dot/dhs: joint agency work on vehicle cyber security · o fleet management information system...
TRANSCRIPT
Tampa Convention Center • Tampa, Florida
The National Transportation Systems Center
Advancing transportation innovation for the public good
U.S. Department of TransportationOffice of the Secretary of TransportationJohn A. Volpe National Transportation Systems Center
Principal Investigator (PI): Kevin Harnett
DOT-Volpe Center’s Advanced Vehicle Technology Division
August 16, 2017
DOT/DHS: Joint Agency Work on Vehicle Cyber Security
Energy Exchange: Connect • Collaborate • Conserve
Government Vehicles Security Program – Telematics Overview
Government Vehicles Program – Software Engineering Institute (SEI) /CERT OBD-2 Dongle/Telematics Testing
Government Vehicles Security Program – Telematics Cybersecurity Guidance Development
Volpe Center Automotive Cybersecurity R&D Showcase
Agenda
2
Energy Exchange: Connect • Collaborate • Conserve
• Established in 1970• Part of U.S. Department of Transportation (DOT) Office of Research and
Technology• Mission: To Improve the nation’s transportation system by serving as a
center of excellence for informed decision making, anticipating emerging transportation issues, and advancing technical, operational, and institutional innovations
• Fee-for-service; no direct appropriations• www.volpe.dot.gov
DOT’s Volpe National Transportation System Center
3
Energy Exchange: Connect • Collaborate • Conserve
Joint DOT/DHS Automotive
Cybersecurity R&D Program
FY 14-15 Program Tasks
Automotive Cybersecurity Industry
Consortium (ACIC) Program Initiation
Automotive Cybersecurity Best
Practices and Guidelines in the Private Sector
FY 15-16 Program Tasks
Investigate Government Fleet Cybersecurity
Requirements
ACIC Planning Support
FY 16-17 Program Tasks
Government Vehicle Cybersecurity Program
Support
Pilot Cybersecurity Vulnerability
Assessments of Vehicle Telematic Systems
Government Vehicle Cybersecurity Procurement
Specification Support
Technical Support for DHS Automotive
Cybersecurity R&D
Operational ACIC Support
Commercial Truck Cybersecurity Support
Tools and Vehicle Testing
Automotive Cybersecurity Tool
Showcase
DOT-Volpe Automotive Cybersecurity R&D Program Overview
4
Energy Exchange: Connect • Collaborate • Conserve
DHS Cybersecurity for Government Vehicles Security
Program – Telematics Overview
5
Energy Exchange: Connect • Collaborate • Conserve
• First Responder and Law Enforcement vehicles -Rescue, ambulance, police-Must be safe and reliable
• Undercover Vehicles – mission critical-Must be safe and reliable -Blend in – not tracked or identified either by emanating too much or by not emanating at all
• Government Official/Overseas Embassy Vehicles (e.g., "Black SUV") -Must be safe and need to hide
• Non-Tactical DoD Vehicles
• General use government vehicles-Vehicles that do not fall into above categories
Government Critical Mission Use
7
Energy Exchange: Connect • Collaborate • Conserve
General Services Administration (GSA) Telematics Program
Telematics
• The term “Telematics” refers to a technology that combines telecommunications and information processing to send, receive, and store information related to remote objects, such as vehicles. (Source GAO 14-443, Federal Vehicle Fleets)
Source: General Services Administration (GSA) Office of Fleet Management
8
Energy Exchange: Connect • Collaborate • Conserve
General Services Administration (GSA) Telematics Program
Telematics• The term “Telematics” refers to a technology that combines telecommunications and information
processing to send, receive, and store information related to remote objects, such as vehicles. (Source GAO 14-443, Federal Vehicle Fleets)
Source: General Services Administration (GSA) Office of Fleet Management
• EO 13693: Sustainability into the Next Decade (March 2016) Requirements- By 2017, all agencies should ensure that telematics collects the maximum vehicle diagnostics (fuel consumption,
emissions, maintenance, utilization, idling, speed, and location data) at the asset level for acquisitions of new passenger, light duty and medium duty vehicles (where appropriate)
Executive OrderReporting Requirement
GPS Tracking Only
GPS Tracking &Vehicle Diagnostics
Speed X XLocation data X XIdling X XUtilization X XMaintenance XFuel consumption XEmissions (varies by year, manufacturer, make & model) X
9
Energy Exchange: Connect • Collaborate • Conserve
Government Fleet Management Telematics and Risks
INTERNETINTERNETProviderNetwork
ENGINE
TRANSMISSION
ECMBCM
SECURITY
LOCKS/WINDOWS
CL
US
TE
R
CA
N B
US
OBDDONGLE
w/ TELEMATICS
))))
ProvidersServers
BASE STATION
SERVICE CENTER
FLEET MANAGER
WHO ELSE??
