The road to secure connected cars through cybersecurity – guidelines, hackers, Argus & Karamba

Due to the Billington Global Automotive Cybersecurity Summit in Detroit, there were several announcements about automotive cybersecurity this week. There is a set of standards from an industry organization and news from cybersecurity providers.

Billington CyberSecurity is an independent media company that produces high-level executive conferences and seminars about cybersecurity. The Premier Sponsor is General Motors Company, the Platinum Sponsor is Symantec and the Exclusive Diamond Sponsor is Booz Allen Hamilton. The Gold Sponsor is AIAG. The Exhibitors are Anomali and P3. Association sponsors are the Auto Alliance, AutoHarvest, Global Automakers, Intelligent Car Coalition, ISSA Motor City, InfraGard Michigan, Original Equipment Suppliers Association, Property Casualty Insurers Association of America, National Automobile Dealers Association and NAIAS.

Panelists at the event noted that the automotive industry needs to attract hackers to test systems and that increased connectivity leads to increased vulnerability. The best example of attracting hackers is FCA’s bug bounty rewards. FTC Commissioner Terrell McSweeny believes that hacking shouldn’t be criminalized.

GM CEO Mary Barra said that GM’s self-driving cars will be designed to keep the driver engaged and that autonomous cars should first be tested with drivers who can take over driving when necessary.

Transportation Secretary Anthony Foxx said guidance on best practices for automotive cybersecurity would be coming in the next weeks or months.

Barra told journalists that the new NHTSA framework will help some testing programs to progress.

Argus Offerings

Argus Cyber Security unveiled its car protection portfolio comprised of multiple suites of products and services delivering comprehensive end-to-end security for connected cars. Argus works with the world’s largest car manufacturers (OEMs), their Tier 1 suppliers, large fleet operators and aftermarket connectivity providers to meet head-on the cyber security challenges posed by ever-increasing car connectivity:

  • Argus Connectivity Protection – Defends the infotainment or telematics units by preventing malware installation, detecting operating system (OS) anomalies, isolating suspicious applications, and stopping attacks from spreading to the in-vehicle network.
  • Argus In-Vehicle Network Protection – Provides in-vehicle network-wide security by detecting attacks, suspicious activity, and changes in standard in-vehicle network behavior.
  • Argus ECU Protection – Reinforces select ECUs such as brakes, ADAS, or any other units deemed critical, from attacks originating inside and outside the ECU.
  • Argus Lifespan Protection – Future-proofs the fleet with an additional layer of protection. Collects and analyzes data from Argus in-vehicle solutions and other sources.
  • Argus Aftermarket Protection – Delivers solutions for telematics technology providers, connectivity service providers, fleet managers, insurance companies and dongle manufacturers which protect cars from attacks exploiting their technologies and services.
  • Argus Automotive Cyber Security Services – Offers an additional layer of security through an array of tailored advisory services from the industry’s largest and most experienced automotive cyber security research team.

AUTO-ISAC Guidelines

Members of the Automotive Information Sharing and Analysis Center (“Auto-ISAC”) released an overview of comprehensive Automotive Cybersecurity Best Practices (“Best Practices”) developed as a proactive measure to further enhance vehicle cybersecurity throughout the industry.

Over five months, more than 50 automotive cybersecurity experts from around the world have participated in the development of these Best Practices to advance automotive cybersecurity capabilities.

The Best Practices are structured primarily to guide automaker Best Practice implementation. Suppliers of motor vehicle components may also consider applying the Best Practices within their specific systems, processes, and policies. The Best Practices provide guidance to assist an organization’s development in seven key topic areas, including:

