AutoSIG Autonomous Vehicles, 02.12.14, Paul Martin, Plextek (slide transcript)
Securing V2X
Dr Paul Martin
CTO
Contents
• What
• Why
• How
• When
World class Products, Systems and Services
• Innovative, Independent, Entrepreneurial
• Based near Cambridge, UK
• Part of Plextek Group
• Privately owned - established 1989
• 120 staff
• Markets
  – Automotive and Transport
  – Defence and Security
  – Healthcare
  – IOT
  – Wearable Devices
Contents
What
V2V
1) Driver information
  • Cascaded video – reason for queue
2) Vehicle safety assistance
  • Braking assistance
  • Erratic vehicle warning
3) Platoon control
  • Real time vehicle control
  • Maintenance of vehicle Platoons
  • Joining/leaving Platoon
• Short note on Platoons – SARTRE trial
  – Fuel saving between 7% and 16%
  – Safety – less driver fatigue and mistakes
  – Ease road congestion – less gap between cars
V2i
• V2i - Personal
  1) Online purchasing, smartphone to vendor
• V2i - Car
  1) Purchasing from Android terminal in car, e.g.
    • Road tolls
    • Car rental
  2) Telematics data – used for
    • Real time vehicle insurance
    • Accident notification and investigation
    • Fraud prevention
  3) Vehicle assistance
    • Find parking spaces
    • Organise traffic flow
V2i – Relationship Example
• V2i Android terminal in car – real time insurance
(Diagram: TRUST relationships between the parties; statements shown in the diagram:)
  – “I verify I am the driver and I will pay for the insurance”
  – “I will not allow the car to start unless a valid driver is present and the insurance is paid”
  – “I check insurance is OK on the road”
  – “I provide valid insurance”
V2V – Relationship Example
• V2V Platooning (TNO Demonstration)
(Diagram: TRUST relationships between HMG, Regulator and Public; statements shown in the diagram:)
  – “I trust the Platooning System”
  – “Each car has compatible systems which are functioning correctly”
  – “Role is to ensure legislation supports the required level of safety for society as a whole”
Security Context Scope
• Application Model Peer Entities
• End points vary
• Categorisation Important
| V2X Application | Peer | Peer | Timeliness | Importance |
|---|---|---|---|---|
| Software update | OEM (Tier 1/2) | Target ECU | Delay tolerant | Variable |
| Virtual Signing | Highways Agency | In car display (ECU) | < 2 seconds | Important/Legal |
| Platoon Control | Other vehicle | Steering/braking/acceleration ECUs | Minimum delay | Urgent/D2L |
| Real Time Insurance | Insurance Company | Security ECU(s) | Delay tolerant | Urgent/D2L |
| Real Time Insurance | Law Enforcement | Security ECU(s)/Navigation | Delay tolerant | Important/Legal |
Contents
Why
Protection
Why Protect V2X?
• Physical danger that a vehicle system is compromised by a remote wireless operation (Cyber Attack)
• Physical danger that a vehicle system is compromised by a local (plugged-in) operation
• Motivations
– Identical to “standard” internet
• Physical effect
• Monetary advantage
• For fun
Three Primary Functions
The Three Primary Information Security Functions
• ANTI-TAMPER: Protecting customers' IP (Reverse Engineering, Cloning, etc)
• INFORMATION ASSURANCE: Protecting customers' information/data through Cryptography and Fault Tolerant Design
• TRUST: Silicon, software, firmware and IP is “trojan-free”
Actors
• OEMs
  1) Reputation risk
  2) Legal Liability
  3) Revenue
• Supply Chain
  1) Reputation risk
  2) Legal Liability
  3) Revenue
• Standards Bodies
  1) Functional Safety Guidance
  2) Interworking
Actors
• Government
  1) Public safety
  2) Cost of clearing up
  3) National reputation
  4) Desire for improved transport systems
• Insurance Industry
  1) Reducing claims
  2) Clear insurance framework
• Threat Landscape
  1) Internet transition into the vehicle
  2) Change in attack motivation
  3) Development of attack capability
Contents
How
Techniques
• Categorise and manage Threat Landscape
• Match principles from IT industry
• Treat Cyber threat as a functional safety threat
• Ensure development processes use robust cyber-resistance principles
• Establish a chain of Trust throughout supply chain
• Establish a Cyber incident management scheme throughout supply chain
• Cooperate with competitors and other members of the supply chain to improve the resistance of the whole
• Use well understood tools and techniques
Threat Landscape
• Create List of all threats
• Calculate potential cost of each threat
• Detail countermeasures to each threat
• Calculate cost of each countermeasure
• Decide where to draw the line
• Repeat for each significant variant
Prioritisation
• Implement features above red line

| Function | Threat | Difficulty | Cost if active | Priority | Countermeasure | Effectiveness | Cost |
|---|---|---|---|---|---|---|---|
| Active Lane Assist | Left camera spoofed | Difficult | Cost to retrofit anti-spoofing | D2L | Authenticate ALA ECU camera information link functions | L | L |
| | | | | | Encrypt ALA ECU - camera link | L | M |
| | Right camera spoofed | Difficult | Cost to retrofit anti-spoofing | D2L | Authenticate ALA ECU camera information link functions | L | L |
| | | | | | Encrypt ALA ECU - camera link | L | M |
| | ALA ECU compromised | Medium | | D2L | Remove default hardcoded debug entry points | H | L |
| | | | | | Use h/w encrypted programme code store | H | M |
| | | | | | Use s/w encrypted programme code store | H | M |
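The threat-landscape procedure (list threats, cost them, cost the countermeasures, decide where to draw the line) applied to the Active Lane Assist rows of the table, as an added example that is not part of the talk. The numeric scores behind Easy/Medium/Difficult and L/M/H/D2L, the likelihood-times-impact priority and the greedy budget cut-off are assumptions made for illustration.

```python
# Added example (not from the talk): the threat-landscape procedure applied to
# the Active Lane Assist rows. Numeric scales and the priority formula are assumed.
from dataclasses import dataclass, field

LIKELIHOOD = {"Easy": 3, "Medium": 2, "Difficult": 1}  # easier attack => more likely
IMPACT = {"L": 1, "M": 2, "H": 3, "D2L": 5}            # D2L = danger to life
LEVEL = {"L": 1, "M": 2, "H": 3}                       # effectiveness / cost scale

@dataclass
class Countermeasure:
    name: str
    effectiveness: str  # L / M / H
    cost: str           # L / M / H

@dataclass
class Threat:
    name: str
    difficulty: str      # Easy / Medium / Difficult
    cost_if_active: str  # L / M / H / D2L
    countermeasures: list = field(default_factory=list)

    def priority(self) -> int:
        """Priority = likelihood x impact (assumed scoring, not the talk's)."""
        return LIKELIHOOD[self.difficulty] * IMPACT[self.cost_if_active]

def rank_countermeasures(threat: Threat) -> list:
    """Best value first: effectiveness per unit cost, then raw effectiveness."""
    return sorted(threat.countermeasures, reverse=True,
                  key=lambda c: (LEVEL[c.effectiveness] / LEVEL[c.cost], LEVEL[c.effectiveness]))

def draw_the_line(threats: list, budget: int):
    """Greedy red line: highest-priority threat first, best-value countermeasure first,
    each taken only if it still fits in the remaining budget."""
    chosen, spent = [], 0
    for t in sorted(threats, key=Threat.priority, reverse=True):
        for c in rank_countermeasures(t):
            if spent + LEVEL[c.cost] <= budget:
                chosen.append((t.name, c.name))
                spent += LEVEL[c.cost]
    return chosen, spent

# Rows transcribed from the Active Lane Assist prioritisation table above.
CAMERA_CMS = [Countermeasure("Authenticate ALA ECU camera information link functions", "L", "L"),
              Countermeasure("Encrypt ALA ECU - camera link", "L", "M")]
ALA_THREATS = [
    Threat("Left camera spoofed", "Difficult", "D2L", list(CAMERA_CMS)),
    Threat("Right camera spoofed", "Difficult", "D2L", list(CAMERA_CMS)),
    Threat("ALA ECU compromised", "Medium", "D2L", [
        Countermeasure("Remove default hardcoded debug entry points", "H", "L"),
        Countermeasure("Use h/w encrypted programme code store", "H", "M"),
        Countermeasure("Use s/w encrypted programme code store", "H", "M")])]
```

With a budget of 4 cost units the compromised-ECU threat outranks the spoofed cameras and the debug-entry-point removal is taken first; repeating the run for each variant is what "Repeat for each significant variant" amounts to.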
Selectively adopt IT Principles
Functional Safety
• Consider V2X end to end function
• How does it interact with functional safety?
• Example
– Vehicle disabled when insurance is invalid
– Example of an external service interacting with a functional safety feature
– Vehicle disabled while moving – No
– Vehicle disabled while engine stopped - Possibly
– Exception conditions – Yes (level crossing)
– Cyber threat – Yes
Trust in V2X Supply Chain
• Trust landscape
1) Threats understood and documented by all members of supply chain
2) Appropriate countermeasures in place
3) Software verified to threat model on delivery
4) Hardware verified to threat model on delivery
5) Service verified to threat model
(Diagram: supply chain showing Tier 3/4/5, Tier 2, Tier 1, OEM, Data transport and Service Providers)
Incident Management
Use Examples from IT Industry
• Qualify and train supply chain
– Be prepared to remove uncooperative suppliers
• Setup peer incident management teams throughout supply chain
– When incidents occur, these teams provide the options
• Run simulated scenarios to exercise team
• Extend to cover
– Multiple OEMs
– Multiple Tier 1/2/3/4
– Multiple service providers
Detailed Tools
Use security capability developed for automotive industry
Use security capability developed for other industries
Initiatives
Collaboration Group formed to explore Cyber Security for connected vehicles
Contents
When
Investment
• Balance to be struck
1) Perceived threat
2) Available investment to counter threat
• Balance re-evaluated regularly
1) New model design
2) New feature development
3) Changing threat landscape
4) Standards iteration
5) Time
(Diagram: Risk vs Counter)
When
• Is the threat to your products and services managed?
1) Threat assessment drives budgeting
2) “When” spend is required is driven by budget
• Begin budgeting now for V2X services threat assessment
• Invest resources in cross-industry collaboration
Summary
• Introduced context of securing V2X
– Categorisation
• Introduced motivations behind securing V2X
– Attacks, interested parties
• Provided top level suggestions for approaches
– 8 approaches discussed
• Looked at possible timescales
– Risk vs Investment
Contents
Thank You
Dr Paul Martin