dot/dhs: joint agency work on vehicle cyber security · o fleet management information system...

Tampa Convention Center • Tampa, Florida

The National Transportation Systems Center

Advancing transportation innovation for the public good

U.S. Department of TransportationOffice of the Secretary of TransportationJohn A. Volpe National Transportation Systems Center

Principal Investigator (PI): Kevin Harnett

DOT-Volpe Center’s Advanced Vehicle Technology Division

August 16, 2017

DOT/DHS: Joint Agency Work on Vehicle Cyber Security

Energy Exchange: Connect • Collaborate • Conserve

Government Vehicles Security Program – Telematics Overview

Government Vehicles Program – Software Engineering Institute (SEI) /CERT OBD-2 Dongle/Telematics Testing

Government Vehicles Security Program – Telematics Cybersecurity Guidance Development

Volpe Center Automotive Cybersecurity R&D Showcase

Agenda

2


• Established in 1970• Part of U.S. Department of Transportation (DOT) Office of Research and

Technology• Mission: To Improve the nation’s transportation system by serving as a

center of excellence for informed decision making, anticipating emerging transportation issues, and advancing technical, operational, and institutional innovations

• Fee-for-service; no direct appropriations• www.volpe.dot.gov

DOT’s Volpe National Transportation System Center

3

http://www.volpe.dot.gov/


Joint DOT/DHS Automotive

Cybersecurity R&D Program

FY 14-15 Program Tasks

Automotive Cybersecurity Industry

Consortium (ACIC) Program Initiation

Automotive Cybersecurity Best

Practices and Guidelines in the Private Sector


Investigate Government Fleet Cybersecurity

Requirements

ACIC Planning Support


Government Vehicle Cybersecurity Program

Support

Pilot Cybersecurity Vulnerability

Assessments of Vehicle Telematic Systems

Government Vehicle Cybersecurity Procurement

Specification Support

Technical Support for DHS Automotive

Cybersecurity R&D

Operational ACIC Support

Commercial Truck Cybersecurity Support

Tools and Vehicle Testing

Automotive Cybersecurity Tool

Showcase

DOT-Volpe Automotive Cybersecurity R&D Program Overview

4


DHS Cybersecurity for Government Vehicles Security

Program – Telematics Overview

5


Modern Vehicle Architecture

6


• First Responder and Law Enforcement vehicles -Rescue, ambulance, police-Must be safe and reliable

• Undercover Vehicles – mission critical-Must be safe and reliable -Blend in – not tracked or identified either by emanating too much or by not emanating at all

• Government Official/Overseas Embassy Vehicles (e.g., "Black SUV") -Must be safe and need to hide

• Non-Tactical DoD Vehicles

• General use government vehicles-Vehicles that do not fall into above categories

Government Critical Mission Use

7


General Services Administration (GSA) Telematics Program

Telematics

• The term “Telematics” refers to a technology that combines telecommunications and information processing to send, receive, and store information related to remote objects, such as vehicles. (Source GAO 14-443, Federal Vehicle Fleets)

Source: General Services Administration (GSA) Office of Fleet Management

8


General Services Administration (GSA) Telematics Program

Telematics• The term “Telematics” refers to a technology that combines telecommunications and information

processing to send, receive, and store information related to remote objects, such as vehicles. (Source GAO 14-443, Federal Vehicle Fleets)

Source: General Services Administration (GSA) Office of Fleet Management

• EO 13693: Sustainability into the Next Decade (March 2016) Requirements- By 2017, all agencies should ensure that telematics collects the maximum vehicle diagnostics (fuel consumption,

emissions, maintenance, utilization, idling, speed, and location data) at the asset level for acquisitions of new passenger, light duty and medium duty vehicles (where appropriate)

Executive OrderReporting Requirement

GPS Tracking Only

GPS Tracking &Vehicle Diagnostics

Speed X XLocation data X XIdling X XUtilization X XMaintenance XFuel consumption XEmissions (varies by year, manufacturer, make & model) X

9


Government Fleet Management Telematics and Risks

INTERNETINTERNETProviderNetwork

ENGINE

TRANSMISSION

ECMBCM

SECURITY

LOCKS/WINDOWS

CL

US

TE

R

CA

N B

US

OBDDONGLE

w/ TELEMATICS

))))

ProvidersServers

BASE STATION

SERVICE CENTER

FLEET MANAGER

WHO ELSE??

