Connected vehicles will communicate vast amounts of sensitive data over networks, but securing these systems faces unique challenges. Hackers could potentially cause accidents, track drivers, or disable safety features. The automotive industry lacks the security expertise of IT, and adding security slows development. However, vehicle-to-vehicle communication shows promise for accident prevention if privacy and security are prioritized through new protocols, like changing identifiers frequently while authenticating messages through a certificate management system. Governments are now mandating security standards for connected cars to address these risks.
Securing future connected vehicles and infrastructure
Slides from a keynote I gave at AZ Infragard. Since this was a keynote, I tried to dazzle the audience by talking more about technology and portraying security only as part of the underlying architecture of cognitive autonomous systems.
Will Future Vehicles Be Secure?
There is active work within the automotive community to build security into the future connected and highly autonomous vehicles and several organizations are working on cybersecurity standards. Is it going to be enough to secure future vehicles?
Join me to explore the intricacies of securing cyber-physical systems. Challenge the notion that today's tools and best practices are enough to protect connected vehicles and transportation infrastructure. Finally, discover what the industry can do to take security research to the next level and ensure a safe, secure future of transportation.
In the last few years there have been increasing interest in security of modern vehicles with several high profile demonstrations of controlling breaking and steering of a vehicle remotely across large distances. A modern vehicle already consists of up to 100 ECUs and has 100 million lines of code and the complexity is only expected to increase. There have already been suggestions that we will see 300 million lines of code in a vehicle in 5 years. With the growth in complexity we will also see growth of the attack surface. Comparing to other digital or digitized industries such as datacenters, PC, mobile, Industrial Control Systems, automobiles have not yet been actively exploited, however vulnerabilities already have bene demonstrated by security researchers and when that happens such vulnerabilities quickly get weaponized opening door to consistent exploits. With the vehicles that weigh several tons and move such proposition is very scary and there is pressing need to advance security technology to prevent malicious actors from endangering human life.
Learning Outcomes:
Understand vehicle ECU and network architecture and challenges securing Highly Automated and Connected Vehicles
Describe modern end-to-end security architecture for connected vehicles
Understand evolution of the future security technologies
This document provides an overview of key topics in automotive software and security:
1. Cars now contain over 1 gigabyte of software code due to increasing automation, connectivity and data analytics capabilities.
2. As vehicles become more connected and automated, software complexity and security risks will continue growing substantially over the next 10-20 years.
3. Developing highly reliable and secure automotive software requires addressing challenges across computing, embedded systems, and functional safety.
1) Autonomous vehicles require balancing supercomputing complexity, real-time performance, and functional safety.
2) Cyber-physical systems rely on four pillars: connectivity, monitoring, prediction, and self-optimization.
3) Ultra-reliable systems require qualities like self-healing, where the system can autonomously change its structure to maintain behavior despite failures.
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
Dragos, Inc. was notified by the Slovak anti-virus firm ESET of an ICS tailored malware on June 8th, 2017. The Dragos team was able to use this notification to find samples of the malware, identify new functionality and impact scenarios, and confirm that this was the malware employed in the December 17th, 2016 cyber-attack on the Kiev, Ukraine transmission substation which resulted in electric grid operations impact. This report serves as an industry report to inform the electric sector and security community of the potential implications of this malware and the appropriate details to have a nuanced discussion
This document discusses security and safety requirements for Intel systems. It describes performing threat analysis and risk assessment (TARA) along with hazard analysis and risk assessment (HARA) to define security and safety goals. Additionally, it proposes adding security mechanisms such as checking for file tampering and application trust when monitoring graphics systems to protect against threats.
The Top 20 Cyberattacks on Industrial Control Systems
Executive Summary
No industrial operation is free of risk, and different industrial enterprises may legitimately have different “appetites” for certain types of risks. Evaluating cyber risk in industrial control system (ICS) networks is difficult, considering their complex nature. For example, an evaluation can consider (explicitly or implicitly) up to hundreds of millions of branches of a complex attack tree modelling of cyberattacks interaction with cyber, physical, safety and protection equipment and processes. This paper was written to assist cyber professionals to understand and communicate the results of such risk assessments to non-technical business decision-makers.
This paper proposes that cyber risk be communicated as a Design Basis Threat (DBT) line drawn through a representative “Top 20” set of cyberattacks spread across a spectrum of attack sophistication. These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. Many industrial cyber risk practitioners will find the list useful as-is, while expert practitioners may choose to adapt the list to their more detailed understanding of their own sites’ circumstances.
Systems architecture with the functional safety/security emphasis
Systems Architecture with the Functional Safety-Security emphasis
I was asked to give a talk on the unification of Functional Safety (FuSa) and Security for which I replied that two disciplines cannot be viewed separately from Systems Engineering. Instead of talking about safety/security interop, I explained how to build complex systems and how these systems fail. Only when you understand that we do not know how to build absolutely reliable systems and that eventually anything you create fails, you can understand how to add reliability and security mechanisms to your solutions. The summary of the presentation is:
Envision how your solution will be operated
Design for maintainability
Add safety concept
Add security mechanisms
Build for failure
When it comes to Software Defined Networking (SDN) Security there are two sides of the story. This webinar addresses both sides – what security vulnerabilities exist in modern SDN technologies and how SDN technologies can create new security protections. Also included are use cases that SDN solutions can provide and the new applications of SDN that can secure modern enterprise and data center environments.
Presented by GTRI CTO, Scott Hogg, in a webinar on June 9, 2016. For more information, visit http://www.gtri.com/.
