Security Challenges with ITS : A law enforcement view
Central Observatory for Intelligent Transportation Systems
FRENCH MINISTRY OF INTERIOR
GENDARMERIE NATIONALE
Colonel Franck MARESCAL
[email protected]@gendarmerie.interieur.gouv.fr
French Central Observatory for the intelligent transportation systems: What for?
A better understanding and mastery of intelligent transport systems will facilitate the gendarmerie's missions in these areas:
1. Road safety: to reduce accidents
2. Public safety: to fight against crime (serious offences, robbery)
3. Judiciary police: obtaining digital evidence
4. Risk prevention: promote cyber security
Major risks with ITS
Main issue
CHALLENGES: What about the threat
STATEMENTS:
1/ so many computer or system security breaches
2/ modern cars are today the most complex systems on the planet
3/ hackers' capabilities: more and more organised (hacker community), motivated by money (conduct business), increasing skill (exchange information).
The lesson we have learned from cyber criminals is not to underestimate their ability to mount a cyber attack project.
CHALLENGES: Increasing vulnerabilities: attack surfaces overview
Automaker data centre
cellular network
WIFI (V2X)
Bluetooth
OBD-II
Digital Audio Broadcasting
phone chip
USB port
CAN network
RFID sensor -wheel-
Smartphone
RFID key
Connected watch
Garage diagnostic suitcase
Smart key
Inside the car
ECU/JTAG port
Electric charger port
CHALLENGES - demo
Live connection to a car through an OBD plug device
CHALLENGES: Risk assessment: hackers' motivating factors
Security risks:
- Denial of Service (DoS): V2V, ADAS, GPS, infrastructure
- Intimidation: car is out of control (threaten the driver)
- Terrorism 1: kill people during a car crash
- Terrorism 2: car programmed as a battering ram by its owner
Privacy risks:
- personal data stolen
- the way you drive
- phone tapping
- video surveillance
- localisation
Others (financial):
- Vehicle theft (organised crime): tampering with the remote key (Mouse Jacking).
- Ransom (car is out of order for a while)
- carmakers' stock-market manipulation
Risks Consideration
Declaration of Amsterdam - Ministers of Transports – April 2016
Cooperation in the field of connected and automated vehicle:
“It's essential to ensure security of vehicle: trust model and certification policies should be developed to prevent risks and support cybersecurity”
March 17, 2016: Alert Number I-031716-PSA, Motor Vehicles Increasingly Vulnerable to Remote Exploits
Car cyber security guidelines
SAE J3061 Guidelines (January 2016): Cybersecurity guidebook for cyber-physical vehicle systems … ISO is in progress
C-ITS platform (European Commission) – WG5 security
Recommendations/actions: report (January 2016)
CaRSEC expert Group within ENISA (March 2016)
(European Union Agency for Network and Information Security)
3 topics:
- Evaluate current standards and initiatives;
- Towards a shared vision on cyber security for smart cars in the EU;
- Ensuring the security of embedded systems coming from new actors to the car industry
ENISA recommendations: December 2015
European Union Agency for Network and Information Security
How is automotive cybersecurity organised?
Law enforcement lab in ITS
Carmakers
Standardisation
Provide cyber expertise:
- IT & sec. companies
- laboratories & institutes
- startup
Observers: Consumers
Road association
Insurers
Public authorities
Ministry of homeland security
Ministry of transportation
Ministry of economy
The parliament
Provide advice:
- suppliers
- national commission for data protection
- national homologation unit
- industry federation
National network and information security agency
UNECE: United Nations Economic Commission for Europe
EC-DGMOVE: European Community – Directorate Gen Mobility and Transport
ISO: International Organisation for Standardisation (WG TC22/SC32)
ETSI: European Telecomm. Standards Institute (EN 302 637-x)
ENISA: European Union Agency for Network and Information Security
NHTSA: US National Highway Transportation Safety Administration
SAE: Society of Automotive Engineers
Auto ISAC: Automotive Information Sharing Analysis Center
Recommendations
Universities
NHTSA US-DOT
DARPA
NIST
ENISA CaRSEC expert Group
FTC
SAE J3061
ERTRAC
G7 ITS ITU-T
ISO / TC22
UNECE WP29
ETSI WG5
CENELEC / CSCG
ISA / IEC WG17
IEEE SCC42/TF1
EC-DGMOVE C-ITS platform WG5
Auto ISAC
Best practices: 7 key factors to obtain robust car security
1/ Essential framework: resilience & security/privacy by design
2/ Need a best practice guideline (a goal based standard) and apply it
3/ Maintain relationships with third-party security technologists (research project and cyber intrusion tests)
4/ gathering intelligence in an auto ISAC
5/ detect intrusion and record evidence for forensic purposes
6/ combining cyber test in homologation EuroNCAP test
7/ transparency in the compliance with the above mentioned points 1/ to 5/
Oh my poor teddy bear, you too have been hacked !
Thank you for your attention