auto-isac community call · the global automotive industry through the analysis and sharing of...

2 October 2019 TLP WHITE: May be shared within the Auto-ISAC Community. Auto-ISAC Monthly Community Call 2 October 2019


Post on 10-Jul-2020


Auto-ISAC

Monthly Community Call

2 October 2019


Agenda

Time (ET)  Topic

11:00  Welcome
➢ Why we’re here
➢ Expectations for this community

11:10  Auto-ISAC Update
➢ Auto-ISAC overview
➢ Heard around the community
➢ What’s Trending

11:20  Featured Speakers
➢ Joe Fabbre, Global Technology Director, Green Hills Software

11:45  Around the Room
➢ Sharing around the virtual room

11:55  Closing Remarks

Welcome


Welcome - Auto-ISAC Community Call!

Welcome

Purpose: These monthly Auto-ISAC Community Meetings are an opportunity for you, our Members & connected vehicle ecosystem partners, to:

✓ Stay informed of Auto-ISAC activities
✓ Share information on key vehicle cybersecurity topics
✓ Learn about exciting initiatives within the automotive community from our featured speakers

Participants: Auto-ISAC Members, Potential Members, Partners, Academia, Industry Stakeholders, and Government Agencies

Classification Level: TLP GREEN: may be shared within the Auto-ISAC Community, and “off the record”

How to Connect: For further info, questions, or to add other POCs to the invite, please contact Auto-ISAC Membership Engagement Lead Kim Engles ([email protected])


Engaging in the Auto-ISAC Community

❖ Join
  ❖ If your organization is eligible, apply for Auto-ISAC membership
  ❖ If you aren’t eligible for membership, connect with us as a partner
  ❖ Get engaged – “Cybersecurity is everyone’s responsibility!”

❖ Participate
  ❖ Participate in monthly virtual conference calls (1st Wednesday of month)
  ❖ If you have a topic of interest, connect with our Membership Engagement Lead, Kim Engles – [email protected]
  ❖ Engage & ask questions!

❖ Share – “If you see something, say something!”
  ❖ Submit threat intelligence or other relevant information
  ❖ Send us information on potential vulnerabilities
  ❖ Contribute incident reports and lessons learned
  ❖ Provide best practices around mitigation techniques

Welcome

10 Innovator Partners

19 Navigator Partners

Coordination with 23 critical infrastructure ISACs through the National ISAC Council

Membership represents 99% of cars on the road in North America

19 OEM Members

33 Supplier & Commercial Vehicle Members


Community Speaker Series

Featured Speaker

Why Do We Feature Speakers?
❖ These calls are an opportunity for information exchange & learning
❖ Goal is to educate & provide awareness around cybersecurity for the connected vehicle

What Does it Mean to Be Featured?
❖ Perspectives across our ecosystem are shared from members, government, academia, researchers, industry, associations and others.
❖ Goal is to showcase a rich & balanced variety of topics and viewpoints
❖ Featured speakers are not endorsed by Auto-ISAC nor do the speakers speak on behalf of Auto-ISAC

How Can I Be Featured?
❖ If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Membership Engagement Lead, Kim Engles ([email protected])

1800+ Community Participants

23 Featured Speakers to date

6 Best Practice Guides available on website


Auto-ISAC Mission

Mission

Serve as an unbiased information broker to provide a central point of coordination and communication for the global automotive industry through the analysis and sharing of trusted and timely cyber threat information.

Scope

Light- and heavy-duty vehicles, suppliers, commercial vehicle fleets and carriers. Currently, we are focused on vehicle cyber security, and anticipate expanding into manufacturing and IT security related to the vehicle.

