ITEA Cyber Security Day Exchange on Best Practices and Challenges

ITEA Cyber Security Day Exchange on Best Practices and Challenges

Welcome to session I Exchange on best practices and challenges ITEA cyber Security Day Exchange on best practices and challenges Dr. Eric Armengaud AVL List GmbH (Headquarters) Confidential A V L C O M P A N Y P R E S E N T A T I O N Facts and Figures Founded Employees Worldwide Of Turnover Invested in Inhouse R&D Global Footprint Years of Experience Engineers and Scientists Granted Patents in Force Represented in 26 countries 45 Affiliates divided over 93 locations 45 Global Tech and Engineering Export Quota Centers (including Resident Offices) A V L C O M P A N Y P R E S E N T A T I O N ENGINEERING SERVICES INSTRUMENTATION AND TEST ADVANCED SIMULATION SYSTEMS TECHNOLOGIES ▪ Design and development services for all elements ▪ Advanced and accurate simulation and testing ▪ We are a proven partner in delivering efficiency of ICE, HEV, BEV and FCEV powertrain systems solutions for every aspect of the powertrain gains with the help of virtualization development process ▪ System integration into vehicle, stationary or ▪ Simulation solutions for all phases of the marine applications ▪ Seamless integration of the latest simulation, powertrain and vehicle development process automation and testing technologies ▪ Supporting future technologies in areas such as ▪ High-definition insights into the behavior and ADAS and Autonomous Driving ▪ Pushing key tasks to the start of development interactions of components, systems and entire vehicles ▪ Technical and engineering centers around the globe A V L C O M P A N Y P R E S E N T A T I O N ELECTRIFICATION ADAS AND AUTONOMOUS DRIVING ZERO-IMPACT EMISSION VEHICLE ENGINEERING DATA INTELLIGENCE From road transportation to smart mobility ERTRAC, Strategic Research Agenda, Input to 9th EU Framework Programme, March 2018, www.ertrac.org Confidential / 5 Dr. Eric Armengaud | AVL List GmbH | 15 Januar 2021 | Holistic dependability engineering for collaborative, autonomous systems Runtime Design Time www.deis-project.eu Confidential / 6 Dr. Eric Armengaud | AVL List GmbH | 15 Januar 2021 | A V L C O M P A N Y P R E S E N T A T I O N We Owe It to the Planet It is our duty as an organization to contribute to the resolution of social, cultural and global issues – especially with regards to environmental protection, sustainability and global emission reduction. Thank you HANS-LIST-PLATZ 1, 8020 GRAZ w w w.av l.c o m [email protected] Rennes Smart mobility and cybersecurity contacts: F. Bodin ([email protected]) Paul-André Pincemin ([email protected]) 15 January 2021 Introduction • The implementation of smart mobility services is a driver for metropolises development – Transportation is an important part of the metropolis budget • Smart mobility increases the potential for cyber attacks • The development of a metropolitan reference framework objective is – To allow reasonable risk-taking (x4 in France since 2019, src: ANSSI) – To help build an effective remediation capacity – To set up experimental and simulation capabilities • The general point of view taken is that of the metropolitan organising authority • Rennes Metropolis’ action is included in the French program CSF "Territory of Trust". Smart mobility -1 • Covers many sectors* – Accessibility for people with reduced mobility – Mobility assistance – Transport management – The fight against climate change – Active modes, shared and alternative transports – Data sharing and protection – Protection of the environment, air quality – Road safety – Safety in transport – Etc. *http://www.mobilite-intelligente.com Smart mobility -2 • Focus on synergies between transport modes • Involves numerous infrastructures – Operated by different entities • Based on the collection and exchange of data – From sensors, operators, etc. – As well as personal data • Is framed by numerous standards and norms – But approaches to deal with transversal issues not well defined yet for smart mobility An illustration of the systems involved What is specific to smart city cybersecurity? -1 • Operates many vital services (e.g. water) • In a mix of legacy and new infrastructures • Preserving citizen’s trust is critical • Combines SI and IoT cybersecurity issues • IoT devices are usually weak on security, can be stolen, etc. • Many open buildings (e.g. city hall) • Convergence of physical and cyber spaces • Detains many citizen private data • Video surveillance data, tax data, service users’ data,… • Integration of numerous services • Very large attack surface with “chain reactions” difficult to identify What is specific to smart city cybersecurity? -2 • Many infrastructures interdependencies • Communication network • Infrastructure remote control • Backups and restoration not always optimal • Small and large cities with very different capabilities • Silos-based