OEMs and Tier 1/2
Suppliers to ensure Cyber Security and Functional Safety of the vehicles and
parts. He represents these companies, both up and down their supply chain, to
enable proper cyber security solutions, roadmap, and timelines. His current
industry-wide goals are to increase uptake rate of Cyber Security
implementations, address pre-OTA Update integrity challenges, and to work with
standards organizations to properly define the cyber security requirements and
recommendations within the automotive vertical.
Before joining LHP, Sven was the Chief Architect for IoT Security Solutions at
Intel Corp. for nearly 15 years, where he worked on internal and external
programs to further the security capabilities in hardware, software, and the
difficult to define grey area in between. He was responsible for open, standards-
based platforms to enable end-to-end IoT security strategy across both existing
(brown field) and new (green field) technologies, to demonstrably increase
security focused at Embedded and Industrial deployments across all IoT
verticals.
Sven is also the Founding Chair of the Industrial Internet Consortium (IIC)
Security Working Group (SWG). He attended the first meeting of the IIC in
Washington DC in March 2014 and became the chair soon after. He is the
primary author of the Industrial Internet Security Framework which is the seminal
document that lays the foundation for security, and trustworthiness, in the
Industrial Internet of Things (IIoT), and is leading the team that is writing a
technical paper on Automotive Trustworthiness. He Chairs the Automotive
Security Task Group and co-chairs the Security Liaisons Task Group (with
Platform Industry 4.0).
Automotive Trustworthiness
Automotive Profile for Security Maturity Model
Sven Schrecker [[email protected]]
Co-chair, Security Working Group
VP Cyber Security, LHP Engineering Services
Dec 11, 2019
About the Industrial Internet Consortium
• Vision: The Industrial Internet Consortium is the world’s leading organization transforming business and society by accelerating the Industrial Internet of Things (IIoT).
• Mission: To deliver a trustworthy IIoT in which the world’s systems and devices are securely connected and controlled to deliver transformational outcomes.
A Global Organization Spanning 30 Countries
Trustworthiness
This is one discipline, not five distinct disciplines. Treat them so.
Image Source: Industrial Internet Consortium
Industry Gap Analysis
1) Trustworthiness is a natural fit for Automotive industry
2) Needs high-level convergence of organizational, process, and technical vision
3) Have various levels of rigor based on different ASIL/CAL Levels
4) There are a number of domains and sub-domains that must be addressed
5) Challenges with security often only addressed through the supply chain
6) Need a way to measure security progress (including progression through the roadmap)
Automotive Supply Chain Complexity
(Diagram: supply chain tiers from OEM through Shifter and PCB suppliers to Dealer and After-Market channels)
Comprehensive Approach: Security Maturity Model
Security Maturity, not Security Implementation
Security Maturity –
• degree of confidence in the effectiveness of a security implementation
• in meeting organizational needs
• with an understanding of necessity, benefits and costs
Two dimensions:
Comprehensiveness –
✓ Depth in addressing requirements and use cases,
✓ Consistency of approach and use of possible automation,
✓ Assurance support (through reviews, validation and even formal methods).
Scope –
✓ Alignment of understanding and details to situation, ranging from a general approach to vertical industry or even system specifics.
The Hierarchy: Domains, Subdomains, Practices
Domains are pivotal to determining the priorities of security maturity enhancement at the strategic level. At the domains level, the business stakeholder determines the priorities of the direction in improving security.
Subdomains reflect the basic means of obtaining these priorities at the planning level. At the subdomains level, the stakeholder identifies the typical needs for addressing security concerns.
Practices define typical activities associated with subdomains and identified at the tactical level. At the practices level, the stakeholder considers how the practice supports specific security activities.
Security Maturity Model: Structure
Governance Domain
Comprehensiveness Levels: None, Minimum, Ad Hoc, Consistent, Formalized
Minimum
• Minimum requirements implemented
• No assurance activities
Ad Hoc
• Main use cases, well-known security incidents, similar environments
• Baseline mitigations
• Assurance: ad hoc reviews
Consistent
• Consider best practices, standards, regulations, classifications
• Use software and other tools
• Assurance: security patterns, secure-by-default designs and known protection approaches and mechanisms
Formalized
• Well-established process forms the basis
• Continuous support and security enhancements
• Assurance: focus on the coverage of security needs and timely addressing of issues
Scoring: Scope
Level 1, General
This is the broadest scope. The security practice is implemented in the computer systems and networks without any assessment of its relevance to the specific IoT sector, equipment used, software or processes to be maintained. The security capabilities and techniques are applied as they were in the typical environment.
Level 2, Industry specific
The scope is narrowed from the general case to an industry-specific scenario. The security practice is implemented considering sector-specific issues, particularly those regarding components and processes that are prone to certain types of attacks, and known vulnerabilities and incidents that took place.
Level 3, System specific
This is the narrowest scope. The security practice implementation is aligned with the specific organizational needs and risks of the system under consideration, identified trust boundaries, components, technologies, processes and usage scenarios. Combining the general and domain specific objectives in a unique manner sets the requirements of this implementation.
Automotive Profile: Target Comprehensiveness and Scope
(indented rows are the subdomains and practices of the row above)

Domain / Subdomain / Practice                              Target Comprehensiveness   Scope
Security Governance                                        2 (Ad hoc)+                Industry+
  Security Strategy and Governance                         2 (Ad hoc)                 Industry+
    Security Program Management                            2 (Ad hoc)                 System
    Compliance Management                                  2 (Ad hoc)                 Industry
  Threat Modeling and Risk Assessment                      3 (Consistent)+            Industry+
    Threat Modeling                                        4 (Formalized)             System
    Risk Attitude                                          3 (Consistent)             Industry
  Supply Chain and External Dependencies Management        2 (Ad hoc)                 Industry
    Supply Chain Risk Management                           2 (Ad hoc)                 Industry
    Third-Party Dependencies Management                    2 (Ad hoc)                 Industry
Security Enablement                                        2 (Ad hoc)+                Industry+
  Identity and Access Management                           2 (Ad hoc)                 Industry
    Establishing and Maintaining Identities                2 (Ad hoc)                 Industry
    Access control                                         2 (Ad hoc)                 Industry
  Asset protection                                         2 (Ad hoc)                 Industry
    Asset, Change and Configuration Management             2 (Ad hoc)                 Industry
    Physical Protection                                    2 (Ad hoc)                 Industry
  Data Protection                                          2 (Ad hoc)+                Industry+
    Security Model and Policy for Data                     3 (Consistent)             System
    Implementation of Data Protection Controls             2 (Ad hoc)+                Industry
Security Hardening                                         2 (Ad hoc)+                Industry+
  Vulnerability and Patch Management                       4 (Formalized)             Industry+
    Vulnerability Assessment                               4 (Formalized)             System
    Patch Management                                       4 (Formalized)             Industry
  Situational Awareness                                    2 (Ad hoc)                 Industry+
    Audit                                                  2 (Ad hoc)                 System
    Information Sharing and Communication                  2 (Ad hoc)                 Industry
  Event and Incident Response, Continuity of Operations    2 (Ad hoc)+                Industry+
    Event Detection and Response Plan                      4 (Formalized)             System
    Remediation, Recovery, and Continuity of Operation     2 (Ad hoc)                 Industry
Profiles
• Adding information to “what needs to be done” and “indicators of accomplishment” that is specific to an industry or system (scopes)
• This extends the tables into a profile
• Profiles can be industry and/or system
• Profiles make the general considerations more specific or provide more detail
• Industry profiles can add information to general scope, or to system scope as well
• Information does not have to be added to all tables
Security Maturity Model
• Provides a common mechanism to express the confidence in the level of security
• Addresses challenges for describing security capabilities down the supply chain
• Does not define implementation
• Separates requirements into domains, subdomains, and practices
• Enables security assessments to evaluate the level of security achievement
• Encourages security capability improvement over time (roadmap)
• Allows for industry profiles (e.g. Automotive) for tailoring security maturity
https://www.iiconsortium.org/smm.htm
https://www.iiconsortium.org/pdf/IoT_SMM_Practitioner_Guide_2019-02-25.pdf
https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_FINAL_Updated_V1.1.pdf
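As an added worked example (not code from the IIC or the speaker), the following Python encodes the domain / subdomain / practice hierarchy with the practice-level targets from the automotive profile table above, derives the subdomain and domain rows from them, and turns a current-state assessment into a prioritized roadmap of the kind the slides describe. The roll-up rule (a row takes the weakest target among its practices and carries a “+” when any practice underneath is stricter), the gap scoring in `roadmap()` and the sample assessment are assumptions introduced here; the slide’s “+” on the “Implementation of Data Protection Controls” practice is not reproduced, because the assumed rule only applies above practice level.

```python
"""IIC Security Maturity Model (SMM) hierarchy with the automotive profile targets
from the table above, plus a gap ("roadmap") calculation. Added example, not IIC's
or LHP's code; the roll-up rule, the gap scoring and the sample assessment are
assumptions, not taken from the slides."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

COMPREHENSIVENESS = {0: "None", 1: "Minimum", 2: "Ad hoc", 3: "Consistent", 4: "Formalized"}
SCOPE = {1: "General", 2: "Industry", 3: "System"}


@dataclass
class Node:
    """Domain, subdomain or practice; targets are set on practices (leaves) only."""
    name: str
    comp: Optional[int] = None   # target comprehensiveness level 0-4
    scope: Optional[int] = None  # target scope level 1-3
    children: List["Node"] = field(default_factory=list)


def P(name: str, comp: int, scope: int) -> Node:  # practice with its target
    return Node(name, comp, scope)


# Practice targets transcribed from the automotive profile table on the slide.
AUTOMOTIVE_PROFILE = Node("Security Maturity Model", children=[
    Node("Security Governance", children=[
        Node("Security Strategy and Governance", children=[
            P("Security Program Management", 2, 3), P("Compliance Management", 2, 2)]),
        Node("Threat Modeling and Risk Assessment", children=[
            P("Threat Modeling", 4, 3), P("Risk Attitude", 3, 2)]),
        Node("Supply Chain and External Dependencies Management", children=[
            P("Supply Chain Risk Management", 2, 2), P("Third-Party Dependencies Management", 2, 2)])]),
    Node("Security Enablement", children=[
        Node("Identity and Access Management", children=[
            P("Establishing and Maintaining Identities", 2, 2), P("Access control", 2, 2)]),
        Node("Asset protection", children=[
            P("Asset, Change and Configuration Management", 2, 2), P("Physical Protection", 2, 2)]),
        Node("Data Protection", children=[
            P("Security Model and Policy for Data", 3, 3), P("Implementation of Data Protection Controls", 2, 2)])]),
    Node("Security Hardening", children=[
        Node("Vulnerability and Patch Management", children=[
            P("Vulnerability Assessment", 4, 3), P("Patch Management", 4, 2)]),
        Node("Situational Awareness", children=[
            P("Audit", 2, 3), P("Information Sharing and Communication", 2, 2)]),
        Node("Event and Incident Response, Continuity of Operations", children=[
            P("Event Detection and Response Plan", 4, 3),
            P("Remediation, Recovery, and Continuity of Operation", 2, 2)])])])


def walk(node: Node):
    """Yield node and every descendant, depth first."""
    yield node
    for child in node.children:
        yield from walk(child)


INDEX: Dict[str, Node] = {n.name: n for n in walk(AUTOMOTIVE_PROFILE)}


def rollup(name: str) -> Tuple[str, str]:
    """Derive a domain/subdomain row as the slide prints it, e.g. ('2 (Ad hoc)+', 'Industry+').
    Assumed rule: the row takes the weakest target among its practices and carries a '+'
    when any practice underneath is stricter (higher level or narrower scope)."""
    leaves = [n for n in walk(INDEX[name]) if not n.children]
    comp, scope = min(n.comp for n in leaves), min(n.scope for n in leaves)
    comp_plus = "+" if any(n.comp > comp for n in leaves) else ""
    scope_plus = "+" if any(n.scope > scope for n in leaves) else ""
    return f"{comp} ({COMPREHENSIVENESS[comp]}){comp_plus}", f"{SCOPE[scope]}{scope_plus}"


def roadmap(current: Dict[str, Tuple[int, int]]) -> List[Tuple[str, int, int]]:
    """Compare an assessment {practice: (comprehensiveness, scope)} with the profile.
    Returns (practice, comprehensiveness gap, scope gap) for every practice below its
    target, largest comprehensiveness gap first. Unassessed practices count as level 0
    (None) at General scope, so they surface in the roadmap rather than being ignored."""
    gaps = []
    for n in walk(AUTOMOTIVE_PROFILE):
        if n.children:
            continue
        cur_comp, cur_scope = current.get(n.name, (0, 1))
        comp_gap, scope_gap = max(n.comp - cur_comp, 0), max(n.scope - cur_scope, 0)
        if comp_gap or scope_gap:
            gaps.append((n.name, comp_gap, scope_gap))
    return sorted(gaps, key=lambda g: (-g[1], -g[2], g[0]))


# Constructed sample assessment of a hypothetical supplier (not real data).
SAMPLE_CURRENT = {
    "Security Program Management": (2, 3), "Threat Modeling": (1, 2), "Risk Attitude": (3, 2),
    "Access control": (2, 2), "Security Model and Policy for Data": (3, 3),
    "Vulnerability Assessment": (3, 3), "Patch Management": (2, 1),
    "Event Detection and Response Plan": (2, 2),
}

if __name__ == "__main__":
    for name in ("Security Governance", "Security Enablement", "Security Hardening"):
        print(name, *rollup(name))
    for name, comp_gap, scope_gap in roadmap(SAMPLE_CURRENT):
        print(f"{name}: raise comprehensiveness by {comp_gap}, narrow scope by {scope_gap}")
```

Running the script reproduces every subdomain and domain row of the table from the practice rows alone, which is a useful check that a profile is internally consistent before it is handed down a supply chain, and lists the practices a supplier would have to raise, in order, to reach the automotive targets. Treating unassessed practices as level 0 is deliberate: a gap that was never measured should appear on the roadmap, not disappear from it.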
12/11/2019
Questions and Comments?
Open Discussion
Around the Room
Any questions about the
Auto-ISAC or future topics
for discussion?
Connect with us at upcoming events:
SAE DoD Maintenance and Logistics Exhibition – Dec. 9-11, Spokane, WA
SAE DoD Maintenance Symposium – Dec. 9-12, Spokane, WA
NCI Quarterly Face to Face Meeting*** – Dec. 11th, Washington, DC
Auto-ISAC Community Call*** – Dec. 11th, Telecon
Event Outlook
**For full 2019 calendar, visit www.automotiveisac.com
Closing Remarks
Closing Remarks
If you are an OEM, supplier or commercial vehicle company, now is a great time to join Auto-ISAC!
How to Get Involved: Membership
To learn more about Auto-ISAC Membership or Partnership, please contact Kim Engles ([email protected]).
➢ Real-time Intelligence Sharing
➢ Development of Best Practice Guides
➢ Intelligence Summaries
➢ Exchanges and Workshops
➢ Regular intelligence meetings
➢ Tabletop exercises
➢ Crisis Notifications
➢ Webinars and Presentations
➢ Member Contact Directory
➢ Annual Auto-ISAC Summit Event
Strategic Partnership Programs
NAVIGATOR – Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities
INNOVATOR – Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATOR – Coordination Partnership
- “See something, say something”
- May not require a formal agreement
- Information exchanges / coordination activities
BENEFACTOR – Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar / Events
Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services. Examples: Hacker ONE, SANS, IOActive
Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, DHS, NHTSA
Community: Companies interested in engaging the automotive ecosystem and supporting / educating the community. Examples: Summit sponsorship – key events
Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, Global Auto, ATA
Closing Remarks
Auto-ISAC Benefits
➢ Focused Intelligence Information/Briefings
➢ Cybersecurity intelligence sharing
➢ Vulnerability resolution
➢ Member to Member Sharing
➢ Distribute Information Gathering Costs across the Sector
➢ Non-attribution and Anonymity of Submissions
➢ Information source for the entire organization
➢ Risk mitigation for automotive industry
➢ Comparative advantage in risk mitigation
➢ Security and Resiliency
Securing Across the Auto Industry
Closing Remarks
Our contact info
Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
Kim Engles, Membership Engagement Lead
20 F Street NW, Suite 700, Washington, DC 20001
240-422-9008
Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
Jessica Etts, Senior Intel Coordinator
20 F Street NW, Suite 700, Washington, DC 20001