Connected Cars: What Could Possibly Go Wrong

Slides from a keynote I gave at AZ Infragard. Since this was a keynote, I tried to dazzle the audience by talking more about technology and portraying security only as part of the underlying architecture of cognitive autonomous systems.

Will Future Vehicles Be Secure? There is active work within the automotive community to build security into the future connected and highly autonomous vehicles and several organizations are working on cybersecurity standards. Is it going to be enough to secure future vehicles? Join me to explore the intricacies of securing cyber-physical systems. Challenge the notion that today's tools and best practices are enough to protect connected vehicles and transportation infrastructure. Finally, discover what the industry can do to take security research to the next level and ensure a safe, secure future of transportation. In the last few years there have been increasing interest in security of modern vehicles with several high profile demonstrations of controlling breaking and steering of a vehicle remotely across large distances. A modern vehicle already consists of up to 100 ECUs and has 100 million lines of code and the complexity is only expected to increase. There have already been suggestions that we will see 300 million lines of code in a vehicle in 5 years. With the growth in complexity we will also see growth of the attack surface. Comparing to other digital or digitized industries such as datacenters, PC, mobile, Industrial Control Systems, automobiles have not yet been actively exploited, however vulnerabilities already have bene demonstrated by security researchers and when that happens such vulnerabilities quickly get weaponized opening door to consistent exploits. With the vehicles that weigh several tons and move such proposition is very scary and there is pressing need to advance security technology to prevent malicious actors from endangering human life. Learning Outcomes: Understand vehicle ECU and network architecture and challenges securing Highly Automated and Connected Vehicles Describe modern end-to-end security architecture for connected vehicles Understand evolution of the future security technologies

This document provides an overview of key topics in automotive software and security: 1. Cars now contain over 1 gigabyte of software code due to increasing automation, connectivity and data analytics capabilities. 2. As vehicles become more connected and automated, software complexity and security risks will continue growing substantially over the next 10-20 years. 3. Developing highly reliable and secure automotive software requires addressing challenges across computing, embedded systems, and functional safety.

1) Autonomous vehicles require balancing supercomputing complexity, real-time performance, and functional safety. 2) Cyber-physical systems rely on four pillars: connectivity, monitoring, prediction, and self-optimization. 3) Ultra-reliable systems require qualities like self-healing, where the system can autonomously change its structure to maintain behavior despite failures.

Dragos, Inc. was notified by the Slovak anti-virus firm ESET of an ICS tailored malware on June 8th, 2017. The Dragos team was able to use this notification to find samples of the malware, identify new functionality and impact scenarios, and confirm that this was the malware employed in the December 17th, 2016 cyber-attack on the Kiev, Ukraine transmission substation which resulted in electric grid operations impact. This report serves as an industry report to inform the electric sector and security community of the potential implications of this malware and the appropriate details to have a nuanced discussion

This document discusses security and safety requirements for Intel systems. It describes performing threat analysis and risk assessment (TARA) along with hazard analysis and risk assessment (HARA) to define security and safety goals. Additionally, it proposes adding security mechanisms such as checking for file tampering and application trust when monitoring graphics systems to protect against threats.

Executive Summary No industrial operation is free of risk, and different industrial enterprises may legitimately have different “appetites” for certain types of risks. Evaluating cyber risk in industrial control system (ICS) networks is difficult, considering their complex nature. For example, an evaluation can consider (explicitly or implicitly) up to hundreds of millions of branches of a complex attack tree modelling of cyberattacks interaction with cyber, physical, safety and protection equipment and processes. This paper was written to assist cyber professionals to understand and communicate the results of such risk assessments to non-technical business decision-makers. This paper proposes that cyber risk be communicated as a Design Basis Threat (DBT) line drawn through a representative “Top 20” set of cyberattacks spread across a spectrum of attack sophistication. These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. Many industrial cyber risk practitioners will find the list useful as-is, while expert practitioners may choose to adapt the list to their more detailed understanding of their own sites’ circumstances.

Systems Architecture with the Functional Safety-Security emphasis I was asked to give a talk on the unification of Functional Safety (FuSa) and Security for which I replied that two disciplines cannot be viewed separately from Systems Engineering. Instead of talking about safety/security interop, I explained how to build complex systems and how these systems fail. Only when you understand that we do not know how to build absolutely reliable systems and that eventually anything you create fails, you can understand how to add reliability and security mechanisms to your solutions. The summary of the presentation is:  Envision how your solution will be operated  Design for maintainability  Add safety concept  Add security mechanisms  Build for failure

When it comes to Software Defined Networking (SDN) Security there are two sides of the story. This webinar addresses both sides – what security vulnerabilities exist in modern SDN technologies and how SDN technologies can create new security protections. Also included are use cases that SDN solutions can provide and the new applications of SDN that can secure modern enterprise and data center environments. Presented by GTRI CTO, Scott Hogg, in a webinar on June 9, 2016. For more information, visit http://www.gtri.com/.

Domain 5: Identity and Access Management - Review Access Control Methodologies, Access Control Models

This document contains a CISSP CBK review exam with 55 multiple choice questions covering various topics in cybersecurity. Some of the questions test knowledge of risk management, access controls, cryptography, security operations and incident response. The exam is assessing understanding of fundamental cybersecurity concepts as defined in the Common Body of Knowledge for the CISSP certification.

This presentation provides overview about the different threat modeling approach with examples from Automotive. This presentation was given in IEEE VTS Event on 4 Sep - "Safe and Secure Automotive" Workshop

This document summarizes a CISSP mentor program session on security assessment and testing. It includes a 10 question quiz on topics like regression testing, fuzzing, static vs dynamic testing, and types of penetration testing. It also discusses a scenario about hiring a security firm to conduct a security assessment and penetration test of a bank's new web application. Key points covered include using a "flag" file instead of real data in a penetration test, the benefits of partial knowledge vs zero knowledge tests, and the proper response if an active compromise is discovered during a test.

