Comments on 18 mitigations proposed by OICA(TFCS-06-11)


Comments on 18 mitigations proposed by OICA(TFCS-06-11) Koji NAKAO, NICT

Proposed Mitigations

1. Access to files and data shall be authorized
2. Best practices for backend systems shall be followed (e.g. OWASP, ISO 27000 group)
3. Confidential data shall be encrypted
4. Cybersecurity best practices for software and hardware development shall be followed
5. Cybersecurity best practices shall be followed for storing private keys
6. Data protection best practices shall be followed for storing private and sensitive data. Data protection regulations of individual countries shall be adhered to.
7. Data shall be (end-to-end) authenticated and integrity protected
8. Internal messages shall contain a freshness value
9. Internal/Diagnostic messages shall be authenticated and integrity protected
10. Measures to detect intrusion are recommended
11. Measures to detect unauthorized privileged access are recommended
12. Measures to ensure the availability of data are recommended
13. Organizations shall ensure the defined security procedures are followed
14. Software and configuration shall be authenticated and integrity protected
15. The certification policy for V2X communication shall be followed.
16. V2X messages shall be authenticated and integrity protected
17. V2X messages shall contain a freshness value
18. V2X messages should be checked for plausibility

Scope of Mitigations (diagram on the slide; only the labels are recoverable)

In-Vehicle Environment: On-board Information Device; Power Management Control ECU; Seat Belt Control ECU; Driving Support ECU; Parking Assist ECU; Skid Control ECU; etc.; and the Communication Paths between them.
Outside-Vehicle Environment: Back-End Systems; Aftermarket Information Device; and the Communication Path to the vehicle.

1. Access to files and data shall be authorized
Scope: All (In-Vehicle, External-Vehicle, Back-End Systems (?))
The definition of "files" and "data" is not clear.
In the case of ISO/IEC 27002: "An access control policy should be established, documented and reviewed based on business and information security requirements."
Recommendation for our mitigation: An access control policy shall be established, documented and reviewed based on information security requirements. The policy shall be followed. It should be noted that the access control policy shall include how access to information (files and data) is limited.

2. Best practices for backend systems shall be followed (e.g. OWASP, ISO 27000 group)
Scope: Back-end systems
"Best practices" is not clear. For example, there is no "best practices" document in the ISO/IEC 27000 series; ISO/IEC 27002 is a "Code of practice" (for information security controls).
Recommendation for our mitigation: Security controls shall be applied to back-end systems. Security controls can be found in OWASP and in the ISO/IEC 27000 series.

3. Confidential data shall be encrypted
Scope: All (?)
Which types of data shall be encrypted (and which not) depends on the "cryptographic policy". It also depends on the regulations of individual countries.
Recommendation for our mitigation: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information (including confidential data), a policy on the use of cryptographic controls for the protection of information shall be developed and followed.

4. Cybersecurity best practices for software and hardware development shall be followed
Scope: All (?)
"Cybersecurity best practices" is not clear. In cybersecurity it is often proposed to implement a "process model" such as OODA ("Observe" -> "Orient" -> "Decide" -> "Act"), which is different from the ISMS PDCA cycle. It is also important for us to consider software/hardware development based on "Security by Design". It should be strongly recommended to conduct "vulnerability checks" both at the design stage (as part of Security by Design) and after development, in a continuous manner.
Recommendation for our mitigation: Security controls shall be applied to software and hardware development. The security controls shall include vulnerability checks and security-by-design methodologies. They can be found in xxx (documents should be listed).

5. Cybersecurity best practices shall be followed for storing private keys
Scope: All (?)
"Cybersecurity best practices" is not clear. Why do we focus only on "storing private keys"? Do we have a common understanding that a Public Key Infrastructure (PKI) is used in our environment?
Recommendation for our mitigation: This should be merged with No. 3. The "cryptography policy" shall cover the storage of private keys.

6. Data protection best practices shall be followed for storing private and sensitive data. Data protection regulations of individual countries shall be adhered to.
Scope: All (?) or In-Vehicle and Back-end systems (?)
"Data protection best practices" is not clear. We need to refer to the existing data protection best practices.
Recommendation for our mitigation: No change, but the following text should be added at the end: "Data protection best practices can be found in xxxx." (There are several International Standards developed by ISO/IEC JTC 1/SC 27/WG 5.)

7. Data shall be (end-to-end) authenticated and integrity protected
Scope: All (?) or In-Vehicle and Back-end systems (?)
Is the "data" located in the vehicle or in the back-end systems? For clarification: in this context, is the data authenticated by using a MAC?
Recommendation for our mitigation: Data in the vehicle and/or in back-end systems shall be authenticated and integrity protected.
Note: We need to distinguish this mitigation from Mit-9 (internal/diagnostic messages).

8. Internal messages shall contain a freshness value
Scope: In-Vehicle and Back-end systems (?)
Is the purpose of this mitigation only a security control against "replay attacks"? For example, "adding a time-stamp" (or a monotonic counter) is normally recognized as a best practice in cybersecurity.
Recommendation for our mitigation: This can be merged with Mit-9.

9. Internal/Diagnostic messages shall be authenticated and integrity protected
Scope: Messages in-vehicle and in back-end systems, and diagnostic messages for all?
What is the difference between "data" in Mit-7 and "messages" in Mit-9 (here)?
Recommendation for our mitigation: No change, but add the following text to cover Mit-8: "The messages shall contain a freshness value."
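To make concrete what Mit-7, Mit-8 and Mit-9 ask for together (a MAC for authentication and integrity, plus a freshness value against replay), here is an added example that is not part of the original slides or of the OICA proposal: an in-vehicle message carrying a freshness counter and a truncated HMAC computed over both the counter and the payload, with a receiver that rejects tampered, forged and replayed messages. The shared key, the 32-bit counter, the 8-byte MAC truncation and the sample payloads are assumptions chosen for illustration, not values taken from any standard.

```python
import hashlib
import hmac
import struct

# Assumed values for illustration only: a 128-bit key shared by the sending
# and receiving ECU, a 32-bit freshness counter and an 8-byte truncated MAC.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FRESHNESS_LEN = 4
MAC_LEN = 8


def compute_mac(key: bytes, freshness_field: bytes, payload: bytes) -> bytes:
    """MAC over freshness || payload, so neither can be changed without detection."""
    return hmac.new(key, freshness_field + payload, hashlib.sha256).digest()[:MAC_LEN]


def build_message(payload: bytes, freshness: int, key: bytes = KEY) -> bytes:
    """Sender side: wire format is freshness || payload || MAC."""
    freshness_field = struct.pack(">I", freshness)
    return freshness_field + payload + compute_mac(key, freshness_field, payload)


class Receiver:
    """Receiver side: verifies the MAC first, then enforces a strictly increasing counter."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_freshness = -1  # highest counter accepted so far

    def verify(self, message: bytes):
        if len(message) < FRESHNESS_LEN + MAC_LEN:
            return (False, "too short")
        freshness_field = message[:FRESHNESS_LEN]
        payload = message[FRESHNESS_LEN:-MAC_LEN]
        mac = message[-MAC_LEN:]
        expected = compute_mac(self.key, freshness_field, payload)
        # Constant-time comparison; the counter is only trusted after the MAC passes.
        if not hmac.compare_digest(mac, expected):
            return (False, "bad MAC")
        freshness = struct.unpack(">I", freshness_field)[0]
        if freshness <= self.last_freshness:
            return (False, "replay")  # reused or out-of-order counter
        self.last_freshness = freshness
        return (True, payload)


def run_demo():
    """Exercises the normal case, a replay, a tampered payload and a forged counter."""
    rx = Receiver()
    results = {}
    m1 = build_message(b"\x10\x20", 1)
    results["fresh"] = rx.verify(m1)
    results["replay"] = rx.verify(m1)            # same message again
    m2 = build_message(b"\x10\x21", 2)
    tampered = m2[:5] + bytes([m2[5] ^ 0x01]) + m2[6:]  # flip one payload bit
    results["tampered"] = rx.verify(tampered)
    results["fresh2"] = rx.verify(m2)
    # Attacker reuses an old payload and MAC but bumps the counter without the key.
    forged = struct.pack(">I", 99) + b"\x10\x20" + m1[-MAC_LEN:]
    results["forged_counter"] = rx.verify(forged)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The point the example makes for the merged Mit-9 text: a freshness value on its own does not stop replay (an attacker can rewrite it), and a MAC on its own does not stop replay (the old message is still valid); only a MAC that covers the freshness value, checked before the counter is consulted, gives both properties.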

10. Measures to detect intrusion are recommended
Scope: In-Vehicle and Back-end systems
Will this mitigation include mechanisms for the detection of malware and abnormal behaviour? If so, it should also cover measures to detect abnormal behaviour after infection.
Recommendation for our mitigation: Measures to detect intrusion and/or abnormal behaviour are recommended.

11. Measures to detect unauthorized privileged access are recommended
Scope: In-Vehicle and Back-end systems
Will this mitigation include mechanisms for the detection of spoofed messages and abnormal messages?
Recommendation for our mitigation: No change.

12. Measures to ensure the availability of data are recommended
Scope: In-Vehicle and Back-end systems
Will this mitigation include mechanisms for detection of (and protection against) DDoS? If so, this is not only about ensuring the availability of data but about ensuring the availability of the vehicle. The availability of the back-end systems is basically covered by Mit-2.
Recommendation for our mitigation: If vehicle availability is intended, reword as "Measures to ensure the availability of data and vehicle are recommended". If there is no clarification, then this should be deleted from the list of Mits.

13. Organizations shall ensure the defined security procedures are followed
Scope: Organizations (???)
"Organizations" is not clear. A code of practice for information security is already given in ISO/IEC 27002 (for any type of organization). If this Mit is meant to cover security controls other than those of ISO/IEC 27002, then we need to clarify the purpose of this mitigation further.
Recommendation for our mitigation: The meaning of "organizations" and the purpose of this Mit need to be clarified first.

14. Software and configuration shall be authenticated and integrity protected
Scope: In-Vehicle and Back-end systems (?)
"Software" is not clear. Is this mitigation trying to ensure data authentication and data integrity for software resources and configuration files using a MAC and an integrity check code? What is the difference from Mit-7 (data authentication and integrity)? Is the "data" in Mit-7 not software and configuration?
Recommendation for our mitigation: If there is no specific reason for focusing on software and configuration, then this can be covered by Mit-7.

15. The certification policy for V2X communication shall be followed.
Scope: External-Vehicle (V2X communication) (?)
Do we agree to use a certification scheme? The certification policy is only for V2X communication. Is there any other application for the certification?
Recommendation for our mitigation: It is recommended to keep this Mitigation as is; however, we need to clarify and consider this Mit further. Contributions are requested for the next WP29 TFCS.

16. V2X messages shall be authenticated and integrity protected
Scope: External-Vehicle (V2X communication) (?)
As for message authentication and integrity, we already have Mit-9 (focusing only on internal/diagnostic messages). Do we need two mitigations (Mit-9 and Mit-16)? Can we cover all messages by a single mitigation?
Recommendation for our mitigation: One solution is to merge this mitigation into Mit-9. In this case, Mit-9 should read: "Internal/External/Diagnostic messages shall be authenticated and integrity protected. The messages shall contain a freshness value."

17. V2X messages shall contain a freshness value
Recommendation for our mitigation: This mitigation is already covered by Mit-9 (see Mit-16).

18. V2X messages should be checked for plausibility
Scope: External-Vehicle (V2X communication) (?)
I have no idea how to check a message for plausibility.
Recommendation for our mitigation: It is recommended to keep this Mitigation as is; however, we need to clarify and consider this Mit further. Contributions are requested for the next WP29 TFCS.
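One common reading of "plausibility" for Mit-18 is a kinematic consistency check on the receiving side: each message is compared with physical limits and with the last accepted message from the same sender, independently of whether its signature verified. The following is an added example of that reading, not from the original slides or the OICA proposal. The message fields (a pseudonymous sender id, a timestamp in seconds, a position in a local x/y frame in metres, a claimed speed) and the thresholds (maximum speed, maximum acceleration, speed tolerance) are assumptions chosen for illustration and do not come from any V2X standard.

```python
from dataclasses import dataclass
import math

# Assumed thresholds for illustration only (not from any V2X standard).
MAX_SPEED_MPS = 70.0        # about 250 km/h
MAX_ACCEL_MPS2 = 12.0       # hard braking / acceleration limit
SPEED_TOLERANCE_MPS = 5.0   # allowed gap between claimed and observed speed


@dataclass(frozen=True)
class V2XMessage:
    """Minimal constructed message: sender pseudonym, time and claimed kinematics."""
    sender_id: str
    timestamp: float  # seconds
    x: float          # metres, local frame (assumption)
    y: float          # metres, local frame (assumption)
    speed: float      # m/s as claimed by the sender


class PlausibilityChecker:
    """Checks each message against physical limits and the sender's last accepted message."""

    def __init__(self):
        self.last_accepted = {}  # sender_id -> last plausible V2XMessage

    def check(self, msg: V2XMessage) -> list:
        """Returns the list of failed checks; an empty list means the message is plausible."""
        reasons = []
        if not 0.0 <= msg.speed <= MAX_SPEED_MPS:
            reasons.append("claimed speed out of range")
        prev = self.last_accepted.get(msg.sender_id)
        if prev is not None:
            dt = msg.timestamp - prev.timestamp
            if dt <= 0.0:
                reasons.append("timestamp not increasing")
            else:
                implied_speed = math.hypot(msg.x - prev.x, msg.y - prev.y) / dt
                if implied_speed > MAX_SPEED_MPS:
                    reasons.append("position jump implies impossible speed")
                elif abs(implied_speed - msg.speed) > SPEED_TOLERANCE_MPS:
                    reasons.append("claimed speed inconsistent with movement")
                if abs(msg.speed - prev.speed) > MAX_ACCEL_MPS2 * dt:
                    reasons.append("acceleration out of range")
        if not reasons:
            # Only plausible messages update the track, so a spoofed message
            # cannot "reset" the reference point used for the next check.
            self.last_accepted[msg.sender_id] = msg
        return reasons


def run_demo():
    """Constructed sequence: two plausible messages, then three kinds of implausible ones."""
    checker = PlausibilityChecker()
    sequence = [
        V2XMessage("A", 0.0, 0.0, 0.0, 20.0),    # first message: no history to compare
        V2XMessage("A", 1.0, 20.0, 0.0, 20.0),   # moved 20 m in 1 s at claimed 20 m/s
        V2XMessage("A", 2.0, 500.0, 0.0, 20.0),  # teleport: 480 m in 1 s
        V2XMessage("A", 0.5, 10.0, 0.0, 20.0),   # stale / out-of-order timestamp
        V2XMessage("A", 3.0, 60.0, 0.0, 90.0),   # speed beyond limit, inconsistent with track
    ]
    return [checker.check(m) for m in sequence]


if __name__ == "__main__":
    for i, reasons in enumerate(run_demo()):
        print(i, "plausible" if not reasons else reasons)
```

Such a check complements, rather than replaces, the authentication in Mit-16: a correctly signed message from a compromised or faulty sender still passes the signature check, and the plausibility check is what catches it.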

Additional considerations:
Can "jamming detection" be covered by Mit-12 (availability)?
It is also recommended to detect "illegal monitoring" in-vehicle. Is this covered by the "vulnerability check" in Mit-4?