Cyber security matters. Products are hacked in order to misuse, abuse and confuse. Unlike other technologies, which are mastered by specific teams and functions, security is a base technology that belongs to the body of knowledge of every single software developer. In this blog I try to ponder some best practices for security engineering. Security is also a matter of continuous improvement and an evolving process for any given enterprise.
Sophisticated functionality and the ever-increasing perfection of embedded and distributed IT systems have been made possible by an increasing number of interconnected components. Open interfaces, standardized platforms, and a variety of heterogeneous networks drive complexity and security risks. For any given system it is only a question of time before the resulting security vulnerabilities are systematically identified and exploited, to the harm and expense of users and manufacturers.
Security is a quality attribute that interacts heavily with other such attributes, including availability, safety, and robustness. It is the sum of all the attributes of an information system or product that contribute towards ensuring that the processing, storing, and communicating of information sufficiently protects confidentiality, integrity, and authenticity. Cyber security implies that it is not possible to do anything with the processed or managed information that is not explicitly intended by the specification of the embedded system.
Currently used security engineering concepts, such as proprietary subsystems, the protection of components, firewalls between components, and the validation of specific features, are necessary basics but insufficient to ensure end-to-end security at the system level. Intelligent attack scenarios evolve from different directions, such as attacks on unprotected networks, the introduction of dangerous code segments through open interfaces, and changes to configurations. They prove that security has to become a topic throughout the entire organization, with high management attention.
Cyber security needs evolve fast with the advent of the Internet of Things (IoT). Let us look at modern automotive systems as an example of connectivity and IoT. Distributed networks, both inside cars and from car to roadside, are an essential part of today's infrastructures, with their needs for safety and comfort. Besides the further development of innovative sensors like radar and camera systems and the analysis of their signals in highly complex systems, connected cars will be a driving factor for tomorrow's innovation. Internet connections will not only serve the passenger's need for information; functions like eCall, communication between cars, and car-to-infrastructure communication (vehicle2x) show high potential for revolutionizing individual traffic. The advantages are obvious, such as improved traffic flow controlled by intelligent traffic lights, warnings from roadside stations, or brake indications from adjacent cars feeding enhanced driver assistance systems and automated driving. But the connection to the outer world also bears the risk of attacks on the car.
Based on our experiences with clients worldwide, we show which security engineering activities are required to create secure systems and how these activities can be performed efficiently in the automotive domain. Key points in the development of protected systems are the proper identification of security requirements, the systematic realization of security functions, and a security validation to demonstrate that the security requirements have been met. Here are some obvious items from the cyber security checklist:
· Standardized process models for a systematic approach which is anchored in the complete development process. This starts in the requirements analysis phase, and continues through the design and development to the test and integration of components and the network.
· Quick software updates to close vulnerabilities in the deployed and operational software.
· Reliable protocols that are state-of-the-art and meet long-term security demands. Such protocols typically rely on cryptographic keys, so key management must be maintained over the whole lifecycle of the vehicle.
· In-vehicle networks and a system architecture that provide flexibility and scalability and are designed with consideration of security aspects.
Dependability requirements are a good starting point to identify relevant security requirements and to guide the elicitation of further functional requirements that will mitigate security risks. The same technique as outlined here can be applied to other scenarios, always starting with attacker motivation or functional risks due to the system architecture. Our guidance: do not limit the analysis to known incidents and defects, as some textbooks suggest. Security analysis is not a checklist approach. It has to consider the attack motivations of people who think differently from the usual engineer. However, by utilizing an engineering approach we can more easily identify vulnerabilities in our architectures.
The results of the security risk and hazard analysis, from asset identification through misuse, abuse and confuse cases, and the entire security protection scheme should be well documented. Understanding the approach is of utmost importance, specifically when modifications are made at a later point. From a legal perspective, complete and maintained documentation is necessary for governance and compliance reasons. Security threats and the resulting damages impact the safety of products and the integrity of private data, and thus directly endanger the financial health of a company. Our guidance: document the security case similarly to the safety case by means of an ALM/PLM environment. Maintain the related documentation and enhance it with regression test scenarios for future updates.
Security requires an end-to-end perspective. Security engineering must start with a clear focus on security requirements and related critical quality requirements, such as safety, footprint, or performance, and on how they map to functional requirements. Software component suppliers and integrators first define the key functional requirements. These requirements are then analyzed for security risks and impacts. Security requirements are expanded into further functional requirements or into additional security guidelines and validation steps. Security concepts are subsequently and consistently (i.e., traceably) implemented throughout the development process. Finally, security is validated on the basis of the previously defined security requirements and test cases.
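The traceability chain described above (assets, misuse cases, security requirements, regression tests) can be checked mechanically, so that gaps in the documented security case surface before a later modification. This is an added example, not code from the original post; the `SecurityCase` model and the automotive sample data (ECU firmware, V2X channel, driver location data, and the MC/SR/RT identifiers) are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class SecurityCase:
    """Constructed model of a documented security case: assets -> misuse
    cases -> security requirements -> regression tests."""
    assets: set        # protected assets named in the analysis
    misuse_cases: dict  # misuse-case id -> asset it endangers
    requirements: dict  # requirement id -> set of misuse-case ids it mitigates
    tests: dict         # regression-test id -> set of requirement ids it verifies

    def gaps(self):
        """Return the traceability gaps; an empty dict means the case closes."""
        threatened = set(self.misuse_cases.values())
        mitigated = set().union(*self.requirements.values())
        verified = set().union(*self.tests.values())
        report = {
            # assets nobody wrote a misuse case for: analysis incomplete
            "assets_without_misuse_case": sorted(self.assets - threatened),
            # misuse cases no requirement addresses: unmitigated risk
            "unmitigated_misuse_cases": sorted(set(self.misuse_cases) - mitigated),
            # requirements no regression test verifies: unvalidated claim
            "untested_requirements": sorted(set(self.requirements) - verified),
            # references to ids that no longer exist: documentation drift
            "dangling_references": sorted((mitigated - set(self.misuse_cases))
                                          | (verified - set(self.requirements))),
        }
        return {kind: items for kind, items in report.items() if items}


# Constructed sample data in the style of the automotive scenario above.
EXAMPLE = SecurityCase(
    assets={"ECU firmware", "V2X channel", "driver location data"},
    misuse_cases={
        "MC-1": "ECU firmware",          # unauthorised firmware replacement
        "MC-2": "V2X channel",           # spoofed roadside warning message
        "MC-3": "driver location data",  # disclosure of location history
    },
    requirements={
        "SR-1": {"MC-1"},  # firmware images are signature-checked before install
        "SR-2": {"MC-2"},  # V2X messages are authenticated before being acted on
    },
    tests={
        "RT-1": {"SR-1"},  # regression test: unsigned image is rejected
        "RT-2": {"SR-9"},  # stale test pointing at a requirement that was removed
    },
)


def example_gaps():
    return EXAMPLE.gaps()


if __name__ == "__main__":
    for kind, items in example_gaps().items():
        print(f"{kind}: {', '.join(items)}")
```

Running it reports MC-3 as unmitigated, SR-2 as untested and SR-9 as a dangling reference, which is exactly the kind of drift that maintained documentation with regression scenarios is meant to catch.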
Today, cyber security by design is in the foreground due to safety, legislative and intellectual property concerns. We recommend a life-cycle perspective that takes a systems engineering view and drives security starting with the security requirements and the related test cases, while stepwise and comprehensively building the security case in line with the impacted functional and quality requirements. After all, it does not help much if transactions are encrypted piecemeal and thus degrade performance.
Many security attacks are the result of poorly managed software updates and uncontrolled complexity growth. Architectures, systems, and protocols must be developed with security in mind (i.e., design for security). Competences have to be developed around security engineering, and employees have to be trained in how to design, verify, and sustain security throughout the product's life-cycle. Only with continuous measurement of their effectiveness does the value of security measures improve.
Contact me at ravindrapande@gmail.com for more information or to discuss these trends.