Tech.AD Europe 2024 Bosch

00:00

yeah so uh welcome to all of you my name

00:04

is Neils I'm a group manager for cyber

00:09

security at uh the Bosch engineering uh

00:12

group and uh the ESS stands for

00:16

engineering Safety and Security so I

00:19

will always touch both on security and

00:23

safety in this

00:24

presentation and uh the leading question

00:29

why do we have to care for cyber

00:31

security simple answer uh ad systems

00:36

have a much greater attx surface what do

00:39

I mean by that so basically what we are

00:42

tackling in cyber security is uh the CIA

00:48

abbreviation meaning confidentiality of

00:51

data and privacy of data Integrity of

00:54

data so that it's uh the real data and

00:58

availability so that the data is

01:00

available on time and uh most of the

01:05

presentations in this conference deal

01:07

with imperfections of sensor uh un u

01:13

uneasy

01:14

situations and uh quite a lot comes in

01:19

if we factor in the human factor and

01:23

that's what we do in cyber security and

01:26

today uh I want to show you briefly what

01:29

we do at Bosch engineering just that you

01:32

get a picture uh What uh experience we

01:36

have then I'm going to talk about cyber

01:38

security and safety challenges for ad

01:41

systems and then how we tackle them in

01:45

our domain and uh one thing uh that I

01:49

also wanted to mention before I came

01:51

into cyber security which is now four

01:53

years ago I also worked on automation of

01:57

construction and agricultural machinery

02:00

so I actually know Both Worlds so a few

02:03

words about my

02:05

company what we uh mainly do is we do

02:09

Passenger cars uh hyper cars so sports

02:13

cars but also trucks and Power Sports

02:18

and uh robotics we are also into that

02:22

domain marine and uh of Highway like I

02:27

mentioned but also General avation and

02:31

Motorsports so uh the insights that I

02:34

can give you are not only for uh

02:38

Passenger cars but all all of these

02:41

domains are handled by my group and um

02:45

what we basically uh offer as an

02:49

engineering service on the one hand we

02:51

do software we work in hardware and we

02:55

do Engineering Services so on the

02:57

software side we deal with the

02:59

middleware so also uh working on topics

03:03

like software defined vehicles that come

03:06

now into play uh application software

03:09

but also connected services on the

03:11

hardware side uh we deal uh with uh the

03:17

control unit with uh the connectivity

03:21

and uh zone ecus for centralized

03:24

architectures and on the Engineering

03:27

Services we deal with training consult

03:30

ing uh modelbased system engineering

03:33

like we heard from luxoft at the

03:35

beginning and uh also integration and

03:38

validation and verification and in cyber

03:42

security uh my group uh starts at the

03:45

beginning with security by Design in the

03:47

development phase here we do risk

03:50

management uh setting up of

03:52

infrastructure for example key

03:54

infrastructure and verification and

03:57

validation then we go on to produ tion

04:00

where we uh set up a secure production

04:03

chain and then in the field we look at

04:07

things like uh incidents where somebody

04:11

is using vulnerabilities in the system

04:14

to tamper with it or uh then we go on uh

04:19

regarding service architecture and being

04:22

able to update systems and in the end

04:25

decommissioning and revocation of uh

04:28

authorizations is also an very important

04:31

part one example you all know if you uh

04:35

order a rental car and connect your

04:38

mobile phone with it and synchronize the

04:41

contacts um you will probably see that

04:44

the person before you also did this and

04:46

that you have a lot of new

04:49

friends and uh if we now look at cyber

04:53

security for ad systems there uh

04:56

typically at Bosch we have three groups

04:59

sense think act and here I want to focus

05:04

on and uh if we look in the sense domain

05:09

so uh we heard from our colleague the

05:12

presentation on the radar data and uh

05:15

how to interpret it and with cyber

05:19

security then the topic is spoofing of

05:22

sensor data because I could either

05:25

manipulate the sensor itself or I can

05:29

manipulate the signals coming out of it

05:32

or the surroundings as well same goes

05:36

for location data and uh here uh it's

05:40

quite important on which lane you are at

05:43

the moment and uh also secure vehicle to

05:47

X communication because uh there uh if

05:52

you use for example data from the

05:54

infrastructure to plan your trajectory

05:57

then it's uh most certainly necessary

06:01

that it's reliable data and all those

06:05

connectivity parts or uh gateways and uh

06:10

access points uh offer you new entry

06:13

points for attacks uh one thing being

06:17

for example somebody taking out the

06:19

radar to get access to the uh uh canbas

06:25

and then injecting commands in it has

06:28

happened uh couple of years ago and on

06:31

the safety side we had uh safety of the

06:34

intended function mentioned today uh

06:37

where we deal with functional

06:39

insufficiencies and uh need to take that

06:43

into account but also sensor field of

06:46

view uh like we heard uh you all know

06:49

the cruise example where the sensors

06:51

were not able to detect the person under

06:54

the vehicle or the mode of the sensor so

06:58

uh for example with lighter it's quite

07:00

hard to see glass walls with ultrasonic

07:04

it's easier and therefore we do this

07:06

