Posts

How to implement an Information Security Management System (ISMS)

We wrote here https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the 3rd  step in implementing the requirements of the directive is to establish a cybersecurity framework.

If you haven’t read what a cybersecurity framework means, then you should read article: https://www.sorinmustaca.com/demystifying-cybersecurity-terms-policy-standard-procedure-controls-framework/ .

An ISMS is typically based on the ISO 27001 standard, which provides a framework for establishing, implementing, maintaining, and continually improving information security within an organization.

Establishing a cybersecurity framework is usually achieved together with, or while implementing an Information Security Management System (ISMS) based on a standard like ISO 27001. So, before going to the NIS2 Step 3, I must explain why is it important to have a “good” ISMS.

This article will guide you through the steps to create a solid foundation for the ISMS which uses a cybersecurity framework.

 

Here are the steps you must follow to implement your ISMS:

  1. Get Top Management Support
    • Before you start, synchronize with the top management in order to define company’s goals in this regard. Usually it should be clear, since the company strives to receive a certification like ISO 27001, ISO 16949, TISAX, CSMS, etc..
    • Then secure the commitment and support of senior management by helping them understand the necessary resources and efforts.
    • In all standards that require an ISMS it is imperative to have the commitment of the management because their feedback and support are required in several places along the way.
  2. Scope Definition
    • Define the scope of your ISMS: determine which assets, processes, and locations will be covered by the ISMS.
    • This will help in setting boundaries for your security efforts. Some certifications require an assessment per location and scope, so this needs to be developed properly and in accordance with company’s goals.
  3. Risk Assessment
    • Create policies that help identify and assess information security risks.
    • This involves:
      • How to identifying assets: List all the information assets your organization handles, such as data, hardware, software, and personnel, intellectual property.
      • How to identify threats and vulnerabilities: Determine potential risks and vulnerabilities that could impact your assets.
      • How to assess risks: Analyze the likelihood and potential impact of these risks.
      • How to calculate risk levels: Prioritize risks based on their severity.
  4. Risk Treatment
    • Develop a policy for risk treatment plan:
      • How to implement controls: Select and implement security controls and measures to mitigate identified risks.
      • Document policies and procedures that enforce the creation of security controls.
      • Allocate responsibilities: Assign roles and responsibilities for managing and monitoring security measures.
      • Set risk acceptance criteria: Determine which risks can be accepted, mitigated, or transferred.
  5.  Establish the ISMS Framework
    • Establish the ISMS framework based on ISO 27001:
      • Define information security objectives.
      • Develop an information security policy.
      • Create a risk assessment methodology.
      • Define criteria for risk acceptance.
      • Develop and implement security controls.
  6. Implementation
    • Execute the ISMS based on the established framework:
      • Train employees: Provide information security training to all staff members.
      • Implement security controls: Put in place the technical, administrative, and physical controls identified in your risk treatment plan.
      • Monitor and review: Continuously monitor the effectiveness of your controls and review your risk assessment.
  7. Measurement and Evaluation
    • Regularly measure and evaluate the performance of your ISMS to ensure that it remains effective and aligned with your objectives.
      • Conduct internal audits.
      • Perform security testing (e.g., penetration testing, vulnerability scanning).
      • Analyze security incident data.
  8. Management Review
    • Conduct regular management reviews to assess the ISMS’s performance and effectiveness.
      • Ensure that the ISMS is aligned with the organization’s strategic goals.
      • Make improvements based on review findings.
  9. Continual Improvement
    • Use the results of audits, reviews, and incidents to continually improve the ISMS.
      • Update policies and procedures as needed.
      • Enhance security controls based on new threats and vulnerabilities.
      • Maintain employee awareness and training.
  10. Certification (Optional):
    • If your organization desires ISO 27001 or any other certification, engage an accredited certification body to perform an external audit and certification assessment.
    • Be careful because several certification require a pre-certification or pre-assessment performed either with in-house auditors (internal) or external auditors.
  11. Documentation
    • Maintain detailed documentation of all ISMS activities, including policies, procedures, risk assessments, and audit reports.
    • Maintain a log of all changes in time, because this demonstrates continual improvement and usage.
  12. Training and Awareness
    • Continuously educate and raise awareness among employees regarding information security policies and best practices.
  13. Incident Response and Recovery
    • Develop an incident response plan to address security incidents promptly and effectively.

