Information Security for Intelligent Connected Vehicles

Security for Connected/Autonomous Car

http://www.cleantech.com/isolated-car-to-connected-car-transportation-from-the-20th-to-the-21st-century/
http://www.nanalyze.com/2017/04/10-connected-car-technology-startups/
http://www.rcrwireless.com/connected-cars-2/harman-connected-car-services-trends-tag6-tag99

‘All That Connections’ of Connected Car

[Diagram labels: V2I (Vehicle-to-Infra), I2V (Infra-to-Vehicle), V2H (Home), V2V (Vehicle-to-Vehicle), V2D (Vehicle-to-Nomadic Device), TelCo (Mobile Manufacturer), Government, TelCo, Telematics, V2N (Vehicle-to-Network), V2S (Vehicle-to-Service), Manufacturer, V2P (Vehicle-to-Pedestrian), Extended Vehicle (ISO 20077 & 20078)]

“Cars are mobile devices.”

[Diagram labels: Feature Phone, Smart Phone, Connected Car, Smart Car, Connectivity (constrained), Pre-installed SW, Connectivity (no-constrained), User-selected SW, Personalized Online Services, Autonomous Driving]

Connected Car Technologies & Services
https://www.strategyand.pwc.com/reports/connected-car-2016-study (2016.09)

Value Shifts in the Auto Industry, 2015-2030
https://www.strategyand.pwc.com/reports/connected-car-2016-study (2016.09)

Hacking Incidents

“Safety begins with Security”
The existing cyber threats that risked monetary or physical loss are now being applied to vehicles, which can place severe liability on a person’s life.

University security researchers hack a Corvette via an OBD-II dongle by using SMS from an Android to execute commands to the car’s CAN bus, manipulating the brakes and windshield wipers.
Hack into car dealership security system remotely disables a car’s ignition system and causes horn to honk.
Remote Shutdown
Telematics Hacking
Thieves use kits to create new keys to drive off with BMWs using an OBD-II tool meant to diagnose vehicle issues.
Stolen Cars
An Android smartphone app allowed remote hackers to hack into a car’s ECU via the smart phone as a communication bridge.
Hack via SmartPhone App
Chinese white hat hackers are able to remotely hack into Tesla Model S to control its doors, windows, etc.
Electric Car Hack
White hat hackers remotely hack into a Jeep Cherokee via a Uconnect vulnerability, bringing serious potential dangers (cut engine while in motion on highway, disable brakes, etc.)
Remote Hack

[Timeline: March 2010, July 2012, September 2012, July 2014, July 2015, August 2015]

Security Threats

DC: Drive Components
TMS: Telematics
ADAS: Advanced Driver Assistance System
AVN: Audio, Visual & Navigation
IVI: In-Vehicle Infotainment
NIC: Network Interface Controller

Telematics Hacking (Jeep Cherokee)
Type A: Packet Injection via External Network
Hack via Smart Phone App
Type B: Malware Injection via SD/USB port
Stolen Cars
Type C: Packet Injection via OBD dongle

[Diagram labels: Internal Network, Chassis DC, Internal NIC, V2X, TMS, ADAS, AVN/IVI, External NIC, Gateway, External Network, Control Unit, Powertrain DC, Body DC]

The number of vehicular related hacking incidents becomes more present to the public as time goes by.
Vehicular vulnerabilities will continue to grow as the variety of car models increases.
Security will play an ever more important role in this evolving society of connected vehicles.