organization but transversal infrastructures • cybersecurity is a holistic issue • Incremental development on a long period, lack agility • Many external operators • Internal threat underestimated, low budget,… • Mutualisation of CERT and other shared approach possible • Easier to share attack (real-time) information • Help smaller cities Rennes Metropolis current composition of the reflection committee With support from Anssi Identified roadblocks • No pre-production system usually available • Definition of contingency modes / operations • Availability of operational data • Securing exchange of data • Large data volume and complex analysis • Simulation and analysis capacity • Managing complexity and implementation limitations • Lacking interoperability cybersecurity-wise Works status in Rennes • Effort to set up a structuring framework of the metropolitan landscape around an experimental "lab" which associates: – cybersecurity for SMEs – Industrial users – Research laboratories • Identification of structuring technical projects – Interoperability of systems / tools – Department-wide supervision / risk assessment • Collaboration with the data portal project RUDI of the metropolis • https://rudi.datarennes.fr/ The « CyberLab » setup • Objectives • Ensure interoperability and cybersecurity of the smart-city architectures and provide a platform to the players in the Rennes metropolitan area that is representative of the infrastructure of a smart city • Key players: road infrastructure providers, transport/services companies, IT equipment manufacturers, industrialists, etc. • First outcome of the reflections in 2020 with AMOSSYS, KEREVAL and WALLIX – Create a CyberLab, the first French software-testing platform designed to assess the Cyber resilience of intelligent mobility solutions, and more generally, the smart city – Implementing a defensive, joint, and anticipatory approach – Need to manage the acceptability of residual risks – With the support of Rennes Metropolis and Irisa Secure Operations Ensuring Cybersecurity to enable Industrial IoT Unrestricted © Siemens Mobility GmbH siemens.com/dcu Leading global companies joined forces to encourage security in a networked world. Protecting the data of individuals 1 and companies Preventing damage from people, 2 companies and infrastructures Establishing a reliable foundation on which confidence 3 in a networked, digital world can take root and grow Evolving Landscape 1950s – 1960s 1980s 1999 2010s 2015 Military, governments and Computers make their The globeis Cloudcomputing Industry 4.0, Internet of Things other organizations implement way into schools, homes, connected enters the & Big Data. computer systems business and industry by the internet mainstream Information Processing Automation Digital Connectivity and Intelligence 1970s 1990s 1991 2000s 2020s Homecomputer Digital enhancement The World Wide Mobile flexibility Smart and autonomous is introduced of electrification and Web becomes systems, Artificial Intelligence automation publicly accessible Industroyer/Chrashoverride Heartbleed WannaCry Melissa Worm Stuxnet Morris Worm ILOVEYOU AT&T Hack Blue Boxing AOHell NotPetya Cryptovirology Cloudbleed Level Seven Crew hack sl1nk SCADA hacks Infinion/TPM Denial-of-service attacks Meltdown/Spectre Cybersecurity solutions focused on (OT) Security IT Security OT Security Confidentiality Availability 3-5 years Asset lifecycle 20-40 years Forced migration (e.g. PCs, smart phone) Software lifecycle Usage as long as spare parts available High (> 10 “agents” on office PCs) Options to add security SW Low (old systems w/o “free” performance) Low (~2 generations, Windows 7 and 10) Heterogeneity High (from Windows 95 up to 10) Standards based (agents & forced patching) Main protection concept Case and risk based Risk vs Risk Ever Budget growing growing Your risk Risk Yesterday landscape Today Tomorrow ? Wait Wait or use use or Your Yesterday Budget your Today creativity Tomorrow After a major incident …costly impacts on operations $1-2M / day $38-88M 225,000 $300M Economic impact of Average annual spend Customers without Cost of NotPetya ransom buying energy to replace on unplanned downtime2 power due to Black ICS attack to single energy production Energy attack, 20153 industrial company in capabilities1 20174 Sources: 1)Richmond Times, 2)GEOilandGas, 3)E-ISAC, 4)CNBC Structure by IEC 62443 IEC 62443 - Roles and Scope IEC 62443 - Roles and Scope Cybersecurity Concepts for Mobility Defense in Depth - IEC 62443 …”for future deployments, with products with built-in cybersecurity features” Perimeter protection & IDS …”installed base (legacy) and automation products without built-in cybersecurity” Cybersecurity goal IEC 62443 Security Levels SL 1 SL 2 SL 3 SL 4 Protection against Protection

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    70 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us