This document contains a CISSP CBK review exam with 55 multiple choice questions covering various topics in cybersecurity. Some of the questions test knowledge of risk management, access controls, cryptography, security operations and incident response. The exam is assessing understanding of fundamental cybersecurity concepts as defined in the Common Body of Knowledge for the CISSP certification.
This presentation provides overview about the different threat modeling approach with examples from Automotive. This presentation was given in IEEE VTS Event on 4 Sep - "Safe and Secure Automotive" Workshop
This document summarizes a CISSP mentor program session on security assessment and testing. It includes a 10 question quiz on topics like regression testing, fuzzing, static vs dynamic testing, and types of penetration testing. It also discusses a scenario about hiring a security firm to conduct a security assessment and penetration test of a bank's new web application. Key points covered include using a "flag" file instead of real data in a penetration test, the benefits of partial knowledge vs zero knowledge tests, and the proper response if an active compromise is discovered during a test.
Kaspersky researchers have been monitoring the activity of APT actors, cybercriminals and hacktivists currently involved in the conflict in Ukraine. During this webinar, the Global Research and Analysis Team (GReAT) will share their findings on the most recent cyberattacks targeting Ukraine and present their observations, analysis and top findings.
- The types of attacks that have been targeting Ukraine for the past few months
- The results of analysis on destructive attacks and malware (HermeticWiper, etc...)
- How organizations can defend themselves against cyberattacks
GReAT, Kaspersky’s Global Research and Analysis Team, consists of 40 researchers based around the world that work on uncovering APTs, cyberespionage campaigns, major malware, ransomware and underground cybercriminal trends across the world.
This document provides an overview of various tools that can be used for hardware hacking and analysis. It discusses tools for tasks like information gathering, device teardown, interface monitoring and analysis, and firmware extraction. Specific tools covered include oscilloscopes, logic analyzers, protocol analyzers, the Bus Pirate, USB-to-serial adapters, software defined radios, soldering equipment, device programmers, debug tools, and imaging equipment like x-rays and electron microscopes. Examples are given of how several of these tools have been used in past hardware analyses and attacks. The document concludes by encouraging the reader to set up a hardware hacking lab and collaborate with others to stay up-to-date on new tools and techniques.
Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analys...
This document proposes an analysis contracts approach to address inter-domain vulnerabilities in cyber-physical systems. It describes analyzing a braking subsystem to determine sensor trustworthiness and secure control. Formal analysis contracts specify inputs, outputs, assumptions and guarantees for failure mode analysis, trustworthiness analysis and secure control analysis. The contracts approach aims to verify analyses are correctly executed to prevent vulnerabilities introduced offline from being exploited online. Future work includes developing richer behavioral and probabilistic contracts and validating the approach on other systems.
Presentation slides presented by Cody Thomas and Christopher Korban at x33fcon 2018 about how to jumpstart your purple teaming with the MITRE ATT&CK framework, and accompanying Adversary Emulation Plans
Ed Adams, CEO of Security Innovation joins forces with Neil Lakomiak of Underwriters Laboratories and Doug Pluta of Cisco to discuss the Internet of Things (IoT) from a safety and security perspective. From an executive panel presentation at Connected Security Expo 2016
BSides SF, February 2014: http://www.securitybsides.com/w/page/70849271/BSidesSF2014
Duo's Zach Lanier (@quine) & Mark Stanislav (@markstanislav) on IoT (Internet of Things) security, announcing http://BuildItSecure.ly
The document discusses mobile commerce (m-commerce) and security perspectives. It defines m-commerce as commerce conducted on mobile devices, which is growing rapidly and expected to reach $700 billion by 2017. The document outlines the m-commerce ecosystem and various security challenges at each layer from infrastructure to applications. It emphasizes the importance of end-to-end security and compliance with the PCI security standard to help protect users and businesses in the complex mobile commerce space.
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
1) The document discusses decentralized applications (dApps) and compares their security to web applications.
2) dApps have some security advantages like being undestroyable and transactions being cryptographically signed. However, expectations of their security do not always match reality due to vulnerabilities.
3) The document introduces SCSVS, the Smart Contract Security Verification Standard, which provides a checklist similar to OWASP ASVS for securing dApps across the entire software development lifecycle.
This document discusses safety considerations for next-generation autonomous vehicles and how RTI's data distribution service (DDS) middleware can help address them. DDS ensures reliable data availability in real-time across complex systems, facilitates integration of diverse components, and enables flexible deployment. Its use of a common data model simplifies safety certification processes.
What is IoT (Internet of Things)
Is Canada falling behind IoT
Security
Issues facing IoT
ISP Speed Canada
Business Climate / Canada
Groups / Partnerships
Market Update
Hacking your Connected Car: What you need to know NOW
Cars these days are 90% controlled by electronics and 10% using mechanics. The average new car already contains around 20 individual processors to monitor and control various functions — everything from the transmission’s shift points to the operation of the defroster — with about 60 megabytes of software code.
Many new cars are as “wired” as a home office — with onboard GPS navigation and wireless communications networks including Bluetooth, Wi-Fi or Internet run on Embedded OS's which run on converged Electronics to control these actions.
What if modern car’s onboard electronics be “hacked” or infected by a computer virus introduced through a wireless device that might corrupt or disable or controlled by a Hacker sitting at home?
The software does come with built in security but this is not enough and there is a need to offer a full Security package along with Car to guarantee Car's security. Life of people is more important than a gadget and people will pay and buy this package with a new car or upgrade to ensure that their car is not hacked by Hackers to malfunction or be used for other pervert interests.
