V1.0 | 2019-07-01

Dr. Christof Ebert, Vector Consulting Services, @VectorVCS. Stuttgart, 1 July 2019

Agile Safety and Cybersecurity for Critical Systems

© 2019. Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.0 | 2019-07-01

Vector Consulting Services

Welcome

Industries: Transport, Automotive, Aerospace, Medical, Digital Transformation, IT & Finance

Vector is the global market leader in automotive software and engineering toolchains, with over 2,700 employees.

Vector Consulting Services supports clients worldwide:

Product development, IT and change management

Processes, tools, trainings, coaching, transformation, interim support

Agile, cybersecurity, safety, ASPICE, requirements engineering, etc.

www.vector.com/consulting

www.vector.com/consulting-career

2/29


1. Welcome

2. Risk-Oriented Development

3. Scaling Agile for Critical Projects

4. Practical Guidance and Vector Experiences

5. Conclusions and Outlook

Agenda


Vector Client Survey 2019: The Fight of Two Forces

Risk-Oriented Development

Safety and Security dominate both short-term and mid-term challenges.

[Figure: scatter chart of the challenges named by respondents. Horizontal axis: short-term challenges (0% to 70%); vertical axis: mid-term challenges (0% to 60%). Plotted items: Competitiveness, Innovation, Competences, Efficiency, Flexibility, Distributed teams, Connectivity, Quality, Complexity, Digital transformation, Compliance, Others.]

Source: Vector Client Survey 2019. Details: www.vector.com/trends. Sum > 300% due to 5 answers per question. Strong validity with 4% response rate of 2000 recipients from different industries worldwide.


Automotive Trends Impact Safety and Security

Risk-Oriented Development

1. Powertrain: energy efficiency. Hazard: unintended speed change

2. Driver Assistance: autonomous driving. Hazard: signal confusion

3. Connectivity: always connected. Hazard: sudden driver distraction

Combined Safety and Security Need Holistic Systems Engineering

Risk-Oriented Development

Functional Safety

Goal: protect health. Risk: external hazards. Governance: ISO 26262 etc.

Methods: HARA, FTA, FMEA, ...; fail operational, ...; redundancy, ...

Cybersecurity

Goal: protect assets. Risk: internal threats. Governance: ISO 21434 etc.

Methods: TARA, defensive coding, ...; cryptography, ID/IP (intrusion detection/prevention), ...; key management, ...

Privacy

Goal: protect personality rights. Risk: data threats. Governance: ISO 27001 etc.

Methods: TARA, ...; cryptography, ...; explicit consent, ...

Common to all three: liability, risk management, holistic systems engineering.

Standards Demand Risk-Oriented Approach

Risk-Oriented Development

Functional Safety (IEC 61508, ISO 26262, ISO 21448): hazards and risk mitigation; increasing focus on SOTIF and compliance; safety engineering and culture.

+ Security (ISO 27001, ISO 15408, ISO 21434, SAE J3061): threat and risk mitigation; abuse, misuse and confuse cases; security engineering.

ISO 26262 ed. 2 refers to shared methods, e.g. TARA. Shared between the two disciplines: architecture, methods, data formats and functionality.

Security and safety are interacting and demand holistic systems engineering.

[Figure: two parallel V-models.]

Safety: operational scenarios, hazard and risk assessment -> safety goals and requirements -> functional and technical safety concept -> safety implementation -> safety verification -> safety validation -> safety case, certification, approval -> safety management after SOP.

Security: assets, threats and risk assessment -> security goals and requirements -> technical security concept -> security implementation -> security verification -> security validation -> security case, audit, compliance -> security management in POS.

For (re)liable and efficient ramp-up, connect security to safety governance.

ACES (Autonomy, Connectivity, e-Mobility, Services)

Risk-Oriented Development

[Figure: connected-vehicle ecosystem and its interfaces: 4G/5G, OBD, DSRC, suppliers, OEM, public clouds, service provider, ITS operator.]

Cybersecurity will be the major liability risk in the future. On average, a security gap is detected by a third party in 70% of cases, and is then soon exploited.

Cyberattacks and the hazards they create:

Password attacks

Application vulnerabilities

Rogue clients, malware

Man-in-the-middle attacks

Eavesdropping, data leakage

Command injection, data corruption, back doors

Physical attacks, sensor confusion

Trojans, ransomware

Functional Safety and Cybersecurity Demand Risk-Oriented Development

Risk-Oriented Development

Risk = Severity of harmful event × Probability of occurrence

[Figure: risk matrix with probability on the vertical axis and severity on the horizontal axis, divided into an acceptable-risk and an unacceptable-risk region.]

Risk-oriented engineering means mitigating the residual risks intelligently.

Threat model (entity relationships shown on the slide):

A Threat Agent (e.g. hacker) has an Attack Potential.

An Attack is performed against an Asset and requires a matching Attack Potential.

An Asset has value for Stakeholders (e.g., driver, OEM).

An Attack causes a Threat.

A Threat is reduced by a Security Goal.

A Security Goal is achieved by Security Engineering.


Agile Appears Easy – But Is Very Demanding in Real Projects

Scaling Agile for Critical Projects

„Companies with organization-wide agile culture clearly financially outperform their peers.”

Sources: Vector Consulting Services 2019 (industry survey), McKinsey 2018/19, Harvard Business Manager 2017

„Agile is often considered as throwing away processes.”

„IEEE Software and Vector clients consider Agile as highest ranking technology in terms of past AND future impact.”


Agile Must Be Scaled for "Critical" Industry Needs

Scaling Agile for Critical Projects

Process: interaction and dependencies; risk mitigation; compliance

Technology: legacy evolution; synchronization; safety, cybersecurity

Organization: empowered distributed teams; collaboration; global value streams

Business: value focus; flexible fast delivery; supply chains

Agile Scaling for Critical Systems

Scaling Agile for Critical Projects

[Figure: risk / criticality (low to high) plotted against governance versus flexibility and continuity.]

Sources: Vector + IEEE, 2018; Vector ACE, 2019

ACE: Agile for Critical Engineering

Agile scaling needs methodology and guidance.

Team Preferences: Discipline vs. Delivery

Scaling Agile for Critical Projects

[Figure: team preferences plotted on delivery orientation versus proven-methods orientation, with the positions of the Safety Manager, the Quality Manager and the typical "agile" expectation.]

Often quality experts are too method-driven and dogmatic, while market expectations are increasingly agile.

Teams and projects face severe tensions: fear culture.

Culture focus, i.e. high leadership need.

Goals:

Ensure successful agile transformation while delivering safety and security.

Balance quality needs with agile needs, i.e., discipline vs. delivery.


Case Study: Challenge with Cost and Time at a Global Automotive Leader

Practical Guidance and Vector Experiences

Agile transformation:

Organization of the team into Scrum teams of suitable size.

Coaching of Scrum Masters and Product Owners with focus on sense of urgency, removal of obstacles, and short-term wins.

Training of management about agile, change of management style and removal of obstacles.

"Downsizing of SAFe" to avoid over-engineering of agile methods in teams.

Results:

22% lower solution cost

26% reduced time to market

On-time delivery of committed milestones has improved

Transparency towards business owners and other interfaces outside of R&D has considerably increased.

[Figure: transformation rating along the change steps: create a sense of urgency; create a guiding coalition; create a vision for change; communicate the vision; remove obstacles; create short-term wins; consolidate improvements; anchor the changes. Team preferences plotted on delivery orientation versus proven-methods orientation.]

Concept of Combined Threat/Hazard Analysis and Risk Assessment

Practical Guidance and Vector Experiences

Consider specific automotive assets derived from the CIAAG scheme (Confidentiality, Integrity, Authenticity, Availability, Governance).

Workflow: assets -> threat model and risks -> measures -> concept for solution verification

Specific automotive asset categories:

Safety, e.g. vehicle functions

Finance, e.g. liability, brand image

Operational performance, e.g. driving experience

Privacy, legislation, governance, e.g. private data

Example: identified threats for a Passive Entry function

Safety: injuries because of malfunctioning Passive Entry

Financial: extra cost due to recalls and lawsuits

Operational performance: car cannot be started, doors cannot be opened

Privacy/Legislation: theft of personal data
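The risk formula slide (risk = severity × probability, with attack potential feeding probability) and the combined-analysis slide above (impact per asset category) in working code, as an added example that is not from the slides or from Vector SecurityCheck: a small C program that rates constructed passive-entry threats by their impact in each asset category and by the attack potential an attack requires, derives severity and probability from them, and flags every threat whose risk exceeds an acceptance threshold as needing a security goal. The rating scales, the 0..15 attack-potential sum, the threshold and the threat list are assumptions chosen for illustration, not values from ISO 21434 or any other standard.

```c
#include <stdio.h>
#include <stddef.h>

/* Impact rated per asset category from the slide (safety, financial,
 * operational performance, privacy/legislation): 0 = none .. 3 = severe. */
typedef struct { int safety, financial, operational, privacy; } impact_t;

/* Attack potential the attack requires, ISO 15408 style factors, each
 * 0 (easy) .. 3 (hard). The point scale is illustrative, not a standard's table. */
typedef struct { int elapsed_time, expertise, knowledge, opportunity, equipment; } attack_potential_t;

typedef struct {
    const char *asset;            /* has value for stakeholders (driver, OEM) */
    const char *threat;           /* caused by an attack against the asset */
    impact_t impact;
    attack_potential_t required;  /* attack potential the attack requires */
} threat_t;

/* Severity = worst impact over all asset categories. */
int severity(const impact_t *i)
{
    int s = i->safety;
    if (i->financial > s)   s = i->financial;
    if (i->operational > s) s = i->operational;
    if (i->privacy > s)     s = i->privacy;
    return s;
}

/* Probability of occurrence falls as the required attack potential rises:
 * sum the five factors (0..15) and map the sum to a 0..3 likelihood. */
int probability(const attack_potential_t *ap)
{
    int sum = ap->elapsed_time + ap->expertise + ap->knowledge
            + ap->opportunity + ap->equipment;
    if (sum <= 3) return 3;   /* basic attack potential suffices: very likely */
    if (sum <= 6) return 2;
    if (sum <= 9) return 1;
    return 0;                 /* needs high attack potential: unlikely */
}

/* Risk = Severity of harmful event x Probability of occurrence (0..9). */
int risk(const threat_t *t) { return severity(&t->impact) * probability(&t->required); }

/* Acceptance threshold: assumed here; a project derives it from its risk
 * matrix and documents it in the security case. */
#define RISK_ACCEPTABLE_MAX 3
int is_acceptable(const threat_t *t) { return risk(t) <= RISK_ACCEPTABLE_MAX; }

/* Constructed threat list for a passive-entry function (illustrative values). */
static const threat_t passive_entry[] = {
    { "Key fob radio link",        "Relay attack opens and starts the car",
      { 1, 2, 3, 0 }, { 0, 1, 0, 1, 1 } },
    { "Door ECU firmware",         "Tampered update unlocks doors while driving",
      { 3, 3, 2, 0 }, { 1, 1, 1, 1, 1 } },
    { "Backend trip log",          "Theft of personal location data",
      { 0, 1, 0, 3 }, { 1, 1, 2, 1, 0 } },
    { "Fob battery status message", "Spoofed low-battery warning",
      { 0, 0, 1, 0 }, { 0, 0, 0, 0, 0 } },
};
#define PASSIVE_ENTRY_COUNT (sizeof passive_entry / sizeof passive_entry[0])

/* Threats above the threshold need a security goal; returns how many. */
size_t count_unacceptable(const threat_t *list, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) if (!is_acceptable(&list[i])) c++;
    return c;
}

/* Index of the threat to mitigate first (highest risk; the first wins a tie). */
size_t highest_risk(const threat_t *list, size_t n)
{
    size_t best = 0;
    for (size_t i = 1; i < n; i++) if (risk(&list[i]) > risk(&list[best])) best = i;
    return best;
}

int main(void)
{
    for (size_t i = 0; i < PASSIVE_ENTRY_COUNT; i++) {
        const threat_t *t = &passive_entry[i];
        printf("%-44s S=%d P=%d risk=%d %s\n", t->threat, severity(&t->impact),
               probability(&t->required), risk(t),
               is_acceptable(t) ? "acceptable" : "NEEDS SECURITY GOAL");
    }
    printf("%zu of %zu threats unacceptable; mitigate first: %s\n",
           count_unacceptable(passive_entry, PASSIVE_ENTRY_COUNT), PASSIVE_ENTRY_COUNT,
           passive_entry[highest_risk(passive_entry, PASSIVE_ENTRY_COUNT)].threat);
    return 0;
}
```

The relay attack scores 9 (severe operational impact, basic attack potential) and comes first; the spoofed battery warning scores 3 and is accepted. Note that a low probability never hides a severe impact here, because the tampered-update threat still lands at 6 and demands a security goal.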

Model-Based Dependency Analysis

Practical Guidance and Vector Experiences

Traceability from changes based on hierarchic modelling, with update of analyses and tests.

Model layers: System Requirements -> Logical System Architecture -> Component Architecture -> Simulation / Implementation

Analyses and tests coupled to the model: System FTA/FMEA, Component FTA/FMEA, Fault Injection / TDD

[Figure: PREEvision-style model of a power-mirror function. Logical components: PowerMirrorCtrl, SwitchMatrix, PowerMirrorPass, PowerMirrorDriver, PowerManagement, with ports for the x/y axis signals of the passenger and driver mirrors (pm_pass_x+/x-/y+/y-, pm_driv_x+/x-/y+/y-), the mirror selection (PM_selection) and the key-in status (KeyIn). Component and network view: Body Ctrl, Driver Door Ctrl, Pass Door Ctrl, Gateway, SwitchMatrix, PassengerMirror, DriverMirror, BatMng, connected via DoorLIN (LIN), CANPT (CAN), PowerSupply and Ground.]
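The dependency analysis above as an added example, not Vector's PREEvision code: a small impact-analysis routine in C over a constructed subset of the power-mirror model. It encodes "a change in X invalidates Y" dependencies between requirements, logical components, door ECUs, the DoorLIN network, the FTA/FMEA analyses and the test suites, and reports which analyses and tests are obsolete after a change. Node names follow the figure; the edge set, and which tests depend on which elements, are assumptions for this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed subset of the slide's power-mirror model, one node per layer. */
enum node {
    REQ_MIRROR_ADJUST,      /* system requirement: mirror follows switch input */
    REQ_KEY_IN_GATING,      /* system requirement: adjustment only with key in */
    LOG_POWER_MIRROR_CTRL,  /* logical architecture: PowerMirrorCtrl */
    LOG_SWITCH_MATRIX,      /* logical architecture: SwitchMatrix */
    CMP_DRIVER_DOOR_CTRL,   /* component architecture: Driver Door Ctrl */
    CMP_PASS_DOOR_CTRL,     /* component architecture: Pass Door Ctrl */
    NET_DOOR_LIN,           /* network: DoorLIN */
    FMEA_SYSTEM,            /* analysis: system FTA/FMEA */
    FMEA_DRIVER_DOOR,       /* analysis: component FTA/FMEA of the driver door */
    TEST_FAULT_INJECTION,   /* test: fault injection suite */
    TEST_UNIT_MIRROR_CTRL,  /* test: unit tests (TDD) for PowerMirrorCtrl */
    NODE_COUNT
};
#define FIRST_ANALYSIS FMEA_SYSTEM   /* nodes from here on are analyses or tests */

static const char *const node_name[NODE_COUNT] = {
    "Req: mirror adjust", "Req: key-in gating", "PowerMirrorCtrl", "SwitchMatrix",
    "Driver Door Ctrl", "Pass Door Ctrl", "DoorLIN", "System FTA/FMEA",
    "Driver door FTA/FMEA", "Fault injection tests", "PowerMirrorCtrl unit tests",
};

/* Dependency edges (assumed): a change to `from` invalidates `to`. */
static const struct { enum node from, to; } edges[] = {
    { REQ_MIRROR_ADJUST,     LOG_POWER_MIRROR_CTRL },
    { REQ_KEY_IN_GATING,     LOG_POWER_MIRROR_CTRL },
    { LOG_POWER_MIRROR_CTRL, CMP_DRIVER_DOOR_CTRL },
    { LOG_POWER_MIRROR_CTRL, CMP_PASS_DOOR_CTRL },
    { LOG_POWER_MIRROR_CTRL, FMEA_SYSTEM },
    { LOG_SWITCH_MATRIX,     CMP_DRIVER_DOOR_CTRL },
    { LOG_SWITCH_MATRIX,     FMEA_SYSTEM },
    { NET_DOOR_LIN,          CMP_DRIVER_DOOR_CTRL },
    { NET_DOOR_LIN,          CMP_PASS_DOOR_CTRL },
    { CMP_DRIVER_DOOR_CTRL,  FMEA_DRIVER_DOOR },
    { CMP_DRIVER_DOOR_CTRL,  TEST_UNIT_MIRROR_CTRL },
    { CMP_DRIVER_DOOR_CTRL,  TEST_FAULT_INJECTION },
    { CMP_PASS_DOOR_CTRL,    TEST_FAULT_INJECTION },
    { FMEA_SYSTEM,           TEST_FAULT_INJECTION },  /* fault cases derive from the FMEA */
};
#define EDGE_COUNT (sizeof edges / sizeof edges[0])

/* Bitmask of every node transitively downstream of `changed` (itself excluded).
 * Depth-first; every node is pushed at most once, so the stack cannot overflow. */
uint32_t impact_set(enum node changed)
{
    uint32_t visited = 1u << changed;
    enum node stack[NODE_COUNT];
    int sp = 0;
    stack[sp++] = changed;
    while (sp > 0) {
        enum node n = stack[--sp];
        for (size_t i = 0; i < EDGE_COUNT; i++) {
            if (edges[i].from == n && !(visited & (1u << edges[i].to))) {
                visited |= 1u << edges[i].to;
                stack[sp++] = edges[i].to;
            }
        }
    }
    return visited & ~(1u << changed);
}

/* Analyses and tests that are obsolete after the change: returns the count
 * and writes up to `max` of them to `out`. */
int regression_scope(enum node changed, enum node *out, int max)
{
    uint32_t mask = impact_set(changed);
    int n = 0;
    for (int k = FIRST_ANALYSIS; k < NODE_COUNT; k++) {
        if (mask & (1u << k)) { if (n < max) out[n] = (enum node)k; n++; }
    }
    return n;
}

int main(void)
{
    enum node changed[] = { LOG_SWITCH_MATRIX, NET_DOOR_LIN };
    for (size_t c = 0; c < sizeof changed / sizeof changed[0]; c++) {
        enum node out[NODE_COUNT];
        int n = regression_scope(changed[c], out, NODE_COUNT);
        printf("Change in %s -> rerun %d:", node_name[changed[c]], n);
        for (int i = 0; i < n; i++) printf(" [%s]", node_name[out[i]]);
        printf("\n");
    }
    return 0;
}
```

A change to the SwitchMatrix logic invalidates the system FTA/FMEA, the driver-door FMEA and both test suites, while a change on DoorLIN touches both door ECUs and their tests but leaves the system FMEA valid: exactly the distinction a safety manager needs before deciding what to re-run in the sprint.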

Agile Scaling for Safety and Security Engineering

Practical Guidance and Vector Experiences

Manage dependencies between teams for safety- and security-related changes.

[Figure: team structure across three locations. Teams: SW Team 1, SW Team 2, HW Team, Mechanical Team and Testing Team, each with a lead (SW Lead Team 1, SW Lead Team 2, Hardware Lead, Mechanical Lead, Technical Lead Testing) and team members; a Chief Technical Lead coordinates via a Scrum of Scrums and a Kanban board; a Safety Manager drives Safety Engineering across the teams. Locations: Location 1, Location 2, Location 3.]

Tools for Safety and Security

Practical Guidance and Vector Experiences

Customer benefits:

Efficient implementation of cybersecurity and functional safety

Full life-cycle support from requirements to concept, design, test and after-sales

Traceability and governance

Support for heterogeneous environments

Package offer for gap analysis and mitigation activities with Vector SafetyCheck or Vector SecurityCheck

Continuous safety case

Tools: Vector SafetyCheck and SecurityCheck; PREEvision safety support

Vector SecurityCheck with COMPASS

Practical Guidance and Vector Experiences

Vector SecurityCheck facilitates:

Systematic risk assessment and mitigation

Traceability and governance with an auditable risk and measure list

Heuristic checklists with continuously updated threats and mitigations

Safety and Security by Design: Implementation, Verification and Validation

Practical Guidance and Vector Experiences

Design:

Defensive coding, e.g. memory allocation, avoiding injectable code, least privilege

Selected programming rules such as MISRA C and CERT

High cryptographic strength in line with performance needs

Key management and hardware-based security

Awareness and governance towards social engineering

V&V methods and tools:

Static and dynamic code analyzers

Unit tests with focused coverage, e.g. MC/DC

Interface scanner, layered fuzzing tester, encryption cracker, vulnerability scanner

Penetration testing, starting from the TARA concept

Classic coverage testing is not sufficient anymore. Test for the known, and for the unknown.

Ensure automatic regression tests run with each delivery.
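The defensive-coding and fuzzing points above applied to a small diagnostic frame parser in C, as an added example that is not code from the slides or from Vector: the length-trusting version beside the bounds-checked one, plus a deterministic fuzz loop that exercises the hardened parser with random frames and canary bytes. The frame layout, the 8-byte payload limit and the xorshift generator are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAYLOAD_MAX 8u

/* Diagnostic frame layout, constructed for this example:
 * [id:1][len:1][payload:len]; the ECU keeps at most PAYLOAD_MAX payload bytes. */
typedef struct {
    uint8_t id;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
} diag_frame_t;

/* Defective parser: trusts the length byte from the wire. A len > PAYLOAD_MAX
 * writes past payload[] (CWE-120), and ignoring in_len allows an over-read.
 * Kept for contrast only; it must never run on untrusted input. */
int parse_frame_unchecked(const uint8_t *in, size_t in_len, diag_frame_t *out)
{
    (void)in_len;
    out->id  = in[0];
    out->len = in[1];
    memcpy(out->payload, in + 2, out->len);   /* unbounded copy */
    return 0;
}

/* Hardened parser (MISRA/CERT spirit): every length is checked against both
 * the destination capacity and the bytes actually received, the output is
 * cleared first so a rejected frame leaves no stale data, and each failure
 * has a distinct return code so the caller can log why the frame was dropped. */
int parse_frame_checked(const uint8_t *in, size_t in_len, diag_frame_t *out)
{
    if (in == NULL || out == NULL) { return -1; }
    memset(out, 0, sizeof *out);
    if (in_len < 2u) { return -2; }                    /* header incomplete */
    uint8_t len = in[1];
    if (len > PAYLOAD_MAX) { return -3; }              /* would overflow payload[] */
    if ((size_t)len > in_len - 2u) { return -4; }      /* claims more than received */
    out->id  = in[0];
    out->len = len;
    memcpy(out->payload, in + 2, len);
    return 0;
}

/* "Test for the unknown": a deterministic fuzz loop. xorshift32 generates
 * random frames of random length; canary bytes around the destination catch
 * any write outside the frame. Returns 1 if no invariant was violated. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

int fuzz_checked_parser(uint32_t seed, unsigned iterations)
{
    struct { uint8_t pre[16]; diag_frame_t f; uint8_t post[16]; } guard;
    uint8_t buf[64];
    uint32_t s = seed ? seed : 1u;                     /* xorshift must not start at 0 */
    for (unsigned i = 0; i < iterations; i++) {
        memset(guard.pre,  0xA5, sizeof guard.pre);
        memset(guard.post, 0xA5, sizeof guard.post);
        size_t n = xorshift32(&s) % sizeof buf;        /* 0..63 bytes on the wire */
        for (size_t k = 0; k < n; k++) { buf[k] = (uint8_t)xorshift32(&s); }
        int rc = parse_frame_checked(buf, n, &guard.f);
        if (rc == 0 && guard.f.len > PAYLOAD_MAX) { return 0; }
        if (rc != 0 && guard.f.len != 0) { return 0; } /* rejected frame must be cleared */
        for (size_t k = 0; k < 16; k++) {
            if (guard.pre[k] != 0xA5 || guard.post[k] != 0xA5) { return 0; }
        }
    }
    return 1;
}
```

Run the same loop against parse_frame_unchecked under a sanitizer and it fails within the first few hundred frames; wired into the delivery pipeline next to the unit tests, the fuzz loop is the automatic regression test the slide asks for.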

Game Changer: OTA Facilitates Security Across the Life-cycle

Practical Guidance and Vector Experiences

There is no security without a continuous Over-the-Air (OTA) update strategy.

[Figure: OEM-side update process.]

Risk-Oriented Development Must Cover the Entire Life-Cycle

Conclusions and Outlook

Systematic safety and security engineering

Scalable incident monitoring and response

Multiple modes of operation (normal, attack, emergency, fail operational, fail safe, etc.)

Life-cycle phases and their risk-oriented activities: safety hazards and security threats (analysis) -> Development: safety / security by design -> Production: secured supply chain -> Operations: incident response and upgrades -> Services: secure provisioning and governance

Integrated Development for Safety and Security

Conclusions and Outlook

Similar to safety, security needs to be an integrated part of the development process. Build security upon existing safety governance.

Safety activities: features and operation scenarios -> hazard and risk assessment -> safety goals -> functional safety concept -> technical safety concept -> implementation of safety mechanisms -> safety verification on unit level (verify safety mechanisms) -> test safety mechanisms -> validate safety assumptions -> safety case -> safety operations

Security activities: assets and attack potentials -> threat and risk assessment -> security goals -> security architecture -> technical security concept -> implementation of security mechanisms -> security verification on unit level (verify security mechanisms) -> test security mechanisms, pen tests -> validate security assumptions -> security case -> security operations

Both branches share the safe / secure implementation of the nominal functions.

Vector Offers Comprehensive Portfolio for Cybersecurity and Functional Safety

Conclusions and Outlook

Vector Cybersecurity and Safety Solutions:

Trainings

Compliance audits

SecurityCheck, SafetyCheck

Security/safety support, e.g. virtual safety/security manager and pentesting

AUTOSAR basic software: MICROSAR Safe

Tools for design, test and lifecycle support: PREEvision, DaVinci, CANoe, CANdela and Indigo

Engineering services for safety and security

HW-based security

More Information…

Conclusions and Outlook

Vector Cybersecurity Symposium, 22 April 2020 in Stuttgart, free admission: www.vector.com/security

Trainings and media:

Free cybersecurity webinar (1 hour, continuously updated): www.vector.com/webinar-security

Free functional safety webinar (1 hour, continuously updated): www.vector.com/webinar-safety

Open and in-house trainings are available worldwide

Vector white papers with case studies: www.vector.com/media-consulting

Thank you for your attention. For more information please contact us.

Passion. Partner. Value.

Vector Consulting Services

@VectorVCS

www.vector.com/[email protected]: +49-711-80670-1520