I attended and spoke at escar Asia (embedded security in cars) the last two days in Tokyo. Obviously the Miller/Valasek Jeep hack was referenced in almost every session and gave the event a sense of urgency.
There were some very positive developments in the auto community including a number of programs, such as escrypt or JASPAR, to add authentication to the CAN protocol and projects to segment the auto the car’s network to restrict communication between modules. This is a much faster response than seen in other sectors with the same problems. The issue is will these projects move from research / pilots to being deployed in new cars in 3 or 4 years.
I couldn’t get that Die Hard “Welcome to the party, pal” line out of my head over the two days as I heard the auto sector beginning to internalize the realities of the situation and deal with the challenges that other sectors have been trying to tackle for the past decade.
My presentation, see below, focused on facts and lessons learned from 15 years of ICS security in other sectors and how they compare to the present situation and recommended path for the auto sector.
A few items I found interesting:
- There was literally no focus on the back end. The conference focused on the security in the car, but we know the big win would be to attack the back end where the vendor or service provider has a server authorized to communicate with a fleet of vehicles. While this is a better known problem and solution, we saw from the Progressive example that the same lack of concern to security of this closed system can exist on the server side with much greater consequences.
- The “100 million lines of code” in your car was repeated over and over with the corresponding stats of vulnerabilities per 100 lines of code. I couldn’t help but thinking of bloat. Are 100 million lines of code necessary? With the additional functionality being planned are we looking at 500 million lines of code in the 2020 models? This is not an informed opinion, just an observation.
- The auto industry discussion of safety is very different than the safety integrated systems (SIS) we see in a typical ICS. Safety in the auto sector appears to be a control system feature that increases passenger and vehicle safety rather than an independent system deployed to prevent catastrophes. They are also focused on mapping their safety techniques to security or finding some way to integrate them. Unfortunately ISA99/IEC 62443 found this to be difficult, and as to date impossible, due to the fact that security has to deal with an attacker rather than a statistically model.
- The key management for some of the component to component authentication in an auto will be an interesting and important challenge. The auto sector should be bringing in crypto and protocol experts to do this. Relying on extremely smart auto talent reading NIST and other documents could lead to a big failure. I’m far removed from my cryptanalyst and banking security standards days, but I do remember that crypto and security protocol work is hard.
If you are in or near Tokyo, you should put escar Asia on your conference list. It’s a strong event.