© ZF Friedrichshafen AG Automotive Cybersecurity Validation Strategy 2020-12-10 | Nico Vinzenz | ZF Friedrichshafen AG

Automotive Cybersecurity Validation Strategy

Page 1: Automotive Cybersecurity Validation Strategy

Automotive Cybersecurity Validation Strategy

2020-12-10 | Nico Vinzenz | ZF Friedrichshafen AG

Page 2: Automotive Cybersecurity Validation Strategy

Why do we need an Automotive Validation Strategy?

Page 3: Automotive Cybersecurity Validation Strategy

Obligatory “Jeep in the ditch”-Picture

• Jeep Cherokee Hack

  ➢ 2015 by Miller and Valasek

Page 4: Automotive Cybersecurity Validation Strategy

But the List goes on...

Tesla (2015): Remote vehicle unlock and start

Nissan (2016): Remote instrument panel control

Hyundai (2017): Remote vehicle unlock and start

Mercedes-Benz (2019): Remote vehicle unlock and start

Page 5: Automotive Cybersecurity Validation Strategy

Emerging Challenge – V2X Connectivity

Page 6: Automotive Cybersecurity Validation Strategy

Emerging Challenge – AD Functionality

Page 7: Automotive Cybersecurity Validation Strategy

Emerging Challenge – E/E Architecture

Page 8: Automotive Cybersecurity Validation Strategy

Further Cybersecurity Challenges

• Lifetime of 15+ Years
• Hardware Restrictions
• Competitive Profit Margins
• Insecure Programming Languages

Page 9: Automotive Cybersecurity Validation Strategy

Agenda

01 Automotive Development Process

02 Security Validation Strategies

03 Practical Application

04 Reducing Risks in the Future

Page 10: Automotive Cybersecurity Validation Strategy

01 Automotive Development Process

Page 11: Automotive Cybersecurity Validation Strategy

Standard V-Model

• SYS.2 System Requirements Analysis
• SYS.3 System Architectural Design
• SYS.4 System Integration and Integration Test
• SYS.5 System Qualification Test
• SWE.1 Software Requirements Analysis
• SWE.2 Software Architectural Design
• SWE.3 Software Detailed Design and Unit Construction
• SWE.4 Software Unit Verification
• SWE.5 Software Integration and Integration Test
• SWE.6 Software Qualification Test

Page 12: Automotive Cybersecurity Validation Strategy

Cybersecurity V-Model

• Threat Analysis and Risk Assessment (TARA)
  ➢ Input: System Assets
  ➢ Output: Security Goals

• Security Validation Strategies
  ➢ Validate Security Goals

Page 13: Automotive Cybersecurity Validation Strategy

02 Security Validation Strategies

Page 14: Automotive Cybersecurity Validation Strategy

Overview

[Diagram label: TARA]

Page 15: Automotive Cybersecurity Validation Strategy

Overview

[Diagram labels: TARA; Functional Testing; Vulnerability Scanning; Fuzz Testing; Penetration Testing]

• Testing against the “known”
• Testing against the “unknown”

Page 16: Automotive Cybersecurity Validation Strategy

Functional Testing

• Requirement-based Approach
  ➢ Translate functional requirements into test cases
  ➢ Easy to find intended but not implemented behavior
  ➢ Hard to find implemented but not intended behavior

Page 17: Automotive Cybersecurity Validation Strategy

Functional Testing

[Diagram label: Intended Behaviour (Requirements)]

Page 18: Automotive Cybersecurity Validation Strategy

Functional Testing

[Diagram labels: Intended Behaviour (Requirements); Implemented Behaviour (Program Code)]

Page 19: Automotive Cybersecurity Validation Strategy

Functional Testing

[Diagram labels: Intended Behaviour (Requirements); Implemented Behaviour (Program Code); Easy: Positive Test Cases]

Page 20: Automotive Cybersecurity Validation Strategy

Functional Testing

[Diagram labels: Intended Behaviour (Requirements); Implemented Behaviour (Program Code); Easy: Positive Test Cases; Hard: Negative Test Cases]

Page 21: Automotive Cybersecurity Validation Strategy

Vulnerability Scanning

• Knowledge-DB Approach
  ➢ Static/dynamic code analysis finds weaknesses
  ➢ CVE-matching on Bill of Materials (BoM) finds vulnerabilities
  ➢ Port scanner finds configuration mistakes
  ➢ Oblivious to zero-day and product-unique exploits
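
CVE-matching on a BoM, as an added example that is not part of the original slides: the component names, versions and advisory identifiers are constructed placeholders, and the `[introduced, fixed)` range format is an assumption. Components with no advisory data are reported separately, because an empty match result says nothing about zero-day or product-unique issues.

```python
# Added example: match a Bill of Materials against a local advisory list.
# All component names, versions and advisory IDs below are constructed.

def parse_version(text):
    """Turn '4.10.1' into (4, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

# Constructed BoM: (component, version) pairs shipped in one ECU software release.
BOM = [
    ("examplessl", "1.0.2"),
    ("tinyxml-demo", "2.6.0"),
    ("can-stack-demo", "4.10.1"),
    ("bootloader-demo", "0.9.0"),
]

# Constructed advisories: the affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "component": "examplessl",
     "introduced": "1.0.0", "fixed": "1.0.3"},
    {"id": "CVE-PLACEHOLDER-0002", "component": "tinyxml-demo",
     "introduced": "2.0.0", "fixed": "2.5.1"},
    {"id": "CVE-PLACEHOLDER-0003", "component": "can-stack-demo",
     "introduced": "4.2.0", "fixed": "4.11.0"},
]

def match_bom(bom, advisories):
    """Return (findings, unknown): matched advisories and components without any data."""
    findings, unknown = [], []
    covered = {adv["component"] for adv in advisories}
    for name, version in bom:
        if name not in covered:
            unknown.append(name)          # the knowledge DB is blind here
            continue
        current = parse_version(version)
        for adv in advisories:
            if adv["component"] != name:
                continue
            low, high = parse_version(adv["introduced"]), parse_version(adv["fixed"])
            if low <= current < high:
                findings.append((name, version, adv["id"]))
    return findings, unknown

if __name__ == "__main__":
    hits, blind = match_bom(BOM, ADVISORIES)
    for name, version, adv_id in hits:
        print(f"{name} {version}: affected by {adv_id}")
    print("no advisory data (not the same as 'no vulnerabilities'):", blind)
```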

Page 22: Automotive Cybersecurity Validation Strategy

Fuzz Testing

• Testing into the Void
  ➢ Interface supplied with semi-valid data
  ➢ System monitored for suspicious behavior
  ➢ Can find unknown vulnerabilities
  ➢ Challenging to configure correctly and generate “evidence”

Page 23: Automotive Cybersecurity Validation Strategy

Fuzz Testing

[Diagram labels: Fuzz Testing Tool; Malformed Input; Interfaces; Software/System]

Page 24: Automotive Cybersecurity Validation Strategy

Fuzz Testing

[Diagram labels: Fuzz Testing Tool; Malformed Input; Interfaces; Software/System; External Instrumentation; In-band Instrumentation]

Page 25: Automotive Cybersecurity Validation Strategy

Fuzz Testing

[Diagram labels: Fuzz Testing Tool; Malformed Input; Interfaces; Software/System; Monitor; Feed-back Channel; External Instrumentation; In-band Instrumentation]
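
The fuzzing setup sketched on these slides, and the gap between positive and negative test cases from the Functional Testing slides, as an added example that is not part of the original deck. The handler `handle_request`, the payload and the reply rules are hypothetical; the in-band check is assumed to be a reply check on the fuzzed interface, and the external monitor is modelled as an exception handler.

```python
# Added example (not from the deck): deterministic fuzz loop against a toy handler.
# handle_request, VIN and the reply rules are hypothetical; the sample data is constructed.
SEED = bytes([0x22, 0xF1, 0x90])      # valid UDS ReadDataByIdentifier request, DID 0xF190
VIN = b"CONSTRUCTED-VIN-01"           # constructed payload

def handle_request(req):
    """Toy ECU handler. It passes the requirement-based test but never checks lengths."""
    if req[0] != 0x22:
        return bytes([0x7F, req[0], 0x11])     # negative response: serviceNotSupported
    did = (req[1] << 8) | req[2]
    if did == 0xF190:
        return bytes([0x62, req[1], req[2]]) + VIN
    return b""                                  # defect: unknown DID gets no reply at all

def mutations(seed):
    """Semi-valid inputs derived from one valid request."""
    for n in range(len(seed)):                  # truncated requests
        yield seed[:n]
    for i in range(len(seed)):                  # boundary value in each byte position
        for value in (0x00, 0xFF):
            yield seed[:i] + bytes([value]) + seed[i + 1:]
    yield seed + bytes(8)                       # oversized request

def check_reply(req, reply):
    """In-band check: the reply must be a well-formed negative or positive response."""
    if len(reply) == 3 and reply[:1] == b"\x7f" and reply[1:2] == req[:1]:
        return None
    if len(req) == 3 and reply[:3] == b"\x62" + req[1:3]:
        return None
    return "protocol violation"

def fuzz(target, seed):
    findings = []                               # feedback channel: input plus verdict
    for case in mutations(seed):
        try:
            reply = target(case)
        except Exception as exc:                # stands in for an external crash monitor
            findings.append((case.hex(), "crash: " + type(exc).__name__))
            continue
        verdict = check_reply(case, reply)
        if verdict:
            findings.append((case.hex(), verdict))
    return findings

if __name__ == "__main__":
    assert handle_request(SEED) == b"\x62\xf1\x90" + VIN   # positive test case passes
    for case_hex, verdict in fuzz(handle_request, SEED):
        print(f"{case_hex or '<empty>'}: {verdict}")
```

Each finding keeps the exact input that triggered it, which is what turns a fuzzing run into reproducible evidence.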

Page 26: Automotive Cybersecurity Validation Strategy

Penetration Testing

• Authorized Cyberattack
  ➢ Security expert tries all available techniques within scope
  ➢ Can find unknown vulnerabilities
  ➢ High demand on effort and expertise makes it expensive

Page 27: Automotive Cybersecurity Validation Strategy

Penetration Testing

Large Budget
• Multiple experts
• High-tech lab for SCA
• Months of work

Small Budget
• “Script kiddies”
• Generic vulnerability scanner/fuzzer
• Days of work

Page 28: Automotive Cybersecurity Validation Strategy

Iterative Process

• Iterative Process
  1. Findings flow back into the TARA
  2. Adaption of security goals and requirements
  3. Adaption of security validation strategies

[Diagram label: TARA]

Page 29: Automotive Cybersecurity Validation Strategy

03 Practical Application

Page 30: Automotive Cybersecurity Validation Strategy

Functional Testing

• Execute test cases on …
  ➢ SiL (Software in the Loop)
  ➢ HiL (Hardware in the Loop)

[Figure label: Hardware in the Loop (HiL)]

Page 31: Automotive Cybersecurity Validation Strategy

Vulnerability Scanning

[Diagram labels: Developer PC; Static/Dynamic Code Analysis; BoM CVE-Matching]

Page 32: Automotive Cybersecurity Validation Strategy

Vulnerability Scanning

Incident Response Process
• Interface to supplier and “Responsible Disclosure” researcher
• PSIRT (Product Security Incident Response Team) ensures appropriate reaction

Page 33: Automotive Cybersecurity Validation Strategy

Fuzz Testing

Software Unit Fuzzing
• X.509 certificates
• Custom written parser
• Data input
• Config files

System Interface Fuzzing
• CAN (FD)
• UDS
• Ethernet Stack
• IP, TCP, TLS/DTLS

Page 34: Automotive Cybersecurity Validation Strategy

Penetration Testing

[Diagram labels: Project; Project Start; Start of Production; Functional; Security Features]

Page 35: Automotive Cybersecurity Validation Strategy

Penetration Testing

[Diagram labels: Project; Project Start; Start of Production; Functional; Security Features]

Page 36: Automotive Cybersecurity Validation Strategy

04 Reducing Risks in the Future

Page 37: Automotive Cybersecurity Validation Strategy

Reducing Risks in the Future

• Upcoming regulation
  ➢ UNECE WP.29 and ISO/SAE 21434
• CEP (Cybersecurity Engineering Process)
• Holistic Cybersecurity Concept
• LTS (Long Time Support)

Page 38: Automotive Cybersecurity Validation Strategy

Thank you! Questions?

ZF Friedrichshafen AG reserves all rights regarding the shown technical information including the right to file industrial property right applications and the industrial property rights resulting from these in Germany and abroad.