Connected to anExternal Network

Interfacing witha Public Network accessible by

Anyone Anywhere

Attack Surface Threats

Logical Architecture Physical Architecture

CAN BUS

10


DHS Cybersecurity for Government Vehicles Program

Software Engineering Institute (SEI)/CERT OBD-2 Dongle Testing

11


Power Supply

Ettus ResearchSoftware-Defined Radio

WiFi Access Point

Linux laptop withOpenBTS

Device Under Test

Bus Pirate

SIM cards

Android Phones

SEI/CERT OBD-2 Device Testing Configuration

12


Power Supply

Ettus ResearchSoftware-Defined Radio

WiFi Access Point

Linux laptop withOpenBTS

Device Under Test

Bus Pirate

SIM cards

Android Phones

SEI/CERT OBD-2 Device Testing Configuration (cont’d)

13


• Development / un-configured device (Tested Q1 2016)– Accepted unauthenticated admin commands via SMS– Could load our own, trojaned firmware– Unauthenticated Internet services – No encryption in transit

• Production device (Tested Q1 2017)– SMS disabled– Can no longer force download of trojaned firmware– Internet service appropriately firewalled– Remaining risks

• Inherent cellular vulnerabilities• Still no encryption in transit (Man-in-the-middle)

Software Engineering Institute (SEI) /CERT OBD-2 Device Tests

14


• Explains risks and potential impacts of security problems in OBD-II devices

• Describes a repeatable methodology for testing the devices for the most common security problems and misconfigurations

• Technical appendices detail how to perform some of the specialized testing and what equipment is needed– Firmware Updates– Wireless Security

SEI/CERT: OBD-2 Device Tests Methodology Report

15


DHS Cybersecurity for Government Vehicles Security Program

Telematics Cybersecurity Guidance Development

16


o Fleet Management Information System (FMIS) is an Information System

• All Federal Information Systems require Federal Information Security Management Act (FISMA) compliance

• FISMA requires compliance with NIST standards

o Multiple components to the system

o Primary responsibility is to protect Government personnel, property, and data

VehicleTelematics Communications Management System Database

Cybersecurity Primer for Fleet Managers

17


o Each Federal Agency Fleet Manager (FM) requires assessments using NIST guidance• NIST SP 800-53* for guidance on security control implementation • 18 Control families each related to policy, process, technical controls

*NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Rev 4 (April 2013). http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Access Control (AC) Identification & Authentication (IA)

Personnel Security (PS)

Audit & accountability (AU)

Incidence Response (IR) Risk Assessment (RA)

Awareness & Training (AT) Maintenance (MA) System & Service acquisition (SA)

Security Assessment & Authorization (CA)

Media Protection (MP) System & Communication Protection (SC)

Configuration Management (CM)

Physical & Environmental Protection (PE)

System & Information Integrity (SI)

Contingency Planning (CP) Planning (PL) Program Management (PM)

FISMA Compliance / NIST Guidance

18

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf


o Each Federal Agency Fleet Manager (FM) requires risk assessments using NIST guidance• NIST SP 800-53 for guidance on security control implementation • 13 Control Families selected…


19


ID FAMILY CONTROLS SELECTEDAC Access Control AC-6 - Least Privilege

AC-14 - Permitted actions Without Identification or AuthenticationAC-17 - Remote accessAC-18 - Wireless access

AU Audit and accountability AU-2 - Audit EventsCA Security Assessment and Authorization CA-6 - Security Authorization

CA-8 - Penetration TestingCM Configuration Management CM-7 - Least FunctionalityIA Identification and Authentication IA-3 - Device Identification and Authentication

IA-7 - Cryptographic Module AuthenticationIR Incidence Response IR-1 - Incident Response Policy and Procedures

MA Maintenance MA-2 - Controlled MaintenancePL Planning PL-2 - System Security Plan

PL-8 - Information Security ArchitecturePS Personnel Security PS-7 - Third-party Personnel Security

RA Risk Assessment RA-3 - Risk AssessmentRA-5 - Vulnerability Scanning

SA System and Service acquisition SA-11 - Developer Security Testing and EvaluationSA-12 – Supply Chain Protection

SC System and Communications Protection SC-2 - Application PartitioningSC-7 - Boundary ProtectionSC-13 - Cryptographic ProtectionSC-23 - Session AuthenticitySC-28 - Protection Of Information At RestSC-39 - Process Isolation

