Prezi

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in the manual

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks

e-Security for the Networked Car

An overview of the breadth and diversity of factors to consider in securing the Connected Car.
by SBD Inspiring Innovation on 9 April 2014

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of e-Security for the Networked Car

how do I find out more?
e-Security for the Networked Car
What are you doing about it?
Why?
Why is
e-Security important?
NEWS
True or False?
What?
Where?
When?
How?
What is
e-Security?
e-Security =
protection
from
threats
veh
theft
of
icle
e-theft
theft of vehicle data
enabling vehicle theft
financial loss
theft of personal data
compromised safety
malicious control or failure
loss
of
ope
rat
ion
disabled functions
loss
of
rev
en
ue
enabled
functions
sabotage
terrorism
mass vehicle attack
development
app
a positive twist?
and quantify the risk
if a threat has been attempted or succeeded
manage
assess
identify
the consequences
justify
the level of protection required
Where are the risks?
electric vehicle & urban mobility
diagnostics
infotainment
connected navigation
safety & security
long range
short range
V2X
device integration
home networking
the need for urgency
Senator Markey issues letter to major OEMs in USA
December 2013
Was it a game changer?
responsibility
and
liability
for
e-Security with OEMs
links

safety
,
security
and
privacy
independent

audits

security policies
attack tests
brand reputation
e-theft tools
provide a good example
some OEMs have already suffered
the problem is here to stay
liability
Most OEMs
not prepared
for a major
e-security breach
watch this space!
act now to avoid the lawsuits!
When is
e-Security needed?
risk assessment
recovery & failure management
prevention
detection
recovery
security objectives
potential threats
attack potential
damage potential
risk analysis
implement appropriate measures
FMEA
most
OEMs use FMEA
to meet safety standards
FMEA
insufficient for
cyber-attacks
most
OEMs not using
methods for
cyber-security
Standard tools
(e.g. Excel)
CVSS Calculator
SDL Threat Modeling Tool
OCTAVE
CVSS
STRIDE / DREAD
Local Guideline
NIST
800-30
Microsoft Guideline
NIST Development
Microsoft Development
methodologies
guidelines
tools
Mike Parris
Head of Secure Car Division
"Failure recovery is often the most important aspect of security engineering, yet is one of the most neglected."
Ross Anderson,
Security Engineering (2nd edition)
risk assessment models
summary
it includes
large
and
c
o
m
p
l
e
x
issues
privacy
safety
security
it is a
business
problem, technical solutions are part of the answer
it is an issue for today's connected cars...
e-Security is like a chain
Networked cars are not as secure as they could or should be
e-Security requires a broad business response, not just a technology fix
Over 50 attack points in the eco-system
plus
countless potential weaknesses in the supply chain.
The time is now for Networked Cars
Failure management and recovery is still in its infancy
Automotive processes not designed for Information Security threats.
The single biggest risk today -
now
it is an
even
bigger
issue for tomorrow's autonomous cars
it's only as strong as its weakest link
comprehensive
safety
assets
privacy
independent
appoint an
make it an
enabler of
recommendations
off-the-shelf reports
bespoke consultancy
The Threat of Over-the-Air Hacking for Cars
Safe Car V2X Guide
Privacy Laws vs Telematics:
Is the automotive industry ready for change?
technical consultancy
Our team of experienced consultants can help you choose the most cost-effective and reliable strategies, policies and technologies for your e-Security solutions.
consumer clinics
We can help you obtain early and constructive feedback from all stakeholders about the security, convenience and privacy issues for the next-generation e-Security systems.
emerging markets
Expanding e-Security into new areas requires in-depth understanding of the unique needs and challenges of those areas. Our experienced team can help you deploy e-Security strategies and technologies with confidence.
How can
e-Security be managed?
Mass volume OEM risks customer backlash as theft rates for certain models reach unacceptable levels.
Malicious code injected into vehicle allows remote open and start.
Vehicle accelerator, brakes and steering controlled by a laptop near you.
Thieves make off with thousands of credit card details
Proof of car ownership in chaos as thieves capture thousands of VINs and owner details
Over 100 customer vehicles remotely immobilised by a dealership employee who was made redundant
Prestige OEM suffers the consequences of poor e-Security - costs of recalls for security upgrade mount and reputation is tarnished.
Major privacy alert as authorities track your every journey
example points of access
intercept cellular commands
Bluetooth pairing request
sync infected mobile phone
DSRC / V2X communications
Wi-Fi hotspot
Wireless sensor network (TPMS)
RKE data channel
RFID key
jamming
flooding
masque-rading
false messages
location tracking
eaves-
dropping
direct over-the-air points of access
remote software update
broadcast data channels
direct data call to vehicle
SIM (OMA client) provisioning
cloud-based service points of access
human intervention
malware injection
remote hacking
GPS
satellite radio
digital radio
TMC
RDS
current cyber threats
spyware & botnets
worms, trojans & viruses
social engineering attacks
buffer overflows and SQL injections
zero-day threats
advanced persistent threats
blended threats
polymorphic threats
Tools x
n
Methodologies
x
n
Guidelines x
n
Information Security
ISO 27005
Functional Safety
ISO 26262
ISO 27005 is relevant to ISO 26262
but the two are not explicitly linked
(yet)
"Secured by Design"
Mike Parris
Head of Secure Car Division
chip designers
component suppliers
vehicle manufacturers
system architecture
detailed design
after sales
business processes
customers
corporate liability
brand reputation
Many models exist but only some suitable for automotive use
info@sbd.co.uk
www.sbd.co.uk

security policy

audits and
attack tests
e-Security
champion
competitive advantage
Risk Assessment processes exist but not widely used in Automotive
not understanding the whole picture
How many are properly assessed and protected?
Importance will increase for autonomous vehicles
See the full transcript