“SPY CAR” (Security and Privacy in Your Car) Act (2015.07)

• I. Cybersecurity Standards
  Hacking protection: all access points in the car should be equipped with reasonable measures to protect against hacking attacks, including isolation of critical software systems and evaluated using best security practices, such as penetration testing;
  Data security: all collected information should be secured to prevent unwanted access—while stored on-board, in transit, and stored off-board; and
  Hacking mitigation: the vehicle should be equipped with technology that can detect, report and stop hacking attempts in real-time.
• II: Privacy standards
  Transparency: owners are made explicitly aware of collection, transmission, retention, and use of driving data;
  Consumer choice: owners are able to opt out of data collection and retention without losing access to key navigation or other features (when technically feasible), except for in the case of electronic data recorders or other safety or regulatory systems; and
  Marketing prohibition: personal driving information may not be used for advertising or marketing purposes without the owner clearly opting in.
• III: Cyber dashboard
  NHTSA, in consultation with FTC, should establish a “cyber dashboard” that displays an evaluation of how well each automobile protects both the security and privacy of vehicle owners beyond those minimum standards. This information should be presented in a transparent, consumer-friendly form on the window sticker of all new vehicles.

http://www.markey.senate.gov/news/press-releases/sens-markey-blumenthal-introduce-legislation-to-protect-drivers-from-auto-security-privacy-risks-with-standards-and-cyber-dashboard-rating-system

“SPY CAR” (Security and Privacy in Your Car) Act (2017.03)

• I. Cybersecurity Standards
  Protection against Hacking: equipped with reasonable measures to protect against hacking attacks.
  Isolation Measures: to separate critical software systems from noncritical software systems.
  Evaluation: evaluated for security vulnerabilities following best security practices, including appropriate applications of techniques such as penetration testing.
  Adjustment: adjusted and updated based on the results of the evaluation.
  Security of Collected Information: All driving data collected by the electronic systems that are built into motor vehicles shall be reasonably secured to prevent unauthorized access (a) stored onboard, (b) transit to another location, and (c) offboard storage or use.
  Detection, Reporting, and Responding to Hacking: Any motor vehicle that presents an entry point shall be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.
• II. Cyber Dashboard
  inform consumers, through an easy-to-understand, standardized graphic, about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers, and passengers beyond the minimum requirements.

https://www.congress.gov/bill/115th-congress/senate-bill/680

• III. Privacy Standards for Motor Vehicles
  Transparency: Each motor vehicle shall provide clear and conspicuous notice, in clear and plain language, to the owners or lessees of such vehicle of the collection, transmission, retention, and use of driving data collected from such motor vehicle.
  Consumer Control: the option of terminating the collection and retention of driving data.
  Access to Navigation Tools: If a motor vehicle owner or lessee decides to terminate the collection and retention of driving data, the owner or lessee shall not lose access to navigation tools or other features or capabilities, to the extent technically possible.
  Exception: not apply to driving data stored as part of the electronic data recorder system or other safety systems on board the motor vehicle that are required for post incident investigations, emissions history checks, crash avoidance or mitigation, or other regulatory compliance programs.
  Limitation on Use of Personal Driving Information: A manufacturer (including an original equipment manufacturer) may not use any information collected by a motor vehicle for advertising or marketing purposes without affirmative express consent by the owner or lessee.
  Consent requests shall be clear and conspicuous.
  Consent requests shall be made in clear and plain language.
  Consent requests may not be a condition for the use of any nonmarketing feature, capability, or functionality of the motor vehicle.

“Federal Automated Vehicles Policy” (2016.09)
https://www.transportation.gov/AV/federal-automated-vehicles-policy-september-2016/

Cybersecurity Best Practices (2016.10)
https://www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf

• Self-Auditing
  Risk Assessment
  Penetration Testing and Documentation
  Self-Review
• Fundamental Vehicle Cybersecurity Protections
  Limit Developer/Debugging Access in Production Devices
  Control Keys
  Control Vehicle Maintenance Diagnostic Access
  Control Access to Firmware
  Limit Ability to Modify Firmware
  Control Proliferation of Network Ports, Protocols and Services
  Use Segmentation and Isolation Techniques in Vehicle Architecture Design
  Control Internal Vehicle Communications
  Log Events
  Control Communication to Back-End Servers
  Control Wireless Interfaces