Connected to anExternal Network
Interfacing witha Public Network accessible by
Anyone Anywhere
Attack Surface Threats
Logical Architecture Physical Architecture
CAN BUS
10
Energy Exchange: Connect • Collaborate • Conserve
DHS Cybersecurity for Government Vehicles Program
Software Engineering Institute (SEI)/CERT OBD-2 Dongle Testing
11
Energy Exchange: Connect • Collaborate • Conserve
Power Supply
Ettus ResearchSoftware-Defined Radio
WiFi Access Point
Linux laptop withOpenBTS
Device Under Test
Bus Pirate
SIM cards
Android Phones
SEI/CERT OBD-2 Device Testing Configuration
12
Energy Exchange: Connect • Collaborate • Conserve
Power Supply
Ettus ResearchSoftware-Defined Radio
WiFi Access Point
Linux laptop withOpenBTS
Device Under Test
Bus Pirate
SIM cards
Android Phones
SEI/CERT OBD-2 Device Testing Configuration (cont’d)
13
Energy Exchange: Connect • Collaborate • Conserve
• Development / un-configured device (Tested Q1 2016)– Accepted unauthenticated admin commands via SMS– Could load our own, trojaned firmware– Unauthenticated Internet services – No encryption in transit
• Production device (Tested Q1 2017)– SMS disabled– Can no longer force download of trojaned firmware– Internet service appropriately firewalled– Remaining risks
• Inherent cellular vulnerabilities• Still no encryption in transit (Man-in-the-middle)
Software Engineering Institute (SEI) /CERT OBD-2 Device Tests
14
Energy Exchange: Connect • Collaborate • Conserve
• Explains risks and potential impacts of security problems in OBD-II devices
• Describes a repeatable methodology for testing the devices for the most common security problems and misconfigurations
• Technical appendices detail how to perform some of the specialized testing and what equipment is needed– Firmware Updates– Wireless Security
SEI/CERT: OBD-2 Device Tests Methodology Report
15
Energy Exchange: Connect • Collaborate • Conserve
DHS Cybersecurity for Government Vehicles Security Program
Telematics Cybersecurity Guidance Development
16
Energy Exchange: Connect • Collaborate • Conserve
o Fleet Management Information System (FMIS) is an Information System
• All Federal Information Systems require Federal Information Security Management Act (FISMA) compliance
• FISMA requires compliance with NIST standards
o Multiple components to the system
o Primary responsibility is to protect Government personnel, property, and data
VehicleTelematics Communications Management System Database
Cybersecurity Primer for Fleet Managers
17
Energy Exchange: Connect • Collaborate • Conserve
o Each Federal Agency Fleet Manager (FM) requires assessments using NIST guidance• NIST SP 800-53* for guidance on security control implementation • 18 Control families each related to policy, process, technical controls
*NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Rev 4 (April 2013). http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Access Control (AC) Identification & Authentication (IA)
Personnel Security (PS)
Audit & accountability (AU)
Incidence Response (IR) Risk Assessment (RA)
Awareness & Training (AT) Maintenance (MA) System & Service acquisition (SA)
Security Assessment & Authorization (CA)
Media Protection (MP) System & Communication Protection (SC)
Configuration Management (CM)
Physical & Environmental Protection (PE)
System & Information Integrity (SI)
Contingency Planning (CP) Planning (PL) Program Management (PM)
FISMA Compliance / NIST Guidance
18
Energy Exchange: Connect • Collaborate • Conserve
o Each Federal Agency Fleet Manager (FM) requires risk assessments using NIST guidance• NIST SP 800-53 for guidance on security control implementation • 13 Control Families selected…
FISMA Compliance / NIST Guidance
19
Energy Exchange: Connect • Collaborate • Conserve
ID FAMILY CONTROLS SELECTEDAC Access Control AC-6 - Least Privilege
