Welcome to session I: Exchange on best practices and challenges
ITEA Cyber Security Day
Dr. Eric Armengaud
AVL List GmbH (Headquarters), Confidential
AVL Company Presentation
Facts and Figures
Founded / Employees Worldwide / Of Turnover Invested in Inhouse R&D
Global Footprint / Years of Experience / Engineers and Scientists / Granted Patents in Force
Represented in 26 countries
45 Affiliates divided over 93 locations
45 Global Tech and Engineering Centers (including Resident Offices)
Export Quota
ENGINEERING SERVICES
▪ Design and development services for all elements of ICE, HEV, BEV and FCEV powertrain systems
▪ System integration into vehicle, stationary or marine applications
▪ Supporting future technologies in areas such as ADAS and Autonomous Driving
▪ Technical and engineering centers around the globe

INSTRUMENTATION AND TEST SYSTEMS
▪ Advanced and accurate simulation and testing solutions for every aspect of the powertrain development process
▪ Seamless integration of the latest simulation, automation and testing technologies
▪ High-definition insights into the behavior and interactions of components, systems and entire vehicles

ADVANCED SIMULATION TECHNOLOGIES
▪ We are a proven partner in delivering efficiency gains with the help of virtualization
▪ Simulation solutions for all phases of the powertrain and vehicle development process
▪ Pushing key tasks to the start of development
ELECTRIFICATION, ADAS AND AUTONOMOUS DRIVING, ZERO-IMPACT EMISSION, VEHICLE ENGINEERING, DATA INTELLIGENCE
From road transportation to smart mobility
ERTRAC, Strategic Research Agenda, Input to 9th EU Framework Programme, March 2018, www.ertrac.org
Holistic dependability engineering for collaborative, autonomous systems (Runtime / Design Time)
Confidential / 5 | Dr. Eric Armengaud | AVL List GmbH | 15 January 2021
www.deis-project.eu
We Owe It to the Planet
It is our duty as an organization to contribute to the resolution of social, cultural and global issues – especially with regards to environmental protection, sustainability and global emission reduction.
Thank you
HANS-LIST-PLATZ 1, 8020 GRAZ
www.avl.com [email protected]

Rennes: Smart mobility and cybersecurity
Contacts: F. Bodin ([email protected]), Paul-André Pincemin ([email protected])
15 January 2021

Introduction
• The implementation of smart mobility services is a driver for metropolis development
– Transportation is an important part of the metropolis budget
• Smart mobility increases the potential for cyber attacks
• The objectives of developing a metropolitan reference framework are
– To allow reasonable risk-taking (x4 in France since 2019, src: ANSSI)
– To help build an effective remediation capacity
– To set up experimental and simulation capabilities
• The general point of view taken is that of the metropolitan organising authority
• Rennes Metropolis’ action is included in the French program CSF "Territory of Trust".

Smart mobility -1
• Covers many sectors*
– Accessibility for people with reduced mobility
– Mobility assistance
– Transport management
– The fight against climate change
– Active modes, shared and alternative transports
– Data sharing and protection
– Protection of the environment, air quality
– Road safety
– Safety in transport
– Etc.
*http://www.mobilite-intelligente.com

Smart mobility -2
• Focus on synergies between transport modes
• Involves numerous infrastructures
– Operated by different entities
• Based on the collection and exchange of data
– From sensors, operators, etc.
– As well as personal data
• Is framed by numerous standards and norms
– But approaches to deal with transversal issues are not well defined yet for smart mobility

(Figure: an illustration of the systems involved)

What is specific to smart city cybersecurity? -1
• Operates many vital services (e.g. water)
• In a mix of legacy and new infrastructures
• Preserving citizens’ trust is critical
• Combines SI (information systems) and IoT cybersecurity issues
• IoT devices are usually weak on security, can be stolen, etc.
• Many open buildings (e.g. city hall)
• Convergence of physical and cyber spaces
• Holds many citizens’ private data
• Video surveillance data, tax data, service users’ data, …
• Integration of numerous services
• Very large attack surface with “chain reactions” difficult to identify

What is specific to smart city cybersecurity? -2
• Many infrastructure interdependencies
• Communication network
• Infrastructure remote control
• Backups and restoration not always optimal
• Small and large cities with very different capabilities
• Silo-based organization but transversal infrastructures
• Cybersecurity is a holistic issue
• Incremental development over a long period, lacking agility
• Many external operators
• Internal threat underestimated, low budget, …
• Mutualisation of CERT and other shared approaches possible
• Easier to share (real-time) attack information
• Help smaller cities

Rennes Metropolis: current composition of the reflection committee
With support from ANSSI

Identified roadblocks
• No pre-production system usually available
• Definition of contingency modes / operations
• Availability of operational data
• Securing exchange of data
• Large data volume and complex analysis
• Simulation and analysis capacity
• Managing complexity and implementation limitations
• Lacking interoperability cybersecurity-wise

Works status in Rennes
• Effort to set up a structuring framework of the metropolitan landscape around an experimental "lab" which associates:
– cybersecurity for SMEs
– Industrial users
– Research laboratories
• Identification of structuring technical projects
– Interoperability of systems / tools
– Department-wide supervision / risk assessment
• Collaboration with the data portal project RUDI of the metropolis
• https://rudi.datarennes.fr/

The « CyberLab » setup
• Objectives
• Ensure interoperability and cybersecurity of the smart-city architectures and provide a platform to the players in the Rennes metropolitan area that is representative of the infrastructure of a smart city
• Key players: road infrastructure providers, transport/services companies, IT equipment manufacturers, industrialists, etc.
• First outcome of the reflections in 2020 with AMOSSYS, KEREVAL and WALLIX
– Create a CyberLab, the first French software-testing platform designed to assess the cyber resilience of intelligent mobility solutions and, more generally, the smart city
– Implementing a defensive, joint and anticipatory approach
– Need to manage the acceptability of residual risks
– With the support of Rennes Metropolis and Irisa

Secure Operations: Ensuring Cybersecurity to enable Industrial IoT
Unrestricted © Siemens Mobility GmbH | siemens.com/dcu
Leading global companies joined forces to encourage security in a networked world.
1. Protecting the data of individuals and companies
2. Preventing damage from people, companies and infrastructures
3. Establishing a reliable foundation on which confidence in a networked, digital world can take root and grow

Evolving Landscape
Information Processing → Automation → Digital Connectivity and Intelligence
1950s – 1960s: Military, governments and other organizations implement computer systems
1970s: Home computer is introduced
1980s: Computers make their way into schools, homes, business and industry
1990s: Digital enhancement of electrification and automation
1991: The World Wide Web becomes publicly accessible
1999: The globe is connected by the internet
2000s: Mobile flexibility
2010s: Cloud computing enters the mainstream
2015: Industry 4.0, Internet of Things & Big Data
2020s: Smart and autonomous systems, Artificial Intelligence
Incidents along the timeline: AT&T Hack, Blue Boxing, Morris Worm, AOHell, Melissa Worm, ILOVEYOU, Level Seven Crew hack, Cryptovirology, Denial-of-service attacks, Stuxnet, Heartbleed, sl1nk SCADA hacks, Industroyer/Crashoverride, WannaCry, NotPetya, Cloudbleed, Infineon/TPM, Meltdown/Spectre

Cybersecurity solutions focused on (OT) Security
IT Security vs. OT Security
• Primary goal: IT – Confidentiality; OT – Availability
• Asset lifecycle: IT – 3-5 years; OT – 20-40 years
• Software lifecycle: IT – Forced migration (e.g. PCs, smart phone); OT – Usage as long as spare parts available
• Options to add security SW: IT – High (> 10 “agents” on office PCs); OT – Low (old systems w/o “free” performance)
• Heterogeneity: IT – Low (~2 generations, Windows 7 and 10); OT – High (from Windows 95 up to 10)
• Main protection concept: IT – Standards based (agents & forced patching); OT – Case and risk based

Risk vs Budget
(Chart: “Your Risk” rising against “Your Budget” over Yesterday / Today / Tomorrow, with a major incident marked; captions “Ever growing risk landscape” and “Wait or use your creativity?”)
…costly impacts on operations
$1-2M / day: Economic impact of buying energy to replace production capabilities [1]
$38-88M: Average annual spend on unplanned downtime [2]
225,000: Customers without power due to the BlackEnergy attack, 2015 [3]
$300M: Cost of the NotPetya ransom ICS attack to a single industrial company in 2017 [4]
Sources: 1) Richmond Times, 2) GE Oil and Gas, 3) E-ISAC, 4) CNBC

Structure by IEC 62443
IEC 62443 - Roles and Scope
Cybersecurity Concepts for Mobility
Defense in Depth - IEC 62443: …”for future deployments, with products with built-in cybersecurity features”
Perimeter protection & IDS: …”installed base (legacy) and automation products without built-in cybersecurity”
Cybersecurity goal

IEC 62443 Security Levels
SL 1: Protection against unintentional or accidental attacks
SL 2: Protection against deliberate attacks with simple means – Attacker type: Script Kiddie
SL 3: Protection against intentional attacks with advanced means – Attacker type: Criminal organization
SL 4: Protection against intentional attacks with advanced resources – Attacker type: Nations / Agencies

Cybersecurity Pillars
IDS, JRS / SPX, DCU (CONFIDENTIAL)

DCU: Data Capture Unit (Data Diode)
© Siemens Mobility GmbH 2020
Enabling connectivity while keeping networks physically isolated? …Data Diode technology
(Diagram: Critical network Tx → electromagnetic induction → Rx Open network; PHY Tx/Rx on each side)
▪ Guarantees protection and network isolation via a hardware design that lacks the vulnerability of firewalls
▪ Reliable - MTBF +16yrs
▪ Galvanic isolation & physical separation ensure only one-way communication

Connectivity Concept
3. Cloud: Vendor, Cloud App, VPN, Deploy Security Patches, Rollout Applications and Updates, Worldwide Device Management, Asset Management
2. IT Network: Router + FW, Worldwide Cloud Connector, OWG App Storage, Industrial Edge Runtime, Diagnostics and Connectors, Local data storage, OWG receiver, Rail Operator DCU
1. OT Network (SIG): OCC – OWG sender, OWG – DCU, Real-time data collection, TVD, IXL, SCADA / Interlocking; 0% risk of customer operation disruption

Designed to be modular (the same three layers: Cloud with Vendor, Cloud App, Asset Management and VPN; IT Network with Router + FW and OWG Receiver; OT Network (SIG) with Rail Operator DCU, OWG Sender and SCADA / Interlocking)

USPs
• Safety assessment
• 0% risk of operation disruption
• Vendor neutral
• SL3 - IEC 62443 4-2
• Standard protocols
CONFIDENTIAL
IDS: Intrusion Detection System
© Siemens Mobility GmbH 2020

Topology with DCU
• IT/Enterprise network: IDS Server, receiving security logs via Syslog
• IDS Sensors: attached to port mirrors on the Industrial Switches, forwarding security logs to the IDS Server
• OT / Signaling (safety) network: Industrial Switches, Endpoints

JRS: Juridical Recording System & Encryption
© Siemens Mobility GmbH 2020
What & Why
What
• JRS collects, stores and validates all critical SIG system data.
• JRS provides “Proof” that the stored data is unaltered and complete (integrity intact).
• JRS prevents the alteration and/or deletion of data acc. to the IEC 62443 security concept: Components, Communication
Why
• Data from juridical recorders is needed for all legal or formal investigations of accidents or “near-miss” situations.
• CENELEC 50701 will require data integrity tools for new railway systems.

Main features
1. Modular juridical recorder - Based on X.509 Certificates (PKI)
2. RAID 6 - High performance and reliable data storage
3. Secure OS – S2L2 with Certificates, Secure Boot and Whitelisting
4. IEC 62443 4-2 SL3 - Compliant
5. Interference Free – Compatible with DCU Functionality
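The “proof that the stored data is unaltered and complete” claim above is what a juridical recorder has to be able to demonstrate to an investigator. The following added illustration (not Siemens code, and not a description of the JRS design) shows one way such a check can work: each recorded event is hash-chained to its predecessor, and a seal over the record count and chain head stands in for the PKI signature that an X.509-based recorder would produce. The event records and the seal key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the private key behind an X.509 certificate
# (assumption: a real recorder would sign with its PKI key, not an HMAC secret).
SEAL_KEY = b"constructed-demo-seal-key"
GENESIS = "0" * 64

# Constructed sample of interlocking (IXL) events; not real recorder data.
SAMPLE_EVENTS = [
    {"t": "2021-01-15T08:00:01", "src": "IXL", "event": "route R7 requested"},
    {"t": "2021-01-15T08:00:02", "src": "IXL", "event": "point P3 locked normal"},
    {"t": "2021-01-15T08:00:03", "src": "IXL", "event": "signal S12 cleared"},
]


def entry_digest(seq, prev, data):
    """Hash of one entry; covers seq and the previous digest so entries are chained."""
    payload = json.dumps({"seq": seq, "prev": prev, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def seal_for(count, head):
    """Seal over (record count, head digest); stands in for a PKI signature."""
    return hmac.new(SEAL_KEY, f"{count}:{head}".encode(), "sha256").hexdigest()


def build_chain(events):
    """Append events in order; returns the chained entries and a seal over the head."""
    chain, prev = [], GENESIS
    for seq, data in enumerate(events):
        digest = entry_digest(seq, prev, data)
        chain.append({"seq": seq, "prev": prev, "data": dict(data), "digest": digest})
        prev = digest
    return chain, seal_for(len(chain), prev)


def validate(chain, seal):
    """Return (ok, reason): recompute every link, then check the seal over the head."""
    prev = GENESIS
    for expected_seq, entry in enumerate(chain):
        # A deleted or reordered record breaks the seq / prev linkage.
        if entry["seq"] != expected_seq or entry["prev"] != prev:
            return False, f"gap or reordering before seq {expected_seq}"
        # An edited record no longer matches its stored digest.
        if entry_digest(entry["seq"], entry["prev"], entry["data"]) != entry["digest"]:
            return False, f"record {entry['seq']} altered"
        prev = entry["digest"]
    # Truncation at the tail, or a rewritten chain, shows up in the seal.
    if not hmac.compare_digest(seal_for(len(chain), prev), seal):
        return False, "seal mismatch: records truncated, appended or rewritten"
    return True, "integrity intact"


if __name__ == "__main__":
    chain, seal = build_chain(SAMPLE_EVENTS)
    print(validate(chain, seal))
    chain[1]["data"]["event"] = "signal S12 at danger"  # simulate an after-the-fact edit
    print(validate(chain, seal))
```

Because the seal binds the record count, removing the newest record is detected even though every remaining link still verifies; a middle deletion is caught earlier by the sequence check.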
Data flow: 1 | Data collection → 2 | Data Storage → 3 | Evaluation & Validation → 4 | Data Extraction
Components along the flow: IXL → DCU / Diagnostic PCs → RAID 6 → JRS software → Customer or Siemens

WORKING FOR A POLLUTION-FREE TOMORROW …ONE JOURNEY AT A TIME
SIEMENS Mobility Disclaimer
© Siemens AG 2020
Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract.
All product designations may be trademarks or other rights of Siemens AG, its affiliated companies or other companies whose use by third parties for their own purposes could violate the rights of the respective owner.
Page 26 | Unrestricted | © Siemens Mobility 2020 | Andres G. Guilarte | SMO RI PR | 2020-12-02

Contact
Published by Siemens Mobility GmbH
Andres G. Guilarte Global Product Manager SMO RI PR SD Germany
E-mail [email protected]
Security for the Internet of Lights
Sandeep Kumar, R&D Group Manager IoT Security, Signify Research
Signify is the world leader in lighting. We provide high-quality energy efficient lighting products, systems and services: light sources, luminaires, systems and services.
• No. 1 in Connected, LED and Conventional lighting
• €6.2bn sales in 2019, ~75% professional
• 37,000 people in 74 countries
• No. 1 Industry Leader, Dow Jones Sustainability Index 2017-2019
• #1 smart home lighting system to light your home and garden smarter
The Internet of Lights
It all began with LEDIFICATION: energy efficiency, long lasting, better quality
The next revolution: BEYOND Lighting – remote controls, sensors, connectivity, management. There is more to lighting beyond illumination.
• Indoor Positioning – Perfect light, precise location: determine the real-time and exact position and orientation of a shopper using visual light communication
• Space Management: Optimize office space through occupancy and space usage data collected over the smart lighting system
Internet of Lights: the most dense sensor network on the planet, and the largest attack surface of remotely connectable devices

Security: Challenges and Best Practices
Challenges
1. MINDSET: Build security into a formerly analog world
Best practice: Secure Development Lifecycle (SDL) Process
• Requirements: Security Risk Assessment (SRA), Privacy Impact Assessment (PIA)
• Design: Security Architecture Review
• Implementation: Secure code review, Hardening, 3rd party code analysis
• Verification: Functional Security Testing, Penetration Testing
• Release: Security Review, Incident Response Plan
• Response: Software updates, Responsible Disclosure, Security Monitoring
Security Training across Organization
Not just build, but keep it secure: monitoring, patching, vulnerability management

Challenges
2. LIFECYCLE: Managing over multiple technology waves
• Commissioner-based workflow
• Very long lifetime
• Huge deployment sizes
Best practice: Security lifecycle – security from cradle to grave
• Manufactured: key generation and storage; authenticity (and confidentiality)
• Installed / Commissioned (bootstrapping): authentication & authorization; key storage; secure communication
• Application running (operational)
• Reconfigured / software update (maintenance & re-bootstrapping): key updates; authorization
• Removed & replaced, reownership & recommissioned (maintenance & re-bootstrapping)
• Decommissioned

Challenges
3. TECHNOLOGY and REGULATIONS: Finding the right balance
• Unique for lighting: latency, synchronicity, ..
• Device constraints
• Global standards
Best practice: Our compliance wishlist
(Table: Professional lighting systems, Professional lighting services and Consumer smart home lighting systems, mapped against IEC 62443 and a Secure Software Development Lifecycle)

Investor Presentation
Security Challenges of Telecom Industry
Dr. Emin İslam Tatlı, Turkcell Cyber Security Director
ITEA Cyber Security Day, 15th January 2021

About Turkcell
STRATEGIC FOCUS AREAS: Digital Services, Digital Business Solutions, Techfin Services, Telecom Services
CYBER SECURITY: Security Infrastructure Management, Identity & Access Management, Security Monitoring (SOC), Security Testing

Turkcell Managed Security Services
• DDoS Attack Simulation
• Phishing Simulation
• Pentest (+Forensics)
• SOC
• Identity & Access Mng.
• Cyber Threat Intelligence
• Consultancy
• Turkcell Digital Security Service
• Diameter FW
• SOC SOAR
• SEPP
• Cont. Vulnerability Scan
• GUI & Product
• Turkcell Anti-Fraud
• SOC Log Archive
• SOC EDR

The New Challenges
• Security complexity of the Telecom Industry has increased:
o Past: access network security, core network security
o Today: web security, mobile app security, security testing, 5G security (IoT security, IIoT security), fintech security, DevSecOps
• Penetration Testing has become insufficient; new concepts are needed:
o Red-teaming, Purple-teaming
o Attack Surface Analysis
o Continuous Security Testing
o Paper-based reporting is no longer adequate.

The New Challenges (cont.)
• Vulnerability & Patch Management have become the number one issue of cyber security:
o More and more critical vulnerabilities are published per week/month.
o Critical vulnerabilities are exploited within 1-2 days via large-scale analysis.
o Patching hundreds of systems in time is difficult; a priority plan is needed.
o Backdoors, supply-chain attacks
• DevSecOps / Secure SDLC
o Secure SDLCs (e.g. SAMM, BSIMM, etc.) need to be integrated into developer IDEs and DevOps platforms.
o Outsourced software development has become riskier.

The New Challenges (cont.)
• Authentication
o Username-password still alive
o Behaviour-based authentication
o Can CAPTCHA be replaced with ML?
• DDoS (Distributed Denial of Service)
o More and more enterprises and SMEs exploit Telco-grade DDoS mitigation.
o The number and size of pps-based attacks are rapidly growing compared to bps-based attacks.
o Multiple customers are explicitly attacked at the same time.
o Machine learning should be better exploited, especially for clean traffic profiling.

Thank You!
Twitter: @eitatli
LinkedIn: https://www.linkedin.com/in/tatli/