Declaration of Amsterdam
https://english.eu2016.nl/documents/publications/2016/04/14/declaration-of-amsterdam

Joint Agenda

• a. Coherent international, European and national rules
  The aim is to work towards the removal of barriers and to promote legal consistency. The legal framework should offer sufficient flexibility to accommodate innovation, facilitate the introduction of connected and automated vehicles on the market and enable their cross-border use.
• b. Use of data
  Data generated through the use of connected and automated vehicles can serve public and private value-added services. Clarification is needed on the availability for public and private use and responsibilities of the parties involved.
• c. Ensure privacy and data protection
  Respecting existing legislation on privacy and data protection, the conditions for the (re-)use and sharing of data generated by connected and automated vehicles need to be clarified.
• d. Vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication
  In order to maximize benefits in road safety and environmental performance, it is essential to ensure that new services and systems are compatible and interoperable at European level and to coordinate investments towards reliable communication coverage, exploit the full potential of hybrid communications, where relevant, and improve the performance of location accuracy, benefiting in particular from the use of GALILEO and EGNOS.
• e. Security
  In the light of the increase in cyber-threats and serious vulnerabilities, it is essential to ensure security and reliability of connected and automated vehicle communications and systems. Common trust models and certification policies should be developed to prevent risks and support cybersecurity, whilst ensuring safe and interoperable deployment.
• f. Public awareness and acceptance
  It is important to manage societal expectations, to raise awareness and increase acceptance and appreciation of connected and automated vehicle technologies.
• g. Common definitions of connected and automated driving
  Common definitions of connected and automated driving should be developed and updated, based on the Society of Automotive Engineering levels (SAE levels) as a starting point.
• h. International cooperation
  It is important to develop and maintain close cooperation with other regions, particularly the US and Japan, to work towards a global framework and international standards for connected and automated vehicles.

ENISA – Cyber Security and Resilience of Smart Cars
https://www.enisa.europa.eu/publications/cyber-security-and-resilience-of-smart-cars/

https://wiki.unece.org/pages/viewpage.action?pageId=40829521

Threats for Autonomous Driving

[Diagram labels: Traffic Management System, Road Side Equipment, Environment, SW Delivery/Update, Critical System, Non-Critical System, Service Cloud, User Device]

Adaptive Security Architecture (Gartner)

Inputs into the Adaptive Protection Architecture
FS-ISAC, US-CERT

Adaptive Security Architecture - Lifecycle

[Diagram labels:
  In-line, real time (sub-second)
  Near real time (seconds ~ minutes)
  Retrospective Analysis
  Detailed Historical Data Full Packet Capture
  Post-incident (minutes ~ months)
  Whitelisting, Data Encryption, Patch Mgmt., Sandboxing
  Wasting hacker’s time (Honeypot, …)
  Signature/Behavioral Signature + “Threat Intelligence”
  Detecting Indicators of Compromise (IOC) - Pervasive Monitoring, Behavior Analytics, Change Monitoring
  Internal/External Context Risk to Enterprise Visually Presented
  Isolating the compromised system/network, account, process, …
  Changes are implemented/pushed/orchestrated
  Changes to policies or controls
  Adjusting security strategies/policies/controls
  Anticipating future attacks and targets
  New systems/applications]

Adaptive Security & Autonomous Car

[Diagram labels: External Network, Gateway, Internal Network, ECU; Device, Infrastructure, Vehicle, Cloud, Diagnostics, Person (Owner, Driver, Pedestrian), etc.]

Cybersecurity Concept for Connected Car

[Diagram labels: External Network, Gateway, Internal Network, ECU; Device, Infrastructure, Vehicle, Cloud, Diagnostics, Person (Owner, Driver, Pedestrian), etc.]

