Functional Safety and Cybersecurity – Experiences and Trends
TRANSCRIPT
V1.1 | 2018-10-17
Dr. Christof Ebert, Vector Consulting Services, @VectorVCS
Vector Security/Functional Safety Symposium, Detroit, 17 Oct. 2018
© 2018. Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.1 | 2018-10-17
Vector Group (Welcome)
Employees: > 2,000 Vectorians in 24 locations
Portfolio: PLM/ALM, Embedded SW, Testing, Diagnostics, Calibration, Consulting
Turnover: 520 Mio. € in 2017
Associations: participation in ISO standards etc.
Customers: > 7,500 companies in 72 countries
Affiliated companies: GiN | CSM | BASELABS
2/25
Current Challenges – Vector Client Survey 2018 (Welcome)
[Chart: survey challenges – Innovation, Competences, Efficiency, Flexibility, Distributed teams, Connectivity, Safety and security, Complexity, Digital transformation, Compliance, Others; horizontal axis: short-term challenges (0%–70%); vertical axis: mid-term challenges (0%–80%); the "magic triangle" region is highlighted]
Vector Client Survey 2018. Details: www.vector.com/trends. Horizontal axis shows short-term challenges; vertical axis shows mid-term challenges. Sum > 200% due to 5 answers per question. Strong validity with >4% response rate of 2000 recipients from different industries worldwide.
The magic triangle is back: Cost and Efficiency – Quality – Innovation
3/25
Agenda
1. Welcome
2. Safety needs Security
3. Risk-Oriented Development
4. Practical Guidance and Vector Experiences
5. Conclusions and Outlook
4/25
Automotive Trends Impact Safety and Security (Safety needs Security)
1. Powertrain – Energy efficiency
2. Driver Assistance – Autonomous driving
3. Connectivity – Always connected
Resulting hazards:
Unintended speed change
Signal confusion
Sudden driver distraction
5/25
ACES (Autonomy, Connectivity, e-Mobility, Services) (Safety needs Security)
[Diagram: the vehicle is connected via 4/5G, OBD and DSRC to suppliers, the OEM, public clouds, service providers and the ITS operator]
Automotive cybersecurity will be the major liability risk in the future. The average security gap is detected in 70% of cases by a third party – and soon exploited.
Cyberattacks and hazards:
Password attacks
Application vulnerabilities
Rogue clients, malware
Man-in-the-middle attacks
Eavesdropping, data leakage
Command injection, data corruption, back doors
Physical attacks, sensor confusion
Trojans, ransomware
6/25
Standards Demand Risk-Oriented Approach (Risk-Oriented Development)
Functional Safety (IEC 61508, ISO 26262, ISO 21448): hazards and risk mitigation; increasing focus on SOTIF and compliance; safety engineering and culture.
ISO 26262 ed. 2 refers to shared methods, e.g. TARA, architecture methods, data formats & functionality.
+ Security (ISO 27001, ISO 15408, ISO 21434, SAE J3061): threat and risk mitigation; abuse, misuse, confuse cases; security engineering.
Security and safety are interacting and demand holistic systems engineering.
Safety life-cycle: Operational scenarios, hazard and risk assessment; Safety goals and requirements; Functional and technical safety concept; Safety implementation; Safety verification; Safety validation; Safety case, certification, approval; Safety management after SOP.
Security life-cycle: Assets, threats and risk assessment; Security goals and requirements; Technical security concept; Security implementation; Security verification; Security validation; Security case, audit, compliance; Security management in POS.
For (re)liable and efficient ramp-up connect security to safety governance.
8/25
State of the Art: Functional Safety (Risk-Oriented Development)
Relevance of ISO 26262 is understood.
Many companies implement it highly inefficiently, e.g. standard copy/paste, and too much test.
Typical implementation risks: interfaces between organizations, DIA, "out of context", SOTIF (Safety of intended functionality).
Consider security: "The organization shall institute and maintain effective communication channels between functional safety, cybersecurity and other disciplines that are related to functional safety."
Interface situations are most critical:
1. Driving Situations – OEM
2. Hazards – OEM
3. Risks and Safety Integrity Level – OEM
4. Safety Goals, Safety Requirements – OEM
5. Technical Safety Concept – OEM/Tier1
6. Safety requirements on ECU level – OEM/Tier1
7. Software Safety Requirements – Tier1/Vector
Functional safety can be efficiently achieved on the basis of mature development processes. State of the practice is never stable, because methods and standards evolve fast.
9/25
State of the Art: Cybersecurity (Risk-Oriented Development)
Security demands are growing fast:
Connectivity and open channels allow security attacks.
Exploits will persist beyond "zero-day" because so far there is no OTA governance.
Safety-critical systems are connected to potentially unsecure bus systems.
Vector recommendations:
Extend hazard analysis with pentest-driven threat analysis and automotive attack models.
Separate subnets, especially infotainment and HU.
Reuse proven artefacts to ensure a robust safety case.
Implement tailored security protection with fail-operational strategies for safety-critical systems.
Encrypt communication end-to-end, while considering performance needs.
Protect ECUs with secure boot and HW-defined security.
Do not copy/paste standards, because it increases overheads and complexity. Tailor standards according to your needs and environment.
10/25
Concept of Combined Threat/Hazard Analysis and Risk Assessment (Practical Guidance and Vector Experiences)
Consider specific automotive assets derived from the CIAAG (Confidentiality, Integrity, Authenticity, Availability, Governance) scheme.
Process: Assets -> Threat model & risks -> Measures -> Concept for solution -> Verification
Specific automotive asset categories:
Privacy, Legislation, Governance – e.g. private data
Operational Performance – e.g. driving experience
Finance – e.g. liability, brand image
Safety – e.g. vehicle functions
Example: identified threats (Passive Entry)
Safety – injuries because of malfunctioning Passive Entry
Financial – extra cost due to call-back and lawsuits
Operational Performance – car cannot be started, doors cannot be opened
Privacy/Legislation – theft of personal data
12/25
Model-Based Dependency Analysis (Practical Guidance and Vector Experiences)
Traceability from changes based on hierarchic modelling & update of analysis and tests.
[Model diagram: levels System Requirements – Logical System Architecture – Component Architecture – Simulation/Implementation, shown for a power-mirror control example (PowerMirrorCtrl, SwitchMatrix, PowerMirrorPass, PowerMirrorDriver, PowerManagement with their x/y/selection/KeyIn ports) mapped onto ECUs (Body Ctrl, Driver Door Ctrl, Pass Door Ctrl, Gateway, BatMng) over DoorLIN and CAN; analyses per level: System FTA/FMEA, Component FTA/FMEA, Fault Injection / TDD]
13/25
Agile Scaling for Safety and Security Engineering (Practical Guidance and Vector Experiences)
Manage dependencies between teams for safety and security related changes.
[Diagram: Scrum of Scrums with a shared Kanban board; SW Team 1, SW Team 2, HW Team, Mechanical Team and Testing Team spread over Locations 1–3; roles: SW Lead Team 1, SW Lead Team 2, Technical Lead Testing, Hardware Lead, Mechanical Lead, Chief Technical Lead, Team Member; Safety Manager / Safety Engineering spanning all teams]
14/25
Tools for Safety and Security (Practical Guidance and Vector Experiences)
Vector SafetyCheck and SecurityCheck; PREEvision safety support; continuous safety case.
Customer benefits:
Efficient implementation of cybersecurity and functional safety
Full life-cycle support from requirements to concept, design, test and after-sales
Traceability and governance
Support for heterogeneous environments
Package offer for gap analysis and mitigation activities with Vector SafetyCheck or Vector SecurityCheck
15/25
Vector SecurityCheck with COMPASS (Practical Guidance and Vector Experiences)
Vector SecurityCheck facilitates: systematic risk assessment and mitigation; traceability and governance with an auditable risk and measure list; heuristic checklists with continuously updated threats and mitigations.
16/25
Safety and Security by Design: Implementation, Verification and Validation (Practical Guidance and Vector Experiences)
Design:
Defensive coding, e.g. memory allocation, avoid injectable code, least privileges
Selected programming rules such as MISRA-C, CERT
High cryptographic strength in line with performance needs
Key management and HW-based security
Awareness and governance towards social engineering
V&V methods and tools:
Static / dynamic code analyzer
Unit test with focused coverage, e.g. MCDC
Interface scanner, layered fuzzing tester, encryption cracker, vulnerability scanner
Penetration testing, starting with the TARA concept
Classic coverage test is not sufficient anymore. Test for the known – and for the unknown.
Ensure automatic regression tests are running with each delivery.
17/25
Game Changer: OTA Facilitates Security Across the Life-cycle (Practical Guidance and Vector Experiences)
There is no security without a continuous Over the Air (OTA) update strategy.
[Diagram: OEM-side update process]
18/25
Case Study Powertrain: Threats and Hazards (Practical Guidance and Vector Experiences)
Safety items:
Throttle (throttle pedal, engine control) – functions Adjust Speed, Velocity, Lock/Unlock – ASIL C
Transmission – function Change Gears – ASIL C
Function | Hazard | S/E/C | ASIL
Change Gears | While driving at high speed (highway) the transmission shifts to a higher gear, thus reducing acceleration when it is needed during overtaking | S3/E4/C3 | C
Adjust Speed | Speed is unintentionally increased during normal operation in cruise control while driving in a city | S3/E3/C1 | C
Relate identified security threats to the safety hazard analysis.
19/25
Case Study Powertrain: From TARA to Technical Safety/Security Concept (Practical Guidance and Vector Experiences)
Steps: (1) security goal and derived functional security requirements; (2) allocation of requirements to architecture elements; (3) elements of the functional architecture.
Security goal:
ID | Level | Security Goal
SG05 | High | It shall be prevented that unauthentic software is installed on vehicle ECUs.
Entities of the functional security architecture to which the requirements are allocated: inputs – update sw command, authenticity and integrity of sw update (signature), sw update; function blocks – prevent unauthorized update, install sw in ECU, sw storage (e.g. flash memory); further columns are not shown on the slide.
ID | Functional Security Requirement | Allocation (one x per allocated architecture element)
FSR 1 | The authenticity and integrity of the user_command signal during reading and transmission shall be assured. | x x
FSR 2 | The authenticity and integrity of the authenticity signal during reading and transmission shall be assured. | x x
FSR 3 | The authenticity and integrity of the sw_update during reading and transmission shall be assured. | x x x
FSR 4 | It shall be assured that the signal allow_update generated from the input signals is calculated correctly. | x x x x
FSR 5 | The authenticity and integrity of the allow_update signal during transmission shall be assured. | x x
FSR 6 | It shall be assured that the signal change_sw generated from the input signals is calculated correctly. | x x
FSR 7 | If an error with regard to authenticity and integrity during reading, transmission or calculation of signals or the actuator status occurs, the system will not install the sw update. | x x x x x x
Transform the technical security concept into security requirements. Handle security requirements exactly like functional requirements.
20/25
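As an added illustration of how SG05 and FSR 1–7 turn into executable logic (example code, not from the slides or from Vector's products): the gate below verifies each input signal before deriving allow_update, derives change_sw only from verified inputs and a healthy storage status, and keeps the old image on any failure. It assumes a constructed HMAC key as a stand-in for the signature check; a real ECU would verify an asymmetric signature against a key in HW-protected storage.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in keys for this example. A production ECU verifies an
# asymmetric signature against a public key kept in HW-protected storage
# (secure boot / HSM); a shared HMAC key is used here only so the example
# runs self-contained.
COMMAND_KEY = b"constructed-command-key"
UPDATE_KEY = b"constructed-update-signing-key"


@dataclass(frozen=True)
class Signed:
    payload: bytes  # signal value or software image as read from bus / download manager
    tag: bytes      # authenticity and integrity tag transmitted with it


def sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(key: bytes, msg: Signed) -> bool:
    """FSR 1-3: authenticity and integrity of an input signal (constant-time compare)."""
    return hmac.compare_digest(sign(key, msg.payload), msg.tag)


def allow_update(user_command: Signed, sw_update: Signed) -> bool:
    """FSR 4: allow_update is derived only from inputs that passed verification."""
    if not verify(COMMAND_KEY, user_command):
        return False
    if user_command.payload != b"UPDATE_SW":  # authentic, but not an update command
        return False
    return verify(UPDATE_KEY, sw_update)


def change_sw(allow: bool, flash_ready: bool, sw_update: Signed, flash: dict) -> bool:
    """FSR 6/7: change_sw is set only when allow_update holds and the storage
    actuator reports a healthy status; otherwise the old image stays in place."""
    if not (allow and flash_ready):
        return False
    flash["image"] = sw_update.payload
    return True


def process_update(user_command: Signed, sw_update: Signed, flash: dict,
                   flash_ready: bool = True) -> bool:
    """Complete SG05 gate: returns True only if the new image was installed."""
    allow = allow_update(user_command, sw_update)
    return change_sw(allow, flash_ready, sw_update, flash)
```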
Case Study Powertrain: Separate Concerns (Practical Guidance and Vector Experiences)
[Architecture diagram: a Connectivity Gateway (DSRC, 4G/LTE, WiFi; external laptop and smartphone), Instrument Cluster, Head Unit and Diagnostic Interface (OBD evolution) attach to a Central Gateway, which separates the ADAS, Powertrain, Chassis and Body domain controllers (DC) and Smart Charging]
Security building blocks: Firewall; Key Infrastructure; Secure On-Board Comm.; Secure Off-Board Comm.; ID / IP; Monitoring / Logging; Hypervisor; Crypto Primitives; Download Manager; Secure Flash/Boot; Secure Synchronized Time Manager.
Incrementally harden your E/E and IT functions, architectures and components.
21/25
Risk-Oriented Development Must Cover the Entire Life-Cycle (Conclusions and Outlook)
Systematic safety and security engineering; scaleable incident monitoring and response; multiple modes of operation (normal, attack, emergency, fail operational, fail safe, etc.).
Life-cycle phases:
Development – safety hazards and security threats; safety / security by design
Production – secured supply chain
Operations – incident response and upgrades
Services – secure provisioning and governance
23/25
Vector Offers Comprehensive Portfolio for Cybersecurity and Functional Safety (Conclusions and Outlook)
Vector Cybersecurity and Safety Solutions:
Trainings
Compliance audits
SecurityCheck, SafetyCheck
Security/Safety support, e.g. virtual safety/security manager and pentesting
AUTOSAR Basic Software: MICROSAR Safe
Tools for design, test and lifecycle support: PREEvision, DaVinci, CANoe, CANdela and Indigo
Engineering Services for Safety and Security
HW-based Security
24/25
Thank you for your attention. For more information please contact us.
Passion. Partner. Value.
Vector Consulting Services
@VectorVCS
www.vector.com/ | [email protected] | +49-711-80670-1520