 

Remember, and make sure that your management remembers as well, that implementing and maintaining an ISMS is an ongoing process. Even if certifications are renewed only after 3 years (usually) it is important that in these 3 years the ISMS is lived.

Regularly update your risk assessments and adapt your security controls to evolving threats and business needs. Continuous improvement is key to the success of your ISMS.

 

The post How to implement an Information Security Management System (ISMS) first appeared on Sorin Mustaca on Cybersecurity.

How-To: NIS2 EU Directive

The NIS2 Directive is a European Union legislative text on cybersecurity that supersedes the first NIS (Network and Information Security) Directive, adopted in July 2016.

NIS vs. NIS2

While the first NIS (Network and Information Security) Directive increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed with digitalisation and the surge in cyber-attacks, the Commission has submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU.

NIS2 strengthens security requirements in the EU by expanding the NIS scope to more sectors and entities, taking into account

  • the security of supply chains,
  • streamlining reporting obligations,
  • introducing monitoring measures,
  • introducing more stringent enforcement requirements,
  • adding the concept of “management bodies” accountability within companies, and
  • harmonizing and tightening sanctions in all Member States.

To achieve the above mentioned goals, NIS2 requires member states to take a number of measures that forces them to work together:

  • Establish or improve information sharing between member states and a common incident response plan that coordinates with other member state plans
  • Establish a national Computer Emergency Response Team
  • Strengthen cooperation between public and private sector entities

 

In a nutshell, companies can stay compliant with the NIS2 Directive by

  • establishing an effective monitoring system that can detect intrusions, detect suspicious activities, and alert the authorities when necessary
  • developing comprehensive plans that detail how they will respond to an attack and what steps they will take to recover from it.

 

The official website of the EU for the NIS2 Directive has prepared an FAQ with many good questions and answers.

However, what the website is not saying (for good reasons) is how should companies start to prepare for implementing the directive.

 

How to start the compliance path

In order to successfully start implementing the requirements, the following steps should be implemented in this order. We will publish articles about pretty much each of these topics.

 

1.Conduct a gap analysis

Assess your company’s current cybersecurity practices, policies, and infrastructure against the requirements of the NIS2 directive.

Identify any gaps or areas that need improvement to comply with the directive.

Dedicated article:  https://www.sorinmustaca.com/nis2-1-perform-a-gap-analysis/

 

2.Designate a responsible person or team

Appoint an individual or a team responsible for overseeing the implementation of the NIS2 directive within your company. This could be a dedicated cybersecurity team or an existing department with relevant expertise.

Dedicated article: https://www.sorinmustaca.com/nis2-2-designate-a-responsible-person-or-team/

 

3.Establish a cybersecurity framework

Develop or update your company’s cybersecurity framework to align with the NIS2 directive. This framework should include policies, procedures, and technical controls to protect your network and information systems effectively.

Dedicated article: https://www.sorinmustaca.com/nis2-3-establish-a-cybersecurity-framework/

 

4.Perform a risk assessment

Conduct a comprehensive risk assessment of your company’s network and information systems. Identify potential threats, vulnerabilities, and risks that may impact the availability, integrity, and confidentiality of critical systems and data. This assessment will help you prioritize security measures and allocate appropriate resources. Risk management and assessments are an ongoing process. Once one risk assessment is carried out, it is important to schedule regular updates to ensure all steps are maintained.

Dedicated article: https://www.sorinmustaca.com/nis2-perform-a-risk-assessment/

 

5.Implement security measures

Based on the risk assessment findings, implement appropriate security measures to mitigate identified risks. This may include network segmentation, access controls, intrusion detection systems, incident response procedures, encryption, employee training, and regular security updates, among others.