AC-14 - Permitted actions Without Identification or AuthenticationAC-17 - Remote accessAC-18 - Wireless access
AU Audit and accountability AU-2 - Audit EventsCA Security Assessment and Authorization CA-6 - Security Authorization
CA-8 - Penetration TestingCM Configuration Management CM-7 - Least FunctionalityIA Identification and Authentication IA-3 - Device Identification and Authentication
IA-7 - Cryptographic Module AuthenticationIR Incidence Response IR-1 - Incident Response Policy and Procedures
MA Maintenance MA-2 - Controlled MaintenancePL Planning PL-2 - System Security Plan
PL-8 - Information Security ArchitecturePS Personnel Security PS-7 - Third-party Personnel Security
RA Risk Assessment RA-3 - Risk AssessmentRA-5 - Vulnerability Scanning
SA System and Service acquisition SA-11 - Developer Security Testing and EvaluationSA-12 – Supply Chain Protection
SC System and Communications Protection SC-2 - Application PartitioningSC-7 - Boundary ProtectionSC-13 - Cryptographic ProtectionSC-23 - Session AuthenticitySC-28 - Protection Of Information At RestSC-39 - Process Isolation
SI System and Information Integrity SI-2 - Flaw RemediationSI-3 - Malicious Code ProtectionSI-5 - Security Alerts, Advisories, And DirectivesSI-7 - Software, Firmware, and Information IntegritySI-10 - Information Input ValidationSI-16 - Memory Protection
FISMA Compliance / NIST Guidance
20
Energy Exchange: Connect • Collaborate • Conserve
ID FAMILY CONTROLS SELECTED
AC Access Control AC-6 - Least PrivilegeAC-14 - Permitted actions Without Identification or AuthenticationAC-17 - Remote accessAC-18 - Wireless access
AU Audit and accountability AU-2 - Audit EventsCA Security Assessment and Authorization CA-6 - Security Authorization
CA-8 - Penetration TestingCM Configuration Management CM-7 - Least FunctionalityIA Identification and Authentication IA-3 - Device Identification and Authentication
IA-7 - Cryptographic Module AuthenticationIR Incidence Response IR-1 - Incident Response Policy and Procedures
MA Maintenance MA-2 - Controlled MaintenancePL Planning PL-2 - System Security Plan
PL-8 - Information Security ArchitecturePS Personnel Security PS-7 - Third-party Personnel Security
RA Risk Assessment RA-3 - Risk AssessmentRA-5 - Vulnerability Scanning
SA System and Service acquisition SA-11 - Developer Security Testing and EvaluationSA-12 – Supply Chain Protection
SC System and Communications Protection SC-2 - Application PartitioningSC-7 - Boundary ProtectionSC-13 - Cryptographic ProtectionSC-23 - Session AuthenticitySC-28 - Protection Of Information At RestSC-39 - Process Isolation
SI System and Information Integrity SI-2 - Flaw RemediationSI-3 - Malicious Code ProtectionSI-5 - Security Alerts, Advisories, And Directives
SI-7 - Software, Firmware, and Information IntegritySI-10 - Information Input ValidationSI-16 - Memory Protection
Example Firmware Update Controls
FISMA Compliance / NIST Guidance (“Firmware Updates” Controls)
21
Energy Exchange: Connect • Collaborate • Conserve
ID FAMILY CONTROLS SELECTED
AC access Control AC-6 - Least PrivilegeAC-14 - Permitted actions Without Identification or AuthenticationAC-17 - Remote accessAC-18 - Wireless access
AU Audit and accountability AU-2 - Audit EventsCA Security Assessment and Authorization CA-6 - Security Authorization
CA-8 - Penetration TestingCM Configuration Management CM-7 - Least FunctionalityIA Identification and Authentication IA-3 - Device Identification and Authentication
IA-7 - Cryptographic Module AuthenticationIR Incidence Response IR-1 - Incident Response Policy and Procedures
MA Maintenance MA-2 - Controlled MaintenancePL Planning PL-2 - System Security Plan
PL-8 - Information Security ArchitecturePS Personnel Security PS-7 - Third-party Personnel SecurityRA Risk Assessment RA-3 - Risk Assessment
RA-5 - Vulnerability ScanningSA System and Service acquisition SA-11 - Developer Security Testing and Evaluation
