www.cranfield.ac.uk
Dr Hongmei He
Cybersecurity & Privacy of Connected Autonomous Vehicles
Outline
Cyber-Physical System (CPS) vs. IoT
Benefits and Cyber Threats in IoT
Classic Cyber Attacks and Cyber Intelligence
Security of Modern Vehicles
NIST Framework of CPS Trustworthiness
Privacy of CAVs
What is a Cyber Physical System?
Cyber-Physical Systems (CPS): integrations of computation, networking, and physical processes. Embedded computers and networks monitor and control the physical processes, with feedback loops where physical processes affect computations and vice versa.
https://ptolemy.berkeley.edu/projects/cps/
Cyber-Physical Systems
Examples:
A smart grid,
A self-driving car,
A smart manufacturing plant,
An intelligent transportation system,
A smart city, and
Internet of Things (IoT) instances connecting new devices for new data streams and new applications.
The Framework for Cyber-Physical Systems, released by the NIST CPSPWG on May 26, 2016
Figure: CPS levels (device, system, system-of-systems) across the human, cyber and physical domains.
Internet of Things (IoT)
Internet of Things: the technology enabling the inter-connection of all types of devices through the internet to exchange data, optimize processes and monitor devices in order to generate benefits for industry, the economy, and the end user. It is composed of a network of sensors, actuators, and devices, forming new systems and services.
CPS and IoT
Figure: cyber-space nodes C1, C2, ..., Cn and physical-space nodes P1, P2, ..., Pn. The IoT (for ubiquitous connection) links them through the Internet; the CPS (for harmonious interaction) couples cyber space with physical space.
Cyber Space: C = C1 ∨ C2 ∨ … ∨ Cn
Physical Space: P = P1 ∨ P2 ∨ … ∨ Pn
CPS vs. IoT: Motion Activated Light
Figure: the signal chain Sensors (INs/OUTs) → Communication Channel (Network) → Aggregator (Fusion) → Computation (e-utility) → Decision (Software) → Actuators (INs/OUTs), driven by a Model of Motion. The CPS spans the whole chain from physical input to physical output; the IoT scope of research covers the networked middle of the chain.
Framework Schema: Phys-Log-Log-Log-Log-Phys (physical interaction at the two ends, logical interaction between the stages)
Testbed: Experiment, Measurement and Assurance
Challenges: Interoperability, Composition and Composition Types, Trustworthiness, etc.
Internet of Things (IoT)
Benefits
Real time information and management
Improvement of data exchange and communications
Improvement of productivity
Improvement of decision making
Business intelligence supported by big data
Increased market competitiveness
Threats
The boundary of an enterprise is disappearing; hence, the risk landscape becomes unbounded.
Integrating IT capabilities into manufacturing organisations and systems implies incorporating IT vulnerabilities.
Various vulnerabilities open the doors to cyber crime, hacktivism, risks, and threats.
Exploitation and abuse of networks and Internet technologies.
IoT Security Threat Map
Top 10 Cyber Attacks
A cyberattack is any type of offensive maneuver:
Who: individuals or whole organizations
Targets: computer information systems, infrastructures, computer networks, and/or personal computer devices
Methods: various means of malicious acts
Source: an anonymous source that either steals, alters, or destroys a specified target by hacking into a susceptible system.
---wiki
The ten attack types: DoS & DDoS, MitM attack, (Spear) Phishing attacks, Drive-by download attack, Password attack, SQL injection attack, Eavesdropping attack, Birthday attack, Malware attack, XSS attack.
DoS & DDoS: a DoS attack overwhelms a system's resources so that it cannot respond to service requests; a DDoS attack is launched from a large number of other host machines that are infected by malicious software controlled by the attacker.
MitM attack: occurs when a hacker inserts themselves between the communications of a client and a server. Examples: session hijacking, IP spoofing, replay.
(Spear) Phishing attack: the practice of sending emails that appear to be from trusted sources with the goal of gaining personal information or influencing users to do something. Techniques: social engineering, malware attached to email, links to illegitimate websites.
Drive-by download attack: a common method of spreading malware. Hackers look for insecure websites and plant a malicious script into the HTTP or PHP code on one of the pages.
Password attack: obtaining a password by looking around the person's desk, "sniffing" the connection to the network to acquire unencrypted passwords, using social engineering, gaining access to a password database, or outright guessing.
SQL injection attack: occurs when a malefactor executes a SQL query against the database via the input data sent from the client to the server.
Eavesdropping attack: occurs through the interception of network traffic. By eavesdropping, an attacker can obtain passwords, credit card numbers and other confidential information that a user might be sending over the network. Eavesdropping can be passive or active.
Birthday attack: made against hash algorithms that are used to verify the integrity of a message, software or digital signature. It refers to the probability of finding two random messages that generate the same message digest (MD) when processed by a hash function.
Malware attack: malicious software (malware) can be described as unwanted software that is installed in your system without your consent: macro viruses, file infectors, system or boot-record infectors, polymorphic viruses, stealth viruses, logic bombs, worms, droppers, ransomware, adware, spyware.
XSS attack: cross-site scripting (XSS) attacks use third-party web resources to run scripts in the victim's web browser or scriptable application.
https://blog.netwrix.com/2018/05/15/top-10-most-common-types-of-cyber-attacks/
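The birthday attack entry above says a collision is a matter of probability; the arithmetic behind that is what decides how long a digest must be. The following is an added worked example (not code from the deck or the cited blog): it computes the birthday bound for an n-bit digest and then demonstrates it on SHA-256 truncated to 16 bits, a constructed stand-in for a short hash. Function names and the 8-byte random messages are my own choices.

```python
"""Birthday-bound arithmetic for hash collisions (added example, not from the deck).

Shows why digest length, not just hash quality, determines how many random
messages must be hashed before two share a digest, and demonstrates it on
SHA-256 truncated to a small number of bits (the truncation is a constructed
stand-in for a short hash; full SHA-256 is not weakened here)."""
import hashlib
import math
import os


def collision_probability(bits: int, k: int) -> float:
    """Probability that at least two of k random messages share an n-bit digest,
    using the standard approximation 1 - exp(-k(k-1) / (2 * 2^n))."""
    space = 2.0 ** bits
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * space))


def messages_for_probability(bits: int, p: float) -> int:
    """Approximate number of random messages needed to reach collision probability p."""
    space = 2.0 ** bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def truncated_digest(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(msg): a constructed short hash for the demo."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, max_tries: int = 1_000_000):
    """Hash random messages until two distinct ones share a truncated digest.
    Returns (tries, msg_a, msg_b), or None if max_tries is exhausted."""
    seen = {}  # digest -> first message that produced it
    for tries in range(1, max_tries + 1):
        msg = os.urandom(8)
        d = truncated_digest(msg, bits)
        if d in seen and seen[d] != msg:
            return tries, seen[d], msg
        seen[d] = msg
    return None


if __name__ == "__main__":
    for n in (16, 32, 64, 128, 256):
        print(f"{n:3d}-bit digest: ~{messages_for_probability(n, 0.5):.3e} messages "
              f"for a 50% collision chance")
    result = find_collision(16)
    if result:
        tries, a, b = result
        print(f"16-bit demo: collision after {tries} messages, "
              f"{a.hex()} and {b.hex()} share digest {truncated_digest(a, 16):#06x}")
```

The table the script prints is the defender's takeaway: a 64-bit digest falls to a few billion hashes, which is why integrity checks and signatures use 256-bit digests, where the same 50% point sits near 2^128 messages.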
Layer Specific Attacks on CPS
Create Cyber Threat Intelligence in Enterprises
Figure: an audit loop driven by Security Objectives. Possible Audit Actions, in sequence: Identify threat agents to be covered → Identify threats originating from agents → Identify relevant assets/vulnerabilities → Remove vulnerabilities → Find implemented security controls → Check the efficiency of security controls → Analyse/Plan/Implement corrective actions.
To Mitigate Cyber-Threats
Techniques
• To install/update security tools
• To update systems with advanced security techniques
• To secure traditional protocols (e.g. CAN bus in vehicles) (security by design)
Human
• To improve security awareness of manufacturing operators
• To improve human capacity in cyber security
• To improve the performance of incident response
Strategies
• To create security metrics of enterprises in terms of security objectives
• To develop integrated strategies and counter-measures based on existing cyber intelligence tools.
Standards
Cybersecurity Standards
• North American Electric Corporation (NERC) cybersecurity standards for electric systems
• NERC is authorized to enforce compliance with these standards, and expects all electric utilities to be fully compliant with them
NIST (National Institute of Standards and Technology)
• SP 800-53 – "Security and Privacy Controls for Federal Systems and Organizations", the guideline for security best practices which federal agencies should meet
• Guide to industrial control systems security
ISA (International Society of Automation)
• ISA SP99: A security standard to be used in manufacturing and general industrial controls
ETSI (European Telecommunications Standards Institute)
• SCADA – Supervisory Control And Data Acquisition
• Standardization efforts with respect to access control and key management in wireless sensor networks
A 4G in-Vehicle Solution
https://www.zcomax.co.uk/4g-in-vehicle-networking.html
Modern & Future Automobiles
Highly computerised, with wireless interfaces: improving safety and efficiency
Figure: components and interfaces of a modern car: Telematics, DASH, Engine Control, Lighting system, Brake Control, Wheel Sensor, Internal Wired Computer Network, Diagnostic Port, Other Cars, XM/FM/AM Radio, Remote Door Lock/Unlock and Car Start, Cellular, Bluetooth, Wireless Tire Pressure Sensor.
TED: Security vulnerability, threats and attacks in real world, Avi Rubin, Johns Hopkins University.
Modern & Future Automobiles
Key question: What could attackers do if they obtain access to a car’s internal network?
An Example: JEEP HIJACKED BY HACKERS
Two American researchers and a journalist, July 2015
Demonstration of remotely taking control of a connected vehicle: stopping the vehicle at 63 mph, taking control of the steering.
Hackers penetrate directly into the information systems ……
https://www.youtube.com/watch?v=ysAam9Zmdv0
Software Security Is Not Keeping Pace with Technology in the Auto Industry
Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices
Firewalls and Gateways -- Most Common Security Controls Incorporated into Vehicles.
Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices
A typical Architecture of a Modern Vehicle
Jonathan Petit and Steven E Shladover. Potential cyberattacks on automated vehicles. IEEE Transactions on Intelligent Transportation Systems, 16(2):546–556, 2015
Networks and Challenges [2]
Intra-Vehicle Network
Vehicle-to-Vehicle Communication
Vehicle-to-Cloud Communication
Vehicle-to-Roadside Infrastructure Communication
[2] Shusuke Morimoto, Cybersecurity in Autonomous Vehicles, Carnegie Mellon University, Technical Report · May 2017, DOI: 10.13140/RG.2.2.31503.23207
Attack Vectors on CAVs
Advantages of Integrating Security into Product Development (Security By Design) [3]
Integrating security concepts into product design achieves higher security than applying security controls post production.
Risks and vulnerabilities are identified early, and appropriate security controls can be applied.
This is a vastly more efficient way to apply limited cybersecurity resources and normalizes cybersecurity costs as a critical piece of the product development discipline.
[3] Shusuke Morimoto, Fang Wang, Ranchao Zhang, Jinghui Zhu, Cybersecurity in Autonomous Vehicles, Technical Report, 2017
AI for Intrusion Detection [3]
Acceptance Model of CAVs
NIST CPS Framework Facets
Figure: the framework matrix. Facets (columns): Conceptualization, Realization, Assurance. Aspects (rows): Functional, Business, Human, Trustworthiness, Timing, Data, Boundaries, Composition, Lifecycle. Activities and Artifacts per facet: Conceptualization – Use Case, Requirements, … producing a Model of a CPS; Realization – Design / Produce / Test / Operate producing the CPS; Assurance – Argumentation, Claims, Evidence producing CPS Assurance. Domains: Manufacturing, Transportation, Energy, Healthcare, . . .
Towards Trustworthiness of CPS Functions
A secure, privacy protected CAN BUS Message may consist of these properties:
{Trustworthiness.Security.Cybersecurity.Confidentiality.Encryption.AES, Trustworthiness.Privacy.Predictability.Controls.Authorization.OAuth}
Figure: applying Aspects/Concerns to a CPS Function/Feature generates 'Properties' (examples: AES, OAuth, Redundant Torque Request for ASIL>QM). The Trustworthiness aspect breaks down into the concerns Safety, Reliability, Security, Resilience and Privacy; Security into Cyber Security and Physical Security, with Confidentiality, Integrity and Availability; Privacy into Predictability, Manageability and Dissociability, with Controls, Transparency and Innovation; the SME taxonomies supply the leaf properties (Encryption, Authorization). Functional Safety concerns: Severity, Frequency, Controllability, Hazard.
Safety "Properties" of a Function: Auto Emergency Braking (AEB)
AEB – vehicle provides automated collision safety function
AEB – vehicle provides/maintains safe stopping
AEB – braking function reacts as required
AEB – friction function provides appropriate friction
AEB – stopping algorithm provided safe stopping
AEB – distance and speed info is understood by braking function
AEB – messaging function receives distance to obstacles and speed from propulsion function
Applying CPS Framework to Decomposition
Figure: Business Case → Use Case ('feature') → Apply Aspects/Concerns → Functional Decomposition/Allocation → Generate System Properties, down to constituent CPS (Therm, HVAC, Sensor). CPS/Function Types: Physical, Logical; interactions carried as Msg, Info, Influence, Energy.
(NIST-SAE) Applying CPS Framework to Autonomous Vehicles
Figure: two parallel tracks, owners in brackets.
Automotive Trustworthiness Framework:
Enumerate, define, document Automotive System Trustworthiness Concerns [NIST/SAE/OEM]
Enumerate, define, document Automotive System Properties [NIST/SAE/OEM]
Define Mapping of System Properties to Assurance Processes (standards, etc.) [SAE/OEM]
DRAFT System Trustworthiness Report and integrate into J3061 [SAE/OEM]
Update Automotive System Development Process [SAE/OEM]
Automotive Trustworthiness Testbed Pilot:
Go/No-Go: Evaluate potential for Pilot
Specify Automotive UCEF Testbed with SIM-Wrappers and Configuration [NIST/SAE/OEM]
Select targeted Use Cases (Automotive Systems) and Test Cases [NIST/SAE/OEM]
• Models and Simulations • Experiment Design • Run and Publish [SAE/OEM]
Annotate System Trustworthiness Report [SAE/OEM]
Optional follow-on [NIST/SAE/OEM]: Evaluate potential for additional CPS Aspects beyond Trustworthiness → Repeat above for selected Aspects → Extend Automotive CPS Framework Model → Go/No-Go
UML Model of Framework Realization
CPS Facets FacetClass
Aspects and Concerns AspectClass
Data Generated by CAVs
Sensor Generated Data
Increasing Sensitive Data in CAVs
Who Wants the Data in CAVs?
Automakers
• The most precious data a connected car can provide is on driver behaviour and usage information.
• To teach driverless cars how to drive, thus building an autonomous vehicle that can safely drive on roads, capable of dealing with any unexpected situation.
Manufacturers of infotainment centers
• Scrape customers' data through apps, such as GPS records, music, home address, emails, contact numbers, online footprints, etc.
• Discover new patterns or the preferences of customers to help improve the performance of infotainment systems.
Insurance companies
• May pay good money to find out more about the driving habits of users, as the driving record could prove whether the driver is (not) a professional driver.
• Cars still allow human driving, even in the age of fully automated cars.
The third parties
• Collect data through dongles that connect to a port in a car for data analysis, to discover new information or any pattern from the raw data.
• Improve performance of traffic management or performance of the CAV.
Hackers
• By tapping into a CAV, a hacker could control the vehicle remotely.
• The personal information taken from CAVs could be sold or leaked to the public.
Risk and Reward of Car Data Sharing
GDPR
GDPR Compliance
Automakers' Responsibility for GDPR Compliance
Need to ensure they can keep using data without violating the data rights of their customers.
Explicit customer permission is a core principle in GDPR. Auto-makers need to ensure that connected car data is not captured, processed and shared without a customer proactively opting in.
This is one of the privacy challenges for auto-makers and manufacturers of infotainment systems of CAVs.
Connected Car initiatives have driven manufacturers to ask customers to sign a Connected Car Privacy Policy as part of their account set up.
The negotiation between privacy and CAVs could run for a certain period.
Two Categories of Data
• data that can be used for customer intelligence
• data that constitutes personally identifiable information (PII).
Personally Identifiable Information (PII)
PII is any information about an individual maintained by an agency, including
1) any information that can be used to distinguish or trace an individual’s identity, such as
name, social security number, date and place of birth, mother’s maiden name, or
biometric records;
2) any other information that is linked or linkable to an individual, such as medical,
educational, financial, and employment information.
Defined by National Institute of Standards and Technology (NIST)
Stakeholders in the Lifecycle of CAVs and Ecosystems
Privacy should be taken into account throughout the whole engineering process, implementing appropriate technical and organisational measures at each stage.
Auto-makers and other stakeholders of CAVs or CAV ecosystems must secure data at every stage of the value chain.
CAV Privacy by Design (PbD)
Data types, size, period, storage
How much data should be collected? As little as possible.
How long should the data be stored? For as short a time as possible.
Which kinds of data from a CAV or a CAV service belong to PII?
How should the data be stored? Should personal data be separated from other data?
CAV Privacy by Design (PbD)
Data Access & GDPR Compliance
How does data access comply with regulation (e.g. GDPR)? GDPR places restrictions on the design solution of CAVs or CAV ecosystems during development.
What internal policies or strategies with privacy implications need to be developed?
How can the data be shared with external parties without violating privacy? For example, when a third party intends to use second-hand CAV data for other purposes, the data retrieval system should be able to automatically hide sensitive or personal data.
A warning should be provided to customers, indicating what kinds of personal data will be collected and how they will be used. Hence, the system should not collect or process data before getting the customers' consent.
A Connected Car Privacy Policy, aligned with GDPR or other regulation, should be automatically produced, and customers should be allowed to sign it as part of their account set up, as all IT services do.
CAV Privacy by Design (PbD)
Transparent activities
Create a dynamic data flow showing the data processing activities: where the data is held, where and how it is transferred, and how the data is processed, etc.
An appropriate and structured review process should be in place that involves the relevant stakeholders, including product development teams, connected-car teams and legal departments.
The system should provide an interaction allowing customers to delete their personal data, or to change their agreement on data collection and processing; the system will then automatically remove the personal data as the customers require.
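The three Privacy by Design slides above (data minimisation and retention, consent before collection and redacted sharing with third parties, and deletion on a customer's request) describe one set of controls. The following is an added example, not code from the deck or from any manufacturer: it implements those controls for a CAV telemetry store. The field names, the two processing purposes, the 30-day retention period and the sample record are constructed placeholders; the consent registry, keyed pseudonym and data-flow log are my own design choices.

```python
"""Privacy-by-design controls for CAV telemetry (added example, not code from the deck).

Field names, purposes and retention period are constructed placeholders, not any
manufacturer's schema. The pattern is: consent before collection, minimisation per
purpose, a retention limit, PII kept apart from telemetry, pseudonymised export,
erasure on withdrawal, and a data-flow log for transparency."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

# Direct identifiers in the sense of the NIST PII definition (constructed field names).
DIRECT = {"vin", "owner_name", "owner_email", "phone"}

# Data minimisation: each processing purpose may only ever see these fields.
PURPOSE_FIELDS = {
    "safety_diagnostics": {"driver_id", "timestamp", "speed_kph", "brake_pressure", "battery_soc"},
    "insurance_scoring": {"driver_id", "timestamp", "speed_kph", "brake_pressure", "gps_lat", "gps_lon"},
}


@dataclass
class ConsentRegistry:
    """Purposes each driver has explicitly opted in to (GDPR opt-in, not opt-out)."""
    purposes: dict = field(default_factory=dict)  # driver_id -> set of purposes

    def grant(self, driver_id: str, purpose: str) -> None:
        self.purposes.setdefault(driver_id, set()).add(purpose)

    def revoke(self, driver_id: str, purpose: str) -> None:
        self.purposes.get(driver_id, set()).discard(purpose)

    def allows(self, driver_id: str, purpose: str) -> bool:
        return purpose in self.purposes.get(driver_id, set())


class TelemetryStore:
    def __init__(self, consent: ConsentRegistry, retention: timedelta, pseudonym_key: bytes):
        self.consent = consent
        self.retention = retention
        self.key = pseudonym_key
        self.personal = {}   # driver_id -> identity record, stored apart from telemetry
        self.telemetry = []  # minimised operational records only
        self.flow_log = []   # transparency: (action, purpose, detail)

    def register_driver(self, driver_id: str, identity: dict) -> None:
        self.personal[driver_id] = {k: v for k, v in identity.items() if k in DIRECT}

    def collect(self, record: dict, purpose: str) -> bool:
        """Keep a minimised copy of `record` only if the driver consented to `purpose`."""
        driver = record["driver_id"]
        if not self.consent.allows(driver, purpose):
            self.flow_log.append(("refused", purpose, driver))
            return False
        kept = {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}
        kept["_purpose"] = purpose
        self.telemetry.append(kept)
        self.flow_log.append(("collected", purpose, sorted(kept)))
        return True

    def purge_expired(self, now: datetime) -> int:
        """Enforce the retention period; returns the number of records removed."""
        cutoff = now - self.retention
        before = len(self.telemetry)
        self.telemetry = [r for r in self.telemetry if r["timestamp"] >= cutoff]
        removed = before - len(self.telemetry)
        self.flow_log.append(("purged", "retention", removed))
        return removed

    def pseudonym(self, driver_id: str) -> str:
        """Keyed hash, so a recipient cannot rebuild the mapping by hashing guessed ids."""
        return hmac.new(self.key, driver_id.encode(), hashlib.sha256).hexdigest()[:16]

    def export_for_third_party(self, purpose: str) -> list:
        """Release records for `purpose` with direct identifiers dropped, the driver id
        pseudonymised and GPS coarsened to one decimal degree (roughly 10 km)."""
        out = []
        for r in self.telemetry:
            if r["_purpose"] != purpose:
                continue
            shared = {k: v for k, v in r.items() if k not in DIRECT and k != "_purpose"}
            shared["driver_id"] = self.pseudonym(r["driver_id"])
            for k in ("gps_lat", "gps_lon"):
                if k in shared:
                    shared[k] = round(shared[k], 1)
            out.append(shared)
        self.flow_log.append(("exported", purpose, len(out)))
        return out

    def erase_driver(self, driver_id: str) -> int:
        """Consent withdrawal / erasure: drop identity, telemetry and all consents."""
        self.personal.pop(driver_id, None)
        before = len(self.telemetry)
        self.telemetry = [r for r in self.telemetry if r["driver_id"] != driver_id]
        for purpose in list(self.consent.purposes.get(driver_id, ())):
            self.consent.revoke(driver_id, purpose)
        self.flow_log.append(("erased", "withdrawal", driver_id))
        return before - len(self.telemetry)


if __name__ == "__main__":
    consent = ConsentRegistry()
    consent.grant("drv-1", "safety_diagnostics")
    store = TelemetryStore(consent, timedelta(days=30), b"constructed-demo-key")
    sample = {"driver_id": "drv-1", "vin": "VIN-PLACEHOLDER", "speed_kph": 50, "brake_pressure": 3.2,
              "battery_soc": 80, "gps_lat": 52.0721, "gps_lon": -0.6275,
              "timestamp": datetime(2024, 1, 31, tzinfo=timezone.utc)}
    store.collect(sample, "safety_diagnostics")
    store.collect(sample, "insurance_scoring")  # refused: no opt-in for this purpose
    for entry in store.flow_log:
        print(entry)
```

The flow log is the "dynamic data flow" the slide asks for: every collection, refusal, purge, export and erasure is recorded with its purpose, so a review involving the legal and connected-car teams can reconstruct what happened to the data without reading the code.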
Thank you very much for your attention!