Policies and Guidelines

From OpenGarages

Policy and Guidelines

Automotive policies around security are still relatively new. While several groups have been working on fleshing out what they will entail, many of the details didn't become public until 2014. This section highlights some of these policies and guidelines and how they currently relate to the automotive industry.

National Highway Traffic Safety Administration (NHTSA)

The NHTSA is a US department that was established in 1970 by the Highway Safety Act. NHTSA is statutorily directed by Congress to issue standards to address safety needs identified by the agency. NHTSA has had to evolve along with the changing technology. In 2012 a new division was formed with the main focus of:

  • Safe Reliability
  • Cybersecurity
  • Emerging Technologies (Automated Vehicles)


NHTSA's goal is to provide research to develop industry standards, guidelines, and regulations that would be adopted and used for certifications. It works as a liaison to standards organizations such as the Society of Automotive Engineers (SAE), the National Institute of Standards and Technology (NIST) and the International Organization of Standards (ISO). NHTSA is open to the public and releases pre-drafts that anyone can read and comment on.

Federal Motor Vehicle Safety Standards: Vehicle-to-Vehicle (V2V) Communications

A pre-release proposal from the NHTSA for V2V communications was released in August 2014. The general scope of this proposal is:

“This document initiates rulemaking that would propose to create a new Federal Motor Vehicle Safety Standard (FMVSS), FMVSS No. 150, to require vehicle-to-vehicle (V2V) communication capability for light vehicles (passenger cars and light truck vehicles (LTVs)) and to create minimum performance requirements for V2V devices and messages.”
URL: https://federalregister.gov/a/2014-19746
Summary: This request for comment inquires into the feasibility of using Public Key Infrastructure (PKI) for vehicle-to-vehicle communication. The draft is a collection of research papers on V2V technology and is worth a detailed read, especially if you like the V2V section of this manual.

Automotive Electronic Control Systems Safety and Security

Another request for comments from the NHTSA was released in October of 2014. The general scope of the proposal is:

“The agency is presenting its progress in conducting an examination of the need for safety standards and seeking comments on its findings thus far. The agency is directed to conduct this examination and report its findings to Congress by the Moving Ahead for Progress in the 21st Century Act (MAP-21).”
URL: https://federalregister.gov/a/2014-23805
Summary: Congress has requested an examination of the need for safety standards regarding electronic systems in passenger motor vehicles. This request targets security against unauthorized access as well as the basic interaction of electrical components. The request for comments shows a strong understanding of automotive cyber security.

SAE J3061 - Cybersecurity Guidebook for Cyber-Physical Automotive Systems

As of the end of 2014 this is a work-in-progress (WIP) standard, released Jan 14, 2014, with the following scope:

“Create Cybersecurity Guidebook for Cyber-Physical Automotive Systems - Consistent with risk methodology in ISO 26262 Functional Safety Standard - Contains automotive Cybersecurity framework and processes - Evaluates Threat Analysis and Risk Assessment (TARA) methods - Simple approach to allow effective implementation across the automotive industry - Contains elements of existing industry security standards - Definitions, acronyms, and sample templates provided”
URL: http://standards.sae.org/wip/j3061/
Summary: Unfortunately this WIP document is open to public review at this time.

ISO 26262 - Road vehicles - Functional safety

This safety standard was published in November 2011. The scope of this standard is:

“ISO/DIS 26262 is the adaptation of IEC 61508 to comply with needs specific to the application sector of E/E systems within road vehicles. ISO 26262 covers functional safety aspects of the entire development process (including such activities as requirements specification, design, implementation, integration, verification, validation, and configuration). The standard provides guidance on automotive safety lifecycle activities.”
URL: http://www.parasoft.com/products/article.jsp?articleId=3161
Summary: This standard has been around for a while and is heavily adopted by the auto industry. It does not directly refer to security standards; it is a risk-based safety standard. While it does not directly talk about security, it could be possible to use the Automotive Safety Integrity Level (ASIL) defined in the standard to rank your threat model. See the Threat Model section of this manual for more information.
Below is the ASIL ranking system:


PROBABILITY / EXPOSURE
Class  Duration                 Frequency                                  Example
E1     -                        Occurs less than once a year               Driving downhill with engine off
E2     <1% of operating time    Situation that occurs a few times a year   Driving on unsecured steep slope
E3     1-10% of operating time  Situation that occurs once a month         Slippery roads
E4     >10% of operating time   Situations that occur almost every drive   Braking

Table 2-1: ASIL Probability / Exposure


SEVERITY
Class  Description                                                     Example
S1     Light and moderate injuries                                     Collision with tree < 20 km/h
S2     Severe injuries, possibly life threatening, survival probable   Collision with tree 20-40 km/h
S3     Life threatening injuries, survival uncertain, fatal injuries   Collision with tree > 40 km/h

Table 2-2: ASIL Severity


CONTROLLABILITY
Class  Description                              Definition                                    Example
C1     Simply controllable                      All drivers will be able to avoid it          Starting a vehicle with locked steering
C2     Normally controllable                    90% of all drivers will be able to avoid it   Stopping a vehicle in case of light failure
C3     Difficult to control or uncontrollable   10% of all drivers will be able to avoid it   Loss of brakes

Table 2-3: ASIL Controllability


Severity  Exposure  C1  C2  C3
S1        E1        QM  QM  QM
S1        E2        QM  QM  QM
S1        E3        QM  QM  A
S1        E4        QM  A   B
S2        E1        QM  QM  QM
S2        E2        QM  QM  A
S2        E3        QM  A   B
S2        E4        A   B   C
S3        E1        QM  QM  A
S3        E2        QM  A   B
S3        E3        A   B   C
S3        E4        B   C   D

Table 2-4: ASIL Matrix of risk

As you can see from Table 2-4, the ASIL rankings for ISO 26262 are A, B, C and D. A ranking of QM stands for Quality Management and means the risk falls below ASIL A and no ASIL applies. The ASIL algorithm can be expressed as:
ASIL = Severity x (Exposure x Controllability)
This means that Exposure and Controllability together represent your overall Probability. You combine this with Severity to get your overall risk score. If this looks familiar to you, it's probably either because you already work in the auto industry or because you remember this line from Fight Club:
The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
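The rule behind Table 2-4, as an added example that is not part of the OpenGarages page or of ISO 26262 itself: numbering the S, E and C classes and adding them reproduces every cell of the matrix, which makes the ASIL usable as a ranking function for a threat model. The threat entries and their S/E/C ratings below are constructed for illustration only.

```python
# Added example, not from the OpenGarages page or ISO 26262 itself: the ASIL
# matrix in Table 2-4 collapses to a closed-form rule. Number the classes
# S1..S3, E1..E4, C1..C3 and add them: a sum below 7 is QM, 7 is A, 8 is B,
# 9 is C and 10 is D. The rule is checked against the page's matrix and then
# used to rank a few constructed threat-model entries.

# Table 2-4 as printed, keyed by (severity, exposure) -> (C1, C2, C3) cells.
ASIL_MATRIX = {
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),   (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),    (3, 4): ("B", "C", "D"),
}

def asil(severity, exposure, controllability):
    """Closed-form ASIL for S in 1..3, E in 1..4, C in 1..3."""
    if not (1 <= severity <= 3 and 1 <= exposure <= 4 and 1 <= controllability <= 3):
        raise ValueError("class index out of range")
    return {7: "A", 8: "B", 9: "C", 10: "D"}.get(severity + exposure + controllability, "QM")

def matrix_matches_rule():
    """True if the closed-form rule reproduces every cell of Table 2-4."""
    return all(asil(s, e, c) == row[c - 1]
               for (s, e), row in ASIL_MATRIX.items() for c in (1, 2, 3))

# Constructed threat-model entries (illustrative ratings, not from any standard):
# (description, S, E, C) using Tables 2-2, 2-1 and 2-3 respectively.
THREATS = [
    ("Unauthenticated firmware update accepted by a body ECU", 2, 2, 2),
    ("Spoofed V2V hazard warning triggers needless hard braking", 2, 4, 2),
    ("Infotainment bus bridged to drivetrain bus exposes brake ECU", 3, 4, 3),
    ("Diagnostic session left open after service, odometer tampering", 1, 1, 1),
]

def rank_threats(threats):
    """Return (ASIL, description) pairs, highest ASIL first."""
    order = {"D": 4, "C": 3, "B": 2, "A": 1, "QM": 0}
    rated = [(asil(s, e, c), desc) for desc, s, e, c in threats]
    return sorted(rated, key=lambda t: order[t[0]], reverse=True)

if __name__ == "__main__":
    assert matrix_matches_rule()
    for level, desc in rank_threats(THREATS):
        print(f"{level:>2}  {desc}")
```

Because only the sum matters, two threats with very different profiles (rare but uncontrollable, or constant but easily handled) can land on the same ASIL, so keep the individual S, E and C ratings in the threat model rather than just the final letter.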

MIL-STD-882E

This safety standard comes from the Department of Defense (DoD). This document is from May 2012 and the scope includes:

“This Standard covers hazards as they apply to systems / products / equipment / infrastructure (including both hardware and software) throughout design, development, test, production, use, and disposal.”
URL: http://www.system-safety.org/Documents/MIL-STD-882E.pdf
Summary: This is similar to ISO 26262 in that it is a risk-based safety standard; however, the DoD's version covers the entire life cycle of the system: the design, development, test, production, use, and disposal stages. It also uses a good risk ranking system that could be useful for your own threat modeling.


SEVERITY CATEGORIES
Description   Severity  Mishap Result Criteria
Catastrophic  1         Could result in one or more of the following: death, permanent total disability, irreversible significant environmental impact, or monetary loss equal to or exceeding $10M.
Critical      2         Could result in one or more of the following: permanent partial disability, injuries or occupational illness that may result in hospitalization of at least three personnel, reversible significant environmental impact, or monetary loss equal to or exceeding $1M but less than $10M.
Marginal      3         Could result in one or more of the following: injury or occupational illness resulting in one or more lost work day(s), reversible moderate environmental impact, or monetary loss equal to or exceeding $100K but less than $1M.
Negligible    4         Could result in one or more of the following: injury or occupational illness not resulting in a lost work day, minimal environmental impact, or monetary loss less than $100K.

Table 2-5: MIL-STD-882E Severity Rankings


PROBABILITY LEVELS
Description  Level  Specific Individual Item                                                                          Fleet or Inventory
Frequent     A      Likely to occur often in the life of an item.                                                     Continuously experienced.
Probable     B      Will occur several times in the life of an item.                                                  Will occur frequently.
Occasional   C      Likely to occur sometime in the life of an item.                                                  Will occur several times.
Remote       D      Unlikely, but possible to occur in the life of an item.                                           Unlikely, but can reasonably be expected to occur.
Improbable   E      So unlikely, it can be assumed occurrence may not be experienced in the life of an item.          Unlikely to occur, but possible.
Eliminated   F      Incapable of occurrence. This level is used when potential hazards are identified and later eliminated.   Incapable of occurrence. This level is used when potential hazards are identified and later eliminated.

Table 2-6: MIL-STD-882E Probability Levels


RISK ASSESSMENT MATRIX
Probability     Catastrophic (1)  Critical (2)  Marginal (3)  Negligible (4)
Frequent (A)    High              High          Serious       Medium
Probable (B)    High              High          Serious       Medium
Occasional (C)  High              Serious       Medium        Low
Remote (D)      Serious           Medium        Medium        Low
Improbable (E)  Medium            Medium        Medium        Low
Eliminated (F)  Eliminated        Eliminated    Eliminated    Eliminated

Table 2-7: MIL-STD-882E Risk Matrix


Five Star Automotive Cyber Safety Program

The public group I Am The Cavalry published an open letter in August 2014 at DEF CON in Las Vegas. The letter was designed to be a guideline for future communication and could be used to grade how the industry is doing in the field of automotive cyber security.

It features five principles:

1. Safety By Design - Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain?
  • Standard Based: Use of vetted ISO, NIST or industry standards.
  • Supply Chain Rigor: Well-governed, traceable hardware and software supply chains.
  • Reduction of Elective Attack Surface & Complexity: Reduction of attack surface lowers exposure.
  • Independent, Adversarial Resilience Testing: Independent, qualified security testing from those outside of the development team.
2. Third Party Collaboration - Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith?
  • Standard Based: Use of vetted ISO standards for vendor-side disclosure practices and for internal vulnerability handling.
  • Positive Incentives: Positive “Recognition and Reward” systems to encourage and stimulate participation in bug reporting.
  • Known Interfaces: Independent vulnerability disclosure coordinators.
3. Evidence Capture - Do your vehicle systems provide tamper-evident, forensically sound logging and evidence capture to facilitate safety investigations?
  • Logging and Legal Standards: Lowest common denominator syntax and verbosity as well as cyber forensics.
  • Improve Effectiveness of NHTSA: Collecting and retaining data as recommended for cause analysis in the event of a crash.
  • Privacy Sensitivity: Decoupling logged data from citizens to avoid privacy and surveillance issues.
4. Security Updates - Can your vehicles be securely updated in a prompt and agile manner?
  • Secure Updating System: Authenticity and quality verification on system updates.
  • Service Level Agreements (SLA): Fast Mean Times To Repair (MTTR).
  • Robust Notification/Communication: Public communication should be transparent and forthright.
5. Segmentation and Isolation - Do you have a published attestation of the physical and logical isolation measures you have implemented to separate critical systems from non-critical systems?
  • “Air Gaps”: Physical separation of critical systems.
  • System Integrity/Recovery: Implementation of a safe recovery mode.
  • Enhanced Assurance: Third party review and validation of architecture, implementation and adversary resilience.


URL: https://www.iamthecavalry.org/domains/automotive/5star/
Summary: I Am The Cavalry is not a standards group but a public group of security and industry professionals that seeks collaboration between security researchers and the industry. Their primary focus as of this writing is not only automotive security but also medical devices and the larger Internet of Things (IoT) category.

State of the Policies

In 2014 newer proposals directly addressed the automotive cyber threat. Most of these policies and guidelines are still in their proposal stage, but there should be real progress in these areas in 2015. The two NHTSA requests for comments are great examples of attempting to create informed proposals openly and soliciting input from the community. I Am The Cavalry was the first non-industry, non-government group to attempt to appeal to the overall community. There is a significant effort underway by both the automotive industry and regulatory bodies to get ahead of the auto cyber security threat before the bad guys do.