Predicting Automotive Cyber-Security Responses – Insight from Other Industries – Part 3 of 6
Examining industry responses to cyber-security events in IT and operational technologies ICS and SCADA sheds light on what to expect for the automotive industry. Part 3 of 6.
In our first post in October, we walked through a brief introduction of the history of connectivity and networking in IT, and ICS/SCADA industries. Last month’s post looked at historical initial, decisive and critical cyber-security events in these areas, and how they can be used to predict potential upcoming attacks on the automotive industry.
This month we tackle the impact and response from industry to these formative events.
Impact, and Industry Cyber-Security Responses
As a reaction to the increase in attacks, cyber-security detection and prevention systems were developed. These are now extremely common and widely used both by the industry, and the general public. As time goes by, the scale of computers and networks grows exponentially, and their vulnerabilities grow to match.
The International Standards Organization’s (ISO) Open System Interconnect (OSI) project specifies 7 layers which can be protected by a variety of mechanisms. Physical layers 1 and 2 can benefit from encryption and authentication. Layers 3 and 4 can use common tools like firewalls, to the less publicly known, such as application layer and reverse proxies, content filtering, data diodes, honeypots, and deception tools. We need to keep in mind that in IT the item we protect is data. Impacts are non-tangible and are mainly financial in nature. Events might include (among many others) theft of customer information, theft of money, or reputation/character assassination by the divulgence of personal or corporate secrets.
Currently, any network is pre-engineered with cyber-security in mind. Servers are designed for security from the initial design phase and are tested from a cyber-security perspective. This is in addition to regular functional and legacy performance testing. Software, too, is developed and tested for security breaches. Initially, the IT industry called this process the Software Development Life-Cycle (SDLC). Now the term used is Secured Software Development Life-Cycle (SSLDC) and is referred to, when abbreviated, as the Secured SDLC to emphasis security’s importance.
Cyber-security plans are implemented throughout all organization and periodically reviewed. Dedicated personnel are assigned to this task, namely a Chief Information Security Officer (CISO) who leads a professional team. Each organization has a dedicated Security Operations Center (SOC) run by a professional Cyber Event Response Team (CERT). They are equipped with Security Information and Event Management (SIEM) software and ready to react to any event. Yet despite this, there is still much more work be done as hackers have yet to lay down their arms (and fingers).
The aftereffect of the high-profile events described in the previous chapter was a rapid industry and regulatory response. Note that since ICS/SCADA relates to the real physical world, the concern here is about safety and reliability, not data protection and privacy as in IT. Attacks on critical infrastructure could potentially result in loss of life and physical damage. Shutting down power to a hospital or routing CO2 to Oxygen pipes could cause patients to die. Activating a railway junction – causing a northbound train to crash into a southbound train – would have devastating results. Opening dams protecting the Netherlands during high tide would flood large parts of the county. One can only imagine the damage that could be caused by such attacks.
There are two main paths for protection:
For existing networks, a secure overlay was added. This took the form of secure device configuration where possible, as well as the introduction of Intrusion Detection (IDS) and Intrusion Preventions Systems (IPS). Since the industry is traditionally very conservative, the preference historically has been for IDS. This is based on the claim that from the moment of network penetration there will be a long period of lateral movement as actors infiltrate and spread malware. They expect such an attack to be due to strategic events such as military or political conflict. As such it is assumed the CERT will have more than enough time to react before harm is done. Some claim it is important to let the intruder disclose its methods, targets and intentions by laying honeypots (traps). They argue that some, limited, damage is a price worth paying for the opportunity to study the attacker’s processes.
For new networks, a layered approached is employed, like that used in IT. Examples include secured devices such as the Schneider Electric Modicon M580 cyber-secured PLC, as well as others such as hardened servers and workstations, secured networks with firewalls, data diodes, IDS/IPS, security policy and education. Rapid-response drills which include red and blue teams are held on dedicated sites that consist of real and simulated devices. SOC and CERTs are recruited and trained. This is a slow process and who should hold authority is not always obvious. There is often disagreement and misunderstanding between engineering people, who do not understand cyber, and IT/cyber people who often mistakenly try to address OT network cyber-security issues with IT tools that are destined to eventually fail.
In the automotive industry, the core drive behind the interest in cyber-security is saving lives, but there is also a desire to prevent the huge costs that addressing cyber-security vulnerabilities could incur. Currently, any fault or vulnerability requires the recall of a huge number of vehicles. We should also consider the impact of high associated costs in regards to legal liability, as well as the damage to a firm’s brand and reputation.
For FCA the direct and indirect costs of the Jeep Cherokee incident is estimated over $1 billion. The industry has reacted in a similar manner to ICS/SCADA, working on a combination of defenses: ECU hardening, segregated network architecture using gateways, secure software development, the inclusion of IDS/IPS, and so on. In this market – as in the ICS/SCADA case – solution providers have discovered the market before the customers.
Here there are also two paths for protection:
For the aftermarket, target customers would typically be large fleet operators (such as mobility companies or emergency services) that would integrate cyber-security solutions into their vehicles. Because of the specific needs of each fleet, and the potential mix of vehicles, off-the-shelf products would not be suitable, and each customer will need a personalized solution.
For new cars, cyber-security solution suppliers will need to prove their capability to the Original Equipment Manufacturer (OEM) – a.k.a. the vehicle integrator which is the vendor that owns the brand (such as Ford Motors) – and work in parallel with Tier-1 component manufacturers such as Bosch. Vehicle manufacture is a long process relative to the shorter development cycles of the IT-tech industry. Any planned cyber-security solution might not appear in vehicle models for at least 2-3 years.