Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment...
Transcript of Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment...
![Page 1: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/1.jpg)
AutomotiveCybersecuritySummit
Building an Automotive Cybersecurity Testing Lab
Justin Montalbano
105/01/2017
![Page 2: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/2.jpg)
AutomotiveCybersecuritySummit
Agenda Introduction
Delphi Cybersecurity
CyberSEAL Lab
Importance of Cybersecurity Testing
Processes
Tools
People
Facility
Q&A2
![Page 3: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/3.jpg)
AutomotiveCybersecuritySummit
Introduction
Cybersecurity Lab Technical Manager @ Delphi– Ethical Hacker / Web / Networking
– Automotive / Medical / Manufacturing
– Enjoys
• Exploring nature
• Family
• Breaking things
3
![Page 4: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/4.jpg)
AutomotiveCybersecuritySummit
Delphi Cybersecurity
4
Vision Establish Delphi as a Global Leader in
Automotive Cybersecurity with scalable secured products
Pillars of Cybersecurity Engineering
– Focus on helping our engineers develop secure automotive components
Process & Tools– Focus on developing processes for the
organization to follow in regards to security as well as the tools used for testing and securing products
Lab (Testing / R&D)– Focus on pen tests of our products and
research into newly developed cybersecurity products
![Page 5: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/5.jpg)
AutomotiveCybersecuritySummit
Cybersecurity Engineering & Assessments Lab (CyberSEAL)
5
Testing Facility
Mission
Red TeamTesting, Validation
and Training
Research and Development
Cybersecurity Certification
Garage Bays Lab Workbenches
Influence Cybersecurity in
Academia
![Page 6: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/6.jpg)
AutomotiveCybersecuritySummit
Importance of Cybersecurity Testing
6
Different types of cybersecurity testing:– Red team testing (production/updates)– Compliance (requirements) Testing– Incident Response Investigations
Long Term Cost Saving– On average, the cost to fix a bug, post-release, is
30x the cost of doing security by design.
Catch vulnerabilities before they show up in the wild (YouTube, social media)
Save brand from “hacking” damage *Source: National Institute of Science and Technology
![Page 7: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/7.jpg)
AutomotiveCybersecuritySummit
Importance of Cybersecurity Testing
Cannot have safety without cybersecurity.
Confirms security requirements are implemented and effective
Provides assurance to senior management.
Mitigates low hanging fruit and known vulnerabilities.
Potential to discover new bugs in updated systems.
Ensures a level of customer trust with your company.
Helps build a security culture within an organization.
7
Every company should have some form of a cybersecurity testing process, whether it be internal, external or a mix of both.
![Page 8: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/8.jpg)
AutomotiveCybersecuritySummit
Processes
8
![Page 9: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/9.jpg)
AutomotiveCybersecuritySummit
Process ModelsTypes of automotive testing models
• Automotive testing models:
– Full Vehicle Assessments
– ECU/Component Assessments
9
![Page 10: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/10.jpg)
AutomotiveCybersecuritySummit
Process Methods
**NIST 800-115 (Technical Guide to Information Security Testing and Assessment)
**Risk Based Assessment Methodology (RBAM)
SAE J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems
OWASP Testing Guide (web focused)
PCI Penetration Testing Guide (payment industry focused)
Penetration Testing Execution Standard (PTES)
Penetration Testing Framework
Information Systems Security Assessment Framework (ISSAF)10
There are specific types of methods for testing different technologies. Currently no automotive defined cybersecurity testing method.
![Page 11: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/11.jpg)
AutomotiveCybersecuritySummit
Process Methods
11
![Page 12: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/12.jpg)
AutomotiveCybersecuritySummit
Detailed Delphi Processes
12
Threat Analysis Risk Assessment
(TARA)
The process of determining the potential
threats a system possesses as well as the
risks associated with each individual
threat. (threat modeling)
OUTPUT: TARA Report
Vulnerability Assessment
The process of performing penetration
tests on a system to find common
vulnerabilities and provide mitigation
techniques to those specific vulnerabilities.
OUTPUT: Vulnerability Report,
Mitigation Report
Verification Assessment
The process of verifying that product
teams have successfully mitigated the
recommended mitigations to the
discovered vulnerabilities.
OUTPUT: Verification Report
(rubber stamp)
Planning & Design Design Validation Process Validation Production & Continuous Improvement
![Page 13: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/13.jpg)
AutomotiveCybersecuritySummit
Tools
13
![Page 14: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/14.jpg)
AutomotiveCybersecuritySummit
Testing ToolsAreas to focus tools around
Hardware
– Debugging ports / Chip Programmers
Software
– Operating Systems / Applications
Interface(s)
– RF (Wifi, GPS, Bluetooth, V2X, TPMS, Key Fob, sensors, etc.)
