Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security of In-Vehicle Software

Published byBernadette Cox Modified over 6 years ago

Similar presentations

Presentation on theme: "Security of In-Vehicle Software"— Presentation transcript:

1 Security of In-Vehicle Software
Submitted by UL-Netherlands Document No. ITS/AD-09-15 (9th ITS/AD, 22 June 2016, agenda item 4) Security of In-Vehicle Software A Vision on Security for Road Safety Geneva, 22 June 2016 UNECE Informal Group on ITS/ Automated Driving Arjan Geluk, CLASSIFICATION: PUBLIC

2 Agenda The Challenge of Vehicle Security Target Situation: Secure Vehicles for Safe Roads Bridging the Gaps

3 The Challenge of Vehicle Security The Trends
Transition of the automobile into the information age Vehicle connectivity, vehicle automation, data collection Growing complexity connected embedded devices Tens of millions of lines of code Wireless capability: keyless entry, tire-pressure monitoring, infotainment, telematics systems In Security Terms: Increasing probability of exploitable software flaws Larger attack surface Greater risk of privacy violations

4 The Challenge of Vehicle Security The Trends
Increased attention and accessibility for car hacking

5 Target Situation Secure Vehicles for Safe Roads
A vision for the future of automotive cybersecurity Security will be taken as seriously as safety Security and safety will be addressed in an integrated manner Legal frameworks and type approval requirements enforce high levels of security Vehicle authorities consider the whole vehicular infrastructure Wide adoption of industry standards tailored to automotive cybersecurity Privacy is addressed using general data protection rules applied to the automotive domain

6 Target Situation Secure Vehicles for Safe Roads
Security will be taken as seriously as safety Security Critical System Safety Critical System Not addressing security means relying on luck Any system that must be SAFE, must also be SECURE If a non-safe state can be caused unintentially, then what about maliciously?

7 Target Situation Secure Vehicles for Safe Roads
Security and safety will be addressed in an integrated manner Source: SAE J3061

8 Target Situation Secure Vehicles for Safe Roads
Security and safety will be addressed in an integrated manner Key Advantages: Same goal: Prevent the vehicle from entering an unsafe state Take advantages of already implemented frameworks, processes, mentalities Efficiency of overlapping safety and security measures Consistency and completeness

9 Target Situation Secure Vehicles for Safe Roads
Legal frameworks and type approval requirements enforce high levels of security Historically, safety has been driven to a large extent by regulation. Security will be even more so, because Return on investment for security is very long-term We need to act proactively The sector as a whole is not security aware enough (yet!)

10 Target Situation Secure Vehicles for Safe Roads
Legal frameworks and type approval requirements enforce high levels of security Security regulation should be integrated in the existing systems for Creating the standards and regulation Enforcing the regulation through national type approval authorities Incident Response

11 Target Situation Secure Vehicles for Safe Roads
Legal frameworks and type approval requirements enforce high levels of security Flexible enough to adapt, strong enough to enforce

12 Target Situation Secure Vehicles for Safe Roads
Legal frameworks and type approval requirements enforce high levels of security Manufacturer Full type-approval process Classification New Product/Update Update approval process Occasional classification spot-checks Continuous, in-use approach to type approval of in-vehicle software Approval for ONE vehicle type with ONE VERSION of the software

13 Target Situation Secure Vehicles for Safe Roads
Vehicle authorities consider the whole vehicular infrastructure OTA Update Backend Telematics Unit Gateway ECUs A car is now more than just in-vehicle hardware and software

14 Target Situation Secure Vehicles for Safe Roads
Vehicle authorities consider the whole vehicular infrastructure OTA Update Backend Telematics Unit Gateway ECUs Enterprise Private Keys Secure communication using TLS, certificate pinning Trust Anchor Code signature verification, integrity checks, secure distribution of service pack, secure boot loader, etc. …

15 Target Situation Secure Vehicles for Safe Roads
Vehicle authorities consider the whole vehicular infrastructure In-vehicle security measures alone may not be effective Extra-vehicular systems with safety critical functions Vulnerable after-market additions Compromised service stations and vehicle repair shops

16 Target Situation Secure Vehicles for Safe Roads
Wide adoption of industry standards tailored to automotive cybersecurity Current situation: Many security standards and best practices for other domains, but not specific to automotive Standards are being developed, but are in early stages e.g. VDA & SAE contributions to ISO Target: Standards describing a secure development lifecycle and best practices for securing automotive systems, from in-vehicle software until cloud services