Sensor Fusion as you all uh know and uh

07:11

if I now have contradicting sensor

07:14

information then it gets interesting

07:17

because then I have to find out which

07:19

one's true and uh which ones to rely on

07:23

and weo presented this morning the

07:26

person uh waving for uh regulating the

07:30

traffic um how do we establish trust in

07:33

this person that he's authorized to

07:36

regulate the traffic also quite an

07:39

interesting problem on the think side um

07:43

for example if I Tempo with the

07:45

software uh then uh my functions will

07:48

not work anymore I could do it either as

07:51

an Insider of a company where I modify

07:54

software before it gets rolled out I can

07:57

attack the roll out server or uh even

08:01

become a man in the middle and corrupt

08:04

the data during the transmission and uh

08:07

that's one thing to disrupt

08:10

functionality the other one would be

08:12

denial of service attacks um one thing

08:16

that uh Toyota experienced just

08:19

recently uh where uh somebody modified a

08:22

Bluetooth speaker and uh this sent so

08:25

many commands that uh the Gateway in the

08:28

system got over flooded and the safe

08:31

State then was to open up the doors and

08:35

so people got easy access to the vehicle

08:38

and if you are in the vehicle then it's

08:40

quite easy uh for the next steps and uh

08:44

another kind of attack are ransomware

08:47

attacks uh you know quite well from

08:50

hospitals from uh different companies

08:53

that have their topic with uh ransomware

08:57

but uh I expect in the the future also

09:00

for vehicle fleets uh ransomware attacks

09:03

where uh oems have to pay for using

09:08

their vehicles again or even

09:11

individuals and with that you can also

09:14

uh for example create service

09:16

interruptions and tempering with Target

09:19

location uh it's quite important that

09:21

you know where you want to go to and if

09:24

you temper with that then your car may

09:27

work perfectly but you simply arrive at

09:30

the wrong

09:31

location and uh regarding safety

09:34

functional safety I think everybody

09:36

knows about it we have to uh ensure the

09:39

safety Integrity of our functionalities

09:43

here and if we think in the ACT category

09:47

there is this unwanted triggering of

09:49

safety functions one example is

09:51

automated emergency break if I do it on

09:55

a highway on the left lane then it's

09:58

probably leading to an accident so this

10:01

needs to be avoided at uh all means

10:05

possible but also prevention of action

10:08

so if I have safety functions but they

10:11

cannot be executed due to denial of

10:14

service attacks or due to Signal

10:17

suppression then uh my safety functions

10:21

become invalid or code modification I

10:24

also mentioned this on the think

10:26

category and regarding safety there I

10:30

have to uh avoid safety critical

10:34

situations like the famous train

10:37

crossing where my vehicle remains still

10:41

and I have to move it manually or even

10:45

the trigging Ring of functions needs to

10:47

be insured in time and so this was just

10:52

uh a small selection of problems I could

10:55

go on for hours but I think uh it's

10:59

better to show some solutions as well

11:02

and uh just uh what you should take out

11:06

of the segment cyber security is an

11:09

integral part uh an attacker uh having

11:13

in mind here when you design your

11:14

functions is always a good idea and uh

11:18

it makes the world quite complicated and

11:22

this is why we have uh dealt with this

11:25

topic on the one hand with uh deriving

11:29

methods that I'm going to present in

11:32

some detail then uh a dedicated tool set

11:36

for cyber security and

11:40

organizational uh topics as well and uh

11:44

let me start with safety security

11:47

co-engineering so what's the idea behind

11:50

it the idea is that we uh do not

11:54

separate uh like we are used to uh

11:58

between say safety analysis and security

12:01

analysis of a system but rather use the

12:05

synergies behind them uh use the same

12:08

system definitions use a permanent

12:11

alignment here and uh even reuse

12:16

mechanisms from one domain for the other

12:18

domain and uh for that I want to show

12:22

you one example here rather at the

12:26

bottom uh when we go into to security

12:30

concept and uh valid verification of the

12:34

security concept here um I want to show

12:38

you secure onboard communication with

12:41

which is a

12:42

technology uh to secure a can

12:46

communication and uh from a security

12:48

perspective it's uh rather simple uh

12:53

rather simple um what you do is that you

12:58

uh authentic indate via a message code

13:02

your uh data that is being

13:04

transferred the same can also be used

13:07

from a safety perspective because it

13:09

shows you that the signal has the right

13:13

integrity and uh you can

13:16

inure or uh detect errors as well here

13:21

so uh this allows a reuse of this

13:25

mechanism for both domains and uh since

13:29

uh latency is always an issue then it's

13:34

great if you can reuse mechanisms from

13:39

uh for both domains because otherwise

13:43

you would have on the one hand uh a CLC

13:47

code for the safety and uh secc for the

13:52

security perspective and spend a lot

13:55

more computation than it's actually

13:58

needed

13:59

another thing that I wanted to introduce

14:01

you to is uh how to analyze a system

14:06

because we are used to analyzing a

14:09

component and then saying well the sum

14:12

of all components uh must be our car it