What We Do

Community Development: Workshops, exercises, all hands, summits and town halls

Intel Sharing: Data curation across intel feeds, submissions and research

Analysis: Validation, context and recommendations

Best Practices: Development, dissemination and maintenance

Partnerships: Industry, academia, vendors, researchers and government

ISAC Overview


Our 2019 Board of Directors

Executive Committee (ExCom) Leadership

Jeff Massimilla, Auto-ISAC Chairman, General Motors
Tom Stricker, Auto-ISAC Vice Chairman, Toyota
Mark Chernoby, Auto-ISAC Treasurer, FCA
Jenny Gilger, Auto-ISAC Secretary, Honda
Geoff Wood, Affiliate Advisory Board Chair, Harman

2019 Affiliate Advisory Board (AAB) Leadership

Geoff Wood, Affiliate Advisory Board Chair, Harman
Todd Lawless, Affiliate Advisory Board Vice Chair, Continental
Bob Kaster, Supplier Affinity Group Chair, Bosch
Larry Hilkene, Commercial Vehicle Affinity Group Chair, Cummins

Auto-ISAC Leadership


Auto-ISAC Team and Support Staff

Faye Francy, Executive Director ([email protected])
Josh Poster, Program Operations Manager ([email protected])
Jessica Etts, Senior Intel Coordinator ([email protected])
Kim Engles, Membership Engagement Lead ([email protected])
Lisa D Scheffenacker, Business Administrator ([email protected])
Jake Walker, Cyber Intel Analyst ([email protected])
Julie Kirk, Finance ([email protected])
Michelle Menner, Organizational Coordinator ([email protected])
Linda Rhodes, Legal Counsel, Mayer Brown ([email protected])
Heather Rosenker, Communications (Auto-Alliance) ([email protected])

Auto-ISAC Staff


Recent Activities

Auto-ISAC Update

Highlights of Key Activities in September

➢ Auto-ISAC and Summit Task Force continued planning our Third Annual Automotive Cybersecurity Summit. The agenda is live on our website: https://www.automotiveisac.com/auto-isac-summit/

➢ Auto-ISAC attended
  ➢ DerbyCon in Louisville, KY
  ➢ SAE COMVEC in Indianapolis, IN
  ➢ NCI Quarterly Face to Face Meeting in Washington, DC
  ➢ CISA Cybersecurity Summit in National Harbor, MD
  ➢ TU Automotive ADAS and Autonomous Vehicles Conference in Novi, MI
  ➢ GRF Summit on Security & Third-Party Risk in Leesburg, VA

Looking Ahead to October

➢ Auto-ISAC will be attending
  ➢ GRF Summit on Security & Third-Party Risk in Leesburg, VA
  ➢ Auto-ISAC’s member only Analyst Workshop and Board of Directors Meeting in Plano, TX
  ➢ SAE Innovations in Mobility in Novi, MI


Attacks on SIM technology have affected a wide number of industries. From bypassing 2FA to exploiting legacy features in the S@T browser, attackers have exploited SIM technology with great success.

- Hackers are Exploiting a Platform-Agnostic Flaw to Track Mobile Phone Locations: Hackers are actively exploiting a critical weakness found in most mobile phones to surreptitiously track the location of users and possibly carry out other nefarious actions, researchers warned on Thursday. The attacks work by exploiting an interface intended to be used solely by cell carriers so they can communicate directly with the SIM cards inside subscribers’ phones. The carriers can use the interface to provide specialized services such as using the data stored on the SIM to provide account balances. (Link)

- #S@Tattack: Vulnerability in S@T Sim-Browser Can Let Attackers Globally Take Control of Hundreds of Millions of the Victim Mobile Phones Worldwide: By sending a malicious SMS to victim phone number, attacker can abuse the vulnerabilities in the S@T sim browser to remotely take control of the victim mobile phone to perform harmful actions such as: send sms, make phone call, get victim’s location, launch other browsers (e.g WAP browser), get victim’s IMEI, etc. The affection of the vulnerability in S@T spreads worldwide and puts hundreds of millions of telecom subscribers worldwide at risk. (Link)

- SIM Swapping Blamed for Hacking of Twitter CEO's Account: Hackers were able to post offensive messages from the Twitter account of Jack Dorsey, the social media company’s CEO, after they tricked his mobile services provider into handing over his phone number. The hackers who took control of Dorsey’s account used it to post racist and anti-Semitic messages and even bomb threats. (Link)

- Prevent SIM-Swapping Hackers From Stealing Your Phone Number—and the Rest of Your Identity: You know what’s worse than having your password stolen? Having your phone number stolen. SIM-swapping, a type of identity theft, is a means for scammers to get access to your phone number and all of the personal accounts secured through it. All four of the major phone service providers—AT&T, Verizon, T-Mobile, and Sprint—offer some measure of extra protection against SIM-Swapping if you ask for it. For starters, all four companies allow (or require) users to set up a PIN for making large account-level changes, including porting your number to a new SIM card. (Link)

Auto-ISAC Intelligence

What’s Trending?