17 Target Situation Secure Vehicles for Safe Roads
Privacy is addressed using general data protection rules applied to the automotive domain A lot of sensitive data is being collected by vehicular systems Voluntary “Consumer Privacy Protection Principles” have been developed specifically for the automotive industry Compliance is required with general data protection rules, applied to the automotive domain

18 So how do we get there?

19 Bridging the Gaps? Key measures
Security-by-design, a life-cycle approach for designing in-vehicle software How do regulators conduct surveillance? Rating system? Software Updates: Secure using code signing and trust anchor Roll-out of security patches Management of type-approval if functional changes are conducted Collaboration with the security community Bounty Programs Information sharing of threats, vulnerabilities, best practices among manufacturers. Maturity models Learning from other industries (aeronautical industry? Industrial control systems?) Defence-in-depth Layered approach Segmentation and Isolation Logging In-vehicle network security (redesign of protocols, intrusion detection and prevention) Initiatives Security workgroup under UNECE ISO standardisation using SAE and VDA input

20 THANK YOU.

21 UL Software & Security – Contact Details
Europe Leiden, the Netherlands Call Visit

Download ppt "Security of In-Vehicle Software"

Similar presentations

Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
Michael Westra, CISSP June 2012 2012 BSides Detroit Security Presentation: Vehicle Hacking “If you think technology can solve your security problems, then.

Michael Westra, CISSP June BSides Detroit Security Presentation: Vehicle Hacking “If you think technology can solve your security problems, then.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Lessons Learned in Smart Grid Cyber Security

Lessons Learned in Smart Grid Cyber Security
DG Enterprise and Industry Philippe JEAN Sustainable Mobility & Automotive Industry Unit WP.29 Enforcement Working Group meeting 27 June 2013 2013 update.

DG Enterprise and Industry Philippe JEAN Sustainable Mobility & Automotive Industry Unit WP.29 Enforcement Working Group meeting 27 June update.
Implementing Shared Inspection Management Systems Insights from recent WBG research John R. Wille WBG Investment Climate Advisory Services Amman, Jordan.

Implementing Shared Inspection Management Systems Insights from recent WBG research John R. Wille WBG Investment Climate Advisory Services Amman, Jordan.
Project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No. 619682 ) Business Convergence WS#2 Smart Grid Technologies.

Project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Business Convergence WS#2 Smart Grid Technologies.
Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst.

Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst.
Piemonte Workshop 1 11 September 2006 Paolo Salieri European Commission DG ENTR-H4 Security research in FP7.

Piemonte Workshop 1 11 September 2006 Paolo Salieri European Commission DG ENTR-H4 Security research in FP7.
Frankfurt (Germany), 6-9 June 2011 Iiro Rinta-Jouppi – Sweden – RT 3c – Paper 0210 COMMUNICATION & DATA SECURITY.

Frankfurt (Germany), 6-9 June 2011 Iiro Rinta-Jouppi – Sweden – RT 3c – Paper 0210 COMMUNICATION & DATA SECURITY.
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.

Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.
Software Security WP29 / ITS 11-11-2015 Document No. ITS/AD-07-03-Rev1 (7th ITS/AD, 11 November 2015, agenda item 3-2)

Software Security WP29 / ITS Document No. ITS/AD Rev1 (7th ITS/AD, 11 November 2015, agenda item 3-2)
Software Security WP29 IWG ITS/AD 3-11-2015 Document No. ITS/AD-06-09 (6th ITS/AD, 3 November 2015, agenda item 3-3)

Software Security WP29 IWG ITS/AD Document No. ITS/AD (6th ITS/AD, 3 November 2015, agenda item 3-3)
Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015.

Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc
IS3220 Information Technology Infrastructure Security

IS3220 Information Technology Infrastructure Security
T.Russell Shields, Co-Chair, Collaboration on ITS Communication Standards Martin Adolph, Programme Coordinator, ITU ITU activities on secure vehicle software.

T.Russell Shields, Co-Chair, Collaboration on ITS Communication Standards Martin Adolph, Programme Coordinator, ITU ITU activities on secure vehicle software.
FIA MOBILITY & TOURISM Gerd Preuss, FIA Representative at UNECE, WP 29 Protection Against Mileage Fraud Current Status in ITS-AD 110 th GRSG Meeting Geneva,

FIA MOBILITY & TOURISM Gerd Preuss, FIA Representative at UNECE, WP 29 Protection Against Mileage Fraud Current Status in ITS-AD 110 th GRSG Meeting Geneva,

Similar presentations

Ads by Google