New auto "ISAC" is framework for improved cybersecurity

Written by Paul Weissler

The 2016 SAE Congress forum on Connectivity sounded like a meeting in a war room, peppered with terms like "notification of attack" and "assets deployed" along with talk of "new alliances" and "global risks." And in a sense, it was such a discussion.

The urgency of the cybersecurity topic has created the need for advanced approaches to defense. The auto industry has formed an overarching answer that is similar to what already has been done in aviation: an Information Sharing and Analysis Center (ISAC).

The aviation ISAC is a framework to collect for analysis, anonymously, anything that could attack all OE architectures, explained Faye Francy, executive director.

The automotive equivalent, which has just become operational, also will serve as a central hub for gathering intelligence to track cyber threats and identify weaknesses in vehicle electronics that are common to more than one manufacturer. Auto-ISAC, formed by two industry associations, has 22 members.

"We're all getting attacked at some level," Francy said.

The openness of the automobile to malware intrusion was one issue addressed in different ways by the forum panelists. The threat of hackers "drives a wedge into people's trust," said Brian Murray, ZF TRW Global Director of Safety and Security Excellence.

If there's a perception that something is not safe, it doesn't matter to the public, even if there is no physical or kinetic damage to date, added Dan Massey, program manager on cybersecurity at the U.S. Department of Homeland Security (DHS).

And when there is damage, the absolute numbers often aren't important, claimed Doug Britton, CEO of Kaprica Security. "A small number is enough; you don't need 50,000," Britton noted. "You could do it with 10."

ABS service command an issue

A serious issue could be posed by so common a vulnerability as the command to disable the vehicle's ABS (anti-lock brakes) actuator, noted Andrew Weimerskirch, cybersecurity researcher at the University of Michigan.

Automotive service technicians have had to use this command for many years to permit bleeding the ABS section of the hydraulic brake system, particularly when a new brake pressure modulator valve assembly is installed, so as to purge any air and fill the circuits with brake fluid.

The ABS disabling capability is routinely built into all but the most basic scan tools, and a hacker accessing it through an OBD II gateway or an installed dongle could raise it to the level of a threat. "This command should not exist," Weimerskirch said.

However, with current ABS control configurations, isolating is not necessarily simple on many cars. And it's just one example.

The entire problem of secure service access was observed by ZF TRW's Murray. He told the attendees that electronic service decisions and trouble code modifications typically come late in the vehicle design cycle, when warranty concerns may be raised.

The present level of built-in vulnerability was raised by the DHS's Dan Massey. "Sometimes my fifth grade daughter has been able to pair her phone with another car," he reported.

Effect of Right-to-Repair laws

The effect of Right-to-Repair laws, such as the impending one in Massachusetts, means that access to problematic commands will be available to all garages, not just independent ones, effectively to anyone willing to pay the access fees.

Although the dealer technician may be "more trustworthy," cybersecurity specialists including Weimerskirch have made it clear that the protection must be based on passing through packets of needed OE information without an externally-inserted ability to change it.

However, the cybersecurity specialists must deal with the issue of the commands themselves. Under Right to Repair, Volkswagen, for example, would have to release the software that permits operating the electric power steering rack and shutting off the engine.

The remote key fob, an established entry point, also has become a serious vulnerability, ZF TRW's Murray said. "If you lose the keys to a car, you can effectively turn it into a 'brick,'" he told the audience.

There are many ideas to improve automotive cybersecurity, Weimerskirch told the session. But first a test platform is needed, to enable researchers to validate them.

A related issue was cited by Kaprica's Britton: it's important that the flow of ideas "doesn't also translate into a big bill of materials."



Date written: 19-Apr-2016 03:57 EDT

More of this article on the SAE International Website

ID: 3039
 