Report provides a series of lessons learned for developing security systems around Connected Vehicles.
Institute Security by Design Processes and Standards. All stakeholders developing components within the CV ecosystem should implement components based on a secure system engineering lifecycle that incorporate threat modeling activities that lay out the unique threats to a particular product.
Implement Proper Cryptographic Controls. At both the system level and individual device level, it is critical to use proper cryptographic controls including strong entropy sources and vetted random number generators.
Properly Secure the Vehicle Platform
- Use strong segmentation/boundary defense on the Controller Area Network (CAN) busses for safety-critical features.
- Ensure that software configuration options are understood and as restrictive as possible. Secure the software updates by having rollback process, doing field testing and certifications, and preventing updates during vehicle operation.
- Security interface controls should include filtering of all interface traffic to perform actions like prevent malformed messages from being transmitted to the CV software. Defining and bounding the types of data that can be included in messages is also important.
- Secure protocol implementations by following Government organizations guidance about secure implementations of communication technologies used by CVs.
- Protect against aftermarket device APIs, access controls and mobile applications that have not been thoroughly vetted for security.
- Use data integrity best practices by protecting against any spoofing or manipulation of the data entering the CV ecosystem through DSRC.
- Provide privacy protection by ensuring driver’s habits and vehicle locations are protected with the frequent changing of certificates.
Properly Secure the Traffic Infrastructure
- Manage data by securing the interface between the CV infrastructure by using default secure configurations, password and Secure Shell (SSH) key management, secure software updates, secure remote management, and secure OS operations.
- Audit and monitor system logging to track for unauthorized attempts of physical or SSH access, privilege escalation, access to restricted file access, and GET/SET requests.
- Conduct device and software inventory management by keeping track of all authorized devices. Traffic management centers should keep an inventory of all roadside units (RSUs) and keep metadata about those devices up-to-date. Metadata can include: software version, firmware version, location, the responsible party, trusted applications installed, etc.
- Setup malware defenses by monitoring vehicle activities with malware detection techniques to help detect anomalous behavior and filter out potential malicious events.
- Implement wireless access controls. Organizations should implement identity-based protections (machine identity) to perform access controls prior to allowing devices to communicate on transportation networks. This should include all security-relevant endpoints to which the RSU connects.
- Use redundancy controls or fallback mechanisms to deal with the denial of expected communications. For example, The Traffic Management Centers could leverage the display and sensors within the vehicle itself to help mitigate the impact.
- Define boundary protections; segmentation of Internet of Things (IoT) devices from other Information Technology (IT) devices is critical to ensure a safe security system.
- Implement policies and procedures that are detailed and enforced. Policies such as password lengths and role-based access controls should be considered by managers responsible for local/remote maintenance. Such protocols should also include removing test fixtures from devices before field deployment.