Feb 12 2024

Integrating cybersecurity into vehicle design and manufacturing

Category: cyber security,Security Architecturedisc7 @ 10:12 am

In this Help Net Security interview, Yaron Edan, CISO at REE Automotive, discusses the cybersecurity landscape of the automotive industry, mainly focusing on electric and connected vehicles.

Edan highlights the challenges of technological advancements and outlines strategies for automakers to address cyber threats effectively. Additionally, he emphasizes the importance of consumer awareness in ensuring vehicle security.

Can you describe the state of cybersecurity in the automotive industry, especially in the context of electric and connected vehicles?

The automotive industry is experiencing a digital breakthrough transforming how vehicles are designed, manufactured, and used, primarily driven by the introduction and popularity of electric and autonomous vehicles. Technological advancements have been introduced and integrated throughout the vehicle life cycle. This brings numerous benefits like enhanced safety and improved efficiency to the cars we drive daily, but it also brings new and pressing cybersecurity challenges.

Now that our vehicles are becoming increasingly connected to the internet can go through Over-the-Air (OTA) updates, use remote management, contain Advanced Driver Assistance Systems (ADAS), and employ AI, the potential avenues for cyberattacks have expanded for threat actors to exploit in a significant way.

What steps are automakers taking to address cybersecurity challenges in their latest vehicle models?

We use different forms and increasing amounts of software in our vehicles. The first challenge is in the supply chain, not just in terms of who provides the software; the issue penetrates each layer. Automakers need to understand this from a risk management perspective to pinpoint the onset and location of each specific risk. Suppliers must be involved in this process and continue to follow guidelines put in place by the automaker.

The second challenge involves software updating. As technology continues to evolve and more features are added, cybercriminals find new ways to exploit flaws and gaps in systems that we may not have been aware of because of the newness of the technology. Regular software updates must be administered to products to patch holes in systems, improve existing vulnerabilities and improve product performance.

In order to address these challenges, automakers need to conduct an initial risk assessment to understand what kind of threats and the type of threat actors are active within each layer of the product and supply chain in the automotive industry. From the experience gained from the initial risk assessment, a procedure must be put in place to ensure each internal and external employee and supplier knows their role in maintaining security at the company.

The procedure determines which types of threat actors are active within the automotive industry, where they are located, and each threat’s severity. This is complicated because threat actors reside worldwide in large numbers, and each group uses various forms of attacks to various degrees. Automakers use the information collected daily to help protect their assets. Additionally, audits must be conducted regularly to evaluate each supplier and employee to verify the procedures are followed correctly, don’t need to be updated, etc.

Can you explain how vehicle manufacturers integrate cybersecurity into the design and development process?

Once you have a factory line running, the first step to integrate cybersecurity into the manufacturing process is to secure the operation technology (OT) policy by understanding the risk and how to close the gaps. Manufacturers must deal with OT threats, which involve thousands of unique threats coming from the product lines, sensors, and other equipment involved in the manufacturing process, instead of systems like computers.

These threats can be especially dangerous if left ignored because of the simplicity of the equipment used in this stage. Suppose you are a threat actor and you want to damage an automaker. In that case, it is much more difficult to conduct a cyberattack on the cloud or the employees of an automaker. Still, the factory line is easier to attack because it uses equipment that is easier to breach and actions are less detected. This is a very common area for threat actors to target.

What key strategies are you recommending for protecting connected and electric vehicles against cyber threats?

Automotive companies must take a proactive approach to addressing cybersecurity threats instead of being reactive. This allows security teams to avoid threats instead of responding later once the damage has already been done. A few proactive strategies I’d recommend for companies are the following.

  • Conduct a risk assessment to understand and prioritize current and future risks.
  • Develop company-wide security policies and procedures so all employees know their roles in maintaining security.
  • Hold regular security training and awareness programs to educate employees.
  • Implement strong network security measures, including firewalls, detection systems, and encryption, to monitor your network traffic for any anomalies regularly.
  • Regularly backup critical data and store it in secure locations.
  • Develop a comprehensive incident response plan outlining steps to be taken during a cyberattack.
  • Conduct periodic security audits to evaluate the effectiveness of security measures and identify improvement areas.

Cybersecurity is an ongoing process that requires constant vigilance and adaptation – current strategies will likely become outdated and need to be reworked as new threats emerge.

What role do regulatory bodies play in shaping cybersecurity standards for electric and connected vehicles?

Regulatory bodies play a role in shaping cybersecurity standards, but they do not help you secure your products directly – that is up to each individual player in the automotive supply chain. The goal of regulatory bodies is to provide automakers with best practices on steps to take in the event of a cyber hack, what players to communicate with, and how deep to reach depending on the severity of the threat.

Once an automaker is compliant with certain regulatory rules, they will then ask the regulatory bodies to come to conduct an onsite visit, where they conduct an audit for months at a time, trying to hack each layer they can and look for any areas of weakness, to identify what needs to be patched up. This process needs to be repeated until the automaker is fully compliant.

What are the best practices that consumers should be aware of to ensure the cybersecurity of their electric or connected vehicles?

