Cybersecurity From a Tier 1’s Perspective - UMTRI · Cybersecurity From a Tier 1’s Perspective...
Transcript of Cybersecurity From a Tier 1’s Perspective - UMTRI · Cybersecurity From a Tier 1’s Perspective...
Christopher A Lupini Director, Cybersecurity Engineering Delphi Automotive Systems
September 16th 2015
Cybersecurity From a Tier 1’s Perspective
• Gasoline and diesel fuel injection systems
• Engine management system controllers
• Hybrid & electric vehicle technologies
• Infotainment • Rear seat entertainment • Integrated center stack • Driver interface systems • Connected vehicle
infrastructure
Megatrends Drive Our Technology Portfolio
2
• Active Safety systems • Vehicle-to-Vehicle
communication • Automated driving • Driver state monitoring • Occupant classification
systems
Safe Green Connected
Security is a priority for components with software communication
Cybersecurity Engineering
Future Automated Driving Infrastructure
Traffic Lights with vision
From - vehicle data To – infotainment (map, traffic, entertainment), ADAS (roadway \topology, dynamic zones)
Vehicle Share Request Vehicle from parking request
Dynamic Signs Speed changes, Lane changes
Share request
V2V Low speed Autonomous vehicles
Traffic Signs with vision
4
Cloud Cloud
Cloud
Cloud
Cloud
Connected Eco-System Back-end
Server Infotainment Map Traffic Entertainment ADAS Topology Dynamic Zones
Vehicle Data Speed Position Location Diagnostics Etc.
5
Vehicle Data Parking info Signage Etc..
Vehicle Data Acceleration Status Warnings Position
Vehicle-to-Vehicle (V2V) Vehicle-to-Infrastructure (V2I)
Personal Device
Potential Automated Driving Players
Data Centers: IBM, SAP, Microsoft, Oracle, Amazon, Google, Salesforce, Yahoo, Teradata, Cisco
Network (Short Range): Cisco, Arada, Savari, NXP, Qualcomm, Coda
Vehicle Sharing: Google/Uber, Zipcar, Lyft
Security: McAfee, Symantec [+datacenters]
Maps: Google, Navteq. Nokia, Apple, TomTom, Garmin
Vehicle Systems: Delphi and others
Cellular infrastructure: AT&T, Verizon, Sprint, T-mobile, etc
6
4G LTE
OBD
DSRC
Suppliers OEM
Public Clouds
Service Provider
ITS Operator
Exponentially increasing security sphere
7
What can go wrong? Why need Cybersecurity?
8
There is no safety without security
Cybersecurity Engineering
What Needs To Be Addressed? Scope of Problem
Prevent unauthorized personnel from taking control of in-vehicle electronic systems via wireless or wired means.
Related Areas Security of mobile media information such as copyrighted video and audio being used
in the car. Security of in-vehicle parameters such as engine calibrations, odometer, etc. Accuracy and validity of in-vehicle parameters such as vehicle speed. Will involve
Functional Safety ISO 26262. Integrity of emission-control systems Detection of counterfeit ECUs
Heightened Threats Personal Device Integration Telematics Cloud Access V2X Automated Driving IoT – car may not be the primary target
10 10
Why Cybersecurity Matters
Senator Edward Markey letter December 2013 Sent to twenty automakers demanding answers to a long list of questions about their
automobiles’ potential vulnerability to hacking.
Answers trickled in during the next year
Breach of OPM (Office of Personnel Management) OPM is the HR system of the US Government with records of security clearances
Hackers stole over 20M current and former federal employees data.
Target Breach Hackers breached Target and stole over 40M customers data including credit cards,
names, mailing addresses, phone numbers, etc.
Target offers $10M to settle a class-action lawsuit
And the list goes on… www.reddit.com/r/pwned for most recent breaches
11 11
Why Cybersecurity Matters (cont.) In his report, Senator Markey (D-MA) highlighted the following 8 key findings: • Nearly 100% of cars on the market include wireless technologies that could pose
vulnerabilities to hacking or privacy intrusions.
• Most OEMs were unaware of or unable to report on past hacking incidents.
• Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all OEMs, and many manufacturers did not seem to understand the questions posed by Senator Markey.
