11 October 2018
TLP Green: May be shared within the Auto-ISAC Community.

Master of Ceremony (Summit MC): Steven Center
Vice President, Connected & Environmental Business Development, American Honda Motor Co., Inc.
Executive Board Member, Board of Directors of the American Honda Foundation
Executive Board Member, Los Angeles County Economic Development Corporation
Executive Board Member, College of Business Administration Advisory Board, San Diego State University
Past Positions:
Vice-President of the Acura Division at American Honda
Founder of the eBusiness Division at American Honda
Chief Marketer at American Honda
Guest lecturer at Stanford University, New York University, San Diego State University, and more
Education:
Master of Business Administration from University of Southern California
Bachelor of Science in Economics, Finance, and Business Administration from University of New York
Keynote Speaker: Heidi King
Deputy Administrator of the National Highway Traffic Safety Administration
Past Positions:
Global Director of Environmental Risk at General Electric (GE)
Senior Manager of Management Science at Pfizer Inc.
Chief Economist on the House Committee on Energy and Commerce
Regulatory Policy Analyst, White House's Office of Management and Budget (OMB)
Emergency Medical Technician for the Chatham Emergency Squad
California State Park Ranger
Education:
California Institute of Technology
University of California, Irvine
Hi All,
Please find attached the Weekly Automotive Industry Report covering April 3 to April 8.
This week's report includes articles on:
Toyota partnering with Microsoft on a new cloud-based division led by the CIO,
Intel acquiring a semiconductor manufacturer that builds chips for self-driving cars,
Hyundai unveiling its connected vehicle "roadmap," and
Toyota planning to open a new autonomous vehicle research center in Michigan.
You can find past reports on site.
Please let me know if you have any questions. Have a great weekend.

Incident Response Panel – Who's on First?
Auto-ISAC Summit, Detroit, MI, September 25-26, 2018
Meet the Moderator: Geoff Wood
Current Position: Director, Business Development North America, Automotive Cyber Security – HARMAN
Vice Chair of Auto-ISAC Affiliate Advisory Board
Past Positions:
Director of Sales for Atmel's Automotive Business in the Americas
Global Sales Director at Freescale Semiconductor
Leadership and Engineering for International Rectifier, Mitsubishi Semiconductor and the US Navy
Education: Bachelor of Science in Electrical Engineering at Grand Valley State University

Meet The Panelists
Panelist: John Felker
Current Position: Director, National Cybersecurity and Communications Integration Center (NCCIC)
Past Positions:
Director of Cyber and Intelligence Strategy for HP Enterprise Services
Deputy Commander of Coast Guard Cyber Command and Commander of U.S. Coast Guard Cryptologic Group
Executive Assistant to the Director of Coast Guard Intelligence
Education:
Bachelor of Science at Ithaca College
Master of Arts in Public Administration from the Maxwell School of Citizenship and Public Affairs at Syracuse University
Panelist: Robert Kaster
Current Position: Senior Technical Expert at Robert Bosch LLC
Cybersecurity Leader of regional cross-divisional team at Robert Bosch LLC
Auto-ISAC 2018 Supplier Affinity Group Chair
Past Positions:
Engineer at Chrysler designing powertrain controllers
Space Physics Research Lab at U of M
Education: Bachelor of Science in Electrical Engineering and Computer Science from the University of Michigan
Panelist: Nick Reddig
Current Position: GM Product Cybersecurity Incident Response Coordinator
Vice-Chair of Auto ISAC's Information Sharing Standing Committee
Past Positions: Cyberthreat Intelligence Analyst at the U.S. Department of Defense
Education:
M.S. Strategic Intelligence (National Intelligence University)
Advanced Computer Security Certificate (Stanford University)
Panelist: Kristie Pfosi
Current Position: Automotive Cyber Security Senior Manager, Mitsubishi Electric Automotive America
Past Positions:
Global Vehicle Cyber Security Governance & Communications Lead at Fiat Chrysler Automobiles (FCA)
Senior Program Manager at MAHLE Powertrain, LLC, a powertrain consulting company that works with OEMs, upfitters, start-ups, government organizations, and others
Education: Bachelor of Science in Mechanical and Electrical Engineering, Kettering University
Incident Response Panel – Who's on First? Panelists
Geoff Wood (Moderator), Director Business Development, HARMAN
Kristie Pfosi, Senior Manager, MEAA
Robert Kaster, Senior Tech. Expert, BOSCH
John Felker, Director, NCCIC
Nick Reddig, Intelligence Analyst, GENERAL MOTORS
Audience Questions?
10/11/2018 Red Balloon Security Proprietary - Do Not Distribute
Dr. Ang Cui, CEO & Chief Scientist, Red Balloon Security

About Us
Dr. Ang Cui
Embedded Security Researcher
PhD, Columbia University
DARPA/USAF/NAVY/DHS Funded Researcher
Chief Executive Officer, Red Balloon Security
Brief Historical Context
Hands-on automotive exploitation
Automotive Security Problems
Automotive Embedded Security Problems
Embedded Security Solutions

