Post on 18-Oct-2020
5*StarS Automotive Cybersecurity Through Assurance
SMMT CAV Forum
5th December 2017
Introduction
• Automotive Cybersecurity Through Assurance is a collaborative research project funded by InnovateUK
• The project will address the challenges of achieving cybersecurity assurance for CAVs and meaningful ways of communicating cybersecurity risk to consumers
Why cybersecurity matters
• Remote compromise of vehicle systems
1. Gain remote access via vulnerable entry point (e.g. Wi-Fi, Bluetooth)
2. Exploit flaw in Head Unit to gain code execution
3. Bridge or “pivot” via in-vehicle network to exploit other (safety-related) ECUs
[Diagram: Head Unit connected over CAN to other ECUs (e.g. steering, braking)]
Source: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
The vehicle attack surface
Background
• Consumer level interest in cybersecurity is increasing
• Potential future regulations e.g. UN ECE
• US SPY Car Act 2015 proposes a “cyber dashboard”
• Consumer groups such as Consumer Reports (USA)
• CITL* developing metrics for security of software including IoT
• UK insurance industry has committed to recognise cybersecurity risk within its future risk based Group Rating system
• There is currently no way for consumers to make informed buying decisions based on cybersecurity, or for insurers to evaluate cybersecurity risk
* CITL – Cyber Independent Testing Lab
Project Objectives
• The project objectives are to research and develop:
• an assurance methodology to assure that vehicles and their components have been designed and tested to the relevant cybersecurity standards throughout their lifecycle
• a uniform and consistent CAV innovation framework to monitor & manage the continuously evolving landscape of digitally connected products & infrastructure
• a consumer- and insurer-oriented rating framework, analogous to existing Euro NCAP type ratings for vehicle safety
• Develop a digital framework for Innovation Management of CAV R&D outputs
• The project outputs will be processes and tools for product development and assurance ready for commercial adoption
Cybersecurity Assurance
[Diagram: Consumer Visible Risk Rating, supported by Threat Analysis, Maturity Framework and Vehicle Assessment]
Relationship to other initiatives
[Diagram]
5*StarS “Automotive Cybersecurity Through Assurance” Project: Assurance Framework and Risk Rating Framework
Regulations, Standards and Best Practice: ISO/SAE AWI 21434 Cybersecurity Engineering (under development), SAE J3061, ASDL, UN ECE
Align and inform standardisation
Vehicle manufacturers and suppliers: innovation & product development according to international standards
Cybersecurity Assessment Laboratory: submit for assessment
Insurers & consumers: assurance rating
Challenges
• Some of the challenges that the project must address:
1. Defining a manageable scope for the assessment scheme and rating
2. Adapting the framework to reflect the continuously evolving threat landscape
3. Establishing meaningful ways of communicating cybersecurity risk to consumers
4. Managing consumer perception of the rating and avoiding misunderstandings
1. Defining a manageable scope
• Individual implementations each have a different set of attack points
• Attack vectors appropriate to the implementation to be considered based on relevant standards
• The scope will be limited to the vehicle architecture
2. Evolving threat landscape
• The threat landscape is constantly evolving
• New attacks are continually discovered
• The assurance framework and risk rating will account for this through an agility concept
• The methodology will be based on recognised standards and methods for security engineering, security by design and risk management
[Chart: vulnerabilities over time, divided into known and unknown, with the time of testing marked]
3. Communicating cybersecurity risk
• Establishing meaningful metrics for security is important but difficult
• Security is hard to measure and any judgement is only valid at a point in time
• Coverage is a commonly used concept in testing, but is difficult to apply to security
• How do we know when we have done enough?
• It is usual to speak about assurance rather than coverage for security
• How can we rate the level of assurance?
4. Managing consumer perception
• “Cyber is something customers are making purchasing decisions on,” he said, adding that the customer’s notion of a particular company’s cybersecurity proficiency is likely to become like many other competitive metrics when it comes to winning a spot on a buyer’s consideration list. (Jeff Massimilla, GM, http://articles.sae.org/15549/)
• “For a measure to significantly inform customers, it requires pervasiveness, understandability, simplicity and efficiency” (NISTIR 8151, Dramatically Reducing Software Vulnerabilities)
• The risk rating framework must be designed so that it is both understandable to consumers and a meaningful statement about security
Clarifications
• The rating is intended to be a measure of assurance, rather than an absolute statement of “how hackable” a vehicle is
• The project is not intending to define a checklist of security features a vehicle should have to get “5 stars”
• The rating criteria will not be static – the project will address the need for the rating scheme to evolve over time in line with the evolving threat landscape
• The project is intended to complement other standards and regulatory activities, rather than trying to replace or compete with them
Digital Framework for Innovation Management of CAV R&D
• The CAV Innovation Framework will develop a digital platform of knowledge management tools for Project Management, Innovation Strategy and Internal Collaboration.
• It will support the development of secure products in line with both digital & technology readiness levels.
• Addressing the gap between security standards, innovation methods & disruptive digitalisation to support emerging readiness levels such as the APC DETC’s Digital Readiness Level (DRL) announced earlier this year.
Dissemination
[Diagram: dissemination plan from project start through Year 1 and Year 2]
Standardisation bodies: BSI, ISO, SAE
Stakeholder groups: OEMs and suppliers, Insurers, Government
Conferences and industry events
Consumer / motoring media
• Workshops throughout project to inform and foster acceptance
• Dissemination at key international events as project matures
• Media campaigns once concept proven
• Align and inform through partners’ engagement in standards development
Engaging with the project
• We are establishing a stakeholder panel to inform the project and ensure it is aligned with industry needs
• Please visit the project website to enquire about joining the stakeholder panel or to request updates on the project
https://5starsproject.com/
Summary
• Cybersecurity is a fundamental impediment to CAV adoption
• The 5*StarS project directly counters this with:
• An innovative assurance methodology for assessing the cybersecurity of new vehicles
• A risk based rating framework analogous to Euro NCAP, clarifying risk for the insurance industry and enabling consumer confidence in CAVs
• Leveraging best practices from other sectors, to deliver cybersecurity assured CAVs more quickly than through legislation/standards alone
https://5starsproject.com/
Acknowledgements