Dedicated article:

 

6.Establish incident response capabilities

Develop an incident response plan and establish procedures for detecting, responding to, and recovering from cybersecurity incidents. Ensure the assigned employees are trained on how to recognize and report security breaches promptly. Business continuity is a very complex topic, which must be planned with a lot of time in advance and it requires extra resources (both human and financial).

Dedicated article:

 

7.Continuously Monitor and review

Implement mechanisms to continuously monitor and assess your network and information systems for potential threats. Regularly review and update your cybersecurity measures to adapt to emerging risks and changes in the threat landscape.

Dedicated article:

 

8. Maintain documentation and records

Keep comprehensive documentation of your cybersecurity measures, risk assessments, incident response activities, and any other relevant information. This documentation will serve as evidence of compliance and may be required for regulatory audits or investigations. A good record might save your company legal and regulatory repercussions in case of a major incident (cyber related or not).

Dedicated article:

 

9.Engage with regulatory authorities

Stay informed about any reporting or notification obligations outlined in the NIS2 directive. Establish communication channels with the relevant regulatory authorities and comply with any reporting requirements or inquiries they may have. NIS2 strives to improve EU-wide communication and sharing of cyber events in order to better prepare answers and reactions. Communication has never been more important than now.

Dedicated article:

 

10. Define KPIs for cybersecurity and measures taken based on them

In order to measure the effectiveness of the cybersecurity, you need to define metrics that allow identifying and quantifying changes. Example of metrics are number of incidents, types of incidents,  how many trainings have been made, how many people were trained, how many pentests were made and how many issues were identified, and many more.

Dedicated article:

 

 

 

The post How-To: NIS2 EU Directive first appeared on Sorin Mustaca on Cybersecurity.

Implementing secure over-the-air (OTA) updates in embedded devices

This is a follow up article related to Secure Booting and Secure Flashing. It is the 5th article related to Strengthening the Security of Embedded Devices

Implementing secure over-the-air (OTA) updates in embedded devices requires careful consideration of various security aspects.

Here are some key steps to implement secure OTA updates:

1. Secure Communication Channel
– Use secure protocols such as HTTPS or MQTT over TLS/SSL to establish an encrypted communication channel between the device and the update server.
– Authenticate the server using certificates to ensure the device is communicating with a trusted source.
– Employ strong encryption algorithms to protect the confidentiality and integrity of the update data during transmission.

2. Code and Firmware Integrity
– Digitally sign the firmware updates using a private key and verify the signature using a corresponding public key on the device.
– Implement mechanisms such as checksums or hash functions to verify the integrity of the received update files.
– Use secure boot techniques to ensure that only trusted and authenticated firmware updates are installed on the device.

3. Access Control and Authorization
– Authenticate and authorize the device before allowing it to download and install updates.
– Implement access control mechanisms to ensure that only authorized devices or users can initiate or perform updates.
– Employ secure user authentication methods such as username/password, certificates, or tokens to validate the device’s identity.

4. Incremental Updates and Rollbacks
– Support incremental updates to reduce the data transfer size and minimize the update time, especially for large firmware files.
– Implement mechanisms to handle update failures or rollbacks in case of errors or compatibility issues during the update process.

5. Secure Storage
– Store the downloaded update files securely on the device to prevent unauthorized access or tampering.
– Use encryption and access control mechanisms to protect the firmware updates from extraction or modification by unauthorized entities.

6. Logging and Auditing
– Maintain logs of OTA update activities, including details such as update versions, timestamps, and device identification.
– Implement auditing mechanisms to track and monitor update processes, detecting any suspicious or unauthorized activities.

7. Regular Security Updates and Patch Management
– Continuously monitor for security vulnerabilities and release patches or updates as needed.
– Implement a robust patch management system to ensure timely deployment of security updates to the embedded devices.

