车辆概念设计阶段的网络安全与风险评估ppt课件.pptx

《车辆概念设计阶段的网络安全与风险评估ppt课件.pptx》由会员分享，可在线阅读，更多相关《车辆概念设计阶段的网络安全与风险评估ppt课件.pptx（41页珍藏版）》请在三一办公上搜索。

1、,October 28, 2019,Revision: October 28, 2019,John T. KrzeszewskiChief Engineer, Cybersecurity Governance, Risk, Compliance and ArchitectureChair, “PG1: Risk Assessment” in ISO-SAE 21434,Cybersecurity in the V-cyclePurpose and components of a risk assessmentRelationships between components or riskRis

2、k calculation/mappingRisk assessment stepsIdentification of assets/damage scenarioImpact ratingsThreat scenario identificationAttack Feasbility EstimationCase StudiesGroup activity,Agenda,CS Steps and Reviews,Concept,Requirements and Architecture,Detailed,Design,IMPLEMENTATION,“TARA”= output Risk le

3、vel, relative to threat/damage scenario (Impact and Attack feasibility)Derive CS goals=CS concept=initial requirements; allocate to preliminary architecture,Refine & verify CS requirements, architecture, design: selection of controls (considering interfaces)Allocation of requirements to architectura

4、l elementsIdentify and manage vulnerabilities,Riskassessment,Risk assessment in cybersecurity is used to determine what negative actions could occur and their associated likelihood, resulting in an overall risk value.Risk value is then assessed by the business and based on the associated risk tolera

5、nce of the organization, the following options are selected:Accept (do nothing)Transfer (to another entity, e.g. insurance)Reduce (mitigate)Avoid (remove the source of the risk e.g. remove the feature)In the case of “Reduce”, the appropriate cybersecurity controls and/or processesare designed and im

6、plementedThe residual risk should then be assessed to determine if it has been lowered sufficiently.,PurposeofRisk Assessment,IQPC Risk Assessment | 28OCT19 | Aptiv Public,4,Asset IdentificationIdentify objects whose cybersecurity properties1 could be violated = damage scenarioNote this is independe

7、nt of how the damage scenario could be realizedWe document what damage could happen, but not the various methods that could cause the damageImpact RatingDetermine the level of impact if the damage scenario were to be realized.Impact to the stakeholders in regards to Safety, Operational, Financial, a

8、nd PrivacyThreat Scenario IdentificationIdentify way(s) in which a damage scenario could occur.,ComponentsofaRisk Assessment,IQPC Risk Assessment | 28OCT19 | Aptiv Public,5,1 Confidentiality, Integrity, Availability,Vulnerability AnalysisIdentify potential flaws and weaknesses in the product that co

9、uld be used in an attacki.e. needed to realize a particular threat scenarioAttack Path AnalysisIdentify the steps required to realize a threat scenarioAttack Feasibility Analysis i.e. related to likelihood of the attackEstimate the feasibility to carry out the steps of a particular attack pathRisk i

10、s determined by impact of the threat and associated “likelihood” of theattack and these components are utilized to derive this informationThese components can be performed in the order most beneficial to the organizationE.g. brainstorm threats and then determine what are the associated assets and th

11、eir damage scenarios;another option is to identify assets and their damage scenarios and then brainstorm threat scenarios that can realize a damage scenario,ComponentsofaRisk Assessment,RelationshipBetweenComponentsofRisk,Asset(C, I, A properties),Damage Scenario,Vulnerability,Impact Rating,AttackFe

12、asibility,Risk Value,Vulnerability,ThreatScenario,Attack Path,7,IQPC Risk Assessment | 28OCT19 | Aptiv Public,Calculate risk of realization of a particular threat scenarioRisk calculation based on impact of the threat and associated attack feasibilityOverall risk value can determined by a heat map-

13、One axis is the Impact and the other axis the Attack FeasibilityMapping of impact rating and associated attack feasibility to a risk value is up to the organization:,RiskCalculationExampleofan alternative mapping,Security Goals,8,IQPC Risk Assessment | 28OCT19 | Aptiv Public,Risk calculation heat ma

14、ps are up to the organizationSome organizations may consider anything critical that is eitherHigh Attack Feasibility with Impact greater than or equal to MajorThe fact that the attack is quite feasible increases riskSevere impact with Attack Feasibility greater than or equal to MediumThe fact that t

15、hat is has maximum impact and a relatively high attack feasibility,RiskCalculationExampleofan alternative mapping,Security Goals,9,IQPC Risk Assessment | 28OCT19 | Aptiv Public,Different approaches are possible, based on whatever makes sense for the particular application or organization e.g.Identif