SI System and Information Integrity SI-2 - Flaw RemediationSI-3 - Malicious Code ProtectionSI-5 - Security Alerts, Advisories, And DirectivesSI-7 - Software, Firmware, and Information IntegritySI-10 - Information Input ValidationSI-16 - Memory Protection


20


ID FAMILY CONTROLS SELECTED

AC Access Control AC-6 - Least PrivilegeAC-14 - Permitted actions Without Identification or AuthenticationAC-17 - Remote accessAC-18 - Wireless access





PL-8 - Information Security ArchitecturePS Personnel Security PS-7 - Third-party Personnel Security

RA Risk Assessment RA-3 - Risk AssessmentRA-5 - Vulnerability Scanning

SA System and Service acquisition SA-11 - Developer Security Testing and EvaluationSA-12 – Supply Chain Protection

SC System and Communications Protection SC-2 - Application PartitioningSC-7 - Boundary ProtectionSC-13 - Cryptographic ProtectionSC-23 - Session AuthenticitySC-28 - Protection Of Information At RestSC-39 - Process Isolation

SI System and Information Integrity SI-2 - Flaw RemediationSI-3 - Malicious Code ProtectionSI-5 - Security Alerts, Advisories, And Directives

SI-7 - Software, Firmware, and Information IntegritySI-10 - Information Input ValidationSI-16 - Memory Protection

Example Firmware Update Controls

FISMA Compliance / NIST Guidance (“Firmware Updates” Controls)

21


ID FAMILY CONTROLS SELECTED

AC access Control AC-6 - Least PrivilegeAC-14 - Permitted actions Without Identification or AuthenticationAC-17 - Remote accessAC-18 - Wireless access





PL-8 - Information Security ArchitecturePS Personnel Security PS-7 - Third-party Personnel SecurityRA Risk Assessment RA-3 - Risk Assessment

RA-5 - Vulnerability ScanningSA System and Service acquisition SA-11 - Developer Security Testing and Evaluation

SA-12 – Supply Chain ProtectionSC System and Communications Protection SC-2 - Application Partitioning

SC-7 - Boundary ProtectionSC-13 - Cryptographic ProtectionSC-23 - Session AuthenticitySC-28 - Protection Of Information At RestSC-39 - Process Isolation

SI System and Information Integrity SI-2 - Flaw RemediationSI-3 - Malicious Code ProtectionSI-5 - Security Alerts, Advisories, And DirectivesSI-7 - Software, Firmware, and Information IntegritySI-10 - Information Input ValidationSI-16 - Memory Protection

Example Wireless Security Controls

FISMA Compliance / NIST Guidance (“Wireless Security” Controls)

22


Telematics devices/systems are the gateway to the vehicle network and data. To protect the fleet efficiency management system and vehicle it is recommended to:

o Protect Communications Between Devices/Systems• It is recommended that encryption be implemented to protect all communications external to a device

o Protect Firmware on Devices/Systems• It is recommended that the use of digital signatures and encryption are used to both protect firmware on the

device and authenticate and protect updating of firmware to the device

Telematics Recommendation

23


Telematics devices/systems are the gateway to the vehicle network and data. To protect the fleet efficiency management system and vehicle it is recommended to:

o Protect Communications Between Devices/Systems• It is recommended that encryption be implemented to protect all communications external to a device

o Protect Firmware on Devices/Systems• It is recommended that the use of digital signatures and encryption are used to both protect firmware on the

device and authenticate and protect updating of firmware to the device

o Protect Action of Devices/Systems• It is recommended that implementation of the principle of least privilege is implemented on all devices

o Protect Integrity of Devices/Systems• It is recommended that manufacturers and/or maintainers of devices institute a *vulnerability response

program for receiving, implementing, and addressing vulnerabilities discovered or reported in their products

* ISO/IEC 29147:2014 Information technology -- Security techniques -- Vulnerability Disclosure) https://www.iso.org/standard/45170.htmlISO/IEC 30111:2013 (Information technology -- Security techniques -- Vulnerability Handling Processes) https://www.iso.org/standard/53231.html

Telematics Recommendation

24

https://www.iso.org/standard/45170.html

https://www.iso.org/standard/53231.html


Telematics devices/systems are the gateway to the vehicle network and data. To protect the fleet efficiency management system and vehicle it is recommended to:o Protect Communications Between Devices/Systems