This document discusses using JavaScript for Internet of Things (IoT) applications. It describes IoT as physical objects embedded with electronics, software and sensors that can collect and exchange data. It provides examples of IoT use cases and discusses common IoT protocols, sensors, embedded software tools and platforms. It also covers topics like security, communicating with microcontrollers using Firmata and building IoT projects with Johnny-Five and Node-RED.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
Visualizing Threats: Network Visualization for Cyber Security
How Cyberflow Analytics have used KeyLines’ network visualization functionality to develop the next generation of cyber security analytics platform – built for the scope and scale of the Internet of Things.
This document summarizes the key findings of a survey conducted by the Ponemon Institute regarding automotive cybersecurity. Some of the main points from the survey include:
- There is a growing concern among automakers and suppliers that hackers are actively targeting modern connected vehicles. However, organizations are not prioritizing security.
- A lack of skilled security personnel and pressure to meet deadlines are hindering secure development practices. Cryptography use and legacy systems are also issues.
- While security responsibility is unclear, respondents believe the most challenging aspects of securing vehicles are the expenses involved, the time added to development, and lack of formal requirements and policies.
This document provides an overview of certificate management protocols for 1609.2 certificates used in vehicle-to-everything (V2X) communication. It describes the terminology, topology, interfaces, and lifecycles involved in issuing and managing different types of certificates within the Security Credential Management System (SCMS). The document outlines the processes for enrolling to receive certificates, requesting operational certificates, downloading certificates, and handling revocation. It also discusses the ASN.1 module structure used to specify the protocols and packet data units for each interface.
RSAC 2021 Spelunking Through the Steps of a Control System HackDan Gunter
An industrial control system was hacked through a multi-stage attack. An attacker first spearphished a user to gain access to the network. They then used remote desktop and remote access software to access the HMI and manipulate control points, disrupting industrial processes. The attack demonstrated tactics like phishing, credential dumping, lateral movement, and control manipulation. Improving security monitoring, hardening systems, limiting access, and increasing user awareness could help prevent similar attacks.
Securing future connected vehicles and infrastructureAlan Tatourian
Slides from a keynote I gave at AZ Infragard. Since this was a keynote, I tried to dazzle the audience by talking more about technology and portraying security only as part of the underlying architecture of cognitive autonomous systems.
Will Future Vehicles Be Secure?
There is active work within the automotive community to build security into the future connected and highly autonomous vehicles and several organizations are working on cybersecurity standards. Is it going to be enough to secure future vehicles?
Join me to explore the intricacies of securing cyber-physical systems. Challenge the notion that today's tools and best practices are enough to protect connected vehicles and transportation infrastructure. Finally, discover what the industry can do to take security research to the next level and ensure a safe, secure future of transportation.
In the last few years there have been increasing interest in security of modern vehicles with several high profile demonstrations of controlling breaking and steering of a vehicle remotely across large distances. A modern vehicle already consists of up to 100 ECUs and has 100 million lines of code and the complexity is only expected to increase. There have already been suggestions that we will see 300 million lines of code in a vehicle in 5 years. With the growth in complexity we will also see growth of the attack surface. Comparing to other digital or digitized industries such as datacenters, PC, mobile, Industrial Control Systems, automobiles have not yet been actively exploited, however vulnerabilities already have bene demonstrated by security researchers and when that happens such vulnerabilities quickly get weaponized opening door to consistent exploits. With the vehicles that weigh several tons and move such proposition is very scary and there is pressing need to advance security technology to prevent malicious actors from endangering human life.
Learning Outcomes:
Understand vehicle ECU and network architecture and challenges securing Highly Automated and Connected Vehicles
Describe modern end-to-end security architecture for connected vehicles
Understand evolution of the future security technologies
This document provides an overview of key topics in automotive software and security:
1. Cars now contain over 1 gigabyte of software code due to increasing automation, connectivity and data analytics capabilities.
2. As vehicles become more connected and automated, software complexity and security risks will continue growing substantially over the next 10-20 years.
3. Developing highly reliable and secure automotive software requires addressing challenges across computing, embedded systems, and functional safety.
1) Autonomous vehicles require balancing supercomputing complexity, real-time performance, and functional safety.
2) Cyber-physical systems rely on four pillars: connectivity, monitoring, prediction, and self-optimization.
3) Ultra-reliable systems require qualities like self-healing, where the system can autonomously change its structure to maintain behavior despite failures.
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...Muhammad FAHAD
Dragos, Inc. was notified by the Slovak anti-virus firm ESET of an ICS tailored malware on June 8th, 2017. The Dragos team was able to use this notification to find samples of the malware, identify new functionality and impact scenarios, and confirm that this was the malware employed in the December 17th, 2016 cyber-attack on the Kiev, Ukraine transmission substation which resulted in electric grid operations impact. This report serves as an industry report to inform the electric sector and security community of the potential implications of this malware and the appropriate details to have a nuanced discussion
Functional Safety and Security process alignmentAlan Tatourian
This document discusses security and safety requirements for Intel systems. It describes performing threat analysis and risk assessment (TARA) along with hazard analysis and risk assessment (HARA) to define security and safety goals. Additionally, it proposes adding security mechanisms such as checking for file tampering and application trust when monitoring graphics systems to protect against threats.