8. Testing and Validation
– Conduct thorough testing and validation of the OTA update process, including functional, security, and compatibility testing.
– Perform vulnerability assessments and penetration testing to identify potential weaknesses in the OTA update implementation.

Last, but not least:

You need to have a secure backend that serves the updates. Make sure that you have configured the server correctly, secure and that it is always updated to the latest version.

 

Follow these best practices to establish a secure OTA update mechanism, ensuring that devices receive timely and secure firmware updates while mitigating the risk of unauthorized access, tampering, or exploitation during the update process.

The post Implementing secure over-the-air (OTA) updates in embedded devices first appeared on Sorin Mustaca on Cybersecurity.

Strengthening the Security of Embedded Devices

Embedded devices are specialized computing systems designed to perform specific tasks or functions within a larger system. Unlike general-purpose computers, embedded devices are typically integrated into other devices or systems and are dedicated to carrying out a specific set of functions. They are often characterized by their compact size, low power consumption, and optimized performance for their intended application.

Embedded devices can be found in various domains and industries, including consumer electronics, automotive, healthcare, industrial automation, telecommunications, and IoT (Internet of Things). Examples of embedded devices include:

  1. Smartphones and tablets: These devices integrate multiple functionalities such as communication, multimedia, and internet access into a portable form factor.
  2. Home appliances: Devices like refrigerators, washing machines, and thermostats may contain embedded systems that control their operations and offer smart features.
  3. Industrial control systems: Embedded devices are widely used in manufacturing plants and industrial environments to monitor and control processes, machinery, and equipment.
  4. Automotive systems: Embedded devices are essential components in modern vehicles, managing functions such as engine control, entertainment systems, safety features, and navigation.
  5. Medical devices: Embedded systems are utilized in various medical equipment, such as patient monitoring devices, implantable devices, and diagnostic tools.
  6. IoT devices: These are interconnected devices that gather, transmit, and process data. Examples include smart home devices, wearable devices, and environmental sensors.

Embedded devices typically consist of hardware components (such as microprocessors, memory, and sensors) and software (including operating systems, firmware, and application software) tailored to perform specific tasks efficiently. They are designed to operate reliably in often resource-constrained environments and are subject to specific security and safety considerations based on their application domain.

Overall, embedded devices serve as the backbone of numerous technological advancements, enabling automation, connectivity, and enhanced functionality in various sectors.

Embedded devices have become an integral part of our daily lives, powering everything from smartphones and smart home devices to critical infrastructure and industrial systems. However, their proliferation also brings forth significant security concerns. Ensuring the security of embedded devices is of paramount importance to protect against potential vulnerabilities and mitigate the risks of cyber threats. This article explores the key challenges surrounding the security of embedded devices and highlights the measures needed to fortify their defenses.

The Unique Security Challenges:
Embedded devices face several unique security challenges that differentiate them from traditional computing systems:

1. Resource Constraints: Many embedded devices have limited computational power, memory, and energy resources. This poses challenges in implementing robust security mechanisms without impacting the device’s performance or battery life.

2. Long Lifecycles: Embedded devices often have long lifecycles, meaning they remain in operation for extended periods. Ensuring security over such durations necessitates proactive measures, including regular software updates and patch management.

3. Diverse Ecosystems: Embedded devices interact with a diverse range of software and hardware components, creating a complex ecosystem that requires careful consideration of security across all layers, from hardware to firmware and software.

Enhancing Security in Embedded Devices:
To bolster the security of embedded devices, the following measures should be implemented:

1. Secure Booting: Enforcing secure booting mechanisms ensures that only trusted and authenticated software components are loaded during the boot process. This prevents the execution of unauthorized or malicious code, establishing a foundation of trust in the device’s software stack.

2. Code and Data Encryption: Implementing strong encryption algorithms safeguards sensitive data stored on embedded devices, as well as the communication channels they utilize. Encryption helps protect against unauthorized access and data breaches, ensuring the confidentiality and integrity of the device and its data.

