In his final post of the series, Gilad Bandel, Cerrado's VP of Product, examines supply chain cyber-security in IT and ICS/SCADA industries. Explore the parallels with automotive and what lays ahead for the industry.
Editor’s Note: Watch Gilad giving a full presentation of this topic in a free webinar hosted by the Automotive Security Research Group. The video is available on-demand from the ASRG Youtube page!
The final post of our IT, ICS SCADA series examines the cyber-security vulnerabilities of IT and ICS/SCADA supply chains. We will examine the parallels with the automotive industry and discuss what steps can be taken to avoid making the same mistakes.
Links to previous posts in the series can be found at the bottom of the page.
Ecosystem and supply chain cyber-security
Understanding the basics of how each industries supply chain works gives us a place to start when looking for vulnerabilities to defend.
IT
Manufactured chips and software are integrated into products that are installed on customer’s premises.
ICS/SCADA
In a similar supply chain to the IT industry, manufactured chips and software are integrated into products that are installed on the customer’s premises.
Automotive
Here the process is unique. Tier 3 suppliers such as chip manufactures (e.g. QNX, STMicroelectronics), operating system developers (e.g. Green Hills), nuts, bolts, and other component vendors supply Tier 2 manufacturers.
Tier 2 suppliers generate whole modules such as IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems), navigation systems (i.e. NNG), modules for the power train, parts of the engine, and provide them to Tier 1s.
Tier 1 suppliers manufacture fully integrated modules (e.g. engine, gearbox, gateway, infotainment, telematics, and so forth) i.e. Robert Bosch.
Finally, OEMs (Original Equipment Manufacturers) are the actual vehicle integrators and main brands recognized in the marketplace. Companies such as Ford Motors, Daimler, and Toyota combine Tier 1 products into one running vehicle.
Future of Things
Drawing parallels between the industries enables us to create a general forecast for cyber-security for the automotive industry.
IT
The arms race between attackers and defenders will continue for the foreseeable future. There is wide awareness in the industry and regulators are very active in this field. Huge funds are spent on a yearly basis, and spending figures will only continue to rise as the technology evolves.
ICS/SCADA
It is slow-moving but judging by venture capital investments in startups this is a very hot market and is expected to grow in coming years. Solution providers discovered this market well before their customers.
As a result, there is a price war driving down end-user costs. Eventually, some vendors will close. Others will, or have been acquired and some will reach success on their own. Security will become an inherent part of the ICS/SCADA industry and will be included in all-new, and many existing installations.
Automotive
Judging by the dynamics of the other two fields we can only conclude that this area will follow suit. Due to the high risks involved in liability, recalls, and reputation loss (in the inevitable case of an incident) there is no alternative to massive investment in this field.
Here too, solution providers have developed products and technologies and are now striving to integrate them into new and aftermarket vehicles. Mergers, acquisitions and closures will occur throughout these incumbents until there is widespread adoption of cyber-security by the automotive industry.
Automotive Industry Guidelines for Addressing Cyber-Security Issues
When we understand how other, similar industries have evolved we can begin to see the challenges and pitfalls that lay ahead. This enables us to formulate guidelines to help overcome them.
Secure by design vs. dedicated security components
There is a claim that if a system is secured by design, and all components are designed with security in mind that the system will not require dedicated security functions on its network. While designing the system with security as a prime directive is vital, it is not enough for full security coverage.
For example, a communication channel which is secure, authenticated, encrypted, and immune to tampering is useless as it can potentially serve as a convenient path for spreading malware. Especially if messages from a compromised device can use it unmonitored.
It is necessary to include in the system architecture, an independent, objective, and dedicated function that can monitor and surveil the network to detect and protect against cyber-attack. Components such as IDS should oversee the whole network. It’s important not to skip this layer in the false assumption that a seemingly secure architecture is enough.
IDS vs. IPS
The automotive industry is very conservative, as such, like in ICS/SCADA, we expect it to clearly prefer the passive, non-intrusive IDS rather than the IPS. However, there seems to be some distinction here between the lower layers and the higher ones. Looking at CAN-bus – a secure gateway that selectively forwards messages by ID’s to the designated busses is an active approach that seems to be widely accepted.
Moving to Ethernet, an active firewall operating on ISO OSI layers 1-4 up to TCP/UDP is sure be part of the system. Above this, an application level firewall with IPS function is likely not to be accepted by the industry in the initial phases. Or at least for the short term, In the long term this might change.
Signatures vs. anomalies
IDSs are based on signatures and/or anomalies. Signatures based IDS’s are more reliable in terms of very low rates of false-positive alarms. From the other side, they can protect only against known attack scenarios, unable to detect zero-day attacks, and require frequent updates with newly discovered signatures.
Anomaly-based IDSs establish their own baseline by learning network behavior and will generate an alert if there’s any deviation from that. Anomaly-based IDSs are well suitable for static, predictive, and deterministic networks such as automotive ones. The weak point is that they tend to generate a higher rate of false-positive alarms which are not tolerable in the automotive industry.
Moving forward, a major influencing factor will be automotive Ethernet. While for the CAN-bus, using an anomaly-based IDS is enough, the more complex and sophisticated attack scenarios for Ethernet will drive the industry into using a combination of tools that include both signature and anomaly-based IDSs.
NIDS vs. HIDS
The NIDS (Network IDS) passively listens to the network. On CAN-bus this can be achieved by tapping into CAN busses, listening at the gateway or at the black box. With ethernet, this can be achieved by using port mirroring (a.k.a. SPAN) of the switch, or by running IDS on the switch CPU itself. The HIDS (Host IDS) is end-point protection that runs on the ECUs directly. The industry trend shows a reduction in the number of ECUs present in the vehicle and a general move toward consolidation, with the development of a powerful domain or vehicle controller. This will enable OEMs to deploy extensive security mechanisms on ECUS and domain controllers with sophisticated detection mechanisms. Overall, a combination will be required, providing security to end-points such as secure boot and HIDS. In parallel, and unrelated, a NIDS will be required to independently monitor the network.
Protocols
The move to Ethernet will substantially increase the protocols used. This has two aspects: non-automotive and automotive protocols. Ethernet will bring onboard the common Ethernet and IP protocols such as RSTP, ARP, ICMP, IPSEC, HTTP, HTTPS, FTP, etc. All these protocols and their software implementations will inevitably come with a large number of vulnerabilities and exposures. In addition, new automotive protocols, with as of yet negligible usage experience will join the architecture, such as AVP, SOME/IP, DoIP, etc. Those pose even higher risks since all are brand new and come with first-time software implementations. From past experience, it is clear that such a combination is a heaven for hackers and exposures will be evident.
Pricing
While OEMs will have to pay for the new security requirements imposed by regulation and management, they will make all efforts to reduce these costs. This will be most notable in smaller cars, while high-end, larger vehicles will be less sensitive to pricing. The major gain for security solution providers will be in mass and long-term contracts. This implies such vendors will need deep pockets to survive. The acquisition, merger and liquidation of players’ in the industry is imminent.
Bottom line
Once the picture becomes clear to the automotive industry, the natural conclusion becomes obvious. OEMs and Tier suppliers must address cyber-security concerns sooner rather than later. The answer needs to be an integrated and layered solution that includes a combination of secured network architecture, good end-point protection and IDS (later also IPS) reporting to a well-trained SOC with a CERT ready to act if needed.
*Cerrado previously known as Arilou