an overview of nhtsa’s vehicle cybersecurity … meetings... · electronic systems safety program...
TRANSCRIPT
AN OVERVIEW OF NHTSA’S VEHICLE CYBERSECURITY RESEARCH PROGRAM Cem Hatipoglu, Ph.D. Chief, Electronic Systems Safety Division National Highway Traffic Safety Administration
SAE INTERNATIONAL
“ Save lives, prevent injuries and reduce economic costs due to road traffic crashes, through education, research, safety standards and enforcement activity.”
NHTSA’s Mission
2
”
SAE INTERNATIONAL
32,675 people died due to motor vehicle accidents in 2014. • Modern crash avoidance and vehicle-to-vehicle (V2V)
communications technologies that heavily rely on electronic systems hold the promise to address most crash challenges
3
The Need for Continued Technological Innovations
SAE INTERNATIONAL
However, these safety features introduce new cybersecurity challenges and vulnerabilities as demonstrated by our research and that of others.
4
The Need for Cybersecurity Research
Failure to tackle the cybersecurity challenge would threaten the technology-driven safety transformation we all want to achieve.
SAE INTERNATIONAL
Organizational changes: Establishment of Electronic Systems Safety Research Division and Electronics Council
5
NHTSA and Vehicle Cybersecurity
Cybersecurity research program: Identified five actionable goals; layered approach
Partnerships: Working with multiple public and private stakeholders
http://www.nhtsa.gov/staticfiles/administration/pdf/presentations_speeches/2015/NHTSA-VehicleCybersecurity_07212015.pdf
SAE INTERNATIONAL 6
Electronic Systems Safety Program Areas
Vehicle Cybersecurity
Electronics Reliability
Automated Vehicles
Protection of vehicular electronic systems, communication networks, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation.
SAE INTERNATIONAL 7
Use of Electronics in Cars
Not new… Dates back to 1970s (not including uses in radio)
Today, a typical automobile features over 100 microprocessors, 50 electronic control units, five miles of wiring and 50-100 million lines of code.
•Active Suspension •Active Vibration Control •Adaptive Cruise Control •Adaptive Front Lighting •Airbag Deployment •Anti-lock Braking •Autonomous Emergency Braking •Battery Management •Blind Spot Detection •Cabin Environment Controls •Communication Systems •Cylinder Deactivation •Driver Alertness Monitoring •Electronic Power Steering •Electronic Seat Control •Electronic Stability Control •Electronic Throttle Control •Electronic Toll Collection •Electronic Valve Timing •Engine Control •Entertainment System
•Event Data Recorder •Hill Hold Control •Idle Stop-Start •Instrument Cluster Control •Intelligent Turn Signals •Interior Lighting •Lane Departure Warning •Lane Keeping Assist •Navigation •On-Board Diagnostics •Parental Controls •Parking Systems •Pre-crash Safety •Rear-view Camera •Regenerative Braking •Remote Keyless Entry •Security Systems •Tire Pressure Monitoring •Traffic Sign Recognition •Transmission Control •Windshield Wiper Control
Sample electronic functions on a modern vehicle
SAE INTERNATIONAL 8
Threat Vectors into Vehicle Systems
Physical
Wireless
Short Range Long Range
DSRC
Bring Your Own Device (BYOD) / Aftermarket Devices*
E.g. Insurance dongles on OBD-II;
cellphones via USB
SAE INTERNATIONAL 9
NHTSA’s Vehicle Cybersecurity Research Program and Goals
Share vehicle cybersecurity knowledgebase
Facilitate implementation of voluntary industry standards
Foster development of new system solutions to improve cybersecurity
Investigating minimum performance based vehicle safety requirements for cybersecurity
Develop foundational materials to inform policy decisions
1
2
3
4
5
SAE INTERNATIONAL 10
NHTSA’s Vehicle Cybersecurity Research Program and Goals
Expanding in-house cyber research capabilities
Share vehicle cybersecurity knowledgebase 1
• Communication bus monitoring
• RF monitoring • GPS Spoofing • GPS Simulation • Firmware Analysis
Equipment • Vector CANalyzer • Roller Dynamometer • USRP Software Defined
Radio • GPS Satellite Simulator • Spectrum Analyzer • IDA Pro
Future Capabilities Capabilities • Femtocell/cellular
base transceiver station
• RF Disruption – LTE, DSRC,
GPS, Radar
SAE INTERNATIONAL 11
NHTSA’s Vehicle Cybersecurity Research Program and Goals
Researching cybersecurity best practices in relation to vehicle industry
Attending, organizing and presenting at cybersecurity events; Engaging in detailed public and private discussions on cybersecurity • OEMs, Tier 1, Tier 2 Suppliers, SAE International; TRB; etc. • Other Government Agencies (NHTSA roundtable discussions).
Share vehicle cybersecurity knowledgebase 1
SAE INTERNATIONAL 12
NHTSA’s Vehicle Cybersecurity Research Program and Goals
Monitoring and participating in industry standard setting efforts
Monitoring related global activities • HEAVENS, JASPAR, ISO, Trilateral Working Groups, World Economic Forum, etc.
