automotive cybersecurity: it’s more than ... - nxp community

Post on 25-Apr-2022

TRANSCRIPT

Page 1: Title

COMPANY PUBLIC

Automotive Cybersecurity: It’s More Than Just Cryptography

NXP Tech Day – Paris, November 21st, 2019

Fabrice Poulard – Automotive Security Expert Group

Page 2: Global Mobility

Autonomy, Electrification, Connectivity – Enabled by Safe and Secure Systems

Page 3: Cybersecurity: Cryptography & More

Cryptography is the essential cybersecurity toolbox, but the slide surrounds it with the questions a complete security program still has to answer: Key Management? Root-of-Trust? System Integration? Standards? Compliance? Threats? Incident Response? Crypto-Agility? Future Proof? Platform Security?

Page 4: A Glimpse at Cybersecurity Threats in Automotive

The examples span the whole range from local attacks to remote attacks:

Remote hack of an unaltered car (July 2015) – https://www.youtube.com/watch?v=MK0SrxBC1xs

Vehicle theft by relay attack – https://www.youtube.com/watch?v=8pffcngJJq0

Ransom for a drive

Tampering the odometer – https://www.nhtsa.gov/equipment/odometer-fraud

Source cited on the slide: VDI Conference on IT Security for Vehicles (Berlin / July 2017)

Engine tuning

Workshop around the corner, or in your garage

Page 5: Cyberattack Costs vs. Scalability

The chart compares three attack surfaces, from local to remote: the ECU (IC) itself, local interfaces, and remote interfaces. For each surface it plots the effort to identify a vulnerability (I) and to exploit it (E) against the scalability of the resulting attack; attack costs run from $$$$$ down to $.

Legend: I = Identify vulnerability, E = Exploit vulnerability

Major Concerns!

Page 6: Core Security Principles

Security measures are mapped against the same attack surfaces (ECU (IC), local interfaces, remote interfaces; local attacks to remote attacks):

Secure Domain Isolation

Secure External Interfaces

Secure Internal Communication

Secure Software Execution (···010110···)

Underpinned by Secure Foundations (HW + FW) and Secure Solutions & Services, providing Resistance to Local Attacks.

Page 7: Holistic Approach – Solutions

Four pillars: Secure Domain Isolation, Secure Interfaces, Secure Networks, Secure Processing.

Four goals: PREVENT access, DETECT attacks, REDUCE impact, FIX vulnerabilities.

Measures placed in the pillar/goal matrix:

Firewalling (context-aware message filtering)

Separated Functional Domains

M2M Authentication & Firewalling

Secure Messaging

Message Filtering & Rate Limitation

Code / Data Authentication (@ run-time)

Code / Data Authentication (@ start-up)

Resource Control (virtualization)

Secure Updates

Intrusion Detection Systems (IDS)

Page 8: Holistic Approach – Solutions and Organization

The same pillar/goal matrix as page 7 (Secure Domain Isolation, Secure Interfaces, Secure Networks, Secure Processing; PREVENT access, DETECT attacks, REDUCE impact, FIX vulnerabilities; Firewalling, Separated Functional Domains, M2M Authentication & Firewalling, Secure Messaging, Message Filtering & Rate Limitation, Code / Data Authentication at run-time and at start-up, Resource Control (virtualization), Secure Updates, IDS), extended with a fifth pillar, Secure Engineering, and an organizational layer:

Threat Monitoring, Intelligence Sharing, …

SDLC incl. Security Reviews & Testing, …

Incident Management / Response

Security-Aware Organization, Policies, Governance

Page 9: Anatomy of a Secure Automotive ECU

ECU Functions & Features – Application Domain: complex subsystems, multiple processing elements, multiple interfaces.

Core Security Principles – Secure Domain (···010110···): resistance to local attacks, root of trust, acceleration of security primitives, hardware-enforced isolation.

Secure Subsystems: on-chip (specific 𝑓() or generic services) or companion chip.

Page 10: NXP’s Automotive Security Solutions – Automotive ICs with On-Chip Security Subsystems

Vehicle domains: Powertrain & Vehicle Dynamics; ADAS & Highly Automated Driving; Infotainment & In-Vehicle Experience; Body & Comfort; Vehicle Networking; Connectivity.

Product families: i.MX8 & i.MX6; S32x & MPC57xx; Layerscape.

On-chip secure subsystems: HSE (HSM); Security Controller (SECO); CSE; Security Engine (SEC).

Attributes called out per subsystem: high performance; versatile feature set; ease-of-use; cost-optimized; media content protection; platform control.

Summary: On-chip Secure Subsystems – Generic Set of Services, High Performance.

Page 11: S32’s On-Chip Secure Subsystem: HSE

Service groups: Cryptographic Operations; Key Management; Trusted Execution; System Utilities; Security Configurations.

Establishes Trust – Secure Boot + Root of Trust

Conceals – All Secret Keys

Accelerates – Cryptographic Operations

Easily Integrates – In Your Design

Adapts – Through Secure Updates

Page 12: Integrating NXP’s HSE in Standard Security Stacks – Host–HSE Interface

HW: HSE (FW), Messaging Unit, Shared RAM, INTC

Legend: NXP SW / 3rd Party SW

Host–HSE interface properties: Rich Service API; Multi-Thread Ready; Buffer-free Interface; Domain Separations

Page 13: Integrating NXP’s HSE in Standard Security Stacks

The diagram shows the HSE host interface plugged into three host software stacks, layered as Resource Layer / API Layer / Service Layer (legend: NXP SW / 3rd Party SW). The grouping below follows the slide layout as far as it can be recovered from the transcript.

HW (Resource Layer): HSE (FW) providing Key Blobbing and Random Gen.; Messaging Unit; Shared RAM; INTC

AUTOSAR stack: Application Layer; RTE; Service Layer: CSM, SecOC; ECU Abstraction Layer: Crypto Interface; MCAL: Crypto Driver (HSE Host I/F), Crypto Driver (SW)

QNX stack: QNX Crypto API; cryptodev; QNX BSP: Crypto Driver (HSE Host I/F), RNG, BKEK

Linux stack – User space: OpenSSL, AF_ALG, HW RNG API; Kernel space: Kernel Crypto API, Crypto Driver (HSE Host I/F), SW Algorithms, DM Crypt (storage encryption), Net-stack

Page 14: HSE: Three Main Service Classes

Key Management: key file management; key import; key export; key generation; key derivation; key exchange.

Cryptographic Operations: AES encryption & decryption; CMAC / HMAC generation & verification; hashing (SHA2 & SHA3); RSA / ECC signature generation & verification; RSA OAEP / ECIES encryption & decryption; random generation.

Secure Boot: strict secure boot (verify then start); parallel secure boot (start then verify); on-demand verification (secure boot control in the application); configurable sanctions (e.g. key usage restrictions).

Secure Use: all operations HW accelerated; AES key up to 256 bits; RSA key up to 4096 bits; secure boot optimized for speed.
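The three secure boot modes and the key-usage sanction listed above, as an added Python model (not HSE firmware and not NXP code): HMAC-SHA256 with a constructed key stands in for the HSE's image authentication, and the BootState fields and log strings are assumptions made for the illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed demo key standing in for a key held inside the HSE (not a real secret).
HSE_KEY = b"constructed-demo-key"


def auth_tag(image: bytes) -> bytes:
    """HMAC-SHA256 stands in for the HSE's CMAC/HMAC or signature check on an image."""
    return hmac.new(HSE_KEY, image, hashlib.sha256).digest()


def image_is_authentic(image: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(auth_tag(image), tag)


@dataclass
class BootState:
    app_started: bool = False
    key_usage_allowed: bool = True   # target of the "key usage restriction" sanction
    log: list = field(default_factory=list)


def apply_sanction(state: BootState) -> None:
    """Configurable sanction (the slide's example): block further use of the keys."""
    state.key_usage_allowed = False
    state.log.append("sanction: key usage restricted")


def strict_boot(state: BootState, image: bytes, tag: bytes) -> BootState:
    """Verify then start: the application never runs from an unverified image."""
    if image_is_authentic(image, tag):
        state.app_started = True
        state.log.append("strict: verified, app started")
    else:
        state.log.append("strict: verification failed, app not started")
        apply_sanction(state)
    return state


def parallel_boot(state: BootState, image: bytes, tag: bytes) -> BootState:
    """Start then verify: the app is already running while the check completes,
    so a failure is handled by sanction rather than by withholding start-up."""
    state.app_started = True
    state.log.append("parallel: app started, verification in progress")
    if not image_is_authentic(image, tag):
        state.log.append("parallel: verification failed while running")
        apply_sanction(state)
    return state


def on_demand_verify(state: BootState, image: bytes, tag: bytes) -> bool:
    """On-demand verification: the running application requests a re-check
    (e.g. before using a key); the same sanction applies on failure."""
    ok = image_is_authentic(image, tag)
    if not ok:
        apply_sanction(state)
    return ok
```

The difference between the modes is visible in the returned state: a tampered image leaves app_started False under strict boot but True under parallel boot, with the sanction applied in both cases.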

Page 15: Your Key Benefits With NXP’s HSE Solution

One-Stop-Shop – NXP responsible for the complete solution

Off-the-shelf Enablement

Optimum Performances

Optimum Security Assurance Level

Faster Time-to-Market – Firmware availability aligned with customer samples

Custom Extensions If Required

Page 16: NXP’s Automotive Security Solutions – Security Companions

Repeats the page 10 overview (vehicle domains; i.MX8 & i.MX6, S32x & MPC57xx, Layerscape; HSE (HSM), SECO, CSE and SEC with their attributes) and adds the security companion column:

Secure Element (SE): tamper-resistant secure system, ideal for M2M authentication (e.g. V2X)

Stand-alone Secure Subsystems: Generic Set of Services, High-resistance Against Local Attacks

Page 17: NXP’s Automotive Secure Element Certified against CC

Page 18: NXP’s Automotive Security Solutions – Function-Specific Secure ICs

Repeats the page 16 overview (on-chip security subsystems and the Secure Element) and adds function-specific secure ICs:

Secure CAN Transceiver (TJA115x) – for enhanced IDS & IPS

Secure Ethernet Switch – network frame analysis (L2/L3/L4)

Secure Car Access ICs – for advanced RKE / PKE solutions

V2X DSRC Baseband (SAF5x00) – ultra-fast ECDSA verifications

Stand-alone IC: Specific Set of Services, Optimized for the Target Function

Page 19: Function-specific Secure IC: Secure CAN Transceiver

Diagram: the ECU’s MCU drives the TJA115x CAN transceiver over TXD/RXD; the transceiver sits between the MCU and the CAN bus.

TX: Message Filtering – White List and Leaky Bucket

RX: Bus Monitoring – Black List

Simple CAN transceiver replacement

Pure hardware based solution (no software)

On-the-fly CAN ID whitelisting & blacklisting

Flooding prevention by leaky bucket principle

Immediate intrusion containment

Secure in-field reconfiguration possible
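The TX white list, RX black list and leaky-bucket flooding limiter described above, modelled as an added Python simulation (not NXP code and not the TJA115x implementation): the CAN IDs, timestamps, bucket size and the "flag" containment action are constructed assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Frame:
    can_id: int   # 11-bit CAN identifier
    t_ms: int     # constructed timestamp (ms) at which the frame is offered/observed


class LeakyBucket:
    """Flooding limiter: each frame passed to the bus adds one unit, the bucket
    drains continuously at leak_per_ms, and a full bucket blocks the frame."""
    def __init__(self, capacity: int, leak_per_ms: float):
        self.capacity, self.leak_per_ms = capacity, leak_per_ms
        self.level, self.last_ms = 0.0, 0

    def allow(self, t_ms: int) -> bool:
        self.level = max(0.0, self.level - (t_ms - self.last_ms) * self.leak_per_ms)
        self.last_ms = t_ms
        if self.level + 1 > self.capacity:
            return False            # bucket full: the node is flooding, drop the frame
        self.level += 1
        return True


class SecureTransceiverModel:
    """Hardware-only filtering between the local MCU (TXD/RXD) and the CAN bus."""
    def __init__(self, tx_whitelist, rx_blacklist, bucket: LeakyBucket):
        self.tx_whitelist = set(tx_whitelist)   # IDs this ECU is allowed to transmit
        self.rx_blacklist = set(rx_blacklist)   # IDs that must never be accepted from the bus
        self.bucket = bucket

    def tx_filter(self, frame: Frame):
        """TX path: returns (passed, reason). The MCU's frame reaches the bus only
        if its ID is whitelisted and the leaky bucket still has room."""
        if frame.can_id not in self.tx_whitelist:
            return False, "id-not-whitelisted"
        if not self.bucket.allow(frame.t_ms):
            return False, "flooding"
        return True, "ok"

    def rx_monitor(self, frame: Frame) -> bool:
        """RX path (bus monitoring): True means the frame is flagged for containment;
        the flag is this simulation's placeholder for the transceiver's reaction."""
        return frame.can_id in self.rx_blacklist


def run_demo():
    """Constructed scenario: a 3-frame bucket draining one unit every 10 ms."""
    model = SecureTransceiverModel([0x100, 0x101], [0x200], LeakyBucket(3, 0.1))
    offered = [Frame(0x100, 0), Frame(0x100, 1), Frame(0x100, 2), Frame(0x100, 3),
               Frame(0x7FF, 4), Frame(0x101, 50)]
    tx = [(f.can_id, *model.tx_filter(f)) for f in offered]
    observed = [Frame(0x200, 10), Frame(0x300, 11)]
    rx = [model.rx_monitor(f) for f in observed]
    return tx, rx
```

In the constructed run the fourth burst frame is dropped as flooding, the non-whitelisted ID never reaches the bus, and the blacklisted ID seen on the bus is flagged while an unlisted one passes unflagged.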

Page 20: Function-specific Secure ICs: Secure Car Access Solutions

Four access functions, each between a transponder/key side (TP) and the vehicle base station (BS):

Immobilizer – Authentication for Engine Start: TP and BS exchange 1. LF Challenge, 2. LF Response.

Remote Keyless Entry – On-demand Authentication: on button press, TP* (µC, RF Tx) sends an RF signal (rolling code) to BS* (µC, RF Rx). *Immobilizer function included.

Passive Keyless Entry – Hands-free, with Distance Bounding: BS* (µC, LF Tx, RF Rx*) sends 1. LF Wake-Up/Challenge and TP* (µC, LF Rx, RF Tx*) answers with 2. RF Response; RF Data Exchange with 2-way RF & Distance Bounding (Smart Car Management µC with RF Tx/Rx on the vehicle side). *Immo/RKE function included.

Smart Access (mobile devices) – access via NFC/BLE-enabled devices: eSE, NFC and BLE on both sides, Secure Data Exchange (e.g. CCC Digital Key).

Page 21: Introducing Ultra-Wideband (UWB) in Automotive

• Protection against car theft – Security: ultimate countermeasure against relay attacks

• Door lock user recognition – Convenience: individual movement pattern granting access

• Child seat positioning – Safety: accurate guided positioning of the child seat

• Trailer recognition – Convenience: approach-triggered trailer hitch

• Easy trunk opening – Convenience: approach-triggered trunk opening

Going further: https://www.youtube.com/watch?v=6Y8rgUD7DL4

Page 22: NXP’s Holistic Approach to Product Security

Three pillars: SOLUTIONS & TECHNOLOGIES, PROCESSES, PEOPLE.

Broad portfolio of security solutions (HW & SW / FW)

Secure product engineering process

Internal / external security evaluation (VA)

Researchers, industry partners, Auto-ISAC, CERTs, …

Information security policies

Site security (ISO 27001)

Computer Security IR Team (CSIRT)

Security Operations Center (SOC)

Product Security IR Team (PSIRT)

Security-aware organization

Threat intelligence feed

Page 23: Security Culture and Organization – Matured Over Time (Some of the key milestones)

Timeline 2010 – 2015 – 2020, moving from Smart Cards through Mobile to Connected Vehicles and IoT, in four tracks (Incident Response; Security-by-Design; Larger Context; Program, Organization):

MIFARE Classic hack

PSIRT established

Security Maturity Process (SMP)

SMP / trusted solutions for auto

Auto-ISAC established

Dedicated team for auto security

Involved in ISO/SAE 21434

Joined Auto-ISAC

PSIRT extended

IR process formalized

Co-shaping global V2X security standards

V2X security program

Cooperating with HIS on SHE spec

Auto security strategy

ISO/SAE 21434 JWG

Page 24: Product Security Incident Response Team (PSIRT)

• Manages Product Security Incidents

– Global across products / markets / regions

– Established in 2008 after the MIFARE Classic hack

• Committed to Responsible Disclosure

– In alignment with the security community

– With our customers, partners, Auto-ISAC, CERTs

• Continuous Improvement

– Evaluate and benchmark against Auto-ISAC’s best practice guide for incident response management

Web site: www.nxp.com/psirt – Contact: [email protected]

Process: 1. Receive report → 2. Evaluate vulnerability → 3. Define solution → 4. Communicate → 5. Evaluate process → 6. Closure

Page 25: NXP’s Security Organization

• Dedicated expert teams – security as core competence

• Collaboration across organizations / teams / backgrounds / competences / markets

• Have expertise close to our customers

Scope: Global strategy; Product & engineering security; Technology foundation; Incident response PSIRT / CSIRT

Organization chart: Security Strategy & Innovation; Global; four Regions; four Business Lines; CTO / Security Competence Center; Sales & Marketing; Customer Support; Security Champions; Security Teams / Experts

Page 26: Training and Awareness – What do we do?

Training and Knowledge Transfer

• Regular basic security training

• Expert training on dedicated topics – internally and through external partners

Awareness

• Regular bulletins and campaigns to increase awareness

• Internal and external information sharing, through:

▪ Regular internal meetings and online portal

▪ Workshops with partners

▪ Bi-directional sharing with Auto-ISAC, CERTs, …

Page 27: Collaboration, Information Sharing

NXP was amongst the first suppliers to join the Auto-ISAC (Aug. 2016)

We collaborate with various third parties: researchers, industry partners, CERTs, …

We are an active member of the Auto-ISAC, a key forum and network for automotive cybersecurity

• Enables leveraging industry know-how & best practices, and sharing intelligence on threats & vulnerabilities

• Go-to-contacts for peer support and advice

Core values: collaboration, trust, confidentiality

Published 7 best practice guides

• Valuable benchmark for any cybersecurity program

Page 28: Standards & Best Practices

NXP participates in the development of various Automotive security standards:

ISO/SAE 21434

SAE TEVEES18 (J3061, J3101, …)

AUTOSAR WP-X-SEC

IEEE 1609 WAVE, ETSI TC ITS

Car Connectivity Consortium (CCC) Digital Key Specification

Page 29: Vehicle Safety & Cybersecurity Standards

Trend: vehicle technology accumulates layer by layer.

Mechanics: seatbelts; headrests; crumple zones; laminated glass

+ Electronics: airbags; Anti-lock Braking System; Electronic Stability Control; traction control

+ Connectivity: V2X / DSRC; remote diagnostics; user device connectivity; OTA (map, software) updates

+ Autonomy: ADAS; self-driving; sensors; AI & ML

Driving force for: improve safety + improve user experience

Through: Functional Safety (ISO 26262); SOTIF (ISO 21448); Cybersecurity (ISO/SAE 21434)

To address: unintentional hazards; intentional threats; unanticipated hazards

In: known scenarios + unknown scenarios

SOTIF = Safety Of The Intended Functionality

Page 30: Product Development – Security Maturity Process

PROJECT LIFECYCLE: CONCEPT → DEFINITION → PLANNING → EXECUTION → CLOSURE, with Security Milestones at each gate

Inputs: Standards (ISO 21434, SAE J3061, …); Training and awareness; Lessons learned (e.g. from IR); Threat intelligence, BPWG, …

Independent and un-biased reviews – “4 eyes” principle

Process implementation can be adjusted per project

Monitoring security implementation at each gate

Page 31: Your Key Takeaways!

SOLUTIONS & TECHNOLOGIES: Secure CAN Transceiver; Automotive SE (CC EAL5+); UWB

PROCESSES: ISO/SAE 21434; Security gates within our standard Automotive processes

PEOPLE: 20+ years in the smart card industry; Organization matured over time!

www.nxp.com/psirt – * [email protected]

Going further: www.nxp.com/automotivesecurity – blog.nxp.com/category/automotive

Page 32: www.nxp.com/automotivesecurity