welcome to session i · what is specific to smart city cybersecurity? -1 • operates many vital...

Exchange on best practices and challenges

Welcome to session I

Dr. Eric Armengaud

AVL List GmbH (Headquarters) Confidential

ITEA cyber Security DayExchange on best practices and challenges

Facts and Figures

AV L C O M P A NY P R E SEN TAT I O N

Global Footprint

Represented in 26 countries

45 Affiliates divided over 93 locations

45 Global Tech and Engineering Centers (including Resident Offices)

Founded

Years of Experience

Employees Worldwide

Engineers and Scientists

Of Turnover Invested in

Inhouse R&D

Export Quota

Granted Patents in Force

ENGINEERING SERVICES

▪ Design and development services for all elements of ICE, HEV, BEV and FCEV powertrain systems

▪ System integration into vehicle, stationary or marine applications

▪ Supporting future technologies in areas such as ADAS and Autonomous Driving

▪ Technical and engineering centers around the globe

INSTRUMENTATION AND TESTSYSTEMS

▪ Advanced and accurate simulation and testing solutions for every aspect of the powertrain development process

▪ Seamless integration of the latest simulation,automation and testing technologies

▪ Pushing key tasks to the start of development

ADVANCED SIMULATIONTECHNOLOGIES

▪ We are a proven partner in delivering efficiency gains with the help of virtualization

▪ Simulation solutions for all phases of the powertrain and vehicle development process

▪ High-definition insights into the behavior and interactions of components, systems and entire vehicles

AV L C O M P A NY P R E SEN TAT I O N

ELECTRIFICATION ADAS AND AUTONOMOUS DRIVING ZERO-IMPACT EMISSION

VEHICLE ENGINEERING DATA INTELLIGENCE

AV L C O M P A NY P R E SEN TAT I O N

ERTRAC, Strategic Research Agenda, Input to 9th EU Framework Programme, March 2018, www.ertrac.org

Confidential / 5 Dr. Eric Armengaud | AVL List GmbH | 15 Januar 2021 |

From road transportation to smart mobility

Dr. Eric Armengaud | AVL List GmbH | 15 Januar 2021 |

Holistic dependability engineering for collaborative, autonomous systems

Runtime

Design Time

www.deis-project.eu

Confidential / 6

AV L C O M P A NY P R E SEN TAT I O N

We Owe It to the PlanetIt is our duty as an organization to contribute to the

resolution of social, cultural and global issues – especially

with regards to environmental protection, sustainability and

global emission reduction.

Thank you

HANS-LIST-PLATZ 1, 8020 GRAZ

www.av l .com info@avl.com

Smart mobility and cybersecurity

contacts:

F. Bodin (bodin@irisa.fr)

Paul-André Pincemin (pa.pincemin@rennesmetropole.fr)

15 January 2021

Rennes

Introduction

• The implementation of smart mobility services is a driver for metropolises

development

– Transportation is an important part of the metropolis budget

• Smart mobility increases the potential for cyber attacks

• The development of a metropolitan reference framework objective is

– To allow reasonable risk-taking (x4 in France since 2019, src: ANSSI)

– To help build an effective remediation capacity

– To set up experimental and simulation capabilities

• The general point of view taken is that of the metropolitan organising

authority

• Rennes Metropolis’ action is included in the French program CSF "Territory

of Trust".

Smart mobility -1

• Covers many sectors*

– Accessibility for people with reduced mobility

– Mobility assistance

– Transport management

– The fight against climate change

– Active modes, shared and alternative transports

– Data sharing and protection

– Protection of the environment, air quality

– Road safety

– Safety in transport

– Etc.

*http://www.mobilite-intelligente.com

Smart mobility -2

• Focus on synergies between transport modes

• Involves numerous infrastructures

– Operated by different entities

• Based on the collection and exchange of data

– From sensors, operators, etc.

– As well as personal data

• Is framed by numerous standards and norms

– But approaches to deal with transversal issues not well

defined yet for smart mobility

An illustration of the systems involved

What is specific to smart city cybersecurity? -1

• Operates many vital services (e.g. water)

• In a mix of legacy and new infrastructures

• Preserving citizen’s trust is critical

• Combines SI and IoT cybersecurity issues

• IoT devices are usually weak on security, can be stolen, etc.