The Top 20 Cyberattacks on Industrial Control SystemsMuhammad FAHAD
Executive Summary
No industrial operation is free of risk, and different industrial enterprises may legitimately have different “appetites” for certain types of risks. Evaluating cyber risk in industrial control system (ICS) networks is difficult, considering their complex nature. For example, an evaluation can consider (explicitly or implicitly) up to hundreds of millions of branches of a complex attack tree modelling of cyberattacks interaction with cyber, physical, safety and protection equipment and processes. This paper was written to assist cyber professionals to understand and communicate the results of such risk assessments to non-technical business decision-makers.
This paper proposes that cyber risk be communicated as a Design Basis Threat (DBT) line drawn through a representative “Top 20” set of cyberattacks spread across a spectrum of attack sophistication. These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. Many industrial cyber risk practitioners will find the list useful as-is, while expert practitioners may choose to adapt the list to their more detailed understanding of their own sites’ circumstances.
Systems architecture with the functional safety/security emphasisAlan Tatourian
Systems Architecture with the Functional Safety-Security emphasis
I was asked to give a talk on the unification of Functional Safety (FuSa) and Security for which I replied that two disciplines cannot be viewed separately from Systems Engineering. Instead of talking about safety/security interop, I explained how to build complex systems and how these systems fail. Only when you understand that we do not know how to build absolutely reliable systems and that eventually anything you create fails, you can understand how to add reliability and security mechanisms to your solutions. The summary of the presentation is:
Envision how your solution will be operated
Design for maintainability
Add safety concept
Add security mechanisms
Build for failure
SDN Security: Two Sides of the Same CoinZivaro Inc
When it comes to Software Defined Networking (SDN) Security there are two sides of the story. This webinar addresses both sides – what security vulnerabilities exist in modern SDN technologies and how SDN technologies can create new security protections. Also included are use cases that SDN solutions can provide and the new applications of SDN that can secure modern enterprise and data center environments.
Presented by GTRI CTO, Scott Hogg, in a webinar on June 9, 2016. For more information, visit http://www.gtri.com/.
This document contains a CISSP CBK review exam with 55 multiple choice questions covering various topics in cybersecurity. Some of the questions test knowledge of risk management, access controls, cryptography, security operations and incident response. The exam is assessing understanding of fundamental cybersecurity concepts as defined in the Common Body of Knowledge for the CISSP certification.
This presentation provides overview about the different threat modeling approach with examples from Automotive. This presentation was given in IEEE VTS Event on 4 Sep - "Safe and Secure Automotive" Workshop
This document summarizes a CISSP mentor program session on security assessment and testing. It includes a 10 question quiz on topics like regression testing, fuzzing, static vs dynamic testing, and types of penetration testing. It also discusses a scenario about hiring a security firm to conduct a security assessment and penetration test of a bank's new web application. Key points covered include using a "flag" file instead of real data in a penetration test, the benefits of partial knowledge vs zero knowledge tests, and the proper response if an active compromise is discovered during a test.
A look at current cyberattacks in UkraineKaspersky
Kaspersky researchers have been monitoring the activity of APT actors, cybercriminals and hacktivists currently involved in the conflict in Ukraine. During this webinar, the Global Research and Analysis Team (GReAT) will share their findings on the most recent cyberattacks targeting Ukraine and present their observations, analysis and top findings.
- The types of attacks that have been targeting Ukraine for the past few months
- The results of analysis on destructive attacks and malware (HermeticWiper, etc...)
- How organizations can defend themselves against cyberattacks
GReAT, Kaspersky’s Global Research and Analysis Team, consists of 40 researchers based around the world that work on uncovering APTs, cyberespionage campaigns, major malware, ransomware and underground cybercriminal trends across the world.
Tools Of The Hardware Hacking Trade FinalPriyanka Aash
This document provides an overview of various tools that can be used for hardware hacking and analysis. It discusses tools for tasks like information gathering, device teardown, interface monitoring and analysis, and firmware extraction. Specific tools covered include oscilloscopes, logic analyzers, protocol analyzers, the Bus Pirate, USB-to-serial adapters, software defined radios, soldering equipment, device programmers, debug tools, and imaging equipment like x-rays and electron microscopes. Examples are given of how several of these tools have been used in past hardware analyses and attacks. The document concludes by encouraging the reader to set up a hardware hacking lab and collaborate with others to stay up-to-date on new tools and techniques.
Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analys...Ivan Ruchkin
This document proposes an analysis contracts approach to address inter-domain vulnerabilities in cyber-physical systems. It describes analyzing a braking subsystem to determine sensor trustworthiness and secure control. Formal analysis contracts specify inputs, outputs, assumptions and guarantees for failure mode analysis, trustworthiness analysis and secure control analysis. The contracts approach aims to verify analyses are correctly executed to prevent vulnerabilities introduced offline from being exploited online. Future work includes developing richer behavioral and probabilistic contracts and validating the approach on other systems.
Presentation slides presented by Cody Thomas and Christopher Korban at x33fcon 2018 about how to jumpstart your purple teaming with the MITRE ATT&CK framework, and accompanying Adversary Emulation Plans
Ed Adams, CEO of Security Innovation joins forces with Neil Lakomiak of Underwriters Laboratories and Doug Pluta of Cisco to discuss the Internet of Things (IoT) from a safety and security perspective. From an executive panel presentation at Connected Security Expo 2016
The Internet of Things: We've Got to ChatDuo Security
BSides SF, February 2014: http://www.securitybsides.com/w/page/70849271/BSidesSF2014
Duo's Zach Lanier (@quine) & Mark Stanislav (@markstanislav) on IoT (Internet of Things) security, announcing http://BuildItSecure.ly
Mobile Commerce: A Security PerspectivePragati Rai
The document discusses mobile commerce (m-commerce) and security perspectives. It defines m-commerce as commerce conducted on mobile devices, which is growing rapidly and expected to reach $700 billion by 2017. The document outlines the m-commerce ecosystem and various security challenges at each layer from infrastructure to applications. It emphasizes the importance of end-to-end security and compliance with the PCI security standard to help protect users and businesses in the complex mobile commerce space.