– USB
– Cellular (LTE, GSM, CDMA)
– Network(s) (CAN, Ethernet, MOST, etc.)
14
![Page 15: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/15.jpg)
AutomotiveCybersecuritySummit
Testing ToolsList of tools and their use
Vehicle Diagnostic Tool (dealership tool) Reset vehicle fault/error codes
Oscilloscope / RF Signal Analyzer / Logic Analyzer Signal decoding and interpretation
Intrepid Vehicle Spy / Vector CANoe / SAINT2 Vehicle simulation / emulation
USB Rubber Ducky / Facedancer21 / USB Kill USB interface testing
Bus Pirate / JTAGulator / JTAG/SWD Debugger Debug port testing
HackRF / BladeRF / YARD Stick One / Ubertooth One / Pineapple / RF Shield Radio frequency interface testing
15
Linux Test Machines
Cell Site Simulator Cellular Testing
Protecode SC / Black Duck Software Composition Analysis
Coverity / Veracode Static Code Analysis
Wireshark / Burp Suite / Fiddler Traffic analyzer/manipulator
![Page 16: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/16.jpg)
AutomotiveCybersecuritySummit
16
Testing ToolsPhotos
Oscilloscope Spectrum Analyzer Raspberry Pi HackRF One
Bus Pirate JTAGulator BladeRF Segger jlink
![Page 17: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/17.jpg)
AutomotiveCybersecuritySummit
Management Tools
Git / File Sync
Task / Project Management
Secure File Storage / Distribution
Automated Testing Suite
17
TestScript
TestExecution
TestAutomation
![Page 18: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/18.jpg)
AutomotiveCybersecuritySummit
People
18
![Page 19: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/19.jpg)
AutomotiveCybersecuritySummit
Technical Manager Oversee the lab operations
Lab Engineer Lead(s) Leads, organizes and executes assessments
Lab Engineer(s) Organizes and executes assessments
Interns Learns, organizes and executes assessments
Liaison between testing & product development Arranges products for testing and works with product teams to review/integrate
19
Organization of PeopleRoles for cybersecurity testing team
![Page 20: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/20.jpg)
AutomotiveCybersecuritySummit
Formal Education: Information Assurance, Network Security, Electrical Engineering, Computer Science or Computer
Engineering
Work Experience: Penetration testing for enterprise, embedded and/or other connected systems
Development of test plans and deep understanding of electronics, full stack (OSI Model)
Certificates: Certified Penetration Testing Consultant (CPTC), Certified Penetration Testing Engineer (CPTE), GIAC
Certified Penetration Tester (GPEN), Offensive Security Certified Professional (OSCP)
Common Titles: Security Analyst, Security Consultant or Security Engineer
Where to find these people? College Hackathons, Information Security Conferences (SANS, DefCON, BSides, Blackhat, GrrCON,
etc.) 20
Organization of PeopleSkillsets essential for cybersecurity testing
![Page 21: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/21.jpg)
AutomotiveCybersecuritySummit
Facility
21
![Page 22: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/22.jpg)
AutomotiveCybersecuritySummit
Facility for Testing An independent team with a dedicated lab is essential to harvest security
personnel.
Depending on the cybersecurity automotive testing model you follow (component level or full vehicle), different setups can be configured.
Can look into 3rd party contracting for a testing facility, but may be more costly in the long run. Although, 3rd party testing validation is always encouraged and should not be neglected.
22
![Page 23: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/23.jpg)
AutomotiveCybersecuritySummit
Key Take Aways Cybersecurity testing is crucial to securing ECUs.
You cannot have safety without security.
Integrate cybersecurity testing into development processes.
Ensure your lab is equip with the proper tools to test with a red team perspective.
Build a team of hackers to influence a culture of security throughout your organization.
Encourage an independent testing facility(ies) and team to build a “go-to” cybersecurity team.
3rd Party contracting can help assist in areas of low resources, but can be expensive long term.
23
![Page 24: Building an Automotive Cybersecurity Testing Lab · Information Systems Security Assessment Framework (ISSAF) 10 There are specific types of methods for testing different technologies.](https://reader033.fdocuments.us/reader033/viewer/2022041910/5e671b610b23b859a06f4d6f/html5/thumbnails/24.jpg)
AutomotiveCybersecuritySummit
Q&A
24
?