• Many open buildings (e.g. city hall)

• Convergence of physical and cyber spaces

• Detains many citizen private data

• Video surveillance data, tax data, service users’ data,…

• Integration of numerous services

• Very large attack surface with “chain reactions” difficult to

identify

• Many infrastructures interdependencies

• Communication network

• Infrastructure remote control

• Backups and restoration not always optimal

• Small and large cities with very different capabilities

• Silos-based organization but transversal infrastructures

• cybersecurity is a holistic issue

• Incremental development on a long period, lack agility

• Many external operators

• Internal threat underestimated, low budget,…

• Mutualisation of CERT and other shared approach possible

• Easier to share attack (real-time) information

• Help smaller cities

What is specific to smart city cybersecurity? -2

Rennes Metropolis current composition

of the reflection committee

With support from Anssi

Identified roadblocks

• No pre-production system usually available

• Definition of contingency modes / operations

• Availability of operational data

• Securing exchange of data

• Large data volume and complex analysis

• Simulation and analysis capacity

• Managing complexity and implementation limitations

• Lacking interoperability cybersecurity-wise

Works status in Rennes

• Effort to set up a structuring framework of the metropolitan

landscape around an experimental "lab" which associates:

– cybersecurity for SMEs

– Industrial users

– Research laboratories

• Identification of structuring technical projects

– Interoperability of systems / tools

– Department-wide supervision / risk assessment

• Collaboration with the data portal project RUDI of the metropolis

• https://rudi.datarennes.fr/

The « CyberLab » setup

• Objectives

• Ensure interoperability and cybersecurity of the smart-city architectures

and provide a platform to the players in the Rennes metropolitan area that

is representative of the infrastructure of a smart city

• Key players: road infrastructure providers, transport/services

companies, IT equipment manufacturers, industrialists, etc.

• First outcome of the reflections in 2020 with AMOSSYS, KEREVAL

and WALLIX

– Create a CyberLab, the first French software-testing platform designed to

assess the Cyber resilience of intelligent mobility solutions, and more

generally, the smart city

– Implementing a defensive, joint, and anticipatory approach

– Need to manage the acceptability of residual risks

– With the support of Rennes Metropolis and Irisa

Secure OperationsEnsuring Cybersecurity to enable Industrial IoT

Unrestricted © Siemens Mobility GmbH siemens.com/dcu

Protecting the data of individuals and companies1

2 Preventing damage from people,companies and infrastructures

3 Establishing a reliable foundation on which confidence in a networked, digital world can take root and grow

Leading global companies joined forces to encourage security in a networked world.

Evolving Landscape

AutomationInformation Processing Digital Connectivity and Intelligence

1950s – 1960s

Military, governments and

other organizations implement

computer systems

1980s

Computers make their

way into schools, homes,

business and industry

2015

Industry 4.0, Internet of Things

& Big Data.

1999

The globeis

connectedby the internet

1970s

Homecomputer

is introduced

1991

The World Wide

Web becomes

publiclyaccessible

2010s

Cloudcomputing

enters the

mainstream

1990s

Digital enhancement

of electrification and

automation

2020s

Smart and autonomous

systems, Artificial Intelligence

2000s

Mobile flexibility

AOHell

Cryptovirology

Level Seven Crew hack

Denial-of-service attacks

Cloudbleed

sl1nk SCADA hacks Infinion/TPM

Meltdown/Spectre

AT&T Hack

Blue Boxing

MorrisWormMelissaWorm

ILOVEYOU

NotPetya

Industroyer/Chrashoverride

WannaCryHeartbleed

Stuxnet

Cybersecurity solutions focused on (OT) Security

OT Security

3-5 years

Forced migration (e.g. PCs, smart phone)

High (> 10 “agents” on office PCs)

Low (~2 generations, Windows 7 and 10)

Standards based (agents & forced patching)

Asset lifecycle 20-40 years

Software lifecycle Usage as long as spare parts available

Options to add security SW Low (old systems w/o “free” performance)

Heterogeneity High (from Windows 95 up to 10)

Main protection concept Case and risk based

IT SecurityConfidentiality Availability

Risk vs Budget

Your RiskEver growing risk landscape

Your BudgetWait or use your creativity

Yeste

rda

y Today

Tom

orr

ow

Yeste

rday

Today

Tom

orr

ow

?

Aft

er

a m

ajo

rin

cid

ent

…costly impacts on operations

$38-88MAverage annual spend

on unplanned downtime2

$1-2M / dayEconomic impact of

buying energy to replace

energy production

capabilities1

225,000Customers without

power due to Black

Energy attack, 20153

$300MCost of NotPetya ransom

ICS attack to single

industrial company in

20174

Sources: 1)Richmond Times, 2)GEOilandGas, 3)E-ISAC, 4)CNBC

Structure by IEC 62443

IEC 62443 - Roles and Scope

IEC 62443 - Roles and Scope

Cybersecurity Concepts for Mobility

Perimeter protection & IDS

…”installed base (legacy) and automation

products without built-in cybersecurity”

Defense in Depth - IEC 62443

…”for future deployments, with products with

built-in cybersecurity features”

Protection against

unintentional or accidental

attacks

Protection against

deliberate attacks with simple

means

Attacker type

Script Kiddie

Protection against

intentional attackswith

advanced means

Attacker type

Criminal organization

Protection against

intentional attackswith

advanced resources

Attacker type

Nations / Agencies

SL 1 SL 2 SL 3 SL 4

Cybersecurity goalIEC 62443 Security Levels

Cybersecurity Pillars

IDS JRS / SPX DCU

DCUData Capture Unit (Data Diode)