What’s Trending

For more information or questions please contact [email protected]


Community Speakers

➢ Urban Jonson, NMFTA – Heavy Vehicle Cybersecurity Working Group (April 2018)

➢ Ross Froat, American Trucking Association on the ATA Cyberwatch Program (Oct 2018)

➢ Chris Ballinger, CEO and Founder of MOBI, the Mobility Open Blockchain Initiative (April 2019)

➢ Dan Sahar, Vice President of Product of Upstream, 2019 Automotive Cybersecurity Report (June 2019)

➢ Josh Hammond, IOActive, 2018 Commonalities in Vehicle Vulnerabilities (July 2019)

➢ Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)

Example of Previous Community Speakers

Past Community Call Slides are located at: www.automotiveisac.com/communitycalls/

Featured Speakers


Welcome to Today’s Speaker

Featured Speaker

Abstract: Over the last decade automotive security issues have garnered lots of public attention. As a result, tier suppliers and OEMs have worked hard to bolster cybersecurity in vehicle electronic systems. But are we doing the right things? During this talk we’ll discuss several common misconceptions about security products and techniques utilized in automotive systems.

Joe Fabbre is a software architect and technology evangelist specializing in safety and security for embedded systems. Vertical market focus includes automotive, industrial, medical, and networking. Joe holds an M.S. Computer Science from Illinois Institute of Technology and a B.S. Computer Engineering from the University of Notre Dame.


© 2019 Green Hills Software

Seven Myths of Automotive Cybersecurity

Joe Fabbre

Global Technology Director

Green Hills Software


Why is security priority #1?

❑ 70M+ cars are produced each year
❑ The software in cars is replicated
❑ They all have the same flaws
❑ Across hundreds of thousands or millions of units
❑ A single exploit can simultaneously impact ALL of those units


Complexity is the Enemy

Graph data: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/


Bugs

❑ Bugs/defects per 1,000 lines of code:
  ▪ Industry Average: 1-25
  ▪ Microsoft Applications:
    • Internal QA: 10-20
    • Shipped: 0.5
  ▪ “Cleanroom development”:
    • Internal QA: 3
    • Shipped: 0.1

(Discovered bugs/defects)

From Code Complete, Second Edition by Steve McConnell


Vulnerabilities

❑ Vulnerabilities per 1,000 lines of code
  ▪ Google Chrome: 0.06
  ▪ Firefox: 0.05
  ▪ Linux Kernel: 0.04
  ▪ OpenSSL: 0.13
  ▪ Python: 0.02
  ▪ PHP: 0.06

(CVEs from 2010-2014, Code from Jan 2015)

Many vulnerabilities are not discovered!!!!


Back of the Napkin Math

❑ As an estimate, let’s say that over 5 years there are:
  ▪ 0.05 discovered vulnerabilities per 1,000 lines of code
  ▪ 0.15 undiscovered (but serious) vulnerabilities per 1,000 lines of code

❑ And for a modern automobile, let’s say
  ▪ 100M lines of code


Back of the Napkin Math

❑ This means:

▪ 5,000 vulnerabilities will be discovered in the platform over 5 years

▪ 15,000 vulnerabilities will be undiscovered, but represent a potential for zero-day attacks


Automotive Cybersecurity Myths


Myth #1

Virtualization provides secure separation.


VM Escapes


Myth #2

Static code analysis tools will clean up my software vulnerabilities.


Myth #3

Secure Boot will keep me safe.


Myth #4

My OTA system will save me if all else fails.


Necessary, but not sufficient


Myth #5

Free/Open source software is secure because “many eyes” review it all the time.


Constant Stream


Myth #6

My hypervisor/operating system is EAL4+ and that is good enough.


Is EAL4+ really secure?

