Wednesday, October 12, 2016

SECURITY FOR THE AUTOMOTIVE INDUSTRY: From End To End



Bill Boldt
Business Development Manager, Security
Blackberry 
wboldt@blackberry.com

Security is emerging as perhaps the most important factor in the evolution of the connected autonomous car. Due to high profile hacks on cars, it is hard to argue that without security you can have safety. Cars are the most software intensive systems in the universe with far more lines of code than even a state of the art jet fighter. 




With being such complex digital systems they have become prime targets for attack, and that is where cryptographic countermeasures come in. 

Connecting the dots:  in the emerging software-defined world,  safety increasingly comes from security, while security comes from cryptography. Robust cryptographic security implementation is how you increase trust, and in a car every system must be trusted, including inside the car, in the smart  infrastructure, in emerging applications-based ecosystems, and in the manufacturing supply
chain. 


When considering automotive security, many factors come into play. Some are noted here (and were noted in a prior blog, but are worth repeating):
  •  Security assets (e.g.  crypto keys, serial numbers, etc.) must be installed into
    electronic devices such as Electronic Control Units (ECUs), domain/area controllers, and other processors at manufacturing time. This process is called "personalization"
  • Those electronic devices must be distributed to and be installed into vehicles in globally located factories
  • They must be warehoused worldwide for subsequent repairs, and be updateable at dealers and repair shops
  • In addition, aftermarket suppliers must be able to sell and update secure devices, and
    OEMs must have the ability to authorize electronic devices or not (e.g. enforce warranty  policies) 

And, there are many more.
  
To maintain the maximum amount of flexibility, personalization (provisioning) and updating should be moved as close as possible to the very last minute. Each car maker will be faced with the same
situation and will have to design and manage secure device manufacturing systems, secure updating systems, and security certificate management systems that are global and long
term in nature.


The way in which these systems get deployed will have to be designed to the specific logistical and security needs of the manufacturer.

Fortunately, the tools to do that are available from Certicom; namely, the Managed PKI
System and Asset Management System. 



Asset Management System
Certicom’s Asset Management System (AMS) installs cryptographic keys into devices (such as ECUs, domain and area controllers, processors, memory,key storage ICs, etc.) to ensure they are secure from tampering, counterfeiting, cloning, and other bad things that happen to good systems.
 

Personalization using Certicom’s AMS solution automates the secure distribution and tracking of digital assets, especially when used in conjunction with the Managed PKI services. 

Certicom’s Managed PKI Certificate Services helps high volume manufacturers secure devices and securely enforce ecosystem requirements. Authentication is enforced via certificates, which is a method that provides the highest levels of security. 



Mangaged PKI System
 
Certicom’s managed PKI system was initially created for BlackBerry mobile devices, which speaks to high security and volume production scale capabilities. 

Managed PKI performs four essential functions:
  1. ISSUE: Automatically issue certificates tvalidated devices 
  2. MANAGE: Track all of the issued certificates 
  3. RENEW: Automatically renew active devices 
  4. REVOKE: Disable certificates of lost or decommissioned devices






Security Design Consulting
The overall automotive manufacturing blueprint must be designed with best practices in mind right from the start, and BlackBerry Professional Services can help with that.  BlackBerry’s cybersecurity consulting and tools help to:


  • Identify the latest cybersecurity threats
  • Develop risk appropriate mitigation strategies
  • Implement and maintain IT security standards and techniques, and
  • Defend against the risk of future attacks
BlackBerry is making the proprietary security skill sets that made BlackBerry mobile device the most secure in the world available to the open market. BlackBerry's Professional Security Services teams provide design, analysis, response, and testing ("DART") via a range of services, as noted in the table below, among others:



 
With security skills honed in the mobile industry, industry leading cryptographic  expertise, and decades of automotive software experience, you can see that Blackberry brings it all together.

No comments:

Post a Comment