1991, on the future of antivirus:
Scannell, Ed. "Central Point Software Poised for Expansion." InfoWorld 14 Jan. 1991: 30. Print.
Project GUNMAN v1: 1980s Tech, Declassified in Jan 2011
2017: https://www.youtube.com/watch?v=U3QXMMV-Srs&vl=en
2006 Style!
https://academiccommons.columbia.edu/catalog/ac:153271
1903 Style!
2015
2011
https://recon.cx/2016/resources/slides/RECON-0xA-A_Monitor_Darkly.pdf
https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-BADFET.pdf
McNamara: Our nukes are locked down!
SAC: Yes they are. The password is 00000000
2016
2008
2008
What did we learn?
1. Defend against attackers from the future, not the past.
1.1 Security will be valued as a premium feature, not just as insurance.
2. Convert: Abstract Security Problem -> Concrete Security Problem. Do it yourself, at least once.
https://sandbox.redballoonsecurity.com
What did we learn?
3. Cheat!
• Use past strategies to guide future design
• Don't repeat past mistakes/pitfalls
• Borrow security solutions from other verticals
What did we learn?
Suppose we had the solution to automotive security. Didn't we also just solve:
ICS security
Telecommunications security
Energy/Utilities security
Aviation/Mobility security
EMBEDDED security
https://academiccommons.columbia.edu/download/fedora_content/download/ac:208420/content/Cui_columbia_0054D_12978.pdf
Cheat!
• Security inside the endpoint. We will all eventually get there. Let's start now.
• Host-based defense in DEPTH. No single XYZ will save you, XYZ={linux, trustzone, tpm, sgx, uefi, etc}
Cheat!
Attestation is better than Verification
Knowing is better than Guessing
Mitigating is better than Detecting
Defense in Depth is better than Isolation
This technology already exists.
Red Balloon Security is:
Universally Compatible Endpoint Security For Every Embedded Device
• OS-agnostic, no source-code required, binary injection into firmware
• Full-spectrum host-based runtime attestation & mitigation for all embedded systems
• Largest third-party embedded security vendor in the world
• Tested, Red Teamed and Deployed within DoD/USG
• Drives HP printing security today
• 25 Billion hours of continuous error-free operation
HP Announces World's Most Secure Printers: http://www8.hp.com/us/en/hp-news/press-release.html?id=2083105#.Wc1NqBNSx
Not just technology. We helped transform an industry.
From First Symbiote Paper Publication to Product
From 0 to 1 Million Symbiote Devices In the World
Hours of Symbiote operation without a single documented failure
Featured Speaker: Amy Chu
Senior Director, Automotive Cybersecurity at HARMAN
Past Positions:
Director of Program Management for HARMAN
Various leadership and Engineering roles while working for Magna Electronics and Tellabs, Inc.
Education: Bachelor of Science in Electrical Engineering from Michigan State University

© 2018 HARMAN INTERNATIONAL INDUSTRIES, INCORPORATED
Tier 1 Vulnerability Management Through Information Sharing
Amy Chu, Sr. Director, Automotive Cybersecurity
[email protected] | +1-248-631-9257
Outline
Introduction
Automotive Culture
Tier 1 Landscape & Challenges
Case Studies (1, 2, 3)
Conclusion
Introduction (1999 to 2018)
Electrical Engineer
Audio Amplifiers
Rear Cameras
Audio Systems
Infotainment Innovation R&D
Cybersecurity

AUTOMOTIVE CULTURE
Automotive Culture: COMPLIANCE
Automotive Culture: RISK MANAGEMENT
Vulnerability Management – Sharing is Caring?
Identify
Triage
Remediate
Track
Respond

Tier 1 Landscape: A Complex Supply Chain
Cybersecurity Teams want to share, but…
LEGAL: IP Protection; NDA; Contractual obligations
CORPORATE COMMUNICATIONS: Corporate Image; Communications strategy; Government Relations; Public Affairs
PRODUCT DELIVERY TEAM & SALES: Customer Relationship; Resource limitations; Timing of SW patches; Challenges sharing within a global organization
OPERATIONS: Material Procurement; Supplier Quality; Compliance; Contractual Commitments
Automotive Culture + Cybersecurity
SECURITY
AUTOMOTIVE

A Look Into the Future: Protecting the Autonomous Vehicle
Organizational Approach for Global Teams
Global Security Center:
Community of Practice
Awareness & Training
Incident Response
Vulnerability Management
Policy, Process & Governance
Product Security Teams:
Security Requirements & Threat Analysis
Secure Design & Implement
Security Validation & Testing
Security Sign-Off

VULNERABILITY SHARING: CASE STUDIES
CASE #1: CRISIS MANAGEMENT
SCENARIO (Reactive Mode): Researcher finds vulnerability; OEM handles without Tier 1 involvement; Tier 1 reacts to public disclosure.
CHALLENGE: Large global companies still on the learning curve.
CONCLUSION: Tier 1 situational awareness could have prevented alarm.
CASE #2: CONTROLLED SHARING
SCENARIO (Controlled Reactive Mode): Researcher finds vulnerability; OEM handles with Tier 1 involvement; Tier 1 notified in advance of public disclosure.
CHALLENGE: Global Teams still on the learning curve.
CONCLUSION: Even limited sharing improved response.
CASE #3: COORDINATED DISCLOSURE
SCENARIO (Multiple Supplier Tiers involved in coordinated disclosure of remediation): Tier 1 finds vulnerability in Tier 2 product; Coordination with Tier 2 for remediation & sharing; Update shared through Auto ISAC portal.
CHALLENGE: Multiple OEMs affected; Multiple Tier 1s affected.
CONCLUSION: Auto ISAC was a useful channel to guide all parties & build trust.
SUMMARY
Key Takeaways
1. Awareness is not enough – we must build alliance
2. Building trust and continued sharing across the automotive ecosystem is paramount
3. Practice!

