cybersecurity: process to solutions
TRANSCRIPT
Visteon Confidential
Cybersecurity: Process to Solutions
Srini AdirajuHead of Cybersecurity
2
Agenda
• Foundation of cybersecurity• People• Process• Solutions
• Field monitoring and responding immediately to threats
• Resolving security flaws in a speedy and efficient manner to increase consumer confidence in auto brands
Visteon Corporation proprietary
Broadest Cockpit Electronics Portfolio in the Industry
3
Complete and Innovative Portfolio Positions Visteon for Continued Growth
Instrumentclusters
ARWindshield
HUD
Displays
InfotainmentV2X
CockpitDomain Controller
1 24
ADASDomain Controller
Artificial Intelligence
Cybersecurity
Cloud
33
Visteon Corporation proprietary
Cybersecurity – Market Trends
Automotive Industry is Going Through a Huge Transition
• Extensive use of open source software • Low powered MCUs• Dealer tools • Networked services• Increasing threat surfaces• Increasing number of ECUs• IOT explosion• Data privacy• Connected cars/devices• Software updates, certificate management• Car sharing• Autonomous/ADAS car • Research focus on automobiles
4
• Wireless• Bluetooth• NFC• Radio data system• TCP/IP network• Cellular• CarPlay/Android Auto/smartphone integration• Dealer tools• SDCard/USB/hardware devices
Visteon Corporation proprietary
Industry Challenges Increasing Threats
5
Automotive Industry Trends
Analog Hybrid Digital
Visteon Corporation proprietary
6
Electronic Control Unit (ECU) Consolidation
SmartCoreTM Domain Controller
Application processor
Operating system
Instrument clustersoftware stack
Vehicle informationprocessor
Application processor
Operating system
SWService
SWService
SWService
HMI
Multi-core processor
Hyp
ervi
sor
ClusterOS
InfotainmentOS
HMI
Cluster SW SW SW
All-Digital Instrument Cluster
ECU #1
Central Information Display (CID)
ECU #2
Vehicle informationprocessor
2-D / 3-D graphics 2-D / 3-Dgraphics
Visteon Corporation proprietary
End-to-End Secure Development Life Cycle7
Secure Development Life Cycle
Requirements
• Security requirements
Architecture and Secure Design
• Threat analysis and risk analysis
Feature Development and Test Plans
• Security tests
Code Analysis
• Code review and static code analysis
• Security operations
Validation
• Network and fuzz testing
• Internal pen testing
• Pen testing• Security
operations
Field Operations
• Pen testing• Security
operations
Visteon Corporation proprietary
8
ECU Threat Analysis
Visteon Corporation proprietary
ECU Security
• Secure hypervisor• HSM and SHE modules• Secure boot • Verified file system• Hardened kernel• Secure OTA• TLS/IPSec for TCP/IP communication• Network firewalls• Certificate management
Multi-Layered Security4
ECUSecure system
***
Secure applications
Secure boot
Authentication &verification
Secure hardware
Secure network
4K
4K4K4K 4K
4K
4K4K4K 4K 4K4K
Secure Layers Security Architecture
Visteon Corporation proprietary
End-to-End Secure Development Life Cycle10
Secure Development Life Cycle
Requirements
• Security requirements
Architecture and Secure Design
• Threat analysis and risk analysis
Feature Development and Test Plans
• Security tests
Code Analysis
• Code review and static code analysis
• Security operations
Validation
• Network and fuzz testing
• Internal pen testing
• Pen testing• Security
operations
Field Operations
• Pen testing• Security
operations
Visteon Corporation proprietary
11
Open Source Software Vulnerabilities and Common Database
https://nvd.nist.gov/
Visteon Corporation proprietary
12
Incident Response Process
Visteon Corporation proprietary
Start of Production
Detection of the Incident
Data Collection
andAssessment
Threat Analysis and Risk
Assessment
SoftwareUpdate
• Event reporting• Penetration testing• Bug bounty• Scanning vulnerability
databases
• Bill of materials− Software− Hardware
• Code archive process
Severity Classification
Communication
Cybersecurity – Incident Response
• Incident reporting mechanism• Dedicated team
• Information collection and assessment• Hardware and software bill of materials
• Treat the information with confidentiality• Possible information security incident?
• False alarm• Information collection• Assessment• Incident categorization and severity classification
• Solutions• Short-term• Long-term• Deployment campaigns
Visteon Corporation proprietary
Security Comes with Cost
• SOCs with different capabilities, different solutions, multiple ECUs• Increased hardware and software costs• Changes to manufacturing process, tools, EOL testing, etc.• Software and hardware testing tools.• New technologies, new network topologies
• Increased boot time
• Signing infrastructure, factory integration
Visteon Corporation proprietary
15
Multi-Layered Cybersecurity: Process to Solutions
Visteon Corporation proprietary
SECURE SYSTEMSSecure software updates
(FOTA, USB)Secure programming/diagnostics
Secure networkSecure manufacturing
methods
PROCESSJ3061 secure dev life cycle
Secure manufacturing processField monitoring
SECURE HARDWAREHardware security modules
Secure hardware extensionsOne time programmable memory
JTAG protection
SECURE SOFTWARESecure boot / application protection
Secure communicationSecure storage/access controls Trusted execution environment
Secure hypervisor multi OS
ECU
Visteon Corporation proprietary