Post on 25-Jun-2020
Cybersecurity and the Transportation Space
SUZANNE LIGHTMAN
SENIOR ADVISOR, INFORMATION SECURITY
NIST
Elements
Why Consider Cybersecurity?
The Risk Environment
◦ Places to Begin
◦ Progression of Attacks
Cybersecurity and Safety
Privacy
What Is the Industry Doing?
Beyond the Vehicle
Is There Help Available?
Questions?
Why Consider Cybersecurity?
“Most…devices that lack security by design simply pass the security responsibility to the consumer, thus, treating the customers as techno-crash test dummies.”
― James Scott, Senior Fellow, Institute for Critical Infrastructure Technology
The Risk Environment
Human stupidity is finite, but human maliciousness appears to be infinite
The Risk Environment Cont.
Large attack surface
The Risk Environment Cont.
Cybersecurity risks change constantly
◦ New vulnerabilities are uncovered
◦ New ways to exploit those vulnerabilities are developed
The Risk Environment Cont.
You can’t just make the vehicle and wave bye-bye
◦ Increased use of electronics to allow ADAS means more exposure
◦ Everything cyber needs updates!!!!!
Progression of Attacks
Proof of Concept by Sophisticated Adversary
Code Developed to Automate Attack
Everyone Can Use Attack
Where Do I Start Looking?
“I” in the metaphorical sense
Where Do I Start Looking?
Communication Channels
◦ You have to start with a way in
◦ Every channel is a way in and they all have to be considered
◦ It’s not what you think the channel is for, it’s what others can make it do
Where Do I Start Looking Cont.
Places where people interact with the vehicle
◦ People are easy to fool
◦ The worst attacks often depend on people being the weak link
  ◦ Target hack was traced to phishing
  ◦ Sony
  ◦ Thyssen-Krupp
◦ NEVER depend on people
Where Do I Start Looking Cont.
Where You Depend on Others
Cybersecurity and Safety
They are complementary
◦ They are NOT the same
◦ Cybersecurity can help protect safety measures
◦ Cybersecurity can also inhibit safety measures
Misunderstanding safety and understanding cybersecurity (or vice versa) can get you into a lot of trouble!
Cybersecurity and Safety Cont.
A cybersecurity issue can lead to a safety issue
◦ Exfiltration of proprietary data
  ◦ Might not be a problem for safety immediately
  ◦ Until they figure out how to leverage the information
◦ Malware is an example
  ◦ Depending on how it manifests
  ◦ Botnets – can affect safety communications by hogging bandwidth
  ◦ Ransomware – could affect operations in an unsafe manner
Privacy
Yes, I know you don’t want to hear about it
But you are going to have to
Because of
◦ Government regulation
◦ Problems with Data Sharing
◦ The Equifax issue
◦ People disabling safety features because of perceived (or real) privacy threats
◦ V2V
◦ Black boxes
What Is the Industry Doing?
The vehicle manufacturing industry is very concerned
◦ They have liability
◦ It is part of the safety culture
Actions
◦ SAE – SDO – J3061 guidance on cybersecurity
◦ JWG – ISO/SAE – 21434 – standard on developing and maintaining cybersecurity in vehicles
Beyond the Vehicle
Everyone always wants to talk about autonomous vehicles
But What About the Infrastructure?
True autonomous vehicles will need infrastructure…
And that infrastructure will depend on cybersecurity
Rising Interest in Infrastructure
As autonomous vehicles come closer to reality, interest in infrastructure hacks rises.
◦ Attack against SF light rail system
◦ Researchers use ghost messages to cause traffic jam
◦ Researchers able to trick “smart” traffic lights
Issues to Consider for Infrastructure Owners
1. Lack of knowledge
2. Lack of resources
3. Lack of awareness
Ok, Now You Are Scared
What can I do? Who will save us?
Is There Help Available?
NIST (well, duh)
◦ NISTIR 8062 Privacy Engineering
  ◦ Places privacy in a risk management framework
  ◦ So you can think of business objectives and risks
  ◦ Introduces privacy objectives that can be used in evaluating systems
    ◦ Predictability
    ◦ Manageability
    ◦ Disassociability
◦ NIST Cybersecurity Framework
  ◦ Provides a common language to discuss cybersecurity from executive to technical
  ◦ Helps everyone understand where you are and where you want to be
  ◦ Can be used to transfer expertise
Is There Help Available? Continued
◦ States with experience
  ◦ Michigan
  ◦ California
  ◦ Wyoming
◦ Cities with experience
  ◦ Tampa
  ◦ New York City
  ◦ Los Angeles
Is There Help Available? Continued
SAE has several committees on cybersecurity
◦ The electrical systems committee
  ◦ Shares latest news and information
  ◦ Good place to keep up to date
◦ The cybersecurity committee
  ◦ SAE side of the JWG
UNECE has a working group that is looking at concerns from a regulatory perspective (very EU focused)
Questions?
Suzanne.Lightman@nist.gov