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsSecuRing
1) The document discusses decentralized applications (dApps) and compares their security to web applications.
2) dApps have some security advantages like being undestroyable and transactions being cryptographically signed. However, expectations of their security do not always match reality due to vulnerabilities.
3) The document introduces SCSVS, the Smart Contract Security Verification Standard, which provides a checklist similar to OWASP ASVS for securing dApps across the entire software development lifecycle.
This document discusses safety considerations for next-generation autonomous vehicles and how RTI's data distribution service (DDS) middleware can help address them. DDS ensures reliable data availability in real-time across complex systems, facilitates integration of diverse components, and enables flexible deployment. Its use of a common data model simplifies safety certification processes.
What is IoT (Internet of Things)
Is Canada falling behind IoT
Security
Issues facing IoT
ISP Speed Canada
Business Climate / Canada
Groups / Partnerships
Market Update
Hacking your Connected Car: What you need to know NOWKapil Kanugo
Cars these days are 90% controlled by electronics and 10% using mechanics. The average new car already contains around 20 individual processors to monitor and control various functions — everything from the transmission’s shift points to the operation of the defroster — with about 60 megabytes of software code.
Many new cars are as “wired” as a home office — with onboard GPS navigation and wireless communications networks including Bluetooth, Wi-Fi or Internet run on Embedded OS's which run on converged Electronics to control these actions.
What if modern car’s onboard electronics be “hacked” or infected by a computer virus introduced through a wireless device that might corrupt or disable or controlled by a Hacker sitting at home?
The software does come with built in security but this is not enough and there is a need to offer a full Security package along with Car to guarantee Car's security. Life of people is more important than a gadget and people will pay and buy this package with a new car or upgrade to ensure that their car is not hacked by Hackers to malfunction or be used for other pervert interests.
This document discusses using JavaScript for Internet of Things (IoT) applications. It describes IoT as physical objects embedded with electronics, software and sensors that can collect and exchange data. It provides examples of IoT use cases and discusses common IoT protocols, sensors, embedded software tools and platforms. It also covers topics like security, communicating with microcontrollers using Firmata and building IoT projects with Johnny-Five and Node-RED.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
How Cyberflow Analytics have used KeyLines’ network visualization functionality to develop the next generation of cyber security analytics platform – built for the scope and scale of the Internet of Things.
The presentation on Security Testing / IoT Testing in Real World was done during #ATAGTR2017, one of the largest global testing conference. All copyright belongs to the author.
Author and presenter : Aditya Upadhya
The document discusses risks related to the Internet of Things (IoT) and strategies to manage those risks. It notes that IoT involves connecting many devices which generates large amounts of data. Key risks include lack of security in IoT standards, physical attacks on devices, and ensuring identity and privacy as billions of objects come online. The document recommends approaches like access control, encryption, network segmentation, threat intelligence, and data analytics to help secure the complex IoT environment as it continues to grow dramatically in coming years.
Understanding what is IoT security
What is the scope of IoT security
Uses of IoT and where do we see it in our daily life
Possible attack surface and likelihood of IoT-related attacks
IoT specific security assessment (understanding approach, IoT protocols, how it is a combination of different type assessments)
The myths of IoT security and the way it has progressed in past few years and how far fetched it can be.
Available Resources and Tools
- Embedded systems now contain sensitive personal data and perform safety-critical functions in devices like mobile phones, cars, and medical equipment. Unless embedded system security is adequately addressed, it could impede adoption.
- There are many challenges to security in embedded systems and IoT devices, including vulnerabilities in hardware, software, and networks. Effective security requires building security in at all stages of the design process.
- Various attacks like physical intrusion, side channel attacks, software exploits, and denial of service attacks threaten embedded systems. Countering these threats requires mechanisms at different levels including prevention, detection, and recovery techniques applied in hardware, software, and networks.
Task Force on IoT Security
About CISO Platform
Largest DDOS Attack Against DYN
How can we minimize the risk?
IoT Architectural Layers
Components of an IoT Node
In this session, Distinguished Engineer, James Gosling, discusses how AWS innovates in the Internet of Things. James shares stories and experiences in deploying IoT systems, and how AWS thinks of scalability in IoT. In addition, James shares his experiences in engineering Java embedded systems in IoT.
Presentation describes what security challenges automotive industry encounter with towards autonomous driving. What security threats appear and why. Who are the threat agents and what are their objectives. It presents end-to-end data path security threats based on the recent automated driving hardware architectures and propose defense-in-depth to solve approach on ECU and intra-ECU level to mitigate those threats
Similar to Connected Cars: What Could Possibly Go Wrong (20)
Choose our Linux Web Hosting for a seamless and successful online presencerajancomputerfbd
Our Linux Web Hosting plans offer unbeatable performance, security, and scalability, ensuring your website runs smoothly and efficiently.
Visit- https://onliveserver.com/linux-web-hosting/
Comparison Table of DiskWarrior Alternatives.pdfAndrey Yasko
To help you choose the best DiskWarrior alternative, we've compiled a comparison table summarizing the features, pros, cons, and pricing of six alternatives.