SA-12 – Supply Chain ProtectionSC System and Communications Protection SC-2 - Application Partitioning
SC-7 - Boundary ProtectionSC-13 - Cryptographic ProtectionSC-23 - Session AuthenticitySC-28 - Protection Of Information At RestSC-39 - Process Isolation
SI System and Information Integrity SI-2 - Flaw RemediationSI-3 - Malicious Code ProtectionSI-5 - Security Alerts, Advisories, And DirectivesSI-7 - Software, Firmware, and Information IntegritySI-10 - Information Input ValidationSI-16 - Memory Protection
Example Wireless Security Controls
FISMA Compliance / NIST Guidance (“Wireless Security” Controls)
22
Energy Exchange: Connect • Collaborate • Conserve
Telematics devices/systems are the gateway to the vehicle network and data. To protect the fleet efficiency management system and vehicle it is recommended to:
o Protect Communications Between Devices/Systems• It is recommended that encryption be implemented to protect all communications external to a device
o Protect Firmware on Devices/Systems• It is recommended that the use of digital signatures and encryption are used to both protect firmware on the
device and authenticate and protect updating of firmware to the device
Telematics Recommendation
23
Energy Exchange: Connect • Collaborate • Conserve
Telematics devices/systems are the gateway to the vehicle network and data. To protect the fleet efficiency management system and vehicle it is recommended to:
o Protect Communications Between Devices/Systems• It is recommended that encryption be implemented to protect all communications external to a device
o Protect Firmware on Devices/Systems• It is recommended that the use of digital signatures and encryption are used to both protect firmware on the
device and authenticate and protect updating of firmware to the device
o Protect Action of Devices/Systems• It is recommended that implementation of the principle of least privilege is implemented on all devices
o Protect Integrity of Devices/Systems• It is recommended that manufacturers and/or maintainers of devices institute a *vulnerability response
program for receiving, implementing, and addressing vulnerabilities discovered or reported in their products
* ISO/IEC 29147:2014 Information technology -- Security techniques -- Vulnerability Disclosure) https://www.iso.org/standard/45170.htmlISO/IEC 30111:2013 (Information technology -- Security techniques -- Vulnerability Handling Processes) https://www.iso.org/standard/53231.html
Telematics Recommendation
24
Energy Exchange: Connect • Collaborate • Conserve
Telematics devices/systems are the gateway to the vehicle network and data. To protect the fleet efficiency management system and vehicle it is recommended to:o Protect Communications Between Devices/Systems
• It is recommended that encryption be implemented to protect all communications external to a device
o Protect Firmware on Devices/Systems• It is recommended that the use of digital signatures and encryption are used to both protect firmware on the device and authenticate and protect updating of
firmware to the device
o Protect Action of Devices/Systems• It is recommended that implementation of the principle of least privilege is implemented on all devices
o Protect Integrity of Devices/Systems• It is recommended that manufacturers and/or maintainers of devices institute a vulnerability response program for receiving, implementing, and addressing
vulnerabilities discovered or reported in their products
Example Telematics Cybersecurity Risk Assessment Questionnaire
25
Energy Exchange: Connect • Collaborate • Conserve
Healing Vulnerabilities to Enhance Software Security and Safety (HEAVENS) is an attacker-centric type of risk analysis tool utilizing STRIDE* threat definitions to correlate threats with security attributes
HEAVENS Risk Assessment Process
26