16、y assets, associated damage scenarios and then brainstorm as to what threat scenarios could accomplish a damage scenarioBrainstorm possible threat scenarios and by doing so, it identifies assets and theirassociated damage scenariosThreat modeling componentsSystem architecture diagram & associated da

17、ta flows i.e. visualization of assetsDetermine threats to the identified assets which result in a damage scenarioThreats can be identified by brainstorming, using Microsofts STRIDE methodology, etc.Assumptions must be documentedE.g. ECU supplier may not know the potential impact at a vehicle levelIn

18、 absence of this information, the analysis is done “out of context”, such as design of a system beforeengaging customers,Risk Assessment Steps,All connections can be used in an attack,Sensors Gateway (camera, LiDAR,radar, etc.),Autonomous,V2X,Attack PointExamples,Immobilizer/ BCM,Infotainment,Actuat

19、ors,Cloud services,Telematics,Diagnostic port,PODS,Cockpit,system,ExampleCaseStudy1- InfotainmentSystemHighLevelSystem Architecture &Data Flow (partial),IQPC Risk Assessment | 28OCT19 | Aptiv Public,12,1 A hypothetical system, not an actual,The infotainment system has numerous features, such asAbili

20、ty to make online purchases via verbal commands, utilizing credit card and associated personal information that are stored in the infotainment systemAvailability of an API for development of custom applications that interact with the infotainment systemWhat is an asset?Something whose cybersecurity

21、properties could be violated, resulting in a damage scenario- Cybersecurity properties:Confidentiality, Integrity, AvailabilityLets first focus on a potential “damage scenario” to an asset, irrespective of how it can be realized via a particular “threat scenario”What are the assets for the first sys

22、tem feature above and the associated damage scenario(s)?,Identificationof assets,In the use case of the ability to make online purchases via verbal commandsOne obvious asset is the credit card and associated personal information (name, address)This qualifies as an asset as one of its cybersecurity p

23、roperties could be violated: confidentiality, resulting in a damage scenarioFor purposes of this presentation, we will use an impact scale of 4 levels of Severe, Major, Moderate and NegligibleFor a financial impactSevere catastrophic consequences; stakeholder might not overcomeMajor substantial cons

24、equences; stakeholder will be able to overcomeModerate inconvenient consequences; stakeholder can overcome with limited resourcesNegligible no effect, negligible consequences or is irrelevant,Determination ofasset andassociateddamage scenario,If a credit card and required associated information was

25、stolen, it could have a major impact on the user i.e. hit credit cards maximum purchase limitOverall impact rating “Major” but unlikely it would cause bankruptcySo far, we have only assessed the impact of the damage scenario and not themeans by which it can be accomplished i.e. the threatBy breaking

26、 up the analysis into blocks, it makes it easier to brainstorm during risk assessmentNext we will brainstorm ways in which this particular damage scenario to the credit card information could be realizedi.e. how could the credit card and required associated information be stolen?,15,IQPC Risk Assess

27、ment | 28OCT19 | Aptiv Public,Determination ofimpactratingofthedamage scenario,There are multiple ways this damage scenario could be realizedA physical attack of the infotainment system by directly connecting to OBD-II port and getting a command shell and read the files/database containing the credi

28、t card informationA man-in-the-middle (MitM) attack could occur where the information is stolen whilein transit to the destination serverEtc.Lets examine the second threat scenario listed above and determine the attack path and associated attack feasibilityThe ability to remotely attack a system is

29、more serious, compared to attacks requiring physical access to thevehicle,16,IQPC Risk Assessment | 28OCT19 | Aptiv Public,Threatscenarioidentificationtorealizethe damagescenario,One of the biggest challenges with determining risk is estimating attack feasibilityFeasibility of an attack is subjectiv

30、eAttack feasibility changes dynamicallyToday an attack may be considered practically unfeasible with known tools and techniquesAt many hacking conferences, such as DefCon, BlackHat, etc., attacks that were thought of as practically unfeasible are not only feasible, but demonstrated!- The tools and t

31、echniques for those attacks are often shared with the communityIt is important to understand the latest threat intelligence informationThe organization can decide appropriate components of attack feasibilityPerhaps only attack vector is considered (e.g. network, local, physical),SubjectivityofEstima

32、ting Attack Feasibility,ExampleCaseStudy1- InfotainmentSystemHighLevelSystem Architecture &Data Flow (partial),1 A hypothetical system, not an actual,An attack path would be an attacker tapping into a point between the infotainment system and the destination serverWhat is the associated attack feasi

33、bility?Various methods to determine attack feasibility could be used, such as CVSS-based approach or using ISO-18045 attack potential parameters and mapping to attack feasibility- We will use ISO-18045 parameters; most of them are also in the HEAVENS threat modeling methodology and thus most familia

