Connected vehicles are becoming rolling data centers. More attack surfaces expose vehicles to cyber threats that have become common in the IT industry. Connected vehicles will require an end-to-end security architecture spanning from chip level to cloud based security services that protect vehicles over the entire life cycle.
Cisco Confidential Cisco IBSG © 2011 Cisco and/or its affiliates. All rights reserved. Internet Business Solutions Group 1
Mission Critical: Security
Andreas Mai, Director Smart Connected Vehicles
April 2014
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Security Intelligence Operations: Broadest Visibility, Global Footprint, Defense in Depth
Figure: daily security intelligence, daily web requests, deployed security devices, applications & micro-applications
• 100TB Security Intelligence
• 5,500 IPS Signatures
• 3-5 min Updates
• 13B Web Requests
• 1.6M Deployed Devices
• 150M Deployed Endpoints
• 1,000 Applications
• 150,000 Micro-applications
• 93B Daily Email Messages
• 35% Enterprise Email
• 5B Daily Email Connections
• 4.5B Daily Email Blocks
Threat Operations Center, Advanced Algorithms, Cisco SensorBase: Global Threat Telemetry
Example timeline (sites in the diagram: a bank branch in Chicago, an ISP datacenter in Moscow, an ad agency HQ in London; the same flow is shown for OEM 1, OEM 2, … OEM n):
• 8:00 GMT Email Security detects compromised server
• 8:03 GMT IPS detects hacker probing
• 8:07 GMT Web Security detects new botnet
• 8:10 GMT All Cisco customers protected
Malware Attacks through all Communication Channels
• Public Clouds, Automaker Clouds, Private Clouds, Enterprise Clouds
• Roadside Networks (V2I Communications)
• V2V Communications
• Local / On-board Communications: Onboard Wi-Fi Hotspot, Tethered Smartphone, Onboard Diagnostic Interface (OBD II)
• Onboard Networks, Devices & Apps
Room for security in in-vehicle packets (values as shown on the slide; a security tag, e.g. an AES 128-bit, i.e. 16-byte, signature, needs space in every packet):

                              CAN    CAN Virtual Package    Ethernet
Packet Size [Bits]                   "160"                  1,500
"Free" bytes for user data    8      128                    1372
Room for security?            0      32                     128

(Cumbersome) Workaround:
• Receiver collects 20 CAN packets into one virtual packet
• … but what happens if one packet is missed?
• Every message is broadcast by a single ECU: but what if a rogue ECU is cheating?
• The 11-bit/29-bit 'message-ID' field is not verifiable
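The workaround above, as an added example that is not part of the slide deck: a sender splits 128 bytes of user data plus a 32-byte authentication tag into 20 eight-byte CAN frames (the slide's 160-byte virtual package), and the receiver reassembles and verifies them. HMAC-SHA256 with a shared key stands in for the slide's AES-based signature; the key, CAN ID and payload values are constructed for the demo.

```python
import hmac
import hashlib
from typing import Optional

FRAME_DATA_BYTES = 8      # a classic CAN frame carries at most 8 data bytes
FRAMES_PER_PACKET = 20    # the slide's workaround: 20 frames form one "virtual packet"
USER_BYTES = 128          # 16 frames of application payload; the remaining 4 frames (32 bytes) carry the tag

def _tag(key: bytes, can_id: int, payload: bytes) -> bytes:
    # The tag also covers the CAN ID, since the ID field itself is not verifiable on the bus.
    # HMAC-SHA256 is a stand-in here for the slide's AES 128-bit signature (assumption).
    return hmac.new(key, can_id.to_bytes(4, "big") + payload, hashlib.sha256).digest()

def build_virtual_packet(key: bytes, can_id: int, payload: bytes) -> list:
    """Sender side: split payload + tag into 20 (can_id, 8-byte data) frames."""
    if len(payload) != USER_BYTES:
        raise ValueError(f"payload must be exactly {USER_BYTES} bytes")
    blob = payload + _tag(key, can_id, payload)                       # 160 bytes
    return [(can_id, blob[i:i + FRAME_DATA_BYTES]) for i in range(0, len(blob), FRAME_DATA_BYTES)]

def reassemble_and_verify(key: bytes, frames: list) -> Optional[bytes]:
    """Receiver side: return the payload only if all 20 frames of one ID arrived and the tag checks."""
    if len(frames) != FRAMES_PER_PACKET:                              # a missed frame cannot be recovered
        return None
    if len({can_id for can_id, _ in frames}) != 1:                    # all frames must claim the same ID
        return None
    can_id = frames[0][0]
    blob = b"".join(data for _, data in frames)
    payload, tag = blob[:USER_BYTES], blob[USER_BYTES:]
    if not hmac.compare_digest(tag, _tag(key, can_id, payload)):
        return None                                                   # forged, corrupted or mis-ordered
    return payload

# Constructed demo values (not from the slide).
KEY = b"shared-ecu-key-for-demo-only"
ENGINE_ID = 0x244

def demo() -> tuple:
    payload = bytes(range(USER_BYTES))
    frames = build_virtual_packet(KEY, ENGINE_ID, payload)
    ok = reassemble_and_verify(KEY, frames) == payload
    # 1) one frame lost on the bus: the whole 160-byte virtual packet becomes unusable
    lost = reassemble_and_verify(KEY, frames[:7] + frames[8:]) is None
    # 2) a rogue ECU reuses the legitimate ID (the ID field is unauthenticated) but lacks the key
    rogue = build_virtual_packet(b"attacker-guess", ENGINE_ID, payload)
    forged = reassemble_and_verify(KEY, rogue) is None
    return ok, lost, forged

if __name__ == "__main__":
    print(demo())   # → (True, True, True)
```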
Attack scenario (slide diagram; external networks: Enterprise, Web, OEM, Roadside, Grid, Home; in-vehicle domains: Audio/Video, Diagnostics, Telematics, ADAS, …):
• Malware created in car's communication gateway
• Creates malware on the ADAS
• Sends a super-packet
• Exposes OBU and starts sending many bad packets
• Unauthorized packets are sent
• The car is disabled or destroyed
Advanced Vehicle Security System (slide diagram; external networks: Enterprise, Web, OEM, Roadside, Grid, Home; in-vehicle domains: ADAS, Audio/Video, Diagnostics, Telematics, …):
• (1) Secure Car Gateway (SCG)
• (2) Security Cloud: Vehicle Threat Defense Update, Vehicle Misbehavior Detection, Vehicle Threat Report
(1) Vehicle System:
• Harden ECUs: HW, OS, App SW, secure BL, incl. chemistry
• Validate and protect code integrity
• Authenticate messages, KMS
• Detect anomalies/intrusions
• Secure OTA S/W update
• Protect privileged service mode
• Secure App sandbox
(2) Security Cloud
1. Vehicle System Security: In-Vehicle Networks (vehicle ECUs, sensors, actuators, applications)
2. Vehicle Services (Onboard Security Gateway, terminating local wireless and physical connections): secure vehicle access, secure communications, malware defense, onboard activity monitoring, onboard authentication and key management, …
3. Secure V2I Communications:
• IPSec, SSL, ...
• Dynamically established at proper protocol layers
• Scalable to support 10+ M vehicles
4. Cloud Services (Cloud Security): assist vehicle's threat defense, update vehicle onboard defense, and remove threats before they reach vehicles
5. Interactions for the security cloud to assist onboard threat defense: threat related information; updates & threat defense assistance
6. Remote Mgt.: provisioning, key and credential mgt, remote monitoring, malware removal, …
7. Misbehavior Detection: anomalies, context based defense
Remote traffic to Public, Private, Enterprise and Automaker Clouds flows either through the Security Cloud or not through the Security Cloud.
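The onboard activity monitoring and misbehavior detection items above, as an added example that is not from the slide deck: a rate-based check over a candump-style CAN trace that flags an ID sent far faster than its learned baseline (the "many bad packets" scenario from the earlier slide) and any ID no legitimate ECU uses. The trace, the baseline rate and the IDs are constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# candump-style line, e.g. "(1.234) can0 244#0011223344556677"
LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")

# Expected frames per second per legitimate CAN ID, as learned from a known-good trace
# (constructed value for this example).
BASELINE_HZ = {0x244: 10.0}

def parse_candump(text: str) -> list:
    """Return (timestamp, can_id, data) tuples; lines that do not match are ignored."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames

def detect_misbehavior(frames: list, baseline=BASELINE_HZ, window=1.0, tolerance=2.0) -> list:
    """Count frames per ID in each time window; alert on unknown IDs and on floods
    exceeding tolerance x the baseline rate. Returns (window, can_id, reason, count)."""
    buckets = defaultdict(Counter)
    for ts, can_id, _ in frames:
        buckets[int(ts // window)][can_id] += 1
    alerts = []
    for w in sorted(buckets):
        for can_id, n in sorted(buckets[w].items()):
            if can_id not in baseline:
                alerts.append((w, can_id, "unknown-id", n))
            elif n > baseline[can_id] * window * tolerance:
                alerts.append((w, can_id, "flood", n))
    return alerts

def constructed_trace() -> str:
    """Constructed trace (not captured from a vehicle): one second of normal 10 Hz traffic on
    ID 0x244, then a second in which a rogue ECU floods 0x244 and emits an unused ID 0x7FF."""
    lines = [f"({t / 10:.3f}) can0 244#00000000000000{t:02X}" for t in range(10)]
    lines += [f"({1.0 + i / 100:.3f}) can0 244#FFFFFFFFFFFFFFFF" for i in range(70)]
    lines += [f"({1.5 + i / 100:.3f}) can0 7FF#DEADBEEF" for i in range(5)]
    return "\n".join(lines)

if __name__ == "__main__":
    for alert in detect_misbehavior(parse_candump(constructed_trace())):
        print(alert)
```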
Build End to End Security Architecture
• Secure Car Cloud Services
• Secure Car Gateway
• Secure Car Network
• Secure NW Access: 3G/LTE, WiFi/DSRC
• Security+ on ECU: SW crypto, HW
Leverage Entire Portfolio to Design Security System
Conduct Threat, Penetration & Vulnerability Analysis (threats shown: Car Theft, Service Theft, Disablement, Ransomware ("Pay now!"), …. ???; entry points shown: 3G/LTE, IVI, OBU)
• Some have already established security teams … Others are still considering whether it is necessary
• Some have already delivered security requirements to their Tier1s … Others have not yet written any security requirements
• Some are fully aware and actively engaged in security standardization … Others are still hesitant about whether and how to get involved in Vehicle Security Standards
Diagram: Vehicle Security Standard, with GOV (mandate), OEM (required), Tier-1 (USP) and PAY as the surrounding drivers
Thank you.