9 March 2020 TLP WHITE: Disclosure and distribution is not limited
Auto-ISAC Monthly Community Call
March 2020
Agenda
Time (ET)  Topic
11:00  Welcome: Why we're here; Expectations for this community
11:05  Auto-ISAC Update: Auto-ISAC overview; Heard around the community; What's Trending
11:15  DHS CISA Community Update
11:20  Featured Speakers - NHTSA Data Analytics for Vehicle Cybersecurity Research Project
11:45  Around the Room: Sharing around the virtual room
11:55  Closing Remarks
Welcome - Auto-ISAC Community Call
Purpose: These monthly Auto-ISAC Community Meetings are an opportunity for you, our Members & connected vehicle ecosystem partners, to:
• Stay informed of Auto-ISAC activities
• Share information on key vehicle cybersecurity topics
• Learn about exciting initiatives within the automotive community from our featured speakers
Participants: Auto-ISAC Members, Potential Members, Partners, Academia, Industry Stakeholders and Government Agencies
Classification Level: TLP GREEN, may be shared within the Auto-ISAC Community, and "off the record"
How to Connect: For further info, questions, or to add other POCs to the invite, please contact Auto-ISAC Staff (staff@automotiveisac.com)
Engaging in the Auto-ISAC Community
Join
• If your organization is eligible, apply for Auto-ISAC membership
• If you aren't eligible for membership, connect with us as a partner
• Get engaged – "Cybersecurity is everyone's responsibility"
Participate
• Participate in monthly virtual conference calls (1st Wednesday of month)
• If you have a topic of interest, connect with Auto-ISAC Staff – staff@automotiveisac.com
• Engage & ask questions
Share – "If you see something, say something"
• Submit threat intelligence or other relevant information
• Send us information on potential vulnerabilities
• Contribute incident reports and lessons learned
• Provide best practices around mitigation techniques
12 Innovator Partners
19 Navigator Partners
Coordination with 23 critical infrastructure ISACs through the National ISAC Council
Membership represents 99% of cars on the road in North America
20 OEM Members
38 Supplier & Commercial Vehicle Members
Auto-ISAC Mission
Mission: Serve as an unbiased information broker to provide a central point of coordination and communication for the global automotive industry through the analysis and sharing of trusted and timely cyber threat information.
Scope: Light- and heavy-duty vehicles, suppliers, commercial vehicle fleets and carriers. Currently, we are focused on vehicle cyber security, and anticipate expanding into IT/OT security related to the vehicle.
What We Do
• Community Development: Workshops, exercises, all hands, summits and town halls
• Intel Sharing: Data curation across intel feeds, submissions and research
• Analysis: Validation, context and recommendations
• Best Practices: Development, dissemination and maintenance
• Partnerships: Industry, academia, vendors, researchers and government
2020 Board of Directors
• Kevin Tierney, Chair of the Board of the Directors (GM)
• Josh Davis, Vice Chair of the Board of the Directors (Toyota)
• Jenny Gilger, Secretary of the Board of the Directors (Honda)
• Tim Geiger, Treasurer of the Board of the Directors (Ford)
• Todd Lawless, Chair of the Advisory Board (Continental)
2020 Advisory Board (AB) Leadership
• Todd Lawless, Chair of the Advisory Board (Continental)
• Brian Murray, Vice Chair of the Advisory Board (ZF)
• Kevin Walker, Chair of the SAG (Aptiv)
• Larry Hilkene, Chair of the CAG (Cummins)
Executive Committee (ExCom)
2020 BoD/AB Leadership
2020 Auto-ISAC Staff
• Faye Francy, Executive Director: fayefrancy@automotiveisac.com
• Josh Poster, Program Operations Manager: joshposter@automotiveisac.com
• Jessica Etts, Senior Intel Coordinator: jessicaetts@automotiveisac.com
• Jake Walker, Cyber Intel Analyst: jacobwalker@automotiveisac.com
• Lisa D. Scheffenacker, Business Administrator: lisascheffenacker@automotiveisac.com
• Julie Kirk, Finance: juliekirk@automotiveisac.com
• Linda Rhodes, Legal Counsel, Mayer Brown: lrhodes@mayerbrown.com
Auto-ISAC Update: Recent Activities
Highlights of Key Activities in February
New Hire – Ricky Brooks, Intelligence Officer
Ricky brings 11 years of experience as an intelligence professional with comprehensive background in cyber and physical security intelligence analysis. Ricky previously served in the U.S. Coast Guard as a Senior Intelligence Officer and Command Duty Officer. Prior to joining the Auto-ISAC, Ricky was the Senior Intel Analyst at the Northern Virginia Regional Intel (Fusion) Center, working as the Center's cyber analyst: analyzing cyber threats to federal, state, local, and private sector critical infrastructure; connecting stakeholders with technical experts and resources; and serving as the communications bridge/translator between technical and non-technical professionals.
Looking Ahead to March
• Auto-ISAC SafeRide Webinar (Members Only): Application of AI Technology for Intrusion Detection in Vehicle Networks
• Auto-ISAC Analyst workshop (March 16-17 - Members Only)
• Auto-ISAC Incident Response TTX (March 18 – Members Only)
• Auto-ISAC Board of Directors Quarterly Meeting (March 19 – Members Only)
Auto-ISAC Intelligence: What's Trending
Jake Walker (Auto-ISAC)
Researchers have recently published several vulnerabilities in Advanced Driving Assistance Systems (ADAS) and commonly-used wireless communication protocols:
- Phantom Attacks Against Advanced Driving Assistance Systems: The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems (ADASs) and autopilots of semi/fully autonomous cars to validate their virtual perception regarding the physical environment surrounding the car with a third party, has been exploited in various attacks suggested by researchers. We show how attackers can exploit this perceptual challenge to apply phantom attacks and change the abovementioned balance, without the need to physically approach the attack scene, by projecting a phantom via a drone equipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces the Internet and is located near roads.
- Tesla Cars Tricked Into Speeding by Electrical Tape on a Sign: In a practical test, as demonstrated by the McAfee team, Tesla cars with driver assistance features were fooled into misreading traffic signs, causing them to speed or disobey warnings. A piece of black electrical tape extending the numeral three on a 35mph (56km/h) speed limit sign had the computer misreading it as an 85mph (136 km/h) sign, confusing the automatic cruise control feature and pushing the car to dangerous speeds.
- IMP4GT: IMPersonation Attacks in 4G NeTworks: In mobile networks, mutual authentication ensures that the smartphone and the network can verify their identities. In LTE, mutual authentication is established on the control plane with a provably secure authentication and key agreement protocol. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets. The IMP4GT (IMPersonation Attacks in 4G NeTworks) (/ˈɪmˌpæk(t)/) attacks exploit the missing integrity protection, and extend it with an attack mechanism on layer three, which allows an attacker to impersonate a user towards the network and vice versa.
- SweynTooth: Unleashing Mayhem Over Bluetooth Low Energy: SweynTooth captures a family of 12 vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of six major system-on-a-chip (SoC) vendors. The vulnerabilities expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows, or completely bypass security, depending on the circumstances.
For more information or questions, please contact analyst@automotiveisac.com
CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
CISA RESOURCE HIGHLIGHTS
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE)
• Released on February 14, 2020 by DHS CISA and the FBI
• The names associated with these reports are HOPLIGHT, BUFFETLINE, ARTFULPIE, HOTCROISSANT, CROWDEDFLOUNDER, SLICKSHOES, and BISTROMATH
• The reports are a result of analytic efforts between the DHS, the FBI, and the DOD
• The reports provide technical details on the tools and infrastructure used by cyber actors of the North Korean government
• The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity
• If there is any valuable information that is discovered related to these reports, please provide that input back to CISA at CISAServicedesk@cisa.dhs.gov
• URLs to the reports follow:
  Collective page: https://www[.]us-cert[.]gov/northkorea
  Malware Analysis Report (10265965-1.v1, AR20-045A) – North Korean Trojan: BISTROMATH: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045a
  Malware Analysis Report (10265965-2.v1, AR20-045B) – North Korean Trojan: SLICKSHOES: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045b
  Malware Analysis Report (10265965-3.v1, AR20-045C) – North Korean Trojan: CROWDEDFLOUNDER: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045c
  Malware Analysis Report (10271944-1.v1, AR20-045D) – North Korean Trojan: HOTCROISSANT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045d
  Malware Analysis Report (10271944-2.v1, AR20-045E) – North Korean Trojan: ARTFULPIE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045e
  Malware Analysis Report (10271944-3.v1, AR20-045F) – North Korean Trojan: BUFFETLINE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045f
  Malware Analysis Report (10135536-8.v3, AR20-045G) – North Korean Trojan: HOPLIGHT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045g
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE)
• Activity Alert (AA) associated with a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility
• The AA provides technical details associated with networks and assets affected, planning and operations, and mitigations
• Available for review at https://www[.]us-cert[.]gov/ncas/alerts/aa20-049a
• Feedback and additional information can be provided at CISAServiceDesk@cisa.dhs.gov
For more information: cisa.gov
Questions? CISAServiceDesk@cisa.dhs.gov
1-888-282-0870
Featured Speaker: Community Speaker Series
Why Do We Feature Speakers?
• These calls are an opportunity for information exchange & learning
• Goal is to educate & provide awareness around cybersecurity for the connected vehicle
What Does it Mean to Be Featured?
• Perspectives across our ecosystem are shared from members, government, academia, researchers, industry associations and others
• Goal is to showcase a rich & balanced variety of topics and viewpoints
• Featured speakers are not endorsed by Auto-ISAC nor do the speakers speak on behalf of Auto-ISAC
How Can I Be Featured?
• If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Auto-ISAC (staff@automotiveisac.com)
1800+ Community Participants
25 Featured Speakers to date
7 Best Practice Guides available on website
Featured Speakers: Community Speakers
Example of Previous Community Speakers
• Urban Jonson, NMFTA, Heavy Vehicle Cybersecurity Working Group (April 2018)
• Ross Froat, American Trucking Association, ATA Cyberwatch Program (Oct 2018)
• Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)
• Joe Fabbre, Global Technology Director, Green Hills Software (October 2019)
• Oscar Marcia, CISSP, Eonti, Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
• Amy Smith, the Manager of Pre-College Educational Programming at SAE International (January 2020)
Community Call Slides are located at www.automotiveisac.com/communitycalls
Featured Speaker: Welcome to Today's Speakers
NHTSA Data Analytics for Vehicle Cybersecurity Research Project
Introduction/Primer
Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes. However, if not architected, designed, tested, and deployed diligently, the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats. As part of a broad-based research agenda to develop tools, methods, and best practices that may be useful to industry stakeholders in addressing cybersecurity risks, NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment. One emerging area in this field is cybersecurity data analytics.
The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA, as well as industry stakeholders, in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques. The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity, but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications.
Multiple Speakers for the project
Data Analytics for Vehicle Cybersecurity (DACS)
NHTSA-sponsored Project
March 4, 2020, Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors, peripheral devices and systems, control devices, and user interfaces, all of which can be evaluated using Cyber Data Analytics (CDA):
• Identifying potential threats to the vehicle
• Mitigating targeted attacks of the vehicle
• Preventing or reducing the creation of additional vulnerabilities in the automotive space
DACS Project Goals
• Identify data and criteria to determine if a modern vehicle has been compromised through exploit of a cybersecurity vulnerability
• Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
• Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
• Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview: End Product
• Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains, for use by the automotive industry to develop best practices and standards, and refine general data analytics and cyber programs
• Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overview
• Task 1: Project Management
• Task 2: Problem Understanding (due March 2020)
  • 2a: Conduct literature survey/market research
  • 2b: Conduct stakeholder meetings and SME interviews
  • 2c: Prepare a problem understanding interim report
• Task 3: Evaluations of Approaches & Techniques (August 2020)
  • 3a: Identify relevant approaches/techniques & potential indicators
  • 3b: Develop data and operational information taxonomy
  • 3c: Assess feasibility of applying approaches/techniques for vehicles
• Task 4: Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
  • 4a: Identify potential recovery modes and data needs
  • 4b: Identify post-exploit analysis needs: data types
  • 4c: Identify post-exploit analysis needs: data collection and storage
• Task 5: Final Report (March 2021)
Potential for CDA within the Automotive Industry
• CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
• Within these categories, there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources:
• Sensors
• ECUs
• Head Unit
• Communication Buses
• Wireless Interfaces
• Aftermarket hard/software
Example Off-board Peripheral Systems:
• Fleet Management Sys
• Telematics Sys/Services
• Supply Chain Sys
• OTA Networks
• Dealer/Vehicle Lifecycle Sys
• Third-party services
We would like to engage OEMs/suppliers for a better understanding of activity in this space. We are also reviewing CDA approaches in other domains and potential applicability within automotive.
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPS
• Fewer standards in the types of and processes of data in CPS
• Contain physical interfaces, sensors, and actuators
• Higher availability requirements
• Methodologies may not scale to varying CPS network protocols, applications, and topologies
• Pushing cyber data analytics approaches to the edge
Application of CDA to CPS
• Datasets are used to establish baseline models for normal behavior to detect anomalies
• Models must consider physical degradation and maintenance schedules
• Sensor fusion algorithms can provide attack-resiliency for CPS
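An added illustration of the first two "Application of CDA to CPS" points (it is not from the slides or the DACS project): a baseline model for one scalar signal that follows slow physical degradation and takes a maintenance schedule into account. The class name, parameter values and the sample signal are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from math import sqrt
from typing import List, Tuple


@dataclass
class DriftAwareBaseline:
    """Hypothetical per-signal model of normal behaviour (one sensor/ECU value)."""
    alpha: float = 0.05      # EWMA weight; small, so only slow drift is followed
    threshold: float = 4.0   # alert when the deviation exceeds this many std devs
    warmup: int = 20         # samples learned before any scoring happens
    min_std: float = 0.1     # floor so a very quiet signal does not over-alert
    mean: float = 0.0
    var: float = 0.0
    seen: int = 0
    was_in_maintenance: bool = False

    def _learn(self, x: float) -> None:
        # Exponentially weighted mean/variance: old data fades, so the model
        # tracks gradual wear instead of treating it as an attack.
        if self.seen == 0:
            self.mean, self.var = x, 0.0
        else:
            d = x - self.mean
            self.mean += self.alpha * d
            self.var = (1.0 - self.alpha) * (self.var + self.alpha * d * d)
        self.seen += 1

    def observe(self, x: float, in_maintenance: bool = False) -> str:
        if in_maintenance:
            # Scheduled service: do not alert and do not learn from these values.
            self.was_in_maintenance = True
            return "maintenance"
        if self.was_in_maintenance:
            # A serviced or replaced part has a new normal level: relearn it.
            self.seen = 0
            self.was_in_maintenance = False
        if self.seen < self.warmup:
            self._learn(x)
            return "learning"
        std = max(sqrt(self.var), self.min_std)
        if abs(x - self.mean) / std > self.threshold:
            return "anomaly"          # outliers are never folded into the baseline
        self._learn(x)
        return "ok"


def constructed_signal() -> List[Tuple[int, float, bool]]:
    """Constructed sample data: (time step, reading, maintenance flag)."""
    noise = [-0.1, 0.0, 0.1, 0.0]                 # small repeating measurement noise
    out = []
    for t in range(120):
        maint = 60 <= t < 70                      # scheduled service window
        if maint:
            value = 0.0                           # unit powered down
        elif t < 60:
            value = 50.0 + 0.01 * t + noise[t % 4]         # slow wear-related drift
        else:
            value = 48.0 + 0.01 * (t - 70) + noise[t % 4]  # new part, new level
        if t in (45, 100):
            value += 3.0                          # injected out-of-pattern reading
        out.append((t, value, maint))
    return out


def run(samples, honor_maintenance: bool = True) -> List[Tuple[int, str]]:
    model = DriftAwareBaseline()
    return [(t, model.observe(v, m and honor_maintenance)) for t, v, m in samples]


def anomalies(results) -> List[int]:
    return [t for t, status in results if status == "anomaly"]


if __name__ == "__main__":
    print("with schedule:   ", anomalies(run(constructed_signal())))
    print("without schedule:", len(anomalies(run(constructed_signal(), False))), "alerts")
```

With the schedule honored, only the two injected readings are flagged; with the schedule ignored, the service window and everything after it alerts, which is the failure the second bullet warns about.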
Potential Use Cases for ICS Threat Monitoring and Detection
External Boundary Activity
• VPN Suspicious Geographical Login
• Anomalous Stateful Connections
• Attempts for Unauthorized Stateful Connections
• Blacklisted IP Access Attempt
• …
Internal Network Activity
• Packet Payload Size Increase
• Suspicious Network Scanning Activity
• Rogue Network Device Detection
• Physical Changes to PLC/RTU (e.g., I/O card)
• Substantial Increase in Traffic
• Suspicious PLC/RTU Communication Port Access
• …
Status & Trend Information
• OS Patch Status (e.g., up to date)
• Application Patch Status
• PLC Firmware Patch Status
• HMI Firmware Patch Status
• Anti-Malware Status
• Anti-Virus Status
• HIDS Status
• Device Inbound Traffic (Host Volume) Trend Analysis
• Device Outbound Traffic (Host Volume) Trend Analysis
• Unauthorized Remote Tools on Host (e.g., RDP, VNC)
• Other Behavioral Model Trend Analysis
• …
OT Device Monitoring
• PLC Firmware Changes
• HMI Firmware Changes
• PLC Status Mode Changes
• PLC Response Times Latency
• PLC Scan Rate Frequency
• PLC/RTU Log Mods Stats
• …
Account Information
• OS Account Creation
• PLC/RTU Account Modification
• OS Group Assignment
• Server Account Lockout
• Server Failed Login Attempts
• …
High-level Discussion Topics for Automotive Stakeholders
Monitoring/Data Collection
• How and for what purposes from vehicles and edge devices?
• How are you protecting, storing, and disposing of this data?
Detection
• What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
• Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
• How do you manage threat intel feeds and integrate them into your CDA solutions?
• Are you able to share any examples of indicators of attack or compromise?
Recovery
• Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?
Forensics
• How do you manage forensic analysis activities after an exploit?
CDA Implementation and Advancement
• What are/were your challenges in developing your CDA capabilities?
• Would you have any suggestions to government and industry to assist in overcoming these challenges?
Points of Contact
Please contact us if you are interested in providing feedback on the project and information on your efforts. Communicated information will be attributed to generalized stakeholder groups (e.g., OEMs, Suppliers) and not specific entities.
• Josh Kolleda: Kolleda_Joshua@bah.com (Booz Allen Hamilton)
• Loren Stowe: LStowe@vtti.vt.edu (Virginia Tech Transportation Institute)
Around the Room: Open Discussion
Any questions about the Auto-ISAC or future topics for discussion?
Closing Remarks: Event Outlook
For full 2019 calendar, visit www.automotiveisac.com
2020 Meetings, Conferences, Dates and Locations
• TechAd Europe: March 2-3, Berlin, Germany
• Connected Vehicles – Telematics Wire: March 3-5, Bengaluru, India
• Auto-ISAC Community Call: March 4, Telecon
• Nullcon Conference: March 6-7, Goa, India
• NDIA Cyber-Physical Systems Security Summit: March 10-11, Detroit, MI
• Women in Cybersecurity Conference: March 12-14, Aurora, CO
• SXSW 2020: March 12-22, Austin, TX
• SAE AeroTech Americas: March 17-19, Pasadena, CA
• Automotive News World Congress: March 24-25, Detroit, MI
• SAE On Board Diagnostics Symposium Europe: March 24-26, Dublin, Ireland
• IQPC Detroit Automotive Cybersecurity Summit: March 30-April 1, Detroit, MI
• Black Hat Asia 2020: March 31-April 3, Singapore
Closing Remarks: How to Get Involved: Membership
If you are an OEM, supplier or commercial vehicle company, now is a great time to join Auto-ISAC.
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com).
• Real-time Intelligence Sharing
• Development of Best Practice Guides
• Intelligence Summaries
• Exchanges and Workshops
• Regular intelligence meetings
• Tabletop exercises
• Crisis Notifications
• Webinars and Presentations
• Member Contact Directory
• Annual Auto-ISAC Summit Event
Closing Remarks: Strategic Partnership Programs
NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities
INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATOR: Coordination Partnership
- "See something, say something"
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar Events
Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services. Examples: Hacker ONE, SANS, IOActive
Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, DHS, NHTSA
Community: Companies interested in engaging the automotive ecosystem and supporting - educating the community. Examples: Summit sponsorship – key events
Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, Global Auto, ATA
Closing Remarks: Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
• Focused Intelligence Information/Briefings
• Cybersecurity intelligence sharing
• Vulnerability resolution
• Member to Member Sharing
• Distribute Information Gathering Costs across the Sector
• Non-attribution and Anonymity of Submissions
• Information source for the entire organization
• Risk mitigation for automotive industry
• Comparative advantage in risk mitigation
• Security and Resiliency
Thank you
Our contact info
Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
fayefrancy@automotiveisac.com
Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
joshposter@automotiveisac.com
automotiveisac.com  @auto-ISAC
29 March 2020TLP WHITE Disclosure and distribution is not limited
Agenda
Time (ET) Topic
1100Welcome Why wersquore here Expectations for this community
1105Auto-ISAC Update Auto-ISAC overview Heard around the community Whatrsquos Trending
1115 DHS CISA Community Update
1120 Featured Speakers - NHTSA Data Analytics for Vehicle Cybersecurity Research Project
1145 Around the Room Sharing around the virtual room
1155 Closing Remarks
Welcome
39 March 2020TLP WHITE Disclosure and distribution is not limited
Welcome - Auto-ISAC Community CallWelcome
Purpose These monthly Auto-ISAC Community Meetings are an opportunity for you our Members amp connected vehicle ecosystem partners to
Stay informed of Auto-ISAC activities Share information on key vehicle cybersecurity topics Learn about exciting initiatives within the automotive
community from our featured speakers
Participants Auto-ISAC Members Potential Members Partners Academia Industry Stakeholders and Government Agencies
Classification Level TLP GREEN may be shared within the Auto-ISAC Community and ldquooff the recordrdquo
How to Connect For further info questions or to add other POCs to the invite please contact Auto-ISAC Staff (staffautomotiveisaccom)
49 March 2020TLP WHITE Disclosure and distribution is not limited
Engaging in the Auto-ISAC Community
Join If your organization is eligible apply for Auto-ISAC membership If you arenrsquot eligible for membership connect with us as a partner Get engaged ndash ldquoCybersecurity is everyonersquos responsibilityrdquo
Participate Participate in monthly virtual conference calls (1st Wednesday of month) If you have a topic of interest connect with Auto-ISAC Staffndash
staffautomotiveisaccom Engage amp ask questions
Share ndash ldquoIf you see something say somethingrdquo Submit threat intelligence or other relevant information Send us information on potential vulnerabilities Contribute incident reports and lessons learned Provide best practices around mitigation techniques
Welcome
12Innovator Partners
19Navigator Partners
Coordination with 23critical infrastructure ISACs through the National ISAC
Council
Membership represents 99of cars on the road in North
America
20OEM Members
38 Supplier ampCommercial
Vehicle Members
59 March 2020TLP WHITE Disclosure and distribution is not limited
Auto-ISAC Mission
Mission ScopeServe as an unbiased information
broker to provide a central point of coordination and communication for the global automotive industry through the analysis and sharing of trusted and
timely cyber threat information
Light- and heavy-duty vehicles suppliers commercial vehicle fleets and carriers Currently we are focused on vehicle cyber security and anticipate expanding into ITOT security related to
the vehicle
What We Do
Community DevelopmentWorkshops exercises all hands summits and town halls
Intel SharingData curation across
intel feeds submissions and research
AnalysisValidation context and
recommendations
Best PracticesDevelopment
dissemination and maintenance
PartnershipsIndustry academia
vendors researchers and government
Community DevelopmentWorkshops exercises all hands summits and town halls
ISAC Overview
69 March 2020TLP WHITE Disclosure and distribution is not limited
2020 Board of Directors
Kevin TierneyChair of the
Board of the DirectorsGM
Josh DavisVice Chair of the
Board of the DirectorsToyota
Jenny GilgerSecretary of the
Board of the DirectorsHonda
Tim GeigerTreasurer of the
Board of the DirectorsFord
Todd LawlessChair of the
Advisory BoardContinental
2020 Advisory Board (AB) Leadership
Todd LawlessChair of the
Advisory BoardContinental
Brian MurrayVice Chair of the Advisory Board
ZF
Kevin WalkerChair of the SAG
Aptiv
Larry HilkeneChair of the CAG
Cummins
Executive Committee (ExCom)
2020 BoDAB Leadership
79 March 2020TLP WHITE Disclosure and distribution is not limited
2020 Auto-ISAC StaffStaff
Faye FrancyExecutive Director
fayefrancyautomotiveisaccom
Josh PosterProgram Operations Manager
joshposterautomotiveisaccom
Jessica EttsSenior Intel Coordinator
jessicaettsautomotiveisaccom
Jake WalkerCyber Intel Analyst
jacobwalkerautomotiveisaccom
Lisa D ScheffenackerBusiness Administrator
lisascheffenackerautomotiveisaccom
Julie KirkFinance
juliekirkautomotiveisaccom
Linda RhodesLegal Counsel Mayer Brown
lrhodesmayerbrowncom
89 March 2020TLP WHITE Disclosure and distribution is not limited
Recent ActivitiesAuto-ISAC Update
Highlights of Key Activities in February New Hire ndash Ricky Brooks Intelligence OfficerRicky brings 11 years of experience as an intelligence professional with comprehensive background in cyber and physical security intelligence analysis Ricky previously served in the US Coast guard as a Senior Intelligence Officer and Command Duty Officer Prior to joining the Auto-ISAC Ricky was the Senior Intel Analyst at the Northern Virginia Regional Intel (Fusion) Center working as the Centerrsquos cyber analyst analyzing cyber threats to federal state local and private sector critical infrastructure connecting stakeholders with technical experts and resources and serving as the communications bridgetranslator between technical and non-technical professionals
Looking Ahead to March
Auto-ISAC SafeRide Webinar (Members Only)
Application of AI Technology for Intrusion Detection in Vehicle Networks
Auto-ISAC Analyst workshop (March 16-17 - Members Only)
Auto ISAC Incident Response TTX (March 18 ndash Members Only)
Auto-ISAC Board of Directors Quarterly Meeting (March 19 ndash Members Only)
99 March 2020TLP WHITE Disclosure and distribution is not limited
Auto-ISAC Intelligence: What’s Trending
Jake Walker (Auto-ISAC)
Researchers have recently published several vulnerabilities in Advanced Driving Assistance Systems (ADAS) and commonly used wireless communication protocols:
- Phantom Attacks Against Advanced Driving Assistance Systems: The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems (ADASs) and autopilots of semi/fully autonomous cars to validate their virtual perception regarding the physical environment surrounding the car with a third party, has been exploited in various attacks suggested by researchers. We show how attackers can exploit this perceptual challenge to apply phantom attacks and change the abovementioned balance, without the need to physically approach the attack scene, by projecting a phantom via a drone equipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces the Internet and is located near roads. (Link)
- Tesla Cars Tricked Into Speeding by Electrical Tape on a Sign: In a practical test, as demonstrated by the McAfee team, Tesla cars with driver assistance features were fooled into misreading traffic signs, causing them to speed or disobey warnings. A piece of black electrical tape extending the numeral three on a 35 mph (56 km/h) speed limit sign had the computer misreading it as an 85 mph (136 km/h) sign, confusing the automatic cruise control feature and pushing the car to dangerous speeds. (Link)
- IMP4GT: IMPersonation Attacks in 4G NeTworks: In mobile networks, mutual authentication ensures that the smartphone and the network can verify their identities. In LTE, mutual authentication is established on the control plane with a provably secure authentication and key agreement protocol. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets. The IMP4GT (IMPersonation Attacks in 4G NeTworks) (/ˈɪmˌpæk(t)/) attacks exploit the missing integrity protection and extend it with an attack mechanism on layer three, which allows an attacker to impersonate a user towards the network and vice versa. (Link)
- SweynTooth: Unleashing Mayhem Over Bluetooth Low Energy: SweynTooth captures a family of 12 vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of six major system-on-a-chip (SoC) vendors. The vulnerabilities expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows or completely bypass security depending on the circumstances. (Link)
For more information or questions, please contact analyst@automotiveisac.com
CISA | Cybersecurity and Infrastructure Security Agency
CISA Resource Highlights
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE)
Released on February 14, 2020 by DHS CISA and the FBI.
The names associated with these reports are HOPLIGHT, BUFFETLINE, ARTFULPIE, HOTCROISSANT, CROWDEDFLOUNDER, SLICKSHOES, and BISTROMATH.
The reports are a result of analytic efforts between the DHS, the FBI, and the DOD.
The reports provide technical details on the tools and infrastructure used by cyber actors of the North Korean government.
The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity.
If there is any valuable information that is discovered related to these reports, please provide that input back to CISA at CISAServiceDesk@cisa.dhs.gov.
URLs to the reports follow:
Collective page: https://www[.]us-cert[.]gov/northkorea
Malware Analysis Report (10265965-1.v1 AR20-045A) – North Korean Trojan: BISTROMATH: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045a
Malware Analysis Report (10265965-2.v1 AR20-045B) – North Korean Trojan: SLICKSHOES: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045b
Malware Analysis Report (10265965-3.v1 AR20-045C) – North Korean Trojan: CROWDEDFLOUNDER: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045c
Malware Analysis Report (10271944-1.v1 AR20-045D) – North Korean Trojan: HOTCROISSANT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045d
Malware Analysis Report (10271944-2.v1 AR20-045E) – North Korean Trojan: ARTFULPIE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045e
Malware Analysis Report (10271944-3.v1 AR20-045F) – North Korean Trojan: BUFFETLINE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045f
Malware Analysis Report (10135536-8.v3 AR20-045G) – North Korean Trojan: HOPLIGHT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045g
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE)
Activity Alert (AA) associated with a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility.
The AA provides technical details associated with networks and assets affected, planning and operations, and mitigations.
Available for review at https://www[.]us-cert[.]gov/ncas/alerts/aa20-049a
Feedback and additional information can be provided at CISAServiceDesk@cisa.dhs.gov
For more information: cisa.gov
Questions: CISAServiceDesk@cisa.dhs.gov
1-888-282-0870
Featured Speaker: Community Speaker Series
Why Do We Feature Speakers?
- These calls are an opportunity for information exchange & learning
- Goal is to educate & provide awareness around cybersecurity for the connected vehicle
What Does it Mean to Be Featured?
- Perspectives across our ecosystem are shared from members, government, academia, researchers, industry, associations and others
- Goal is to showcase a rich & balanced variety of topics and viewpoints
- Featured speakers are not endorsed by Auto-ISAC nor do the speakers speak on behalf of Auto-ISAC
How Can I Be Featured?
- If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Auto-ISAC Staff (staff@automotiveisac.com)
1800+ Community Participants
25 Featured Speakers to date
7 Best Practice Guides available on website
Featured Speakers: Community Speakers
Example of Previous Community Speakers
- Urban Jonson, NMFTA, Heavy Vehicle Cybersecurity Working Group (April 2018)
- Ross Froat, American Trucking Association, ATA Cyberwatch Program (Oct 2018)
- Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)
- Joe Fabbre, Global Technology Director, Green Hills Software (October 2019)
- Oscar Marcia, CISSP, Eonti, Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
- Amy Smith, the Manager of Pre-College Educational Programming at SAE International (January 2020)
Community Call Slides are located at www.automotiveisac.com/communitycalls
Featured Speaker: Welcome to Today’s Speakers
NHTSA Data Analytics for Vehicle Cybersecurity Research Project: Introduction/Primer
Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes. However, if not architected, designed, tested, and deployed diligently, the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats. As part of a broad-based research agenda to develop tools, methods, and best practices that may be useful to industry stakeholders in addressing cybersecurity risks, NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment. One emerging area in this field is cybersecurity data analytics.
The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA, as well as industry stakeholders, in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques. The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity, but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications.
Multiple Speakers for the project
Data Analytics for Vehicle Cybersecurity (DACS)
NHTSA-sponsored Project
March 4, 2020, Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors, peripheral devices and systems, control devices, and user interfaces, all of which can be evaluated using Cyber Data Analytics (CDA):
• Identifying potential threats to the vehicle
• Mitigating targeted attacks of the vehicle
• Preventing or reducing the creation of additional vulnerabilities in the automotive space
DACS Project Goals
• Identify data and criteria to determine if a modern vehicle has been compromised through exploit of a cybersecurity vulnerability
• Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
• Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
• Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview: End Product
• Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices, standards, and refine general data analytics and cyber programs
• Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overview
• Task 1: Project Management
• Task 2: Problem Understanding (due March 2020)
  • 2a: Conduct literature survey/market research
  • 2b: Conduct stakeholder meetings and SME interviews
  • 2c: Prepare a problem understanding interim report
• Task 3: Evaluations of Approaches & Techniques (August 2020)
  • 3a: Identify relevant approaches/techniques & potential indicators
  • 3b: Develop data and operational information taxonomy
  • 3c: Assess feasibility of applying approaches/techniques for vehicles
• Task 4: Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
  • 4a: Identify potential recovery modes and data needs
  • 4b: Identify post-exploit analysis needs: data types
  • 4c: Identify post-exploit analysis needs: data collection and storage
• Task 5: Final Report (March 2021)
Potential for CDA within the Automotive Industry
• CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
• Within these categories, there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources | Example Off-board Peripheral Systems
Sensors | Fleet Management Sys.
ECUs | Telematics Sys./Services
Head Unit | Supply Chain Sys.
Communication Buses | OTA Networks
Wireless Interfaces | Dealer/Vehicle Lifecycle Sys.
Aftermarket hard/software | Third-party services
We would like to engage OEMs/suppliers for a better understanding of activity in this space. We are also reviewing CDA approaches in other domains and potential applicability within automotive.
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPS
• Fewer standards in the types of and processes of data in CPS
• Contain physical interfaces, sensors, and actuators
• Higher availability requirements
• Methodologies may not scale to varying CPS network protocols, applications, and topologies
• Pushing cyber data analytics approaches to the edge
Application of CDA to CPS
• Datasets are used to establish baseline models for normal behavior to detect anomalies
• Models must consider physical degradation and maintenance schedules
• Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
External Boundary Activity
• VPN Suspicious Geographical Login
• Anomalous Stateful Connections
• Attempts for Unauthorized Stateful Connections
• Blacklisted IP Access Attempt
• …
Internal Network Activity
• Packet Payload Size Increase
• Suspicious Network Scanning Activity
• Rogue Network Device Detection
• Physical Changes to PLC/RTU (e.g., I/O card)
• Substantial Increase in Traffic
• Suspicious PLC/RTU Communication Port Access
• …
Status & Trend Information
• OS Patch Status (e.g., up to date)
• Application Patch Status
• PLC Firmware Patch Status
• HMI Firmware Patch Status
• Anti-Malware Status
• Anti-Virus Status
• HIDS Status
• Device Inbound Traffic (Host Volume) Trend Analysis
• Device Outbound Traffic (Host Volume) Trend Analysis
• Unauthorized Remote Tools on Host (e.g., RDP, VNC)
• Other Behavioral Model Trend Analysis
• …
OT Device Monitoring
• PLC Firmware Changes
• HMI Firmware Changes
• PLC Status Mode Changes
• PLC Response Times/Latency
• PLC Scan Rate/Frequency
• PLC/RTU Log Mods/Stats
• …
Account Information
• OS Account Creation
• PLC/RTU Account Modification
• OS Group Assignment
• Server Account Lockout
• Server Failed Login Attempts
• …
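The baseline approach from the "Application of CDA to CPS" slide, applied to one of the OT device monitoring indicators listed above (PLC response latency), as an added example that is not part of the original slides. The readings, thresholds, the slow moving-average update and all names are constructed assumptions; the point is how a baseline that follows gradual wear and knows the maintenance schedule compares with a static one.

```python
"""Baseline anomaly detection for one OT signal (PLC response latency, ms).
All readings, thresholds and names below are constructed for illustration."""
from dataclasses import dataclass
from statistics import mean, pstdev

NOISE = [0.0, 0.2, -0.2, 0.1, -0.1]   # constructed measurement jitter (ms)


@dataclass
class Baseline:
    alpha: float = 0.05    # slow learning rate: follows wear, not sudden jumps
    z_limit: float = 4.0   # alert when a reading is this many sigmas from normal
    mu: float = 0.0
    sigma: float = 1.0

    def fit(self, samples):
        """Learn 'normal' from readings known to be clean."""
        self.mu = mean(samples)
        self.sigma = max(pstdev(samples), 1e-6)

    def is_anomalous(self, x):
        return abs(x - self.mu) / self.sigma > self.z_limit

    def learn(self, x):
        """Move the expected value slightly towards an accepted reading."""
        self.mu += self.alpha * (x - self.mu)


def detect(readings, baseline, maintenance=(), relearn_n=10):
    """Return the timestamps of anomalous readings.

    readings    -- iterable of (minute, latency_ms)
    maintenance -- [start, end) windows taken from the maintenance schedule
    relearn_n   -- readings used to re-fit the baseline after each window
    """
    alerts, relearn = [], None
    for t, x in readings:
        if any(start <= t < end for start, end in maintenance):
            relearn = []              # planned work: no alert, no learning
            continue
        if relearn is not None:       # equipment was serviced: re-baseline
            relearn.append(x)
            if len(relearn) == relearn_n:
                baseline.fit(relearn)
                relearn = None
            continue
        if baseline.is_anomalous(x):
            alerts.append(t)          # never learn from an anomalous reading
        else:
            baseline.learn(x)
    return alerts


def build_sample():
    """Constructed telemetry: wear drift, a maintenance window, two anomalies."""
    training = [10.0 + NOISE[t % 5] for t in range(20)]
    readings = []
    for t in range(20, 120):
        if t < 80:                    # gradual degradation: +0.01 ms per minute
            x = 10.0 + 0.01 * (t - 20) + NOISE[t % 5]
        elif t < 90:                  # firmware update during planned maintenance
            x = 25.0
        else:                         # serviced device settles at a new normal
            x = 9.0 + NOISE[t % 5]
        readings.append((t, x))
    readings[50 - 20] = (50, 14.0)    # injected anomaly before maintenance
    readings[110 - 20] = (110, 12.0)  # injected anomaly after maintenance
    return training, readings, [(80, 90)]


def run_demo():
    training, readings, windows = build_sample()

    aware = Baseline()
    aware.fit(training)
    aware_alerts = detect(readings, aware, windows)

    naive = Baseline(alpha=0.0)       # static baseline, no schedule knowledge
    naive.fit(training)
    naive_alerts = detect(readings, naive)

    return aware_alerts, naive_alerts


if __name__ == "__main__":
    aware_alerts, naive_alerts = run_demo()
    print("schedule- and drift-aware alerts at minutes:", aware_alerts)
    print("static baseline alert count:", len(naive_alerts))
```

A baseline that adapts can also be walked slowly away from normal, so in practice the total drift from the fitted value is bounded as well, and readings taken during the post-maintenance relearn period are reviewed separately.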
High-level Discussion Topics for Automotive Stakeholders
Monitoring/Data Collection
• How and for what purposes from vehicles and edge devices?
• How are you protecting, storing, and disposing of this data?
Detection
• What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
• Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
• How do you manage threat intel feeds and integrate them into your CDA solutions?
• Are you able to share any examples of indicators of attack or compromise?
Recovery
• Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?
Forensics
• How do you manage forensic analysis activities after an exploit?
CDA Implementation and Advancement
• What are/were your challenges in developing your CDA capabilities?
• Would you have any suggestions to government and industry to assist in overcoming these challenges?
Points of Contact
Please contact us if you are interested in providing feedback on the project and information on your efforts. Communicated information will be attributed to generalized stakeholder groups (e.g., OEMs, Suppliers) and not specific entities.
• Josh Kolleda, Kolleda_Joshua@bah.com (Booz Allen Hamilton)
• Loren Stowe, LStowe@vtti.vt.edu (Virginia Tech Transportation Institute)
Around the Room: Open Discussion
Any questions about the Auto-ISAC or future topics for discussion?
Closing Remarks: Event Outlook
For full 2019 calendar, visit www.automotiveisac.com
2020 Meetings, Conferences, Dates and Locations
TechAd Europe | March 2-3 | Berlin, Germany
Connected Vehicles – Telematics Wire | March 3-5 | Bengaluru, India
Auto-ISAC Community Call | March 4 | Telecon
Nullcon Conference | March 6-7 | Goa, India
NDIA Cyber-Physical Systems Security Summit | March 10-11 | Detroit, MI
Women in Cybersecurity Conference | March 12-14 | Aurora, CO
SXSW 2020 | March 12-22 | Austin, TX
SAE AeroTech Americas | March 17-19 | Pasadena, CA
Automotive News World Congress | March 24-25 | Detroit, MI
SAE On Board Diagnostics Symposium Europe | March 24-26 | Dublin, Ireland
IQPC Detroit Automotive Cybersecurity Summit | March 30-April 1 | Detroit, MI
Black Hat Asia 2020 | March 31-April 3 | Singapore
How to Get Involved: Membership
If you are an OEM, supplier or commercial vehicle company, now is a great time to join Auto-ISAC.
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com).
- Real-time Intelligence Sharing
- Development of Best Practice Guides
- Intelligence Summaries
- Exchanges and Workshops
- Regular intelligence meetings
- Tabletop exercises
- Crisis Notifications
- Webinars and Presentations
- Member Contact Directory
- Annual Auto-ISAC Summit Event
Strategic Partnership Programs
NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities
INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATOR: Coordination Partnership
- “See something, say something”
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar / Events
Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services. Examples: Hacker ONE, SANS, IOActive
Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, DHS, NHTSA
Community: Companies interested in engaging the automotive ecosystem and supporting - educating the community. Examples: Summit sponsorship – key events
Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, Global Auto, ATA
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
- Focused Intelligence Information/Briefings
- Cybersecurity intelligence sharing
- Vulnerability resolution
- Member to Member Sharing
- Distribute Information Gathering Costs across the Sector
- Non-attribution and Anonymity of Submissions
- Information source for the entire organization
- Risk mitigation for automotive industry
- Comparative advantage in risk mitigation
- Security and Resiliency
Thank you
Our contact info
Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
fayefrancy@automotiveisac.com
Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
joshposter@automotiveisac.com
automotiveisac.com
auto-ISAC
39 March 2020TLP WHITE Disclosure and distribution is not limited
Welcome - Auto-ISAC Community CallWelcome
Purpose These monthly Auto-ISAC Community Meetings are an opportunity for you our Members amp connected vehicle ecosystem partners to
Stay informed of Auto-ISAC activities Share information on key vehicle cybersecurity topics Learn about exciting initiatives within the automotive
community from our featured speakers
Participants Auto-ISAC Members Potential Members Partners Academia Industry Stakeholders and Government Agencies
Classification Level TLP GREEN may be shared within the Auto-ISAC Community and ldquooff the recordrdquo
How to Connect For further info questions or to add other POCs to the invite please contact Auto-ISAC Staff (staffautomotiveisaccom)
49 March 2020TLP WHITE Disclosure and distribution is not limited
Engaging in the Auto-ISAC Community
Join If your organization is eligible apply for Auto-ISAC membership If you arenrsquot eligible for membership connect with us as a partner Get engaged ndash ldquoCybersecurity is everyonersquos responsibilityrdquo
Participate Participate in monthly virtual conference calls (1st Wednesday of month) If you have a topic of interest connect with Auto-ISAC Staffndash
staffautomotiveisaccom Engage amp ask questions
Share ndash ldquoIf you see something say somethingrdquo Submit threat intelligence or other relevant information Send us information on potential vulnerabilities Contribute incident reports and lessons learned Provide best practices around mitigation techniques
Welcome
12Innovator Partners
19Navigator Partners
Coordination with 23critical infrastructure ISACs through the National ISAC
Council
Membership represents 99of cars on the road in North
America
20OEM Members
38 Supplier ampCommercial
Vehicle Members
59 March 2020TLP WHITE Disclosure and distribution is not limited
Auto-ISAC Mission
Mission ScopeServe as an unbiased information
broker to provide a central point of coordination and communication for the global automotive industry through the analysis and sharing of trusted and
timely cyber threat information
Light- and heavy-duty vehicles suppliers commercial vehicle fleets and carriers Currently we are focused on vehicle cyber security and anticipate expanding into ITOT security related to
the vehicle
What We Do
Community DevelopmentWorkshops exercises all hands summits and town halls
Intel SharingData curation across
intel feeds submissions and research
AnalysisValidation context and
recommendations
Best PracticesDevelopment
dissemination and maintenance
PartnershipsIndustry academia
vendors researchers and government
Community DevelopmentWorkshops exercises all hands summits and town halls
ISAC Overview
69 March 2020TLP WHITE Disclosure and distribution is not limited
2020 Board of Directors
Kevin TierneyChair of the
Board of the DirectorsGM
Josh DavisVice Chair of the
Board of the DirectorsToyota
Jenny GilgerSecretary of the
Board of the DirectorsHonda
Tim GeigerTreasurer of the
Board of the DirectorsFord
Todd LawlessChair of the
Advisory BoardContinental
2020 Advisory Board (AB) Leadership
Todd LawlessChair of the
Advisory BoardContinental
Brian MurrayVice Chair of the Advisory Board
ZF
Kevin WalkerChair of the SAG
Aptiv
Larry HilkeneChair of the CAG
Cummins
Executive Committee (ExCom)
2020 BoDAB Leadership
79 March 2020TLP WHITE Disclosure and distribution is not limited
2020 Auto-ISAC StaffStaff
Faye FrancyExecutive Director
fayefrancyautomotiveisaccom
Josh PosterProgram Operations Manager
joshposterautomotiveisaccom
Jessica EttsSenior Intel Coordinator
jessicaettsautomotiveisaccom
Jake WalkerCyber Intel Analyst
jacobwalkerautomotiveisaccom
Lisa D ScheffenackerBusiness Administrator
lisascheffenackerautomotiveisaccom
Julie KirkFinance
juliekirkautomotiveisaccom
Linda RhodesLegal Counsel Mayer Brown
lrhodesmayerbrowncom
89 March 2020TLP WHITE Disclosure and distribution is not limited
Recent ActivitiesAuto-ISAC Update
Highlights of Key Activities in February New Hire ndash Ricky Brooks Intelligence OfficerRicky brings 11 years of experience as an intelligence professional with comprehensive background in cyber and physical security intelligence analysis Ricky previously served in the US Coast guard as a Senior Intelligence Officer and Command Duty Officer Prior to joining the Auto-ISAC Ricky was the Senior Intel Analyst at the Northern Virginia Regional Intel (Fusion) Center working as the Centerrsquos cyber analyst analyzing cyber threats to federal state local and private sector critical infrastructure connecting stakeholders with technical experts and resources and serving as the communications bridgetranslator between technical and non-technical professionals
Looking Ahead to March
Auto-ISAC SafeRide Webinar (Members Only)
Application of AI Technology for Intrusion Detection in Vehicle Networks
Auto-ISAC Analyst workshop (March 16-17 - Members Only)
Auto ISAC Incident Response TTX (March 18 ndash Members Only)
Auto-ISAC Board of Directors Quarterly Meeting (March 19 ndash Members Only)
99 March 2020TLP WHITE Disclosure and distribution is not limited
Researchers have recently published several vulnerabilities in Advanced Driving Assistance Systems (ADAS) and commonly-used wireless communication protocols
-Phantom Attacks Against Advanced Driving Assistance Systems The absence of deployed vehicularcommunication systems which prevents the advanced driving assistance systems (ADASs) and autopilots ofsemifully autonomous cars to validate their virtual perception regarding the physical environment surroundingthe car with a third party has been exploited in various attacks suggested by researchers We show howattackers can exploit this perceptual challenge to apply phantom attacks and change the abovementionedbalance without the need to physically approach the attack scene by projecting a phantom via a droneequipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces theInternet and is located near roads (Link)-Tesla Cars Tricked Into Speeding by Electrical Tape on a Sign In a practical test as demonstrated by theMcAfee team Tesla cars with driver assistance features were fooled into misreading traffic signs causing themto speed or disobey warnings A piece of black electrical tape extending the numeral three on a 35mph (56kmh)speed limit sign had the computer misreading its as an 85mph (136 kmh) sign confusing the automatic cruisecontrol feature and pushing the car to dangerous speeds (Link)-IMP4GT IMPersonation Attacks in 4G NeTworks In mobile networks mutual authentication ensures that thesmartphone and the network can verify their identities In LTE mutual authentication is established on thecontrol plane with a provably secure authentication and key agreement protocol However missing integrityprotection of the user plane still allows an adversary to manipulate and redirect IP packets The IMP4GT(IMPersonation Attacks in 4G NeTworks) (ˈɪmˌpaeligk(t)) attacks exploit the missing integrity protection andextend it with an attack mechanism on layer three which allows an attacker to impersonate a user towards thenetwork and vice versa (Link)-SweynTooth Unleashing Mayhem Over Bluetooth Low Energy SweynTooth captures a family of 
12vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of six majorsystem-on-a-chip (SoC) vendors The vulnerabilities expose flaws in specific BLE SoC implementations thatallow an attacker in radio range to trigger deadlocks crashes and buffer overflows or completely bypass securitydepending on the circumstances (Link)
Auto-ISAC IntelligenceWhatrsquos Trending Jake Walker(Auto-ISAC)
Whatrsquos Trending
For more information or questions please contact analystautomotiveisaccom
C I S A | C Y B E R S E C U R I T Y A N D I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y
CISA RESOURCE HIGHLIGHTS
10
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE)
Released on February 14 2020 by DHS CISA and the FBI
The names associated with these reports are HOPLIGHT BUFFETLINE ARTFULPIE HOTCROISSANT CROWDEDFLOUNDER SLICKSHOES and BISTROMATH
The reports are a result of analytic efforts between the DHS the FBI and the DOD
The reports provide technical details on the tools and infrastructure used by cyber actors of the North Korean government
11
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity
If there is any valuable information that is discovered related to these reports please provide that input back to CISA at CISAServicedeskcisadhsgov
URLs to the reports follow on the next slides
12
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
Collective page httpswww[]us-cert[]govnorthkorea
Malware Analysis Report (10265965-1v1 AR20-045A) ndashNorth Korean Trojan BISTROMATH httpswww[]us-cert[]govncasanalysis-reportsar20-045a
Malware Analysis Report (10265965-2v1 AR20-045B) ndashNorth Korean Trojan SLICKSHOES httpswww[]us-cert[]govncasanalysis-reportsar20-045b
13
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued Malware Analysis Report (10265965-3v1 AR20-045C) ndash
North Korean Trojan CROWDEDFLOUNDER httpswww[]us-cert[]govncasanalysis-reportsar20-045c
Malware Analysis Report (10271944-1v1 AR20-045D) ndashNorth Korean Trojan HOTCROISSANT httpswww[]us-cert[]govncasanalysis-reportsar20-045d
Malware Analysis Report (10271944-2v1 AR20-045E) ndashNorth Korean Trojan ARTFULPIE httpswww[]us-cert[]govncasanalysis-reportsar20-045e
14
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
Malware Analysis Report (10271944-3v1 AR20-045F) ndashNorth Korean Trojan BUFFETLINE httpswww[]us-cert[]govncasanalysis-reportsar20-045f
Malware Analysis Report (10135536-8v3 AR20-045G) ndashNorth Korean Trojan HOPLIGHT httpswww[]us-cert[]govncasanalysis-reportsar20-045g
15
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE) Activity Alert (AA) associated with a cyberattack affecting
control and communication assets on the operational technology (OT) network of a natural gas compression facility
The AA provides technical details associated with networks and assets affected planning and operations and mitigations
Available for review at httpswww[]us-cert[]govncasalertsaa20-049a
Feedback and additional information can be provided at CISAServiceDeskcisadhsgov
16
17
For more informationcisagov
QuestionsCISAServiceDeskcisadhsgov
1-888-282-0870
189 March 2020TLP WHITE Disclosure and distribution is not limited
Community Speaker SeriesFeatured Speaker
Why Do We Feature Speakers These calls are an opportunity for information exchange amp learning Goal is to educate amp provide awareness around cybersecurity for the connected
vehicle
What Does it Mean to Be Featured Perspectives across our ecosystem are shared from members
government academia researchers industry associations and others
Goal is to showcase a rich amp balanced variety of topics and viewpoints Featured speakers are not endorsed by Auto-ISAC nor do the speakers
speak on behalf of Auto-ISAC
How Can I Be Featured If you have a topic of interest you would like to share with
the broader Auto-ISAC Community then we encourage you to contact our Auto-ISAC (staffautomotiveisaccom)
1800+Community Participants
25 Featured Speakers to date
7 Best Practice Guides
available on website
199 March 2020TLP WHITE May be distributed without restriction
Community Speakers
Urban Jonson NMFTA Heavy Vehicle Cybersecurity Working Group (April 2018)
Ross Froat American Trucking Association ATA Cyberwatch Program (Oct 2018)
Katherine Hartman Chief ndash Research Evaluation and Program Management ITS Joint Program Office US DOT (August 2019)
Joe Fabbre Global Technology Director Green Hills Software (October 2019)
Oscar Marcia CISSP Eonti Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
Amy Smith the Manager of Pre-College Educational Programming at SAE International (January 2020)
Example of Previous Community Speakers
Community Call Slides are located at wwwautomotiveisaccomcommunitycalls
Featured Speakers
209 March 2020TLP WHITE Disclosure and distribution is not limited
Welcome to Todayrsquos SpeakersFeatured Speaker
NHTSA Data Analytics for Vehicle Cybersecurity Research ProjectIntroductionPrimer
Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes However if not architected designed tested and deployed diligently the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats As part of a broad-based research agenda to develop tools methods and best practices that may be useful to industry stakeholders in addressing cybersecurity risks NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment One emerging area in this field is cybersecurity data analytics
The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA as well as industry stakeholders in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications
Multiple Speakers for the project
Data Analytics for Vehicle Cybersecurity
(DACS)NHTSA-sponsored Project
March 4 2020Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors peripheral devices and systems control devices and user interfaces all of which can be evaluated using Cyber Data Analytics (CDA)bull Identifying potential threats to the vehiclebull Mitigating targeted attacks of the vehiclebull Preventing or reducing the creation of additional
vulnerabilities in the automotive space
DACS Project Goalsbull Identify data and criteria to determine if a modern
vehicle has been compromised through exploit of a cybersecurity vulnerability
bull Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
bull Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
bull Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview End Product
bull Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices standards and refine general data analytics and cyber programs
bull Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overview
• Task 1: Project Management
• Task 2: Problem Understand (due March 2020)
  • 2a: Conduct literature survey/market research
  • 2b: Conduct stakeholder meetings and SME interviews
  • 2c: Prepare a problem understanding interim report
• Task 3: Evaluations of Approaches & Techniques (August 2020)
  • 3a: Identify relevant approaches/techniques & potential indicators
  • 3b: Develop data and operational information taxonomy
  • 3c: Assess feasibility of applying approaches/techniques for vehicles
• Task 4: Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
  • 4a: Identify potential recovery modes and data needs
  • 4b: Identify post-exploit analysis needs: data types
  • 4c: Identify post-exploit analysis needs: data collection and storage
• Task 5: Final Report (March 2021)
Potential for CDA within the Automotive Industry
• CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
• Within these categories, there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources | Example Off-board Peripheral Systems
Sensors | Fleet Management Sys
ECUs | Telematics Sys/Services
Head Unit | Supply Chain Sys
Communication Buses | OTA Networks
Wireless Interfaces | Dealer/Vehicle Lifecycle Sys
Aftermarket hard/software
Third-party services
We would like to engage OEMs/suppliers for a better understanding of activity in this space. We are also reviewing CDA approaches in other domains and potential applicability within automotive.
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPS
• Fewer standards in the types of and processes of data in CPS
• Contain physical interfaces, sensors, and actuators
• Higher availability requirements
• Methodologies may not scale to varying CPS network protocols, applications, and topologies
• Pushing cyber data analytics approaches to the edge
Application of CDA to CPS
• Datasets are used to establish baseline models for normal behavior to detect anomalies
• Models must consider physical degradation and maintenance schedules
• Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
External Boundary Activity
• VPN Suspicious Geographical Login
• Anomalous Stateful Connections
• Attempts for Unauthorized Stateful Connections
• Blacklisted IP Access Attempt
• …
Internal Network Activity
• Packet Payload Size Increase
• Suspicious Network Scanning Activity
• Rogue Network Device Detection
• Physical Changes to PLC/RTU (e.g. I/O card)
• Substantial Increase in Traffic
• Suspicious PLC/RTU Communication Port Access
• …
Status & Trend Information
• OS Patch Status (e.g. up to date)
• Application Patch Status
• PLC Firmware Patch Status
• HMI Firmware Patch Status
• Anti-Malware Status
• Anti-Virus Status
• HIDS Status
• Device Inbound Traffic (Host Volume) Trend Analysis
• Device Outbound Traffic (Host Volume) Trend Analysis
• Unauthorized Remote Tools on Host (e.g. RDP, VNC)
• Other Behavioral Model Trend Analysis
• …
OT Device Monitoring
• PLC Firmware Changes
• HMI Firmware Changes
• PLC Status Mode Changes
• PLC Response Times Latency
• PLC Scan Rate Frequency
• PLC/RTU Log Mods Stats
• …
Account Information
• OS Account Creation
• PLC/RTU Account Modification
• OS Group Assignment
• Server Account Lockout
• Server Failed Login Attempts
• …
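As an added illustration (not part of the presentation or the DACS project), the Python example below applies the baseline idea from "Application of CDA to CPS" to a PLC response-latency series, one of the OT device monitoring indicators listed above. The data, the 8-sample window, the maintenance window and the 3.5 modified z-score cut-off are all assumptions made for the example; a rolling baseline follows slow degradation, scheduled maintenance is excluded, and a frozen baseline is included for comparison.

```python
"""Added example: rolling robust baseline for a CPS signal (constructed data)."""
from statistics import median

# Constructed series: PLC response latency in ms, one sample per timestep.
# A slow upward drift stands in for physical degradation, t=12-13 is a
# scheduled maintenance window, and t=24 is the injected anomaly.
NOISE = (0.0, 0.1, -0.1, 0.05)
MAINTENANCE = frozenset({12, 13})


def build_samples(steps=30):
    """Return the constructed (timestep, latency_ms) series."""
    samples = []
    for t in range(steps):
        value = 10.0 + 0.03 * t + NOISE[t % 4]
        if t in MAINTENANCE:
            value = 25.0  # slow responses while the device is being serviced
        elif t == 24:
            value = 18.0  # unexplained latency jump
        samples.append((t, value))
    return samples


def robust_z(value, reference):
    """Modified z-score: distance from the median in units of scaled MAD."""
    med = median(reference)
    mad = median(abs(x - med) for x in reference)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def detect(samples, maintenance=frozenset(), window=8, threshold=3.5,
           adaptive=True):
    """Return the timesteps whose value deviates from the baseline.

    adaptive=True  : baseline is the last `window` accepted samples, so it
                     tracks slow degradation; flagged samples are never
                     learned, so an attack cannot drag the baseline along.
    adaptive=False : baseline is frozen after the first `window` samples.
    Samples inside `maintenance` are neither scored nor learned.
    """
    baseline, alerts = [], []
    for t, value in samples:
        if t in maintenance:
            continue
        if len(baseline) < window:
            baseline.append(value)  # learning phase, no scoring yet
            continue
        reference = baseline[-window:] if adaptive else baseline[:window]
        if abs(robust_z(value, reference)) > threshold:
            alerts.append(t)
        elif adaptive:
            baseline.append(value)
    return alerts


if __name__ == "__main__":
    data = build_samples()
    print("rolling baseline, maintenance known:", detect(data, MAINTENANCE))
    print("rolling baseline, maintenance unknown:", detect(data))
    print("frozen baseline, maintenance known:",
          detect(data, MAINTENANCE, adaptive=False))
```

With the frozen baseline the drift alone produces a growing run of alerts, which is the failure the "physical degradation and maintenance schedules" bullet warns about.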
High-level Discussion Topics for Automotive Stakeholders
Monitoring/Data Collection
• How and for what purposes from vehicles and edge devices?
• How are you protecting, storing, and disposing of this data?
Detection
• What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
• Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
• How do you manage threat intel feeds and integrate them into your CDA solutions?
• Are you able to share any examples of indicators of attack or compromise?
Recovery
• Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?
Forensics
• How do you manage forensic analysis activities after an exploit?
CDA Implementation and Advancement
• What are/were your challenges in developing your CDA capabilities?
• Would you have any suggestions to government and industry to assist in overcoming these challenges?
Points of Contact
Please contact us if you are interested in providing feedback on the project and information on your efforts. Communicated information will be attributed to generalized stakeholder groups (e.g. OEMs, Suppliers) and not specific entities.
• Josh Kolleda, Kolleda_Joshua@bah.com (Booz Allen Hamilton)
• Loren Stowe, LStowe@vtti.vt.edu (Virginia Tech Transportation Institute)
Open Discussion
Around the Room
Any questions about the Auto-ISAC or future topics for discussion?
Event Outlook
For full 2019 calendar, visit www.automotiveisac.com
Closing Remarks
2020 Meetings Conferences Dates and Locations
TechAd Europe | March 2-3 | Berlin, Germany
Connected Vehicles – Telematics Wire | March 3-5 | Bengaluru, India
Auto-ISAC Community Call | March 4 | Telecon
Nullcon Conference | March 6-7 | Goa, India
NDIA Cyber-Physical Systems Security Summit | March 10-11 | Detroit, MI
Women in Cybersecurity Conference | March 12-14 | Aurora, CO
SXSW 2020 | March 12-22 | Austin, TX
SAE AeroTech Americas | March 17-19 | Pasadena, CA
Automotive News World Congress | March 24-25 | Detroit, MI
SAE On Board Diagnostics Symposium Europe | March 24-26 | Dublin, Ireland
IQPC Detroit Automotive Cybersecurity Summit | March 30-April 1 | Detroit, MI
Black Hat Asia 2020 | March 31-April 3 | Singapore
Closing Remarks
If you are an OEM, supplier or commercial vehicle company, now is a great time to join Auto-ISAC
How to Get Involved: Membership
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com)
• Real-time Intelligence Sharing
• Development of Best Practice Guides
• Intelligence Summaries
• Exchanges and Workshops
• Regular intelligence meetings
• Tabletop exercises
• Crisis Notifications
• Webinars and Presentations
• Member Contact Directory
• Annual Auto-ISAC Summit Event
Strategic Partnership Programs
NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities
INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATOR: Coordination Partnership
- "See something, say something"
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar / Events
Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services. Examples: Hacker ONE, SANS, IOActive
Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, DHS, NHTSA
Community: Companies interested in engaging the automotive ecosystem and supporting - educating the community. Examples: Summit sponsorship – key events
Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, Global Auto, ATA
Closing Remarks
Focused Intelligence Information/Briefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
Closing Remarks
Thank you
Our contact info
Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
fayefrancy@automotiveisac.com
Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
joshposter@automotiveisac.com
automotiveisac.com | @auto-ISAC
Welcome
12 Innovator Partners
19 Navigator Partners
Coordination with 23 critical infrastructure ISACs through the National ISAC Council
Membership represents 99% of cars on the road in North America
20 OEM Members
38 Supplier & Commercial Vehicle Members
Auto-ISAC Mission
Mission: Serve as an unbiased information broker to provide a central point of coordination and communication for the global automotive industry through the analysis and sharing of trusted and timely cyber threat information.
Scope: Light- and heavy-duty vehicles, suppliers, commercial vehicle fleets and carriers. Currently, we are focused on vehicle cyber security, and anticipate expanding into IT/OT security related to the vehicle.
What We Do
• Community Development: Workshops, exercises, all hands, summits and town halls
• Intel Sharing: Data curation across intel feeds, submissions and research
• Analysis: Validation, context and recommendations
• Best Practices: Development, dissemination and maintenance
• Partnerships: Industry, academia, vendors, researchers and government
ISAC Overview
2020 Board of Directors
Executive Committee (ExCom)
• Kevin Tierney, Chair of the Board of the Directors, GM
• Josh Davis, Vice Chair of the Board of the Directors, Toyota
• Jenny Gilger, Secretary of the Board of the Directors, Honda
• Tim Geiger, Treasurer of the Board of the Directors, Ford
• Todd Lawless, Chair of the Advisory Board, Continental
2020 Advisory Board (AB) Leadership
• Todd Lawless, Chair of the Advisory Board, Continental
• Brian Murray, Vice Chair of the Advisory Board, ZF
• Kevin Walker, Chair of the SAG, Aptiv
• Larry Hilkene, Chair of the CAG, Cummins
2020 BoD/AB Leadership
2020 Auto-ISAC Staff
• Faye Francy, Executive Director, fayefrancy@automotiveisac.com
• Josh Poster, Program Operations Manager, joshposter@automotiveisac.com
• Jessica Etts, Senior Intel Coordinator, jessicaetts@automotiveisac.com
• Jake Walker, Cyber Intel Analyst, jacobwalker@automotiveisac.com
• Lisa D Scheffenacker, Business Administrator, lisascheffenacker@automotiveisac.com
• Julie Kirk, Finance, juliekirk@automotiveisac.com
• Linda Rhodes, Legal Counsel, Mayer Brown, lrhodes@mayerbrown.com
Recent Activities
Auto-ISAC Update
Highlights of Key Activities in February
New Hire – Ricky Brooks, Intelligence Officer
Ricky brings 11 years of experience as an intelligence professional with comprehensive background in cyber and physical security intelligence analysis. Ricky previously served in the U.S. Coast Guard as a Senior Intelligence Officer and Command Duty Officer. Prior to joining the Auto-ISAC, Ricky was the Senior Intel Analyst at the Northern Virginia Regional Intel (Fusion) Center, working as the Center's cyber analyst: analyzing cyber threats to federal, state, local, and private sector critical infrastructure, connecting stakeholders with technical experts and resources, and serving as the communications bridge/translator between technical and non-technical professionals.
Looking Ahead to March
• Auto-ISAC SafeRide Webinar (Members Only): Application of AI Technology for Intrusion Detection in Vehicle Networks
• Auto-ISAC Analyst workshop (March 16-17 – Members Only)
• Auto-ISAC Incident Response TTX (March 18 – Members Only)
• Auto-ISAC Board of Directors Quarterly Meeting (March 19 – Members Only)
Researchers have recently published several vulnerabilities in Advanced Driving Assistance Systems (ADAS) and commonly-used wireless communication protocols:
- Phantom Attacks Against Advanced Driving Assistance Systems: The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems (ADASs) and autopilots of semi/fully autonomous cars to validate their virtual perception regarding the physical environment surrounding the car with a third party, has been exploited in various attacks suggested by researchers. We show how attackers can exploit this perceptual challenge to apply phantom attacks and change the abovementioned balance, without the need to physically approach the attack scene, by projecting a phantom via a drone equipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces the Internet and is located near roads. (Link)
- Tesla Cars Tricked Into Speeding by Electrical Tape on a Sign: In a practical test, as demonstrated by the McAfee team, Tesla cars with driver assistance features were fooled into misreading traffic signs, causing them to speed or disobey warnings. A piece of black electrical tape extending the numeral three on a 35 mph (56 km/h) speed limit sign had the computer misreading it as an 85 mph (136 km/h) sign, confusing the automatic cruise control feature and pushing the car to dangerous speeds. (Link)
- IMP4GT: IMPersonation Attacks in 4G NeTworks: In mobile networks, mutual authentication ensures that the smartphone and the network can verify their identities. In LTE, mutual authentication is established on the control plane with a provably secure authentication and key agreement protocol. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets. The IMP4GT (IMPersonation Attacks in 4G NeTworks) (ˈɪmˌpæk(t)) attacks exploit the missing integrity protection and extend it with an attack mechanism on layer three, which allows an attacker to impersonate a user towards the network and vice versa. (Link)
- SweynTooth: Unleashing Mayhem Over Bluetooth Low Energy: SweynTooth captures a family of 12 vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of six major system-on-a-chip (SoC) vendors. The vulnerabilities expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows, or completely bypass security, depending on the circumstances. (Link)
Auto-ISAC Intelligence: What's Trending
Jake Walker (Auto-ISAC)
What's Trending
For more information or questions, please contact analyst@automotiveisac.com
CISA | Cybersecurity and Infrastructure Security Agency
CISA RESOURCE HIGHLIGHTS
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE)
• Released on February 14, 2020 by DHS CISA and the FBI
• The names associated with these reports are HOPLIGHT, BUFFETLINE, ARTFULPIE, HOTCROISSANT, CROWDEDFLOUNDER, SLICKSHOES, and BISTROMATH
• The reports are a result of analytic efforts between the DHS, the FBI, and the DOD
• The reports provide technical details on the tools and infrastructure used by cyber actors of the North Korean government
• The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity
• If there is any valuable information that is discovered related to these reports, please provide that input back to CISA at CISAServicedesk@cisa.dhs.gov
• URLs to the reports follow:
  • Collective page: https://www[.]us-cert[.]gov/northkorea
  • Malware Analysis Report (10265965-1v1 AR20-045A) – North Korean Trojan BISTROMATH: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045a
  • Malware Analysis Report (10265965-2v1 AR20-045B) – North Korean Trojan SLICKSHOES: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045b
  • Malware Analysis Report (10265965-3v1 AR20-045C) – North Korean Trojan CROWDEDFLOUNDER: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045c
  • Malware Analysis Report (10271944-1v1 AR20-045D) – North Korean Trojan HOTCROISSANT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045d
  • Malware Analysis Report (10271944-2v1 AR20-045E) – North Korean Trojan ARTFULPIE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045e
  • Malware Analysis Report (10271944-3v1 AR20-045F) – North Korean Trojan BUFFETLINE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045f
  • Malware Analysis Report (10135536-8v3 AR20-045G) – North Korean Trojan HOPLIGHT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045g
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE)
• Activity Alert (AA) associated with a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility
• The AA provides technical details associated with networks and assets affected, planning and operations, and mitigations
• Available for review at https://www[.]us-cert[.]gov/ncas/alerts/aa20-049a
• Feedback and additional information can be provided at CISAServiceDesk@cisa.dhs.gov
For more information: cisa.gov
Questions? CISAServiceDesk@cisa.dhs.gov
1-888-282-0870
Community Speaker Series
Featured Speaker
Why Do We Feature Speakers?
• These calls are an opportunity for information exchange & learning
• Goal is to educate & provide awareness around cybersecurity for the connected vehicle
What Does it Mean to Be Featured?
• Perspectives across our ecosystem are shared from members, government, academia, researchers, industry, associations and others
• Goal is to showcase a rich & balanced variety of topics and viewpoints
• Featured speakers are not endorsed by Auto-ISAC nor do the speakers speak on behalf of Auto-ISAC
How Can I Be Featured?
• If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Auto-ISAC (staff@automotiveisac.com)
1800+ Community Participants
25 Featured Speakers to date
7 Best Practice Guides available on website
Community Speakers
Example of Previous Community Speakers
• Urban Jonson, NMFTA, Heavy Vehicle Cybersecurity Working Group (April 2018)
• Ross Froat, American Trucking Association, ATA Cyberwatch Program (Oct 2018)
• Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)
• Joe Fabbre, Global Technology Director, Green Hills Software (October 2019)
• Oscar Marcia, CISSP, Eonti, Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
• Amy Smith, the Manager of Pre-College Educational Programming at SAE International (January 2020)
Community Call Slides are located at www.automotiveisac.com/communitycalls
Featured Speakers
Welcome to Today's Speakers
Featured Speaker
NHTSA Data Analytics for Vehicle Cybersecurity Research Project
Introduction/Primer
Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes. However, if not architected, designed, tested, and deployed diligently, the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats. As part of a broad-based research agenda to develop tools, methods, and best practices that may be useful to industry stakeholders in addressing cybersecurity risks, NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment. One emerging area in this field is cybersecurity data analytics.
The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA as well as industry stakeholders in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications
Multiple Speakers for the project
Data Analytics for Vehicle Cybersecurity
(DACS)NHTSA-sponsored Project
March 4 2020Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors peripheral devices and systems control devices and user interfaces all of which can be evaluated using Cyber Data Analytics (CDA)bull Identifying potential threats to the vehiclebull Mitigating targeted attacks of the vehiclebull Preventing or reducing the creation of additional
vulnerabilities in the automotive space
DACS Project Goalsbull Identify data and criteria to determine if a modern
vehicle has been compromised through exploit of a cybersecurity vulnerability
bull Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
bull Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
bull Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview End Product
bull Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices standards and refine general data analytics and cyber programs
bull Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overviewbull Task 1 Project Managementbull Task 2 Problem Understand (due March 2020)
bull 2a Conduct literature surveymarket research bull 2b Conduct stakeholder meetings and SME interviewsbull 2c Prepare a problem understanding interim report
bull Task 3 Evaluations of Approaches amp Techniques (August 2020)bull 3a Identify relevant approachestechniques amp potential indicatorsbull 3b Develop data and operational information taxonomybull 3c Assess feasibility of applying approachestechniques for vehicles
bull Task 4 Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
bull 4a Identify potential recovery modes and data needsbull 4b Identify post-exploit analysis needs data typesbull 4c Identify post-exploit analysis needs data collection and storage
bull Task 5 Final Report (March 2021)
Potential for CDA within the Automotive Industry
bull CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
bull Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources
Example Off-board Peripheral Systems
Sensors Fleet Management Sys
ECUs Telematics SysServices
Head Unit Supply Chain Sys
Communication Buses OTA Networks
Wireless Interfaces DealerVehicle Lifecycle Sys
Aftermarket hard software
Third-party services
We would like to engage OEMssuppliers for a better understanding of activity in this space We are also reviewing CDA approaches in other domains and potential applicability within automotive
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPSbull Fewer standards in the types of
and processes of data in CPSbull Contain physical interfaces
sensors and actuatorsbull Higher availability requirementsbull Methodologies may not scale to
varying CPS network protocols applications and topologies
bull Pushing cyber data analytics approaches to the edge
Application of CDA to CPSbull Datasets are used to establish
baseline models for normal behavior to detect anomalies
bull Models must consider physical degradation and maintenance schedules
bull Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
VPN Suspicious Geographical LoginAnomalous Stateful ConnectionsAttempts for Unauthorized Stateful ConnectionsBlacklisted IP Access Attempthellip
External Boundary Activity
Packet Payload Size IncreaseSuspicious Network Scanning ActivityRogue Network Device Detection Physical Changes to PLCRTU (eg IO card)Substantial Increase in TrafficSuspicious PLCRTU Communication Port Accesshellip
Internal Network Activity
Status amp Trend Information
OS Patch Status (eg up to date)Application Patch StatusPLC Firmware Patch StatusHMI Firmware Patch StatusAnti-Malware StatusAnti-Virus StatusHIDS StatusDevice Inbound Traffic (Host Volume) Trend AnalysisDevice Outbound Traffic (Host Volume) Trend AnalysisUnauthorized Remote Tools on Host (eg RDP VNC)Other Behavioral Model Trend Analysishellip
OT Device MonitoringPLC Firmware ChangesHMI Firmware ChangesPLC Status Mode ChangesPLC Response Times LatencyPLC Scan Rate FrequencyPLCRTU Log Mods Statshellip
Account InformationOS Account CreationPLCRTU Account ModificationOS Group AssignmentServer Account LockoutServer Failed Login Attemptshellip
High-level Discussion Topics for Automotive StakeholdersMonitoringData Collectionbull How and for what purposes from
vehicles and edge devices bull How are you protecting storing and
disposing of this dataDetectionbull What cyber data analytics capabilities do
you have to determine if a vehicle has been compromised
bull Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle within peripheral off-board systems or both
bull How do you manage threat intel feeds and integrate them into your CDA solutions
bull Are you able to share any examples of indicators of attack or compromise
Recoverybull Has your organization ever used
an indicator to trigger a real-time recovery mode or response to mitigate safety risk
Forensicsbull How do you manage forensic
analysis activities after an exploitCDA Implementation and Advancementbull What arewere your challenges in
developing your CDA capabilitiesbull Would you have any suggestions
to government and industry to assist in overcoming these challenges
Points of ContactPlease contact us if you are interested in providing feedback on the project and information on your effortsCommunicated information will be attributed to generalized stakeholder groups (eg OEMs Suppliers) and not specific entities
bull Josh Kolleda Kolleda_Joshuabahcom (Booz Allen Hamilton)
bull Loren Stowe LStowevttivtedu (Virginia Tech Transportation Institute)
329 March 2020TLP WHITE Disclosure and distribution is not limited
Open DiscussionAround the Room
Any questions about the Auto-ISAC or future topics
for discussion
339 March 2020TLP WHITE Disclosure and distribution is not limited
Event Outlook
For full 2019 calendar visit wwwautomotiveisaccom
Closing Remarks
2020 Meetings Conferences Dates and Locations
TechAd Europe March 2-3 Berlin Germany
Connected Vehicles ndash Telematics Wire March 3-5 Bengaluru India
Auto-ISAC Community Call March 4 Telecon
Nullcon Conference March 6-7 Goa India
NDIA Cyber-Physical Systems Security Summit March 10-11 Detroit MI
Women in Cybersecurity Conference March 12-14 Aurora CO
SXSW 2020 March 12-22 Austin TX
SAE AeroTech Americas March 17-19 Pasadena CA
Automotive News World Congress March 24-25 Detroit MI
SAE On Board Diagnostics Symposium Europe March 24-26 Dublin Ireland
IQPC Detroit Automotive Cybersecurity Summit March 30-April 1 Detroit MI
Black Hat Asia 2020 March 31-April 3 Singapore
349 March 2020TLP WHITE Disclosure and distribution is not limited
Closing Remarks
If you are an OEM supplier or commercial vehicle company now is a great time to join
Auto-ISAC
How to Get Involved Membership
To learn more about Auto-ISAC Membership or Partnership please contact Auto-ISAC Staff (staffautomotiveisaccom)
Real-time Intelligence Sharing
Development of Best Practice Guides
Intelligence Summaries Exchanges and Workshops
Regular intelligence meetings
Tabletop exercises
Crisis Notifications Webinars and Presentations
Member Contact Directory Annual Auto-ISAC Summit Event
359 March 2020TLP WHITE Disclosure and distribution is not limited
Strategic Partnership Programs
NAVIGATORSupport Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics activities
INNOVATORPaid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATORCoordination Partnership
- ldquoSee something say somethingrdquo
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTORSponsorshipPartnership
- Participate in monthly community calls
- Sponsor Summit- Network with Auto
Community- Webinar Events
Solutions Providers
For-profit companies that sell connected
vehicle cybersecurity products amp services
Examples Hacker ONE SANS IOActive
AffiliationsGovernment
academia research non-profit orgs with
complementary missions to Auto-ISAC
Examples NCI DHS NHTSA
CommunityCompanies interested
in engaging the automotive ecosystem
and supporting -educating the community
Examples Summit sponsorship ndash
key events
AssociationsIndustry associations and others who want to support and invest
in the Auto-ISAC activities
Examples Auto Alliance Global Auto ATA
Closing Remarks
369 March 2020TLP WHITE Disclosure and distribution is not limited
Focused Intelligence InformationBriefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
Closing Remarks
379 March 2020TLP WHITE Disclosure and distribution is not limited 37
Thank you
Thank you
389 March 2020TLP WHITE Disclosure and distribution is not limited
Our contact info
Faye FrancyExecutive Director
20 F Street NW Suite 700Washington DC 20001
703-861-5417fayefrancyautomotiveisaccom
Josh PosterProgram Operations
Manager
20 F Street NW Suite 700Washington DC 20001
joshposterautomotiveisaccom
automotiveisaccomauto-ISAC
ISAC Overview
Auto-ISAC Mission
Mission: Serve as an unbiased information broker to provide a central point of coordination and communication for the global automotive industry through the analysis and sharing of trusted and timely cyber threat information.
Scope: Light- and heavy-duty vehicles, suppliers, commercial vehicle fleets and carriers. Currently, we are focused on vehicle cyber security, and anticipate expanding into IT/OT security related to the vehicle.
What We Do
- Community Development: Workshops, exercises, all hands, summits and town halls
- Intel Sharing: Data curation across intel feeds, submissions and research
- Analysis: Validation, context and recommendations
- Best Practices: Development, dissemination and maintenance
- Partnerships: Industry, academia, vendors, researchers and government
2020 Board of Directors
- Kevin Tierney, Chair of the Board of the Directors, GM
- Josh Davis, Vice Chair of the Board of the Directors, Toyota
- Jenny Gilger, Secretary of the Board of the Directors, Honda
- Tim Geiger, Treasurer of the Board of the Directors, Ford
- Todd Lawless, Chair of the Advisory Board, Continental
2020 Advisory Board (AB) Leadership
- Todd Lawless, Chair of the Advisory Board, Continental
- Brian Murray, Vice Chair of the Advisory Board, ZF
- Kevin Walker, Chair of the SAG, Aptiv
- Larry Hilkene, Chair of the CAG, Cummins
Executive Committee (ExCom)
2020 BoD/AB Leadership
2020 Auto-ISAC Staff
- Faye Francy, Executive Director, fayefrancy@automotiveisac.com
- Josh Poster, Program Operations Manager, joshposter@automotiveisac.com
- Jessica Etts, Senior Intel Coordinator, jessicaetts@automotiveisac.com
- Jake Walker, Cyber Intel Analyst, jacobwalker@automotiveisac.com
- Lisa D Scheffenacker, Business Administrator, lisascheffenacker@automotiveisac.com
- Julie Kirk, Finance, juliekirk@automotiveisac.com
- Linda Rhodes, Legal Counsel, Mayer Brown, lrhodes@mayerbrown.com
Auto-ISAC Update
Recent Activities
Highlights of Key Activities in February
New Hire – Ricky Brooks, Intelligence Officer
Ricky brings 11 years of experience as an intelligence professional with comprehensive background in cyber and physical security intelligence analysis. Ricky previously served in the US Coast Guard as a Senior Intelligence Officer and Command Duty Officer. Prior to joining the Auto-ISAC, Ricky was the Senior Intel Analyst at the Northern Virginia Regional Intel (Fusion) Center, working as the Center's cyber analyst: analyzing cyber threats to federal, state, local and private sector critical infrastructure, connecting stakeholders with technical experts and resources, and serving as the communications bridge/translator between technical and non-technical professionals.
Looking Ahead to March
- Auto-ISAC SafeRide Webinar (Members Only): Application of AI Technology for Intrusion Detection in Vehicle Networks
- Auto-ISAC Analyst workshop (March 16-17 – Members Only)
- Auto-ISAC Incident Response TTX (March 18 – Members Only)
- Auto-ISAC Board of Directors Quarterly Meeting (March 19 – Members Only)
What's Trending
Auto-ISAC Intelligence: What's Trending, Jake Walker (Auto-ISAC)
Researchers have recently published several vulnerabilities in Advanced Driving Assistance Systems (ADAS) and commonly-used wireless communication protocols:
- Phantom Attacks Against Advanced Driving Assistance Systems: The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems (ADASs) and autopilots of semi/fully autonomous cars to validate their virtual perception regarding the physical environment surrounding the car with a third party, has been exploited in various attacks suggested by researchers. We show how attackers can exploit this perceptual challenge to apply phantom attacks and change the abovementioned balance, without the need to physically approach the attack scene, by projecting a phantom via a drone equipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces the Internet and is located near roads. (Link)
- Tesla Cars Tricked Into Speeding by Electrical Tape on a Sign: In a practical test, as demonstrated by the McAfee team, Tesla cars with driver assistance features were fooled into misreading traffic signs, causing them to speed or disobey warnings. A piece of black electrical tape extending the numeral three on a 35 mph (56 km/h) speed limit sign had the computer misreading it as an 85 mph (136 km/h) sign, confusing the automatic cruise control feature and pushing the car to dangerous speeds. (Link)
- IMP4GT: IMPersonation Attacks in 4G NeTworks: In mobile networks, mutual authentication ensures that the smartphone and the network can verify their identities. In LTE, mutual authentication is established on the control plane with a provably secure authentication and key agreement protocol. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets. The IMP4GT (IMPersonation Attacks in 4G NeTworks) (ˈɪmˌpæk(t)) attacks exploit the missing integrity protection and extend it with an attack mechanism on layer three, which allows an attacker to impersonate a user towards the network and vice versa. (Link)
- SweynTooth: Unleashing Mayhem Over Bluetooth Low Energy: SweynTooth captures a family of 12 vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of six major system-on-a-chip (SoC) vendors. The vulnerabilities expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows, or completely bypass security, depending on the circumstances. (Link)
For more information or questions, please contact analyst@automotiveisac.com
CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
CISA RESOURCE HIGHLIGHTS
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE)
- Released on February 14, 2020 by DHS CISA and the FBI
- The names associated with these reports are HOPLIGHT, BUFFETLINE, ARTFULPIE, HOTCROISSANT, CROWDEDFLOUNDER, SLICKSHOES, and BISTROMATH
- The reports are a result of analytic efforts between the DHS, the FBI, and the DOD
- The reports provide technical details on the tools and infrastructure used by cyber actors of the North Korean government
- The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity
- If there is any valuable information that is discovered related to these reports, please provide that input back to CISA at CISAServicedesk@cisa.dhs.gov
- URLs to the reports follow:
- Collective page: https://www[.]us-cert[.]gov/northkorea
- Malware Analysis Report (10265965-1v1 AR20-045A) – North Korean Trojan BISTROMATH: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045a
- Malware Analysis Report (10265965-2v1 AR20-045B) – North Korean Trojan SLICKSHOES: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045b
- Malware Analysis Report (10265965-3v1 AR20-045C) – North Korean Trojan CROWDEDFLOUNDER: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045c
- Malware Analysis Report (10271944-1v1 AR20-045D) – North Korean Trojan HOTCROISSANT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045d
- Malware Analysis Report (10271944-2v1 AR20-045E) – North Korean Trojan ARTFULPIE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045e
- Malware Analysis Report (10271944-3v1 AR20-045F) – North Korean Trojan BUFFETLINE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045f
- Malware Analysis Report (10135536-8v3 AR20-045G) – North Korean Trojan HOPLIGHT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045g
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE)
- Activity Alert (AA) associated with a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility
- The AA provides technical details associated with networks and assets affected, planning and operations, and mitigations
- Available for review at https://www[.]us-cert[.]gov/ncas/alerts/aa20-049a
- Feedback and additional information can be provided at CISAServiceDesk@cisa.dhs.gov
For more information: cisa.gov
Questions? CISAServiceDesk@cisa.dhs.gov
1-888-282-0870
Featured Speaker
Community Speaker Series
Why Do We Feature Speakers?
- These calls are an opportunity for information exchange & learning
- Goal is to educate & provide awareness around cybersecurity for the connected vehicle
What Does it Mean to Be Featured?
- Perspectives across our ecosystem are shared from members, government, academia, researchers, industry associations and others
- Goal is to showcase a rich & balanced variety of topics and viewpoints
- Featured speakers are not endorsed by Auto-ISAC nor do the speakers speak on behalf of Auto-ISAC
How Can I Be Featured?
- If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Auto-ISAC (staff@automotiveisac.com)
1800+ Community Participants
25 Featured Speakers to date
7 Best Practice Guides available on website
Community Speakers
Example of Previous Community Speakers
- Urban Jonson, NMFTA, Heavy Vehicle Cybersecurity Working Group (April 2018)
- Ross Froat, American Trucking Association, ATA Cyberwatch Program (Oct 2018)
- Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)
- Joe Fabbre, Global Technology Director, Green Hills Software (October 2019)
- Oscar Marcia, CISSP, Eonti, Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
- Amy Smith, the Manager of Pre-College Educational Programming at SAE International (January 2020)
Community Call Slides are located at www.automotiveisac.com/communitycalls
Featured Speaker
Welcome to Today's Speakers
NHTSA Data Analytics for Vehicle Cybersecurity Research Project: Introduction/Primer
Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes. However, if not architected, designed, tested, and deployed diligently, the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats. As part of a broad-based research agenda to develop tools, methods, and best practices that may be useful to industry stakeholders in addressing cybersecurity risks, NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment. One emerging area in this field is cybersecurity data analytics.
The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA, as well as industry stakeholders, in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques. The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity, but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications.
Multiple Speakers for the project
Data Analytics for Vehicle Cybersecurity (DACS)
NHTSA-sponsored Project
March 4, 2020
Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors, peripheral devices and systems, control devices, and user interfaces, all of which can be evaluated using Cyber Data Analytics (CDA):
- Identifying potential threats to the vehicle
- Mitigating targeted attacks of the vehicle
- Preventing or reducing the creation of additional vulnerabilities in the automotive space
DACS Project Goals
- Identify data and criteria to determine if a modern vehicle has been compromised through exploit of a cybersecurity vulnerability
- Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
- Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
- Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview: End Product
- Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices, standards, and refine general data analytics and cyber programs
- Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overview
- Task 1: Project Management
- Task 2: Problem Understand (due March 2020)
  - 2a: Conduct literature survey/market research
  - 2b: Conduct stakeholder meetings and SME interviews
  - 2c: Prepare a problem understanding interim report
- Task 3: Evaluations of Approaches & Techniques (August 2020)
  - 3a: Identify relevant approaches/techniques & potential indicators
  - 3b: Develop data and operational information taxonomy
  - 3c: Assess feasibility of applying approaches/techniques for vehicles
- Task 4: Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
  - 4a: Identify potential recovery modes and data needs
  - 4b: Identify post-exploit analysis needs: data types
  - 4c: Identify post-exploit analysis needs: data collection and storage
- Task 5: Final Report (March 2021)
Potential for CDA within the Automotive Industry
- CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
- Within these categories, there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources
- Sensors
- ECUs
- Head Unit
- Communication Buses
- Wireless Interfaces
- Aftermarket hard/software
Example Off-board Peripheral Systems
- Fleet Management Sys
- Telematics Sys/Services
- Supply Chain Sys
- OTA Networks
- Dealer/Vehicle Lifecycle Sys
- Third-party services
We would like to engage OEMs/suppliers for a better understanding of activity in this space. We are also reviewing CDA approaches in other domains and potential applicability within automotive.
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPS
- Fewer standards in the types of and processes of data in CPS
- Contain physical interfaces, sensors, and actuators
- Higher availability requirements
- Methodologies may not scale to varying CPS network protocols, applications, and topologies
- Pushing cyber data analytics approaches to the edge
Application of CDA to CPS
- Datasets are used to establish baseline models for normal behavior to detect anomalies
- Models must consider physical degradation and maintenance schedules
- Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
External Boundary Activity
- VPN Suspicious Geographical Login
- Anomalous Stateful Connections
- Attempts for Unauthorized Stateful Connections
- Blacklisted IP Access Attempt
- …
Internal Network Activity
- Packet Payload Size Increase
- Suspicious Network Scanning Activity
- Rogue Network Device Detection
- Physical Changes to PLC/RTU (e.g., I/O card)
- Substantial Increase in Traffic
- Suspicious PLC/RTU Communication Port Access
- …
Status & Trend Information
- OS Patch Status (e.g., up to date)
- Application Patch Status
- PLC Firmware Patch Status
- HMI Firmware Patch Status
- Anti-Malware Status
- Anti-Virus Status
- HIDS Status
- Device Inbound Traffic (Host Volume) Trend Analysis
- Device Outbound Traffic (Host Volume) Trend Analysis
- Unauthorized Remote Tools on Host (e.g., RDP, VNC)
- Other Behavioral Model Trend Analysis
- …
OT Device Monitoring
- PLC Firmware Changes
- HMI Firmware Changes
- PLC Status Mode Changes
- PLC Response Times Latency
- PLC Scan Rate Frequency
- PLC/RTU Log Mods Stats
- …
Account Information
- OS Account Creation
- PLC/RTU Account Modification
- OS Group Assignment
- Server Account Lockout
- Server Failed Login Attempts
- …
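As an added illustration (not code from the presentation or the DACS project), the Python below applies the baseline-model idea from the CDA-for-CPS slide to one of the OT device monitoring indicators listed above, PLC scan time. The trace, thresholds and class name are constructed assumptions: an EWMA baseline follows slow wear-related drift, skips samples inside a scheduled maintenance window, and is compared with a baseline frozen after warm-up.

```python
"""Added example: drift-aware baseline vs. static baseline on a constructed OT signal."""
import math
import statistics
from dataclasses import dataclass

WARMUP = 30          # samples used to learn the baseline before alerting
Z_THRESHOLD = 4.0    # alert when |deviation| exceeds this many standard deviations


@dataclass
class DriftAwareBaseline:
    """EWMA mean/variance baseline that follows slow drift but not abrupt jumps."""
    alpha: float = 0.05
    mean: float = 0.0
    var: float = 0.0
    seen: int = 0

    def update(self, value: float, in_maintenance: bool = False) -> bool:
        """Score one sample; return True if it is anomalous."""
        if in_maintenance:
            return False  # planned work: neither alert on it nor learn from it
        self.seen += 1
        if self.seen == 1:
            self.mean = value
            return False
        deviation = value - self.mean
        std = math.sqrt(self.var)
        anomalous = (self.seen > WARMUP and std > 0
                     and abs(deviation) > Z_THRESHOLD * std)
        if not anomalous:
            # Learn only from samples judged normal, so a spoofed burst
            # cannot pull the baseline toward itself.
            self.mean += self.alpha * deviation
            self.var = (1 - self.alpha) * (self.var + self.alpha * deviation ** 2)
        return anomalous


def build_constructed_trace():
    """Constructed PLC scan-time trace (ms): (value, in_maintenance) per sample."""
    trace = []
    for i in range(400):
        value = 10.0 + 0.002 * i + 0.1 * math.sin(0.9 * i)  # wear drift + jitter
        in_maintenance = 200 <= i < 210
        if in_maintenance:
            value = 25.0          # diagnostics mode during a scheduled window
        elif 300 <= i < 305:
            value += 3.0          # abrupt change: the event we want flagged
        trace.append((value, in_maintenance))
    return trace


def run_detectors(trace):
    """Return (drift_aware_alerts, static_alerts) as lists of sample indexes."""
    # Static baseline: mean/std frozen after the first WARMUP samples.
    warm = [v for v, _ in trace[:WARMUP]]
    s_mean, s_std = statistics.fmean(warm), statistics.pstdev(warm)

    adaptive = DriftAwareBaseline()
    drift_aware_alerts, static_alerts = [], []
    for i, (value, in_maintenance) in enumerate(trace):
        if adaptive.update(value, in_maintenance):
            drift_aware_alerts.append(i)
        if (i >= WARMUP and not in_maintenance
                and abs(value - s_mean) > Z_THRESHOLD * s_std):
            static_alerts.append(i)
    return drift_aware_alerts, static_alerts


if __name__ == "__main__":
    adaptive, static = run_detectors(build_constructed_trace())
    print("drift-aware alerts:", adaptive)
    print("static alerts:", len(static), "of which false:",
          len([i for i in static if not 300 <= i < 305]))
```

A baseline that adapts can also be walked slowly by a patient adversary, so a bound on how fast the learned mean may move is a sensible companion check.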
High-level Discussion Topics for Automotive Stakeholders
Monitoring/Data Collection
- How and for what purposes from vehicles and edge devices?
- How are you protecting, storing, and disposing of this data?
Detection
- What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
- Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
- How do you manage threat intel feeds and integrate them into your CDA solutions?
- Are you able to share any examples of indicators of attack or compromise?
Recovery
- Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?
Forensics
- How do you manage forensic analysis activities after an exploit?
CDA Implementation and Advancement
- What are/were your challenges in developing your CDA capabilities?
- Would you have any suggestions to government and industry to assist in overcoming these challenges?
Points of Contact
Please contact us if you are interested in providing feedback on the project and information on your efforts. Communicated information will be attributed to generalized stakeholder groups (e.g., OEMs, Suppliers) and not specific entities.
- Josh Kolleda, Kolleda_Joshua@bah.com (Booz Allen Hamilton)
- Loren Stowe, LStowe@vtti.vt.edu (Virginia Tech Transportation Institute)
Around the Room
Open Discussion
Any questions about the Auto-ISAC or future topics for discussion?
Closing Remarks
Event Outlook
2020 Meetings, Conferences, Dates and Locations
- TechAd Europe: March 2-3, Berlin, Germany
- Connected Vehicles – Telematics Wire: March 3-5, Bengaluru, India
- Auto-ISAC Community Call: March 4, Telecon
- Nullcon Conference: March 6-7, Goa, India
- NDIA Cyber-Physical Systems Security Summit: March 10-11, Detroit, MI
- Women in Cybersecurity Conference: March 12-14, Aurora, CO
- SXSW 2020: March 12-22, Austin, TX
- SAE AeroTech Americas: March 17-19, Pasadena, CA
- Automotive News World Congress: March 24-25, Detroit, MI
- SAE On Board Diagnostics Symposium Europe: March 24-26, Dublin, Ireland
- IQPC Detroit Automotive Cybersecurity Summit: March 30-April 1, Detroit, MI
- Black Hat Asia 2020: March 31-April 3, Singapore
For full 2019 calendar, visit www.automotiveisac.com
How to Get Involved: Membership
If you are an OEM, supplier or commercial vehicle company, now is a great time to join Auto-ISAC.
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com)
- Real-time Intelligence Sharing
- Development of Best Practice Guides
- Intelligence Summaries
- Exchanges and Workshops
- Regular intelligence meetings
- Tabletop exercises
- Crisis Notifications
- Webinars and Presentations
- Member Contact Directory
- Annual Auto-ISAC Summit Event
Strategic Partnership Programs
NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics, activities
INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATOR: Coordination Partnership
- "See something, say something"
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar Events
Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services. Examples: Hacker ONE, SANS, IOActive
Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, DHS, NHTSA
Community: Companies interested in engaging the automotive ecosystem and supporting - educating the community. Examples: Summit sponsorship – key events
Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, Global Auto, ATA
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
- Focused Intelligence Information/Briefings
- Cybersecurity intelligence sharing
- Vulnerability resolution
- Member to Member Sharing
- Distribute Information Gathering Costs across the Sector
- Non-attribution and Anonymity of Submissions
- Information source for the entire organization
- Risk mitigation for automotive industry
- Comparative advantage in risk mitigation
- Security and Resiliency
Thank you
Our contact info
- Faye Francy, Executive Director, 20 F Street NW, Suite 700, Washington, DC 20001, 703-861-5417, fayefrancy@automotiveisac.com
- Josh Poster, Program Operations Manager, 20 F Street NW, Suite 700, Washington, DC 20001, joshposter@automotiveisac.com
automotiveisac.com, auto-ISAC
69 March 2020TLP WHITE Disclosure and distribution is not limited
2020 Board of Directors
Kevin TierneyChair of the
Board of the DirectorsGM
Josh DavisVice Chair of the
Board of the DirectorsToyota
Jenny GilgerSecretary of the
Board of the DirectorsHonda
Tim GeigerTreasurer of the
Board of the DirectorsFord
Todd LawlessChair of the
Advisory BoardContinental
2020 Advisory Board (AB) Leadership
Todd LawlessChair of the
Advisory BoardContinental
Brian MurrayVice Chair of the Advisory Board
ZF
Kevin WalkerChair of the SAG
Aptiv
Larry HilkeneChair of the CAG
Cummins
Executive Committee (ExCom)
2020 BoDAB Leadership
79 March 2020TLP WHITE Disclosure and distribution is not limited
2020 Auto-ISAC StaffStaff
Faye FrancyExecutive Director
fayefrancyautomotiveisaccom
Josh PosterProgram Operations Manager
joshposterautomotiveisaccom
Jessica EttsSenior Intel Coordinator
jessicaettsautomotiveisaccom
Jake WalkerCyber Intel Analyst
jacobwalkerautomotiveisaccom
Lisa D ScheffenackerBusiness Administrator
lisascheffenackerautomotiveisaccom
Julie KirkFinance
juliekirkautomotiveisaccom
Linda RhodesLegal Counsel Mayer Brown
lrhodesmayerbrowncom
89 March 2020TLP WHITE Disclosure and distribution is not limited
Recent ActivitiesAuto-ISAC Update
Highlights of Key Activities in February New Hire ndash Ricky Brooks Intelligence OfficerRicky brings 11 years of experience as an intelligence professional with comprehensive background in cyber and physical security intelligence analysis Ricky previously served in the US Coast guard as a Senior Intelligence Officer and Command Duty Officer Prior to joining the Auto-ISAC Ricky was the Senior Intel Analyst at the Northern Virginia Regional Intel (Fusion) Center working as the Centerrsquos cyber analyst analyzing cyber threats to federal state local and private sector critical infrastructure connecting stakeholders with technical experts and resources and serving as the communications bridgetranslator between technical and non-technical professionals
Looking Ahead to March
Auto-ISAC SafeRide Webinar (Members Only)
Application of AI Technology for Intrusion Detection in Vehicle Networks
Auto-ISAC Analyst workshop (March 16-17 - Members Only)
Auto ISAC Incident Response TTX (March 18 ndash Members Only)
Auto-ISAC Board of Directors Quarterly Meeting (March 19 ndash Members Only)
99 March 2020TLP WHITE Disclosure and distribution is not limited
Researchers have recently published several vulnerabilities in Advanced Driving Assistance Systems (ADAS) and commonly-used wireless communication protocols
-Phantom Attacks Against Advanced Driving Assistance Systems The absence of deployed vehicularcommunication systems which prevents the advanced driving assistance systems (ADASs) and autopilots ofsemifully autonomous cars to validate their virtual perception regarding the physical environment surroundingthe car with a third party has been exploited in various attacks suggested by researchers We show howattackers can exploit this perceptual challenge to apply phantom attacks and change the abovementionedbalance without the need to physically approach the attack scene by projecting a phantom via a droneequipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces theInternet and is located near roads (Link)-Tesla Cars Tricked Into Speeding by Electrical Tape on a Sign In a practical test as demonstrated by theMcAfee team Tesla cars with driver assistance features were fooled into misreading traffic signs causing themto speed or disobey warnings A piece of black electrical tape extending the numeral three on a 35mph (56kmh)speed limit sign had the computer misreading its as an 85mph (136 kmh) sign confusing the automatic cruisecontrol feature and pushing the car to dangerous speeds (Link)-IMP4GT IMPersonation Attacks in 4G NeTworks In mobile networks mutual authentication ensures that thesmartphone and the network can verify their identities In LTE mutual authentication is established on thecontrol plane with a provably secure authentication and key agreement protocol However missing integrityprotection of the user plane still allows an adversary to manipulate and redirect IP packets The IMP4GT(IMPersonation Attacks in 4G NeTworks) (ˈɪmˌpaeligk(t)) attacks exploit the missing integrity protection andextend it with an attack mechanism on layer three which allows an attacker to impersonate a user towards thenetwork and vice versa (Link)-SweynTooth Unleashing Mayhem Over Bluetooth Low Energy SweynTooth captures a family of 
12vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of six majorsystem-on-a-chip (SoC) vendors The vulnerabilities expose flaws in specific BLE SoC implementations thatallow an attacker in radio range to trigger deadlocks crashes and buffer overflows or completely bypass securitydepending on the circumstances (Link)
Auto-ISAC IntelligenceWhatrsquos Trending Jake Walker(Auto-ISAC)
Whatrsquos Trending
For more information or questions please contact analystautomotiveisaccom
C I S A | C Y B E R S E C U R I T Y A N D I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y
CISA RESOURCE HIGHLIGHTS
10
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE)
Released on February 14 2020 by DHS CISA and the FBI
The names associated with these reports are HOPLIGHT BUFFETLINE ARTFULPIE HOTCROISSANT CROWDEDFLOUNDER SLICKSHOES and BISTROMATH
The reports are a result of analytic efforts between the DHS the FBI and the DOD
The reports provide technical details on the tools and infrastructure used by cyber actors of the North Korean government
11
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity
If there is any valuable information that is discovered related to these reports please provide that input back to CISA at CISAServicedeskcisadhsgov
URLs to the reports follow on the next slides
12
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
Collective page httpswww[]us-cert[]govnorthkorea
Malware Analysis Report (10265965-1v1 AR20-045A) ndashNorth Korean Trojan BISTROMATH httpswww[]us-cert[]govncasanalysis-reportsar20-045a
Malware Analysis Report (10265965-2v1 AR20-045B) ndashNorth Korean Trojan SLICKSHOES httpswww[]us-cert[]govncasanalysis-reportsar20-045b
13
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued Malware Analysis Report (10265965-3v1 AR20-045C) ndash
North Korean Trojan CROWDEDFLOUNDER httpswww[]us-cert[]govncasanalysis-reportsar20-045c
Malware Analysis Report (10271944-1v1 AR20-045D) ndashNorth Korean Trojan HOTCROISSANT httpswww[]us-cert[]govncasanalysis-reportsar20-045d
Malware Analysis Report (10271944-2v1 AR20-045E) ndashNorth Korean Trojan ARTFULPIE httpswww[]us-cert[]govncasanalysis-reportsar20-045e
14
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
Malware Analysis Report (10271944-3v1 AR20-045F) ndashNorth Korean Trojan BUFFETLINE httpswww[]us-cert[]govncasanalysis-reportsar20-045f
Malware Analysis Report (10135536-8v3 AR20-045G) ndashNorth Korean Trojan HOPLIGHT httpswww[]us-cert[]govncasanalysis-reportsar20-045g
15
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE) Activity Alert (AA) associated with a cyberattack affecting
control and communication assets on the operational technology (OT) network of a natural gas compression facility
The AA provides technical details associated with networks and assets affected planning and operations and mitigations
Available for review at httpswww[]us-cert[]govncasalertsaa20-049a
Feedback and additional information can be provided at CISAServiceDeskcisadhsgov
16
17
For more informationcisagov
QuestionsCISAServiceDeskcisadhsgov
1-888-282-0870
189 March 2020TLP WHITE Disclosure and distribution is not limited
Community Speaker SeriesFeatured Speaker
Why Do We Feature Speakers These calls are an opportunity for information exchange amp learning Goal is to educate amp provide awareness around cybersecurity for the connected
vehicle
What Does it Mean to Be Featured Perspectives across our ecosystem are shared from members
government academia researchers industry associations and others
Goal is to showcase a rich amp balanced variety of topics and viewpoints Featured speakers are not endorsed by Auto-ISAC nor do the speakers
speak on behalf of Auto-ISAC
How Can I Be Featured If you have a topic of interest you would like to share with
the broader Auto-ISAC Community then we encourage you to contact our Auto-ISAC (staffautomotiveisaccom)
1800+Community Participants
25 Featured Speakers to date
7 Best Practice Guides
available on website
199 March 2020TLP WHITE May be distributed without restriction
Community Speakers
Urban Jonson NMFTA Heavy Vehicle Cybersecurity Working Group (April 2018)
Ross Froat American Trucking Association ATA Cyberwatch Program (Oct 2018)
Katherine Hartman Chief ndash Research Evaluation and Program Management ITS Joint Program Office US DOT (August 2019)
Joe Fabbre Global Technology Director Green Hills Software (October 2019)
Oscar Marcia CISSP Eonti Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
Amy Smith the Manager of Pre-College Educational Programming at SAE International (January 2020)
Example of Previous Community Speakers
Community Call Slides are located at wwwautomotiveisaccomcommunitycalls
Featured Speakers
209 March 2020TLP WHITE Disclosure and distribution is not limited

Welcome to Today's Speakers
Featured Speaker
NHTSA Data Analytics for Vehicle Cybersecurity Research Project: Introduction/Primer
Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes. However, if not architected, designed, tested and deployed diligently, the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats. As part of a broad-based research agenda to develop tools, methods and best practices that may be useful to industry stakeholders in addressing cybersecurity risks, NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment. One emerging area in this field is cybersecurity data analytics.
The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA, as well as industry stakeholders, in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques. The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity, but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications.
Multiple Speakers for the project

Data Analytics for Vehicle Cybersecurity (DACS)
NHTSA-sponsored Project
March 4, 2020, Auto-ISAC Community Call

Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors, peripheral devices and systems, control devices and user interfaces, all of which can be evaluated using Cyber Data Analytics (CDA):
• Identifying potential threats to the vehicle
• Mitigating targeted attacks of the vehicle
• Preventing or reducing the creation of additional vulnerabilities in the automotive space

DACS Project Goals
• Identify data and criteria to determine if a modern vehicle has been compromised through exploit of a cybersecurity vulnerability
• Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
• Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
• Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements

DACS Project Overview: End Product
• Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices, standards and refine general data analytics and cyber programs
• Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems

DACS Project Task Overview
• Task 1: Project Management
• Task 2: Problem Understand (due March 2020)
  • 2a: Conduct literature survey/market research
  • 2b: Conduct stakeholder meetings and SME interviews
  • 2c: Prepare a problem understanding interim report
• Task 3: Evaluations of Approaches & Techniques (August 2020)
  • 3a: Identify relevant approaches/techniques & potential indicators
  • 3b: Develop data and operational information taxonomy
  • 3c: Assess feasibility of applying approaches/techniques for vehicles
• Task 4: Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
  • 4a: Identify potential recovery modes and data needs
  • 4b: Identify post-exploit analysis needs: data types
  • 4c: Identify post-exploit analysis needs: data collection and storage
• Task 5: Final Report (March 2021)

Potential for CDA within the Automotive Industry
• CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
• Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes

Example On-board Vehicle Data Sources
• Sensors
• ECUs
• Head Unit
• Communication Buses
• Wireless Interfaces

Example Off-board Peripheral Systems
• Fleet Management Sys
• Telematics Sys/Services
• Supply Chain Sys
• OTA Networks
• Dealer/Vehicle Lifecycle Sys
• Aftermarket hard/software
• Third-party services

We would like to engage OEMs/suppliers for a better understanding of activity in this space. We are also reviewing CDA approaches in other domains and potential applicability within automotive.

Generalized High-level IT CDA and Security Operation Center (SOC) Activities

CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPS
• Fewer standards in the types of and processes of data in CPS
• Contain physical interfaces, sensors and actuators
• Higher availability requirements
• Methodologies may not scale to varying CPS network protocols, applications and topologies
• Pushing cyber data analytics approaches to the edge
Application of CDA to CPS
• Datasets are used to establish baseline models for normal behavior to detect anomalies
• Models must consider physical degradation and maintenance schedules
• Sensor fusion algorithms can provide attack-resiliency for CPS
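
The baseline idea in the bullets above, as an added example (not code from the DACS project or the slides): a rolling median/MAD baseline that follows slow degradation drift and relearns after a scheduled maintenance window. The sensor series, window size and thresholds are assumptions constructed for illustration.

```python
"""Added example: baseline anomaly detection for one CPS sensor signal.

The baseline is a sliding window of recently accepted readings, so it follows
slow physical degradation. Samples taken during scheduled maintenance are
ignored and the baseline is relearned afterwards. All values are constructed.
"""
from statistics import median

WINDOW = 20       # accepted samples that make up the baseline (assumption)
THRESHOLD = 6.0   # flag when |value - median| exceeds this many MADs (assumption)
MIN_MAD = 0.05    # floor so a very quiet baseline does not over-trigger (assumption)


def in_maintenance(t, maintenance):
    """True if time index t falls inside any (start, end) maintenance interval."""
    return any(start <= t <= end for start, end in maintenance)


def detect_anomalies(samples, maintenance=(), window=WINDOW,
                     threshold=THRESHOLD, min_mad=MIN_MAD):
    """Return the time indices whose readings deviate from the rolling baseline.

    samples: iterable of (t, value); maintenance: iterable of (start, end).
    """
    baseline = []
    flagged = []
    for t, value in samples:
        if in_maintenance(t, maintenance):
            # Readings during service are not evidence of compromise, and the
            # pre-service baseline may no longer describe the repaired system.
            baseline.clear()
            continue
        if len(baseline) >= window:
            centre = median(baseline)
            mad = max(median(abs(v - centre) for v in baseline), min_mad)
            if abs(value - centre) / mad > threshold:
                flagged.append(t)
                continue  # keep anomalous readings out of the baseline
        baseline.append(value)
        if len(baseline) > window:
            baseline.pop(0)
    return flagged


def constructed_series():
    """Constructed sensor trace: drift, a maintenance window, one anomaly."""
    samples = []
    for t in range(300):
        noise = ((t * 37) % 11 - 5) * 0.02   # deterministic, within +/-0.1
        value = 50.0 + 0.002 * t + noise     # slow upward drift (degradation)
        if 120 <= t <= 139:
            value = 0.0                      # sensor disconnected for service
        elif t >= 140:
            value -= 2.0                     # replaced part reads lower
        if 200 <= t <= 204:
            value += 3.0                     # constructed anomalous burst
        samples.append((t, value))
    return samples


MAINTENANCE = [(120, 139)]  # constructed maintenance schedule

if __name__ == "__main__":
    series = constructed_series()
    print("schedule-aware :", detect_anomalies(series, MAINTENANCE))
    print("schedule-blind :", len(detect_anomalies(series)), "alerts")
```

Run without the maintenance schedule, the same detector alerts on the service outage and on the replaced part's new operating point, which is the false-positive load the second bullet warns about.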

Potential Use Cases for ICS Threat Monitoring and Detection

External Boundary Activity
• VPN Suspicious Geographical Login
• Anomalous Stateful Connections
• Attempts for Unauthorized Stateful Connections
• Blacklisted IP Access Attempt
• …

Internal Network Activity
• Packet Payload Size Increase
• Suspicious Network Scanning Activity
• Rogue Network Device Detection
• Physical Changes to PLC/RTU (e.g., I/O card)
• Substantial Increase in Traffic
• Suspicious PLC/RTU Communication Port Access
• …

Status & Trend Information
• OS Patch Status (e.g., up to date)
• Application Patch Status
• PLC Firmware Patch Status
• HMI Firmware Patch Status
• Anti-Malware Status
• Anti-Virus Status
• HIDS Status
• Device Inbound Traffic (Host Volume) Trend Analysis
• Device Outbound Traffic (Host Volume) Trend Analysis
• Unauthorized Remote Tools on Host (e.g., RDP, VNC)
• Other Behavioral Model Trend Analysis
• …

OT Device Monitoring
• PLC Firmware Changes
• HMI Firmware Changes
• PLC Status Mode Changes
• PLC Response Times Latency
• PLC Scan Rate Frequency
• PLC/RTU Log Mods Stats
• …

Account Information
• OS Account Creation
• PLC/RTU Account Modification
• OS Group Assignment
• Server Account Lockout
• Server Failed Login Attempts
• …

High-level Discussion Topics for Automotive Stakeholders
Monitoring/Data Collection
• How and for what purposes from vehicles and edge devices?
• How are you protecting, storing and disposing of this data?
Detection
• What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
• Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
• How do you manage threat intel feeds and integrate them into your CDA solutions?
• Are you able to share any examples of indicators of attack or compromise?
Recovery
• Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?
Forensics
• How do you manage forensic analysis activities after an exploit?
CDA Implementation and Advancement
• What are/were your challenges in developing your CDA capabilities?
• Would you have any suggestions to government and industry to assist in overcoming these challenges?

Points of Contact
Please contact us if you are interested in providing feedback on the project and information on your efforts. Communicated information will be attributed to generalized stakeholder groups (e.g., OEMs, Suppliers) and not specific entities.
• Josh Kolleda, Kolleda_Joshua@bah.com (Booz Allen Hamilton)
• Loren Stowe, LStowe@vtti.vt.edu (Virginia Tech Transportation Institute)

Open Discussion
Around the Room
Any questions about the Auto-ISAC or future topics for discussion?

Event Outlook
Closing Remarks
For full 2019 calendar visit www.automotiveisac.com
2020 Meetings, Conferences, Dates and Locations
• TechAd Europe: March 2-3, Berlin, Germany
• Connected Vehicles – Telematics Wire: March 3-5, Bengaluru, India
• Auto-ISAC Community Call: March 4, Telecon
• Nullcon Conference: March 6-7, Goa, India
• NDIA Cyber-Physical Systems Security Summit: March 10-11, Detroit, MI
• Women in Cybersecurity Conference: March 12-14, Aurora, CO
• SXSW 2020: March 12-22, Austin, TX
• SAE AeroTech Americas: March 17-19, Pasadena, CA
• Automotive News World Congress: March 24-25, Detroit, MI
• SAE On Board Diagnostics Symposium Europe: March 24-26, Dublin, Ireland
• IQPC Detroit Automotive Cybersecurity Summit: March 30-April 1, Detroit, MI
• Black Hat Asia 2020: March 31-April 3, Singapore

How to Get Involved: Membership
If you are an OEM, supplier or commercial vehicle company, now is a great time to join Auto-ISAC
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com)
• Real-time Intelligence Sharing
• Development of Best Practice Guides
• Intelligence Summaries
• Exchanges and Workshops
• Regular intelligence meetings
• Tabletop exercises
• Crisis Notifications
• Webinars and Presentations
• Member Contact Directory
• Annual Auto-ISAC Summit Event

Strategic Partnership Programs

NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics/activities

INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed

COLLABORATOR: Coordination Partnership
- "See something, say something"
- May not require a formal agreement
- Information exchanges-coordination activities

BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar Events

Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services
Examples: Hacker ONE, SANS, IOActive

Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC
Examples: NCI, DHS, NHTSA

Community: Companies interested in engaging the automotive ecosystem and supporting-educating the community
Examples: Summit sponsorship – key events

Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities
Examples: Auto Alliance, Global Auto, ATA

Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
• Focused Intelligence Information/Briefings
• Cybersecurity intelligence sharing
• Vulnerability resolution
• Member to Member Sharing
• Distribute Information Gathering Costs across the Sector
• Non-attribution and Anonymity of Submissions
• Information source for the entire organization
• Risk mitigation for automotive industry
• Comparative advantage in risk mitigation
• Security and Resiliency

Thank you

Our contact info
Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
fayefrancy@automotiveisac.com

Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
joshposter@automotiveisac.com

automotiveisac.com | auto-ISAC

2020 Auto-ISAC Staff
• Faye Francy, Executive Director: fayefrancy@automotiveisac.com
• Josh Poster, Program Operations Manager: joshposter@automotiveisac.com
• Jessica Etts, Senior Intel Coordinator: jessicaetts@automotiveisac.com
• Jake Walker, Cyber Intel Analyst: jacobwalker@automotiveisac.com
• Lisa D. Scheffenacker, Business Administrator: lisascheffenacker@automotiveisac.com
• Julie Kirk, Finance: juliekirk@automotiveisac.com
• Linda Rhodes, Legal Counsel, Mayer Brown: lrhodes@mayerbrown.com

Recent Activities
Auto-ISAC Update

Highlights of Key Activities in February
• New Hire – Ricky Brooks, Intelligence Officer. Ricky brings 11 years of experience as an intelligence professional with comprehensive background in cyber and physical security intelligence analysis. Ricky previously served in the US Coast Guard as a Senior Intelligence Officer and Command Duty Officer. Prior to joining the Auto-ISAC, Ricky was the Senior Intel Analyst at the Northern Virginia Regional Intel (Fusion) Center, working as the Center's cyber analyst: analyzing cyber threats to federal, state, local and private sector critical infrastructure, connecting stakeholders with technical experts and resources, and serving as the communications bridge/translator between technical and non-technical professionals.

Looking Ahead to March
• Auto-ISAC SafeRide Webinar (Members Only): Application of AI Technology for Intrusion Detection in Vehicle Networks
• Auto-ISAC Analyst workshop (March 16-17 - Members Only)
• Auto-ISAC Incident Response TTX (March 18 – Members Only)
• Auto-ISAC Board of Directors Quarterly Meeting (March 19 – Members Only)

Auto-ISAC Intelligence: What's Trending
Jake Walker (Auto-ISAC)

Researchers have recently published several vulnerabilities in Advanced Driving Assistance Systems (ADAS) and commonly-used wireless communication protocols.

- Phantom Attacks Against Advanced Driving Assistance Systems. The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems (ADASs) and autopilots of semi/fully autonomous cars to validate their virtual perception regarding the physical environment surrounding the car with a third party, has been exploited in various attacks suggested by researchers. We show how attackers can exploit this perceptual challenge to apply phantom attacks and change the abovementioned balance, without the need to physically approach the attack scene, by projecting a phantom via a drone equipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces the Internet and is located near roads. (Link)
- Tesla Cars Tricked Into Speeding by Electrical Tape on a Sign. In a practical test, as demonstrated by the McAfee team, Tesla cars with driver assistance features were fooled into misreading traffic signs, causing them to speed or disobey warnings. A piece of black electrical tape extending the numeral three on a 35 mph (56 km/h) speed limit sign had the computer misreading it as an 85 mph (136 km/h) sign, confusing the automatic cruise control feature and pushing the car to dangerous speeds. (Link)
- IMP4GT: IMPersonation Attacks in 4G NeTworks. In mobile networks, mutual authentication ensures that the smartphone and the network can verify their identities. In LTE, mutual authentication is established on the control plane with a provably secure authentication and key agreement protocol. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets. The IMP4GT (IMPersonation Attacks in 4G NeTworks) (ˈɪmˌpæk(t)) attacks exploit the missing integrity protection and extend it with an attack mechanism on layer three, which allows an attacker to impersonate a user towards the network and vice versa. (Link)
- SweynTooth: Unleashing Mayhem Over Bluetooth Low Energy. SweynTooth captures a family of 12 vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of six major system-on-a-chip (SoC) vendors. The vulnerabilities expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows, or completely bypass security, depending on the circumstances. (Link)

For more information or questions please contact analyst@automotiveisac.com

CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
CISA RESOURCE HIGHLIGHTS

Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE)
• Released on February 14, 2020 by DHS CISA and the FBI
• The names associated with these reports are HOPLIGHT, BUFFETLINE, ARTFULPIE, HOTCROISSANT, CROWDEDFLOUNDER, SLICKSHOES and BISTROMATH
• The reports are a result of analytic efforts between the DHS, the FBI and the DOD
• The reports provide technical details on the tools and infrastructure used by cyber actors of the North Korean government
• The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity
• If there is any valuable information that is discovered related to these reports, please provide that input back to CISA at CISAServicedesk@cisa.dhs.gov
• URLs to the reports follow:
  • Collective page: https://www[.]us-cert[.]gov/northkorea
  • Malware Analysis Report (10265965-1.v1, AR20-045A) – North Korean Trojan: BISTROMATH: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045a
  • Malware Analysis Report (10265965-2.v1, AR20-045B) – North Korean Trojan: SLICKSHOES: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045b
  • Malware Analysis Report (10265965-3.v1, AR20-045C) – North Korean Trojan: CROWDEDFLOUNDER: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045c
  • Malware Analysis Report (10271944-1.v1, AR20-045D) – North Korean Trojan: HOTCROISSANT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045d
  • Malware Analysis Report (10271944-2.v1, AR20-045E) – North Korean Trojan: ARTFULPIE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045e
  • Malware Analysis Report (10271944-3.v1, AR20-045F) – North Korean Trojan: BUFFETLINE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045f
  • Malware Analysis Report (10135536-8.v3, AR20-045G) – North Korean Trojan: HOPLIGHT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045g

Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE)
• Activity Alert (AA) associated with a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility
• The AA provides technical details associated with networks and assets affected, planning and operations, and mitigations
• Available for review at https://www[.]us-cert[.]gov/ncas/alerts/aa20-049a
• Feedback and additional information can be provided at CISAServiceDesk@cisa.dhs.gov
Auto-ISAC Update: Recent Activities

Highlights of Key Activities in February
New Hire – Ricky Brooks, Intelligence Officer
Ricky brings 11 years of experience as an intelligence professional with comprehensive background in cyber and physical security intelligence analysis. Ricky previously served in the U.S. Coast Guard as a Senior Intelligence Officer and Command Duty Officer. Prior to joining the Auto-ISAC, Ricky was the Senior Intel Analyst at the Northern Virginia Regional Intel (Fusion) Center, working as the Center's cyber analyst: analyzing cyber threats to federal, state, local, and private sector critical infrastructure; connecting stakeholders with technical experts and resources; and serving as the communications bridge/translator between technical and non-technical professionals.

Looking Ahead to March
- Auto-ISAC SafeRide Webinar (Members Only)
  Application of AI Technology for Intrusion Detection in Vehicle Networks
- Auto-ISAC Analyst workshop (March 16-17 - Members Only)
- Auto-ISAC Incident Response TTX (March 18 – Members Only)
- Auto-ISAC Board of Directors Quarterly Meeting (March 19 – Members Only)
Auto-ISAC Intelligence: What's Trending
Jake Walker (Auto-ISAC)

Researchers have recently published several vulnerabilities in Advanced Driving Assistance Systems (ADAS) and commonly-used wireless communication protocols:

- Phantom Attacks Against Advanced Driving Assistance Systems: The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems (ADASs) and autopilots of semi/fully autonomous cars to validate their virtual perception regarding the physical environment surrounding the car with a third party, has been exploited in various attacks suggested by researchers. We show how attackers can exploit this perceptual challenge to apply phantom attacks and change the abovementioned balance, without the need to physically approach the attack scene, by projecting a phantom via a drone equipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces the Internet and is located near roads. (Link)
- Tesla Cars Tricked Into Speeding by Electrical Tape on a Sign: In a practical test, as demonstrated by the McAfee team, Tesla cars with driver assistance features were fooled into misreading traffic signs, causing them to speed or disobey warnings. A piece of black electrical tape extending the numeral three on a 35 mph (56 km/h) speed limit sign had the computer misreading it as an 85 mph (136 km/h) sign, confusing the automatic cruise control feature and pushing the car to dangerous speeds. (Link)
- IMP4GT: IMPersonation Attacks in 4G NeTworks: In mobile networks, mutual authentication ensures that the smartphone and the network can verify their identities. In LTE, mutual authentication is established on the control plane with a provably secure authentication and key agreement protocol. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets. The IMP4GT (IMPersonation Attacks in 4G NeTworks) (/ˈɪmˌpæk(t)/) attacks exploit the missing integrity protection and extend it with an attack mechanism on layer three, which allows an attacker to impersonate a user towards the network and vice versa. (Link)
- SweynTooth: Unleashing Mayhem Over Bluetooth Low Energy: SweynTooth captures a family of 12 vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of six major system-on-a-chip (SoC) vendors. The vulnerabilities expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows, or completely bypass security, depending on the circumstances. (Link)

For more information or questions, please contact analyst@automotiveisac.com
CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
CISA RESOURCE HIGHLIGHTS

Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE)
- Released on February 14, 2020 by DHS CISA and the FBI
- The names associated with these reports are HOPLIGHT, BUFFETLINE, ARTFULPIE, HOTCROISSANT, CROWDEDFLOUNDER, SLICKSHOES, and BISTROMATH
- The reports are a result of analytic efforts between the DHS, the FBI, and the DOD
- The reports provide technical details on the tools and infrastructure used by cyber actors of the North Korean government
- The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity
- If there is any valuable information that is discovered related to these reports, please provide that input back to CISA at CISAServicedesk@cisa.dhs.gov
- URLs to the reports follow on the next slides

Collective page: https://www[.]us-cert[.]gov/northkorea
- Malware Analysis Report (10265965-1.v1, AR20-045A) – North Korean Trojan BISTROMATH: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045a
- Malware Analysis Report (10265965-2.v1, AR20-045B) – North Korean Trojan SLICKSHOES: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045b
- Malware Analysis Report (10265965-3.v1, AR20-045C) – North Korean Trojan CROWDEDFLOUNDER: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045c
- Malware Analysis Report (10271944-1.v1, AR20-045D) – North Korean Trojan HOTCROISSANT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045d
- Malware Analysis Report (10271944-2.v1, AR20-045E) – North Korean Trojan ARTFULPIE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045e
- Malware Analysis Report (10271944-3.v1, AR20-045F) – North Korean Trojan BUFFETLINE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045f
- Malware Analysis Report (10135536-8.v3, AR20-045G) – North Korean Trojan HOPLIGHT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045g
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE)
- Activity Alert (AA) associated with a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility
- The AA provides technical details associated with networks and assets affected, planning and operations, and mitigations
- Available for review at https://www[.]us-cert[.]gov/ncas/alerts/aa20-049a
- Feedback and additional information can be provided at CISAServiceDesk@cisa.dhs.gov

For more information: cisa.gov
Questions? CISAServiceDesk@cisa.dhs.gov
1-888-282-0870
Featured Speaker: Community Speaker Series

Why Do We Feature Speakers?
- These calls are an opportunity for information exchange & learning
- Goal is to educate & provide awareness around cybersecurity for the connected vehicle

What Does it Mean to Be Featured?
- Perspectives across our ecosystem are shared from members, government, academia, researchers, industry associations and others
- Goal is to showcase a rich & balanced variety of topics and viewpoints
- Featured speakers are not endorsed by Auto-ISAC nor do the speakers speak on behalf of Auto-ISAC

How Can I Be Featured?
- If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Auto-ISAC (staff@automotiveisac.com)

1800+ Community Participants
25 Featured Speakers to date
7 Best Practice Guides available on website
Community Speakers
Example of Previous Community Speakers
- Urban Jonson, NMFTA, Heavy Vehicle Cybersecurity Working Group (April 2018)
- Ross Froat, American Trucking Association, ATA Cyberwatch Program (Oct 2018)
- Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)
- Joe Fabbre, Global Technology Director, Green Hills Software (October 2019)
- Oscar Marcia, CISSP, Eonti, Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
- Amy Smith, the Manager of Pre-College Educational Programming at SAE International (January 2020)

Community Call Slides are located at www.automotiveisac.com/communitycalls
Featured Speaker: Welcome to Today's Speakers

NHTSA Data Analytics for Vehicle Cybersecurity Research Project: Introduction/Primer

Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes. However, if not architected, designed, tested, and deployed diligently, the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats. As part of a broad-based research agenda to develop tools, methods, and best practices that may be useful to industry stakeholders in addressing cybersecurity risks, NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment. One emerging area in this field is cybersecurity data analytics.

The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA, as well as industry stakeholders, in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques. The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity, but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications.

Multiple Speakers for the project

Data Analytics for Vehicle Cybersecurity (DACS)
NHTSA-sponsored Project
March 4, 2020
Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors, peripheral devices and systems, control devices, and user interfaces, all of which can be evaluated using Cyber Data Analytics (CDA):
• Identifying potential threats to the vehicle
• Mitigating targeted attacks of the vehicle
• Preventing or reducing the creation of additional vulnerabilities in the automotive space

DACS Project Goals
• Identify data and criteria to determine if a modern vehicle has been compromised through exploit of a cybersecurity vulnerability
• Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
• Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
• Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements

DACS Project Overview: End Product
• Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains, for use by the automotive industry to develop best practices, standards, and refine general data analytics and cyber programs
• Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems

DACS Project Task Overview
• Task 1: Project Management
• Task 2: Problem Understanding (due March 2020)
  • 2a: Conduct literature survey/market research
  • 2b: Conduct stakeholder meetings and SME interviews
  • 2c: Prepare a problem understanding interim report
• Task 3: Evaluations of Approaches & Techniques (August 2020)
  • 3a: Identify relevant approaches/techniques & potential indicators
  • 3b: Develop data and operational information taxonomy
  • 3c: Assess feasibility of applying approaches/techniques for vehicles
• Task 4: Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
  • 4a: Identify potential recovery modes and data needs
  • 4b: Identify post-exploit analysis needs: data types
  • 4c: Identify post-exploit analysis needs: data collection and storage
• Task 5: Final Report (March 2021)
Potential for CDA within the Automotive Industry
• CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
• Within these categories, there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes

Example On-board Vehicle Data Sources
- Sensors
- ECUs
- Head Unit
- Communication Buses
- Wireless Interfaces
- Aftermarket hard/software

Example Off-board Peripheral Systems
- Fleet Management Sys.
- Telematics Sys./Services
- Supply Chain Sys.
- OTA Networks
- Dealer/Vehicle Lifecycle Sys.
- Third-party services

We would like to engage OEMs/suppliers for a better understanding of activity in this space. We are also reviewing CDA approaches in other domains and potential applicability within automotive.
Generalized High-level IT CDA and Security Operation Center (SOC) Activities

CDA within Cyber-Physical Systems (CPS)

Differences between IT and CPS
• Fewer standards in the types of and processes of data in CPS
• Contain physical interfaces, sensors, and actuators
• Higher availability requirements
• Methodologies may not scale to varying CPS network protocols, applications, and topologies
• Pushing cyber data analytics approaches to the edge

Application of CDA to CPS
• Datasets are used to establish baseline models for normal behavior to detect anomalies
• Models must consider physical degradation and maintenance schedules
• Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection

External Boundary Activity
- VPN Suspicious Geographical Login
- Anomalous Stateful Connections
- Attempts for Unauthorized Stateful Connections
- Blacklisted IP Access Attempt
- …

Internal Network Activity
- Packet Payload Size Increase
- Suspicious Network Scanning Activity
- Rogue Network Device Detection
- Physical Changes to PLC/RTU (e.g., I/O card)
- Substantial Increase in Traffic
- Suspicious PLC/RTU Communication Port Access
- …

Status & Trend Information
- OS Patch Status (e.g., up to date)
- Application Patch Status
- PLC Firmware Patch Status
- HMI Firmware Patch Status
- Anti-Malware Status
- Anti-Virus Status
- HIDS Status
- Device Inbound Traffic (Host Volume) Trend Analysis
- Device Outbound Traffic (Host Volume) Trend Analysis
- Unauthorized Remote Tools on Host (e.g., RDP, VNC)
- Other Behavioral Model Trend Analysis
- …

OT Device Monitoring
- PLC Firmware Changes
- HMI Firmware Changes
- PLC Status Mode Changes
- PLC Response Times / Latency
- PLC Scan Rate / Frequency
- PLC/RTU Log Mods / Stats
- …

Account Information
- OS Account Creation
- PLC/RTU Account Modification
- OS Group Assignment
- Server Account Lockout
- Server Failed Login Attempts
- …
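
The baseline approach from the "Application of CDA to CPS" slide, applied to the device outbound traffic trend use case listed above, as an added example that is not part of the presentation: a per-device rolling median/MAD baseline that skips planned maintenance windows and absorbs slow drift. The device names, byte counts, maintenance window, thresholds and the 1% spread floor are constructed assumptions.

```python
from collections import deque
from statistics import median

MAD_SCALE = 1.4826  # scales MAD so it is comparable to a standard deviation


class DeviceBaseline:
    """Rolling robust baseline (median and MAD) of one device's traffic volume."""

    def __init__(self, window=24, threshold=6.0, min_samples=8):
        self.history = deque(maxlen=window)  # holds only samples judged normal
        self.threshold = threshold           # robust z-score that raises an alert
        self.min_samples = min_samples       # learn silently until this many samples

    def score(self, value):
        """Distance of value from the baseline median, in robust deviations."""
        med = median(self.history)
        mad = median(abs(v - med) for v in self.history)
        # Assumed floor of 1% of the median so near-constant traffic does not
        # alert on ordinary jitter.
        spread = max(MAD_SCALE * mad, 0.01 * abs(med), 1.0)
        return (value - med) / spread

    def observe(self, value, in_maintenance=False):
        """Return (verdict, score): learning, maintenance, anomaly or normal."""
        ready = len(self.history) >= self.min_samples
        z = self.score(value) if ready else 0.0
        if in_maintenance:
            return "maintenance", z      # planned work: no alert, not learned
        if not ready:
            self.history.append(value)
            return "learning", z
        if abs(z) >= self.threshold:
            return "anomaly", z          # kept out of the baseline
        self.history.append(value)       # slow drift is absorbed by the window
        return "normal", z


def find_anomalies(samples, maintenance):
    """samples: (device, hour, bytes_out) tuples in time order.
    maintenance: device -> list of (start_hour, end_hour), inclusive."""
    baselines, alerts = {}, []
    for device, hour, bytes_out in samples:
        if device not in baselines:
            baselines[device] = DeviceBaseline()
        planned = any(start <= hour <= end
                      for start, end in maintenance.get(device, []))
        verdict, z = baselines[device].observe(bytes_out, planned)
        if verdict == "anomaly":
            alerts.append((device, hour, round(z, 1)))
    return alerts


# Constructed hourly outbound byte counts (not data from the presentation).
# plc-01: slow upward drift, a firmware-update burst at hours 12-13, a spike at 20.
PLC_01 = [1000, 1010, 990, 1005, 995, 1002, 998, 1008, 1012, 1006, 1015, 1011,
          5200, 4900, 1018, 1020, 1016, 1024, 1022, 1026, 9800, 1028, 1030, 1025]
# hmi-02: much larger volume; a 2000-byte rise is within its normal spread.
HMI_02 = [50000, 50400, 49800, 50100, 49900, 50200, 50300, 49700, 52000, 50100]
SAMPLES = ([("plc-01", h, v) for h, v in enumerate(PLC_01)]
           + [("hmi-02", h, v) for h, v in enumerate(HMI_02)])
MAINTENANCE = {"plc-01": [(12, 13)]}  # constructed planned-maintenance window

if __name__ == "__main__":
    for device, hour, z in find_anomalies(SAMPLES, MAINTENANCE):
        print(f"ALERT {device} hour={hour} robust_z={z}")
```

Running the same samples with an empty maintenance map also flags hours 12 and 13, which is the false-positive case the maintenance-schedule bullet warns about.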
High-level Discussion Topics for Automotive Stakeholders

Monitoring/Data Collection
• How and for what purposes from vehicles and edge devices?
• How are you protecting, storing, and disposing of this data?

Detection
• What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
• Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
• How do you manage threat intel feeds and integrate them into your CDA solutions?
• Are you able to share any examples of indicators of attack or compromise?

Recovery
• Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?

Forensics
• How do you manage forensic analysis activities after an exploit?

CDA Implementation and Advancement
• What are/were your challenges in developing your CDA capabilities?
• Would you have any suggestions to government and industry to assist in overcoming these challenges?

Points of Contact
Please contact us if you are interested in providing feedback on the project and information on your efforts. Communicated information will be attributed to generalized stakeholder groups (e.g., OEMs, Suppliers) and not specific entities.
• Josh Kolleda, Kolleda_Joshua@bah.com (Booz Allen Hamilton)
• Loren Stowe, LStowe@vtti.vt.edu (Virginia Tech Transportation Institute)
Around the Room: Open Discussion
Any questions about the Auto-ISAC or future topics for discussion?
Closing Remarks: Event Outlook
For full 2019 calendar, visit www.automotiveisac.com

2020 Meetings / Conferences | Dates and Locations
TechAd Europe | March 2-3, Berlin, Germany
Connected Vehicles – Telematics Wire | March 3-5, Bengaluru, India
Auto-ISAC Community Call | March 4, Telecon
Nullcon Conference | March 6-7, Goa, India
NDIA Cyber-Physical Systems Security Summit | March 10-11, Detroit, MI
Women in Cybersecurity Conference | March 12-14, Aurora, CO
SXSW 2020 | March 12-22, Austin, TX
SAE AeroTech Americas | March 17-19, Pasadena, CA
Automotive News World Congress | March 24-25, Detroit, MI
SAE On Board Diagnostics Symposium Europe | March 24-26, Dublin, Ireland
IQPC Detroit Automotive Cybersecurity Summit | March 30-April 1, Detroit, MI
Black Hat Asia 2020 | March 31-April 3, Singapore
How to Get Involved: Membership
If you are an OEM, supplier, or commercial vehicle company, now is a great time to join Auto-ISAC.
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com).
- Real-time Intelligence Sharing
- Development of Best Practice Guides
- Intelligence Summaries
- Exchanges and Workshops
- Regular intelligence meetings
- Tabletop exercises
- Crisis Notifications
- Webinars and Presentations
- Member Contact Directory
- Annual Auto-ISAC Summit Event
99 March 2020TLP WHITE Disclosure and distribution is not limited
Researchers have recently published several vulnerabilities in Advanced Driving Assistance Systems (ADAS) and commonly-used wireless communication protocols
-Phantom Attacks Against Advanced Driving Assistance Systems The absence of deployed vehicularcommunication systems which prevents the advanced driving assistance systems (ADASs) and autopilots ofsemifully autonomous cars to validate their virtual perception regarding the physical environment surroundingthe car with a third party has been exploited in various attacks suggested by researchers We show howattackers can exploit this perceptual challenge to apply phantom attacks and change the abovementionedbalance without the need to physically approach the attack scene by projecting a phantom via a droneequipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces theInternet and is located near roads (Link)-Tesla Cars Tricked Into Speeding by Electrical Tape on a Sign In a practical test as demonstrated by theMcAfee team Tesla cars with driver assistance features were fooled into misreading traffic signs causing themto speed or disobey warnings A piece of black electrical tape extending the numeral three on a 35mph (56kmh)speed limit sign had the computer misreading its as an 85mph (136 kmh) sign confusing the automatic cruisecontrol feature and pushing the car to dangerous speeds (Link)-IMP4GT IMPersonation Attacks in 4G NeTworks In mobile networks mutual authentication ensures that thesmartphone and the network can verify their identities In LTE mutual authentication is established on thecontrol plane with a provably secure authentication and key agreement protocol However missing integrityprotection of the user plane still allows an adversary to manipulate and redirect IP packets The IMP4GT(IMPersonation Attacks in 4G NeTworks) (ˈɪmˌpaeligk(t)) attacks exploit the missing integrity protection andextend it with an attack mechanism on layer three which allows an attacker to impersonate a user towards thenetwork and vice versa (Link)-SweynTooth Unleashing Mayhem Over Bluetooth Low Energy SweynTooth captures a family of 
12vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of six majorsystem-on-a-chip (SoC) vendors The vulnerabilities expose flaws in specific BLE SoC implementations thatallow an attacker in radio range to trigger deadlocks crashes and buffer overflows or completely bypass securitydepending on the circumstances (Link)
Auto-ISAC IntelligenceWhatrsquos Trending Jake Walker(Auto-ISAC)
Whatrsquos Trending
For more information or questions please contact analystautomotiveisaccom
C I S A | C Y B E R S E C U R I T Y A N D I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y
CISA RESOURCE HIGHLIGHTS
10
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE)
Released on February 14 2020 by DHS CISA and the FBI
The names associated with these reports are HOPLIGHT BUFFETLINE ARTFULPIE HOTCROISSANT CROWDEDFLOUNDER SLICKSHOES and BISTROMATH
The reports are a result of analytic efforts between the DHS the FBI and the DOD
The reports provide technical details on the tools and infrastructure used by cyber actors of the North Korean government
11
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity
If there is any valuable information that is discovered related to these reports please provide that input back to CISA at CISAServicedeskcisadhsgov
URLs to the reports follow on the next slides
12
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
Collective page httpswww[]us-cert[]govnorthkorea
Malware Analysis Report (10265965-1v1 AR20-045A) ndashNorth Korean Trojan BISTROMATH httpswww[]us-cert[]govncasanalysis-reportsar20-045a
Malware Analysis Report (10265965-2v1 AR20-045B) ndashNorth Korean Trojan SLICKSHOES httpswww[]us-cert[]govncasanalysis-reportsar20-045b
13
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued Malware Analysis Report (10265965-3v1 AR20-045C) ndash
North Korean Trojan CROWDEDFLOUNDER httpswww[]us-cert[]govncasanalysis-reportsar20-045c
Malware Analysis Report (10271944-1v1 AR20-045D) ndashNorth Korean Trojan HOTCROISSANT httpswww[]us-cert[]govncasanalysis-reportsar20-045d
Malware Analysis Report (10271944-2v1 AR20-045E) ndashNorth Korean Trojan ARTFULPIE httpswww[]us-cert[]govncasanalysis-reportsar20-045e
14
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
Malware Analysis Report (10271944-3v1 AR20-045F) ndashNorth Korean Trojan BUFFETLINE httpswww[]us-cert[]govncasanalysis-reportsar20-045f
Malware Analysis Report (10135536-8v3 AR20-045G) ndashNorth Korean Trojan HOPLIGHT httpswww[]us-cert[]govncasanalysis-reportsar20-045g
15
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE) Activity Alert (AA) associated with a cyberattack affecting
control and communication assets on the operational technology (OT) network of a natural gas compression facility
The AA provides technical details associated with networks and assets affected planning and operations and mitigations
Available for review at httpswww[]us-cert[]govncasalertsaa20-049a
Feedback and additional information can be provided at CISAServiceDeskcisadhsgov
16
17
For more informationcisagov
QuestionsCISAServiceDeskcisadhsgov
1-888-282-0870
189 March 2020TLP WHITE Disclosure and distribution is not limited
Community Speaker SeriesFeatured Speaker
Why Do We Feature Speakers These calls are an opportunity for information exchange amp learning Goal is to educate amp provide awareness around cybersecurity for the connected
vehicle
What Does it Mean to Be Featured Perspectives across our ecosystem are shared from members
government academia researchers industry associations and others
Goal is to showcase a rich amp balanced variety of topics and viewpoints Featured speakers are not endorsed by Auto-ISAC nor do the speakers
speak on behalf of Auto-ISAC
How Can I Be Featured If you have a topic of interest you would like to share with
the broader Auto-ISAC Community then we encourage you to contact our Auto-ISAC (staffautomotiveisaccom)
1800+Community Participants
25 Featured Speakers to date
7 Best Practice Guides
available on website
199 March 2020TLP WHITE May be distributed without restriction
Community Speakers
Urban Jonson NMFTA Heavy Vehicle Cybersecurity Working Group (April 2018)
Ross Froat American Trucking Association ATA Cyberwatch Program (Oct 2018)
Katherine Hartman Chief ndash Research Evaluation and Program Management ITS Joint Program Office US DOT (August 2019)
Joe Fabbre Global Technology Director Green Hills Software (October 2019)
Oscar Marcia CISSP Eonti Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
Amy Smith the Manager of Pre-College Educational Programming at SAE International (January 2020)
Example of Previous Community Speakers
Community Call Slides are located at wwwautomotiveisaccomcommunitycalls
Featured Speakers
209 March 2020TLP WHITE Disclosure and distribution is not limited
Welcome to Todayrsquos SpeakersFeatured Speaker
NHTSA Data Analytics for Vehicle Cybersecurity Research ProjectIntroductionPrimer
Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes However if not architected designed tested and deployed diligently the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats As part of a broad-based research agenda to develop tools methods and best practices that may be useful to industry stakeholders in addressing cybersecurity risks NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment One emerging area in this field is cybersecurity data analytics
The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA as well as industry stakeholders in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications
Multiple Speakers for the project
Data Analytics for Vehicle Cybersecurity
(DACS)NHTSA-sponsored Project
March 4 2020Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors peripheral devices and systems control devices and user interfaces all of which can be evaluated using Cyber Data Analytics (CDA)bull Identifying potential threats to the vehiclebull Mitigating targeted attacks of the vehiclebull Preventing or reducing the creation of additional
vulnerabilities in the automotive space
DACS Project Goalsbull Identify data and criteria to determine if a modern
vehicle has been compromised through exploit of a cybersecurity vulnerability
bull Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
bull Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
bull Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview End Product
bull Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices standards and refine general data analytics and cyber programs
bull Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overviewbull Task 1 Project Managementbull Task 2 Problem Understand (due March 2020)
bull 2a Conduct literature surveymarket research bull 2b Conduct stakeholder meetings and SME interviewsbull 2c Prepare a problem understanding interim report
bull Task 3 Evaluations of Approaches amp Techniques (August 2020)bull 3a Identify relevant approachestechniques amp potential indicatorsbull 3b Develop data and operational information taxonomybull 3c Assess feasibility of applying approachestechniques for vehicles
bull Task 4 Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
bull 4a Identify potential recovery modes and data needsbull 4b Identify post-exploit analysis needs data typesbull 4c Identify post-exploit analysis needs data collection and storage
bull Task 5 Final Report (March 2021)
Potential for CDA within the Automotive Industry
bull CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
bull Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources
Example Off-board Peripheral Systems
Sensors Fleet Management Sys
ECUs Telematics SysServices
Head Unit Supply Chain Sys
Communication Buses OTA Networks
Wireless Interfaces DealerVehicle Lifecycle Sys
Aftermarket hard software
Third-party services
We would like to engage OEMssuppliers for a better understanding of activity in this space We are also reviewing CDA approaches in other domains and potential applicability within automotive
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPS
• Fewer standards in the types of and processes of data in CPS
• Contain physical interfaces, sensors, and actuators
• Higher availability requirements
• Methodologies may not scale to varying CPS network protocols, applications, and topologies
• Pushing cyber data analytics approaches to the edge
Application of CDA to CPS
• Datasets are used to establish baseline models for normal behavior to detect anomalies
• Models must consider physical degradation and maintenance schedules
• Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
External Boundary Activity
• VPN Suspicious Geographical Login
• Anomalous Stateful Connections
• Attempts for Unauthorized Stateful Connections
• Blacklisted IP Access Attempt
• …
Internal Network Activity
• Packet Payload Size Increase
• Suspicious Network Scanning Activity
• Rogue Network Device Detection
• Physical Changes to PLC/RTU (e.g., I/O card)
• Substantial Increase in Traffic
• Suspicious PLC/RTU Communication Port Access
• …
Status & Trend Information
• OS Patch Status (e.g., up to date)
• Application Patch Status
• PLC Firmware Patch Status
• HMI Firmware Patch Status
• Anti-Malware Status
• Anti-Virus Status
• HIDS Status
• Device Inbound Traffic (Host Volume) Trend Analysis
• Device Outbound Traffic (Host Volume) Trend Analysis
• Unauthorized Remote Tools on Host (e.g., RDP, VNC)
• Other Behavioral Model Trend Analysis
• …
OT Device Monitoring
• PLC Firmware Changes
• HMI Firmware Changes
• PLC Status Mode Changes
• PLC Response Times Latency
• PLC Scan Rate Frequency
• PLC/RTU Log Mods Stats
• …
Account Information
• OS Account Creation
• PLC/RTU Account Modification
• OS Group Assignment
• Server Account Lockout
• Server Failed Login Attempts
• …
High-level Discussion Topics for Automotive Stakeholders
Monitoring/Data Collection
• How and for what purposes from vehicles and edge devices?
• How are you protecting, storing, and disposing of this data?
Detection
• What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
• Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
• How do you manage threat intel feeds and integrate them into your CDA solutions?
• Are you able to share any examples of indicators of attack or compromise?
Recovery
• Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?
Forensics
• How do you manage forensic analysis activities after an exploit?
CDA Implementation and Advancement
• What are/were your challenges in developing your CDA capabilities?
• Would you have any suggestions to government and industry to assist in overcoming these challenges?
Points of Contact
Please contact us if you are interested in providing feedback on the project and information on your efforts. Communicated information will be attributed to generalized stakeholder groups (e.g., OEMs, Suppliers) and not specific entities.
• Josh Kolleda, Kolleda_Joshua@bah.com (Booz Allen Hamilton)
• Loren Stowe, LStowe@vtti.vt.edu (Virginia Tech Transportation Institute)
Open Discussion
Around the Room
Any questions about the Auto-ISAC or future topics for discussion?
Closing Remarks
Event Outlook
For full 2019 calendar, visit www.automotiveisac.com
2020 Meetings Conferences Dates and Locations
TechAd Europe | March 2-3 | Berlin, Germany
Connected Vehicles – Telematics Wire | March 3-5 | Bengaluru, India
Auto-ISAC Community Call | March 4 | Telecon
Nullcon Conference | March 6-7 | Goa, India
NDIA Cyber-Physical Systems Security Summit | March 10-11 | Detroit, MI
Women in Cybersecurity Conference | March 12-14 | Aurora, CO
SXSW 2020 | March 12-22 | Austin, TX
SAE AeroTech Americas | March 17-19 | Pasadena, CA
Automotive News World Congress | March 24-25 | Detroit, MI
SAE On Board Diagnostics Symposium Europe | March 24-26 | Dublin, Ireland
IQPC Detroit Automotive Cybersecurity Summit | March 30-April 1 | Detroit, MI
Black Hat Asia 2020 | March 31-April 3 | Singapore
If you are an OEM, supplier, or commercial vehicle company, now is a great time to join Auto-ISAC
How to Get Involved: Membership
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com)
Real-time Intelligence Sharing
Development of Best Practice Guides
Intelligence Summaries
Exchanges and Workshops
Regular intelligence meetings
Tabletop exercises
Crisis Notifications
Webinars and Presentations
Member Contact Directory
Annual Auto-ISAC Summit Event
Strategic Partnership Programs
NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities
INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATOR: Coordination Partnership
- "See something, say something"
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar Events
Solutions Providers
For-profit companies that sell connected vehicle cybersecurity products & services
Examples: Hacker ONE, SANS, IOActive
Affiliations
Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC
Examples: NCI, DHS, NHTSA
Community
Companies interested in engaging the automotive ecosystem and supporting - educating the community
Examples: Summit sponsorship – key events
Associations
Industry associations and others who want to support and invest in the Auto-ISAC activities
Examples: Auto Alliance, Global Auto, ATA
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
Focused Intelligence Information/Briefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Thank you
Our contact info
Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
fayefrancy@automotiveisac.com
Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
joshposter@automotiveisac.com
automotiveisac.com
auto-ISAC
CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
CISA RESOURCE HIGHLIGHTS
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE)
Released on February 14, 2020 by DHS CISA and the FBI
The names associated with these reports are HOPLIGHT, BUFFETLINE, ARTFULPIE, HOTCROISSANT, CROWDEDFLOUNDER, SLICKSHOES, and BISTROMATH
The reports are a result of analytic efforts between the DHS, the FBI, and the DOD
The reports provide technical details on the tools and infrastructure used by cyber actors of the North Korean government
The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity
If there is any valuable information that is discovered related to these reports, please provide that input back to CISA at CISAServicedesk@cisa.dhs.gov
URLs to the reports follow on the next slides
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
Collective page: https://www[.]us-cert[.]gov/northkorea
Malware Analysis Report (10265965-1v1 AR20-045A) – North Korean Trojan BISTROMATH: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045a
Malware Analysis Report (10265965-2v1 AR20-045B) – North Korean Trojan SLICKSHOES: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045b
Malware Analysis Report (10265965-3v1 AR20-045C) – North Korean Trojan CROWDEDFLOUNDER: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045c
Malware Analysis Report (10271944-1v1 AR20-045D) – North Korean Trojan HOTCROISSANT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045d
Malware Analysis Report (10271944-2v1 AR20-045E) – North Korean Trojan ARTFULPIE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045e
Malware Analysis Report (10271944-3v1 AR20-045F) – North Korean Trojan BUFFETLINE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045f
Malware Analysis Report (10135536-8v3 AR20-045G) – North Korean Trojan HOPLIGHT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045g
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE)
Activity Alert (AA) associated with a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility
The AA provides technical details associated with networks and assets affected, planning and operations, and mitigations
Available for review at https://www[.]us-cert[.]gov/ncas/alerts/aa20-049a
Feedback and additional information can be provided at CISAServiceDesk@cisa.dhs.gov
For more information: cisa.gov
Questions? CISAServiceDesk@cisa.dhs.gov
1-888-282-0870
Community Speaker Series
Featured Speaker
Why Do We Feature Speakers?
• These calls are an opportunity for information exchange & learning
• Goal is to educate & provide awareness around cybersecurity for the connected vehicle
What Does it Mean to Be Featured?
• Perspectives across our ecosystem are shared from members, government, academia, researchers, industry associations, and others
• Goal is to showcase a rich & balanced variety of topics and viewpoints
• Featured speakers are not endorsed by Auto-ISAC, nor do the speakers speak on behalf of Auto-ISAC
How Can I Be Featured?
• If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Auto-ISAC (staff@automotiveisac.com)
1800+ Community Participants
25 Featured Speakers to date
7 Best Practice Guides available on website
Featured Speakers
Community Speakers
Example of Previous Community Speakers
• Urban Jonson, NMFTA, Heavy Vehicle Cybersecurity Working Group (April 2018)
• Ross Froat, American Trucking Association, ATA Cyberwatch Program (Oct 2018)
• Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)
• Joe Fabbre, Global Technology Director, Green Hills Software (October 2019)
• Oscar Marcia, CISSP, Eonti, Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
• Amy Smith, the Manager of Pre-College Educational Programming at SAE International (January 2020)
Community Call Slides are located at www.automotiveisac.com/communitycalls
Welcome to Today's Speakers
Featured Speaker
NHTSA Data Analytics for Vehicle Cybersecurity Research Project
Introduction/Primer
Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes. However, if not architected, designed, tested, and deployed diligently, the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats. As part of a broad-based research agenda to develop tools, methods, and best practices that may be useful to industry stakeholders in addressing cybersecurity risks, NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment. One emerging area in this field is cybersecurity data analytics.
The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA, as well as industry stakeholders, in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques. The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity, but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications.
Multiple Speakers for the project
Data Analytics for Vehicle Cybersecurity (DACS)
NHTSA-sponsored Project
March 4, 2020
Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors, peripheral devices and systems, control devices, and user interfaces, all of which can be evaluated using Cyber Data Analytics (CDA)
• Identifying potential threats to the vehicle
• Mitigating targeted attacks of the vehicle
• Preventing or reducing the creation of additional vulnerabilities in the automotive space
DACS Project Goals
• Identify data and criteria to determine if a modern vehicle has been compromised through exploit of a cybersecurity vulnerability
• Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
• Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
• Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
Data Analytics for Vehicle Cybersecurity
(DACS)NHTSA-sponsored Project
March 4 2020Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors peripheral devices and systems control devices and user interfaces all of which can be evaluated using Cyber Data Analytics (CDA)bull Identifying potential threats to the vehiclebull Mitigating targeted attacks of the vehiclebull Preventing or reducing the creation of additional
vulnerabilities in the automotive space
DACS Project Goalsbull Identify data and criteria to determine if a modern
vehicle has been compromised through exploit of a cybersecurity vulnerability
bull Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
bull Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
bull Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview End Product
bull Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices standards and refine general data analytics and cyber programs
bull Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overviewbull Task 1 Project Managementbull Task 2 Problem Understand (due March 2020)
bull 2a Conduct literature surveymarket research bull 2b Conduct stakeholder meetings and SME interviewsbull 2c Prepare a problem understanding interim report
bull Task 3 Evaluations of Approaches amp Techniques (August 2020)bull 3a Identify relevant approachestechniques amp potential indicatorsbull 3b Develop data and operational information taxonomybull 3c Assess feasibility of applying approachestechniques for vehicles
bull Task 4 Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
bull 4a Identify potential recovery modes and data needsbull 4b Identify post-exploit analysis needs data typesbull 4c Identify post-exploit analysis needs data collection and storage
bull Task 5 Final Report (March 2021)

Potential for CDA within the Automotive Industry
• CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
• Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes

Example On-board Vehicle Data Sources
- Sensors
- ECUs
- Head Unit
- Communication Buses
- Wireless Interfaces

Example Off-board Peripheral Systems
- Fleet Management Sys.
- Telematics Sys./Services
- Supply Chain Sys.
- OTA Networks
- Dealer/Vehicle Lifecycle Sys.
- Aftermarket hard/software
- Third-party services

We would like to engage OEMs/suppliers for a better understanding of activity in this space. We are also reviewing CDA approaches in other domains and potential applicability within automotive.

Generalized High-level IT CDA and Security Operation Center (SOC) Activities

CDA within Cyber-Physical Systems (CPS)

Differences between IT and CPS
• Fewer standards in the types of and processes of data in CPS
• Contain physical interfaces, sensors, and actuators
• Higher availability requirements
• Methodologies may not scale to varying CPS network protocols, applications, and topologies
• Pushing cyber data analytics approaches to the edge

Application of CDA to CPS
• Datasets are used to establish baseline models for normal behavior to detect anomalies
• Models must consider physical degradation and maintenance schedules
• Sensor fusion algorithms can provide attack-resiliency for CPS

Potential Use Cases for ICS Threat Monitoring and Detection

External Boundary Activity
- VPN Suspicious Geographical Login
- Anomalous Stateful Connections
- Attempts for Unauthorized Stateful Connections
- Blacklisted IP Access Attempt
- …

Internal Network Activity
- Packet Payload Size Increase
- Suspicious Network Scanning Activity
- Rogue Network Device Detection
- Physical Changes to PLC/RTU (e.g., I/O card)
- Substantial Increase in Traffic
- Suspicious PLC/RTU Communication Port Access
- …

Status & Trend Information
- OS Patch Status (e.g., up to date)
- Application Patch Status
- PLC Firmware Patch Status
- HMI Firmware Patch Status
- Anti-Malware Status
- Anti-Virus Status
- HIDS Status
- Device Inbound Traffic (Host Volume) Trend Analysis
- Device Outbound Traffic (Host Volume) Trend Analysis
- Unauthorized Remote Tools on Host (e.g., RDP, VNC)
- Other Behavioral Model Trend Analysis
- …

OT Device Monitoring
- PLC Firmware Changes
- HMI Firmware Changes
- PLC Status Mode Changes
- PLC Response Times Latency
- PLC Scan Rate Frequency
- PLC/RTU Log Mods Stats
- …

Account Information
- OS Account Creation
- PLC/RTU Account Modification
- OS Group Assignment
- Server Account Lockout
- Server Failed Login Attempts
- …

High-level Discussion Topics for Automotive Stakeholders

Monitoring/Data Collection
• How and for what purposes from vehicles and edge devices?
• How are you protecting, storing, and disposing of this data?

Detection
• What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
• Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
• How do you manage threat intel feeds and integrate them into your CDA solutions?
• Are you able to share any examples of indicators of attack or compromise?

Recovery
• Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?

Forensics
• How do you manage forensic analysis activities after an exploit?

CDA Implementation and Advancement
• What are/were your challenges in developing your CDA capabilities?
• Would you have any suggestions to government and industry to assist in overcoming these challenges?

Points of Contact
Please contact us if you are interested in providing feedback on the project and information on your efforts. Communicated information will be attributed to generalized stakeholder groups (e.g., OEMs, Suppliers) and not specific entities.
• Josh Kolleda, Kolleda_Joshua@bah.com (Booz Allen Hamilton)
• Loren Stowe, LStowe@vtti.vt.edu (Virginia Tech Transportation Institute)

Around the Room
Open Discussion
Any questions about the Auto-ISAC or future topics for discussion?

Closing Remarks
Event Outlook
2020 Meetings, Conferences, Dates and Locations
- TechAd Europe, March 2-3, Berlin, Germany
- Connected Vehicles – Telematics Wire, March 3-5, Bengaluru, India
- Auto-ISAC Community Call, March 4, Telecon
- Nullcon Conference, March 6-7, Goa, India
- NDIA Cyber-Physical Systems Security Summit, March 10-11, Detroit, MI
- Women in Cybersecurity Conference, March 12-14, Aurora, CO
- SXSW 2020, March 12-22, Austin, TX
- SAE AeroTech Americas, March 17-19, Pasadena, CA
- Automotive News World Congress, March 24-25, Detroit, MI
- SAE On Board Diagnostics Symposium Europe, March 24-26, Dublin, Ireland
- IQPC Detroit Automotive Cybersecurity Summit, March 30-April 1, Detroit, MI
- Black Hat Asia 2020, March 31-April 3, Singapore
For full 2019 calendar, visit www.automotiveisac.com

How to Get Involved: Membership
If you are an OEM, supplier or commercial vehicle company, now is a great time to join Auto-ISAC.
- Real-time Intelligence Sharing
- Development of Best Practice Guides
- Intelligence Summaries
- Exchanges and Workshops
- Regular intelligence meetings
- Tabletop exercises
- Crisis Notifications
- Webinars and Presentations
- Member Contact Directory
- Annual Auto-ISAC Summit Event
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com).

Strategic Partnership Programs

NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities

INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed

COLLABORATOR: Coordination Partnership
- “See something, say something”
- May not require a formal agreement
- Information exchanges-coordination activities

BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar / Events

Solutions Providers
For-profit companies that sell connected vehicle cybersecurity products & services
Examples: Hacker ONE, SANS, IOActive

Affiliations
Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC
Examples: NCI, DHS, NHTSA

Community
Companies interested in engaging the automotive ecosystem and supporting - educating the community
Examples: Summit sponsorship – key events

Associations
Industry associations and others who want to support and invest in the Auto-ISAC activities
Examples: Auto Alliance, Global Auto, ATA

Auto-ISAC Benefits
- Focused Intelligence Information/Briefings
- Cybersecurity intelligence sharing
- Vulnerability resolution
- Member to Member Sharing
- Distribute Information Gathering Costs across the Sector
- Non-attribution and Anonymity of Submissions
- Information source for the entire organization
- Risk mitigation for automotive industry
- Comparative advantage in risk mitigation
- Security and Resiliency
Building Resiliency Across the Auto Industry
Thank you

Our contact info

Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
fayefrancy@automotiveisac.com

Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
joshposter@automotiveisac.com
automotiveisaccomauto-ISAC

Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
- The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity
- If there is any valuable information that is discovered related to these reports, please provide that input back to CISA at CISAServicedesk@cisa.dhs.gov
- URLs to the reports follow on the next slides

- Collective page: https://www[.]us-cert[.]gov/northkorea
- Malware Analysis Report (10265965-1.v1, AR20-045A) – North Korean Trojan: BISTROMATH: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045a
- Malware Analysis Report (10265965-2.v1, AR20-045B) – North Korean Trojan: SLICKSHOES: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045b
- Malware Analysis Report (10265965-3.v1, AR20-045C) – North Korean Trojan: CROWDEDFLOUNDER: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045c
- Malware Analysis Report (10271944-1.v1, AR20-045D) – North Korean Trojan: HOTCROISSANT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045d
- Malware Analysis Report (10271944-2.v1, AR20-045E) – North Korean Trojan: ARTFULPIE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045e
- Malware Analysis Report (10271944-3.v1, AR20-045F) – North Korean Trojan: BUFFETLINE: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045f
- Malware Analysis Report (10135536-8.v3, AR20-045G) – North Korean Trojan: HOPLIGHT: https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045g

Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE)
- Activity Alert (AA) associated with a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility
- The AA provides technical details associated with networks and assets affected, planning and operations, and mitigations
- Available for review at https://www[.]us-cert[.]gov/ncas/alerts/aa20-049a
- Feedback and additional information can be provided at CISAServiceDesk@cisa.dhs.gov

For more information: cisa.gov
Questions? CISAServiceDesk@cisa.dhs.gov
1-888-282-0870

Featured Speaker
Community Speaker Series

Why Do We Feature Speakers?
- These calls are an opportunity for information exchange & learning
- Goal is to educate & provide awareness around cybersecurity for the connected vehicle

What Does it Mean to Be Featured?
- Perspectives across our ecosystem are shared from members, government, academia, researchers, industry associations and others
- Goal is to showcase a rich & balanced variety of topics and viewpoints
- Featured speakers are not endorsed by Auto-ISAC nor do the speakers speak on behalf of Auto-ISAC

How Can I Be Featured?
- If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Auto-ISAC (staff@automotiveisac.com)

1800+ Community Participants
25 Featured Speakers to date
7 Best Practice Guides available on website

Community Speakers
Example of Previous Community Speakers
- Urban Jonson, NMFTA, Heavy Vehicle Cybersecurity Working Group (April 2018)
- Ross Froat, American Trucking Association, ATA Cyberwatch Program (Oct 2018)
- Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)
- Joe Fabbre, Global Technology Director, Green Hills Software (October 2019)
- Oscar Marcia, CISSP, Eonti, Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
- Amy Smith, the Manager of Pre-College Educational Programming at SAE International (January 2020)
Community Call Slides are located at www.automotiveisac.com/communitycalls

Featured Speaker
Welcome to Today's Speakers

NHTSA Data Analytics for Vehicle Cybersecurity Research Project: Introduction/Primer

Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes. However, if not architected, designed, tested, and deployed diligently, the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats. As part of a broad-based research agenda to develop tools, methods, and best practices that may be useful to industry stakeholders in addressing cybersecurity risks, NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment. One emerging area in this field is cybersecurity data analytics.

The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA, as well as industry stakeholders, in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques. The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity, but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications.

Multiple Speakers for the project

Data Analytics for Vehicle Cybersecurity (DACS)
NHTSA-sponsored Project
March 4, 2020
Auto-ISAC Community Call

Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors, peripheral devices and systems, control devices, and user interfaces, all of which can be evaluated using Cyber Data Analytics (CDA):
• Identifying potential threats to the vehicle
• Mitigating targeted attacks of the vehicle
• Preventing or reducing the creation of additional vulnerabilities in the automotive space

DACS Project Goals
• Identify data and criteria to determine if a modern vehicle has been compromised through exploit of a cybersecurity vulnerability
• Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
• Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
• Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
Collective page httpswww[]us-cert[]govnorthkorea
Malware Analysis Report (10265965-1v1 AR20-045A) ndashNorth Korean Trojan BISTROMATH httpswww[]us-cert[]govncasanalysis-reportsar20-045a
Malware Analysis Report (10265965-2v1 AR20-045B) ndashNorth Korean Trojan SLICKSHOES httpswww[]us-cert[]govncasanalysis-reportsar20-045b
13
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued Malware Analysis Report (10265965-3v1 AR20-045C) ndash
North Korean Trojan CROWDEDFLOUNDER httpswww[]us-cert[]govncasanalysis-reportsar20-045c
Malware Analysis Report (10271944-1v1 AR20-045D) ndashNorth Korean Trojan HOTCROISSANT httpswww[]us-cert[]govncasanalysis-reportsar20-045d
Malware Analysis Report (10271944-2v1 AR20-045E) ndashNorth Korean Trojan ARTFULPIE httpswww[]us-cert[]govncasanalysis-reportsar20-045e
14
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
Malware Analysis Report (10271944-3v1 AR20-045F) ndashNorth Korean Trojan BUFFETLINE httpswww[]us-cert[]govncasanalysis-reportsar20-045f
Malware Analysis Report (10135536-8v3 AR20-045G) ndashNorth Korean Trojan HOPLIGHT httpswww[]us-cert[]govncasanalysis-reportsar20-045g
15
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE) Activity Alert (AA) associated with a cyberattack affecting
control and communication assets on the operational technology (OT) network of a natural gas compression facility
The AA provides technical details associated with networks and assets affected planning and operations and mitigations
Available for review at httpswww[]us-cert[]govncasalertsaa20-049a
Feedback and additional information can be provided at CISAServiceDeskcisadhsgov
16
17
For more informationcisagov
QuestionsCISAServiceDeskcisadhsgov
1-888-282-0870
189 March 2020TLP WHITE Disclosure and distribution is not limited
Community Speaker SeriesFeatured Speaker
Why Do We Feature Speakers These calls are an opportunity for information exchange amp learning Goal is to educate amp provide awareness around cybersecurity for the connected
vehicle
What Does it Mean to Be Featured Perspectives across our ecosystem are shared from members
government academia researchers industry associations and others
Goal is to showcase a rich amp balanced variety of topics and viewpoints Featured speakers are not endorsed by Auto-ISAC nor do the speakers
speak on behalf of Auto-ISAC
How Can I Be Featured If you have a topic of interest you would like to share with
the broader Auto-ISAC Community then we encourage you to contact our Auto-ISAC (staffautomotiveisaccom)
1800+Community Participants
25 Featured Speakers to date
7 Best Practice Guides
available on website
199 March 2020TLP WHITE May be distributed without restriction
Community Speakers
Urban Jonson NMFTA Heavy Vehicle Cybersecurity Working Group (April 2018)
Ross Froat American Trucking Association ATA Cyberwatch Program (Oct 2018)
Katherine Hartman Chief ndash Research Evaluation and Program Management ITS Joint Program Office US DOT (August 2019)
Joe Fabbre Global Technology Director Green Hills Software (October 2019)
Oscar Marcia CISSP Eonti Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
Amy Smith the Manager of Pre-College Educational Programming at SAE International (January 2020)
Example of Previous Community Speakers
Community Call Slides are located at wwwautomotiveisaccomcommunitycalls
Featured Speakers
209 March 2020TLP WHITE Disclosure and distribution is not limited
Welcome to Todayrsquos SpeakersFeatured Speaker
NHTSA Data Analytics for Vehicle Cybersecurity Research ProjectIntroductionPrimer
Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes However if not architected designed tested and deployed diligently the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats As part of a broad-based research agenda to develop tools methods and best practices that may be useful to industry stakeholders in addressing cybersecurity risks NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment One emerging area in this field is cybersecurity data analytics
The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA as well as industry stakeholders in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications
Multiple Speakers for the project
Data Analytics for Vehicle Cybersecurity
(DACS)NHTSA-sponsored Project
March 4 2020Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors peripheral devices and systems control devices and user interfaces all of which can be evaluated using Cyber Data Analytics (CDA)bull Identifying potential threats to the vehiclebull Mitigating targeted attacks of the vehiclebull Preventing or reducing the creation of additional
vulnerabilities in the automotive space
DACS Project Goalsbull Identify data and criteria to determine if a modern
vehicle has been compromised through exploit of a cybersecurity vulnerability
bull Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
bull Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
bull Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview End Product
bull Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices standards and refine general data analytics and cyber programs
bull Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overviewbull Task 1 Project Managementbull Task 2 Problem Understand (due March 2020)
bull 2a Conduct literature surveymarket research bull 2b Conduct stakeholder meetings and SME interviewsbull 2c Prepare a problem understanding interim report
bull Task 3 Evaluations of Approaches amp Techniques (August 2020)bull 3a Identify relevant approachestechniques amp potential indicatorsbull 3b Develop data and operational information taxonomybull 3c Assess feasibility of applying approachestechniques for vehicles
bull Task 4 Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
bull 4a Identify potential recovery modes and data needsbull 4b Identify post-exploit analysis needs data typesbull 4c Identify post-exploit analysis needs data collection and storage
bull Task 5 Final Report (March 2021)
Potential for CDA within the Automotive Industry
bull CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
bull Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources
Example Off-board Peripheral Systems
Sensors Fleet Management Sys
ECUs Telematics SysServices
Head Unit Supply Chain Sys
Communication Buses OTA Networks
Wireless Interfaces DealerVehicle Lifecycle Sys
Aftermarket hard software
Third-party services
We would like to engage OEMssuppliers for a better understanding of activity in this space We are also reviewing CDA approaches in other domains and potential applicability within automotive
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPSbull Fewer standards in the types of
and processes of data in CPSbull Contain physical interfaces
sensors and actuatorsbull Higher availability requirementsbull Methodologies may not scale to
varying CPS network protocols applications and topologies
bull Pushing cyber data analytics approaches to the edge
Application of CDA to CPSbull Datasets are used to establish
baseline models for normal behavior to detect anomalies
bull Models must consider physical degradation and maintenance schedules
bull Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
External Boundary Activity
• VPN Suspicious Geographical Login
• Anomalous Stateful Connections
• Attempts for Unauthorized Stateful Connections
• Blacklisted IP Access Attempt
• …
Internal Network Activity
• Packet Payload Size Increase
• Suspicious Network Scanning Activity
• Rogue Network Device Detection
• Physical Changes to PLC/RTU (e.g., I/O card)
• Substantial Increase in Traffic
• Suspicious PLC/RTU Communication Port Access
• …
Status & Trend Information
• OS Patch Status (e.g., up to date)
• Application Patch Status
• PLC Firmware Patch Status
• HMI Firmware Patch Status
• Anti-Malware Status
• Anti-Virus Status
• HIDS Status
• Device Inbound Traffic (Host Volume) Trend Analysis
• Device Outbound Traffic (Host Volume) Trend Analysis
• Unauthorized Remote Tools on Host (e.g., RDP, VNC)
• Other Behavioral Model Trend Analysis
• …
OT Device Monitoring
• PLC Firmware Changes
• HMI Firmware Changes
• PLC Status Mode Changes
• PLC Response Times / Latency
• PLC Scan Rate / Frequency
• PLC/RTU Log Mods / Stats
• …
Account Information
• OS Account Creation
• PLC/RTU Account Modification
• OS Group Assignment
• Server Account Lockout
• Server Failed Login Attempts
• …
High-level Discussion Topics for Automotive Stakeholders
Monitoring/Data Collection
• How and for what purposes from vehicles and edge devices?
• How are you protecting, storing, and disposing of this data?
Detection
• What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
• Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
• How do you manage threat intel feeds and integrate them into your CDA solutions?
• Are you able to share any examples of indicators of attack or compromise?
Recovery
• Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?
Forensics
• How do you manage forensic analysis activities after an exploit?
CDA Implementation and Advancement
• What are/were your challenges in developing your CDA capabilities?
• Would you have any suggestions to government and industry to assist in overcoming these challenges?
Points of Contact
Please contact us if you are interested in providing feedback on the project and information on your efforts. Communicated information will be attributed to generalized stakeholder groups (e.g., OEMs, Suppliers) and not specific entities.
• Josh Kolleda, Kolleda_Joshua@bah.com (Booz Allen Hamilton)
• Loren Stowe, LStowe@vtti.vt.edu (Virginia Tech Transportation Institute)
Open Discussion: Around the Room
Any questions about the Auto-ISAC or future topics for discussion?
Event Outlook
For full 2019 calendar, visit www.automotiveisac.com
Closing Remarks
2020 Meetings/Conferences: Dates and Locations
TechAd Europe: March 2-3, Berlin, Germany
Connected Vehicles – Telematics Wire: March 3-5, Bengaluru, India
Auto-ISAC Community Call: March 4, Telecon
Nullcon Conference: March 6-7, Goa, India
NDIA Cyber-Physical Systems Security Summit: March 10-11, Detroit, MI
Women in Cybersecurity Conference: March 12-14, Aurora, CO
SXSW 2020: March 12-22, Austin, TX
SAE AeroTech Americas: March 17-19, Pasadena, CA
Automotive News World Congress: March 24-25, Detroit, MI
SAE On Board Diagnostics Symposium Europe: March 24-26, Dublin, Ireland
IQPC Detroit Automotive Cybersecurity Summit: March 30-April 1, Detroit, MI
Black Hat Asia 2020: March 31-April 3, Singapore
Closing Remarks
If you are an OEM, supplier, or commercial vehicle company, now is a great time to join Auto-ISAC
How to Get Involved: Membership
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com)
Real-time Intelligence Sharing
Development of Best Practice Guides
Intelligence Summaries
Exchanges and Workshops
Regular intelligence meetings
Tabletop exercises
Crisis Notifications
Webinars and Presentations
Member Contact Directory
Annual Auto-ISAC Summit Event
Strategic Partnership Programs
NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities
INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATOR: Coordination Partnership
- “See something, say something”
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar / Events
Solutions Providers
For-profit companies that sell connected vehicle cybersecurity products & services
Examples: Hacker ONE, SANS, IOActive
Affiliations
Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC
Examples: NCI, DHS, NHTSA
Community
Companies interested in engaging the automotive ecosystem and supporting - educating the community
Examples: Summit sponsorship – key events
Associations
Industry associations and others who want to support and invest in the Auto-ISAC activities
Examples: Auto Alliance, Global Auto, ATA
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
Focused Intelligence Information/Briefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Thank you
Our contact info
Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
fayefrancy@automotiveisac.com
Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
joshposter@automotiveisac.com
automotiveisac.com
@auto-ISAC
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
Malware Analysis Report (10265965-3.v1, AR20-045C) – North Korean Trojan: CROWDEDFLOUNDER, https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045c
Malware Analysis Report (10271944-1.v1, AR20-045D) – North Korean Trojan: HOTCROISSANT, https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045d
Malware Analysis Report (10271944-2.v1, AR20-045E) – North Korean Trojan: ARTFULPIE, https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045e
Malware Analysis Report (10271944-3.v1, AR20-045F) – North Korean Trojan: BUFFETLINE, https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045f
Malware Analysis Report (10135536-8.v3, AR20-045G) – North Korean Trojan: HOPLIGHT, https://www[.]us-cert[.]gov/ncas/analysis-reports/ar20-045g
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE)
Activity Alert (AA) associated with a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility.
The AA provides technical details associated with networks and assets affected, planning and operations, and mitigations.
Available for review at: https://www[.]us-cert[.]gov/ncas/alerts/aa20-049a
Feedback and additional information can be provided at CISAServiceDesk@cisa.dhs.gov
For more information: cisa.gov
Questions? CISAServiceDesk@cisa.dhs.gov
1-888-282-0870
Community Speaker Series: Featured Speaker
Why Do We Feature Speakers?
These calls are an opportunity for information exchange & learning.
Goal is to educate & provide awareness around cybersecurity for the connected vehicle.
What Does it Mean to Be Featured?
Perspectives across our ecosystem are shared from members, government, academia, researchers, industry associations and others.
Goal is to showcase a rich & balanced variety of topics and viewpoints.
Featured speakers are not endorsed by Auto-ISAC nor do the speakers speak on behalf of Auto-ISAC.
How Can I Be Featured?
If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Auto-ISAC (staff@automotiveisac.com).
1800+ Community Participants
25 Featured Speakers to date
7 Best Practice Guides available on website
Featured Speakers: Community Speakers
Example of Previous Community Speakers
Urban Jonson, NMFTA, Heavy Vehicle Cybersecurity Working Group (April 2018)
Ross Froat, American Trucking Association, ATA Cyberwatch Program (Oct 2018)
Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)
Joe Fabbre, Global Technology Director, Green Hills Software (October 2019)
Oscar Marcia, CISSP, Eonti, Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
Amy Smith, the Manager of Pre-College Educational Programming at SAE International (January 2020)
Community Call Slides are located at: www.automotiveisac.com/communitycalls
Welcome to Today’s Speakers: Featured Speaker
NHTSA Data Analytics for Vehicle Cybersecurity Research Project: Introduction/Primer
Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes. However, if not architected, designed, tested, and deployed diligently, the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats. As part of a broad-based research agenda to develop tools, methods, and best practices that may be useful to industry stakeholders in addressing cybersecurity risks, NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment. One emerging area in this field is cybersecurity data analytics.
The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA, as well as industry stakeholders, in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques. The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity, but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications.
Multiple Speakers for the project
Data Analytics for Vehicle Cybersecurity (DACS): NHTSA-sponsored Project
March 4, 2020, Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors, peripheral devices and systems, control devices, and user interfaces, all of which can be evaluated using Cyber Data Analytics (CDA):
• Identifying potential threats to the vehicle
• Mitigating targeted attacks of the vehicle
• Preventing or reducing the creation of additional vulnerabilities in the automotive space
DACS Project Goals
• Identify data and criteria to determine if a modern vehicle has been compromised through exploit of a cybersecurity vulnerability
• Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
• Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
• Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview: End Product
• Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices, standards, and refine general data analytics and cyber programs
• Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overview
• Task 1: Project Management
• Task 2: Problem Understanding (due March 2020)
  • 2a: Conduct literature survey/market research
  • 2b: Conduct stakeholder meetings and SME interviews
  • 2c: Prepare a problem understanding interim report
Malware Analysis Reports (MARs) - North Korean Malicious Activity (TLP WHITE) - continued
Malware Analysis Report (10271944-3v1 AR20-045F) ndashNorth Korean Trojan BUFFETLINE httpswww[]us-cert[]govncasanalysis-reportsar20-045f
Malware Analysis Report (10135536-8v3 AR20-045G) ndashNorth Korean Trojan HOPLIGHT httpswww[]us-cert[]govncasanalysis-reportsar20-045g
15
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE) Activity Alert (AA) associated with a cyberattack affecting
control and communication assets on the operational technology (OT) network of a natural gas compression facility
The AA provides technical details associated with networks and assets affected planning and operations and mitigations
Available for review at httpswww[]us-cert[]govncasalertsaa20-049a
Feedback and additional information can be provided at CISAServiceDeskcisadhsgov
16
17
For more informationcisagov
QuestionsCISAServiceDeskcisadhsgov
1-888-282-0870
189 March 2020TLP WHITE Disclosure and distribution is not limited
Community Speaker SeriesFeatured Speaker
Why Do We Feature Speakers These calls are an opportunity for information exchange amp learning Goal is to educate amp provide awareness around cybersecurity for the connected
vehicle
What Does it Mean to Be Featured Perspectives across our ecosystem are shared from members
government academia researchers industry associations and others
Goal is to showcase a rich amp balanced variety of topics and viewpoints Featured speakers are not endorsed by Auto-ISAC nor do the speakers
speak on behalf of Auto-ISAC
How Can I Be Featured If you have a topic of interest you would like to share with
the broader Auto-ISAC Community then we encourage you to contact our Auto-ISAC (staffautomotiveisaccom)
1800+Community Participants
25 Featured Speakers to date
7 Best Practice Guides
available on website
199 March 2020TLP WHITE May be distributed without restriction
Community Speakers
Urban Jonson NMFTA Heavy Vehicle Cybersecurity Working Group (April 2018)
Ross Froat American Trucking Association ATA Cyberwatch Program (Oct 2018)
Katherine Hartman Chief ndash Research Evaluation and Program Management ITS Joint Program Office US DOT (August 2019)
Joe Fabbre Global Technology Director Green Hills Software (October 2019)
Oscar Marcia CISSP Eonti Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
Amy Smith the Manager of Pre-College Educational Programming at SAE International (January 2020)
Example of Previous Community Speakers
Community Call Slides are located at wwwautomotiveisaccomcommunitycalls
Featured Speakers
209 March 2020TLP WHITE Disclosure and distribution is not limited
Welcome to Todayrsquos SpeakersFeatured Speaker
NHTSA Data Analytics for Vehicle Cybersecurity Research ProjectIntroductionPrimer
Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes However if not architected designed tested and deployed diligently the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats As part of a broad-based research agenda to develop tools methods and best practices that may be useful to industry stakeholders in addressing cybersecurity risks NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment One emerging area in this field is cybersecurity data analytics
The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA as well as industry stakeholders in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications
Multiple Speakers for the project
Data Analytics for Vehicle Cybersecurity
(DACS)NHTSA-sponsored Project
March 4 2020Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors peripheral devices and systems control devices and user interfaces all of which can be evaluated using Cyber Data Analytics (CDA)bull Identifying potential threats to the vehiclebull Mitigating targeted attacks of the vehiclebull Preventing or reducing the creation of additional
vulnerabilities in the automotive space
DACS Project Goalsbull Identify data and criteria to determine if a modern
vehicle has been compromised through exploit of a cybersecurity vulnerability
bull Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
bull Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
bull Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview End Product
bull Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices standards and refine general data analytics and cyber programs
bull Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overviewbull Task 1 Project Managementbull Task 2 Problem Understand (due March 2020)
bull 2a Conduct literature surveymarket research bull 2b Conduct stakeholder meetings and SME interviewsbull 2c Prepare a problem understanding interim report
bull Task 3 Evaluations of Approaches amp Techniques (August 2020)bull 3a Identify relevant approachestechniques amp potential indicatorsbull 3b Develop data and operational information taxonomybull 3c Assess feasibility of applying approachestechniques for vehicles
bull Task 4 Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
bull 4a Identify potential recovery modes and data needsbull 4b Identify post-exploit analysis needs data typesbull 4c Identify post-exploit analysis needs data collection and storage
bull Task 5 Final Report (March 2021)
Potential for CDA within the Automotive Industry
bull CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
bull Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources
Example Off-board Peripheral Systems
Sensors Fleet Management Sys
ECUs Telematics SysServices
Head Unit Supply Chain Sys
Communication Buses OTA Networks
Wireless Interfaces DealerVehicle Lifecycle Sys
Aftermarket hard software
Third-party services
We would like to engage OEMssuppliers for a better understanding of activity in this space We are also reviewing CDA approaches in other domains and potential applicability within automotive
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPSbull Fewer standards in the types of
and processes of data in CPSbull Contain physical interfaces
sensors and actuatorsbull Higher availability requirementsbull Methodologies may not scale to
varying CPS network protocols applications and topologies
bull Pushing cyber data analytics approaches to the edge
Application of CDA to CPSbull Datasets are used to establish
baseline models for normal behavior to detect anomalies
bull Models must consider physical degradation and maintenance schedules
bull Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
VPN Suspicious Geographical LoginAnomalous Stateful ConnectionsAttempts for Unauthorized Stateful ConnectionsBlacklisted IP Access Attempthellip
External Boundary Activity
Packet Payload Size IncreaseSuspicious Network Scanning ActivityRogue Network Device Detection Physical Changes to PLCRTU (eg IO card)Substantial Increase in TrafficSuspicious PLCRTU Communication Port Accesshellip
Internal Network Activity
Status amp Trend Information
OS Patch Status (eg up to date)Application Patch StatusPLC Firmware Patch StatusHMI Firmware Patch StatusAnti-Malware StatusAnti-Virus StatusHIDS StatusDevice Inbound Traffic (Host Volume) Trend AnalysisDevice Outbound Traffic (Host Volume) Trend AnalysisUnauthorized Remote Tools on Host (eg RDP VNC)Other Behavioral Model Trend Analysishellip
OT Device MonitoringPLC Firmware ChangesHMI Firmware ChangesPLC Status Mode ChangesPLC Response Times LatencyPLC Scan Rate FrequencyPLCRTU Log Mods Statshellip
Account InformationOS Account CreationPLCRTU Account ModificationOS Group AssignmentServer Account LockoutServer Failed Login Attemptshellip
High-level Discussion Topics for Automotive StakeholdersMonitoringData Collectionbull How and for what purposes from
vehicles and edge devices bull How are you protecting storing and
disposing of this dataDetectionbull What cyber data analytics capabilities do
you have to determine if a vehicle has been compromised
bull Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle within peripheral off-board systems or both
bull How do you manage threat intel feeds and integrate them into your CDA solutions
bull Are you able to share any examples of indicators of attack or compromise
Recoverybull Has your organization ever used
an indicator to trigger a real-time recovery mode or response to mitigate safety risk
Forensicsbull How do you manage forensic
analysis activities after an exploitCDA Implementation and Advancementbull What arewere your challenges in
developing your CDA capabilitiesbull Would you have any suggestions
to government and industry to assist in overcoming these challenges
Points of ContactPlease contact us if you are interested in providing feedback on the project and information on your effortsCommunicated information will be attributed to generalized stakeholder groups (eg OEMs Suppliers) and not specific entities
bull Josh Kolleda Kolleda_Joshuabahcom (Booz Allen Hamilton)
bull Loren Stowe LStowevttivtedu (Virginia Tech Transportation Institute)
329 March 2020TLP WHITE Disclosure and distribution is not limited
Open DiscussionAround the Room
Any questions about the Auto-ISAC or future topics
for discussion
339 March 2020TLP WHITE Disclosure and distribution is not limited
Closing Remarks
Event Outlook
For full 2019 calendar, visit www.automotiveisac.com

2020 Meetings & Conferences | Dates and Locations
TechAd Europe | March 2-3, Berlin, Germany
Connected Vehicles – Telematics Wire | March 3-5, Bengaluru, India
Auto-ISAC Community Call | March 4, Telecon
Nullcon Conference | March 6-7, Goa, India
NDIA Cyber-Physical Systems Security Summit | March 10-11, Detroit, MI
Women in Cybersecurity Conference | March 12-14, Aurora, CO
SXSW 2020 | March 12-22, Austin, TX
SAE AeroTech Americas | March 17-19, Pasadena, CA
Automotive News World Congress | March 24-25, Detroit, MI
SAE On Board Diagnostics Symposium Europe | March 24-26, Dublin, Ireland
IQPC Detroit Automotive Cybersecurity Summit | March 30-April 1, Detroit, MI
Black Hat Asia 2020 | March 31-April 3, Singapore
How to Get Involved: Membership
If you are an OEM, supplier, or commercial vehicle company, now is a great time to join Auto-ISAC.
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com).
Real-time Intelligence Sharing
Development of Best Practice Guides
Intelligence Summaries
Exchanges and Workshops
Regular intelligence meetings
Tabletop exercises
Crisis Notifications
Webinars and Presentations
Member Contact Directory
Annual Auto-ISAC Summit Event
Strategic Partnership Programs

NAVIGATOR (Support Partnership)
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics, activities

INNOVATOR (Paid Partnership)
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed

COLLABORATOR (Coordination Partnership)
- “See something, say something”
- May not require a formal agreement
- Information exchanges-coordination activities

BENEFACTOR (Sponsorship Partnership)
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar Events

Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services. Examples: Hacker ONE, SANS, IOActive
Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, DHS, NHTSA
Community: Companies interested in engaging the automotive ecosystem and supporting - educating the community. Examples: Summit sponsorship – key events
Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, Global Auto, ATA
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
Focused Intelligence Information/Briefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Thank you
Our contact info
Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
fayefrancy@automotiveisac.com
Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
joshposter@automotiveisac.com
automotiveisac.com | auto-ISAC
Activity Alert - AA20-049A - Ransomware Impacting Pipeline Operations (TLP WHITE)
Activity Alert (AA) associated with a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility.
The AA provides technical details associated with networks and assets affected, planning and operations, and mitigations.
Available for review at https://www[.]us-cert[.]gov/ncas/alerts/aa20-049a
Feedback and additional information can be provided at CISAServiceDesk@cisa.dhs.gov
For more information: cisa.gov
Questions? CISAServiceDesk@cisa.dhs.gov
1-888-282-0870
Featured Speaker
Community Speaker Series

Why Do We Feature Speakers?
- These calls are an opportunity for information exchange & learning
- Goal is to educate & provide awareness around cybersecurity for the connected vehicle

What Does it Mean to Be Featured?
- Perspectives across our ecosystem are shared from members, government, academia, researchers, industry associations, and others
- Goal is to showcase a rich & balanced variety of topics and viewpoints
- Featured speakers are not endorsed by Auto-ISAC, nor do the speakers speak on behalf of Auto-ISAC

How Can I Be Featured?
- If you have a topic of interest you would like to share with the broader Auto-ISAC Community, then we encourage you to contact our Auto-ISAC (staff@automotiveisac.com)

1800+ Community Participants
25 Featured Speakers to date
7 Best Practice Guides available on website
Community Speakers
Example of Previous Community Speakers
- Urban Jonson, NMFTA, Heavy Vehicle Cybersecurity Working Group (April 2018)
- Ross Froat, American Trucking Association, ATA Cyberwatch Program (Oct 2018)
- Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)
- Joe Fabbre, Global Technology Director, Green Hills Software (October 2019)
- Oscar Marcia, CISSP, Eonti, Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
- Amy Smith, the Manager of Pre-College Educational Programming at SAE International (January 2020)
Community Call Slides are located at www.automotiveisac.com/communitycalls
Welcome to Today’s Speakers

NHTSA Data Analytics for Vehicle Cybersecurity Research Project: Introduction/Primer

Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes. However, if not architected, designed, tested, and deployed diligently, the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats. As part of a broad-based research agenda to develop tools, methods, and best practices that may be useful to industry stakeholders in addressing cybersecurity risks, NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment. One emerging area in this field is cybersecurity data analytics.

The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA, as well as industry stakeholders, in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques. The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity, but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications.

Multiple Speakers for the project

Data Analytics for Vehicle Cybersecurity (DACS)
NHTSA-sponsored Project
March 4, 2020
Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors, peripheral devices and systems, control devices, and user interfaces, all of which can be evaluated using Cyber Data Analytics (CDA):
• Identifying potential threats to the vehicle
• Mitigating targeted attacks of the vehicle
• Preventing or reducing the creation of additional vulnerabilities in the automotive space

DACS Project Goals
• Identify data and criteria to determine if a modern vehicle has been compromised through exploit of a cybersecurity vulnerability
• Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
• Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
• Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements

DACS Project Overview: End Product
• Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices, standards, and refine general data analytics and cyber programs
• Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems

DACS Project Task Overview
• Task 1: Project Management
• Task 2: Problem Understanding (due March 2020)
  • 2a: Conduct literature survey/market research
  • 2b: Conduct stakeholder meetings and SME interviews
  • 2c: Prepare a problem understanding interim report
• Task 3: Evaluations of Approaches & Techniques (August 2020)
  • 3a: Identify relevant approaches/techniques & potential indicators
  • 3b: Develop data and operational information taxonomy
  • 3c: Assess feasibility of applying approaches/techniques for vehicles
• Task 4: Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
  • 4a: Identify potential recovery modes and data needs
  • 4b: Identify post-exploit analysis needs: data types
  • 4c: Identify post-exploit analysis needs: data collection and storage
• Task 5: Final Report (March 2021)
Potential for CDA within the Automotive Industry
• CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
• Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes

Example On-board Vehicle Data Sources | Example Off-board Peripheral Systems
Sensors | Fleet Management Sys
ECUs | Telematics Sys/Services
Head Unit | Supply Chain Sys
Communication Buses | OTA Networks
Wireless Interfaces | Dealer/Vehicle Lifecycle Sys
Aftermarket hard/software
Third-party services

We would like to engage OEMs/suppliers for a better understanding of activity in this space. We are also reviewing CDA approaches in other domains and potential applicability within automotive.
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPS
• Fewer standards in the types of and processes of data in CPS
• Contain physical interfaces, sensors, and actuators
• Higher availability requirements
• Methodologies may not scale to varying CPS network protocols, applications, and topologies
• Pushing cyber data analytics approaches to the edge

Application of CDA to CPS
• Datasets are used to establish baseline models for normal behavior to detect anomalies
• Models must consider physical degradation and maintenance schedules
• Sensor fusion algorithms can provide attack-resiliency for CPS
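The baseline-model points above, worked through as an added example that is not from the DACS project or the presenters: a rolling median/MAD baseline over a single CPS signal that absorbs slow wear-related drift, suppresses samples inside scheduled maintenance, and never learns from samples it has flagged. The signal (PLC response latency), window size, threshold, maintenance window and sample series are all constructed assumptions.

```python
"""Rolling-baseline anomaly detection for one CPS signal (constructed data)."""
from collections import deque
from statistics import median

WINDOW = 30        # samples kept in the baseline (assumed value)
THRESHOLD = 6.0    # robust z-score above which a sample is flagged (assumed)
MIN_BASELINE = 10  # samples required before scoring starts (assumed)
MAINTENANCE = [(80, 90)]  # constructed maintenance schedule, in minutes


def in_maintenance(t, windows):
    """True when timestamp t falls inside a scheduled maintenance window."""
    return any(start <= t <= end for start, end in windows)


def robust_z(value, baseline):
    """Distance from the baseline median in units of scaled MAD."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    scale = max(1.4826 * mad, 1e-6)  # floor avoids division by zero
    return abs(value - med) / scale


def detect(samples, maintenance_windows):
    """Return (flagged, suppressed) timestamps for (t, value) samples.

    The baseline is a sliding window, so slow drift from physical wear is
    absorbed instead of alerting. Flagged samples and maintenance samples
    are never learned, so neither a spike nor a service visit shifts what
    counts as normal.
    """
    baseline = deque(maxlen=WINDOW)
    flagged, suppressed = [], []
    for t, value in samples:
        if in_maintenance(t, maintenance_windows):
            suppressed.append(t)
            continue
        if len(baseline) >= MIN_BASELINE and robust_z(value, baseline) > THRESHOLD:
            flagged.append(t)
            continue
        baseline.append(value)
    return flagged, suppressed


def constructed_latency_series():
    """Constructed PLC response latencies in ms, one sample per minute."""
    samples = []
    for t in range(200):
        drift = 10.0 + 0.01 * t            # wear: 10 ms rising to about 12 ms
        jitter = ((t * 7) % 5 - 2) * 0.05  # deterministic noise, +/- 0.1 ms
        value = drift + jitter
        if 80 <= t <= 90:
            value = 40.0                   # scheduled service slows responses
        if t in (150, 151):
            value = 30.0                   # unexplained latency spike
        samples.append((t, round(value, 3)))
    return samples


if __name__ == "__main__":
    flagged, suppressed = detect(constructed_latency_series(), MAINTENANCE)
    print("flagged:", flagged)
    print("suppressed during maintenance:", suppressed)
```

Running the same series with an empty maintenance schedule flags every sample in the service window as well, which is the false-alert load the maintenance-schedule point is warning about.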
Potential Use Cases for ICS Threat Monitoring and Detection

External Boundary Activity
• VPN Suspicious Geographical Login
• Anomalous Stateful Connections
• Attempts for Unauthorized Stateful Connections
• Blacklisted IP Access Attempt
• …

Internal Network Activity
• Packet Payload Size Increase
• Suspicious Network Scanning Activity
• Rogue Network Device Detection
• Physical Changes to PLC/RTU (e.g., I/O card)
• Substantial Increase in Traffic
• Suspicious PLC/RTU Communication Port Access
• …

Status & Trend Information
• OS Patch Status (e.g., up to date)
• Application Patch Status
• PLC Firmware Patch Status
• HMI Firmware Patch Status
• Anti-Malware Status
• Anti-Virus Status
• HIDS Status
• Device Inbound Traffic (Host Volume) Trend Analysis
• Device Outbound Traffic (Host Volume) Trend Analysis
• Unauthorized Remote Tools on Host (e.g., RDP, VNC)
• Other Behavioral Model Trend Analysis
• …

OT Device Monitoring
• PLC Firmware Changes
• HMI Firmware Changes
• PLC Status Mode Changes
• PLC Response Times Latency
• PLC Scan Rate Frequency
• PLC/RTU Log Mods Stats
• …

Account Information
• OS Account Creation
• PLC/RTU Account Modification
• OS Group Assignment
• Server Account Lockout
• Server Failed Login Attempts
• …
189 March 2020TLP WHITE Disclosure and distribution is not limited
Community Speaker SeriesFeatured Speaker
Why Do We Feature Speakers These calls are an opportunity for information exchange amp learning Goal is to educate amp provide awareness around cybersecurity for the connected
vehicle
What Does it Mean to Be Featured Perspectives across our ecosystem are shared from members
government academia researchers industry associations and others
Goal is to showcase a rich amp balanced variety of topics and viewpoints Featured speakers are not endorsed by Auto-ISAC nor do the speakers
speak on behalf of Auto-ISAC
How Can I Be Featured If you have a topic of interest you would like to share with
the broader Auto-ISAC Community then we encourage you to contact our Auto-ISAC (staffautomotiveisaccom)
1800+Community Participants
25 Featured Speakers to date
7 Best Practice Guides
available on website
Community Speakers
• Urban Jonson, NMFTA, Heavy Vehicle Cybersecurity Working Group (April 2018)
• Ross Froat, American Trucking Association, ATA Cyberwatch Program (Oct 2018)
• Katherine Hartman, Chief – Research, Evaluation and Program Management, ITS Joint Program Office, US DOT (August 2019)
• Joe Fabbre, Global Technology Director, Green Hills Software (October 2019)
• Oscar Marcia, CISSP, Eonti, Device Authentication in Auto-ISAC as a Foundation to Secure Communications (November 2019)
• Amy Smith, the Manager of Pre-College Educational Programming at SAE International (January 2020)
Example of Previous Community Speakers
Community Call Slides are located at www.automotiveisac.com/communitycalls
Featured Speakers
Welcome to Today's Speakers
Featured Speaker
NHTSA Data Analytics for Vehicle Cybersecurity Research Project
Introduction/Primer
Emerging ADAS and ADS technologies have the potential to significantly reduce the number and severity of vehicle crashes. However, if not architected, designed, tested and deployed diligently, the application of these technologies may also carry unacceptable risk in the form of cyber vulnerabilities and associated threats. As part of a broad-based research agenda to develop tools, methods and best practices that may be useful to industry stakeholders in addressing cybersecurity risks, NHTSA is interested in determining the applicability of modern cybersecurity risk management and response methods and technologies to the vehicle environment. One emerging area in this field is cybersecurity data analytics.
The Data Analytics for Vehicle Cybersecurity (DACS) project was initiated to assist NHTSA, as well as industry stakeholders, in developing an understanding of the potential opportunities for enhancing vehicle cybersecurity through applications of leading-edge data analytic techniques. The project is not meant to provide any specific solutions via the use of data analytics for vehicle cybersecurity, but rather to research and evaluate solutions that may be used as guidance for stakeholders in the consideration of future development of data analytics applications.
Multiple Speakers for the project
Data Analytics for Vehicle Cybersecurity (DACS)
NHTSA-sponsored Project
March 4, 2020
Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors, peripheral devices and systems, control devices, and user interfaces, all of which can be evaluated using Cyber Data Analytics (CDA):
• Identifying potential threats to the vehicle
• Mitigating targeted attacks of the vehicle
• Preventing or reducing the creation of additional vulnerabilities in the automotive space
DACS Project Goals
• Identify data and criteria to determine if a modern vehicle has been compromised through exploit of a cybersecurity vulnerability
• Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
• Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
• Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview: End Product
• Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices, standards, and refine general data analytics and cyber programs
• Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overview
• Task 1: Project Management
• Task 2: Problem Understanding (due March 2020)
  • 2a: Conduct literature survey/market research
  • 2b: Conduct stakeholder meetings and SME interviews
  • 2c: Prepare a problem understanding interim report
• Task 3: Evaluations of Approaches & Techniques (August 2020)
  • 3a: Identify relevant approaches/techniques & potential indicators
  • 3b: Develop data and operational information taxonomy
  • 3c: Assess feasibility of applying approaches/techniques for vehicles
• Task 4: Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
  • 4a: Identify potential recovery modes and data needs
  • 4b: Identify post-exploit analysis needs: data types
  • 4c: Identify post-exploit analysis needs: data collection and storage
• Task 5: Final Report (March 2021)
Potential for CDA within the Automotive Industry
• CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
• Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources | Example Off-board Peripheral Systems
Sensors | Fleet Management Sys
ECUs | Telematics Sys/Services
Head Unit | Supply Chain Sys
Communication Buses | OTA Networks
Wireless Interfaces | Dealer/Vehicle Lifecycle Sys
Aftermarket hard/software
Third-party services
We would like to engage OEMs/suppliers for a better understanding of activity in this space. We are also reviewing CDA approaches in other domains and potential applicability within automotive.
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPS
• Fewer standards in the types of and processes of data in CPS
• Contain physical interfaces, sensors and actuators
• Higher availability requirements
• Methodologies may not scale to varying CPS network protocols, applications and topologies
• Pushing cyber data analytics approaches to the edge
Application of CDA to CPS
• Datasets are used to establish baseline models for normal behavior to detect anomalies
• Models must consider physical degradation and maintenance schedules
• Sensor fusion algorithms can provide attack-resiliency for CPS
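The first two "Application of CDA to CPS" points, as an added example that is not part of the DACS presentation: a baseline model that follows slow physical degradation, ignores readings taken during a maintenance window, and re-learns "normal" afterwards. The signal (a response time in ms), the thresholds, the class and function names and the data are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class DriftAwareBaseline:
    """Baseline of one CPS signal, e.g. a controller response time in ms."""
    alpha: float = 0.05      # adaptation rate: follows slow wear, not sudden jumps
    threshold: float = 4.0   # alert when |z| exceeds this many standard deviations
    warmup: int = 20         # samples used to learn "normal" before scoring starts
    min_std: float = 1e-6    # floor so a perfectly flat signal cannot divide by zero
    mean: float = 0.0
    var: float = 0.0
    seen: int = 0

    def reset(self):
        """Forget the baseline, e.g. after a part was replaced during maintenance."""
        self.mean, self.var, self.seen = 0.0, 0.0, 0

    def score(self, x):
        """Return the z-score of x, or None while the baseline is still warming up."""
        if self.seen < self.warmup:
            # Welford's running mean and population variance during warm-up.
            self.seen += 1
            delta = x - self.mean
            self.mean += delta / self.seen
            self.var += (delta * (x - self.mean) - self.var) / self.seen
            return None
        delta = x - self.mean
        z = delta / max(math.sqrt(self.var), self.min_std)
        if abs(z) <= self.threshold:
            # Only in-range samples update the model, so a single outlier
            # cannot drag the baseline toward itself.
            self.mean += self.alpha * delta
            self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        return z


def detect(samples, maintenance_windows):
    """Return the timestamps whose value deviates from the learned baseline."""
    model = DriftAwareBaseline()
    alerts = []
    was_in_maintenance = False
    for t, value in samples:
        in_maintenance = any(start <= t <= end for start, end in maintenance_windows)
        if in_maintenance:
            was_in_maintenance = True
            continue              # bench readings are not in-service behaviour
        if was_in_maintenance:
            model.reset()         # a serviced part has a new "normal"
            was_in_maintenance = False
        z = model.score(value)
        if z is not None and abs(z) > model.threshold:
            alerts.append(t)
    return alerts


def constructed_samples():
    """Constructed data (not real vehicle data): 200 response-time readings."""
    jitter = [-0.2, 0.1, 0.2, -0.1]
    out = []
    for t in range(200):
        if t < 100:
            value = 10.0 + 0.01 * t + jitter[t % 4]          # slow wear
        elif t < 110:
            value = 0.0                                      # unit on the bench
        else:
            value = 8.0 + 0.01 * (t - 110) + jitter[t % 4]   # after part replacement
        if t in (60, 170):
            value += 6.0                                     # abrupt deviations to find
        out.append((t, value))
    return out


SAMPLES = constructed_samples()
MAINTENANCE = [(100, 109)]

if __name__ == "__main__":
    print("with maintenance schedule:   ", detect(SAMPLES, MAINTENANCE))
    print("without maintenance schedule:", len(detect(SAMPLES, [])), "alerts")
```

Run without the maintenance window, the same data alerts on every reading after the part swap, because the old baseline never accepts the new normal.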
Potential Use Cases for ICS Threat Monitoring and Detection
External Boundary Activity
• VPN Suspicious Geographical Login
• Anomalous Stateful Connections
• Attempts for Unauthorized Stateful Connections
• Blacklisted IP Access Attempt
• …
Internal Network Activity
• Packet Payload Size Increase
• Suspicious Network Scanning Activity
• Rogue Network Device Detection
• Physical Changes to PLC/RTU (e.g., I/O card)
• Substantial Increase in Traffic
• Suspicious PLC/RTU Communication Port Access
• …
Status & Trend Information
• OS Patch Status (e.g., up to date)
• Application Patch Status
• PLC Firmware Patch Status
• HMI Firmware Patch Status
• Anti-Malware Status
• Anti-Virus Status
• HIDS Status
• Device Inbound Traffic (Host Volume) Trend Analysis
• Device Outbound Traffic (Host Volume) Trend Analysis
• Unauthorized Remote Tools on Host (e.g., RDP, VNC)
• Other Behavioral Model Trend Analysis
• …
OT Device Monitoring
• PLC Firmware Changes
• HMI Firmware Changes
• PLC Status Mode Changes
• PLC Response Times Latency
• PLC Scan Rate Frequency
• PLC/RTU Log Mods Stats
• …
Account Information
• OS Account Creation
• PLC/RTU Account Modification
• OS Group Assignment
• Server Account Lockout
• Server Failed Login Attempts
• …
High-level Discussion Topics for Automotive Stakeholders
Monitoring/Data Collection
• How and for what purposes from vehicles and edge devices?
• How are you protecting, storing and disposing of this data?
Detection
• What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
• Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
• How do you manage threat intel feeds and integrate them into your CDA solutions?
• Are you able to share any examples of indicators of attack or compromise?
Recovery
• Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?
Forensics
• How do you manage forensic analysis activities after an exploit?
CDA Implementation and Advancement
• What are/were your challenges in developing your CDA capabilities?
• Would you have any suggestions to government and industry to assist in overcoming these challenges?
Points of Contact
Please contact us if you are interested in providing feedback on the project and information on your efforts. Communicated information will be attributed to generalized stakeholder groups (e.g., OEMs, Suppliers) and not specific entities.
• Josh Kolleda, Kolleda_Joshua@bah.com (Booz Allen Hamilton)
• Loren Stowe, LStowe@vtti.vt.edu (Virginia Tech Transportation Institute)
Open Discussion
Around the Room
Any questions about the Auto-ISAC or future topics for discussion?
Event Outlook
For full 2019 calendar, visit www.automotiveisac.com
Closing Remarks
2020 Meetings Conferences Dates and Locations
TechAd Europe, March 2-3, Berlin, Germany
Connected Vehicles – Telematics Wire, March 3-5, Bengaluru, India
Auto-ISAC Community Call, March 4, Telecon
Nullcon Conference, March 6-7, Goa, India
NDIA Cyber-Physical Systems Security Summit, March 10-11, Detroit, MI
Women in Cybersecurity Conference, March 12-14, Aurora, CO
SXSW 2020, March 12-22, Austin, TX
SAE AeroTech Americas, March 17-19, Pasadena, CA
Automotive News World Congress, March 24-25, Detroit, MI
SAE On Board Diagnostics Symposium Europe, March 24-26, Dublin, Ireland
IQPC Detroit Automotive Cybersecurity Summit, March 30-April 1, Detroit, MI
Black Hat Asia 2020, March 31-April 3, Singapore
Closing Remarks
If you are an OEM, supplier or commercial vehicle company, now is a great time to join Auto-ISAC
How to Get Involved: Membership
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com)
• Real-time Intelligence Sharing
• Development of Best Practice Guides
• Intelligence Summaries
• Exchanges and Workshops
• Regular intelligence meetings
• Tabletop exercises
• Crisis Notifications
• Webinars and Presentations
• Member Contact Directory
• Annual Auto-ISAC Summit Event
Strategic Partnership Programs
NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities
INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATOR: Coordination Partnership
- "See something, say something"
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar / Events
Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services
Examples: Hacker ONE, SANS, IOActive
Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC
Examples: NCI, DHS, NHTSA
Community: Companies interested in engaging the automotive ecosystem and supporting - educating the community
Examples: Summit sponsorship – key events
Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities
Examples: Auto Alliance, Global Auto, ATA
Closing Remarks
Focused Intelligence Information/Briefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Auto-ISAC Benefits
- Information exchanges-coordination activities
BENEFACTORSponsorshipPartnership
- Participate in monthly community calls
- Sponsor Summit- Network with Auto
Community- Webinar Events
Solutions Providers
For-profit companies that sell connected
vehicle cybersecurity products amp services
Examples Hacker ONE SANS IOActive
AffiliationsGovernment
academia research non-profit orgs with
complementary missions to Auto-ISAC
Examples NCI DHS NHTSA
CommunityCompanies interested
in engaging the automotive ecosystem
and supporting -educating the community
Examples Summit sponsorship ndash
key events
AssociationsIndustry associations and others who want to support and invest
in the Auto-ISAC activities
Examples Auto Alliance Global Auto ATA
Closing Remarks
369 March 2020TLP WHITE Disclosure and distribution is not limited
Focused Intelligence InformationBriefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
Closing Remarks
379 March 2020TLP WHITE Disclosure and distribution is not limited 37
Thank you
Thank you
389 March 2020TLP WHITE Disclosure and distribution is not limited
Our contact info
Faye FrancyExecutive Director
20 F Street NW Suite 700Washington DC 20001
703-861-5417fayefrancyautomotiveisaccom
Josh PosterProgram Operations
Manager
20 F Street NW Suite 700Washington DC 20001
joshposterautomotiveisaccom
automotiveisaccomauto-ISAC
Data Analytics for Vehicle Cybersecurity (DACS)
NHTSA-sponsored Project
March 4, 2020
Auto-ISAC Community Call
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors, peripheral devices and systems, control devices, and user interfaces, all of which can be evaluated using Cyber Data Analytics (CDA):
• Identifying potential threats to the vehicle
• Mitigating targeted attacks of the vehicle
• Preventing or reducing the creation of additional vulnerabilities in the automotive space
DACS Project Goals
• Identify data and criteria to determine if a modern vehicle has been compromised through exploit of a cybersecurity vulnerability
• Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
• Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
• Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview End Product
• Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices, standards, and refine general data analytics and cyber programs
• Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overview
• Task 1: Project Management
• Task 2: Problem Understanding (due March 2020)
  • 2a: Conduct literature survey/market research
  • 2b: Conduct stakeholder meetings and SME interviews
  • 2c: Prepare a problem understanding interim report
• Task 3: Evaluations of Approaches & Techniques (August 2020)
  • 3a: Identify relevant approaches/techniques & potential indicators
  • 3b: Develop data and operational information taxonomy
  • 3c: Assess feasibility of applying approaches/techniques for vehicles
• Task 4: Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
  • 4a: Identify potential recovery modes and data needs
  • 4b: Identify post-exploit analysis needs: data types
  • 4c: Identify post-exploit analysis needs: data collection and storage
• Task 5: Final Report (March 2021)
Potential for CDA within the Automotive Industry
• CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
• Within these categories, there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources | Example Off-board Peripheral Systems
Sensors | Fleet Management Sys
ECUs | Telematics Sys/Services
Head Unit | Supply Chain Sys
Communication Buses | OTA Networks
Wireless Interfaces | Dealer/Vehicle Lifecycle Sys
Aftermarket hard/software | Third-party services
We would like to engage OEMs/suppliers for a better understanding of activity in this space. We are also reviewing CDA approaches in other domains and potential applicability within automotive.
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPS
• Fewer standards in the types of and processes of data in CPS
• Contain physical interfaces, sensors, and actuators
• Higher availability requirements
• Methodologies may not scale to varying CPS network protocols, applications, and topologies
• Pushing cyber data analytics approaches to the edge
Application of CDA to CPS
• Datasets are used to establish baseline models for normal behavior to detect anomalies
• Models must consider physical degradation and maintenance schedules
• Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
External Boundary Activity
- VPN Suspicious Geographical Login
- Anomalous Stateful Connections
- Attempts for Unauthorized Stateful Connections
- Blacklisted IP Access Attempt
- …
Internal Network Activity
- Packet Payload Size Increase
- Suspicious Network Scanning Activity
- Rogue Network Device Detection
- Physical Changes to PLC/RTU (e.g., I/O card)
- Substantial Increase in Traffic
- Suspicious PLC/RTU Communication Port Access
- …
Status & Trend Information
- OS Patch Status (e.g., up to date)
- Application Patch Status
- PLC Firmware Patch Status
- HMI Firmware Patch Status
- Anti-Malware Status
- Anti-Virus Status
- HIDS Status
- Device Inbound Traffic (Host Volume) Trend Analysis
- Device Outbound Traffic (Host Volume) Trend Analysis
- Unauthorized Remote Tools on Host (e.g., RDP, VNC)
- Other Behavioral Model Trend Analysis
- …
OT Device Monitoring
- PLC Firmware Changes
- HMI Firmware Changes
- PLC Status Mode Changes
- PLC Response Times / Latency
- PLC Scan Rate / Frequency
- PLC/RTU Log Mods / Stats
- …
Account Information
- OS Account Creation
- PLC/RTU Account Modification
- OS Group Assignment
- Server Account Lockout
- Server Failed Login Attempts
- …
High-level Discussion Topics for Automotive Stakeholders
Monitoring/Data Collection
• How and for what purposes from vehicles and edge devices?
• How are you protecting, storing, and disposing of this data?
Detection
• What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
• Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
• How do you manage threat intel feeds and integrate them into your CDA solutions?
• Are you able to share any examples of indicators of attack or compromise?
Recovery
• Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?
Forensics
• How do you manage forensic analysis activities after an exploit?
CDA Implementation and Advancement
• What are/were your challenges in developing your CDA capabilities?
• Would you have any suggestions to government and industry to assist in overcoming these challenges?
Points of Contact
Please contact us if you are interested in providing feedback on the project and information on your efforts. Communicated information will be attributed to generalized stakeholder groups (e.g., OEMs, Suppliers) and not specific entities.
• Josh Kolleda, Kolleda_Joshua@bah.com (Booz Allen Hamilton)
• Loren Stowe, LStowe@vtti.vt.edu (Virginia Tech Transportation Institute)
Around the Room
Open Discussion
Any questions about the Auto-ISAC or future topics for discussion?
Closing Remarks
Event Outlook
For full 2019 calendar, visit www.automotiveisac.com
2020 Meetings, Conferences, Dates and Locations
- TechAd Europe: March 2-3, Berlin, Germany
- Connected Vehicles – Telematics Wire: March 3-5, Bengaluru, India
- Auto-ISAC Community Call: March 4, Telecon
- Nullcon Conference: March 6-7, Goa, India
- NDIA Cyber-Physical Systems Security Summit: March 10-11, Detroit, MI
- Women in Cybersecurity Conference: March 12-14, Aurora, CO
- SXSW 2020: March 12-22, Austin, TX
- SAE AeroTech Americas: March 17-19, Pasadena, CA
- Automotive News World Congress: March 24-25, Detroit, MI
- SAE On Board Diagnostics Symposium Europe: March 24-26, Dublin, Ireland
- IQPC Detroit Automotive Cybersecurity Summit: March 30-April 1, Detroit, MI
- Black Hat Asia 2020: March 31-April 3, Singapore
How to Get Involved: Membership
If you are an OEM, supplier, or commercial vehicle company, now is a great time to join Auto-ISAC.
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com).
- Real-time Intelligence Sharing
- Development of Best Practice Guides
- Intelligence Summaries
- Exchanges and Workshops
- Regular intelligence meetings
- Tabletop exercises
- Crisis Notifications
- Webinars and Presentations
- Member Contact Directory
- Annual Auto-ISAC Summit Event
Strategic Partnership Programs
NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities
INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATOR: Coordination Partnership
- “See something, say something”
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar / Events
Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services. Examples: Hacker ONE, SANS, IOActive
Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, DHS, NHTSA
Community: Companies interested in engaging the automotive ecosystem and supporting - educating the community. Examples: Summit sponsorship – key events
Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, Global Auto, ATA
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
- Focused Intelligence Information/Briefings
- Cybersecurity intelligence sharing
- Vulnerability resolution
- Member to Member Sharing
- Distribute Information Gathering Costs across the Sector
- Non-attribution and Anonymity of Submissions
- Information source for the entire organization
- Risk mitigation for automotive industry
- Comparative advantage in risk mitigation
- Security and Resiliency
Thank you
Our contact info
Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
fayefrancyautomotiveisaccom
Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
joshposterautomotiveisaccom
automotiveisac.com
auto-ISAC
Intersection of Modern Vehicles and Cyber Data Analytics
Vehicles represent a unique collection of sensors peripheral devices and systems control devices and user interfaces all of which can be evaluated using Cyber Data Analytics (CDA)bull Identifying potential threats to the vehiclebull Mitigating targeted attacks of the vehiclebull Preventing or reducing the creation of additional
vulnerabilities in the automotive space
DACS Project Goalsbull Identify data and criteria to determine if a modern
vehicle has been compromised through exploit of a cybersecurity vulnerability
bull Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
bull Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
bull Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview End Product
bull Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices standards and refine general data analytics and cyber programs
bull Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overviewbull Task 1 Project Managementbull Task 2 Problem Understand (due March 2020)
bull 2a Conduct literature surveymarket research bull 2b Conduct stakeholder meetings and SME interviewsbull 2c Prepare a problem understanding interim report
bull Task 3 Evaluations of Approaches amp Techniques (August 2020)bull 3a Identify relevant approachestechniques amp potential indicatorsbull 3b Develop data and operational information taxonomybull 3c Assess feasibility of applying approachestechniques for vehicles
bull Task 4 Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
bull 4a Identify potential recovery modes and data needsbull 4b Identify post-exploit analysis needs data typesbull 4c Identify post-exploit analysis needs data collection and storage
bull Task 5 Final Report (March 2021)
Potential for CDA within the Automotive Industry
bull CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
bull Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources
Example Off-board Peripheral Systems
Sensors Fleet Management Sys
ECUs Telematics SysServices
Head Unit Supply Chain Sys
Communication Buses OTA Networks
Wireless Interfaces DealerVehicle Lifecycle Sys
Aftermarket hard software
Third-party services
We would like to engage OEMssuppliers for a better understanding of activity in this space We are also reviewing CDA approaches in other domains and potential applicability within automotive
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPSbull Fewer standards in the types of
and processes of data in CPSbull Contain physical interfaces
sensors and actuatorsbull Higher availability requirementsbull Methodologies may not scale to
varying CPS network protocols applications and topologies
bull Pushing cyber data analytics approaches to the edge
Application of CDA to CPSbull Datasets are used to establish
baseline models for normal behavior to detect anomalies
bull Models must consider physical degradation and maintenance schedules
bull Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
VPN Suspicious Geographical LoginAnomalous Stateful ConnectionsAttempts for Unauthorized Stateful ConnectionsBlacklisted IP Access Attempthellip
External Boundary Activity
Packet Payload Size IncreaseSuspicious Network Scanning ActivityRogue Network Device Detection Physical Changes to PLCRTU (eg IO card)Substantial Increase in TrafficSuspicious PLCRTU Communication Port Accesshellip
Internal Network Activity
Status amp Trend Information
OS Patch Status (eg up to date)Application Patch StatusPLC Firmware Patch StatusHMI Firmware Patch StatusAnti-Malware StatusAnti-Virus StatusHIDS StatusDevice Inbound Traffic (Host Volume) Trend AnalysisDevice Outbound Traffic (Host Volume) Trend AnalysisUnauthorized Remote Tools on Host (eg RDP VNC)Other Behavioral Model Trend Analysishellip
OT Device MonitoringPLC Firmware ChangesHMI Firmware ChangesPLC Status Mode ChangesPLC Response Times LatencyPLC Scan Rate FrequencyPLCRTU Log Mods Statshellip
Account InformationOS Account CreationPLCRTU Account ModificationOS Group AssignmentServer Account LockoutServer Failed Login Attemptshellip
High-level Discussion Topics for Automotive StakeholdersMonitoringData Collectionbull How and for what purposes from
vehicles and edge devices bull How are you protecting storing and
disposing of this dataDetectionbull What cyber data analytics capabilities do
you have to determine if a vehicle has been compromised
bull Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle within peripheral off-board systems or both
bull How do you manage threat intel feeds and integrate them into your CDA solutions
bull Are you able to share any examples of indicators of attack or compromise
Recoverybull Has your organization ever used
an indicator to trigger a real-time recovery mode or response to mitigate safety risk
Forensicsbull How do you manage forensic
analysis activities after an exploitCDA Implementation and Advancementbull What arewere your challenges in
developing your CDA capabilitiesbull Would you have any suggestions
to government and industry to assist in overcoming these challenges
Points of ContactPlease contact us if you are interested in providing feedback on the project and information on your effortsCommunicated information will be attributed to generalized stakeholder groups (eg OEMs Suppliers) and not specific entities
bull Josh Kolleda Kolleda_Joshuabahcom (Booz Allen Hamilton)
bull Loren Stowe LStowevttivtedu (Virginia Tech Transportation Institute)
329 March 2020TLP WHITE Disclosure and distribution is not limited
Open DiscussionAround the Room
Any questions about the Auto-ISAC or future topics
for discussion
339 March 2020TLP WHITE Disclosure and distribution is not limited
Event Outlook
For full 2019 calendar visit wwwautomotiveisaccom
Closing Remarks
2020 Meetings Conferences Dates and Locations
TechAd Europe March 2-3 Berlin Germany
Connected Vehicles ndash Telematics Wire March 3-5 Bengaluru India
Auto-ISAC Community Call March 4 Telecon
Nullcon Conference March 6-7 Goa India
NDIA Cyber-Physical Systems Security Summit March 10-11 Detroit MI
Women in Cybersecurity Conference March 12-14 Aurora CO
SXSW 2020 March 12-22 Austin TX
SAE AeroTech Americas March 17-19 Pasadena CA
Automotive News World Congress March 24-25 Detroit MI
SAE On Board Diagnostics Symposium Europe March 24-26 Dublin Ireland
IQPC Detroit Automotive Cybersecurity Summit March 30-April 1 Detroit MI
Black Hat Asia 2020 March 31-April 3 Singapore
349 March 2020TLP WHITE Disclosure and distribution is not limited
Closing Remarks
If you are an OEM supplier or commercial vehicle company now is a great time to join
Auto-ISAC
How to Get Involved Membership
To learn more about Auto-ISAC Membership or Partnership please contact Auto-ISAC Staff (staffautomotiveisaccom)
Real-time Intelligence Sharing
Development of Best Practice Guides
Intelligence Summaries Exchanges and Workshops
Regular intelligence meetings
Tabletop exercises
Crisis Notifications Webinars and Presentations
Member Contact Directory Annual Auto-ISAC Summit Event
359 March 2020TLP WHITE Disclosure and distribution is not limited
Strategic Partnership Programs
NAVIGATORSupport Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics activities
INNOVATORPaid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATORCoordination Partnership
- ldquoSee something say somethingrdquo
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTORSponsorshipPartnership
- Participate in monthly community calls
- Sponsor Summit- Network with Auto
Community- Webinar Events
Solutions Providers
For-profit companies that sell connected
vehicle cybersecurity products amp services
Examples Hacker ONE SANS IOActive
AffiliationsGovernment
academia research non-profit orgs with
complementary missions to Auto-ISAC
Examples NCI DHS NHTSA
CommunityCompanies interested
in engaging the automotive ecosystem
and supporting -educating the community
Examples Summit sponsorship ndash
key events
AssociationsIndustry associations and others who want to support and invest
in the Auto-ISAC activities
Examples Auto Alliance Global Auto ATA
Closing Remarks
369 March 2020TLP WHITE Disclosure and distribution is not limited
Focused Intelligence InformationBriefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
Closing Remarks
379 March 2020TLP WHITE Disclosure and distribution is not limited 37
Thank you
Thank you
389 March 2020TLP WHITE Disclosure and distribution is not limited
Our contact info
Faye FrancyExecutive Director
20 F Street NW Suite 700Washington DC 20001
703-861-5417fayefrancyautomotiveisaccom
Josh PosterProgram Operations
Manager
20 F Street NW Suite 700Washington DC 20001
joshposterautomotiveisaccom
automotiveisaccomauto-ISAC
DACS Project Goalsbull Identify data and criteria to determine if a modern
vehicle has been compromised through exploit of a cybersecurity vulnerability
bull Assess how data analytics can help understand the safety implications of the compromise after a successful exploit
bull Develop understanding of how data analytics could be used to trigger real-time recovery modes after a successful exploit
bull Enable approaches and techniques to forensically analyze post-exploit data to facilitate potential system improvements
DACS Project Overview End Product
bull Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains for use by the automotive industry to develop best practices standards and refine general data analytics and cyber programs
bull Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overviewbull Task 1 Project Managementbull Task 2 Problem Understand (due March 2020)
bull 2a Conduct literature surveymarket research bull 2b Conduct stakeholder meetings and SME interviewsbull 2c Prepare a problem understanding interim report
bull Task 3 Evaluations of Approaches amp Techniques (August 2020)bull 3a Identify relevant approachestechniques amp potential indicatorsbull 3b Develop data and operational information taxonomybull 3c Assess feasibility of applying approachestechniques for vehicles
bull Task 4 Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
bull 4a Identify potential recovery modes and data needsbull 4b Identify post-exploit analysis needs data typesbull 4c Identify post-exploit analysis needs data collection and storage
bull Task 5 Final Report (March 2021)
Potential for CDA within the Automotive Industry
bull CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
bull Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources
Example Off-board Peripheral Systems
Sensors Fleet Management Sys
ECUs Telematics SysServices
Head Unit Supply Chain Sys
Communication Buses OTA Networks
Wireless Interfaces DealerVehicle Lifecycle Sys
Aftermarket hard software
Third-party services
We would like to engage OEMssuppliers for a better understanding of activity in this space We are also reviewing CDA approaches in other domains and potential applicability within automotive
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPSbull Fewer standards in the types of
and processes of data in CPSbull Contain physical interfaces
sensors and actuatorsbull Higher availability requirementsbull Methodologies may not scale to
varying CPS network protocols applications and topologies
bull Pushing cyber data analytics approaches to the edge
Application of CDA to CPSbull Datasets are used to establish
baseline models for normal behavior to detect anomalies
bull Models must consider physical degradation and maintenance schedules
bull Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
VPN Suspicious Geographical LoginAnomalous Stateful ConnectionsAttempts for Unauthorized Stateful ConnectionsBlacklisted IP Access Attempthellip
External Boundary Activity
Packet Payload Size IncreaseSuspicious Network Scanning ActivityRogue Network Device Detection Physical Changes to PLCRTU (eg IO card)Substantial Increase in TrafficSuspicious PLCRTU Communication Port Accesshellip
Internal Network Activity
Status amp Trend Information
OS Patch Status (eg up to date)Application Patch StatusPLC Firmware Patch StatusHMI Firmware Patch StatusAnti-Malware StatusAnti-Virus StatusHIDS StatusDevice Inbound Traffic (Host Volume) Trend AnalysisDevice Outbound Traffic (Host Volume) Trend AnalysisUnauthorized Remote Tools on Host (eg RDP VNC)Other Behavioral Model Trend Analysishellip
OT Device MonitoringPLC Firmware ChangesHMI Firmware ChangesPLC Status Mode ChangesPLC Response Times LatencyPLC Scan Rate FrequencyPLCRTU Log Mods Statshellip
Account InformationOS Account CreationPLCRTU Account ModificationOS Group AssignmentServer Account LockoutServer Failed Login Attemptshellip
High-level Discussion Topics for Automotive StakeholdersMonitoringData Collectionbull How and for what purposes from
vehicles and edge devices bull How are you protecting storing and
disposing of this dataDetectionbull What cyber data analytics capabilities do
you have to determine if a vehicle has been compromised
bull Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle within peripheral off-board systems or both
bull How do you manage threat intel feeds and integrate them into your CDA solutions
bull Are you able to share any examples of indicators of attack or compromise
Recoverybull Has your organization ever used
an indicator to trigger a real-time recovery mode or response to mitigate safety risk
Forensicsbull How do you manage forensic
analysis activities after an exploitCDA Implementation and Advancementbull What arewere your challenges in
developing your CDA capabilitiesbull Would you have any suggestions
to government and industry to assist in overcoming these challenges
Points of ContactPlease contact us if you are interested in providing feedback on the project and information on your effortsCommunicated information will be attributed to generalized stakeholder groups (eg OEMs Suppliers) and not specific entities
bull Josh Kolleda Kolleda_Joshuabahcom (Booz Allen Hamilton)
bull Loren Stowe LStowevttivtedu (Virginia Tech Transportation Institute)
329 March 2020TLP WHITE Disclosure and distribution is not limited
Open DiscussionAround the Room
Any questions about the Auto-ISAC or future topics
for discussion
339 March 2020TLP WHITE Disclosure and distribution is not limited
Event Outlook
For full 2019 calendar visit wwwautomotiveisaccom
Closing Remarks
2020 Meetings Conferences Dates and Locations
TechAd Europe March 2-3 Berlin Germany
Connected Vehicles ndash Telematics Wire March 3-5 Bengaluru India
Auto-ISAC Community Call March 4 Telecon
Nullcon Conference March 6-7 Goa India
NDIA Cyber-Physical Systems Security Summit March 10-11 Detroit MI
Women in Cybersecurity Conference March 12-14 Aurora CO
SXSW 2020 March 12-22 Austin TX
SAE AeroTech Americas March 17-19 Pasadena CA
Automotive News World Congress March 24-25 Detroit MI
SAE On Board Diagnostics Symposium Europe March 24-26 Dublin Ireland
IQPC Detroit Automotive Cybersecurity Summit March 30-April 1 Detroit MI
Black Hat Asia 2020 March 31-April 3 Singapore
349 March 2020TLP WHITE Disclosure and distribution is not limited
Closing Remarks
If you are an OEM supplier or commercial vehicle company now is a great time to join
Auto-ISAC
How to Get Involved Membership
To learn more about Auto-ISAC Membership or Partnership please contact Auto-ISAC Staff (staffautomotiveisaccom)
Real-time Intelligence Sharing
Development of Best Practice Guides
Intelligence Summaries Exchanges and Workshops
Regular intelligence meetings
Tabletop exercises
Crisis Notifications Webinars and Presentations
Member Contact Directory Annual Auto-ISAC Summit Event
359 March 2020TLP WHITE Disclosure and distribution is not limited
Strategic Partnership Programs
NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities
INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATOR: Coordination Partnership
- “See something, say something”
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar / Events
Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services
Examples: Hacker ONE, SANS, IOActive
Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC
Examples: NCI, DHS, NHTSA
Community: Companies interested in engaging the automotive ecosystem and supporting / educating the community
Examples: Summit sponsorship – key events
Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities
Examples: Auto Alliance, Global Auto, ATA
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
• Focused Intelligence Information/Briefings
• Cybersecurity intelligence sharing
• Vulnerability resolution
• Member to Member Sharing
• Distribute Information Gathering Costs across the Sector
• Non-attribution and Anonymity of Submissions
• Information source for the entire organization
• Risk mitigation for automotive industry
• Comparative advantage in risk mitigation
• Security and Resiliency
Thank you
Our contact info
Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
fayefrancy@automotiveisac.com
Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
joshposter@automotiveisac.com
automotiveisac.com | @auto-ISAC
DACS Project Overview: End Product
• Identify the state-of-the-art in cyber data analytics for cyber-physical systems and other domains, for use by the automotive industry to develop best practices, standards, and refine general data analytics and cyber programs
• Develop potential automotive industry-specific cyber data analytics approaches for use in on-board and off-board vehicle systems
DACS Project Task Overview
• Task 1: Project Management
• Task 2: Problem Understanding (due March 2020)
  • 2a: Conduct literature survey/market research
  • 2b: Conduct stakeholder meetings and SME interviews
  • 2c: Prepare a problem understanding interim report
• Task 3: Evaluations of Approaches & Techniques (August 2020)
  • 3a: Identify relevant approaches/techniques & potential indicators
  • 3b: Develop data and operational information taxonomy
  • 3c: Assess feasibility of applying approaches/techniques for vehicles
• Task 4: Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
  • 4a: Identify potential recovery modes and data needs
  • 4b: Identify post-exploit analysis needs: data types
  • 4c: Identify post-exploit analysis needs: data collection and storage
• Task 5: Final Report (March 2021)
Potential for CDA within the Automotive Industry
• CDA approaches are generalized to apply both on-board the vehicle and within off-board systems that manage vehicle data
• Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources
• Sensors
• ECUs
• Head Unit
• Communication Buses
• Wireless Interfaces
• Aftermarket hard/software
Example Off-board Peripheral Systems
• Fleet Management Sys
• Telematics Sys/Services
• Supply Chain Sys
• OTA Networks
• Dealer/Vehicle Lifecycle Sys
• Third-party services
We would like to engage OEMs/suppliers for a better understanding of activity in this space. We are also reviewing CDA approaches in other domains and their potential applicability within automotive.
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPS
• Fewer standards in the types of and processes of data in CPS
• Contain physical interfaces, sensors and actuators
• Higher availability requirements
• Methodologies may not scale to varying CPS network protocols, applications and topologies
• Pushing cyber data analytics approaches to the edge
Application of CDA to CPS
• Datasets are used to establish baseline models for normal behavior to detect anomalies
• Models must consider physical degradation and maintenance schedules
• Sensor fusion algorithms can provide attack-resiliency for CPS
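The three points under "Application of CDA to CPS", as an added sketch that is not part of the original slides: a baseline model that learns normal behavior, follows slow drift from physical degradation, skips scheduled maintenance, and takes its input from a median over redundant sensors. The signal (a latency-like measurement in ms), the thresholds, and every class and function name are assumptions constructed for illustration.

```python
"""Added illustration: baseline anomaly detection for a CPS signal.
All names, thresholds and sample values are constructed assumptions."""
from dataclasses import dataclass
from statistics import median


def fuse(readings):
    """Median of redundant sensors: with 2f+1 sensors, up to f false
    readings cannot pull the fused value outside the honest range."""
    return median(readings)


def outliers(readings, tol):
    """Indexes of sensors that disagree with the fused value by more than tol.
    Fusion masks a bad sensor; this keeps the disagreement visible."""
    m = median(readings)
    return [i for i, r in enumerate(readings) if abs(r - m) > tol]


@dataclass
class BaselineDetector:
    alpha: float = 0.05   # EWMA weight: how quickly the baseline follows slow drift
    k: float = 5.0        # alert when |residual| > k * typical deviation
    warmup: int = 20      # samples used to learn the baseline before alerting
    floor: float = 0.05   # minimum deviation, avoids alerts on a near-constant signal
    mean: float = 0.0     # learned baseline level
    dev: float = 0.0      # learned mean absolute residual
    seen: int = 0         # normal samples absorbed so far

    def update(self, value, in_maintenance=False):
        """Feed one sample; return True if it is anomalous."""
        if in_maintenance:
            # Scheduled work changes behaviour legitimately: do not alert,
            # and do not let these samples contaminate the baseline.
            return False
        if self.seen == 0:
            self.mean, self.seen = value, 1
            return False
        residual = value - self.mean
        learning = self.seen < self.warmup
        anomalous = not learning and abs(residual) > self.k * max(self.dev, self.floor)
        if not anomalous:
            # Plain running average while learning, EWMA afterwards, so the
            # baseline tracks gradual degradation instead of alarming on it.
            self.mean += max(self.alpha, 1 / (self.seen + 1)) * residual
            self.dev += max(self.alpha, 1 / self.seen) * (abs(residual) - self.dev)
            self.seen += 1
        # Anomalous samples never update the model: a persistent shift keeps
        # alerting until someone decides to re-baseline.
        return anomalous


JITTER = (0.2, -0.1, 0.1, -0.2, 0.0)   # constructed measurement noise pattern


def constructed_trace(n=200):
    """Yield (t, three redundant readings, in_maintenance); values are constructed."""
    for t in range(n):
        true = 10.0 + 0.005 * t + JITTER[t % 5]   # slow drift from wear
        maint = 100 <= t < 110
        if maint:
            true = 25.0                            # behaviour during scheduled service
        if t == 150:
            true += 5.0                            # abnormal process behaviour
        readings = [true, true + 0.05, true - 0.05]
        if t == 62:
            readings[2] = 99.0                     # one sensor reports a false value
        yield t, readings, maint


def run(honour_maintenance=True, use_fusion=True):
    """Replay the trace; return (sample indexes that alerted, detector)."""
    det, alerts = BaselineDetector(), []
    for t, readings, maint in constructed_trace():
        value = fuse(readings) if use_fusion else readings[2]
        if det.update(value, in_maintenance=maint and honour_maintenance):
            alerts.append(t)
    return alerts, det


if __name__ == "__main__":
    print("fused + maintenance-aware:", run()[0])
    print("maintenance ignored:      ", run(honour_maintenance=False)[0])
    print("single sensor, no fusion: ", run(use_fusion=False)[0])
```

Because the baseline adapts, cap how far it may move between maintenance events; otherwise a slow, sustained deviation is absorbed as if it were degradation.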
Potential Use Cases for ICS Threat Monitoring and Detection
External Boundary Activity
• VPN Suspicious Geographical Login
• Anomalous Stateful Connections
• Attempts for Unauthorized Stateful Connections
• Blacklisted IP Access Attempt
• …
Internal Network Activity
• Packet Payload Size Increase
• Suspicious Network Scanning Activity
• Rogue Network Device Detection
• Physical Changes to PLC/RTU (e.g., I/O card)
• Substantial Increase in Traffic
• Suspicious PLC/RTU Communication Port Access
• …
Status & Trend Information
• OS Patch Status (e.g., up to date)
• Application Patch Status
• PLC Firmware Patch Status
• HMI Firmware Patch Status
• Anti-Malware Status
• Anti-Virus Status
• HIDS Status
• Device Inbound Traffic (Host Volume) Trend Analysis
• Device Outbound Traffic (Host Volume) Trend Analysis
• Unauthorized Remote Tools on Host (e.g., RDP, VNC)
• Other Behavioral Model Trend Analysis
• …
OT Device Monitoring
• PLC Firmware Changes
• HMI Firmware Changes
• PLC Status Mode Changes
• PLC Response Times Latency
• PLC Scan Rate Frequency
• PLC/RTU Log Mods Stats
• …
Account Information
• OS Account Creation
• PLC/RTU Account Modification
• OS Group Assignment
• Server Account Lockout
• Server Failed Login Attempts
• …
High-level Discussion Topics for Automotive Stakeholders
Monitoring/Data Collection
• How and for what purposes from vehicles and edge devices?
• How are you protecting, storing and disposing of this data?
Detection
• What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
• Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
• How do you manage threat intel feeds and integrate them into your CDA solutions?
• Are you able to share any examples of indicators of attack or compromise?
Recovery
• Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?
Forensics
• How do you manage forensic analysis activities after an exploit?
CDA Implementation and Advancement
• What are/were your challenges in developing your CDA capabilities?
• Would you have any suggestions to government and industry to assist in overcoming these challenges?
Points of Contact
Please contact us if you are interested in providing feedback on the project and information on your efforts. Communicated information will be attributed to generalized stakeholder groups (e.g., OEMs, Suppliers) and not specific entities.
• Josh Kolleda, Kolleda_Joshua@bah.com (Booz Allen Hamilton)
• Loren Stowe, LStowe@vtti.vt.edu (Virginia Tech Transportation Institute)
Open Discussion: Around the Room
Any questions about the Auto-ISAC or future topics for discussion?
Event Outlook
For full 2019 calendar, visit www.automotiveisac.com
Closing Remarks
2020 Meetings Conferences Dates and Locations
TechAd Europe March 2-3 Berlin Germany
Connected Vehicles ndash Telematics Wire March 3-5 Bengaluru India
Auto-ISAC Community Call March 4 Telecon
Nullcon Conference March 6-7 Goa India
NDIA Cyber-Physical Systems Security Summit March 10-11 Detroit MI
Women in Cybersecurity Conference March 12-14 Aurora CO
SXSW 2020 March 12-22 Austin TX
SAE AeroTech Americas March 17-19 Pasadena CA
Automotive News World Congress March 24-25 Detroit MI
SAE On Board Diagnostics Symposium Europe March 24-26 Dublin Ireland
IQPC Detroit Automotive Cybersecurity Summit March 30-April 1 Detroit MI
Black Hat Asia 2020 March 31-April 3 Singapore
349 March 2020TLP WHITE Disclosure and distribution is not limited
Closing Remarks
If you are an OEM supplier or commercial vehicle company now is a great time to join
Auto-ISAC
How to Get Involved Membership
To learn more about Auto-ISAC Membership or Partnership please contact Auto-ISAC Staff (staffautomotiveisaccom)
Real-time Intelligence Sharing
Development of Best Practice Guides
Intelligence Summaries Exchanges and Workshops
Regular intelligence meetings
Tabletop exercises
Crisis Notifications Webinars and Presentations
Member Contact Directory Annual Auto-ISAC Summit Event
359 March 2020TLP WHITE Disclosure and distribution is not limited
Strategic Partnership Programs
NAVIGATORSupport Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics activities
INNOVATORPaid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATORCoordination Partnership
- ldquoSee something say somethingrdquo
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTORSponsorshipPartnership
- Participate in monthly community calls
- Sponsor Summit- Network with Auto
Community- Webinar Events
Solutions Providers
For-profit companies that sell connected
vehicle cybersecurity products amp services
Examples Hacker ONE SANS IOActive
AffiliationsGovernment
academia research non-profit orgs with
complementary missions to Auto-ISAC
Examples NCI DHS NHTSA
CommunityCompanies interested
in engaging the automotive ecosystem
and supporting -educating the community
Examples Summit sponsorship ndash
key events
AssociationsIndustry associations and others who want to support and invest
in the Auto-ISAC activities
Examples Auto Alliance Global Auto ATA
Closing Remarks
369 March 2020TLP WHITE Disclosure and distribution is not limited
Focused Intelligence InformationBriefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
Closing Remarks
379 March 2020TLP WHITE Disclosure and distribution is not limited 37
Thank you
Thank you
389 March 2020TLP WHITE Disclosure and distribution is not limited
Our contact info
Faye FrancyExecutive Director
20 F Street NW Suite 700Washington DC 20001
703-861-5417fayefrancyautomotiveisaccom
Josh PosterProgram Operations
Manager
20 F Street NW Suite 700Washington DC 20001
joshposterautomotiveisaccom
automotiveisaccomauto-ISAC
DACS Project Task Overviewbull Task 1 Project Managementbull Task 2 Problem Understand (due March 2020)
bull 2a Conduct literature surveymarket research bull 2b Conduct stakeholder meetings and SME interviewsbull 2c Prepare a problem understanding interim report
bull Task 3 Evaluations of Approaches amp Techniques (August 2020)bull 3a Identify relevant approachestechniques amp potential indicatorsbull 3b Develop data and operational information taxonomybull 3c Assess feasibility of applying approachestechniques for vehicles
bull Task 4 Evaluation of Recovery Modes and Post-Exploit Analysis (February 2021)
bull 4a Identify potential recovery modes and data needsbull 4b Identify post-exploit analysis needs data typesbull 4c Identify post-exploit analysis needs data collection and storage
bull Task 5 Final Report (March 2021)
Potential for CDA within the Automotive Industry
bull CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
bull Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources
Example Off-board Peripheral Systems
Sensors Fleet Management Sys
ECUs Telematics SysServices
Head Unit Supply Chain Sys
Communication Buses OTA Networks
Wireless Interfaces DealerVehicle Lifecycle Sys
Aftermarket hard software
Third-party services
We would like to engage OEMssuppliers for a better understanding of activity in this space We are also reviewing CDA approaches in other domains and potential applicability within automotive
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPSbull Fewer standards in the types of
and processes of data in CPSbull Contain physical interfaces
sensors and actuatorsbull Higher availability requirementsbull Methodologies may not scale to
varying CPS network protocols applications and topologies
bull Pushing cyber data analytics approaches to the edge
Application of CDA to CPSbull Datasets are used to establish
baseline models for normal behavior to detect anomalies
bull Models must consider physical degradation and maintenance schedules
bull Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
VPN Suspicious Geographical LoginAnomalous Stateful ConnectionsAttempts for Unauthorized Stateful ConnectionsBlacklisted IP Access Attempthellip
External Boundary Activity
Packet Payload Size IncreaseSuspicious Network Scanning ActivityRogue Network Device Detection Physical Changes to PLCRTU (eg IO card)Substantial Increase in TrafficSuspicious PLCRTU Communication Port Accesshellip
Internal Network Activity
Status amp Trend Information
OS Patch Status (eg up to date)Application Patch StatusPLC Firmware Patch StatusHMI Firmware Patch StatusAnti-Malware StatusAnti-Virus StatusHIDS StatusDevice Inbound Traffic (Host Volume) Trend AnalysisDevice Outbound Traffic (Host Volume) Trend AnalysisUnauthorized Remote Tools on Host (eg RDP VNC)Other Behavioral Model Trend Analysishellip
OT Device MonitoringPLC Firmware ChangesHMI Firmware ChangesPLC Status Mode ChangesPLC Response Times LatencyPLC Scan Rate FrequencyPLCRTU Log Mods Statshellip
Account InformationOS Account CreationPLCRTU Account ModificationOS Group AssignmentServer Account LockoutServer Failed Login Attemptshellip
High-level Discussion Topics for Automotive StakeholdersMonitoringData Collectionbull How and for what purposes from
vehicles and edge devices bull How are you protecting storing and
disposing of this dataDetectionbull What cyber data analytics capabilities do
you have to determine if a vehicle has been compromised
bull Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle within peripheral off-board systems or both
bull How do you manage threat intel feeds and integrate them into your CDA solutions
bull Are you able to share any examples of indicators of attack or compromise
Recoverybull Has your organization ever used
an indicator to trigger a real-time recovery mode or response to mitigate safety risk
Forensicsbull How do you manage forensic
analysis activities after an exploitCDA Implementation and Advancementbull What arewere your challenges in
developing your CDA capabilitiesbull Would you have any suggestions
to government and industry to assist in overcoming these challenges
Points of ContactPlease contact us if you are interested in providing feedback on the project and information on your effortsCommunicated information will be attributed to generalized stakeholder groups (eg OEMs Suppliers) and not specific entities
bull Josh Kolleda Kolleda_Joshuabahcom (Booz Allen Hamilton)
bull Loren Stowe LStowevttivtedu (Virginia Tech Transportation Institute)
329 March 2020TLP WHITE Disclosure and distribution is not limited
Open DiscussionAround the Room
Any questions about the Auto-ISAC or future topics
for discussion
339 March 2020TLP WHITE Disclosure and distribution is not limited
Event Outlook
For full 2019 calendar visit wwwautomotiveisaccom
Closing Remarks
2020 Meetings Conferences Dates and Locations
TechAd Europe March 2-3 Berlin Germany
Connected Vehicles ndash Telematics Wire March 3-5 Bengaluru India
Auto-ISAC Community Call March 4 Telecon
Nullcon Conference March 6-7 Goa India
NDIA Cyber-Physical Systems Security Summit March 10-11 Detroit MI
Women in Cybersecurity Conference March 12-14 Aurora CO
SXSW 2020 March 12-22 Austin TX
SAE AeroTech Americas March 17-19 Pasadena CA
Automotive News World Congress March 24-25 Detroit MI
SAE On Board Diagnostics Symposium Europe March 24-26 Dublin Ireland
IQPC Detroit Automotive Cybersecurity Summit March 30-April 1 Detroit MI
Black Hat Asia 2020 March 31-April 3 Singapore
349 March 2020TLP WHITE Disclosure and distribution is not limited
Closing Remarks
If you are an OEM supplier or commercial vehicle company now is a great time to join
Auto-ISAC
How to Get Involved Membership
To learn more about Auto-ISAC Membership or Partnership please contact Auto-ISAC Staff (staffautomotiveisaccom)
Real-time Intelligence Sharing
Development of Best Practice Guides
Intelligence Summaries Exchanges and Workshops
Regular intelligence meetings
Tabletop exercises
Crisis Notifications Webinars and Presentations
Member Contact Directory Annual Auto-ISAC Summit Event
359 March 2020TLP WHITE Disclosure and distribution is not limited
Strategic Partnership Programs
NAVIGATORSupport Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics activities
INNOVATORPaid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATORCoordination Partnership
- ldquoSee something say somethingrdquo
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTORSponsorshipPartnership
- Participate in monthly community calls
- Sponsor Summit- Network with Auto
Community- Webinar Events
Solutions Providers
For-profit companies that sell connected
vehicle cybersecurity products amp services
Examples Hacker ONE SANS IOActive
AffiliationsGovernment
academia research non-profit orgs with
complementary missions to Auto-ISAC
Examples NCI DHS NHTSA
CommunityCompanies interested
in engaging the automotive ecosystem
and supporting -educating the community
Examples Summit sponsorship ndash
key events
AssociationsIndustry associations and others who want to support and invest
in the Auto-ISAC activities
Examples Auto Alliance Global Auto ATA
Closing Remarks
369 March 2020TLP WHITE Disclosure and distribution is not limited
Focused Intelligence InformationBriefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
Closing Remarks
379 March 2020TLP WHITE Disclosure and distribution is not limited 37
Thank you
Thank you
389 March 2020TLP WHITE Disclosure and distribution is not limited
Our contact info
Faye FrancyExecutive Director
20 F Street NW Suite 700Washington DC 20001
703-861-5417fayefrancyautomotiveisaccom
Josh PosterProgram Operations
Manager
20 F Street NW Suite 700Washington DC 20001
joshposterautomotiveisaccom
automotiveisaccomauto-ISAC
Potential for CDA within the Automotive Industry
bull CDA approaches generalized to apply to on-board the vehicle and within off-board systems that manage vehicle data
bull Within these categories there are many sources of data (non-exhaustive) that could be leveraged for CDA purposes
Example On-board Vehicle Data Sources
Example Off-board Peripheral Systems
Sensors Fleet Management Sys
ECUs Telematics SysServices
Head Unit Supply Chain Sys
Communication Buses OTA Networks
Wireless Interfaces DealerVehicle Lifecycle Sys
Aftermarket hard software
Third-party services
We would like to engage OEMssuppliers for a better understanding of activity in this space We are also reviewing CDA approaches in other domains and potential applicability within automotive
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPSbull Fewer standards in the types of
and processes of data in CPSbull Contain physical interfaces
sensors and actuatorsbull Higher availability requirementsbull Methodologies may not scale to
varying CPS network protocols applications and topologies
bull Pushing cyber data analytics approaches to the edge
Application of CDA to CPSbull Datasets are used to establish
baseline models for normal behavior to detect anomalies
bull Models must consider physical degradation and maintenance schedules
bull Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
VPN Suspicious Geographical LoginAnomalous Stateful ConnectionsAttempts for Unauthorized Stateful ConnectionsBlacklisted IP Access Attempthellip
External Boundary Activity
Packet Payload Size IncreaseSuspicious Network Scanning ActivityRogue Network Device Detection Physical Changes to PLCRTU (eg IO card)Substantial Increase in TrafficSuspicious PLCRTU Communication Port Accesshellip
Internal Network Activity
Status amp Trend Information
OS Patch Status (eg up to date)Application Patch StatusPLC Firmware Patch StatusHMI Firmware Patch StatusAnti-Malware StatusAnti-Virus StatusHIDS StatusDevice Inbound Traffic (Host Volume) Trend AnalysisDevice Outbound Traffic (Host Volume) Trend AnalysisUnauthorized Remote Tools on Host (eg RDP VNC)Other Behavioral Model Trend Analysishellip
OT Device MonitoringPLC Firmware ChangesHMI Firmware ChangesPLC Status Mode ChangesPLC Response Times LatencyPLC Scan Rate FrequencyPLCRTU Log Mods Statshellip
Account InformationOS Account CreationPLCRTU Account ModificationOS Group AssignmentServer Account LockoutServer Failed Login Attemptshellip
High-level Discussion Topics for Automotive StakeholdersMonitoringData Collectionbull How and for what purposes from
vehicles and edge devices bull How are you protecting storing and
disposing of this dataDetectionbull What cyber data analytics capabilities do
you have to determine if a vehicle has been compromised
bull Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle within peripheral off-board systems or both
bull How do you manage threat intel feeds and integrate them into your CDA solutions
bull Are you able to share any examples of indicators of attack or compromise
Recoverybull Has your organization ever used
an indicator to trigger a real-time recovery mode or response to mitigate safety risk
Forensicsbull How do you manage forensic
analysis activities after an exploitCDA Implementation and Advancementbull What arewere your challenges in
developing your CDA capabilitiesbull Would you have any suggestions
to government and industry to assist in overcoming these challenges
Points of ContactPlease contact us if you are interested in providing feedback on the project and information on your effortsCommunicated information will be attributed to generalized stakeholder groups (eg OEMs Suppliers) and not specific entities
bull Josh Kolleda Kolleda_Joshuabahcom (Booz Allen Hamilton)
bull Loren Stowe LStowevttivtedu (Virginia Tech Transportation Institute)
329 March 2020TLP WHITE Disclosure and distribution is not limited
Open DiscussionAround the Room
Any questions about the Auto-ISAC or future topics
for discussion
339 March 2020TLP WHITE Disclosure and distribution is not limited
Event Outlook
For full 2019 calendar visit wwwautomotiveisaccom
Closing Remarks
2020 Meetings Conferences Dates and Locations
TechAd Europe March 2-3 Berlin Germany
Connected Vehicles ndash Telematics Wire March 3-5 Bengaluru India
Auto-ISAC Community Call March 4 Telecon
Nullcon Conference March 6-7 Goa India
NDIA Cyber-Physical Systems Security Summit March 10-11 Detroit MI
Women in Cybersecurity Conference March 12-14 Aurora CO
SXSW 2020 March 12-22 Austin TX
SAE AeroTech Americas March 17-19 Pasadena CA
Automotive News World Congress March 24-25 Detroit MI
SAE On Board Diagnostics Symposium Europe March 24-26 Dublin Ireland
IQPC Detroit Automotive Cybersecurity Summit March 30-April 1 Detroit MI
Black Hat Asia 2020 March 31-April 3 Singapore
349 March 2020TLP WHITE Disclosure and distribution is not limited
Closing Remarks
If you are an OEM supplier or commercial vehicle company now is a great time to join
Auto-ISAC
How to Get Involved Membership
To learn more about Auto-ISAC Membership or Partnership please contact Auto-ISAC Staff (staffautomotiveisaccom)
Real-time Intelligence Sharing
Development of Best Practice Guides
Intelligence Summaries Exchanges and Workshops
Regular intelligence meetings
Tabletop exercises
Crisis Notifications Webinars and Presentations
Member Contact Directory Annual Auto-ISAC Summit Event
359 March 2020TLP WHITE Disclosure and distribution is not limited
Strategic Partnership Programs
NAVIGATORSupport Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics activities
INNOVATORPaid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATORCoordination Partnership
- ldquoSee something say somethingrdquo
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTORSponsorshipPartnership
- Participate in monthly community calls
- Sponsor Summit- Network with Auto
Community- Webinar Events
Solutions Providers
For-profit companies that sell connected
vehicle cybersecurity products amp services
Examples Hacker ONE SANS IOActive
AffiliationsGovernment
academia research non-profit orgs with
complementary missions to Auto-ISAC
Examples NCI DHS NHTSA
CommunityCompanies interested
in engaging the automotive ecosystem
and supporting -educating the community
Examples Summit sponsorship ndash
key events
AssociationsIndustry associations and others who want to support and invest
in the Auto-ISAC activities
Examples Auto Alliance Global Auto ATA
Closing Remarks
369 March 2020TLP WHITE Disclosure and distribution is not limited
Focused Intelligence InformationBriefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
Closing Remarks
379 March 2020TLP WHITE Disclosure and distribution is not limited 37
Thank you
Thank you
389 March 2020TLP WHITE Disclosure and distribution is not limited
Our contact info
Faye FrancyExecutive Director
20 F Street NW Suite 700Washington DC 20001
703-861-5417fayefrancyautomotiveisaccom
Josh PosterProgram Operations
Manager
20 F Street NW Suite 700Washington DC 20001
joshposterautomotiveisaccom
automotiveisaccomauto-ISAC
Generalized High-level IT CDA and Security Operation Center (SOC) Activities
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPSbull Fewer standards in the types of
and processes of data in CPSbull Contain physical interfaces
sensors and actuatorsbull Higher availability requirementsbull Methodologies may not scale to
varying CPS network protocols applications and topologies
bull Pushing cyber data analytics approaches to the edge
Application of CDA to CPSbull Datasets are used to establish
baseline models for normal behavior to detect anomalies
bull Models must consider physical degradation and maintenance schedules
bull Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
VPN Suspicious Geographical LoginAnomalous Stateful ConnectionsAttempts for Unauthorized Stateful ConnectionsBlacklisted IP Access Attempthellip
External Boundary Activity
Packet Payload Size IncreaseSuspicious Network Scanning ActivityRogue Network Device Detection Physical Changes to PLCRTU (eg IO card)Substantial Increase in TrafficSuspicious PLCRTU Communication Port Accesshellip
Internal Network Activity
Status amp Trend Information
OS Patch Status (eg up to date)Application Patch StatusPLC Firmware Patch StatusHMI Firmware Patch StatusAnti-Malware StatusAnti-Virus StatusHIDS StatusDevice Inbound Traffic (Host Volume) Trend AnalysisDevice Outbound Traffic (Host Volume) Trend AnalysisUnauthorized Remote Tools on Host (eg RDP VNC)Other Behavioral Model Trend Analysishellip
OT Device MonitoringPLC Firmware ChangesHMI Firmware ChangesPLC Status Mode ChangesPLC Response Times LatencyPLC Scan Rate FrequencyPLCRTU Log Mods Statshellip
Account InformationOS Account CreationPLCRTU Account ModificationOS Group AssignmentServer Account LockoutServer Failed Login Attemptshellip
High-level Discussion Topics for Automotive StakeholdersMonitoringData Collectionbull How and for what purposes from
vehicles and edge devices bull How are you protecting storing and
disposing of this dataDetectionbull What cyber data analytics capabilities do
you have to determine if a vehicle has been compromised
bull Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle within peripheral off-board systems or both
bull How do you manage threat intel feeds and integrate them into your CDA solutions
bull Are you able to share any examples of indicators of attack or compromise
Recoverybull Has your organization ever used
an indicator to trigger a real-time recovery mode or response to mitigate safety risk
Forensicsbull How do you manage forensic
analysis activities after an exploitCDA Implementation and Advancementbull What arewere your challenges in
developing your CDA capabilitiesbull Would you have any suggestions
to government and industry to assist in overcoming these challenges
Points of ContactPlease contact us if you are interested in providing feedback on the project and information on your effortsCommunicated information will be attributed to generalized stakeholder groups (eg OEMs Suppliers) and not specific entities
bull Josh Kolleda Kolleda_Joshuabahcom (Booz Allen Hamilton)
bull Loren Stowe LStowevttivtedu (Virginia Tech Transportation Institute)
329 March 2020TLP WHITE Disclosure and distribution is not limited
Open DiscussionAround the Room
Any questions about the Auto-ISAC or future topics
for discussion
339 March 2020TLP WHITE Disclosure and distribution is not limited
Event Outlook
For full 2019 calendar visit wwwautomotiveisaccom
Closing Remarks
2020 Meetings Conferences Dates and Locations
TechAd Europe March 2-3 Berlin Germany
Connected Vehicles ndash Telematics Wire March 3-5 Bengaluru India
Auto-ISAC Community Call March 4 Telecon
Nullcon Conference March 6-7 Goa India
NDIA Cyber-Physical Systems Security Summit March 10-11 Detroit MI
Women in Cybersecurity Conference March 12-14 Aurora CO
SXSW 2020 March 12-22 Austin TX
SAE AeroTech Americas March 17-19 Pasadena CA
Automotive News World Congress March 24-25 Detroit MI
SAE On Board Diagnostics Symposium Europe March 24-26 Dublin Ireland
IQPC Detroit Automotive Cybersecurity Summit March 30-April 1 Detroit MI
Black Hat Asia 2020 March 31-April 3 Singapore
349 March 2020TLP WHITE Disclosure and distribution is not limited
Closing Remarks
If you are an OEM supplier or commercial vehicle company now is a great time to join
Auto-ISAC
How to Get Involved Membership
To learn more about Auto-ISAC Membership or Partnership please contact Auto-ISAC Staff (staffautomotiveisaccom)
Real-time Intelligence Sharing
Development of Best Practice Guides
Intelligence Summaries Exchanges and Workshops
Regular intelligence meetings
Tabletop exercises
Crisis Notifications Webinars and Presentations
Member Contact Directory Annual Auto-ISAC Summit Event
Strategic Partnership Programs
NAVIGATOR: Support Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics / activities
INNOVATOR: Paid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATOR: Coordination Partnership
- "See something, say something"
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTOR: Sponsorship Partnership
- Participate in monthly community calls
- Sponsor Summit
- Network with Auto Community
- Webinar / Events
Solutions Providers: For-profit companies that sell connected vehicle cybersecurity products & services. Examples: Hacker ONE, SANS, IOActive
Affiliations: Government, academia, research, non-profit orgs with complementary missions to Auto-ISAC. Examples: NCI, DHS, NHTSA
Community: Companies interested in engaging the automotive ecosystem and supporting - educating the community. Examples: Summit sponsorship – key events
Associations: Industry associations and others who want to support and invest in the Auto-ISAC activities. Examples: Auto Alliance, Global Auto, ATA
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
Focused Intelligence Information/Briefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Thank you
Our contact info
Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
fayefrancy@automotiveisac.com
Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
joshposter@automotiveisac.com
automotiveisac.com
@auto-ISAC
CDA within Cyber-Physical Systems (CPS)
Differences between IT and CPS
• Fewer standards in the types of and processes of data in CPS
• Contain physical interfaces, sensors and actuators
• Higher availability requirements
• Methodologies may not scale to varying CPS network protocols, applications and topologies
• Pushing cyber data analytics approaches to the edge
Application of CDA to CPS
• Datasets are used to establish baseline models for normal behavior to detect anomalies
• Models must consider physical degradation and maintenance schedules
• Sensor fusion algorithms can provide attack-resiliency for CPS
Potential Use Cases for ICS Threat Monitoring and Detection
External Boundary Activity
- VPN Suspicious Geographical Login
- Anomalous Stateful Connections
- Attempts for Unauthorized Stateful Connections
- Blacklisted IP Access Attempt
- …
Internal Network Activity
- Packet Payload Size Increase
- Suspicious Network Scanning Activity
- Rogue Network Device Detection / Physical Changes to PLC/RTU (e.g., I/O card)
- Substantial Increase in Traffic
- Suspicious PLC/RTU Communication Port Access
- …
Status & Trend Information
- OS Patch Status (e.g., up to date)
- Application Patch Status
- PLC Firmware Patch Status
- HMI Firmware Patch Status
- Anti-Malware Status
- Anti-Virus Status
- HIDS Status
- Device Inbound Traffic (Host Volume) Trend Analysis
- Device Outbound Traffic (Host Volume) Trend Analysis
- Unauthorized Remote Tools on Host (e.g., RDP, VNC)
- Other Behavioral Model Trend Analysis
- …
OT Device Monitoring
- PLC Firmware Changes
- HMI Firmware Changes
- PLC Status Mode Changes
- PLC Response Times / Latency
- PLC Scan Rate / Frequency
- PLC/RTU Log Mods / Stats
- …
Account Information
- OS Account Creation
- PLC/RTU Account Modification
- OS Group Assignment
- Server Account Lockout
- Server Failed Login Attempts
- …
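The baseline-model points from the CDA slide, applied to one OT device monitoring signal from the list above (PLC response latency), as an added example that is not code from the slides or the research project. It compares a rolling robust baseline that follows slow degradation drift and skips scheduled maintenance with a frozen baseline that does neither; the capture, the maintenance schedule, the thresholds and all function names are constructed assumptions.

```python
from statistics import median


def constructed_capture():
    """Constructed data: PLC response latency in ms, one sample per minute."""
    samples = []
    for t in range(300):
        jitter = ((t * 7) % 5 - 2) * 0.1      # deterministic +/-0.2 ms noise
        value = 10.0 + 0.01 * t + jitter      # slow upward drift (degradation)
        if 100 <= t < 120:
            value = 40.0                      # scheduled maintenance: PLC busy
        if 200 <= t <= 202:
            value = 25.0                      # unexplained latency spike
        samples.append((t, value))
    return samples


# Assumed maintenance schedule, as [start, end) minute ranges.
MAINTENANCE = [(100, 120)]


def in_maintenance(t, windows):
    return any(start <= t < end for start, end in windows)


def detect(samples, maintenance=(), window=20, k=6.0, min_mad=0.2, adapt=True):
    """Return the timestamps whose value deviates from the baseline.

    Baseline: median of the last `window` accepted samples.
    Spread:   median absolute deviation (MAD), floored at `min_mad` so a
              very quiet signal does not produce a near-zero threshold.
    - Samples inside a maintenance window are neither scored nor learned.
    - Flagged samples are never learned, so a burst of bad values cannot
      pull the baseline towards itself.
    - With adapt=False the baseline is frozen after warm-up (the naive
      model used for comparison).
    """
    history, alerts = [], []
    for t, value in samples:
        if in_maintenance(t, maintenance):
            continue
        if len(history) < window:             # warm-up: learn only
            history.append(value)
            continue
        base = median(history)
        mad = max(median([abs(x - base) for x in history]), min_mad)
        score = abs(value - base) / (1.4826 * mad)   # ~ robust z-score
        if score > k:
            alerts.append(t)
        elif adapt:
            history = history[1:] + [value]   # slide the window forward
    return alerts


if __name__ == "__main__":
    capture = constructed_capture()
    aware = detect(capture, MAINTENANCE)
    naive = detect(capture, adapt=False)
    print("rolling baseline + maintenance schedule:", aware)
    print("frozen baseline, no schedule: %d alerts, first %s, last %s"
          % (len(naive), naive[0], naive[-1]))
```

The frozen model alerts on every maintenance minute and then on ordinary samples once drift has carried the signal past its original threshold, which is the false-positive load the slide's "physical degradation and maintenance schedules" bullet warns about.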
High-level Discussion Topics for Automotive Stakeholders
Monitoring/Data Collection
• How and for what purposes from vehicles and edge devices?
• How are you protecting, storing and disposing of this data?
Detection
• What cyber data analytics capabilities do you have to determine if a vehicle has been compromised?
• Do your capabilities focus on the ability to detect anomalous activities on-board the vehicle, within peripheral off-board systems, or both?
• How do you manage threat intel feeds and integrate them into your CDA solutions?
• Are you able to share any examples of indicators of attack or compromise?
Recovery
• Has your organization ever used an indicator to trigger a real-time recovery mode or response to mitigate safety risk?
Forensics
• How do you manage forensic analysis activities after an exploit?
CDA Implementation and Advancement
• What are/were your challenges in developing your CDA capabilities?
• Would you have any suggestions to government and industry to assist in overcoming these challenges?
339 March 2020TLP WHITE Disclosure and distribution is not limited
Event Outlook
For full 2019 calendar visit wwwautomotiveisaccom
Closing Remarks
2020 Meetings Conferences Dates and Locations
TechAd Europe March 2-3 Berlin Germany
Connected Vehicles ndash Telematics Wire March 3-5 Bengaluru India
Auto-ISAC Community Call March 4 Telecon
Nullcon Conference March 6-7 Goa India
NDIA Cyber-Physical Systems Security Summit March 10-11 Detroit MI
Women in Cybersecurity Conference March 12-14 Aurora CO
SXSW 2020 March 12-22 Austin TX
SAE AeroTech Americas March 17-19 Pasadena CA
Automotive News World Congress March 24-25 Detroit MI
SAE On Board Diagnostics Symposium Europe March 24-26 Dublin Ireland
IQPC Detroit Automotive Cybersecurity Summit March 30-April 1 Detroit MI
Black Hat Asia 2020 March 31-April 3 Singapore
349 March 2020TLP WHITE Disclosure and distribution is not limited
Closing Remarks
If you are an OEM supplier or commercial vehicle company now is a great time to join
Auto-ISAC
How to Get Involved Membership
To learn more about Auto-ISAC Membership or Partnership please contact Auto-ISAC Staff (staffautomotiveisaccom)
Real-time Intelligence Sharing
Development of Best Practice Guides
Intelligence Summaries Exchanges and Workshops
Regular intelligence meetings
Tabletop exercises
Crisis Notifications Webinars and Presentations
Member Contact Directory Annual Auto-ISAC Summit Event
359 March 2020TLP WHITE Disclosure and distribution is not limited
Strategic Partnership Programs
NAVIGATORSupport Partnership
- Provides guidance and support
- Annual definition of activity commitments and expected outcomes
- Provides guidance on key topics activities
INNOVATORPaid Partnership
- Annual investment and agreement
- Specific commitment to engage with ISAC
- In-kind contributions allowed
COLLABORATORCoordination Partnership
- ldquoSee something say somethingrdquo
- May not require a formal agreement
- Information exchanges-coordination activities
BENEFACTORSponsorshipPartnership
- Participate in monthly community calls
- Sponsor Summit- Network with Auto
Community- Webinar Events
Solutions Providers
For-profit companies that sell connected
vehicle cybersecurity products amp services
Examples Hacker ONE SANS IOActive
AffiliationsGovernment
academia research non-profit orgs with
complementary missions to Auto-ISAC
Examples NCI DHS NHTSA
CommunityCompanies interested
in engaging the automotive ecosystem
and supporting -educating the community
Examples Summit sponsorship ndash
key events
AssociationsIndustry associations and others who want to support and invest
in the Auto-ISAC activities
Examples Auto Alliance Global Auto ATA
Closing Remarks
369 March 2020TLP WHITE Disclosure and distribution is not limited
Focused Intelligence InformationBriefings
Cybersecurity intelligence sharing
Vulnerability resolution
Member to Member Sharing
Distribute Information Gathering Costs across the Sector
Non-attribution and Anonymity of Submissions
Information source for the entire organization
Risk mitigation for automotive industry
Comparative advantage in risk mitigation
Security and Resiliency
Auto-ISAC Benefits
Building Resiliency Across the Auto Industry
Closing Remarks
379 March 2020TLP WHITE Disclosure and distribution is not limited 37
Thank you
Our contact info
Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
fayefrancy@automotiveisac.com
Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
joshposter@automotiveisac.com
automotiveisac.com | auto-ISAC
If you are an OEM, supplier or commercial vehicle company, now is a great time to join Auto-ISAC.
How to Get Involved: Membership
To learn more about Auto-ISAC Membership or Partnership, please contact Auto-ISAC Staff (staff@automotiveisac.com).
Real-time Intelligence Sharing
Development of Best Practice Guides
Intelligence Summaries
Exchanges and Workshops
Regular intelligence meetings
Tabletop exercises
Crisis Notifications
Webinars and Presentations
Member Contact Directory
Annual Auto-ISAC Summit Event