Encouraged vehicle industry to set up an Automotive information sharing and analysis center (ISAC) • Global Automakers and Alliance of Automotive Manufacturers have undertaken the initiative and
their investigation led to the establishment of the Auto-ISAC, which started operation in 2015. • Encouraging the group to gradually include other key stakeholders, such as the suppliers.
Facilitate implementation of voluntary industry standards 2
SAE INTERNATIONAL 13
NHTSA’s Vehicle Cybersecurity Research Program and Goals
Researching and monitoring activities on process solutions
“Layers of Protection”: Investigating various forms of solutions
Foster development of new system solutions to improve cybersecurity 3
Protective/Preventive Methods
Anomaly-based intrusion detection
Real-time response mechanisms
Assess Treatment Solutions
Systems to monitor vehicle data buses
Feedback loop for continuous improvements (e.g. facilitated by an ISAC –Information Sharing and Analysis Center).
Secure communications Encryption, Gateways, firewalls; Separation of functions
Address and isolate intrusions before vehicle systems compromised
SAE INTERNATIONAL 14
NHTSA’s Vehicle Cybersecurity Research Program and Goals
Develop a systematic vehicle security assessment approach
Study vehicle architectures and threat vectors and risks
Test and evaluate vehicle cybersecurity environment • Need performance metrics to validate theories in applied settings • Objective test procedures: practical, repeatable, reproducible
Investigating minimum performance based vehicle safety requirements for cybersecurity 4
SAE INTERNATIONAL 15
NHTSA’s Vehicle Cybersecurity Research Program and Goals
Research policy alternatives, certification and enforcement possibilities and associated challenges
Develop foundational materials to inform policy decisions 5
In October 2014, NHTSA published a federal register (FR) notice on “Automotive Electronic Control Systems Safety and Security”
NHTSA has completed the Report to Congress on the need for safety standards with regard to electronic systems based on its examination to date and public comments received to this FR notice • MAP-21 requirement; Expected to be published in the
coming weeks
SAE INTERNATIONAL 16
Current NHTSA Research on Vehicle Cybersecurity
Investigating Protective/Preventive solutions • Message authentication for communications Interfaces ( V2V project initiating) • Gateways, firewalls (project underway)
Researching Intrusion Detection Solutions • Vehicle bus monitoring for anomalous behavior; (project underway)
Assessing Treatment Solutions • Feedback loop for continuous improvements (Monitoring progress in standing up and
operationalizing an Automotive ISAC ).
Crosscutting Research • Vulnerability Testing (projects underway at our applied labs) • Software / Firmware Updates – including over the air means (project underway) • Evaluate Heavy Vehicle Cybersecurity (project underway) • Collaboration/coordination with other Federal agencies (e.g. DHS, NIST, FAA)
SAE INTERNATIONAL 17
Cyber Roundtable Discussion on January 19, 2016
“Vehicle Cybersecurity Roundtable” event held on Tuesday, Jan 19, 2016
Discussion topics included: Best approaches in this domain (regulations, guidelines, voluntary industry standards,
best practices, etc.) How best to capitalize efforts from other environments while applying to distinct
aspects of auto industry The roles of distinct stakeholder groups (government, industry, others) Policies, plans, strategies appropriate to respond to the speed of change and
challenges in cybersecurity Potential roadblocks to closing gaps or adopting available guidance for the
industry
The intent of the event was to identify actionable steps for the stakeholder groups to take such that the vehicle manufacturing industry can address the vehicle cybersecurity challenges effectively and expeditiously.
A follow on meeting with Federal stakeholders is scheduled for Friday, Jan 22, 2016.
SAE INTERNATIONAL 18
Summary
•They enable safety, efficiency, mobility and convenience features. •Safety and security assurance challenges come along. •Research programs in place to gather foundational materials informing future policy decisions.
Vehicle electronics growth is here to stay.
•Various research results targeted to be published 2015-2017 timeframe. •Extensions to heavy vehicle platforms underway. •Applied in-house research capabilities being expanded. •Non-traditional alternatives being considered. •Extensive stakeholder engagement ongoing.
NHTSA continues research in cybersecurity at quickest reasonable pace.
•Federal Register Notice on Electronic Systems Safety and Security published in October 2014. •NHTSA completed the report to Congress on the potential need for additional safety/security standards.
Electronics report to Congress underway.
•Electronics Reliability and Vehicle Cybersecurity • Building blocks for automated vehicles
•Similarities and differences with or without driver in the loop is of significant interest
Research extensions to Automated Vehicles in plan.
SAE INTERNATIONAL 19
NHTSA Resources
NHTSA’s crash avoidance research technical publications are posted at:
http://www.nhtsa.gov/Research/Crash+Avoidance/Office+of+Crash+Avoidance+Research+Technical+Publications
Electronic Systems Safety Research Division’s reports, related public documents are placed in the following non-rulemaking dockets:
• NHTSA-2014-0070: Vehicle Automation Topics and Publications • NHTSA-2014-0071: Automotive Cybersecurity Topics and Publications • NHTSA-2014-0092: Automotive Functional Safety and Reliability Topics
and Publications Dockets can be accessed at http://www.regulations.gov/
SAE INTERNATIONAL 20
NHTSA Resources
Cem Hatipoglu, Ph.D.
www.NHTSA.gov