3. Robust Authentication: Strong authentication mechanisms, such as multifactor authentication or biometrics, should be employed to verify the identity of users or external systems attempting to access or interact with the device. This prevents unauthorized access and reduces the risk of compromise.

4. Regular Software Updates: Timely and regular software updates are crucial for patching security vulnerabilities and addressing emerging threats. Embedded device manufacturers should provide updates throughout the device’s lifecycle, ensuring that security patches and fixes are deployed promptly.

5. Secure Communications: Implementing secure communication protocols, such as Transport Layer Security (TLS) or Virtual Private Networks (VPNs), protects data transmitted between embedded devices and external systems, safeguarding against interception and tampering.

6. Vulnerability Management: Regular vulnerability assessments and penetration testing should be conducted to identify and address potential weaknesses in embedded devices. This proactive approach helps identify and remediate vulnerabilities before they can be exploited by attackers.

7. Secure flashing: regular software updates don’t bring too much if there are no mechanisms to ensure that the updates are authentic. This mechanisms checks that the delivered updates are signed by the producer of the device and therefor secure to deploy.

We will be addressing in several articles some of these unique challenges they present : secure booting, implementing encryption and authentication, software updates, secure flashing, secure communications, vulnerability management.

 

The post Strengthening the Security of Embedded Devices first appeared on Sorin Mustaca on Cybersecurity.

The Automotive industry’s inadequate approach towards software (in the cars)

Introduction

The automotive industry has witnessed a paradigm shift with the increasing integration of software in vehicles.

Modern cars are no longer just mechanical devices with a motor, wheels and steering; they are now sophisticated machines having dozens of CPUs (called ECU), entire computers, high speed network to connect them (called CAN-bus) and relying on complex highly distributed software systems.

In my opinion, the industry fails to adapt to this new reality and fully embrace the concept of cars as hardware running software has significant consequences.

This may sound contradictory at first, on one side they have these complex systems, on the other side they fail to adapt to this reality.

In this article, I will explore how the automotive industry is not dealing correctly with this transformation and its potential implications.

 

Limited Focus on Software Development and Updates

Traditionally, the automotive industry has primarily focused on hardware design and manufacturing, treating software as a necessary mean to make the hardware work.

This approach results in a lack of emphasis on software development practices and updates capabilities.

While cars are becoming more connected and dependent on software for various functionalities, manufacturers often overlook the importance of continuous software improvements and security updates.

How often do you update the software of your car? Maybe once a year in the best case, usually once every several years or not at all.

It’s not all bad, but think of how many times does Open SSL get updated in a year. Theoretically you should see an update every few months.

 

Insufficient Over-the-Air (OTA) Update Capabilities

Related to updates, Over-the-Air (OTA) updates have gained prominence in the software industry as an efficient means of delivering software fixes, updates, and new features directly to users.

However, the automotive industry has been slow to adopt OTA capabilities on a widespread scale out of their own will.

Limited OTA functionality not only hampers the ability to address software vulnerabilities promptly but also restricts the potential for delivering new features and enhancements to vehicles post-purchase.

Fortunately, there are many initiatives to solve this and even legislation (UNECE R 155 and R 156) that started to make software updates mandatory for releasing new car types.

 

Slow Adoption of Agile SW Development Processes

Agile software development methodologies have become the norm in the software industry due to their flexibility and iterative nature.

However, the automotive industry lags behind in adopting these practices. And this is politically correct formulated.

The OEMs are still working with the V-Model, despite the fact that you hear them talking about sprints, iterations, Scrum, XP programming. All these are actually implemented with small V runs and have little to nothing to do with agility.

The slow pace of development and release cycles in the automotive sector hinders the quick implementation of software fixes and feature enhancements.

This delay not only frustrates customers but also puts their safety at risk by keeping potentially critical issues unresolved for extended periods.

Lack of Consumer Education and Awareness

The general public’s understanding of cars as hardware running software is limited. First when TESLA became an important OEM, the entire world  started to understand how important software is in a car.