THANK YOU
[email protected]
Cyber Training & Research Panel: Cyber Talent is the Fuel for Safe Modern Transportation – So Where is the Gas Station?
Auto-ISAC Summit, Detroit, MI, September 25-26, 2018
Meet the Moderator: Karl Heimer
Sr. Technical Advisor for Cybersecurity to Michigan Auto Office and Michigan Defense Center
Owner/Founder of Heimer & Associates
Member, Government Fleet Manager's Steering Committee for Cybersecurity
Member and/or Advisor to several corporate and educational boards
Past Positions:
Sr. Research Director for Cybersecurity, Battelle
Division Manager, Sparta (cybersecurity products and services for US Government organizations, provably secure products)
Sr. Program Manager, Lockheed Martin (cybersecurity red team, security test and validation lead)
US Army, OIC for US Army Counterintelligence Cyber-forensics Lab (and other roles)
Education: M.S., Computer Science

Meet The Panelists
Panelist: Urban Jonson
Current Position: Chief Technology Officer; other role: Program Manager of NMFTA Heavy Vehicle Cyber Security Program
Current Interests:
Heavy vehicle cybersecurity
Cybersecurity talent development
Autonomous cyber defense of complex systems
Past Experiences: Over 30 years of experience in information technology and complex systems, including 20 years as an IT Director and CTO
Panelist: Jeremy Daily
Current Position: Associate Professor of Mechanical Engineering, University of Tulsa
Founder of Synercon Technologies, LLC
Past Positions:
Director of University of Tulsa's Crash Reconstruction Research Consortium
Co-founder of the CyberTruck Challenge
Certified Professional Engineer
Education:
Ph.D. Mechanical Engineering
M.S. Mechanical Engineering
Panelist: Dave Schippers
Current Position: Assistant Professor and Department Chair of Technology Programs at Walsh College
Professional investigator and cybersecurity professional specializing in digital investigations and information security
Past Experiences:
Industry Director of Technology and Information Security Leader supporting 25 sites, 3 organizations and thousands of users
Large core system design and QA/QC for testing and system implementation
Education:
M.S. Information Systems Management – Advanced Certification
B.S. Information Security & Intelligence, Digital Forensics Concentration
Panelist: Doug Wylie
Current Position: Director, Industrials & Infrastructure Practice Area, SANS INSTITUTE
Directs industry-focused programs and operations that facilitate best-in-class cybersecurity workforce development and training programs.
Past Positions:
VP, Product Security Strategy for an industrial software company
Director, Product Security & Risk Management, Rockwell Automation
Education and Honors:
Recognized by the White House for contributions to EO13636 and the NIST Cybersecurity Framework (CSF)
Recognized with the "SANS People Who Made a Difference in Cybersecurity" award in 2013
CISSP (435349); Numerous International Patents; Bachelor of Science Business Administration (BSBA)
Cyber talent is the fuel for safe modern transportation – so where is the gas station?
Panelists
Karl Heimer (Moderator), Sr. Technical Advisor for Cybersecurity to Michigan Auto Office and Michigan Defense Center
Jeremy Daily, Associate Professor of Mechanical Engineering, University of Tulsa
Urban Jonson, Chief Technology Officer & Program Manager of Heavy Vehicle Cyber Security, NMFTA
Doug Wylie, Director, Industrials & Infrastructure Business Portfolio, SANS Institute
Dave Schippers, Assistant Professor and Department Chair of Technology Programs, Walsh College
Audience Questions?
Future Workforce Demonstration: Elaina Farnsworth
CEO of The NEXT Education
Serves as Lead Consultant to Michigan Automotive and Defense Cyber Awareness Team (MADCAT)
Director of Global Communications by the Board of Directors of the International Connected Vehicle Trade Association (CVTA)
Past Recognitions:
2017 Rule Breaker Award Winners
2015 Techweek100: Top Tech Leaders in Detroit
2014 Crain's Detroit 40 under 40
2013 Elite 40 under 40
Demonstration
Tuesday Reception
STF Leader: Doug Longhitano
Summit Task Force Quadrant Leader, Vulnerability Management & Incident Response
Current Position: Manager for Connected and Automated Vehicle Policy at American Honda Motor Co., Inc.
Past Positions:
Safety Research Manager at the Product Regulatory Office of American Honda
Safety Engineer at Honda R&D Americas
Education:
Master of Science degree in Mechanical Engineering from The Ohio State University
Bachelor of Science degree in Mechanical Engineering from Case Western Reserve University