3 days later…


Common Criteria Security Evaluations

❑ EAL 6+ specification (SKPP)

▪ Protecting “classified and other high-valued information”

▪ Against “sophisticated threat agents”

❑ EAL 4+ specification (CAPP)

▪ “assumed non-hostile and well managed user community”

▪ Requiring protection against…“inadvertent or casual attempts to breach the system security”


Myth #7

My EAL 6+ separation kernel makes my system impenetrable.


Separation Architecture

A separation architecture limits the amount of code which can affect the critical parts of the system.

And this limits the number of vulnerabilities, potentially allowing even for coding practices that remove all vulnerabilities.


Separation Strategy

Separation Architecture consists of two parts:

1. An operating system which isolates software components from each other and gives them only minimal privileges.

2. Architecting the system to separate:
   • Known code from unknown code
   • Security/safety/important code from unimportant code.


Holistic Security


Thank You


Open Discussion

Around the Room

Any questions about the Auto-ISAC or future topics for discussion?


Connect with us at upcoming events:

GRF Summit on Security & Third-Party Risk*** Sept. 30- Oct 2, Leesburg VA

5th EVs and the Grid Oct. 1-3, Los Angeles, CA

ESCAR Asia Oct. 1-2, Tokyo, Japan

Auto-ISAC Community Call*** Oct. 2, Telecon

TU- Automotive West Coast 2019 Oct. 3-4, San Jose, CA

ATA Management Conference & Exhibition (MCE) Oct. 5-9, San Diego, CA

SAE Thermal Management Systems Symposium Oct. 15-17, Plymouth, MI

Autonomous Vehicle Technology Expo 2019 Oct. 22-24, Novi MI

DOT Forum hosted by NAFA Oct. 23, Washington, DC

Auto-ISAC Summit*** Oct. 23-24, Plano, TX

GRRCON Oct. 24-25, Grand Rapids, MI

LASCON Oct. 24-25, Austin, TX

SAE Innovations in Mobility*** Oct. 28-31, Novi, MI

InsurTech Automotive Summit Oct. 29, Munich Germany

IQPC Automotive Cybersecurity Silicon Valley Oct. 28-30, Detroit, MI

TU-Automotive Europe Oct. 29-30, Munich, Germany

Event Outlook

**For full 2019 calendar, visit www.automotiveisac.com

Closing Remarks


Closing Remarks

If you are an OEM, supplier or commercial vehicle company, now is a great time to join Auto-ISAC!

How to Get Involved: Membership

To learn more about Auto-ISAC Membership or Partnership, please contact Kim Kalinyak ([email protected]).

➢ Real-time Intelligence Sharing
➢ Development of Best Practice Guides
➢ Intelligence Summaries
➢ Exchanges and Workshops
➢ Regular intelligence meetings
➢ Tabletop exercises
➢ Crisis Notifications
➢ Webinars and Presentations
➢ Member Contact Directory
➢ Annual Auto-ISAC Summit Event


Strategic Partnership Programs

NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities

INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed

COLLABORATOR: Coordination Partnership
- “See something, say something”
- May not require a formal agreement
- Information exchanges-coordination activities

BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar / Events

Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services. Examples: Hacker ONE, SANS, IOActive

Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, DHS, NHTSA

Community: Companies interested in engaging the automotive ecosystem and supporting - educating the community. Examples: Summit sponsorship – key events

Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, Global Auto, ATA

Closing Remarks


➢Focused Intelligence Information/Briefings

➢Cybersecurity intelligence sharing

➢Vulnerability resolution

➢Member to Member Sharing

➢Distribute Information Gathering Costs across the Sector

➢Non-attribution and Anonymity of Submissions

➢Information source for the entire organization

➢Risk mitigation for automotive industry

➢Comparative advantage in risk mitigation

➢Security and Resiliency

Auto-ISAC Benefits

Securing Across the Auto Industry

Closing Remarks


Our contact info

Faye Francy
Executive Director
20 F Street NW, Suite 700
Washington, DC 20001
703-861-5417
[email protected]

Kim Engles
Membership Engagement Lead
20 F Street NW, Suite 700
Washington, DC 20001
240-422-9008
[email protected]

Josh Poster
Program Operations Manager
20 F Street NW, Suite 700
Washington, DC 20001
[email protected]

Jessica Etts
Senior Intel Coordinator
20 F Street NW, Suite 700
Washington, DC 20001
[email protected]