Securely Connecting People, Applications, and Devices Conquering Complexity: Addressing Security Challenges of the Connected Vehicle October 3, 2018

Conquering Complexity: Addressing Security Challenges of the … · 2019. 2. 11. · Conquering Complexity: Addressing Security Challenges of the Connected Vehicle October 3, 2018

  • Conquering Complexity: Addressing Security

    Challenges of the Connected Vehicle

    October 3, 2018

    Ted Shorter

    Chief Technology Officer | CSS

    www.css-security.com

  • The Promise of Connected Vehicles

    • Vehicle maintenance

    • Infotainment

    • Telematics ─ Accident avoidance

    • “Software-defined” Vehicles

    © 2018 Certified Security Solutions, Inc.

  • The Promise of Connected Vehicles

    • Automation

    • Car sharing

    • Coordination

    • Security becomes critical

  • The Challenge of Connected Vehicles

  • Securing Vehicles is Hard

    • Attractive target

    • Constrained platforms

    • OEMs manage complex supply chains

    • Multi-vendor

    • Cost-sensitive

    • Difficult to patch or update

  • Securing Vehicles is Hard

    • Long design times

      • 5 years

    • Long life spans

      • 15-20 year life expectancy

      • Average age of vehicles on the road: 11.6 years

    • Safety comes first

  • “Complexity is the Enemy of Security”

    • Components per vehicle: ~1800

    • 80-150 ECUs per vehicle

    • Hundreds of suppliers

  • Lines of Code

    Source: informationisbeautiful.net

  • CAN Bus and OBD-II

    • CAN designed in 1983

      • No security built into the design

    • OBD mandated in 1996

      • Universal access to on-board diagnostics

  • Right to Repair

    • Dealer repair

    • 3rd-Party Mechanic repair

    • Owner repair

    • Upgrades and aftermarket

    • CY2015 Automotive aftermarket: $450 Billion*

    *Source: Global Market Insights .com

  • Authentication and Authorization Roles

    Authentication & Authorization in the Enterprise:

    [Diagram: three columns labeled Subjects, Roles and Resources. The links between columns are labeled Assignment (membership) and Permission (e.g., Read, Write). Labels shown: Administrators, Users, Business Units, App Owners, Application, Data.]

  • Authentication and Authorization Roles

    Authentication & Authorization in the Vehicle:

    [Diagram labels: Manufacturer, Dealer, Owner*, Mechanic, Renter, Rentee, Passenger*; Vehicle ECUs, Firmware, Networks, Steering, Braking, Engine, Suspension, Infotainment, Telematics, Dashboard, V2V.]

  • Crypto Agility

    • The algorithms and keys we use today will not be secure in the future

    • Constrained devices are not immune to this fact

    • Know what you have:

      • End-entity certificates and keys

      • Roots of Trust

    • Plan for algorithm end-of-life – updatability

  • So, what now?

    Best Practices Still Apply

    • Defense in Depth

    • Fail Safely (and Securely)

    • Least Privilege

    • Separation of Duties

    Existing Technologies, Used in New Ways

    • Segmentation / Multi-Bus / Firewalls

    • Over-the-Air Updates

    • Code Signing

    • PKI / Digital Certificates

    • Certificate & Key Management

    • TCP/IP

    • Federation

    • Encryption

    • Hardware Key Storage (TPM, HSM)

    • RADIUS

  • Industry Groups

    Standards and Regulation are inevitable

    • SAE (Society of Automotive Engineers)

    • ISO (International Standards Organization)

    • IEEE (Institute of Electronics Engineers)

    • NIST / AIAG (Automotive Industry Action Group)

    • Auto-ISAC (Automotive Information Sharing and Analysis Center)

    • CAMP (Crash Avoidance Metrics Partners)

  • V2X

    • Vehicle-to-Vehicle

    • Vehicle-to-Infrastructure

    • First pilots in 2012

    • Live in some vehicles today

  • In Summary

    • The first step is knowing you have a problem…

    • IoT Security is hard; automotive security is harder

    • Change is coming, but it will take time

    • Regulation and Standards are also coming

  • Follow us on

    As the market leader in enterprise and IoT digital identity security for data, devices and applications, CSS is a cyber security company that builds and supports platforms to enable secure commerce for global businesses connected to the Internet. Headquartered in Cleveland, Ohio, with operations throughout North America, CSS is at the forefront of delivering innovative software products and SaaS solutions that are secure, scalable, economical and easy to integrate into any business.

    © 2018 Certified Security Solutions, Inc. All Rights Reserved.

    Thank you!

    For more information on certificate management software,

    PKI managed services, or PKI professional services at CSS,

    please visit us at: www.css-security.com.

    Ted Shorter, Chief Technology Officer

    Certified Security Solutions, Inc.

    Direct: (216) 785-2970

    https://twitter.com/cssITsecurity

    https://www.facebook.com/pages/Certified-Security-Solutions-CSS/179282842106626

    https://www.linkedin.com/company/certified-security-solutions

    https://www.youtube.com/channel/UCNAVX4LB0YxwVjkTVQ8ELGQ

    https://www.css-security.com/