Immediately after has the automotive industry started to feel threatened by it and they started to invest more in software, more particularly, in improving the user experience of their cars.

If I make a comparison with the mobile phones in the early 2000, the TESLA is the iPhone while the other OEMs were Nokia and the others. We all know what happened to Nokia because they did not move faster.

Consumers must continue to push the OEMs to enhance the software of their cars, but this is a slow process, because the cars with good software are expensive, and people with money usually don’t look first at the software capabilities of their cars.

 

Inadequate Cybersecurity Measures

As cars become increasingly connected and autonomous, they become vulnerable to cyber threats.

Unfortunately, the automotive industry has been sluggish in implementing robust cybersecurity measures to protect vehicles from potential attacks.

Insufficient attention to software security leaves vehicles open to hacking, which can lead to unauthorized access, data breaches, or even physical harm.

The industry must prioritize cybersecurity and invest in proactive measures to safeguard vehicles and their occupants.

Because cybersecurity is hard to implement, very expensive and requires specialized personnel, no OEM was willing improving their cybersecurity.

This is the reason why the UNECE R155 requires now a Cybersecurity Management System (CSMS) audit in order to allow new vehicle types.

 

If you are an OEM or subcontractor (Tier 1-N) then you may want to know that Endpoint Cybersecurity is offering consulting on how to implement such a CSMS and make it auditable.

Lack of standards

Same as for computers, the IT industry started to exponentially increase only after there were good reasons to use computers. Only after the Internet became main stream have businesses, regular people and families started to buy computers.  So communication or inter-communication was and still is a main factor to buy hardware.

The same is happening with cars: people start to see the need for software in cars and now they start asking for better software. This can only happen if there is a market for software, but to create a market you need standards.

Android Auto and  Apple Car are standards that allow 3rd parties to create apps for the cars, but the offer is extremely small and not really relevant.

In my opinion, only when cars can exchange data either directly (Vehicle to Vehicle communication – V2V) or through some infrastructure (V2I) on a large scale will we see a significant increase in software demand.
Unfortunately, the lack of standards for communication between vehicles is making this process extremely slow.

 

Conclusion

The automotive industry’s failure to fully embrace the concept of cars as hardware running very complex software has far-reaching consequences on the long term.

By neglecting software development, cybersecurity, and collaboration with software experts, OEMs put customer safety and satisfaction at risk. Classical OEMs have started to see too late that better software means more sales and more satisfied customers and reacted too slow to find solutions.

The limited adoption of agile development processes and inadequate OTA update capabilities further hinder progress in this domain.

To address these challenges, the industry must prioritize software as an integral part of vehicle design and manufacturing, invest in cybersecurity measures, foster collaboration with software experts, and educate consumers about the software-driven nature of modern cars.

Only through a comprehensive and proactive approach can the automotive industry truly unlock the potential of cars as hardware running software.

The post The Automotive industry’s inadequate approach towards software (in the cars) first appeared on Sorin Mustaca on Cybersecurity.

ChatGPT and automotive cybersecurity #2/2: TISAX certification

This is the 2nd post about Automotive Cybersecurity.

Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them.

 

First post was about CSMS and ISO 21434 and this one is about TISAX.

 

Query:

Tell me about challenges in TISAX certification 

 

ChatGPT:

“TISAX (Trusted Information Security Assessment Exchange) is a security assessment and certification process for automotive suppliers. The certification is used to evaluate and ensure the information security capabilities of companies in the automotive sector.

There are several challenges associated with TISAX certification:

  • Complex requirements: TISAX has extensive and complex security requirements that can be difficult to understand and implement. Companies may struggle to meet these requirements and may need help from experts to achieve certification.
  • Resource constraints: Implementing the security measures required for TISAX certification can be resource-intensive and time-consuming. This can be especially challenging for small or medium-sized businesses.
  • Technical difficulties: Companies may face technical challenges in implementing the necessary security controls, particularly if their existing systems are not well-suited to the TISAX requirements.
  • Cost: The cost of TISAX certification can be significant, and this may be a challenge for companies with limited budgets.
  • Maintenance: TISAX certification must be maintained, and companies must continually evaluate and improve their security controls to stay certified. This can be a challenge, as the threat landscape is constantly evolving and new risks emerge.