Best Programming Language for Civil EngineersAwais Yaseen
The integration of programming into civil engineering is transforming the industry. We can design complex infrastructure projects and analyse large datasets. Imagine revolutionizing the way we build our cities and infrastructure, all by the power of coding. Programming skills are no longer just a bonus—they’re a game changer in this era.
Technology is revolutionizing civil engineering by integrating advanced tools and techniques. Programming allows for the automation of repetitive tasks, enhancing the accuracy of designs, simulations, and analyses. With the advent of artificial intelligence and machine learning, engineers can now predict structural behaviors under various conditions, optimize material usage, and improve project planning.
Details of description part II: Describing images in practice - Tech Forum 2024BookNet Canada
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and transcript: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
Coordinate Systems in FME 101 - Webinar SlidesSafe Software
If you’ve ever had to analyze a map or GPS data, chances are you’ve encountered and even worked with coordinate systems. As historical data continually updates through GPS, understanding coordinate systems is increasingly crucial. However, not everyone knows why they exist or how to effectively use them for data-driven insights.
During this webinar, you’ll learn exactly what coordinate systems are and how you can use FME to maintain and transform your data’s coordinate systems in an easy-to-digest way, accurately representing the geographical space that it exists within. During this webinar, you will have the chance to:
- Enhance Your Understanding: Gain a clear overview of what coordinate systems are and their value
- Learn Practical Applications: Why we need datams and projections, plus units between coordinate systems
- Maximize with FME: Understand how FME handles coordinate systems, including a brief summary of the 3 main reprojectors
- Custom Coordinate Systems: Learn how to work with FME and coordinate systems beyond what is natively supported
- Look Ahead: Gain insights into where FME is headed with coordinate systems in the future
Don’t miss the opportunity to improve the value you receive from your coordinate system data, ultimately allowing you to streamline your data analysis and maximize your time. See you there!
UiPath Community Day Kraków: Devs4Devs ConferenceUiPathCommunity
We are honored to launch and host this event for our UiPath Polish Community, with the help of our partners - Proservartner!
We certainly hope we have managed to spike your interest in the subjects to be presented and the incredible networking opportunities at hand, too!
Check out our proposed agenda below 👇👇
08:30 ☕ Welcome coffee (30')
09:00 Opening note/ Intro to UiPath Community (10')
Cristina Vidu, Global Manager, Marketing Community @UiPath
Dawid Kot, Digital Transformation Lead @Proservartner
09:10 Cloud migration - Proservartner & DOVISTA case study (30')
Marcin Drozdowski, Automation CoE Manager @DOVISTA
Pawel Kamiński, RPA developer @DOVISTA
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
09:40 From bottlenecks to breakthroughs: Citizen Development in action (25')
Pawel Poplawski, Director, Improvement and Automation @McCormick & Company
Michał Cieślak, Senior Manager, Automation Programs @McCormick & Company
10:05 Next-level bots: API integration in UiPath Studio (30')
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
10:35 ☕ Coffee Break (15')
10:50 Document Understanding with my RPA Companion (45')
Ewa Gruszka, Enterprise Sales Specialist, AI & ML @UiPath
11:35 Power up your Robots: GenAI and GPT in REFramework (45')
Krzysztof Karaszewski, Global RPA Product Manager
12:20 🍕 Lunch Break (1hr)
13:20 From Concept to Quality: UiPath Test Suite for AI-powered Knowledge Bots (30')
Kamil Miśko, UiPath MVP, Senior RPA Developer @Zurich Insurance
13:50 Communications Mining - focus on AI capabilities (30')
Thomasz Wierzbicki, Business Analyst @Office Samurai
14:20 Polish MVP panel: Insights on MVP award achievements and career profiling
Best Practices for Effectively Running dbt in Airflow.pdfTatiana Al-Chueyr
As a popular open-source library for analytics engineering, dbt is often used in combination with Airflow. Orchestrating and executing dbt models as DAGs ensures an additional layer of control over tasks, observability, and provides a reliable, scalable environment to run dbt models.
This webinar will cover a step-by-step guide to Cosmos, an open source package from Astronomer that helps you easily run your dbt Core projects as Airflow DAGs and Task Groups, all with just a few lines of code. We’ll walk through:
- Standard ways of running dbt (and when to utilize other methods)
- How Cosmos can be used to run and visualize your dbt projects in Airflow
- Common challenges and how to address them, including performance, dependency conflicts, and more
- How running dbt projects in Airflow helps with cost optimization
Webinar given on 9 July 2024
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsMydbops
This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization.
Key Takeaways:
* Understand why connection pooling is essential for high-traffic applications
* Explore various connection poolers available for PostgreSQL, including pgbouncer
* Learn the configuration options and functionalities of pgbouncer
* Discover best practices for monitoring and troubleshooting connection pooling setups
* Gain insights into real-world use cases and considerations for production environments
This presentation is ideal for:
* Database administrators (DBAs)
* Developers working with PostgreSQL
* DevOps engineers
* Anyone interested in optimizing PostgreSQL performance
Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...Bert Blevins
Today’s digitally connected world presents a wide range of security challenges for enterprises. Insider security threats are particularly noteworthy because they have the potential to cause significant harm. Unlike external threats, insider risks originate from within the company, making them more subtle and challenging to identify. This blog aims to provide a comprehensive understanding of insider security threats, including their types, examples, effects, and mitigation techniques.