CONFIDENTIAL

© Siemens Mobility GmbH2020

Enabling connectivity while keeping networks physically isolated? …Data Diode technology

▪ Guarantees protection and network

isolation via hardware design that

lacks the vulnerability of firewalls

▪ Reliable - MTBF +16yrs

▪ Galvanic isolation & physical

separation ensures only one-way

communication

Critical network Open network

Tx

Rx

Tx

Rx PHY

Tx

Rx PHY

Tx

Rx

Tx

Rx

4Siemens

DCU

Electromagnetic induction

Connectivity Concept

Industrial Edge RuntimeOWG

Cloud Connector

Connectors

StorageApp

VPN

Rail Operator

Cloud App

Device Management

Vendor

DCU

OWG

Real-time

data collection

– OWG sender

Deploy Security

Patches

– Worldwide

0% risk of customer

operation disruption

– DCU

Diagnostics and

Local data storage

- OWG receiver

Rollout Applications

and Updates

– Worldwide

TVDIXL

OCC

3. Cloud

2. IT Network

1. OT Network (SIG)

Router + FW

Designed to be modular

OWG - Receiver

VPN

Rail Operator DCU

3. Cloud

Vendor

Cloud App

Asset Management

2. IT Network

1. OT Network (SIG)

OWG - Sender

SCADA / Interlocking

Router + FW

Safety assessmentSL3 - IEC 62443 4- 2

Vendor neutralStandard protocols

0% riskoperation disruption

USP´s

IDSIntrusion Detection System

CONFIDENTIAL

© Siemens Mobility GmbH2020

IDS Server

Syslog

Endpoints

Port mirror

IDS Sensor IDS Sensor

Industrial Switches

Topology with DCU

IT/Enterprise network

OT / Signaling (safety) network

Portmirror

Industrial SwitchesEndpoints

Security logs Security logs

Se

cu

ritylo

gs

Se

cu

ritylo

gs

JRSJuridical Recording System & Encryption

© Siemens Mobility GmbH2020

What & Why

What

JRS collects, stores and validates all critical

SIG system data.

JRS provides “Proof” that the stored data is

unaltered and complete (integrity intact).

JRS prevents the alteration and/or deletion

of data acc. to IEC 62443 security concept:

• Components

• Communication

Why

Data from juridical recorders is needed for all

legal or formal investigations of accidents or

“near-miss” situations.

CENELEC 50701 will require data integrity tools

for new railway systems.

Main features

1. Modular juridical recorder -Based on X.509 Certificates (PKI)

2. RAID 6 - High performance and

reliable of data storage

3. Secure OS – S2L2 with Certificates,

Secure Boot and Whitelisting.

4. IEC 62443 4-2 SL3 - Compliant

5. Interference Free – Compatible

with DCU

Funtionality

1 | Data collection 2 | Data Storage 3 | Evaluation & Validation

DCU / Diagnostic PCs RAID 6 JRS software

4 | Data Extraction

Customer or Siemens

Components

IXL

POLLUTION-FREE TOMORROW

WORKING FORA

…ONE JOURNEY AT ATIME

SIEMENSMobility

Disclaimer

© Siemens AG 2020

Subject to changes and errors. The information given in this document

only contains general descriptions and/or performance features which

may not always specifically reflect those described, or which may

undergo modification in the course of further development of the

products. The requested performance features are binding only when

they are expressly agreed upon in the concluded contract.

All product designations may be trademarks or other rights of

Siemens AG, its affiliated companies or other companies whose use by

third parties for their own purposes could violate the rights of the

respective owner.

Unrestricted | © Siemens Mobility 2020 | Andres G. Guilarte | SMO RI PR | 2020-12-02Page 26

ContactPublished by Siemens Mobility GmbH

Andres G. Guilarte

Global Product Manager

SMO RI PR SD

Germany

E-mail andres.guilarte@siemens.com

Page 27 Unrestricted | © Siemens Mobility 2020 | Andres G. Guilarte | SMO RI PR | 2020-12-02

Security for the Internet of Lights

Sandeep Kumar

R&D Group Manager IoT Security

Signify Research

Signify is the world leader in lightingWe provide high-quality energy efficient lighting products, systems and services

37,000people in 74 countries

No. 1Connected, LED,

Conventional

€6.2bn sales in 2019,

~ 75% professional

No. 1Industry Leader

Dow Jones Sustainability Index 2017-2019

Systems and ServicesLight sources Luminaires

68

#1 smart home lighting system to light your home and garden smarter

The Internet of Lights

It all began with LEDIFICATION

ENERGY EFFICIENCY LONG LASTING BETTER QUALITY

The next revolution: BEYOND Lighting

CONNECTIVITYSENSORSCONTROLS

REMOTE

MANAGEMENT

Indoor PositioningPerfect light, precise location

determine the real-time and exactposition and orientation of a shopperusing visual light communication