14:17

certainly is not uh true uh because it

14:22

uh will ask you to be more strict than

14:26

it's actually necessary and if we look

14:29

at the picture on the right hand side

14:32

you see in purple this attack path so I

14:35

have an entry point here symbolized by

14:38

the connectivity then I go to a

14:41

connectivity control unit from there to

14:44

a Central Gateway for example and then

14:47

into another canbas system and so

14:51

attacking uh the green uh element is

14:55

much more complicated than directly

14:58

connect to the inputs of this device and

15:02

uh therefore uh what we suggest here is

15:07

that the attack visibility on the one

15:09

hand uh depends on the entry point that

15:13

you have to the vehicle uh that you have

15:16

to have a look at the in vehicle attack

15:19

path uh the so-called hops to overcome

15:23

from one domain to another or one

15:26

component to another and also the attack

15:28

Target so if it's not a high value

15:31

Target it should also uh go into your

15:35

damage scenarios and uh especially uh

15:40

how uh harmful those damage scenarios

15:43

are should be just judged from a vehicle

15:47

perspective as well and uh if we look

15:52

into a bit more detail on the workflow

15:55

here then you see uh first of all we

15:59

have to have a common understanding

16:02

about the system definition there uh we

16:06

then derive uh which assets we have in

16:10

our system assets being things that I

16:13

want to protect those can have uh things

16:17

like private data like uh uh important

16:21

functionality and so on and from there I

16:26

derive uh threat scenarios and and

16:29

attack path to the component and uh then

16:33

I collect all entry points and if I now

16:36

want to evaluate uh the likelihood then

16:40

I determine all attack paths between the

16:43

different entry points and uh take the

16:47

most vulnerable paths on the one hand or

16:50

uh can also count just the number of

16:53

possible attack paths and so a component

16:56

with a lot of attack paths

16:59

uh assigned to it should be paid special

17:02

attention to and

17:06

uh this for sure is something nobody can

17:10

do by hand anymore and this is why we

17:13

decided to uh uh develop a dedicated

17:18

tool for uh cyber security analysis

17:22

because we said

17:24

um like most people in the domain we

17:27

started out with

17:29

then we added some Vis and in the end

17:32

ended up with a system analysis tool

17:35

that took uh around 45 minutes to open

17:40

and after then uh finding out it was the

17:42

wrong one uh it took again 30 minutes to

17:46

close again and this is why we said no

17:49

we need a server-based solution that can

17:51

simply be used in a browser and this is

17:54

what you see here and uh what we uh uh

17:59

do here in the middle is simply

18:02

collecting all information for the

18:05

security case so starting at the

18:08

beginning with a security relevance

18:11

assessment uh finding out how relevant

18:14

security really is for this application

18:17

then going on to an interface agreement

18:20

who is responsible for what and then uh

18:23

continuing with a threat assessment and

18:26

risk analysis and then

18:29

uh defining a security concept and

18:31

coming out uh into a solution uh where

18:36

we then implement it have a testing

18:40

scheme for it and then uh go on to the

18:45

realization of the system and in the end

18:48

we collect all security artifacts here

18:51

and um what I also wanted to uh share

18:56

with you is our approach uh regarding uh

19:00

the security analysis itself so uh like

19:05

many the industry we call it defense in

19:08

depth so that means first of all we

19:11

secure the vehicle parameter and then

19:15

the vehicle itself uh the different

19:18

networks in the vehicle and the

19:20

individual ECU and this really helps us

19:23

to uh make sure that uh the component

19:28

which is uh able to address the problems

19:31

can really do it so uh and last but not

19:37

least what we also do uh when we create

19:42

uh such an analysis we analyze all the

19:46

artifacts and uh also have gained quite

19:50

a lot of experience there and uh

19:53

implemented a lot of checklists to

19:56

address the most common problems so

19:59

to sum up uh the challenges for the a

20:02

systems we see it either on the sense

20:06

side I mentioned uh assortive uh

20:09

scenarios spoofing or secure vehicle to

20:13

X commmunication on the think side there

20:17

I see the secure update management the

20:20

denial of service attacks ransomware and

20:23

safety Integrity of levels and on the

20:27

ACT side The Unwanted triggering of the

20:31

functionalities prevention of actions

20:34

and uh avoiding critical

20:36

scenarios and uh the answers that we are

20:40

currently using on the methods side it's

20:43

the system uh threat assessment and risk

20:47

analysis that I presented with the

20:49

different hops between the different

20:52

control units in safety security Co

20:54

engineering reusing of functionality

20:57

like in the secure onboard communication

21:00

case tools for uh the analysis as

21:04

dedicated tooling easy to use and uh

21:09

really appreciate by the colleagues and

21:11

from the organizational side uh we deal

21:15

with the defense in depth Paradigm and

21:18

uh also perform the security and safety

21:22

Assessments in combination and with that

21:26

I like to close my presentation today so

21:30

if you want to get in contact there's a

21:32

QR code or now I'm open for your

21:36

questions