Intrusion Detection and Prevention Solution - A Global Legal and Technological Perspective - Automotive Security Research Group
Intrusion Detection and Prevention Solution (IDPS)
ASRG Webinar: A Global Legal and Technological Perspective

Agenda
1. Welcome and Introduction
2. Legislation and Standards: Another strong argument for IDPS?
3. In-Vehicle IDPS Technologies: In a nutshell
4. OEM IDPS Strategies: Typical challenges
5. Conclusion and Outlook

Public | ETAS-SEC/PRM-IDS | 8/20/2021 © 2021 ESCRYPT | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. | info@escrypt.com

Welcome and Introduction

Welcome & Introduction – Presenter

Dr. Jan Holle, Lead Product Manager IDPS (Stuttgart)
▪ Passionate about IoT (incl. automotive) security
▪ Joined ESCRYPT team in 2013
▪ More than 10 years of automotive security expertise (Security Researcher, Consultant/PjM/GrL, Product Manager)

Dr. Siddharth Shukla, Product Manager for Ethernet Firewall and IDS (Stuttgart)
▪ Passionate about embedded security, real time systems and wireless sensor networks
▪ 11+ years experience (developer, architect, security analyst, product manager)

Niclas Will, Trainee in Product Management for IDPS (Stuttgart)
▪ Passionate about IT-Security in general and embedded security in particular
▪ After his first rotation in consulting now for 5 months part of the IDPS product management team

ESCRYPT – Trusted Security Solutions
▪ 16+ years experience in automotive cybersecurity
▪ 400+ employees in 19 locations
▪ Industry pioneer in cybersecurity
▪ Leading provider of IT security solutions in embedded systems, consulting and services for enterprise security and IT-protected production
▪ Working for major OEM’s and Tier’s

Welcome & Introduction – Increasing threat landscape (remote attack examples)

[Timeline figure covering 2015 to 2020. Incidents shown: Jeep Cherokee; key relay attack on 19 OEMs, 24 cars; Volkswagen (Infotainment), BMW; Tesla Model 3, JIT (Just in time); Tesla Model S, Mitsubishi Outlander; Tesla Model X, HMC (Bluelink); Mercedes-Benz (Black Hat 2020)]

“As much as possible, we use network segregation… More importantly, there needs to be real time detection and reaction on vehicle.”

Welcome & Introduction – Classification of IDPS components

▪ IDS Distribution Framework: Multiple IDS sensors might be deployed in a vehicle. The IDS Distribution Framework offers components to collect, aggregate and manage security events from an ECU, a domain, or the complete vehicle locally before reporting them to the VSOC.
▪ Intrusion prevention system (IPS): An IDS with the ability to respond to detected intrusions is typically referred to as an intrusion prevention system.
▪ Host-based intrusion detection system (HIDS): A host-based IDS monitors the characteristics of a single system and the events occurring within that system for suspicious activity.
▪ Network intrusion detection system (NIDS): A network-based IDS monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.
▪ Backend Link: Log upload, command & control.
▪ Vehicle Security Operations Center (VSOC): A Vehicle Security Operations Center is a managed service for monitoring vehicle fleets to identify possible cyber attacks or security intrusions.

[Diagram components: Host-based IDS; Network IDS for CAN/CAN-FD and Automotive Ethernet/IP; Firewall for Ethernet/IP; IDS Distribution Framework; Backend Link; Vehicle Security Operations Center (VSOC)]

Legislation and Standards: Another strong argument for IDPS?

UNECE Regulations UN R155 and R156

The automotive sector is undergoing a profound transformation with the digitalization of in-car systems that are necessary to deliver vehicle automation, connectivity and shared mobility. This comes with significant cybersecurity risks.

The two new UN Regulations require that measures be implemented across 4 distinct disciplines to tackle these risks by establishing clear performance and audit requirements for car manufacturers:
1) Managing vehicle cyber security
2) Securing vehicles by design to mitigate risks along the value chain
3) Detecting and responding to security incidents across vehicle fleet
4) Providing safe and secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for O.T.A. updates to on-board vehicle software

Timeline (2019 to 2024):
▪ Aug. 2019: End of test phase
▪ Jun. 2020: Adoption by WP.29
▪ Jul. 2022: Deadline for new vehicle types; applied to new vehicle types (EU)
▪ Jul. 2024: Deadline for all vehicle registrations; applied to first registrations (EU)
▪ Vehicle types must be developed acc. to CSMS

Legislations and Standards - Relevant Requirements from UN R155

7.2.2.2. The vehicle manufacturer shall demonstrate that the processes used within their Cyber Security Management System […] include:
(g) The processes used to monitor for, detect and respond to cyber-attacks, cyber threats and vulnerabilities on vehicle types and the processes used to assess whether the cyber security measures implemented are still effective in the light of new cyber threats and vulnerabilities that have been identified.
(h) The processes used to provide relevant data to support analysis of attempted or successful cyber-attacks.

7.3.7. “The vehicle manufacturer shall implement measures for the vehicle type to:
(a) Detect and prevent cyber-attacks against vehicles of the vehicle type;
(b) Support the monitoring capability of the vehicle manufacturer with regards to detecting threats, vulnerabilities and cyber-attacks relevant to the vehicle type;
(c) Provide data forensic capability to enable analysis of attempted or successful cyber-attacks.

7.4.1. The vehicle manufacturer shall report […] the outcome of their monitoring activities, as defined in paragraph 7.2.2.2.(g), this shall include relevant information on new cyber-attacks. The vehicle manufacturer shall also report and confirm to the Approval Authority or the Technical Service that the cyber security mitigations implemented for their vehicle types are still effective and any additional actions taken.

How does an IDPS help in fulfilling the requirements?
▪ Detect and monitor the attacks using in-vehicle IDS sensors combined with backend data aggregated in the VSOC
▪ Prevent and respond to the attacks using the expert knowledge in the VSOC to immediately find adequate responses (e.g., software updates)
▪ The aggregated data allows data forensic and the analysis of attempted or successful cyberattacks

IDPS is not explicitly required by R155, but the requirements are hard to fulfill without

Legislations and Standards - Mandatory Mitigations

[…] The mitigations implemented shall include all mitigations referred to in Annex 5, Part B and C which are relevant for the risks identified. However, if a mitigation referred to in Annex 5, Part B or C, is not relevant or not sufficient for the risk identified, the vehicle manufacturer shall ensure that another appropriate mitigation is implemented […]. (7.3.4.)

Which IDPS component support the mitigation of which threat?

Network-based IDS and firewall
▪ Malicious internal (e.g., CAN) messages
▪ Diagnostic access (e.g. dongles in OBD port) used to facilitate an attack
▪ Man in the middle attack / session hijacking
▪ Denial of service, for example this may be triggered on the internal network by flooding a CAN bus
▪ …

Host-based IDS and distributed IDS
▪ Unauthorized deletion/manipulation of system event logs
▪ Introduce malicious software or malicious software activity
▪ Man in the middle attack / session hijacking
▪ Sending a large number of garbage data to vehicle information system, so that it is unable to provide services in the normal manner
▪ …

Holistic solution
• Report security events from the mitigation measures via the distributed IDS approach
• E.g., report violations to access control policies, events from the validation/verification of SW updates, etc.

Legislations and Standards - China legislation and standards

Legislations
▪ Laws from Chinese Authorities like MIIT (Ministry of Industry and Information Technology of the People’s Republic of China) which are mandatory to follow
▪ Often refer to standards and thereby make them mandatory

Standards
▪ Published by different committees
▪ Most relevant committees for automotive cybersecurity:
  ▪ TC114: National Technical Committee of Automotive Standardization
  ▪ TC260: National Technical Committee of Information Security Standardization
▪ Differentiation between GB’s (mandatory) and GB/T’s (recommended)

[Figure: Process for standard publication]

Legislations and Standards related to automotive security

Status              # Legislations   # Standards
Published           5                8
Under Development   4                17
Planned             2                72
Total               11               97

Legislations and Standards - MIIT ICV Type Approval

▪ Cybersecurity requirements are very similar to R155 and R156
▪ Mandatory law in CN for ICV type approval, possibly will take effect in 2022 in CN
▪ Current draft is on a high level and more detailed requirements will follow soon
▪ It can be expected that several GB/T’s will be cited in this legislation and thereby made mandatory

Main Articles
▪ Article 01: Defines the scope of application: Intelligent connected vehicle (ICV) production and their products with high automation capabilities
▪ Article 10: Responsible Authority: MIIT (Ministry of Industry and Information Technology of the People’s Republic of China)
▪ Article 02: Requirement for organization/manufacture, related to Annex1.
▪ Article 09: Requirement for product and process, related to Annex2. And requirement for testing, related to Annex3.
▪ Annex1: Organization/manufacture requirements
▪ Annex2: Product & Process requirements
▪ Annex3: Testing requirements
▪ Annex4: Terms

Relevant requirements in current draft:
▪ Article 3: ICV manufacturing enterprises shall […] take technical and other measures as necessary to […] protect vehicles and networking facilities from attacks, intrusion, interference and damage.
▪ Annex 2, 3.3: Regarding the product development, realize capabilities to prevent and respond to security risks and network vulnerability, in an attempt to satisfy targets of and requirements for vehicle cybersecurity.
▪ Annex 2, 4.1: Security threats during information transmission can be addressed. The threats include false information intrusion, unauthorized modification to codes and data, session hijacking, replay attacks, unauthorized access to sensitive data, denial of service (DoS) attacks, access to vehicle privilege control, viruses, and malicious messages.

Legislations and Standards - Further UN Regulation Related Standards

GB Security technical requirements and test methods for automobiles (mandatory)
▪ Equivalent to R155
▪ Scope: Probably Passenger Cars (M+N)
▪ Status: In drafting, estimated to be published Q4 2022
▪ IDPS related requirements in current draft:
  ▪ Detection and prevention of cyberattacks on vehicles
  ▪ Monitoring capability
  ▪ Analysis of attempted or successful attacks

GB Cyber security technical requirements for vehicle software update system (mandatory)
▪ Equivalent to R156
▪ Scope: Probably Passenger Cars (M+N)
▪ Status: In drafting, estimated to be published Q4 2022
▪ IDPS related requirements in current draft:
  ▪ Security events regarding the update process must be logged

GB/T Road vehicles – Cybersecurity engineering
▪ Equivalent to ISO/SAE 21434
▪ Scope: not known yet
▪ Status: In drafting, estimated to be published in 2023
▪ IDPS related requirements in current draft:
  ▪ Not known yet

Legislation and Standards - Very specific: Gateway GB/T

▪ “Technical Requirements for Cybersecurity of Vehicle Gateway“
▪ Recommended standard, but could be made mandatory through regulations
▪ Status: In examination, estimated to be published end of 2021
▪ Scope: Cybersecurity vehicle gateway products
▪ Specifies explicit security requirements for CAN/CAN-FD and Ethernet Gateways, covered by an IDPS solution:

CAN
• Denial of Service (DoS) attack detection
• Signal value and DLC field validity check
• Data Frame transmission frequency
• Signal value plausibility
• “Normal” UDS channel detection

Ethernet
• A firewall or ACL (Access control list) should be used following default denial principle
• Denial of Service (DoS) attack detection
• Protocol state detection

http://www.catarc.org.cn/upload/202004/26/202004261535165624.pdf

Legislations and Standards - Further GB/T’s

GB/T Technical requirements for cybersecurity of remote service and management system for electric vehicles
▪ Scope: Electric Vehicles (category N)
▪ Status: In examination, estimated to be published end of 2021
▪ IDPS related requirements:
  ▪ For on-board interface:
  ▪ Determine to allow or refuse the access of data pack
  ▪ Carry out intrusion detection

GB/T Technical requirements for information security of electric vehicle charging system
▪ Scope: Electric Vehicles (category N)
▪ Status: In examination, estimated to be published end of 2021
▪ IDPS related requirements:
  ▪ Firewall/ACL for on-board unit network interface

GB/T General technical requirements for vehicle cybersecurity
▪ Scope: Intelligent Connected Vehicles (ICV)
▪ Status: In examination, estimated to be published end of 2021
▪ IDPS related requirements:
  ▪ The in-vehicle software system should have the ability to perceive the security events that it is attacked and perform responses
  ▪ In-vehicle communication system
  ▪ Border access control mechanisms
  ▪ Perceive abnormal messages

In-Vehicle IDPS Technologies: In a nutshell

In-Vehicle IDPS Technologies: Classification of In-Vehicle IDPS components

▪ In-vehicle distributed IDS: Collects security incidents, performs pre-analysis and communicates with the backend
▪ IDS Sensors: Identify security incidents on host and network level

Distributed vehicle IDS architecture
▪ IDS-CAN, IDS-ETH and ETH firewall act as smart sensors aggregating and pre-selecting potential security events (SEV) to enable a fast and correct analysis
▪ IDS-M collects, analyses, aggregates, persists, and reports raised security events to the IDS-R
▪ IDS-R reports the security events from the vehicle to the VSOC
▪ Host-based IDS for risk-based monitoring of ECUs

[Diagram: Vehicle Computer (e.g. AUTOSAR Adaptive), Telematics Control Unit and Gateway (e.g. AUTOSAR Classic), each with IDS Sensors and IDS-M; IDS-R on the Telematics Control Unit. Legend: CycurIDS-M; IDS for ETH, CAN; IDS-CAN; IDS-ETH; Host based IDS; Ethernet firewall]

In-Vehicle IDPS Technologies: Network IDS for CAN and CAN-FD

Monitor forwarded CAN traffic and detect potential attacks like e.g. messages injected by an attacker

Rule based and Machine learning based – supervised/un-supervised

Specify known good behavior and anomalies in terms of rules
▪ Take advantage of tremendous OEM invest in specification of in-vehicle communication
▪ Generate effective and efficient in-vehicle implementation

Sample detection features
▪ Observe message frequency to detect „message injection“
▪ Compare all messages on the buses with a whitelist to detect unspecified messages
▪ Detect malicious diagnostic requests while driving, e.g., detect attempts to shut down certain ECU

Configuration process
▪ Using vehicle CAN database information (DBC/ARXML files) for initial configuration and recorded CAN traffic (w/ and w/o anomalies) during simulation to fine-tune the configuration (reduce false-positives, improve detection rate).

[Diagram: Vehicle CAN communication and Vehicle CAN database information feed the IDS configuration (Config. parameters, IDS rule set); CAN traffic passes through the Gateway module; output is a Log file. Detected anomalies: frequency and diagnosis request]

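The three sample detection features listed above (frequency, whitelist, diagnostic requests while driving), plus the DLC validity check, as an added example that is not code from the presentation or from any ESCRYPT product. The rule set, CAN IDs, signal layout and frames are constructed for illustration; in practice the rules would be generated from the DBC/ARXML data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    ts_ms: int      # receive timestamp in milliseconds
    can_id: int
    data: bytes

# Constructed rule set standing in for DBC/ARXML-derived configuration.
# period_ms=None marks event-driven messages with no cycle time.
RULES = {
    0x1A0: {"dlc": 8, "period_ms": 10},    # hypothetical vehicle-speed message
    0x2C4: {"dlc": 8, "period_ms": 100},   # hypothetical body message
    0x7E0: {"dlc": 8, "period_ms": None},  # assumed diagnostic request ID
}
SPEED_ID = 0x1A0            # assumption: speed is bytes 0-1, big endian
DIAG_REQUEST_IDS = {0x7E0}
# UDS services that can take an ECU off the bus; denied while moving.
DENIED_WHILE_DRIVING = {0x11: "ECUReset", 0x28: "CommunicationControl"}

def detect(frames):
    """Return a list of (ts_ms, event, can_id) security events."""
    events, last_seen, speed = [], {}, 0
    for f in frames:
        rule = RULES.get(f.can_id)
        if rule is None:                      # whitelist check
            events.append((f.ts_ms, "UNKNOWN_ID", f.can_id))
            continue
        if len(f.data) != rule["dlc"]:        # DLC validity check
            events.append((f.ts_ms, "BAD_DLC", f.can_id))
            continue
        suspicious = False
        period = rule["period_ms"]
        if period is not None:                # frequency check
            prev = last_seen.get(f.can_id)
            # An extra frame well inside the cycle time indicates injection.
            if prev is not None and (f.ts_ms - prev) * 2 < period:
                events.append((f.ts_ms, "FREQ_TOO_HIGH", f.can_id))
                suspicious = True
            last_seen[f.can_id] = f.ts_ms
        # A frame that violated a rule must not update the vehicle state,
        # otherwise an injected "speed = 0" would disarm the next check.
        if f.can_id == SPEED_ID and not suspicious:
            speed = int.from_bytes(f.data[0:2], "big")
        if f.can_id in DIAG_REQUEST_IDS and speed > 0:
            pci = f.data[0]                   # ISO-TP single frame: 0x0L
            if pci >> 4 == 0 and (pci & 0x0F) >= 1:
                if f.data[1] in DENIED_WHILE_DRIVING:
                    events.append((f.ts_ms, "DIAG_WHILE_DRIVING", f.can_id))
    return events

def _speed(v):
    return v.to_bytes(2, "big") + bytes(6)

ECU_RESET = bytes([0x02, 0x11, 0x01, 0, 0, 0, 0, 0])

# Constructed trace: normal traffic with four anomalies mixed in.
SAMPLE_FRAMES = [
    Frame(0, 0x1A0, _speed(0)),
    Frame(5, 0x7E0, ECU_RESET),        # reset while standing: allowed
    Frame(10, 0x1A0, _speed(50)),
    Frame(20, 0x1A0, _speed(50)),
    Frame(22, 0x1A0, _speed(0)),       # injected frame inside the cycle
    Frame(30, 0x1A0, _speed(50)),
    Frame(33, 0x7E0, ECU_RESET),       # reset while driving
    Frame(35, 0x3FF, bytes(8)),        # ID not in the whitelist
    Frame(40, 0x1A0, _speed(50)),
    Frame(45, 0x2C4, bytes(4)),        # wrong DLC
]

if __name__ == "__main__":
    for ts, event, can_id in detect(SAMPLE_FRAMES):
        print(f"{ts:4d} ms  {event:<20} id=0x{can_id:03X}")
```
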
In-Vehicle IDPS Technologies: Network IDS Terminologies for Ethernet

▪ Firewall: blocks illegitimate communication to individual ECUs or to the entire network
▪ Router: enforces Ethernet communication flow
▪ Intrusion detection system: detects anomaly and creates intrusion report

Firewall
• Hard latency deadlines
• Clear identification of right and wrong messages is required
• Per ETH message: allow message, or drop message and create event report

Intrusion detection system
• No hard timing requirements
• Focus is on pattern/behaviour analysis
• Normal message flow continues; the Ethernet IDS timestamps ETH messages and creates an event report

In-Vehicle IDPS Technologies: Firewall for Ethernet

Inspect incoming/outgoing Ethernet messages and block or allow them within bounded latency

Maintain and enforce the separation of network segments using VLANs

Establishes and preserves communication domains on all layers of Ethernet and IP stack
▪ Stateless Packet filter
▪ Stateful Packet Inspection (SPI)
▪ Deep Packet Inspection (DPI)

Association of vehicle context to offer state aware policing

Communication policy enforcement based on authentic rule sets and allow both filters
▪ Whitelist – Only explicitly defined communication flows
▪ Blacklist – Prevent known attacks

[Figure: firewall function blocks: Firewall (Stateless), Firewall (Stateful), Deep Packet Inspection, Smart Charging, Prioritization (Fast vs Normal), Logging, Intrusion Detection System. Protocol stack by layer (Physical, Data, Network, Transport, Session, Presentation, Application) showing: 100(0) BASE-T1/TX; ISO 15118-3; MACsec (IEEE 802.1AE); Per Stream Filtering and Policing IEEE 802.1Qci; PNAC (IEEE 802.1X); VLAN (IEEE 802.1Q): Port, Tagged, Private, Subnet, Protocol; IP Version 4, 6; ARP/RARP; NDP; ICMP v4/v6; UDP, UDP/TCP; ISO 15118-2; ISO 15118-1; SOME/IP SD; DHCP v4/v6; PDU Filter; UDP-NM; Bonjour; HTTP(S); SecOC; IEEE 1722.1; HSFZ; gPTP (IEEE 802.1AS); DoIP; DNS; XCP; SSH; AVTP (IEEE 1722); RTP (IEEE 1733); DPI]

In-Vehicle IDPS Technologies: Network IDS for Ethernet

Monitor ethernet traffic and detect potential attacks by focusing on behavior analysis

Define all legal behavior
▪ Unauthorized message detection - data validation
▪ Access control - Malformed frame detection
▪ Whitelisting based on Packet header specification, stateful behavior of protocols such as TCP, timeouts, payload and higher-layer protocols information such as DoIP, SOME/IP etc.

State/context-aware whitelisting e.g. message to flash ECU not allowed when vehicle is running

Time-based statistical analysis
▪ message frequency/rate check
▪ very high or low message rate can define abnormal behavior
▪ rate of change of signal

Other checks like message size and message sequence etc.

Each packet anomaly detection level, by layer:
▪ Physical: Source/Destination switch port
▪ Link (Ethernet): Source/Destination MAC Address, VLAN TAG, EtherType, checksum calculation
▪ Network: IPv4/IPv6 header inspection, checksum calculation
▪ Transport: UDP header & TCP stateful inspection, checksum calculation
▪ Application: Example: SOME/IP inspection based on Service ID, Method ID, Length, Client ID, Method ID and payload, etc.; DoIP inspection based on protocol version, inverse protocol version, payload type, payload length, DoIP payload including UDS information etc.

[Figure: anomaly dimensions: Vehicle state, Time/rate, Sequence]

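The DoIP inspection fields and the state-aware rule above ("message to flash ECU not allowed when vehicle is running"), as an added example that is not code from the presentation or from any ESCRYPT product. The policy values (allowed versions, payload types, logical addresses) are constructed, and the input is assumed to be one complete DoIP message already reassembled from the TCP stream.

```python
import struct

# DoIP generic header: protocol version, inverse protocol version,
# payload type, payload length (8 bytes, big endian).
DOIP_HEADER = struct.Struct(">BBHI")
ROUTING_ACTIVATION_REQUEST = 0x0005
DIAGNOSTIC_MESSAGE = 0x8001

# Constructed whitelist policy for the tester-to-vehicle direction.
ALLOWED_VERSIONS = {0x02, 0x03}
ALLOWED_PAYLOAD_TYPES = {ROUTING_ACTIVATION_REQUEST, DIAGNOSTIC_MESSAGE}
ALLOWED_FLOWS = {(0x0E80, 0x1001)}   # (source, target) logical addresses

# UDS services that belong to a reprogramming sequence.
FLASH_SERVICES = {
    0x34: "RequestDownload",
    0x36: "TransferData",
    0x37: "RequestTransferExit",
}
PROGRAMMING_SESSION = bytes([0x10, 0x02])  # DiagnosticSessionControl

def inspect(message: bytes, vehicle_running: bool):
    """Return (allowed, reason) for one DoIP message."""
    if len(message) < DOIP_HEADER.size:
        return False, "truncated header"
    version, inverse, ptype, plen = DOIP_HEADER.unpack_from(message)
    if inverse != version ^ 0xFF:
        return False, "version/inverse mismatch"
    if version not in ALLOWED_VERSIONS:
        return False, "protocol version not whitelisted"
    payload = message[DOIP_HEADER.size:]
    if plen != len(payload):
        return False, "payload length mismatch"
    if ptype not in ALLOWED_PAYLOAD_TYPES:
        return False, "payload type not whitelisted"
    if ptype != DIAGNOSTIC_MESSAGE:
        return True, "ok"
    # Diagnostic message: source address, target address, UDS data.
    if len(payload) < 5:
        return False, "diagnostic message too short"
    source, target = struct.unpack_from(">HH", payload)
    if (source, target) not in ALLOWED_FLOWS:
        return False, "flow not whitelisted"
    uds = payload[4:]
    if vehicle_running:               # state/context-aware part of the rule
        if uds[0] in FLASH_SERVICES:
            return False, FLASH_SERVICES[uds[0]] + " while vehicle running"
        if uds[:2] == PROGRAMMING_SESSION:
            return False, "programming session while vehicle running"
    return True, "ok"

def build(ptype, payload, version=0x02):
    """Build a constructed DoIP message for the samples below."""
    return DOIP_HEADER.pack(version, version ^ 0xFF, ptype, len(payload)) + payload

def diag(uds, source=0x0E80, target=0x1001):
    return build(DIAGNOSTIC_MESSAGE, struct.pack(">HH", source, target) + uds)

# Constructed samples.
READ_VIN = diag(bytes([0x22, 0xF1, 0x90]))           # ReadDataByIdentifier
REQUEST_DOWNLOAD = diag(bytes([0x34, 0x00, 0x44]) + bytes(8))
ENTER_PROGRAMMING = diag(PROGRAMMING_SESSION)
UNKNOWN_FLOW = diag(bytes([0x22, 0xF1, 0x90]), target=0x9999)
BAD_INVERSE = bytes([0x02, 0x02]) + READ_VIN[2:]
BAD_LENGTH = READ_VIN + b"\x00"

if __name__ == "__main__":
    for name in ("READ_VIN", "REQUEST_DOWNLOAD", "ENTER_PROGRAMMING",
                 "UNKNOWN_FLOW", "BAD_INVERSE", "BAD_LENGTH"):
        print(name, inspect(globals()[name], vehicle_running=True))
```
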
In-Vehicle IDPS Technologies: Host Based IDS

Customized solution with the possibility to adapt to any scope of monitoring depending on security risk

Risk Based Security Monitoring of Automotive ECUs
▪ Analyze security of your system
▪ Harden your System
▪ Configure Standard Monitoring
▪ Identify, define & implement system specific monitoring points
▪ Collect, Aggregate & Report Events from different sources

Main targets: systems with rich operating systems and external interfaces, but also applicable for small ECUs

Example: monitoring network access, bluetooth monitoring, wireless monitoring, malware detection and filesystem & system call monitoring etc.

Selection of tools from a toolbox and exploitation of existing monitoring, logging, and security features of the system with possibility to integrate third party IDPS components

[Figure: Monitoring Process cycle: 1. Analyze, 2. Harden, 3. Configure, 4. Develop, 5. Appraise]

In-Vehicle IDPS Technologies: IDS Distribution Framework

Standard (AUTOSAR) compliant solution that is designed to be flexibly extended to cover any customer aggregation, persistence or reporting strategy

Comes in two parts:
▪ IDS-M: IDS manager component for deeply embedded ECUs and for larger platforms
▪ IDS-R: IDS reporter component

IDS Manager
▪ Aggregate security events on ECU, domain, zone or vehicle level
▪ Communicates security events to IDS Reporter or other Managers
▪ Persistent storage of security events on vehicle level, domain, zone or vehicle level

IDS Reporter
▪ Communicates security events to the Vehicle Security Operation Center

[Diagram: VSOC above an Adaptive AR ECU hosting IDS-R, IDS-M and IDS Sensors; below it a Classic AR ECU and an Adaptive AR ECU, each with IDS-M and IDS Sensors; legend: IDS, Firewall]

In-Vehicle IDPS Technologies: Insight into future zonal EE-architecture from In-Vehicle IDPS perspective

Firewall use-cases on:
▪ Vehicle computer/server
▪ Ethernet Switch
▪ End ECUs for applications like EV charging

Network IDS use-cases on:
▪ Vehicle computer/server
▪ Domain controllers
▪ End ECUs

IDS Manager use-cases on:
▪ Vehicle computer/server
▪ Domain controller
▪ End ECU

IDS reporter use-case on:
▪ Vehicle computer/server

Legend:
▪ M: IDS-M collects, aggregates, and persist the security events
▪ R: IDS-R reports the security events to the VSOC
▪ IDS for CAN and Ethernet
▪ Firewall for Ethernet
▪ Variant for deeply embedded ECUs, i.e., μCs with classic AUTOSAR or RTOS
▪ Variant for larger platforms i.e., μPs running adaptive AUTOSAR and/or some POSIX OS

[Diagram: Vehicle Computer/Server; Domain Controller/Zonal Gateways; ECUs A to E; Sensor/Actuator; Ethernet Switch; buses: Ethernet, LIN, CAN]

OEM IDPS Strategies: Typical challenges

OEM IDPS Strategies – There is a (widely accepted) silver bullet, but no easy path!

Most OEMs (esp. in EU & APAC) target a comprehensive (In-vehicle IDS + VSOC) IDPS approach, but still …
▪ … targeted scope of in-vehicle detection coverage (e.g. nIDS and/or hIDS) significantly differs
▪ … very different concepts for VSOC from “simple SIEM” to fully staffed 24/7 operational global VSOC
▪ … different implementation approaches (make/buy or managed service)

Typical challenges
▪ Lifetime service – IDPS components need to be up to date and VSOC operational until vehicle end of life
▪ Internal organization & supply chain – Which entity maintains IDPS & how to source in-vehicle IDS components
▪ Take an End2End view – Not only a technical challenge (integration), also legal, procedural and organizational issue
▪ Budget – Introduction of IDPS increases cost in development (licenses, engineering services), but esp. operation
▪ Support of legacy platforms – Any IDPS will require additional resources (hardly available in legacy systems)
▪ Technical expertise – Esp. in-vehicle intrusion detection technology is still quite a novel area

OEM IDPS Strategies – Some typical IDPS conversations

What data shall we gather? What does the data tell us?
▪ There is already a significant amount of data (logs, DTCs, statistics, …) collected from the fleet. Can this data also be used for IDPS use-cases? Surely, it depends! But they are certainly valuable for correlation w/ actual IDS events

How to reduce false-positives?
▪ First: False positives are, as long as they can be remedied during operations, no disaster!
▪ A good IDPS should support (tooling!) the mitigation of false positives as early as possible in the E2E detection chain (best case in the IDS sensor or the IDS-M, e.g. via a remote configuration update)

How to maintain IDPS over life-time?
▪ Enable your team to take care: Apply a transparent solution and get your team trained and involved
▪ Ensure transparent technology (no voodoo!) and be able to maintain the IDPS yourself (tooling!)

How to handle vehicle variants?
▪ There is a tradeoff between detection scope of an IDS and its robustness/coverage concerning vehicle variants
▪ In-vehicle IDS components (esp. nIDS) need to be able to automatically adjust to actual vehicle features

OEM IDPS Strategies – ESCRYPTs IDPS recommendation

▪ Don’t wait – Introduction of IDPS will be a huge endeavor
▪ Begin in good time - Make use of IDS in vehicle validation
▪ Collaborate & share – Prepare to contribute
  o Sharing of threat information across OEMs will help to remedy cybersecurity risks across the industry

Five (first) steps
1) Define/select, a comprehensive (vehicles, infrastructure, …) security monitoring solution
2) Conduct a risk-based security analysis of the relevant EE-Architecture(s) -> Make sure you realize automotive security best practice!
3) Based on i) define/select (a combination) of in-vehicle intrusion detection technologies
4) Realize the necessary infrastructure (source solutions directly or via your Tier1s, don’t forget your IT department!)
5) Train/prepare your organization for continuous monitoring, inspect and adapt regularly!

Conclusion and Outlook

Conclusion and Outlook: ACT now – to be ready in time and avoid costly quick fixes!

Many upcoming regulations and standards contain direct or indirect requirements referring to IDPS
▪ Examples: UN R155, multiple GB and GB/Ts in China
▪ Many OEMs start to adopt requirements from such legislation into their security specifications

IDPS: There is a silver bullet. But no easy path! But there is a manageable path

Your IDPS approach is specific to your EE-Architecture
▪ You need a flexible framework with different IDS sensors (to cover different technologies)
▪ Open interfaces, transparent technology and interoperability is key
▪ Whole IDPS approach needs to be defined in an E2E manner (from IDS sensor to VSOC and back)

As the whole industry shares the same challenges, we should also share and collaborate, to ensure the security of future automated and connected vehicles at affordable cost

Thank you. ESCRYPT GmbH Headquarters Wittener Straße 45 44789 Bochum Germany Phone: +49 234 43870-200 info@escrypt.com www.escrypt.com