A holistic security approach for the connected car… · Vector Cybersecurity Symposium 2019 -...
© SYSGO AG · INTERNAL 1
A holistic Security Approach
for the connected Car
Vector Cyber Security Symposium, 03.04.2019
Agenda
• SYSGO Introduction
• Security Challenges
• Hacker Types
• OEM Need
• Security Use Cases
• Key Take Away
The Company - SYSGO AG
Embedded Software Technology Leader
Founded 1991 (Mainz/Germany)
>80% Engineers have certification competences
Since 2012 independent entity from the Thales Group (~65,000 Employees and Operations in 56 countries)
Local Facilities in Germany, France, Czech Republic, UK
Global Distribution and support network including EMEA and APAC
Embedded Devices Trends Impacting Security
• Deployed embedded systems are more and more inter-connected and connected to Internet
• Complexity and functional density of embedded devices are rising
• Heterogeneous information flows are more common
• Need for high-assurance for mixed-critical systems
Increase challenges on addressing security issues
• Need for:
• Security to be integrated into the device (H/W and S/W)
• Proper separation and control of functionalities and information flow
• Need proper compositional certification approach
Connected Car – Attack Surfaces
Motivation for Hackers
[Figure, labels only]
• Motivations: National Interest, Personal Gain, Personal Fame, Curiosity
• Skill levels: Script-Kiddy, Hobbyist Hacker, Expert, Specialist
• Attacker types: Vandal, Thief, Spy, Trespasser, Author
• Annotations: The World Today; Tools created by experts now used by less-skilled attackers and criminals; Fastest growing segment
From: Intel Open Source Technology Center – GENIVI 2012 AMM
Security & Safety Cert Overview
Safety
• Aerospace: Long history of standardisation
• Automotive: Introduced standard
• Railway: Long history of standardisation
• Smart Grids: Based on industrial automation
Security
• Aerospace: Defining next level on security standard; Clear path
• Automotive: Starting work on security standard; Defining path
• Railway: Starting work on security standard; Defining path
• Smart Grids: Many national initiatives; Defining path
The Quality vs. Security Analogy
Quality Security
• Nobody wants to pay for it
• It is expected
• You never reach 100%
• Always needs monitoring
BMW
Security Status @ Automotive OEMs
• All OEMs are looking after an e2e security solution
• They own value- and data stream in already existing infrastructure
• Invest in software competence
• Collaborate with “start ups” to accelerate innovation
• Most of them unsure about security requirements
• Customers are not willing to pay for security features (for embedded devices)
End-2-End architecture approach e.g. PKI
1 On-board Devices (ECUs)
• ECUs communicate and behave securely
• With optional hardware security module
2 Com Network
• Infrastructure
3 Key Management Infrastructures
• Back-End supporting ECUs
• Should be a single-handed, centralized Architecture (not split per each ECU)
• For automotive OEM this means a global approach
[Diagram labels: Secure Gateway & Funct. Sep. Platform; Optional HSM; Hardware Platform; Gateway / Download Manager; Security; KMS onboard; Client-Applications by 3rd Parties; Update Services; WAN / „OTA“; Key Management & Update Infrastructure; Key Management Backend Infrastructure; Key Gen & Distribution; PKI Management]
Security by Design
[Diagram labels: Root of Trust; Secure Development; Secure Life Cycle; ISO 27000; Common Criteria; Secure Boot; Sec. Update (S)OTA; Cloud; Secure Com; Secure Architecture; App, App, App, App]
IDS use case
Key Take Away
• Security architectures need a holistic view on requirements over
  • Backbone, cloud
  • Edge services
  • Embedded device
• They need constant update capabilities (e.g. via OTA)
• Secure by multiple – partly overlapping – approaches
  • Hardware
  • Software
  • Functional separation
  • Key management and handling
  • Firewalls …
• And not jeopardizing performance, cost and latency of systems
Thank you for your attention!
More information on www.sysgo.com