Welcome to session I: Exchange on best practices and challenges
ITEA Cyber Security Day

Dr. Eric Armengaud

AVL List GmbH (Headquarters)

AVL Company Presentation

Facts and Figures

[Infographic: Founded; Employees Worldwide; Percentage of Turnover Invested in Inhouse R&D; Global Footprint; Years of Experience; Engineers and Scientists; Granted Patents in Force; Export Quota. The numeric values did not survive extraction.]

▪ Represented in 26 countries
▪ 45 Affiliates divided over 93 locations
▪ 45 Global Tech and Engineering Centers (including Resident Offices)

ENGINEERING SERVICES
▪ Design and development services for all elements of ICE, HEV, BEV and FCEV powertrain systems
▪ System integration into vehicle, stationary or marine applications
▪ Supporting future technologies in areas such as ADAS and Autonomous Driving
▪ Technical and engineering centers around the globe

INSTRUMENTATION AND TEST SYSTEMS
▪ Advanced and accurate simulation and testing solutions for every aspect of the powertrain development process
▪ Seamless integration of the latest simulation, automation and testing technologies
▪ High-definition insights into the behavior and interactions of components, systems and entire vehicles

ADVANCED SIMULATION TECHNOLOGIES
▪ We are a proven partner in delivering efficiency gains with the help of virtualization
▪ Simulation solutions for all phases of the powertrain and vehicle development process
▪ Pushing key tasks to the start of development

ELECTRIFICATION | ADAS AND AUTONOMOUS DRIVING | ZERO-IMPACT EMISSION | VEHICLE ENGINEERING | DATA INTELLIGENCE

From road transportation to smart mobility

ERTRAC, Strategic Research Agenda, Input to 9th EU Framework Programme, March 2018, www.ertrac.org

Dr. Eric Armengaud | AVL List GmbH | 15 January 2021

Holistic dependability engineering for collaborative, autonomous systems (Runtime / Design Time)

www.deis-project.eu


We Owe It to the Planet

It is our duty as an organization to contribute to the resolution of social, cultural and global issues, especially with regard to environmental protection, sustainability and global emission reduction.

Thank you

HANS-LIST-PLATZ 1, 8020 GRAZ

www.avl.com | [email protected]

Rennes Metropolis

Smart mobility and cybersecurity

contacts: F. Bodin ([email protected]) Paul-André Pincemin ([email protected])

15 January 2021

Introduction

• The implementation of smart mobility services is a driver for metropolises development

– Transportation is an important part of the metropolis budget

• Smart mobility increases the potential for cyber attacks

• The objective of developing a metropolitan reference framework is

– To allow reasonable risk-taking (×4 in France since 2019, source: ANSSI)

– To help build an effective remediation capacity

– To set up experimental and simulation capabilities

• The general point of view taken is that of the metropolitan organising authority

• Rennes Metropolis' action is included in the French program CSF "Territory of Trust".

Smart mobility -1

• Covers many sectors*
– Accessibility for people with reduced mobility
– Mobility assistance
– Transport management
– The fight against climate change
– Active modes, shared and alternative transports
– Data sharing and protection
– Protection of the environment, air quality
– Road safety
– Safety in transport
– Etc.

*http://www.mobilite-intelligente.com

Smart mobility -2

• Focus on synergies between transport modes

• Involves numerous infrastructures – Operated by different entities

• Based on the collection and exchange of data – From sensors, operators, etc. – As well as personal data

• Is framed by numerous standards and norms – But approaches to deal with transversal issues are not yet well defined for smart mobility

[Figure: An illustration of the systems involved]

What is specific to smart city cybersecurity? -1

• Operates many vital services (e.g. water)
• A mix of legacy and new infrastructures
• Preserving citizens' trust is critical

• Combines IT (information systems) and IoT cybersecurity issues
• IoT devices are usually weak on security, can be stolen, etc.
• Many open buildings (e.g. city hall)
• Convergence of physical and cyber spaces

• Holds large amounts of citizens' private data: video surveillance data, tax data, service users' data, ...
• Integration of numerous services

• Very large attack surface, with "chain reactions" that are difficult to identify

What is specific to smart city cybersecurity? -2

• Many infrastructure interdependencies: communication network, infrastructure remote control
• Backups and restoration not always optimal
• Small and large cities with very different capabilities

• Silo-based organization but transversal infrastructures: cybersecurity is a holistic issue
• Incremental development over a long period, lacking agility
• Many external operators
• Internal threat underestimated, low budget, ...

• Mutualisation of CERTs and other shared approaches possible: easier to share (real-time) attack information, helps smaller cities

Rennes Metropolis: current composition of the reflection committee

With support from ANSSI

Identified roadblocks

• No pre-production system usually available
• Definition of contingency modes / operations
• Availability of operational data
• Securing exchange of data
• Large data volume and complex analysis
• Simulation and analysis capacity
• Managing complexity and implementation limitations
• Lacking interoperability cybersecurity-wise

Works status in Rennes

• Effort to set up a structuring framework of the metropolitan landscape around an experimental "lab" which associates:
– cybersecurity for SMEs
– Industrial users
– Research laboratories

• Identification of structuring technical projects – Interoperability of systems / tools – Department-wide supervision / risk assessment

• Collaboration with the data portal project RUDI of the metropolis: https://rudi.datarennes.fr/

The "CyberLab" setup

• Objectives: ensure interoperability and cybersecurity of the smart-city architectures, and provide a platform to the players in the Rennes metropolitan area that is representative of the infrastructure of a smart city
• Key players: road infrastructure providers, transport/services companies, IT equipment manufacturers, industrialists, etc.
• First outcome of the reflections in 2020 with AMOSSYS, KEREVAL and WALLIX
– Create a CyberLab, the first French software-testing platform designed to assess the cyber resilience of intelligent mobility solutions and, more generally, the smart city
– Implementing a defensive, joint and anticipatory approach
– Need to manage the acceptability of residual risks
– With the support of Rennes Metropolis and Irisa

Secure Operations: Ensuring Cybersecurity to enable Industrial IoT

Unrestricted © Siemens Mobility GmbH | siemens.com/dcu

Leading global companies joined forces to encourage security in a networked world.

1. Protecting the data of individuals and companies
2. Preventing damage from people, companies and infrastructures
3. Establishing a reliable foundation on which confidence in a networked, digital world can take root and grow

Evolving Landscape

1950s – 1960s: Military, governments and other organizations implement computer systems (Information Processing)
1970s: The home computer is introduced
1980s: Computers make their way into schools, homes, business and industry (Automation)
1990s: Digital enhancement of electrification and automation
1991: The World Wide Web becomes publicly accessible
1999: The globe is connected by the internet (Digital Connectivity)
2000s: Mobile flexibility
2010s: Cloud computing enters the mainstream
2015: Industry 4.0, Internet of Things & Big Data
2020s: Smart and autonomous systems, Artificial Intelligence (Intelligence)

Incidents along the same timeline: Blue Boxing, AT&T Hack, Morris Worm, Melissa Worm, ILOVEYOU, AOHell, Level Seven Crew hack, Cryptovirology, Denial-of-service attacks, sl1nk SCADA hacks, Industroyer/Crashoverride, WannaCry, NotPetya, Cloudbleed, Infineon TPM, Meltdown/Spectre

Cybersecurity solutions focused on (OT) Security

IT Security vs OT Security

Primary goal: Confidentiality (IT) / Availability (OT)
Asset lifecycle: 3-5 years (IT) / 20-40 years (OT)
Software lifecycle: Forced migration, e.g. PCs, smart phones (IT) / Usage as long as spare parts are available (OT)
Options to add security SW: High, > 10 "agents" on office PCs (IT) / Low, old systems without "free" performance (OT)
Heterogeneity: Low, ~2 generations, Windows 7 and 10 (IT) / High, from Windows 95 up to 10 (OT)
Main protection concept: Standards based, agents & forced patching (IT) / Case and risk based (OT)

Risk vs Budget

[Chart: Your Risk vs Your Budget over Yesterday, Today, Tomorrow and Afterwards; the risk curve keeps rising while the budget stays flat, with a major incident marked on the timeline]

Ever growing risk landscape. Wait or use your creativity?

…costly impacts on operations

$1-2M / day: Economic impact of buying energy to replace energy production capabilities (1)
$38-88M: Average annual spend on unplanned downtime (2)
225,000: Customers without power due to the BlackEnergy attack, 2015 (3)
$300M: Cost of the NotPetya ransom ICS attack to a single industrial company in 2017 (4)

Sources: 1) Richmond Times, 2) GE Oil and Gas, 3) E-ISAC, 4) CNBC

Structure by IEC 62443

IEC 62443 - Roles and Scope

Cybersecurity Concepts for Mobility

• Defense in Depth - IEC 62443: …"for future deployments, with products with built-in cybersecurity features"
• Perimeter protection & IDS: …"installed base (legacy) and automation products without built-in cybersecurity"

Cybersecurity goal: IEC 62443 Security Levels

SL 1: Protection against unintentional or accidental attacks
SL 2: Protection against deliberate attacks with simple means – attacker type: Script Kiddie
SL 3: Protection against intentional attacks with advanced means – attacker type: Criminal organization
SL 4: Protection against intentional attacks with advanced resources – attacker type: Nations / Agencies

Cybersecurity Pillars

IDS | JRS / SPX | DCU

DCU: Data Capture Unit (Data Diode)

© Siemens Mobility GmbH 2020

Enabling connectivity while keeping networks physically isolated? …Data Diode technology

[Diagram: Critical network on one side, Open network on the other; the PHY transmit path of the critical side is coupled to the receive path of the open side by electromagnetic induction, so there is no receive path back into the critical network]

▪ Guarantees protection and network isolation through the hardware design itself: there is no rule set or software stack to misconfigure or exploit, as there is in a firewall
▪ Reliable - MTBF +16 yrs
▪ Galvanic isolation & physical separation ensure one-way communication only

Connectivity Concept

3. Cloud (Vendor): Cloud App; Asset Management; VPN – worldwide device management; deployment of security patches
2. IT Network (Rail Operator): Router + FW; Cloud Connector; Industrial Edge Runtime with OWG App, Storage, Diagnostics and Connectors; local data storage; OWG receiver; rollout of applications and updates
1. OT Network (SIG): SCADA / Interlocking (IXL), TVD, OCC; real-time data collection; OWG sender; DCU between the OT and IT networks, so that connectivity carries 0% risk of customer operation disruption

Designed to be modular: the DCU sits between the OWG sender on the OT side and the OWG receiver on the IT side.

USPs: Safety assessment | 0% risk of operation disruption | Vendor neutral | SL3 - IEC 62443-4-2 | Standard protocols
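The slides above describe an OWG sender on the OT side and an OWG receiver on the IT side, separated by the data diode. The property that matters for the software on either side is that nothing can travel back: the receiver can never acknowledge or request a retransmission. The following is an added example, not Siemens code, of how sender and receiver can be framed to cope with that: the sender numbers each record, protects it with a keyed digest and repeats every frame, and the receiver de-duplicates, rejects corrupted frames and reports gaps rather than asking for them again. The frame layout, the shared key, the record contents and the loss pattern are all constructed for the example.

```python
"""One-way transfer over a data diode: sender and receiver framing (added example, not Siemens code)."""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

REPEATS = 3                           # forward redundancy replaces retransmission
TAG_LEN = 32                          # HMAC-SHA256 output
HDR = struct.Struct(">IH")            # 32-bit sequence number, 16-bit payload length
KEY = b"constructed-example-key"      # constructed; a real deployment provisions the key out of band


def build_frame(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Frame = header | payload | HMAC-SHA256 over header+payload."""
    hdr = HDR.pack(seq, len(payload))
    tag = hmac.new(key, hdr + payload, hashlib.sha256).digest()
    return hdr + payload + tag


def send(records: Iterable[bytes], repeats: int = REPEATS, key: bytes = KEY) -> list[bytes]:
    """Sender side: number each record and emit `repeats` identical copies of its frame."""
    out: list[bytes] = []
    for seq, rec in enumerate(records):
        out.extend([build_frame(seq, rec, key)] * repeats)
    return out


class Receiver:
    """Receiver side: verify, de-duplicate and account for what never arrived."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.records: dict[int, bytes] = {}
        self.rejected = 0

    def receive(self, frame: bytes) -> Optional[int]:
        """Verify one frame; return its sequence number, or None if it was rejected."""
        if len(frame) < HDR.size + TAG_LEN:
            self.rejected += 1
            return None
        seq, n = HDR.unpack_from(frame)
        payload = frame[HDR.size:HDR.size + n]
        tag = frame[HDR.size + n:]
        expected = hmac.new(self.key, frame[:HDR.size + n], hashlib.sha256).digest()
        if len(payload) != n or len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
            self.rejected += 1
            return None
        self.records.setdefault(seq, payload)     # duplicate copies are expected and ignored
        return seq

    def gaps(self) -> list[int]:
        """Sequence numbers never seen: lost in every copy; they can only be reported, not re-requested."""
        if not self.records:
            return []
        return [s for s in range(max(self.records) + 1) if s not in self.records]

    def ordered(self) -> list[bytes]:
        return [self.records[s] for s in sorted(self.records)]


def lossy_channel(frames: list[bytes], drop: set[int], corrupt: set[int]) -> list[bytes]:
    """Simulated diode link: drops frames at the given indices and flips one payload byte in others."""
    out: list[bytes] = []
    for i, f in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:HDR.size] + bytes([f[HDR.size] ^ 0xFF]) + f[HDR.size + 1:]
        out.append(f)
    return out


def demo() -> tuple[list[bytes], list[int], int]:
    """Constructed run: four signalling events, 12 frames on the wire, some lost or damaged."""
    records = [b"IXL point P12 locked", b"TVD section 4 occupied",
               b"signal S7 green", b"IXL point P12 released"]
    frames = send(records)
    # all three copies of record 0 lost; one copy of record 1 lost; one copy of record 2 corrupted
    delivered = lossy_channel(frames, drop={0, 1, 2, 3}, corrupt={6})
    rx = Receiver()
    for f in delivered:
        rx.receive(f)
    return rx.ordered(), rx.gaps(), rx.rejected
```

In the constructed run the receiver recovers records 1 to 3, counts one rejected frame, and reports sequence number 0 as a gap: on a one-way link that report, raised on the IT side, is the only place the loss can surface.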

IDS Intrusion Detection System

© Siemens Mobility GmbH 2020

Topology with DCU

• IT/Enterprise network: IDS Server, receiving security logs via Syslog
• OT / Signaling (safety) network: IDS Sensors attached to port mirrors on the Industrial Switches, monitoring the Endpoints passively
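An IDS sensor fed from a mirror port never transmits on the safety network, and on a signalling network the legitimate set of talkers is small and static. The following is an added example, not Siemens IDS code, of the detection that gives the most value in that setting: learn the set of allowed flows during a commissioning window, then classify everything outside it and forward the result as a syslog line to the IDS server. The IP addresses, the flow records and the sensor name are constructed; 2404/tcp is the real IEC 60870-5-104 port and 514/udp is syslog.

```python
"""Passive allowlist detection on a mirror-port feed (added example, not Siemens code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str      # source IP as seen on the mirror port
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


# Constructed learning window: what the sensor saw while the installation was commissioned.
TRAINING = [
    Flow("10.10.1.10", "10.10.1.20", "tcp", 2404),   # interlocking -> track vacancy detection
    Flow("10.10.1.30", "10.10.1.10", "tcp", 2404),   # operations control centre -> interlocking
    Flow("10.10.1.10", "10.10.1.50", "udp", 514),    # interlocking -> diagnostics collector
]

SEVERITY = {"new-talker": 1, "unknown-destination": 2, "unexpected-service": 4}  # syslog severities
LOCAL0 = 16                                                                      # syslog facility


def learn_baseline(training: list[Flow]) -> set[Flow]:
    """Every distinct flow seen in the learning window becomes an allowed flow."""
    return set(training)


def classify(flow: Flow, baseline: set[Flow]) -> Optional[str]:
    """Return None for baseline traffic, otherwise the anomaly category."""
    if flow in baseline:
        return None
    known_hosts = {f.src for f in baseline} | {f.dst for f in baseline}
    if flow.src not in known_hosts:
        return "new-talker"            # a host that never spoke before: highest priority
    if flow.dst not in known_hosts:
        return "unknown-destination"   # a known host reaching out to something new
    return "unexpected-service"        # known pair, but a protocol/port not in the baseline


def syslog_line(category: str, flow: Flow, sensor: str, timestamp: str) -> str:
    """RFC 5424 formatted line as the sensor would forward it to the IDS server."""
    pri = LOCAL0 * 8 + SEVERITY[category]
    msg = f"{category} src={flow.src} dst={flow.dst} proto={flow.proto} dport={flow.dport}"
    return f"<{pri}>1 {timestamp} {sensor} ids-sensor - - - {msg}"


def detect(observed: list[Flow], baseline: set[Flow], sensor: str, timestamp: str) -> list[str]:
    """Run the allowlist over a capture; each anomalous distinct flow is reported once."""
    seen: set[Flow] = set()
    alerts: list[str] = []
    for flow in observed:
        if flow in seen:
            continue
        seen.add(flow)
        category = classify(flow, baseline)
        if category is not None:
            alerts.append(syslog_line(category, flow, sensor, timestamp))
    return alerts


def demo() -> list[str]:
    """Constructed capture: normal traffic plus three things a signalling network should never show."""
    baseline = learn_baseline(TRAINING)
    observed = TRAINING * 2 + [
        Flow("10.10.1.99", "10.10.1.10", "tcp", 22),     # unknown laptop opening SSH to the interlocking
        Flow("10.10.1.30", "10.10.1.10", "tcp", 445),    # known OCC host, but SMB is not in the baseline
        Flow("10.10.1.30", "10.10.1.77", "tcp", 2404),   # known OCC host talking to a new address
        Flow("10.10.1.99", "10.10.1.10", "tcp", 22),     # repeat of the first anomaly: reported once
    ]
    return detect(observed, baseline, "ids-sensor-1", "2020-12-02T10:00:00Z")
```

The learning window is the weak point of any allowlist: whatever was on the wire during commissioning becomes "normal", so the baseline should be reviewed against the engineering documentation of the interlocking before the sensor is switched to alerting.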

Security logs from the OT / Signaling (safety) network (Industrial Switches, Endpoints) reach the IDS Server in the IT network only through the DCU.

JRS Juridical Recording System & Encryption

© Siemens Mobility GmbH 2020

What & Why

What
• JRS collects, stores and validates all critical SIG system data.
• JRS provides "proof" that the stored data is unaltered and complete (integrity intact).
• JRS prevents the alteration and/or deletion of data according to the IEC 62443 security concept: components, communication.

Why
• Data from juridical recorders is needed for all legal or formal investigations of accidents or "near-miss" situations.
• CENELEC 50701 will require data integrity tools for new railway systems.

Main features

1. Modular juridical recorder - Based on X.509 Certificates (PKI)

2. RAID 6 - High-performance and reliable data storage

3. Secure OS – S2L2 with Certificates, Secure Boot and Whitelisting

4. IEC 62443-4-2 SL3 - Compliant

5. Interference Free – Compatible with DCU Functionality
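"Unaltered and complete" is a checkable property once records are chained: each record's digest commits to its predecessor, and a seal over the chain head and the record count commits to the tail. The following is an added example, not the JRS implementation, of that mechanism. JRS is based on X.509 certificates, i.e. signatures; this example uses HMAC-SHA256 with a constructed key so it runs with the standard library only, and the recorded events are constructed. Verification reports which of the three failure modes it found: an edited record, a deleted or reordered record, or a truncated tail.

```python
"""Tamper-evident event log: hash chain closed by a keyed seal (added example, not the JRS implementation)."""
import hashlib
import hmac
from typing import List, Tuple

Entry = Tuple[int, bytes, bytes]      # (sequence number, payload, digest)
GENESIS = bytes(32)                   # digest "before" the first record
KEY = b"constructed-sealing-key"      # constructed; JRS would use a certificate-backed signing key


def record_digest(prev: bytes, seq: int, payload: bytes) -> bytes:
    """Digest binding this record to its predecessor; lengths are encoded so fields cannot be shifted."""
    h = hashlib.sha256()
    h.update(prev)
    h.update(seq.to_bytes(8, "big"))
    h.update(len(payload).to_bytes(4, "big"))
    h.update(payload)
    return h.digest()


def seal_value(head: bytes, count: int, key: bytes) -> bytes:
    """Keyed seal over the chain head and the number of records; catches deletion of the tail."""
    return hmac.new(key, head + count.to_bytes(8, "big"), hashlib.sha256).digest()


class JuridicalLog:
    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.entries: List[Entry] = []

    def append(self, payload: bytes) -> bytes:
        prev = self.entries[-1][2] if self.entries else GENESIS
        seq = len(self.entries)
        digest = record_digest(prev, seq, payload)
        self.entries.append((seq, payload, digest))
        return digest

    def seal(self) -> bytes:
        head = self.entries[-1][2] if self.entries else GENESIS
        return seal_value(head, len(self.entries), self.key)


def verify(entries: List[Entry], seal: bytes, key: bytes = KEY) -> Tuple[bool, str]:
    """Recompute the chain and check the seal; report the first inconsistency found."""
    prev = GENESIS
    for i, (seq, payload, digest) in enumerate(entries):
        if seq != i:
            return False, f"record missing or reordered at position {i}"
        if record_digest(prev, seq, payload) != digest:
            return False, f"record {i} altered"
        prev = digest
    if not hmac.compare_digest(seal, seal_value(prev, len(entries), key)):
        return False, "seal mismatch: tail truncated or seal forged"
    return True, "ok"


def demo() -> dict:
    """Constructed log of three signalling events, then three ways of tampering with it."""
    log = JuridicalLog()
    for event in (b"10:00:01 signal S7 cleared",
                  b"10:00:04 point P12 moved",
                  b"10:00:09 train 4711 passed S7"):
        log.append(event)
    seal = log.seal()

    altered = list(log.entries)
    seq, _, digest = altered[1]
    altered[1] = (seq, b"10:00:04 point P12 locked", digest)   # payload edited, digest left in place
    truncated = log.entries[:-1]                                # last record deleted
    removed = [log.entries[0], log.entries[2]]                  # middle record deleted

    return {
        "intact": verify(log.entries, seal),
        "altered": verify(altered, seal),
        "truncated": verify(truncated, seal),
        "removed": verify(removed, seal),
    }
```

The seal is what turns "every record still chains" into "and nothing is missing at the end"; without it a recorder that was powered off during the last minutes before an incident would still verify as intact. In a certificate-based design the seal is a signature issued periodically by the recorder's key, so the verifier needs only the certificate, not a shared secret.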

1 | Data collection: IXL, DCU / Diagnostic PCs
2 | Data Storage: RAID 6
3 | Evaluation & Validation: JRS software
4 | Data Extraction: Customer or Siemens

WORKING FOR A POLLUTION-FREE TOMORROW …ONE JOURNEY AT A TIME

SIEMENS Mobility Disclaimer

© Siemens AG 2020

Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract.

All product designations may be trademarks or other rights of Siemens AG, its affiliated companies or other companies whose use by third parties for their own purposes could violate the rights of the respective owner.

Unrestricted | © Siemens Mobility 2020 | Andres G. Guilarte | SMO RI PR | 2020-12-02

Contact

Published by Siemens Mobility GmbH

Andres G. Guilarte Global Product Manager SMO RI PR SD Germany

E-mail [email protected]

Security for the Internet of Lights

Sandeep Kumar, R&D Group Manager IoT Security, Signify Research

Signify is the world leader in lighting. We provide high-quality, energy-efficient lighting products, systems and services.

Light sources | Luminaires | Systems and Services

• No. 1 in Connected, LED and Conventional lighting
• €6.2bn sales in 2019, ~75% professional
• 37,000 people in 74 countries
• No. 1 Industry Leader, Dow Jones Sustainability Index 2017-2019
• #1 smart home lighting system to light your home and garden smarter

The Internet of Lights

It all began with LEDIFICATION: ENERGY EFFICIENCY | LONG LASTING | BETTER QUALITY

The next revolution: BEYOND Lighting

REMOTE CONTROLS | SENSORS | CONNECTIVITY | MANAGEMENT

There is more to lighting beyond illumination

Indoor Positioning: Perfect light, precise location. Determine the real-time and exact position and orientation of a shopper using visible light communication.

Space Management: Optimize office space through occupancy and space usage data collected over the smart lighting system.

Internet of Lights: the most dense sensor network on the planet, and the largest attack surface of remotely connectable devices

Security: Challenges and Best Practices

Challenges

1. MINDSET: Build security into a formerly analog world

Best practice: Secure Development Lifecycle (SDL) Process

Requirements: Security Risk Assessment (SRA); Privacy Impact Assessment (PIA)
Design: Security Architecture Review
Implementation: Secure code review; Hardening; 3rd party code analysis
Verification: Functional Security Testing; Penetration Testing
Release: Security Review; Incident Response Plan
Response: Software updates; Responsible Disclosure; Security Monitoring

Security Training across Organization

Not just build, but keep it secure: monitoring, patching, vulnerability management

Challenges

2. LIFECYCLE: Managing over multiple technology waves

COMMISSIONER-BASED WORKFLOW | VERY LONG LIFETIME | HUGE DEPLOYMENT SIZES

Best practice: Security lifecycle – security from cradle to grave

[Diagram: device states Manufactured → Installed → Commissioned → Application Running → Reconfigured → Application Running → Removed & replaced → Decommissioned, with Reownership & recommissioned looping back to Commissioned; phases Bootstrapping, Operational, Maintenance & re-bootstrapping. Security needs per phase: key generation and storage; authenticity (and confidentiality); authorization; authentication & authorization; key updates; software update; key storage; secure communication]

Challenges

3. TECHNOLOGY and REGULATIONS: Finding the right balance

UNIQUE FOR LIGHTING: Latency, Synchronicity, ... | DEVICE CONSTRAINTS | GLOBAL STANDARDS

Best practice: Our compliance wishlist

[Chart: Professional lighting systems and Professional lighting services mapped to IEC 62443 (part 4-1); Consumer smart home lighting systems mapped to a Secure Software Development Lifecycle]


Security Challenges of Telecom Industry
Dr. Emin İslam Tatlı, Turkcell Cyber Security Director
ITEA Cyber Security Day, 15th January 2021

About Turkcell

STRATEGIC FOCUS AREAS: Digital Services | Digital Business Solutions | Techfin Services | Telecom Services

CYBER SECURITY: Security Monitoring (SOC) | Security Management | Infrastructure Security | Identity & Access Management | Security Testing

Turkcell Managed Security Services

DDoS Attack Simulation | Phishing Simulation | Pentest (+Forensics) | SOC | Identity & Access Mng. | Cyber Threat Intelligence | Consultancy

Turkcell Digital Security Service (GUI & Product) | Diameter FW | SOC SOAR | SEPP | Continuous Vulnerability Scan | Turkcell Anti-Fraud | SOC Log Archive | SOC EDR

The New Challenges

• The security complexity of the Telecom Industry has increased:
o Past: access network security, core network security
o Today: web security, mobile app security, security testing, 5G security (IoT security, IIoT security), fintech security, DevSecOps

• Penetration Testing has become insufficient; new concepts are needed:
o Red-teaming, Purple-teaming
o Attack Surface Analysis
o Continuous Security Testing
o Paper-based reporting is no longer adequate.

The New Challenges (cont.)

• Vulnerability & Patch Management have become the number one issue of cyber security: o More and more critical vulnerabilities are published per week-month. o Critical vulnerabilities are exploited in 1-2 days via large-scale analysis. o Patching hundreds of systems in time is difficult, priority plan is needed. o Backdoors, Supply-chain attacks

• DevSecOps/Secure SDLC o Secure SDLCs (e.g. SAMM, BSIMM etc.) need to be integrated into Developer IDE and DevOps platforms. o Outsourced software development has become riskier.

The New Challenges (cont.)

• Authentication o Username-password still alive o Behaviour-based authentication o Can CAPTCHA be replaced with ML?

• DDoS (Distributed Denial of Service)
o More and more enterprises and SMEs use Telco-grade DDoS mitigation.
o The number and size of pps-based attacks are growing rapidly compared to bps-based attacks.
o Multiple customers are explicitly attacked at the same time.
o Machine learning should be better exploited, especially for clean-traffic profiling.

Thank You!

Twitter: @eitatli Linkedin: https://www.linkedin.com/in/tatli/