* Microsoft’s Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DOS) and Elevation of Privileges (STRIDE): https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
Energy Exchange: Connect • Collaborate • Conserve
• Telematics Cybersecurity Primer for Agencies (June 2017)
• Telematics Cybersecurity Primer for Agencies – Risk Assessment Questionnaire (June 2017)
• HEAVANS Risk Model and Program Deliverables (April 2016)
Available Documents
27
Energy Exchange: Connect • Collaborate • Conserve
Volpe Center Automotive Cybersecurity
R&D Showcase
28
Energy Exchange: Connect • Collaborate • Conserve
• Federal Programs and Labs Vehicle Cybersecurity Workshop (October 18) - Workshop for federally-funded Automotive Cybersecurity Programs (e.g. DHS, NHTSA, DARPA, Army/TARDEC, NIST, TC/DRDC, etc.) and Federal Laboratories (e.g. DOE, DoD, Federally-funded Research and Development Centers-FFRDCs, etc.)
– Bring together Federally Funded stakeholders to share information about and collaborate on ongoing and future Government projects in Automotive Cybersecurity
– Minimize duplication of efforts in Federal Automotive Cybersecurity R&D
– Workshop Report (available on request for Federal or Federal Contractor staff only)
DHS/Volpe Center Automotive Cybersecurity R&D Showcase (October 18-20, 2016)
29
Energy Exchange: Connect • Collaborate • Conserve
• Need for continued collaboration between federal laboratories
• Government Vehicles Telematics Cybersecurity Workshop (to be held in DC on December 13th 2017)
• Feasibility study of virtual test vehicles and test benches
Federal Programs and Labs Vehicle Cybersecurity Workshop - Conclusions
Energy Exchange: Connect • Collaborate • Conserve
• Open Source Automotive Cybersecurity Research Tool Forum (October 19-20) – Many automotive cybersecurity Open Source Software (OSS) research tools are in development. Tools support areas: new hardware interfaces, discovery, injection, sniffing, reverse engineering, fuzzing, software defined radio (SDR) and simulation. Forum goals:– Demonstrate the current state of the art in automotive cybersecurity tools on real automobiles– Foster researcher-to-researcher relationships– Share knowledge about cybersecurity research issues and automation challenges– Incentivize increased academic and security researcher interest in automotive cybersecurity– Connect tool developers with collaborators, end users, and potential funding sources– Workshop Report (available on request)
DHS/Volpe Center Automotive Cybersecurity R&D Showcase (October 18-20, 2016) Cont’d
31
Energy Exchange: Connect • Collaborate • Conserve
• Virtual workbenches are needed due to limited vehicle access
• A growing proliferation of open source tools
• Open source tools are getting more powerful and sophisticated
• Open source software/hardware significantly lowers the entry barrier for researchers
• “User as developer” model creates positive feedback loop
Open Source Automotive Cybersecurity Research Tool Forum - Conclusions
32
Energy Exchange: Connect • Collaborate • Conserve
• Development of an Open Source OS Tools Portal for use by Government researchers, and academia
• Continuation of the Automotive Cybersecurity R&D Showcase type of event with more “hands on” activities (e.g. academia training classes)
• Continued outreach to the open source community
Open Source Automotive Cybersecurity Research Tool Forum – Next Steps
33
Energy Exchange: Connect • Collaborate • Conserve
Chase GarwoodProgram ManagerDepartment of Homeland SecurityScience and Technology (S&T)HSARPA Cybersecurity Division (CSD)
Email: [email protected]: 202-254-6076
Kevin Harnett Cybersecurity Program ManagerU.S. Department of TransportationOffice of Research and TechnologyJohn A. Volpe National TransportationSystems Center (Volpe Center)
Email: [email protected]: 617-699-7086
Contact Information
35