Jianyuan Lab | Automotive Cybersecurity Operations

Author |  Su Shaobo, Automotive Network Security Team, Shanghai Control Security Institute of Trusted Software Innovation

Source |  Jianyuan Lab

01

Overview

1.1 Background

As vehicle technology advances and vehicles become more intelligent, the automotive industry is changing rapidly. The wide application of intelligent and connected-vehicle technology means that a modern vehicle carries a large number of sensors and electronic systems. Connectivity removes the geographic and distance limits that once constrained attacks on vehicles, and makes it possible for attackers to remotely attack target vehicles in batches. The rapid development of vehicle networking has therefore significantly increased the information security risks that vehicles face.

To ensure that intelligent connected vehicles are used safely and operated in compliance with regulations, a series of standards and regulations covering the security requirements of the entire vehicle life cycle have been promulgated in China and abroad. The vehicle security operation center emerged in this context; its main purpose is to monitor and manage vehicle security, prevent incidents and failures, and take timely measures to resolve problems.

1.2 What is a vehicle security operation center

A Vehicle Security Operation Center (VSOC) is a centralized operation center responsible for monitoring, managing and protecting the security of vehicles. It handles vehicle security incidents, risks and threats centrally and takes the corresponding response and defensive measures to protect vehicles and their occupants. Using advanced technology and security solutions, the VSOC monitors the state of vehicles in real time, identifies potential security vulnerabilities, and provides early warning and tracking to support vehicle security management across the entire vehicle life cycle. The VSOC plays an important role in vehicle security: it helps vehicle manufacturers, service providers and other stakeholders improve vehicle security, respond to threats and risks, and deliver a safer travel experience.

1.3 Relevant standards and regulations

UN Regulation No. 155 (R155), "Cyber security and cyber security management system", was formulated by the World Forum for Harmonization of Vehicle Regulations (WP.29) of the United Nations Economic Commission for Europe (UNECE). The regulation aims to secure vehicle networks and electronic systems, prevent potential threats and attacks, and protect the safety of vehicles and their occupants. Type approval under R155 requires the manufacturer to operate a certified Cyber Security Management System (CSMS), and the regulation explicitly requires OEMs to continuously monitor the cybersecurity status of their vehicle fleets and to respond within a reasonable time after a cybersecurity incident occurs.

ISO/SAE 21434, "Road vehicles - Cybersecurity engineering", was published jointly by the International Organization for Standardization (ISO) and SAE International. The standard provides guidance for vehicle manufacturers, suppliers and other stakeholders so that vehicle cybersecurity management is consistent and effective; it requires a systematic set of cybersecurity management methods and processes to protect the security and privacy of vehicle information. Its continual cybersecurity activities (cybersecurity monitoring, event evaluation, vulnerability analysis and vulnerability management) are the part of the standard most directly relevant to a VSOC.

In short, both R155 and ISO/SAE 21434 arise from concern about the system security and information security of vehicles, and both aim to address growing security threats and risks in order to protect vehicles and their occupants. One task of a VSOC is to comply with these regulations and standards and so keep vehicle systems secure and compliant. The VSOC can adopt the guidance and requirements of R155 and ISO/SAE 21434 to establish corresponding security management measures and processes for the security challenges and risks faced by vehicle systems.

02

Basic workflow

A cloud-side VSOC is usually used together with a vehicle-side IDPS (Intrusion Detection and Prevention System) to improve vehicle security and the ability to detect potential attacks.

Figure 1 Basic process of IDPS-VSOC security operation

Monitoring and data collection: the vehicle-side IDPS collects security-relevant information by monitoring the traffic, logs and events of the vehicle's internal networks and systems. This can include in-vehicle network communication (for example CAN and automotive Ethernet frames), operating system logs, sensor data and more.

Threat detection and analysis: the vehicle-side IDPS analyzes the collected data and uses specific detection algorithms and rules to identify possible security threats or abnormal behaviour, such as network intrusion, malware and unauthorized access.

Threat response and blocking: once the vehicle-side IDPS detects a potential security threat, it triggers the corresponding response mechanism, including but not limited to alarm notification, logging, blocking network connections or other emergency measures, so that the threat is dealt with and potential damage is mitigated. On a moving vehicle, blocking actions must be restricted to those that cannot compromise functional safety, which is why many deployments run the vehicle side in detect-and-report mode and leave active response decisions to the VSOC.

Security event processing and analysis: the VSOC receives and processes the security events and alarms generated by the vehicle-side IDPS. It analyzes, classifies and prioritizes the events and takes appropriate measures against security threats. Measures may include alarms to operations personnel and the enterprise, early warnings to vehicle owners and vehicles, tracing of the attack, IP analysis, or cooperation with other service providers for in-depth investigation and response, in any combination.

Security vulnerability repair and upgrade: based on the detection results of the vehicle-side IDPS and the analysis of the VSOC, the vehicle manufacturer or related parties can fix security vulnerabilities and upgrade the system. This can include software patches, firmware updates or configuration changes that improve the vehicle's security and defensive capability. Module updates can also be automated by configuring the OTA (over-the-air) update service; since the OTA channel is itself a high-value attack path, update images must be signed and verified on the target ECU before they are applied.

By using the VSOC and the vehicle-side IDPS together, potential security threats can be detected and handled in a timely manner to protect vehicle systems and occupants. This process helps vehicle manufacturers and operators implement comprehensive security management and response measures, improving vehicle security, trustworthiness and reliability.
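As an added example (not code from the original article or from the Jianyuan Lab team), the following Python sketch shows the vehicle-side monitoring and detection steps and the VSOC-side triage step of Figure 1 over a constructed candump-style CAN log: an allowlist of expected CAN IDs with nominal period and DLC, three detection rules (unknown ID, DLC mismatch, and the rate anomaly typical of frame injection), and a triage step that collapses raw alerts into prioritized incidents per vehicle. The CAN IDs, periods, DLCs, VIN and log lines are all assumptions made for the example; on a real platform the baseline comes from that vehicle's communication matrix.

```python
"""Vehicle-side IDPS detection rules over CAN traffic, plus VSOC-side triage.

Added example, not code from the original article. CAN IDs, periods, DLCs,
the VIN and the log lines are constructed; on a real platform the baseline
comes from the communication matrix / DBC of that vehicle.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical per-platform baseline: CAN ID -> (expected DLC, nominal period in ms).
BASELINE = {
    0x0C8: (8, 10),   # e.g. powertrain status, 100 Hz
    0x1A0: (8, 20),   # e.g. wheel speeds, 50 Hz
    0x2F0: (4, 100),  # e.g. body/door status, 10 Hz
}

# A periodic frame arriving sooner than this fraction of its nominal period is
# flagged: a spoofed frame injected between genuine ones shows up this way.
RATE_TOLERANCE = 0.5

# candump-style line: "(timestamp) iface ID#HEXDATA"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$")

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Event:
    rule: str
    severity: str   # "low" | "medium" | "high"
    can_id: int
    detail: str
    ts: float


def parse_line(line):
    """Return (timestamp, can_id, payload bytes) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])


def detect(lines):
    """Vehicle side: apply three rules to a sequence of CAN log lines."""
    events = []
    last_seen = {}   # can_id -> timestamp of the previous frame with that ID
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue   # malformed line; a real IDPS would count these separately
        ts, can_id, data = parsed
        if can_id not in BASELINE:
            events.append(Event("unknown_id", "medium", can_id,
                                "ID not in baseline", ts))
            continue
        dlc, period_ms = BASELINE[can_id]
        if len(data) != dlc:
            events.append(Event("dlc_mismatch", "high", can_id,
                                f"expected {dlc} bytes, got {len(data)}", ts))
        if can_id in last_seen:
            delta_ms = (ts - last_seen[can_id]) * 1000.0
            if delta_ms < period_ms * RATE_TOLERANCE:
                events.append(Event("rate_anomaly", "high", can_id,
                                    f"{delta_ms:.1f} ms since previous frame, "
                                    f"nominal {period_ms} ms", ts))
        last_seen[can_id] = ts
    return events


def triage(vin, events):
    """VSOC side: collapse raw events into one prioritized incident per (rule, ID)."""
    grouped = defaultdict(list)
    for e in events:
        grouped[(e.rule, e.can_id)].append(e)
    incidents = []
    for (rule, can_id), evs in grouped.items():
        incidents.append({
            "vin": vin,
            "rule": rule,
            "can_id": f"0x{can_id:03X}",
            "count": len(evs),
            "severity": max((e.severity for e in evs), key=SEVERITY_RANK.__getitem__),
            "first_seen": min(e.ts for e in evs),
            "last_seen": max(e.ts for e in evs),
        })
    # Highest severity first, then the noisiest source.
    incidents.sort(key=lambda i: (-SEVERITY_RANK[i["severity"]], -i["count"]))
    return incidents


# Constructed sample log: genuine 0x0C8 frames every 10 ms, one injected frame
# 2 ms after a genuine one, a short 0x2F0 frame, and an ID absent from the baseline.
SAMPLE_LOG = [
    "(1700000000.000000) can0 0C8#0102030405060708",
    "(1700000000.010000) can0 0C8#0102030405060708",
    "(1700000000.012000) can0 0C8#FFFFFFFFFFFFFFFF",
    "(1700000000.020000) can0 0C8#0102030405060708",
    "(1700000000.020500) can0 2F0#0A0B",
    "(1700000000.025000) can0 7DF#0201050000000000",
    "not a can frame",
]

if __name__ == "__main__":
    for incident in triage("VIN-EXAMPLE-001", detect(SAMPLE_LOG)):
        print(incident)
```

The vehicle side keeps only per-ID timing state and emits small events; the VSOC side does the aggregation and ranking, which mirrors the split in Figure 1 where the in-vehicle component stays lightweight and the cloud side holds the context needed to prioritize.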

03

Other functions of VSOC

In addition to the basic security incident handling process and basic functions described above, a VSOC should also be able to monitor the overall security posture in real time and discover potential threats. Some other important functions in the security operations phase are:

3.1 Data statistics and data analysis

A complete process should also include data processing and statistical analysis capabilities, such as fleet status monitoring and analysis of security incidents:

Fleet status monitoring: the VSOC monitors the security status and network connection status of each vehicle in the fleet, so that the security posture of the whole fleet is known in real time. It collects real-time vehicle data such as network communication status, system operating status and security incident reports. By monitoring fleet status, the VSOC can detect abnormal behaviour or potential security threats in time and take the corresponding measures.

Statistics and analysis of security incidents: the VSOC compiles statistics on and analyzes vehicle security incidents to gain a deeper understanding of security threats. It collects information such as the type, frequency and scope of impact of incidents, and analyzes and mines these data. Through such statistics, the VSOC can identify common attack patterns, vulnerability exploitation methods and security weaknesses present in the fleet, and provide corresponding suggestions and measures to improve overall security.

Security policy update and optimization: the VSOC can update and optimize security policies based on the results of fleet status monitoring and incident statistics. It can adjust the vehicles' security configuration and defensive measures according to the latest threat intelligence and vulnerability information. This may include updating detection rules, strengthening access controls, optimizing encryption mechanisms and so on, to improve vehicle security and reduce potential risk.

By monitoring fleet status and compiling incident statistics, the VSOC gains a full picture of the fleet's security situation and can take timely measures to protect vehicles and occupants. This monitoring and analysis capability helps fleet managers and security teams understand the overall security posture of the fleet and develop corresponding countermeasures and preventive measures. It also provides valuable data and insight for fleet security management, supporting decision-making and continuous improvement.

3.2 Asset Management

The VSOC can maintain an asset database that records information about each vehicle model, component and supplier in the fleet, including vehicle model, configuration and associated part information as well as supplier name and contact details. With a detailed asset database, the VSOC can quickly query and locate information on specific models and parts, so that when a security incident occurs it immediately knows which assets are involved.

When a security incident occurs, the VSOC can use the asset management function to quickly locate the affected models, parts and other relevant information. This helps identify the scope and impact of the problem quickly, so that the VSOC can coordinate and communicate with suppliers to solve it together. Through close cooperation and responsiveness with suppliers, the VSOC can speed up problem resolution and reduce potential security risk.

The asset management function also supports supply chain security management. The VSOC can track and manage the component suppliers used by the fleet and record the cooperation relationship with and security assessment of each supplier. It can monitor and evaluate suppliers' security practices, security certifications, vulnerability disclosures and so on to ensure the security and reliability of the supply chain. When a security incident occurs, the VSOC can contact the supplier quickly through the asset management function, jointly solve the problem and take the necessary remedial measures.

Through the asset management function, the VSOC achieves centralized management and rapid lookup of key asset information such as models, parts and suppliers. This not only facilitates rapid response and coordination during a security incident, but also supports supply chain security management and continuous improvement. With asset management integrated, the VSOC can manage fleet security more comprehensively and handle security incidents more efficiently and accurately.

3.3 Vulnerability Management

Vulnerability management is also an important part of dealing with potential threats. The VSOC can regularly update and maintain authoritative vulnerability databases, such as the CVE list and the NVD, to obtain the latest vulnerability information. By integrating the vulnerability database, the VSOC can learn the severity, scope of impact and available remediation advice for each vulnerability. On this basis, it performs regular vulnerability scans of the vehicles' in-vehicle infotainment (IVI) head units. Using professional vulnerability scanning tools, the VSOC can proactively discover potential vulnerabilities and security weaknesses. The scan results are compared against the vulnerability database to determine which vulnerabilities pose a real threat to the vehicle system. This comparison is only as good as the VSOC's knowledge of which software versions each ECU actually runs, so it depends on an accurate per-ECU component inventory (a software bill of materials) maintained together with the asset management function.

When a security incident occurs, the VSOC can combine the vulnerability management function to correlate the incident, the asset and the vulnerability. By analyzing the characteristics and impact of the event, the VSOC can infer which vulnerability may be involved and locate it. Conversely, the VSOC can also use vulnerability scan results to confirm security incidents related to specific vulnerabilities.

Vulnerability repair and prevention: when a specific vulnerability is found in an asset, the VSOC can track and coordinate the repair process to ensure the vulnerability is fixed in time and the security risk reduced. The VSOC can also feed vulnerability information back to the asset management module so that the same vulnerability is found and fixed on other assets carrying the same component, improving the security of the whole fleet.

Through the vulnerability management function, the VSOC ties security events, assets and vulnerabilities together, covering event confirmation, locating vulnerable assets, and vulnerability repair and prevention. This comprehensive vulnerability management capability improves the security and stability of fleet systems and reduces the potential risk caused by vulnerabilities.
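As an added example covering both the asset management (3.2) and vulnerability management (3.3) functions, and not code from the original article, the following Python shows the incident-asset-vulnerability correlation described above over a constructed fleet inventory: given an incident on a specific VIN and ECU, it looks up the installed firmware version, matches it against vulnerability records by supplier and fixed-in version, determines the fleet scope (which VINs and models carry an unfixed version), and attaches the supplier contact needed for coordinated response. The vehicles, suppliers, versions, contacts and vulnerability records are placeholders, and the vulnerability IDs are not real CVE entries.

```python
"""Correlating a VSOC incident with the asset inventory and a vulnerability list.

Added example, not code from the original article. Vehicles, components,
suppliers, firmware versions, contacts and vulnerability records are all
constructed; the vulnerability IDs are placeholders, not real CVE entries.
"""


def parse_version(v):
    """'2.3.1' -> (2, 3, 1), so firmware versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


# Hypothetical fleet inventory: one record per vehicle, components keyed by ECU role.
INVENTORY = [
    {"vin": "VIN-A-0001", "model": "Model-A", "components": {
        "TCU": {"supplier": "Supplier-X", "version": "2.3.0"},
        "IVI": {"supplier": "Supplier-Y", "version": "5.1.2"}}},
    {"vin": "VIN-A-0002", "model": "Model-A", "components": {
        "TCU": {"supplier": "Supplier-X", "version": "2.3.1"},
        "IVI": {"supplier": "Supplier-Y", "version": "5.1.2"}}},
    {"vin": "VIN-B-0001", "model": "Model-B", "components": {
        "TCU": {"supplier": "Supplier-X", "version": "2.2.9"},
        "IVI": {"supplier": "Supplier-Z", "version": "1.0.0"}}},
]

# Hypothetical supplier contacts kept alongside the asset records.
SUPPLIER_CONTACTS = {
    "Supplier-X": "psirt@supplier-x.example",
    "Supplier-Y": "security@supplier-y.example",
    "Supplier-Z": "psirt@supplier-z.example",
}

# Hypothetical vulnerability records (placeholder IDs, not real CVEs).
# fixed_in: first firmware version of that supplier's component containing the fix.
VULNS = [
    {"id": "VULN-EXAMPLE-001", "component": "TCU", "supplier": "Supplier-X",
     "fixed_in": "2.3.1", "cvss": 8.8, "summary": "remote code execution via cellular modem"},
    {"id": "VULN-EXAMPLE-002", "component": "TCU", "supplier": "Supplier-X",
     "fixed_in": "2.4.0", "cvss": 5.3, "summary": "information disclosure in diagnostics log"},
    {"id": "VULN-EXAMPLE-003", "component": "IVI", "supplier": "Supplier-Y",
     "fixed_in": "5.2.0", "cvss": 7.5, "summary": "Bluetooth stack memory corruption"},
]


def is_vulnerable(component_record, vuln):
    """A component is exposed if it is the same supplier's part and older than fixed_in."""
    return (component_record["supplier"] == vuln["supplier"]
            and parse_version(component_record["version"]) < parse_version(vuln["fixed_in"]))


def affected_vehicles(vuln, inventory=INVENTORY):
    """Fleet scope of one vulnerability: VINs carrying an unfixed version of the component."""
    return [v["vin"] for v in inventory
            if vuln["component"] in v["components"]
            and is_vulnerable(v["components"][vuln["component"]], vuln)]


def correlate_incident(vin, component, inventory=INVENTORY, vulns=VULNS):
    """Given an incident on (VIN, component), return candidate vulnerabilities ordered
    by CVSS, each with its fleet scope and the supplier contact for coordination."""
    vehicle = next((v for v in inventory if v["vin"] == vin), None)
    if vehicle is None or component not in vehicle["components"]:
        return None   # asset unknown: the incident cannot be scoped, escalate manually
    comp = vehicle["components"][component]
    candidates = []
    for vuln in vulns:
        if vuln["component"] != component or not is_vulnerable(comp, vuln):
            continue
        scope = affected_vehicles(vuln, inventory)
        candidates.append({
            "vuln_id": vuln["id"],
            "cvss": vuln["cvss"],
            "installed": comp["version"],
            "fixed_in": vuln["fixed_in"],
            "fleet_scope": len(scope),
            "affected_models": sorted({v["model"] for v in inventory if v["vin"] in scope}),
            "supplier_contact": SUPPLIER_CONTACTS.get(comp["supplier"]),
        })
    candidates.sort(key=lambda c: -c["cvss"])
    return {"vin": vin, "model": vehicle["model"], "component": component,
            "supplier": comp["supplier"], "candidates": candidates}


if __name__ == "__main__":
    # Constructed incident: the IDPS on VIN-A-0001 reported anomalous TCU behaviour.
    print(correlate_incident("VIN-A-0001", "TCU"))
```

The version comparison here is a plain numeric tuple; real supplier version strings are often less regular, so in practice the inventory should store a normalized version per ECU at ingestion time rather than parsing ad hoc during an incident.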

Figure 2 Functional architecture of the automotive security operation center

As the usage scenarios of intelligent connected vehicles become richer and vehicle software and hardware become more tightly integrated, car makers increasingly need to transform from manufacturers into mobility service providers. A VSOC that only monitors individual security events can no longer meet current needs, so building a diversified, multi-dimensional, wide-coverage VSOC is bound to become the new development trend.

04

Challenges

First, the VSOC must process huge and complex data sets, including vehicle status, sensor data and driving behaviour, quickly and accurately, and extract valuable information from them. Data privacy and security are also important considerations, since location and driving-behaviour data are personal data; effective security measures are needed to protect the confidentiality and integrity of the data.

Second, the VSOC needs cross-department and cross-region collaboration capability. Manufacturers, vehicle models and regions differ from one another, so unified data standards and interface specifications must be formulated to achieve data interoperability and sharing. Coordinating cooperation and information sharing among all parties is a further challenge, and the permissions, security and compliance aspects of information sharing need to be addressed.

Finally, the VSOC must keep pace with technological development and changes in standards. As autonomous driving technology evolves and new security standards are formulated, the VSOC needs to update and adapt to new technical requirements in time to provide more efficient and secure vehicle operation management services.

In summary, the VSOC has emerged to cope with the rapid development of the automotive industry and new security management requirements, but during its construction and operation it faces challenges in data management, collaboration, technology updates and other areas. By overcoming these challenges, the VSOC can play a greater role in improving overall vehicle security and operational efficiency.

Originally published at blog.csdn.net/TICPSH/article/details/132163511