• It is recommended that encryption be implemented to protect all communications external to a device

o Protect Firmware on Devices/Systems• It is recommended that the use of digital signatures and encryption are used to both protect firmware on the device and authenticate and protect updating of

firmware to the device

o Protect Action of Devices/Systems• It is recommended that implementation of the principle of least privilege is implemented on all devices

o Protect Integrity of Devices/Systems• It is recommended that manufacturers and/or maintainers of devices institute a vulnerability response program for receiving, implementing, and addressing

vulnerabilities discovered or reported in their products

Example Telematics Cybersecurity Risk Assessment Questionnaire

25


Healing Vulnerabilities to Enhance Software Security and Safety (HEAVENS) is an attacker-centric type of risk analysis tool utilizing STRIDE* threat definitions to correlate threats with security attributes

HEAVENS Risk Assessment Process

26

* Microsoft’s Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DOS) and Elevation of Privileges (STRIDE): https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx

https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx


• Telematics Cybersecurity Primer for Agencies (June 2017)

• Telematics Cybersecurity Primer for Agencies – Risk Assessment Questionnaire (June 2017)

• HEAVANS Risk Model and Program Deliverables (April 2016)

Available Documents

27


Volpe Center Automotive Cybersecurity

R&D Showcase

28


• Federal Programs and Labs Vehicle Cybersecurity Workshop (October 18) - Workshop for federally-funded Automotive Cybersecurity Programs (e.g. DHS, NHTSA, DARPA, Army/TARDEC, NIST, TC/DRDC, etc.) and Federal Laboratories (e.g. DOE, DoD, Federally-funded Research and Development Centers-FFRDCs, etc.)

– Bring together Federally Funded stakeholders to share information about and collaborate on ongoing and future Government projects in Automotive Cybersecurity

– Minimize duplication of efforts in Federal Automotive Cybersecurity R&D

– Workshop Report (available on request for Federal or Federal Contractor staff only)

DHS/Volpe Center Automotive Cybersecurity R&D Showcase (October 18-20, 2016)

29


• Need for continued collaboration between federal laboratories

• Government Vehicles Telematics Cybersecurity Workshop (to be held in DC on December 13th 2017)

• Feasibility study of virtual test vehicles and test benches

Federal Programs and Labs Vehicle Cybersecurity Workshop - Conclusions


• Open Source Automotive Cybersecurity Research Tool Forum (October 19-20) – Many automotive cybersecurity Open Source Software (OSS) research tools are in development. Tools support areas: new hardware interfaces, discovery, injection, sniffing, reverse engineering, fuzzing, software defined radio (SDR) and simulation. Forum goals:– Demonstrate the current state of the art in automotive cybersecurity tools on real automobiles– Foster researcher-to-researcher relationships– Share knowledge about cybersecurity research issues and automation challenges– Incentivize increased academic and security researcher interest in automotive cybersecurity– Connect tool developers with collaborators, end users, and potential funding sources– Workshop Report (available on request)

DHS/Volpe Center Automotive Cybersecurity R&D Showcase (October 18-20, 2016) Cont’d

31


• Virtual workbenches are needed due to limited vehicle access

• A growing proliferation of open source tools

• Open source tools are getting more powerful and sophisticated

• Open source software/hardware significantly lowers the entry barrier for researchers

• “User as developer” model creates positive feedback loop

Open Source Automotive Cybersecurity Research Tool Forum - Conclusions

32


• Development of an Open Source OS Tools Portal for use by Government researchers, and academia

• Continuation of the Automotive Cybersecurity R&D Showcase type of event with more “hands on” activities (e.g. academia training classes)

• Continued outreach to the open source community

Open Source Automotive Cybersecurity Research Tool Forum – Next Steps

33


Questions

34


Chase GarwoodProgram ManagerDepartment of Homeland SecurityScience and Technology (S&T)HSARPA Cybersecurity Division (CSD)

Email: [email protected]: 202-254-6076

Kevin Harnett Cybersecurity Program ManagerU.S. Department of TransportationOffice of Research and TechnologyJohn A. Volpe National TransportationSystems Center (Volpe Center)

Email: [email protected]: 617-699-7086

Contact Information

35

mailto:[email protected]

mailto:[email protected]