• Only two OEMs were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all.
• OEMs collect large amounts of data on driving history and vehicle performance.
• A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.
• Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies — how long they store information about drivers — vary considerably among manufacturers.
• Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.
(February 11, 2015)
12 12
Why Cybersecurity Matters (cont.)
• S.1806 - SPY Car Act of 2015 - Introduced 07/21/2015
• National Highway Traffic Safety Administration (NHTSA) to issue motor vehicle cybersecurity regulations Require motor vehicles manufactured for sale in the United States to protect
against unauthorized access to: (1) electronic controls or driving data, including information about the vehicle's location, speed, owner, driver, or passengers; or (2) driving data collected by electronic systems built into a vehicle
13 13
IT’s Role in Vehicle cybersecurity
14
Close partnership with Delphi Information Security
Information Technology Key Management Infrastructure DTCP, HDCP, V2X, future encryption key/certificate support
Cybersecurity Awareness Program Secure Coding Guidelines Vulnerability Definitions for Engineers
Cybersecurity Incident Response Program Proper communication channels for Engineering or IT related vulnerability Public website for OEMs, Tier 1s, Hackers/Security Researchers to reach
out through.
Cybersecurity Lessons Learned Align Engineering with IT
Tier 1 Supplier has a different view than OEMs We can sell solutions on their own or as de-facto standards
Tier 1 customers include agriculture, construction, etc.
Cybersecurity protection points available: Cloud/cell/Bluetooth CAN/LIN/FR/MOST bus (gateway or router; intrusion detection) Smart chip Secure hardware module onboard microcontroller Atomic level
Collaboration with suppliers and customers: Training Consulting Standards
15 15
Delphi’s Cybersecurity Approach
Vision • Enable a safe and secure vehicle experience through the identification and mitigation of cybersecurity risks for Delphi products
Mission
• Enhance Delphi’s reputation as a leader in the development of safe and secure vehicle systems
• Develop secured hardware and software products in collaboration with our customers and suppliers
• Establish cybersecurity requirements and incorporate into Product Development Process (PDP)
Key partnerships
• Collaborate with OEMs, silicon providers and industry experts to develop relevant solutions
• Research new techniques through cross-industry information sharing • Cooperate with national and international organizations on regulations
and design standards
Focused on a high-security driving experience
16 Cybersecurity Engineering
Delphi Cybersecurity Organization
Director, Global Software Engineering
Michael Groene
Director, Cybersecurity
Chris Lupini
Powertrain
Harry Husted
E&S
Ron Szabo
E/EA
Rob Seidler
VP, Engineering
Glen De Vos
VP, Engineering & Program Management
Mary Gustanski
Chief Information Security Officer
John Bingham
Technical Lead, Engineering
Technical Lead, Process & Tools
IDI, Functional Security Manager
EC, Functional Security Manager
PT, Functional Security Manager
17 Cybersecurity Engineering
Cybersecurity Lab, Manager
Academia & Industry Activities
18
Aligned with industry and academic initiatives
Industry involvement
Cybersecurity Engineering
Academic involvement Software and
Security Engineering
Research Center
• Coordinates applied and basic research on software and system security
• 13 participating universities
University of Michigan
Transportation Research Institute
• Consult on all aspects of transportation cybersecurity and privacy
• Cybersecurity Test Lab evaluates cybersecurity solutions
• SAE Cybersecurity Committee member
• Future member of IT – Information Sharing and Analysis Center (IT-ISAC)
• 2014 – 2015 SAE Battelle Cyber Auto Challenge host
OEM Cybersecurity Strategy
19 Cybersecurity Engineering
Partnering with key OEMs to identify best approach for cybersecurity protection for current product launches
Protection methods
Example OEM partnerships
Gateway provides vehicle and/or product-level protection
Communication paths secured with controller-level protection
Cybersecurity Guidelines and Actions
20
Structured approach to cybersecurity
Prepare React Design Align Deploy
Develop cybersecurity awareness program
Create cybersecurity
incident response program
Design to engineering guidelines with OEM
collaboration
Deploy according to global Delphi
processes
Align with Delphi
Information and Security organization
Delphi’s cybersecurity strategy centered on core principles
Cybersecurity Engineering