34、r to the organization doing the threat modeling (elapsed time not part of HEAVENS)The associated attack potential parameters are: Elapsed Time, Expertise, Knowledge of Item, Window of Opportunity, Equipment.We will adopt them for use in automotive by changing some parameter values.Each of these para

35、meters have numeric values associated with the various options in each category.They are summed to derive an overall attack potential value,Attack Path Analysisand Associated Attack Feasibility,IQPC Risk Assessment | 28OCT19 | Aptiv Public,19,Estimate of “Elapsed time” i.e. time to identify a vulner

36、ability and exploit it 3 years (19)Estimate of “Expertise” requiredLayman (unknowledgeable with no particular expertise) (0)Proficient (knowledgeable and familiar with the security behavior) (3)The ability to tap into a port requires proficiency, but not an expertExpert (familiar with the underlying

37、 algorithms, protocols, hardware, etc.) (6)Multiple experts (different fields of expertise is required) (8),Attack FeasibilityDerived from Attack Potential(ISO-18045 adopted to automotive),Estimate of “Knowledge of item”Public information (information available to the public) (0)Restricted Informati

38、on (knowledge within the organization and shared under NDAs) (3)The attacker would need to know where to tap into the network i.e. data flows, as to be able to tap into the trafficfrom the vehicle.Requires knowledge of routingConfidential information (knowledge limited to a smaller set of the organi

39、zation (7)Strictly confidential information (tightly controlled information-accessible by very few) (11),Attack FeasibilityDerived from Attack Potential(ISO-18045 adopted to automotive),IQPC Risk Assessment | 28OCT19 | Aptiv Public,21,Estimate of “Window of Opportunity” requiredUnlimited (can be rea

40、lized any time, anywhere) (0)Easy (Not much effort needed to obtain access) (1)Moderate (Not easy to find access, but possible) (4)The attacker would have to do this when the vehicle is runningDifficult (Very little opportunity to access) (10)Estimate of “Equipment”Standard (equipment readily availa

41、ble) (0)No special equipment is required to be able to tap into a network and log/monitor trafficSpecialized (equipment not typically available) (4)Bespoke (equipment not generally available to the public and specialized) (7)Multiple bespoke (different types of bespoke equipment are required) (9),At

42、tack FeasibilityDerived from Attack Potential(ISO-18045 adopted to automotive),Derivation of Attack Feasibility via mapping of Attack Potential toTotal Attack Potential Value of 10 or “High” Attack Feasibility,Attack FeasibilityDerived from Attack Potential,IQPC Risk Assessment | 28OCT19 | Aptiv Pub

43、lic,23,For the threat of an MitM attack, stealing the credit card and associated information, we have determinedImpact of the damage scenario if “Major”Attack Feasibility is “High”- Per the heat map below, this results in a “High” Risk Value,OverallRiskCalculation,ExampleCaseStudy1- InfotainmentSyst

44、emHighLevelSystem Architecture &Data Flow (partial),25IQPC Risk Assessment | 28OCT19 | Aptiv Public,1 A hypothetical system, not an actual,In the use case of the ability to interact with the system via a custom application on a mobile device via BluetoothThe asset(s) may not be so obvious, so lets b

45、rainstorm what threats could be realizedOne threat scenario is the possibility of causing a buffer overrun and thus inserting malicious code in the system and hijacking program executionThe end goal may be to remotely affect the safety of the vehicles operationThe asset in this point could be safety

46、 related messages on the vehicles communications busThus we select vehicle safety messages as the assetPotential damage scenariosDeleting or injecting false safety related messages, thus affecting Integrity of the message,26,IQPC Risk Assessment | 28OCT19 | Aptiv Public,Determination ofasset andasso

47、ciateddamage scenario,If a safety critical message was deleted, it could result inA message indicating a pending collision is missedE.g. V2X system which indicates another vehicle, which cannot be seen by cameras (i.e. buildings block the view), is about to cross our path, resulting in a collisionIf

48、 a safety critical message was falsified, it could result inAn invalid command to steer the vehicle is injected into the vehicles communications busE.g. the ECU controlling the steering receives a message to steer into oncoming traffic, resulting in a collisionLets consider the damage scenario of in

49、jecting a false safety control messageon the vehicles communications bus,27,IQPC Risk Assessment | 28OCT19 | Aptiv Public,Determination ofimpactratingofthedamage scenario,For both damage scenarios for the asset of vehicle messages, a collision could resultFor safety, our impact scale of 4 levels of

50、Severe, Major, Moderate and Negligible could be mapped as follows1:Severe = S3 (Life threatening injuries where survival is uncertain or fatal injuries)Major = S2 (Severe and life-threatening injuries, where survival is probable)Moderate = S1 (Light and moderate injuries)Negligible = S0 (No injuries