No Safety without Security
Ed Adams, Security Innovation
Neil Lakomiak, Underwriters Laboratories
Doug Pluta, Cisco
Conference: April 6-7, 2016
Exhibit Hall: April 6-8, 2016
Sands Expo, Las Vegas, NV
IoT is vulnerable
Software runs the world (even hardware)
What enables IoT?
IoT Reality Check
Software Runs the World in the Oddest of Places
F22 Raptor
S-Class Mercedes
1.7 Million Lines of Code
6.5 Million Lines of Code
100 Million Lines of Code
787 Dreamliner
and 100 ECUs
5 Networks
2 miles of cable
10+ Operating Systems
50% of total cost
The scope of safety is evolving from discrete products to systems of products and software
From This…….
To This…….
No Safety without Security
Parallels & Paradigm Shifts for Physical Security
Underwriters Laboratories (UL)
Products will no longer remain static
The Need
Like testing hardware, similar approaches are needed to evaluate the security of software
• Testable
• Comparable
• Transparent
• Repeatable
• Measurable
Operational Security - Home IoT
How Cisco Identifies Home IoT Threats
No Safety Without Security
• Internet-based home security ecosystems are not secure
• Physical systems – Cameras & locks
• IP-based systems – Internet-based control through apps and the cloud
• Mitigating safety issues with both systems is critical
• Digital hacks occur through the internet but can also be instigated when hackers gain physical access to devices
• Users must understand the well-documented vulnerabilities of both their home gateways and IoT devices and implement the most critical security options
• Unending number of potential threats
• Need a better understanding of hacker motivations
• Mitigation can be helped through technology but onus will always be on the end user
Home IoT Device Hacks
OpSec
• Technology is being developed to assist end users with network posture assurance, device and network intrusion protection and firewall features (Unified Threat Managers)
• OpSec adds proactive investigation, analysis and operational mitigation to any security technology we deploy
• Use of open source intelligence (OSINT), dark web and Human Intelligence (HUMINT) activities allows OpSec to identify vulnerabilities and threats proactively
• Technology can be a curative, but only when users and manufacturers take the threats seriously and act to protect networks and devices
New risks and Challenges – Connected Car
Connected Car Market
Source: IHS Automotive
Vulnerable? Let me Count the Ways
Between vehicles: V2V, V2I
Wireless
Internal: DVD, USB, SD, Aux, OBD, CAN Bus, HSMB, Ethernet, Touchscreen
External: Bluetooth, OBD Dongle, Internet, Dealer Diagnostics WiFi, Key fob, TPMS, Power plug
Application Security Practices in the Automotive Industry

| Statement | Agree | Disagree |
| --- | --- | --- |
| My company makes secure software a priority | 61% | 39% |
| Hackers are actively targeting automobiles | 64% | 36% |
| Automakers know less about security than others | 61% | 39% |
| It is possible to build a nearly hack-proof car | 28% | 72% |
| My company has automobile security experts | 64% | 36% |
| Software should be updated over the air | 46% | 54% |

July 2015 survey, 524 respondents: OEM = 234, Tier 1 = 163, Tier 2 = 137

How difficult is it to secure automotive applications?
Response options: Very difficult, Difficult, Somewhat difficult, Not difficult, Easy
Chart values: 36%, 33%, 21%, 9%, 2%
The Hacker Threat
New Hacks
A Sky News investigation finds that almost half the 89,000 vehicles broken into in London last year were hacked electronically.
Let’s Talk About Traffic Safety
• 35,000 US road deaths, and 3,800,000 injuries
• Fatalities and injuries = $300B/year
• Congestion = $230B/year
• Leading cause of death, people aged 15-34 in US
Technology Evolution: Passive, Active, Proactive
State of Automotive Safety
• Over 6,000,000 crashes, 35,000 road deaths, and 3,000,000 injuries
• US fatalities and injuries = $300B/year
• Congestion = $230B/year
• Leading cause of death, people aged 15-34 in US
How could technology possibly help?
• V2V wireless communications for “always on” warning
• 300 meter range using 802.11p wireless protocol
• IEEE, ETSI, and SAE standards
V2V
V2I
Connected Cars: Putting our Theory to Test
• Basic Safety Message:
  • All equipped vehicles broadcast 10 times/second
  • Here I am; Here’s my speed & direction; Brake status; (plus…??)
  • On board logic detects hazards and alerts driver
• Communications are V2X
  • Vehicle-to-vehicle
  • Vehicle-to-infrastructure
  • Vehicle-to-RSE (road-side equipment)
  • Vehicle-to-AMD (after-market device)
  • VRUs (vulnerable road users)