Transcript: Details of description part II: Describing images in practice - T...BookNet Canada
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and slides: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
Blockchain technology is transforming industries and reshaping the way we conduct business, manage data, and secure transactions. Whether you're new to blockchain or looking to deepen your knowledge, our guidebook, "Blockchain for Dummies", is your ultimate resource.
Support en anglais diffusé lors de l'événement 100% IA organisé dans les locaux parisiens d'Iguane Solutions, le mardi 2 juillet 2024 :
- Présentation de notre plateforme IA plug and play : ses fonctionnalités avancées, telles que son interface utilisateur intuitive, son copilot puissant et des outils de monitoring performants.
- REX client : Cyril Janssens, CTO d’ easybourse, partage son expérience d’utilisation de notre plateforme IA plug & play.
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
Connected Cars: What Could Possibly Go Wrong
1. Connected Cars
What Could Possibly Go Wrong?
William Whyte
Chief Scientist, Security Innovation
Mozilla Privacy Lab
October 20, 2016
2. About Security Innovation
• Software Security Experts
• 15 years research on software vulnerabilities
• Security testing methodology adopted by SAP,
Symantec, Microsoft, and McAfee
• Co-Created STRIDE and DREAD threat management methodologies
• Authors of 18 books; 10 co-authored with Microsoft
• Securing the Connected World
• Security Assessments
• Design Consulting
• Developer Training
• IoT, Mobile, Web, Automotive, Cloud
3. Automotive Center of Excellence
Seattle
Our Connected Vehicle Credentials
• Technical author of the IEEE 1609.2 protocol
• US/EU Harmonization Task Group
• US Safety Pilot SCMS Model Deployment
• Aerolink security library – industry first
• NTRU Crypto Libraries – post quantum security
• Transportation Infrastructure Consulting
• Conformance testing
• Automotive penetration testing
• Embedded secure design consulting
• Embedded developer training
2017 Cadillac CTS
4. Cars are Part of the Internet of Things (IoT)
The network of physical objects or
"things" embedded with electronics,
software, sensors, and network
connectivity, collecting and
exchanging data
6. Relative Complexity
F22 RaptorS-Class Mercedes
1.7 Million LoC6.5M Million LoC 100 Million LoC
787 Dreamliner
with
up to 100 ECUs
50 antennas, 15 frequencies
5 Networks
2 miles of cable
10+ Operating Systems
Exabyte of data per year
9. Entry Points for Hackers
External
• Bluetooth
• Internet
• Wi-Fi
• Key fob
• LIDAR
• Digital broadcasts
• Tire Pressure Monitors
• Tail light
• DSRC
Internal
• Diagnostic Port
• CD/DVD
• USB/SD card
• Aux input
• CAN Bus
• Other networks
• Mobile phone
11. Mindset Change
• Development time measured in months
• Hardware easily upgraded
• Virus and malware protection runs daily
with no end user disruption
• Easy to physically secure, single CPU
with limited external access
• Mature tools, little impact on speed
• Development time over 5 years
• Computing resources are fixed for life of
car
• Updating software cannot rely on
persistence of connectivity. Car must be
parked for safety.
• Hard to physically secure, multiple CPUs
all accessible via OBD2 port.
• Immature tools and slower processors
12. Application Security Practices
in the Automotive Industry
Agree* Disagree
My company makes secure software a priority 54% 46%
Hackers are actively targeting automobiles 52% 20%
Automakers know less about security than others 39% 32%
It is possible to build a nearly hack-proof car 17% 55%
My company has enough trained security experts 49% 23%
Should carmakers be held liable for vulnerabilities 44% 49%
August 2016 survey
527 respondents
OEM 192
Suppliers 325
* “Unsure” responses omitted
35%
39%
18%
7%
1%
Very difficult
Difficult
Somewhat difficult
Not difficult
Easy
How difficult is it to secure automotive applications ?
15. Challenges to Secure Automobile Software
0% 10% 20% 30% 40% 50% 60% 70% 80%
Too expensive
Adds too much time
Lack of requirements
Lack of company policy
Insufficient resources
Pressure to release
Lack of skilled people
2016
2015
“Pick Top 3 challenges”
16. Who’s responsible for Security?
23%
17%
18%
11%
12%
19%
CIO
CISO
Partner
QA
Developer
No One!
18. Traffic Safety
• 32,000 US road deaths, and 3,800,000 injuries
• Fatalities and injuries = $300B/year
• Congestion = $230B/year
• Leading cause of death for ages 15-34 in US
Technology Evolution
Passive Active Proactive
19. A Most Promising Solution – V2X
• Vehicle-to-Vehicle (V2V) Communication
• Vehicle-to-Infrastructure (V2I)
• Vehicle-to-RSE (road-side equipment)
• Vehicle-to-AMD (after-market device)
• Vehicle-to- VRU (vulnerable road user)
20. V2X
• New technology but 10 years in the making
• Allows cars to avoid invisible danger
• Uses short-range DSRC radio
• 10 situational messages per second/car
• Plan for mandatory adoption by 2020
• Privacy and Security are critical success
factors
21. Our main setting: Vehicle-to-Anything
(V2X)
Illustrations from https://www.itsconnect-pc.org/en/about_its_connect/service.html
22. V2X Sample Use Cases
• Intersection Movement Assist
• Emergency Brake Light notification
• Forward Collision warning
• Rain, Ice, Fog and Pothole warnings
• Do Not Pass warning
• Eco driving
• Truck platooning
23. V2X Executive Commentary
“The most important safety improvement in
automobiles since the seatbelt”
- Transportation Secretary Anthony Foxx
“There is no safety without security”
- Jose Manuel Barrosa
Former President of the European Commission
24. V2V: the worries
• Security
• Will hackers be able to take
control of my car?