Consumers need to make sure the data collected in the vehicle stays private. For example, if you have an electric vehicle (EV) and you need to charge it, you might visit a public charging station. Not many people know this, but your vehicle data can be easy to hack at public charging stations because you are not only transferring electricity but also data.

To prevent this from happening, vehicle owners need to ask the right questions. Owning an EV is no different than when a homeowner goes to buy a large kitchen appliance, for example. The right questions need to be asked, including – who made it, whether the company has a cybersecurity procedure in place, whether it is currently compliant with regulatory body requirements, etc. Making sure that all software is regularly up to date is also essential. EV users must download official software from trusted brands using a secure network.

Along with automakers, consumers are partially responsible for their own security, which needs to be stressed to the general public more. Without this knowledge, consumers are left highly vulnerable to hacks from cybercriminals.

 InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: auto security, Car Security, Connected cars


Aug 10 2022

APIC/EPIC! Intel chips leak secrets even the kernel shouldn’t see

Here’s this week’s BWAIN, our jocular term for a Bug With An Impressive Name.

BWAIN is an accolade that we hand out when a new cybersecurity flaw not only turns out to be interesting and important, but also turns up with its own logo, domain name and website.

This one is dubbed Ă†PIC Leak, a pun on the words APIC and EPIC.

The former is short for Advanced Programmable Interrupt Controller, and the latter is simply the word “epic”, as in giantmassiveextrememegahumongous.

The letter Æ hasn’t been used in written English since Saxon times. Its name is æsc, pronounced ash (as in the tree), and it pretty much represents the sound of the A in in the modern word ASH. But we assume you’re supposed to pronounce the word ÆPIC here either as “APIC-slash-EPIC”, or as “ah!-eh?-PIC”.

What’s it all about?

All of this raises five fascinating questions:

  • What is an APIC, and why do I need it?
  • How can you have data that even the kernel can’t peek at?
  • What causes this epic failure in APIC?
  • Does the ÆPIC Leak affect me?
  • What to do about it?

What’s an APIC?

Let’s rewind to 1981, when the IBM PC first appeared.

The PC included a chip called the Intel 8259A Programmable Interrupt Controller, or PIC. (Later models, from the PC AT onwards, had two PICs, chained together, to support more interrupt events.)

The purpose of the PIC was quite literally to interrupt the program running on the PC’s central processor (CPU) whenever something time-critical took place that needed attention right away.

These hardware interrupts included events such as: the keyboard getting a keystroke; the serial port receiving a character; and a repeating hardware timer ticking over.

Without a hardware interrupt system of this sort, the operating system would need to be littered with function calls to check for incoming keystrokes on a regular basis, which would be a waste of CPU power when no one was typing, but wouldn’t be responsive enough when they did.

As you can imagine, the PIC was soon followed by an upgraded chip called the APIC, an advanced sort of PIC built into the CPU itself.

These days, APICs provide much more than just feedback from the keyboard, serial port and system timer.

APIC events are triggered by (and provide real-time data about) events such as overheating, and allow hardware interaction between the different cores in contemporary multicore processors.

And today’s Intel chips, if we may simplifly greatly, can generally be configured to work in two different ways, known as xAPIC mode and x2APIC mode.

Here, xAPIC is the “legacy” way of extracting data from the interrupt controller, and x2APIC is the more modern way.

Simplifying yet further, xAPIC relies on what’s called MMIO, short for memory-mapped input/output, for reading data out of the APIC when it registers an event of interest.

In MMIO mode, you can find out what triggered an APIC event by reading from a specific region of memory (RAM), which mirrors the input/output registers of the APIC chip itself.

This xAPIC data is mapped into a 4096-byte memory block somewhere in the physical RAM of the computer.

This simplifies accessing the data, but it requires an annoying, complex (and, as we shall see, potentially dangerous) interaction between the APIC chip and system memory.

In contrast, x2APIC requires you to read out the APIC data directly from the chip itself, using what are known as Model Specific Registers (MSRs).

According to Intel, avoiding the MMIO part of the process â€śprovides significantly increased processor addressability and some enhancements on interrupt delivery.”

Notably, extracting the APIC data directly from on-chip registers means that the total amount of data supported, and the maximum number of CPU cores that can be managed at the same time, is not limited to the 4096 bytes available in MMIO mode.

Tags: Cryptography, Data loss


Nov 02 2021

50% of internet-facing GitLab installations are still affected by a RCE flaw

Cybersecurity researchers warn of a now-patched critical remote code execution (RCE) vulnerability, tracked as CVE-2021-22205, in GitLab’s web interface that has been actively exploited in the wild.

The vulnerability is an improper validation issue of user-provided images the can lead to arbitrary code execution. The vulnerability affects all versions starting from 11.9.

“An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that is passed to a file parser which resulted in a remote command execution. This is a critical severity issue (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9). It is now mitigated in the latest release and is assigned CVE-2021-22205.” reads the advisory published by GitLab.

GitLab addressed the vulnerability on April 14, 2021, with the release of 13.8.8, 13.9.6, and 13.10.3 versions.

