Scalable Automotive Intrusion Detection Systems
TRANSCRIPT
V1.1 | 2021-10-07
From the ECU to the VSOC: Scalable Automotive Intrusion Detection Systems
Agenda
• Motivation
• Onboard Detection and Data Gathering
• Reporting and Refinement of Data
• Analysis and VSOC Operation
• Summary
Motivation | IDS Big Picture: Detection and Mitigation of Security Incidents
Attack
1. Detect: Gather and record data on security related events
2. Report: Transmit data on security related events
3. Refine Data: Refine and enrich transmitted security event data
4. Analyze: Analyze security event data for single vehicles and the whole fleet (e.g. impact analysis, root cause analysis)
5. Decide & Develop: Develop threat response (e.g. identification, implementation and test of countermeasures)
6. Deploy: Deploy software updates to mitigate threats
Security Operations Center (SOC) with SIEM solution
Onboard Detection and Data Gathering | Fundamental Concepts
• Security Event Sensor
• Intrusion Detection System Manager (IdsM)
• Intrusion Detection System Reporter (IdsR)
• Security Event Memory (SEM)
• Security Event (SEv)
• Qualified Security Event (QSEv)
• SOC
Onboard Detection and Data Gathering | Deployment Options
(Diagram labels: Security Sensors, several Intrusion Detection System Manager (IdsM) instances, Security Event Memory (SEM), Intrusion Detection System Reporter (IdsR), SOC)
Onboard Detection and Data Gathering | Interaction of IdsM With Other AUTOSAR BSW Modules
(Diagram: IdsM in the centre; BSW groups COM, DIAG, CRYPTO, MEM, SYS; application software components connected through the RTE)
• Sensor BSW Module / Sensor CDD: Report SEv
• Sensor SWC (via RTE): Report SEv
• Timestamp SWC (via RTE): Provide custom timestamp (alternative instead of StbM)
• StbM: Provide system time used for timestamping
• Csm: Prepare signature
• Dcm: Reconfigure SEv specific parameters
• NvM: Persist SEv specific parameters
• Dem: Persist QSEv
• PduR: Send QSEv to IdsR
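The two slides above (fundamental concepts and the IdsM interactions) only name the building blocks. The following Python simulation, an added example that is neither Vector nor AUTOSAR code, walks one security event through that chain: a sensor reports an SEv, the IdsM timestamps it (StbM stand-in), applies an SEv specific qualification rule, signs the resulting QSEv (Csm stand-in, HMAC-SHA256), persists it (Dem/SEM stand-in) and hands it to an IdsR (PduR stand-in), which encodes it for the backend. The qualification rule (a per-event threshold within a time window), the message layout that is signed, the event ids, the key and the clock are all constructed assumptions; the real IdsM filter configuration is not detailed on these slides.

```python
"""Simulation of the onboard IdsM/IdsR chain sketched on the slides.

Added example, not Vector or AUTOSAR code. Stand-ins for the BSW modules named
on the slide: StbM -> FakeClock, Csm -> sign_qsev, Dem/SEM -> IdsM.sem list,
PduR -> callback to IdsR.receive. Qualification rule, event ids and key are
constructed assumptions.
"""
import hashlib
import hmac
import json
from collections import deque
from dataclasses import dataclass

DEMO_KEY = b"constructed-demo-key"  # assumption: a real Csm keeps the key in secure storage


@dataclass
class SEv:
    """Security Event (SEv) as reported by a sensor SWC, BSW module or CDD."""
    event_id: int
    context: bytes = b""


@dataclass
class QSEv:
    """Qualified Security Event (QSEv): an SEv that passed the IdsM qualification."""
    event_id: int
    timestamp_ms: int
    count: int
    context: bytes
    signature: bytes = b""


class FakeClock:
    """StbM stand-in (constructed): deterministic millisecond clock, advances on every call."""
    def __init__(self, step_ms: int = 10):
        self.now_ms = 0
        self.step_ms = step_ms

    def __call__(self) -> int:
        self.now_ms += self.step_ms
        return self.now_ms


def sign_qsev(key: bytes, q: QSEv) -> bytes:
    """Csm stand-in: HMAC-SHA256 over the QSEv fields (assumed message layout)."""
    msg = f"{q.event_id}|{q.timestamp_ms}|{q.count}|".encode() + q.context
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_qsev(key: bytes, q: QSEv) -> bool:
    """Backend-side check that a received QSEv was not altered in transit."""
    return hmac.compare_digest(sign_qsev(key, q), q.signature)


class IdsM:
    """Intrusion Detection System Manager: qualifies, timestamps, signs, persists and forwards SEvs."""
    def __init__(self, clock, key: bytes, send_to_idsr):
        self._clock = clock          # StbM stand-in
        self._key = key              # Csm stand-in
        self._send = send_to_idsr    # PduR stand-in: delivers the QSEv to the IdsR
        self._params = {}            # SEv specific parameters (NvM/Dcm stand-in): event_id -> (threshold, window_ms)
        self._history = {}           # recent report times per event_id, used by the threshold rule
        self.sem = []                # Security Event Memory (Dem stand-in): persisted QSEvs

    def reconfigure(self, event_id: int, threshold: int, window_ms: int) -> None:
        """Dcm-style reconfiguration of SEv specific parameters (assumed rule: threshold within window)."""
        self._params[event_id] = (threshold, window_ms)

    def report(self, sev: SEv):
        """Sensor entry point. Returns the QSEv if the event qualified, else None."""
        threshold, window_ms = self._params.get(sev.event_id, (1, 0))  # unconfigured events qualify at once
        now = self._clock()
        hist = self._history.setdefault(sev.event_id, deque())
        hist.append(now)
        while now - hist[0] > window_ms:   # drop reports that fell out of the window
            hist.popleft()
        if len(hist) < threshold:
            return None                    # not qualified (yet): below threshold within the window
        hist.clear()                       # one QSEv per reached threshold
        qsev = QSEv(sev.event_id, now, threshold, sev.context)
        qsev.signature = sign_qsev(self._key, qsev)
        self.sem.append(qsev)
        self._send(qsev)
        return qsev


class IdsR:
    """Intrusion Detection System Reporter: collects QSEvs and encodes them for the backend (IdsL)."""
    def __init__(self):
        self.outbox = []

    def receive(self, q: QSEv) -> None:
        self.outbox.append(json.dumps({
            "event_id": q.event_id, "timestamp_ms": q.timestamp_ms, "count": q.count,
            "context": q.context.hex(), "signature": q.signature.hex()}))


def run_demo():
    """Constructed scenario: a noisy event needs 3 hits within 1 s, an unconfigured event qualifies at once."""
    idsr = IdsR()
    idsm = IdsM(FakeClock(), DEMO_KEY, idsr.receive)
    idsm.reconfigure(event_id=0x1001, threshold=3, window_ms=1000)
    results = [idsm.report(SEv(0x1001, b"\x01")) for _ in range(3)]   # None, None, QSEv
    results.append(idsm.report(SEv(0x2002, b"\x42")))                  # QSEv
    return idsm, idsr, results


if __name__ == "__main__":
    _, reporter, _ = run_demo()
    for line in reporter.outbox:
        print(line)
```

The threshold rule is what lets the IdsM trade reporting volume against detection detail per event, which is the scalability point of the deck: the same sensor code stays in place while the per-event parameters decide how much reaches the IdsR. Signing in the IdsM rather than in the reporter keeps the evidence chain intact even if the TCU forwarding the data is itself compromised.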
Reporting and Refinement of Data | IDS Big Picture: Detection and Mitigation of Security Incidents (section divider, steps 1 to 6 as in the Motivation section)
Reporting and Refinement of Data | System Overview
Vehicle-side (Detection + Reporting):
• Classic-ECU: Sensor SWCs / Sensor (CP) report through a C API to the IdsM (CP)
• Adaptive-ECU: Sensor SWCs / Sensor (AP) report through a C++ API to the Sensor Lib (AP), which hands events over IPC to the IdsM (AP)
• TCU: IdsR (AMSR); reporting follows the IDS PRS (AUTOSAR IDS protocol specification)
• OTA-Link to the backend
Backend-side (VSOC) (Receiving + Processing, Analysis + Reaction):
• vConnect IdsL receives the reports and feeds the Event Processing Pipeline
• Further data sources, e.g. AUTOSAR specifications (ARXML)
• Consumers: SIEM system, Syslog Server, OEM Datalake, OEM Webfrontend, …; interfaces shown: Syslog, REST/JSON, JDBC/SQL
Attacker ("Unethical Hacker") shown on both the vehicle and the backend side
Abbreviations: IdsM: Intrusion Detection System Manager; IdsR: Intrusion Detection System Reporter; IdsL: Intrusion Detection System Listener; SIEM: Security Incident and Event Management
Images: Designed by Freepik
Analysis and VSOC Operation | IDS Big Picture: Detection and Mitigation of Security Incidents (section divider, steps 1 to 6 as in the Motivation section)
IBM Security: Who We Are
• Largest enterprise cybersecurity provider
• Leader in 12 security market segments
• 8.000+ security employees
• 17.000+ clients
• 9 global IBM X-Force Command Centers (SOC, Training, Research, Exec. Briefing)
• 70B+ security events monitored per day
Vector Automotive Cybersecurity Symposium / © 2021 IBM Corporation
General Regulatory Landscape in Automotive
(Diagram grouping standards and regulations into the areas AUTOMOTIVE, V2X and GENERAL)
• ISO 20078
• AUTOSAR (402, 438, 654, 664)
• SEIS
• SAE (J3061, J3101)
• Risk Assessment Methods: TRVA, OCTAVE
• ISO 26262
• ISO/SAE 21434
• EVITA, HEAVENS
• Coding Rules: MISRA, CERT
• ISO/TC 204 (ISO 2121x..)
• ETSI TS 103 097, IEEE 1609.2
• ETSI TS 102 940, C2C-CC
• ETSI TS 102 941
• PRESERVE, SEVECOM
• Certification and Lifecycle: CC (ISO/IEC 15408), ISO/IEC 2700x.., Microsoft SDL, Open SAMM, RFC 2196, ETSI TR 102 893
• IEC 61508
• ISO/AWI 24089, AUTOSIG, UNECE WP.29
• NHTSA
• PCI DSS
• Production OT: ISO 27001, ISA/IEC 62443, CSF
Timeline annotations on the diagram: Draft 2021 / Publication 2022; New models 2022 / All models 2024; Draft 2020 / Publication 2021
IBM Connected Vehicle Offering Components
Platform tiers (Collect, Connect, Service, Engage): In-Vehicle Platform, IBM IoT Device Platform, Vehicle Platform, Services Platform, CVI SaaS (IBM IoT Connected Vehicle Insights), IBM Hybrid Cloud
Components: Vehicle Device, In-Vehicle Security (Security Event Detection), Hub, Asset Mgmt., Context Mapping, Geospatial Analytics, Streaming Analytics, Driver Behavior, Big Data, API Connect, Weather, Twitter, Translation, Conversation, Personality Insights, Content Manager, PMQ, ...
Service lines:
• Global Business Services (GBS) (Cognitive Application Innovation, Cognitive Process Transformation, Digital Strategy and iX)
• Security Services & Products (Security Operation Center, SIEM, Identity and Access Management, Encryption, Secure Storage, ...)
• Global Technology Services (GTS) (Cloud Infrastructure, Networks, Managed Operations)
• AI & Applications (Connected Vehicle Insights CVI, Engineering Lifecycle Management, Maximo, Watson)
All required solution architecture elements need to be assembled consistently to enable unified control in the Vehicle Security Operation Center (VSOC):
• Trusted Identity of all involved entities
• Secure Data Storage within vehicle
• Access Control and Management
• Communication Encryption
• Intrusion Detection and Prevention System
• Security Intelligence
• Security Operation Center
How a Vehicle SOC works
Onboard Security Controls (e.g. Intrusion Detection and Protection Systems); backend components on cloud and on premise
• Collect and forward security events from the vehicle; filters, combines and aggregates events from heterogeneous log sources
• IBM IoT Connected Vehicle Insight (Connect, Scale, Secure): responsive, scalable & secure connectivity
• IBM QRadar SIEM Security Platform (Detect, Analyze, Prioritize): threat & anomaly detection and analysis. Provides best-of-breed security intelligence: near real-time visibility, AI-based anomaly detection, proactive security analytics, prioritizing of alerts, automation & orchestration, guided workflows & dynamic playbooks, cross-fleet analysis
• IBM X-Force Threat Intelligence (Inform, Enrich, Advise): automotive & geography specific IoC* feeds
• Cloud Pak for Security, IBM Resilient & Red Hat Ansible (Orchestrate, Automate, Respond): automated & orchestrated incident response
• Supplier R&D: software patches, e.g. OTA updates, notifications
*) Indicator of Compromise
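The system overview and the VSOC slide above describe the backend side only as a pipeline that receives reports, "filters, combines, aggregates from heterogeneous log sources", enriches them, prioritises alerts and does cross-fleet analysis. The following Python example, added here and not code from IBM QRadar, Vector or the vConnect IdsL, shows what such a processing stage does in the small: it normalises two constructed input formats (JSON lines as an IdsR might emit them, and syslog lines relayed by a syslog server), enriches each record from an event catalogue that stands in for the OEM's event specification (the slide names AUTOSAR ARXML as such a further data source), aggregates per event id across all vehicles, and ranks alerts so that an event seen on many vehicles outranks a single-vehicle incident of the same severity. The record layouts, the catalogue, the fleet threshold, the priority formula and every VIN and timestamp are constructed assumptions.

```python
"""Backend-side (VSOC) event processing: normalise, enrich, aggregate across the fleet, prioritise.

Added example, not IBM, Vector or vConnect code. Input formats, event catalogue,
sample lines and the priority formula are constructed assumptions.
"""
import json
import re

# Constructed event catalogue: event id -> (description, severity 1..5). In a real VSOC this
# enrichment is derived from the OEM's event specification (e.g. AUTOSAR ARXML).
EVENT_CATALOGUE = {
    0x1001: ("SecOC MAC verification failed", 3),
    0x2002: ("Diagnostic security access failed repeatedly", 4),
    0x3003: ("Ethernet firewall rule violation", 2),
}
FLEET_THRESHOLD = 3  # assumption: the same event on >= 3 distinct vehicles is treated as a fleet pattern

# Constructed sample input, source 1: JSON lines as an IdsR might send them over the OTA link.
JSON_LINES = [
    '{"vin": "WVWZZZ0000000001", "event_id": 4097, "count": 3, "timestamp_ms": 30}',
    '{"vin": "WVWZZZ0000000002", "event_id": 4097, "count": 3, "timestamp_ms": 55}',
    '{"vin": "WVWZZZ0000000003", "event_id": 4097, "count": 3, "timestamp_ms": 71}',
    '{"vin": "WVWZZZ0000000001", "event_id": 12291, "count": 1, "timestamp_ms": 90}',
    '{"vin": "WVWZZZ0000000004", "event_id": 12291, "count": 1, "timestamp_ms": 95}',
]
# Constructed sample input, source 2: syslog lines from a syslog server relaying TCU reports.
SYSLOG_LINES = [
    "<13>Oct  7 10:01:22 tcu-WVWZZZ0000000005 idsr: event_id=0x2002 count=1",
    "<13>Oct  7 10:01:25 tcu-WVWZZZ0000000005 idsr: event_id=0x2002 count=1",
    "<13>Oct  7 10:01:30 tcu-WVWZZZ0000000005 heartbeat: ok",  # not an IDS event, must be ignored
]
SYSLOG_RE = re.compile(
    r"^<\d+>\w{3}\s+\d+\s+[\d:]+\s+tcu-(\w+)\s+idsr:\s+event_id=0x([0-9A-Fa-f]+)\s+count=(\d+)$")


def normalise_json(line: str) -> dict:
    """Bring an IdsR JSON record into the common record shape."""
    rec = json.loads(line)
    return {"vin": rec["vin"], "event_id": int(rec["event_id"]), "count": int(rec["count"]), "source": "json"}


def normalise_syslog(line: str):
    """Bring a relayed syslog line into the common record shape; returns None for non-IDS lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"vin": m.group(1), "event_id": int(m.group(2), 16), "count": int(m.group(3)), "source": "syslog"}


def enrich(rec: dict) -> dict:
    """Attach description and severity from the catalogue; unknown ids get the lowest severity."""
    name, severity = EVENT_CATALOGUE.get(rec["event_id"], ("unknown event id", 1))
    return {**rec, "name": name, "severity": severity}


def aggregate(records) -> dict:
    """Combine records from all sources per event id across the whole fleet."""
    by_event = {}
    for r in records:
        agg = by_event.setdefault(r["event_id"],
                                  {"name": r["name"], "severity": r["severity"], "vins": set(), "hits": 0})
        agg["vins"].add(r["vin"])
        agg["hits"] += r["count"]
    return by_event


def prioritise(by_event: dict) -> list:
    """Rank alerts: severity weighted by fleet spread (assumed formula), fleet scope above the threshold."""
    alerts = []
    for event_id, agg in by_event.items():
        vehicles = len(agg["vins"])
        alerts.append({
            "event_id": event_id, "name": agg["name"], "vehicles": vehicles, "hits": agg["hits"],
            "scope": "fleet" if vehicles >= FLEET_THRESHOLD else "single-vehicle",
            "priority": agg["severity"] * (1 + vehicles),
        })
    alerts.sort(key=lambda a: (-a["priority"], a["event_id"]))
    return alerts


def process(json_lines, syslog_lines) -> list:
    """Full pipeline stage: heterogeneous sources in, prioritised fleet-level alerts out."""
    records = [enrich(normalise_json(line)) for line in json_lines]
    records += [enrich(r) for r in map(normalise_syslog, syslog_lines) if r]
    return prioritise(aggregate(records))


if __name__ == "__main__":
    for alert in process(JSON_LINES, SYSLOG_LINES):
        print(f'P{alert["priority"]:>2} {alert["scope"]:<14} 0x{alert["event_id"]:04X} '
              f'{alert["vehicles"]} vehicle(s), {alert["hits"]} hits: {alert["name"]}')
```

With the constructed input the fleet-wide SecOC failure (three vehicles, severity 3) ranks above the single-vehicle diagnostic event even though the latter has the higher severity, which is the effect cross-fleet analysis is meant to have: a pattern across the fleet points at a systematic weakness or campaign rather than one noisy car. In a real pipeline the enrichment step would also carry the QSEv signature check and the IoC feed lookup the slide mentions.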
Summary | IDS Big Picture: Detection and Mitigation of Security Incidents (section divider, steps 1 to 6 as in the Motivation section)
Summary | Benefits
• Use of a standardized technical framework for implementing distributed onboard IDS
• Scalable approach to balance available resources and reporting needs
• Configurable detection and reporting behavior to meet OEM needs and constraints of the vehicle E/E architecture
• Allows reuse of existing tool chains for specifying qualified security events
• Usage of established and enterprise-level SOC and SIEM solutions
• Adoption of the framework can drive down costs for implementing onboard IDS
Summary | Impressions from joint Demonstrator at IAA 2021
© 2019. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.1 | 2021-10-07
Authors: Justus Reich (IBM Germany), Dr. Eduard Metzker (Vector Informatik Germany)
For more information about Vector and our products please visit www.vector.com