• Will terrorists be able to cause
mass havoc
• Privacy
• Will the government be able to
track my every move?
• Will I be issued automatic
speeding tickets everywhere?
25. V2X Design Imperatives
• V2X must not compromise the cybersecurity
of the vehicle
• All V2X messages must be trustworthy
• The system must protect the identity of all
users except emergency vehicles
• The world’s largest PKI infrastructure
o Over 1 Billion certificates per year
o Pseudonym Certificates to provide anonymity
o Misbehavior reporting to revoke credentials
26. Authenticity and privacy in tension
• Cars need to authenticate
messages
• Safety messages are broadcast
so need to be signed
• Signing means certificates
• [deep crypto aside: or group
signatures but they’re too big]
• And if I use the same certificate
in many different places…
• You can track me!
27. Authenticity and privacy in tension
• Cars need to authenticate
messages
• Safety messages are broadcast
so need to be signed
• Signing means certificates
• [deep crypto aside: or group
signatures but they’re too big]
• And if I use the same certificate
in many different places…
• You can track me!
28. Privacy
Devices can change identifiers
from time to time, disrupting
linking by all but the most
powerful eavesdroppers
• This is enabled by issuing many
different certificates
to each device
• Of course, this means a CA could
link if it knows which certificates go
to which device
29. Privacy
Devices can change identifiers
from time to time, disrupting
linking by all but the most
powerful eavesdroppers
• This is enabled by issuing many
different certificates
to each device
• Of course, this means a CA could
link if it knows which certificates go
to which device
• … so the (US) system “blinds” the
CA, preventing insiders as well as
outsiders from linking
30. Certificate issuance
• Secure Credential Management
System (SCMS – think PKI-on-
steroids) for V2V includes privacy-
preserving mechanisms
• Shuffle at RA to protect against CA
learning certificates
• Linkage authorities to allow tracing
misbehaving devices without
revealing their identity, and
revoking in a way that only allows
them to be tracked after
revocation
• Organization separation ensures
no single insider / no single
database breach can track any car
31. (Shuffle at the RA)
• RA receives requests from
multiple end-entity devices
• Combines requests so that PCA
doesn’t know that two individual
cert requests received at the
same time come from the same
vehicle
• Tracks responses so they can
be sent to the right device
• (All this is transparent to the
end-entity – doesn’t affect
interfaces)
31
32. Revocation and misbehavior reporting
Å
Å
p(imax,jmax) p(imax,jmax)
p(imax,2) p(imax,2)p(imax, 1) p(imax, 1)plv1(imax,0) plv2(imax,0)
p(1,j) p(1,j)
Åp(1,2) p(1,2)p(1, 1) p(1, 1)plv1(1,0) plv2(1,0)
p(0,j)
p(0,2)p(0, 1)plv1(i=0, j=0)
k1(i = 0)
k1(1)
k1(2)
k1(imax)
p(0,j)
p(0,2)p(0, 1)plv2(i=0,j=0)
k2(i = 0)
k2(1)
k2(2)
k2(imax)
...
lv(0,0)
lv(0,1)
lv(0,2)
lv(0,j)
lv(1,j)
lv(1,2)lv(1,1)lv(1,0)
lv(imax, jmax)
lv(imax,2)lv(imax,1)lv(imax,0)
Å
Å
Å
Å
...
...
ÅÅÅ
...
ÅÅÅ
Linkage Seed
sequence 1
Pre-linkage value
sequence 1
Linkage Seed
sequence 2
Pre-linkage value
sequence 2
Linkage values
• Certificates contain “linkage values”
• These are generated by XORing
together two pre-linkage values from
series generated by two LAs
• Pre-linkage values are generated via a
hash from a linkage seed
• Linkage seed is itself generated via a
hash chain
• To determine if two misbehaving
messages came from the same
vehicle, need only consult one LA
• Interfaces being defined for this that
preserve privacy
• To revoke, reveal both seeds
• Allows receivers to calculate all linkage
values going forward in time, but not
backwards
33. V2X Pilots
• Ann Arbor Safety Pilot extended to
30,000 vehicles
• New York, 10,000 vehicles testing city safety
• Tampa, better freeway management
• Wyoming, improving I80 trucking efficiency
• Many EU and Asia Pacific pilots
• All major manufacturers engaged
• Standards set but plenty of room to
innovate and add value
35. Government Takes Action
The Security and Privacy in Your Car (Spy) Act
Cybersecurity Standards
• Hacking protection
• Data security
• Hacking mitigation
Privacy standards
• Transparency
• Consumer choice
• Marketing prohibition
Cyber dashboard
• A window sticker showing how well the car
protects the security and privacy of the owner.
36. What We’ve Learned from Traditional IT
• Importance of an educated development team and a robust SDLC
• Significance of threat modelling
• Value of automated and manual penetration testing
• Requirement for third party or “Red Team” involvement
• Hardware roots of trust (TPMs or HSMs)
• Strong encryption, preferably quantum-safe
38. Remaining Challenges
• PKI governance and ownership
• Equipment and infrastructure certification
• Multi-application operations
• Standardization
• Cross-border issues and harmonization of
trust
• Autonomous Vehicle Considerations
Driver = Operator = Personal Liability “Driver” = Freight = Product Liability
39. Final Thoughts
• It is still hard to hack cars en-mass
• Useful parallels to traditional IT
• Car makers are being pro-active
• Pilot programs proving efficacy