The vulnerability was reported by the expert vakzz through the bug bounty program of the company operated through the HackerOne platform.

The vulnerability was actively exploited in the wild, researchers from HN Security described an attack one of its customers. Threat actors created two user accounts with admin privileges on a publicly-accessible GitLab server belonging to this organization. The attackers exploited the flaw to upload a malicious payload that leads to remote execution of arbitrary commands.

“Meanwhile, we noticed that a recently released exploit for CVE-2021-22205 abuses the upload functionality in order to remotely execute arbitrary OS commands. The vulnerability resides in ExifTool, an open source tool used to remove metadata from images, which fails in parsing certain metadata embedded in the uploaded image, resulting in code execution as described here.” reads the analysis published by HN Security.

The flaw was initially rated with a CVSS score of 9.9, but the score was later changed to 10.0 because the issue could be triggered by an unauthenticated attackers.

Researchers from Rapid7 reported that of the 60,000 internet-facing GitLab installations:

Git for Programmers

Tags: Gitlab, Gitlab vulnerability


Jun 07 2021

The evolution of cybersecurity within network architecture

Category: Security ArchitectureDISC @ 10:09 am

A decade ago, security officers would have been able to identify the repercussions of an attack almost immediately, as most took place in the top-level layers of a system, typically through a malware attack. Now however, threat actors work over greater lengths of time, with much broader, long-term horizons in mind.

Leaders can no longer assume that their business systems are safe. The only certainty is that nothing is certain. The past year has been evidence of that, as large, well-trusted companies have faced catastrophic breaches, such as the SolarWinds and Microsoft attacks. These organizations were believed to have some of the best systems installed to protect their data, yet they were still successfully infiltrated.

Threat actors are also pervading through underlying networks, passing from router to router and accessing data stored far below the top level in a system. The refinement of their attacks mean that businesses can go unaware of a breach for longer periods of time, increasing the amount of damage that can be done.

Businesses should take all precautions necessary when it comes to security and assume that anything is possible and devise their security plans around the worst-case scenario. This means adopting the attitude that any one employee could be a hacker’s key to access company systems. Anyone could fall for one of the increasingly sophisticated attacks and click on a phishing email, resulting in a rabbit hole of malicious elements.

Visibility and analytics

Moving forwards, visibility and analytics will be instrumental in strengthening a business’ security approach. These elements deliver invaluable insights into a company’s security standpoint and can help identify any vulnerabilities that have gone unnoticed. Where security and connectivity within an organization have been the two main focus points of leaders, visibility and analytics have now become the third and fourth fundamental elements.

The value of this information cannot be overstated. For a company who has identified a breach attempt and shut all systems down, the first challenge is understanding how far the criminals managed to get before being detected, and what data had been accessed.

In the scenario when businesses are faced with threats from ransomware attackers and take part in negotiations, it helps to have an overview of all business systems. For example, if an attack took place over one week and a company is able to see all incoming and outgoing traffic, then they can deduce roughly how far the criminals could have got.

This could be vital in seeing through any deceptions from the hackers, who may claim to have accessed ten terabytes of data, when realistically they may only have secured a couple of files before being shut out. Only with complete visibility will businesses be able to counter a criminal’s threat.

Strengthening the architecture

There are a number of pathways that organizations can take to strengthen their network architecture against threats. Zero-trust approaches are highly recommended for businesses, especially in the age of remote working, as a way of limiting privileged accounts and the general amount of data left easily accessible. Requesting authentication before access not only protects the business’ external perimeter, but also any risks that exist within as well.

A lot of businesses will find themselves needing to re-address the very foundations of their infrastructure before any additional approaches can be taken. Integration is a massive part of strengthening a company’s network architecture as most will have existing technologies that will need to be combined into one fully functioning capability.

Not only will this allow for greater accessibility and flexibility, but it will also simplify the systems so that they are easier to manage. Achieving this integration will provide businesses with greater visibility into their platforms, making it significantly easier to identity and defend against incoming cyber threats.

Ensuring a secure future

Solutions such as Secure Access Service Edge (SASE) can assist in the strengthening of network architecture. SASE is the integration of networking and security solutions, such as zero trust and firewall-as-a-service (FWaaS), into a single service that can be delivered entirely through the cloud. This ability to deploy through the cloud allows for greater flexibility, making it easy to apply security services wherever they are needed. As a lot of applications used are cloud-based, including collaborative communications, seamless and secure transition to and from the cloud are crucial.

Cybersecurity will likely become more of a process model that is part of every new project. It will become imbedded in every business area, regardless of what their main function is. In such an extreme and sophisticated threat landscape, simply educating employees and home workers of security risks cannot be relied upon to protect companies from malicious attacks.

In an era where cybersecurity attacks are inevitable, strong network architecture and end-to-end visibility are the fundamentals to a resilient security posture. Providing a single point of control using solutions such as SASE will enable businesses to create a more streamlined network architecture, whether from remote locations or within the office. Regardless of their current standpoint, all businesses should be working towards one goal – implementing a business approach that combines the three crucial elements: security, network and visibility.

Tags: cybersecurity within network architecture, Network security architecture