Security Challenges with ITS : A law enforcement view

Central Observatory for Intelligent Transportation SystemsFRENCH MINISTRY OF INTERIOR

GENDARMERIE NATIONALE

Colonel Franck MARESCALColonel Franck MARESCAL

franck.marescal@gendarmerie.interieur.gouv.frfranck.marescal@gendarmerie.interieur.gouv.fr

French Central Observatory for the French Central Observatory for the intelligent transportation systems :intelligent transportation systems :

What For ?What For ?

A better understanding and mastering of the intelligent transport systems will facilitate the work of the gendarmerie missions in these areas :

1. Road safety : to reduce accidents2. Public safety : to fight against crime

(serious offences, robbery)

3. Judiciary police : obtaining digital evidence

4. Risk Prevention : promote cyber security

P 3

Major risks with ITS Major risks with ITS

Main issue

P 4

CHALLENGES :CHALLENGES :What about the threatWhat about the threat

STATEMENTS :1/ so many computer or system security breaches2/ modern cars are today the most complex systems on the planet3/ hackers capabilities : more and more organised (hacker community), motivation for money (conduct business), increasing skill (exchange information).

Lessons we have learned from cyber criminals is not to under estimate their abilities to mount cyber attack project

P 5

CHALLENGES :CHALLENGES :Increasing vulnerabilities :Increasing vulnerabilities :attack surfaces overviewattack surfaces overview

Automaker data centre

cellular network

WIFI (V2X)

Bluetooth

OBD-II

Digital Audio Broadcasting

phone chip

USB port

CAN network

RFIDsensor -wheel-

Smartphone

RFID key

Connected watch

Garage diagnostic suitcase

Smart key

Inside the carInside the car

ECU/JTAG port

Electric charger port

P 6

CHALLENGESCHALLENGES - demo - demoLive connection to a car Live connection to a car

through an OBD plug devicethrough an OBD plug device

P 7

Security risks :- Denial of Service (DoS) : V2V, ADAS, GPS, infrastructure - Intimidation : car is out of control (threaten the driver)- Terrorism 1 : kill people during a car crash- Terrorism 2 : battering ram car programming by his owner

CHALLENGES :CHALLENGES :Risk assessment :Risk assessment :

hackers motivating factorshackers motivating factors

P 8

Security risks :- Denial of Service (DoS) : V2V, ADAS, GPS, infrastructure - Intimidation : car is out of control (threaten the driver)- Terrorism 1 : kill people during a car crash- Terrorism 2 : battering ram car programming by his owner

Privacy risks :- personal data stolen - way as you drive- phone tapping- video surveillance- localisation

Risk assessment :Risk assessment :hackers motivating factorshackers motivating factors

P 9

Security risks :- Denial of Service (DoS) : V2V, ADAS, GPS, infrastructure - Intimidation : car is out of control (threaten the driver)- Terrorism 1 : kill people during a car crash- Terrorism 2 : battering ram car programming by his owner

Privacy risks :- personal data stolen - way as you drive- phone tapping- video surveillance- localisation

Others (financial) :- Vehicle theft (organised crime) : tampering remote key (Mouse Jacking).- Ransom (car is out of order for a while)- carmakers stock-market manipulation

Risk assessment :Risk assessment :hackers motivating factorshackers motivating factors

P 10

Risks Consideration Risks Consideration

““It's essential to ensure security of vehicle :It's essential to ensure security of vehicle :trust model and certification policies should be developed to trust model and certification policies should be developed to prevent risks and support cybersecurity”prevent risks and support cybersecurity”

Declaration of Amsterdam - Ministers of Transports – April 2016 Declaration of Amsterdam - Ministers of Transports – April 2016 Cooperation in the filed of connected and automated vehicle :

March 17, 2016 : Alert Number I-031716-PSA Motor Vehicles Increasingly Vulnerable to Remote Exploits Motor Vehicles Increasingly Vulnerable to Remote Exploits

P 11

Car cyber security Car cyber security guidelinesguidelines

SAE J3061 Guidelines (january 2016) : Cybersecurity guidebook for cyber-physical vehicles systems … ISO is progress

C-ITS platform (European Commission) – WG5 securityRecommendations/actions : report (january 2016)

CaRSEC expert Group within ENISA (march 2016)(European Union Agency for Network and Information Security)3 topics : - Evaluate current standards and initiatives ;- Towards a shared vision on cyber security for smart car in the EU ;- Ensuring the security of embedded systems coming from new actors to the car industry

P 12

ENISA recommendations : december 2015European Union Agency for Network and Information Security

How is automotive cybersecurity organised ?How is automotive cybersecurity organised ?

Law enforcement lab in ITS

Carmakers

Standardisation

Provide cyber expertise :- IT & sec. compagnies

- laboratories & institutes- startup

Observers : Consumers

Road associationInsurers

Public authoritiesMinistry of homeland security

Ministry of transportationMinistry of economy

The parliament

Provide advice :- suppliers

- national commission for data protection- national homologation unit

- industry federation

National network and information security agency

UNECE :United Nations Economic Commission for EuropeEC-DGMOVE : European Community – Directorate Gen Mobility and TransportISO : International Organisation for Standardisation (WG TC22/SC32)ETSI : European Telecomm. Standards Institute (EN 302 637-x)ENISA : European Union Agency for Network and Information SecurityNHTSA : US National Highway Transportation Safety AdministrationSAE : Society of Automotive EngineersAuto ISAC : Automotive Information Sharing Analysis Center

Recommendations

Universities

NHTSAUS-DOT

DARPA

NIST

ENISACaRSEC expert Group

FTC

SAEJ3061

ERTRAC

G7 ITS ITU-T

ISO / TC22

UNECEWP29

ETSIWG5

CENELEC / CSCG

ISA / IECWG17

IEEESCC42/TF1

EC-DGMOVEC-ITS platform WG5

Auto ISAC

P 14

Best practices :Best practices : 7 key factors 7 key factors to obtain a robust security car to obtain a robust security car

1/ Essential framework : resilience & security/privacy by design2/ Need a best practice guideline (a goal based standard) and apply it 3/ Maintain relationships with third-party security technologists (research project and cyber intrusion tests)4/ gathering intelligence in an auto ISAC 5/ detect intrusion and record evidence for forensic purposes6/ combining cyber test in homologation EuroNCAP test 7/ transparency in the compliance with the above mentioned points 1/ to 5/

P 15

Oh my poor teddy bear, you too have been hacked !

Thank you for your attention Thank you for your attention