S4. Secure Platform: Crypto library; Secure boot & Remote Attestation; Secure Update; HW trust anchor (HTA)
S3. Secure Internal Communication: Authentication, Confidentiality & Integrity of Messages; Key Management
S2. Secure Gateway: Controls traffic flow; Detects malicious traffic; Data Security & Privacy
S1. Secure External Communication: Secure communication to anything

S1. Secure External Communication

[Diagram labels: V2I/I2V, Government, Telematics on Cloud, Manufacturer; Security: IEEE 1609.2, Transport: IEEE 1609.3, Network: IEEE 802.11p; Certificate, Certificate, Cross Certification; Certificate Authority (of Manufacturer), Certificate Authority (of Government); Security: IEEE 1609.2, Transport: IEEE 1609.3, Network: 3GPP (4G/5G)]

S1. Secure External Communication – TelCo & Manufacturer

[Diagram labels: Device Info., Enrollment, Certificate, Internet (closed), Manufacturer, TelCo, Authentication via USIM, 3GPP (4G/5G), Authentication Management, Authentication based on Certificate, Service, Connection, Authentication Management, Device Info., Subscription Info., Connection Ctrl., Service Ctrl., User]

S1. Secure External Communication - Ecosystem and Security Infrastructure

[Diagram labels: Service Provider, Cloud + Big Data, S/W Provider, Virtual Connection, Security Infrastructure, Key Management, Authentication Management, Privilege Management]

S2. Secure Gateway
“Vector Cyber Security Solutions”, AUTOSAR Users Group Meeting 2016.08.01

S2. Secure Gateway – Detects malicious traffic

[Diagram labels: Attacker, Secure Storage, Internal Gateway, External Network, Head Unit, TMS, ADAS, AVN, V2X, Secure Communication, Malicious Communication, External NIC, External Gateway, External Firewall, Internal Firewall, Powertrain DC, Body DC, Chassis DC, Attacker, Attacker, KMS]

S2. Secure Gateway – Controls traffic flow

[Diagram labels: Secure Storage, Internal Gateway, External Network, Head Unit, TMS, ADAS, AVN, V2X, Allowed Traffic, Disallowed Traffic, External NIC, External Gateway, External Firewall, Internal Firewall, Powertrain DC, Body DC, Chassis DC, KMS]

S2. Secure Gateway – Data Security & Privacy

[Diagram labels: Secure Storage, Internal Gateway, External Network, Head Unit, TMS, ADAS, AVN, V2X, External NIC, External Gateway, External Firewall, Internal Firewall, Powertrain DC, Body DC, Chassis DC, KMS, Data Security & Privacy]

S3. Secure Internal Communication

KMS: Key Management System

[Diagram labels: Secure Storage, Internal Gateway, External Network, Head Unit, TMS, ADAS, AVN, V2X, External NIC, External Gateway, External Firewall, Internal Firewall, Powertrain DC, Body DC, Chassis DC, KMS, ECU, ECU, Secure Communication, Key Management, Security Infrastructure, Key Management Policy]

S3. Secure Internal Communication - Key Management

KMS: Key Management System

[Diagram labels: Security Server (Key Management), In-Vehicle KMS, In-Vehicle BUS, ECU; numbered steps 1 to 3 with the labels Security Policy, Key Distribution (registration), Secure Communication (encryption); Root KMS, Sub-KMS, Key Hierarchy Structure]

S4. Secure Platform - Secure Boot & Remote Attestation

TPM: Trusted Platform Module

[Diagram labels: Security Server (Attestation Verifier), Remote Attestation, Secure Boot, Hardware, Bootloader, OS, Application, TPM]

S4. Secure Platform - Secure Flash/Update

[Diagram labels: Security Server (Certificate Authority); Service Server (update server); 1 Certificate for code signing; 2 Code Signing; 3; 4 Certificate Verification; 5; {Data} + {Code Sign}; Sign Verification & SW Updating]

Security Primitives for Usecases

[Table columns: Usecase, S1, S2, S3, S4]
A1. Secure Diagnostics: Authentication (GW), Access Co