Overall, TISAX certification requires a substantial investment of time, resources, and expertise, but it is considered an important aspect of information security for companies operating in the automotive sector.”

 

So, I have to say that this impressed me a bit …

I have always difficulties explaining to my customers why is it so hard to pass the TISAX audit.

It is all true, and actually it is quite a challenge to get companies to commit to a long term cooperation with a consulting company, which can help them understand the requirements and teach them how to apply them.

 

Conclusion: 

I will get back to ChatGPT from time to time and try to get such short descriptions for various things I need.

The post ChatGPT and automotive cybersecurity #2/2: TISAX certification first appeared on Sorin Mustaca on Cybersecurity.

ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434

As promised, I played more with ChatGPT and this time I started to dig a bit into cybersecurity for automotive.

Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them.

Unfortunately, nothing dramatically new, a form of what a google search gives you. However, the model answered something interesting about TISAX, which usually I, as a human would probably answer.  ( No, this post is not written by ChatGPT: 🙂   )

 

Here it is:

 

Query:

Tell me about CSMS from ISO 21434

 

ChatGPT:

CSMS (Cybersecurity Management System) is a framework for managing cybersecurity within an organization, as defined in ISO 21434. ISO 21434 is an international standard for automotive cybersecurity that provides guidelines for the development and implementation of cybersecurity measures in the automotive sector.
CSMS is designed to help organizations manage cybersecurity risks and protect against cyber threats.

It is based on the same principles as other management systems, such as quality management or environmental management, and provides a structured approach to managing cybersecurity.

The framework covers a range of cybersecurity-related activities, including:

  • Threat identification and assessment
  • Risk management
  • Security controls and measures
  • Incident management
  • Continuous improvement

CSMS is designed to be flexible and adaptable, allowing organizations to tailor the framework to meet their specific needs and requirements.

The standard also provides a basis for certification, enabling organizations to demonstrate their commitment to cybersecurity and their ability to effectively manage cybersecurity risks.

In summary, CSMS from ISO 21434 provides a comprehensive framework for managing cybersecurity and is an important aspect of information security for organizations operating in the automotive sector.”

 

This text is not returned by a google search. If I search the exact same terms, google returns me a bunch of links and ads (4 Ads, 9 links, 1 ad) and some Youtube videos.

So, is this text relevant?

Yes, it is a very good summary. I will actually use it in the offerings of my company.

 

 

Part #2 is about “TISAX certification”.

 

The post ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434 first appeared on Sorin Mustaca on Cybersecurity.

A brief history of software vulnerabilities in vehicles (Update 2023)

Updated in 2023:

