SAE INTERNATIONAL CYBERSECURITY Patti Kreh New Program Development Manager 05.November.2015


Copyright © SAE International. Further use or distribution is not permitted without permission from SAE

Agenda

• About SAE
• Why is cybersecurity important?
• What is industry doing (and challenges)?
• What is SAE doing (and opportunities)?

SAE | Advanced Engineering UK | November 2015


The SAE portfolio: a global association of more than 140,000 engineers and related technical experts

• TECHNICAL STANDARDS: 35,000+ aerospace and ground vehicle standards
• PUBLICATIONS: 100,000+ collection of technical publications
• MEDIA: Magazines, eNewsletters, custom publishing, Tech Briefs Media Group
• MEMBERSHIP: 140,000 members worldwide, multiple-tiered/benefit model
• ENGINEERING EVENTS: Over 30 global technical events annually for the aerospace, automotive, and commercial vehicle sectors
• FOUNDATION: Charitable arm of SAE International, supporting STEM for over 30 years; 76,000 K-12 students and over 7,000 college students.
• PROFESSIONAL DEVELOPMENT: 400 courses portfolio, webinars; in-house, corporate and self-paced learning

Copyright (c) 2014 SAE International. All rights reserved.


…for the aerospace, automotive and commercial vehicle sectors

In the past 6 months…


www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

WHY IS CYBERSECURITY IMPORTANT?

Cybersecurity is everyone’s concern

Safety

Brand reputation

Customer confidence

Financial

$5.65M transportation

$2.28M automotive

Source: 2015 Cost of Cyber Crime Study: Global, Sponsored by Hewlett Packard Enterprise, Independently conducted by Ponemon Institute LLC, October 2015

Hacking getting easier, more organized


Increasing lines of code

Space shuttle <500K

Hubble telescope 1M

Boeing 787 (total flight system) 10M+

Microsoft Windows Operating System 50M+

Average modern high end car 100M

More complexity

Source: informationisbeautiful.net and www.code.org


Increased connectivity across all mobility sectors

• Commercial Vehicle: Self-driving Freightliner Inspiration rolls out on public roads in Nevada (www.cnet.com/news/freightliner-autonomous-inspiration-truck/)
• Automotive: Modern car safety critical systems no longer isolated (Automotive.ebv.com)
• Aviation: The 787 Dreamliner, the world’s first e-Enabled commercial airplane (www.boeing.com/commercial/aeromagazine/articles/qtr_01_09/pdfs/AERO_Q109_article05.pdf)

Challenges faced by (any) industry

Create a Cybersecurity Culture
• Mindset change - Not IF you’ll be hacked, BUT WHEN
• Organizational priority; C-suite attention & resources
• “Security by design” versus “bolted on” later
– Designs and processes to identify, protect, detect, respond, recover over the entire lifecycle

Legacy components, systems, architecture
• Airplane 30+ years, Auto 11+ years
• Planning for updates (fast and secure)

3rd party; aftermarket devices
• Mobile phones, insurance dongles, hobbyist, tuners

Challenges faced by (any) industry …continued

Secure software development
• Open source and reused code; unanticipated use cases, complexity

Looming government regulation(s)
• Vehicle-to-vehicle communication technology for light vehicles
• Government cybersecurity legislation

Skilled workforce
• Intersection of electrical engineering, computer science, math with cyber-physical understanding
• Shortage throughout the entire supply chain

(New) Collaboration
• With competitors, with government

WHAT IS INDUSTRY DOING?

What is industry doing?

Creating security organizations

• Appointing security executives

• Establishing security operations centers

• Hiring security experts and analysts

Collaborating in research consortia

Writing Standards

Conducting threat analysis

Conducting penetration testing

Closing vulnerabilities

Training; hands-on, mock incidents

What is industry doing? …continued

Adopting common privacy principles

Establish Information Sharing and Analysis Centers (ISACs)

Offering bug bounties

WHAT IS SAE DOING?

What is SAE doing?

Standards

Conferences

Publications

Media

Training

SAE Cybersecurity Standards

Aerospace:
– ARINC 811 Commercial Aircraft Information Security Concepts of Operation and Process Framework
– ARINC 821 Aircraft Network Server System Functional Definition
– ARINC 823 Encrypted data link communications (ACARS)
– ARINC 781 Aviation Satellite Communication
– ARINC 791 Ku-band, Ka-band aviation satellite communication services
…every ARINC standard developed with security concerns in mind

Automotive:
– J3061 Cybersecurity Guidebook for Cyber-Physical Automotive Systems
– J3101 Requirements for Hardware-Protected Security for Ground Vehicle Applications

SAE Automotive Cybersecurity Standards

J3061 Cybersecurity Guidebook for Cyber-Physical Automotive Systems
‒ Provides an automotive security guidebook that will help drive a process to address all the Cybersecurity threats the automotive environment is experiencing. Anticipated release: YE2015

J3101 Requirements for Hardware-Protected Security for Ground Vehicle Applications
‒ Defines a common set of requirements for security to be implemented in hardware for ground vehicles to facilitate security enhanced applications, developing expectations for necessary functionality to achieve an ideal system for hardware protection for ground vehicle applications, including examples, but not explicitly detailing implementation requirements. Under development

SAE Battelle CyberAuto Challenge

• Real vehicles; real problems
• High school, college and professionals
• 5 day camp / workshop; classroom discussions complemented by hands-on vehicle work
• 24 hour Challenge - practicum
• Teams composed of OEs, suppliers, government, researchers - “white hat” hackers, educators
• Extensive on-line student preparation (cryptology, microcircuit design, CAN, etc.)
• 2016: July 25-29 Warren, MI

Forging the next generation of cyber auto engineer

QUESTIONS?


Articles and sources

http://www.darkreading.com/analytics/threat-intelligence/automobile-industry-accelerates-into-security/d/d-id/1297313
http://www.foxnews.com/leisure/2015/09/11/are-bounty-hunting-hackers-key-to-car-security/
http://www.thedetroitbureau.com/2014/11/automakers-create-privacy-principles-for-new-vehicles/
http://on.aol.com/video/car-hacking-with-carknow--translogic-135-517884188
http://articles.sae.org/13809/
https://securityledger.com/2015/02/bmw-fixes-connecteddrive-flaw-with-over-the-air-patch/
http://www.informationisbeautiful.net/visualizations/million-lines-of-code/
http://advice.careerbuilder.com/posts/hiring-trends-to-expect-in-2015
http://www.dhs.gov/national-cyber-security-awareness-month
http://www.wired.com/2015/06/united-flights-grounded-mysterious-problem/
http://money.cnn.com/2015/08/06/technology/tesla-hack/index.html
www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
http://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars/
https://threatpost.com/holes-in-progressive-dongle-could-lead-to-car-hacks/110511/
http://www.wired.com/2015/04/twitter-plane-chris-roberts-security-reasearch-cold-war
http://www.wired.com/2015/10/five-car-hacking-lessons-we-learned-this-summer/
http://airinsight.com/2013/04/08/cyber-security-and-aviation/
http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-aviation-industry-did-they-fail-cybersecurity-101/
http://www.cnet.com/news/freightliner-autonomous-inspiration-truck/


Thank you

Patti Kreh
New Business Development Manager
SAE Industry Technologies Consortia (ITC)
SAE INTERNATIONAL
755 West Big Beaver Road, Suite 1600
Troy, MI 48084
o +1.248.273.2474
m +1.248.210.5418
e [email protected]
www.sae.org