  • Governance: Aligns a vehicle cybersecurity program to an organization’s broader mission and objectives.
  • Risk assessment and management: Mitigates the potential impact of cybersecurity vulnerabilities by developing processes for identification, categorization, prioritization, and treatment of cybersecurity risks. Risk Assessment and Management Best Practices include:
    • Establish standardized processes to identify, measure, and prioritize sources of cybersecurity risk.
    • Establish a decision process to manage identified risks.
    • Document a process for reporting and communicating risks to appropriate stakeholders.
    • Monitor and evaluate changes in identified risks as part of a risk assessment feedback loop.
    • Include the supply chain in risk assessments.
    • Establish a process to confirm compliance by critical suppliers to verify security requirements, guidelines, and trainings.
    • Include a risk assessment in the initial vehicle development stage, and reevaluate at each stage of the vehicle lifecycle.
  • Security by Design: Follows secure design principles in developing a secure vehicle, as well as the integration of cybersecurity features during the product development process.
    • Consider commensurate security risks early on and at key stages in the design process.
    • Identify and address potential threats and attack targets in the design process.
    • Consider and understand appropriate methods of attack surface reduction.
    • Layer cybersecurity defenses to achieve defense-in-depth.
    • Identify trust boundaries and protect them using security controls.
    • Include security design reviews in the development process.
    • Emphasize secure connections to, from, and within the vehicle.
    • Limit network interactions and help ensure appropriate separation of environments.
    • Test hardware and software to evaluate product integrity and security as part of component testing.
    • Perform software-level vulnerability testing, including software unit and integration testing.
    • Test and validate security systems at the vehicle level.
    • Authenticate and validate all software updates, regardless of the update method.
    • Consider data privacy risks and requirements in accordance with the Consumer Privacy Protection Principles for Vehicle Technologies and Services.
  • Threat detection and protection: Detects threats, vulnerabilities, and incidents to proactively monitor environments and mitigate risk. Proactive cybersecurity through the detection of threats, vulnerabilities, and incidents empowers automakers to mitigate associated risk and consequences. Threat detection processes raise awareness of suspicious activity, enabling proactive remediation and recovery activities. Best Practices for Threat Detection and Protection include:
  • Incident response: Enables automakers to respond to a vehicle cyber incident in a reliable and expeditious manner. An incident response plan documents processes to inform a response to cybersecurity incidents affecting the motor vehicle ecosystem. Best Practices include protocols for recovering from cybersecurity incidents in a reliable and expeditious manner, and ways to ensure continuous process improvement. Best Practices for Incident Response and Recovery include:
    • Document the incident response lifecycle, from identification and containment through remediation and recovery.
    • Ensure an incident response team is in place to coordinate an enterprise-wide response to a vehicle cyber incident.
    • Perform periodic testing and incident simulations to promote incident response team preparation.
    • Identify and validate where in the vehicle an incident originated.
    • Determine actual and potential fleet-wide impact of a vehicle cyber incident.
    • Contain an incident to eliminate or lessen its severity.
    • Promote timely and appropriate action to remediate a vehicle cyber incident.
    • Restore standard vehicle functionality and enterprise operations; address long-term implications of a vehicle cyber incident.
    • Notify appropriate internal and external stakeholders of a vehicle cyber incident.
    • Improve incident response plans over time based on lessons learned.
  • Awareness and training: Cultivates a culture of cybersecurity and ensures individuals understand their role and responsibility in promoting vehicle cybersecurity.
    • Establish training programs for internal stakeholders across the motor vehicle ecosystem.
    • Include IT, mobile, and vehicle-specific cybersecurity awareness.
    • Educate employees on security awareness, roles, and responsibilities.
    • Tailor training and awareness programs to roles.
  • Collaboration and engagement with appropriate third parties: Enhances cyber threat awareness and attack response.

The creation of Best Practices follows the release of the Framework for Automotive Cybersecurity Best Practices jointly released by the Alliance of Automobile Manufacturers (“Auto Alliance”) and the Association of Global Automakers (“Global Automakers”) in January 2016. The Auto-ISAC coordinated with both organizations throughout the Best Practices development.

Karamba Comment

After the announcement, David Barzilai, co-founder of Karamba Security said, “While the auto industry shows major efforts to address cyber threats, as shown in the ISAC best practices document, Karamba Security believes that the most important measure against cyber threats is to automatically harden car controllers according to factory settings. This enables automatic detection and prevention of security bug exploits and blocks attackers from successfully hacking the car.”

Karamba Security is a pioneer in electronic control unit (ECU) endpoint security to protect the connected car. The company seals and secures the ECUs within automobiles to detect and protect them from cyberattacks and ensure the car’s safe, ongoing operations.