  • 2023: Sam Curry: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
    • Kia, Honda, Infiniti, Nissan, Acura
      • Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number
      • Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address)
      • Ability to lock users out of remotely managing their vehicle, change ownership
        • For Kia’s specifically, we could remotely access the 360-view camera and view live images from the car
    • Mercedes-Benz
      • Access to hundreds of mission-critical internal applications via improperly configured SSO, including…
        • Multiple Github instances behind SSO
        • Company-wide internal chat tool, ability to join nearly any channel
        • SonarQube, Jenkins, misc. build servers
        • Internal cloud deployment services for managing AWS instances
        • Internal Vehicle related APIs
      • Remote Code Execution on multiple systems
      • Memory leaks leading to employee/customer PII disclosure, account access
    • Hyundai, Genesis
      • Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address
      • Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address)
      • Ability to lock users out of remotely managing their vehicle, change ownership
    • BMW, Rolls Royce
      • Company-wide core SSO vulnerabilities which allowed us to access any employee application as any employee, allowed us to…
        • Access to internal dealer portals where you can query any VIN number to retrieve sales documents for BMW
        • Access any application locked behind SSO on behalf of any employee, including applications used by remote workers and dealerships
    • Ferrari
      • Full zero-interaction account takeover for any Ferrari customer account
      • IDOR to access all Ferrari customer records
      • Lack of access control allowing an attacker to create, modify, delete employee “back office” administrator user accounts and all user accounts with capabilities to modify Ferrari owned web pages through the CMS system
      • Ability to add HTTP routes on api.ferrari.com (rest-connectors) and view all existing rest-connectors and secrets associated with them (authorization headers)
    • Spireon
      • Multiple vulnerabilities, including:
        • Full administrator access to a company-wide administration panel with ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash/update device firmware
        • Remote code execution on core systems for managing user accounts, devices, and fleets. Ability to access and manage all data across all of Spireon
        • Ability to fully takeover any fleet (this would’ve allowed us to track & shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles, e.g. “navigate to this location”)
        • Full administrative access to all Spireon products, […]
        • In total, there were…
          • 15.5 million devices (mostly vehicles)
          • 1.2 million user accounts (end user accounts, fleet managers, etc.)
    • Ford
      • Full memory disclosure on production vehicle Telematics API discloses
        • Discloses customer PII and access tokens for tracking and executing commands on vehicles
        • Discloses configuration credentials used for internal services related to Telematics
        • Ability to authenticate into customer account and access all PII and perform actions against vehicles
      • Customer account takeover via improper URL parsing, allows an attacker to completely access victim account including vehicle portal
    • Reviver
      • Full super administrative access to manage all user accounts and vehicles for all Reviver connected vehicles. An attacker could perform the following:
        • Track the physical GPS location and manage the license plate for all Reviver customers (e.g. changing the slogan at the bottom of the license plate to arbitrary text)
        • Update any vehicle status to “STOLEN” which updates the license plate and informs authorities
        • Access all user records, including what vehicles people owned, their physical address, phone number, and email address
        • Access the fleet management functionality for any company, locate and manage all vehicles in a fleet
    • Porsche
      • Ability to send retrieve vehicle location, send vehicle commands, and retrieve customer information via vulnerabilities affecting the vehicle Telematics service
    • Toyota
      • IDOR on Toyota Financial that discloses the name, phone number, email address, and loan status of any Toyota financial customers
    • Jaguar, Land Rover
      • User account IDOR disclosing password hash, name, phone number, physical address, and vehicle information
    • SiriusXM
      • Leaked AWS keys with full organizational read/write S3 access, ability to retrieve all files including (what appeared to be) user databases, source code, and config files for Sirius

Car Hacking News Timeline 2017-2019 [1]

  • 2019: Hack of an OEM’s automotive cloud via third-party services and tier-1 supplier network
  • 2019: Memory vulnerability at a cloud provider exposed data incl. passwords, API keys, and tokens
  • 2019: A malware infection caused significant production disruption at a car parts manufacturer
  • 2019: Vehicle data exposed during registration allowed for remote denial-of-service attacks on cars
  • 2019: Malware infected the back end, making laptops installed in police cars unusable
  • 2018: An ex-employee breached the company network and downloaded large volumes of personal information
  • 2018: Cloud servers hacked and used for cryptomining
  • 2018: Researchers exploited vulnerabilities of some infotainment systems and gained control of microphones, speakers, and navigation systems
  • 2018: Security issues discovered in 13 car-sharing apps
  • 2018: Researchers demonstrated >10 vulnerabilities in various car models, gaining local and remote access to infotainment, telematics, and CAN buses
  • 2018: EV home chargers could be controlled by accessing the home Wi-Fi network
  • 2017: Rental car companies exposed personal data
  • 2017: Ransomware caused the stop of production across several plants

Car Hacking News Timeline 2002-2015 [2]

 

 

 

Sources:

  1. McKinsey – Cybersecurity in automotive
  2. https://www.iamthecavalry.org/domains/automotive/
  3. https://smart.gi-de.com/automotive/brief-history-car-hacking-2010-present/

Portfolio Items