Space Management

Optimize office space through occupancy and space usage data collected over the smart lighting system

There is more to lighting beyond illumination

Internet of Lights

the most dense sensor network on the planet

largest attack surface of remotely connectable

devices

Security:Challenges and Best Practices

Challenges

1. MINDSET: Build security into formerly analog world

Requirements

• Security Risk Assessment (SRA)

• Privacy Impact Assessment (PIA)

Design

• Security Architecture Review

Implementation

• Secure code review

• Hardening

• 3rd party code analysis

Verification

• Functional Security Testing

• Penetration Testing

Release

• Security Review

• Incident Response Plan

Response

• Software updates

• Responsible Disclosure

• Security Monitoring

Security Training across Organization

Secure Development Lifecycle (SDL) Process

Not just build, but keep it secure: monitoring, patching, vulnerability management

Best practice

Challenges

HUGE

DEPLOYMEN

T SIZEs

COMMISSIONER

BASED

WORKFLOW

2. LIFECYCLE: Managing over multiple technology waves

VERY LONG

LIFETIME

Security lifecycle – security from cradle to grave

Application Running

Reconfigured

Manufactured

Installed

Commissioned

Application Running

Software update

Removed & replaced

Decommissioned

Reownership & recommissioned

Bootstrapping Operational Maintenance & re-bootstrapping

Operational Maintenance & re-bootstrapping

Key generation and storage

Authentication & Authorization

Authenticity (and Confidentiality)

Secure communication

Authorization

Key storageKey updates

Best practice

Challenges

GLOBAL

STANDARDS

UNIQUE FOR

LIGHTING:

Latency,

Synchronicity,

..

3. TECHNOLOGY and REGULATIONS: Finding the right balance

DEVICE

CONSTRAINTS

Our compliance wishlist

80

Professional lighting systems

Professional lighting services

Consumer smart homelighting systems

IEC

62

44

3-4

-1

Secu

re S

oft

war

e D

evel

op

me

nt

Life

cycl

e

Best practice

82

Investor Presentation

Security Challenges of Telecom Industry

ITEA Cyber Security Day, 15th January 2021

Dr. Emin İslam Tatlı

Turkcell Cyber Security Director

8383

Investor Presentation

About Turkcell

CYBER SECURITY

STRATEGIC FOCUS AREAS

Digital Business Solutions Techfin ServicesDigital Services

Security Management

Infrastructure Security

Security Testing

Security Monitoring

(SOC)

Telecom Services

Identity&AccessManagement

8484

Investor Presentation

Turkcell Managed Security Services

SOC(+Forensics)

Pentest Identity&AccessMng.

Consultancy

Cyber ThreatIntelligence

DDoS Attack Simulation

Turkcell DigitalSecurity Service

Turkcell Anti-Fraud

PhishingSimulation

Diameter FWGUI & Product

SEPP Cont. Vulnerability ScanSOC SOAR

SOC Log Archive SOC EDR

8585

Investor Presentation

The New Challenges

• Security complexity of Telecom Industry has increased:o Past: access network security, core network securityo Today: web security, mobile app security, security testing, 5G security (IoT

security, IIoT security), fintech security, DevSecOps

• Penetration Testing has become insufficient, new concepts are needed:o Red-teaming, Purple-teamingo Attack Surface Analysiso Continuous Security Testingo Paper-based reporting is no more adequate.

8686

Investor Presentation

The New Challenges (cont.)

• Vulnerability & Patch Management have become the number one issue of cyber security:o More and more critical vulnerabilities are published per week-month.o Critical vulnerabilities are exploited in 1-2 days via large-scale analysis.o Patching hundreds of systems in time is difficult, priority plan is

needed.o Backdoors, Supply-chain attacks

• DevSecOps/Secure SDLCo Secure SDLCs (e.g. SAMM, BSIMM etc.) need to be integrated into

Developer IDE and DevOps platforms.o Outsourced software development has become riskier.

8787

Investor Presentation

The New Challenges (cont.)

• Authenticationo Username-password still aliveo Behaviour-based authenticationo Can CAPTCHA be replaced with ML?

• DDoS (Distributed Denial of Service) o More and more enterprises and SMEs exploit Telco-grade DDoS

mitigation.o Number and size of pps-based attacks are rapidly growing compared to

bps-attacks.o Multiple customers are explicitly attacked at the same time.o Machine learning should be better exploited, especially for clean traffic

profiling.

8888

Investor Presentation

Thank You!

Twitter: @eitatliLinkedin: https://www.linkedin.com/in/tatli/