The Problem

Computers control steering and brakes usually nowadays, and "smart" features increase a vehicle's attack surface and occasionally introduce vulnerabilities.
Even a combination of seemingly minor vulnerabilities can undermine a vehicle's cybersecurity.
Securing automotive Information Technology (IT) is expensive and challenging, even for leading tech companies.
Compared to corporate IT, this challenge arises from a) the safety-criticality, b) homologation obligations, and c) the IT diversity within each vehicle.
[a] Safety criticality: ECUs (Electronic Control Units) cannot stay indoors with air-conditioning but must work safely and reliably outdoors in the scorching sun and on freezing winter nights, from deserts to the Arctic.
Such extreme conditions demand special software requirements, which can interfere with security patching.
[b] Homologation obligations: Securing ECUs with swift patches can be hindered by governmental homologation obligations, as patches must not interfere with certifications, e.g., for exhaust purification or crash safety.
[c] IT diversity: ECUs are challenging to secure due to their diversity, as they usually do not communicate homogeneously via TCP/IP (Transmission Control Protocol / Internet Protocol) but rather via a combination of CAN (Controller Area Network), MOST (Media Oriented Systems Transport), LIN (Local Interconnect Network), BroadR-Reach, and FlexRay. ECUs usually do not incorporate x86 CPUs but rather a combination of TriCore, Super-H, PowerPC, ARM, V850, and even less-widely known chips, as this obtains maximum dependability, energy efficiency, and sustainability.

How does this help? Who will benefit?

AutoSAlfER's automatic evaluation boosts people's productivity for a more sustainable automotive cyber security:
- Architects can automatically evaluate their designs, recheck changes for surprising attack combinations, and shape network topologies toward more security.
- Penetration testers ("red teams") get a head-start on the riskiest and most significant targets and network connections.
- Risk managers can extend their calculations onto a sound model for more precisely and reliably calculated risk reserves.
- Incident handlers ("blue teams") can enrich their situation report regarding what targets and assets could be compromised next and how acutely they are at stake.
- All stakeholders get orientation on anticipated neuralgic points and their impact on adequately prioritizing cybersecurity investments.
- Ultimately, we all gain more security and, thus, safety in and around autonomous, connected, electrified, and shared vehicles.

Why are you a good person to tell us this?

I initiated, planned, designed, implemented, documented, tested, and evaluated the Automotive Security Analyzer for Exploitability Risks (AutoSAlfER).

Agenda
1) Motivation and Survey
2) Data and Models
a. System Model, Attacker Profile, and Exploit Model
b. Attack Surface Exploitability Quantification
c. Implementation / Tech Stack
3) Practical Demo
4) Algorithms for Attack Graphs
a. Single-Path Attack Graph Algorithm (PI + PII)
b. Implementation and Evaluation of PI + PII
5) Algorithms for Total Risk
a. Probabilistic Model
b. Multi-Path Attack Graph Algorithm (P3Salfer)
c. Bayes Network Unsuitability Finding
d. Design and Implementation of an Alternative Algorithm with Bayesian Networks (P3Bayes)
e. Implementation and Evaluation of the Multi-Path Attack Graph Algorithm (P3Salfer)
6) Future Work
7) Further Material
a) Book
b) Papers, an Article, and Posters
c) Open-Source Software