Kaspersky researchers have been monitoring the activity of APT actors, cybercriminals and hacktivists currently involved in the conflict in Ukraine. During this webinar, the Global Research and Analysis Team (GReAT) will share their findings on the most recent cyberattacks targeting Ukraine and present their observations, analysis and top findings. - The types of attacks that have been targeting Ukraine for the past few months - The results of analysis on destructive attacks and malware (HermeticWiper, etc...) - How organizations can defend themselves against cyberattacks GReAT, Kaspersky’s Global Research and Analysis Team, consists of 40 researchers based around the world that work on uncovering APTs, cyberespionage campaigns, major malware, ransomware and underground cybercriminal trends across the world.

This document provides an overview of various tools that can be used for hardware hacking and analysis. It discusses tools for tasks like information gathering, device teardown, interface monitoring and analysis, and firmware extraction. Specific tools covered include oscilloscopes, logic analyzers, protocol analyzers, the Bus Pirate, USB-to-serial adapters, software defined radios, soldering equipment, device programmers, debug tools, and imaging equipment like x-rays and electron microscopes. Examples are given of how several of these tools have been used in past hardware analyses and attacks. The document concludes by encouraging the reader to set up a hardware hacking lab and collaborate with others to stay up-to-date on new tools and techniques.

This document proposes an analysis contracts approach to address inter-domain vulnerabilities in cyber-physical systems. It describes analyzing a braking subsystem to determine sensor trustworthiness and secure control. Formal analysis contracts specify inputs, outputs, assumptions and guarantees for failure mode analysis, trustworthiness analysis and secure control analysis. The contracts approach aims to verify analyses are correctly executed to prevent vulnerabilities introduced offline from being exploited online. Future work includes developing richer behavioral and probabilistic contracts and validating the approach on other systems.

Presentation slides presented by Cody Thomas and Christopher Korban at x33fcon 2018 about how to jumpstart your purple teaming with the MITRE ATT&CK framework, and accompanying Adversary Emulation Plans

Ed Adams, CEO of Security Innovation joins forces with Neil Lakomiak of Underwriters Laboratories and Doug Pluta of Cisco to discuss the Internet of Things (IoT) from a safety and security perspective. From an executive panel presentation at Connected Security Expo 2016

BSides SF, February 2014: http://www.securitybsides.com/w/page/70849271/BSidesSF2014 Duo's Zach Lanier (@quine) & Mark Stanislav (@markstanislav) on IoT (Internet of Things) security, announcing http://BuildItSecure.ly

Understanding the security implications of IoT transformation, with real world examples including the Chrysler Jeep Hack

The document discusses mobile commerce (m-commerce) and security perspectives. It defines m-commerce as commerce conducted on mobile devices, which is growing rapidly and expected to reach $700 billion by 2017. The document outlines the m-commerce ecosystem and various security challenges at each layer from infrastructure to applications. It emphasizes the importance of end-to-end security and compliance with the PCI security standard to help protect users and businesses in the complex mobile commerce space.

1) The document discusses decentralized applications (dApps) and compares their security to web applications. 2) dApps have some security advantages like being undestroyable and transactions being cryptographically signed. However, expectations of their security do not always match reality due to vulnerabilities. 3) The document introduces SCSVS, the Smart Contract Security Verification Standard, which provides a checklist similar to OWASP ASVS for securing dApps across the entire software development lifecycle.

This document discusses safety considerations for next-generation autonomous vehicles and how RTI's data distribution service (DDS) middleware can help address them. DDS ensures reliable data availability in real-time across complex systems, facilitates integration of diverse components, and enables flexible deployment. Its use of a common data model simplifies safety certification processes.

What is IoT (Internet of Things) Is Canada falling behind IoT Security Issues facing IoT ISP Speed Canada Business Climate / Canada Groups / Partnerships Market Update

Cars these days are 90% controlled by electronics and 10% using mechanics. The average new car already contains around 20 individual processors to monitor and control various functions — everything from the transmission’s shift points to the operation of the defroster — with about 60 megabytes of software code. Many new cars are as “wired” as a home office — with onboard GPS navigation and wireless communications networks including Bluetooth, Wi-Fi or Internet run on Embedded OS's which run on converged Electronics to control these actions. What if modern car’s onboard electronics be “hacked” or infected by a computer virus introduced through a wireless device that might corrupt or disable or controlled by a Hacker sitting at home? The software does come with built in security but this is not enough and there is a need to offer a full Security package along with Car to guarantee Car's security. Life of people is more important than a gadget and people will pay and buy this package with a new car or upgrade to ensure that their car is not hacked by Hackers to malfunction or be used for other pervert interests.

This document discusses using JavaScript for Internet of Things (IoT) applications. It describes IoT as physical objects embedded with electronics, software and sensors that can collect and exchange data. It provides examples of IoT use cases and discusses common IoT protocols, sensors, embedded software tools and platforms. It also covers topics like security, communicating with microcontrollers using Firmata and building IoT projects with Johnny-Five and Node-RED.

Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.

Originally presented on September 08, 2016. Watch on-demand: http://ecast.opensystemsmedia.com/672

How Cyberflow Analytics have used KeyLines’ network visualization functionality to develop the next generation of cyber security analytics platform – built for the scope and scale of the Internet of Things.

DTS Solution - ISACA UAE Chapter - ISAFE 2014 Event - RU PWNED - Living a Life as a Penetration Tester