Combining the above discussion of the technical discovery and classification of issues with traditional professional services models, several potential service offerings arise, each providing a different level of insight into the security of a system.
As discussed within this document, a connected vehicle will use various communications technologies and networks, and testing each of these is important. The offerings outlined below primarily target the C-V2X realm of communication, for the following reasons:
• These communications are IP-based; tooling for such testing is mature and can be automated
• Most of these communications leave the vehicle over some form of radio data network (3G/4G/LTE/5G)
• Testing facilities, such as Millbrook, are uniquely placed to offer insight into mobile network systems. Millbrook holds a licence to operate a private mobile network and has the equipment to do so. Furthermore, that equipment can be isolated from the publicly available networks, which will significantly aid the testing process.
The proposed method by which to assess the C-V2X or V2C communications of a ‘black box’ system is to perform a passive MITM capture of traffic using a private mobile network. With the CAV deliberately connected to the private network, all communications to and from the connected vehicle can be captured and inspected. The proposal is for this information to be captured in a standard format, such as a ‘.pcap’ packet capture file, that can be processed automatically as well as reviewed manually.
The expectation is that the packet captures will be analysed for security issues pertaining to the protocols in use by the system, as well as for its general resilience to a hostile network environment. These technical findings will be used to create a technical report.
However, a technical report in isolation is rarely the best way to offer insight into security issues. It is important to contextualise the technical report with the client, so that they gain the most insight from the findings. In Table 23 three tiers of assessment methodology are proposed:
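As an added illustration of the automated pass over such a capture (example code written for this section, not tooling from the testing facility), the block below builds a small constructed ‘.pcap’ with three outbound flows from a vehicle under test and classifies each TCP flow by the protocol actually observed rather than by port number, so that application data sent without TLS can be listed for the technical report. The addresses, ports and payload fragments are constructed sample values.

```python
import struct
def _ipv4_tcp(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame; checksums left at zero (fine for offline triage)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, 5 << 12, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

def build_pcap(frames):
    """Wrap raw frames in a libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

# Constructed sample: three outbound flows from the vehicle under test (10.0.0.5); not real traffic.
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp("10.0.0.5", "203.0.113.10", 40001, 443, b"\x16\x03\x01\x00\x2a"),        # TLS record
    _ipv4_tcp("10.0.0.5", "203.0.113.20", 40002, 80, b"POST /telemetry HTTP/1.1\r\n"),  # plain HTTP
    _ipv4_tcp("10.0.0.5", "203.0.113.30", 40003, 1883, b"\x10\x0c\x00\x04MQTT"),       # MQTT CONNECT
])

def triage_pcap(data):
    """Classify every TCP flow in a libpcap byte string by the protocol actually observed,
    not by port number; returns {(src, dst, dport): classification}."""
    findings, off = {}, 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
            continue
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        dport = struct.unpack_from("!HH", tcp)[1]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload[:2] == b"\x16\x03":                                   # TLS record header
            kind = "tls"
        elif payload.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"DELETE"):
            kind = "cleartext-http"
        elif payload[:1] == b"\x10" and b"MQTT" in payload[:8]:          # MQTT CONNECT
            kind = "cleartext-mqtt"
        else:
            kind = "unclassified"
        findings[(src, dst, dport)] = kind
    return findings

def cleartext_flows(findings):
    """Flows to raise in the technical report: application data sent without TLS."""
    return sorted(k for k, v in findings.items() if v.startswith("cleartext"))
```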
Table 23. Levels of Cyber Security Testing Services

Cost/Time: Base
Description:
• Automated analysis of C-V2X and V2C comms as part of a professional services or consultancy engagement
Deliverables:
• Technical report with contextualising additions
• Discussion/workshop/presentation around work conducted

Cost/Time: Medium
Description:
• Automated analysis of C-V2X and V2C comms as part of a professional services or consultancy engagement
• Comprehensive threat modelling of the system assessed
Deliverables:
• Technical report with contextualising additions
• Threat model document
• Discussion/workshop/presentation around work conducted

Cost/Time: High (variable)
Description:
• Automated analysis of C-V2X and V2C comms as part of a professional services or consultancy engagement
• Comprehensive threat modelling of the system assessed
• Further (manual) assessment of any facet of the system in agreement with the client
Deliverables:
• Technical report (of automated C-V2X and V2C testing) with contextualising additions
• Threat model document
• Technical report of the manual assessment performed
• Discussion/workshop/presentation around work conducted
The above is structured such that a client can choose the appropriate level of service, without this having an impact on the delivery of existing work.
In all cases the ‘professional services engagement’ is a discussion with the client, prior to the testing, about their black box system and its purpose. This provides the context necessary to fully discuss the technical issues identified. Another discussion will take place after the testing has been conducted, in order to discuss the results and to answer any questions the client may have.
It is important to note that for the high cost service offering, the cost will vary depending on the amount of manual testing required.
13.2. Handling an Identified Vulnerability (Table-top Exercise)
Whilst technical reports and contextualised security insight are useful to an organisation, they do nothing to improve a system’s security unless action is taken. The way in which an organisation deals with any vulnerability determines how much improvement to security occurs. Indeed, certification processes (see Section 14) will require evidence of audits and exercise of company procedures to ensure proficiency in addressing identified vulnerabilities, including the current management of security incidents.
It is proposed to offer a ‘vulnerability workshop’ exercise as a standalone/add-on to the above services. At a high level, this would revolve around various representatives of an organisation discussing how they would respond to a proposed scenario. This allows an organisation to better understand its processes and procedures in such a situation, to build relationships between the key individuals who will have to work together in difficult circumstances, and to identify where individuals’ responsibilities may end, overlap, or be entirely absent.
A ‘table-top exercise’ (conducted onsite at the testing facility) is one in which the appropriate representatives of the client organisation are presented with a variety of cyber security incident scenarios, to which they must respond as an organisation.
Examples of such scenarios could include:
• The remediation of issues from a technical report (which could be from the previously discussed services)
• The appearance of a zero-day exploit on the system, discovered via social media
• Leaking of customer data from what appears to be an internal system
• A denial of service condition, caused by an issue with a third-party supplier
The organisation will respond to the situation (being prompted by the consultant), which will evolve as the scenario progresses. Given the nature of the scenarios that can be used, a wide range of representatives from an organisation should be present, which can include:
• System engineers
• Management
• Security
• Network Operations
• Legal
• Human Resources
• Public Relations
• Customer Support
The workshop will highlight any strengths or weaknesses in an organisation’s current policies and procedures, as well as gaps which require additional investment. It will also serve as a “fire drill” for such policies. At the end of the workshop, the organisation should have a much better idea of how well equipped it is to deal with a range of cyber security scenarios, as well as how it could improve its response in the case of any future, real, incidents.
13.3. Ongoing Testing and Diagnosis
Most of the standards, best practices and guidelines recommend ongoing testing and diagnosis, for example PAS 1885 and ENISA best practice. It is well recognised that security assessment is not a one-time process, as the security situation, including the threat landscape and the security objectives, evolves.
Evaluation of the security posture of a system relies heavily on knowledge of the attack surface and threat landscape. Therefore, any update to this knowledge can change the assessment significantly. For example, attackers can find a new method that makes a low-likelihood threat more feasible. New vulnerabilities in software or hardware can also create novel surfaces through which attackers can exploit the system. Given the relations between the attack surfaces, the occurrence of any new low-risk threat may lead to significant security attacks. Consequently, it is important to understand the security knowledge on which the risk assessment is based.
This can be done firstly by maintaining a database of threats, as well as their relations, through Attack Trees. The database should provide essential information regarding the potential techniques to launch a threat or a set of threats (via Attack Trees); the impacts they can create on the system; and the relevant mitigations. Secondly, any changes in the research literature should be reflected in the database: for example, any new threats to system assets; any new combination of threats that creates a significantly increased attack impact; any new techniques that lower the barriers to launching threats; or any new method that makes a mitigation invalid or less efficient.
Ideally, version management, or version control, of any knowledge base or database is maintained. The security assessment of a system can then be mapped to a knowledge base version to aid analytics, testing traceability and reporting. Testing should indicate that the security assessment of the system is based on a certain version of the knowledge base. Version control is also important for the maintenance of other vulnerability databases such as CWE or NVD; the difference in the vehicular domain, however, is that the knowledge base maintains only attacks that have significant impacts on CAV ecosystem security.
Furthermore, the vehicles targeted by a security assessment will be recorded in a cyber security risk profile, which contains all the information relevant to the risk assessment, such as the list of critical assets, their functions, operating requirements, and the relevant threats. When there are updates to the knowledge database, the risk profiles need to be scanned to check whether the previous risk assessment assumptions still hold. The overall attack surfaces should be reassessed to identify any new risks. Meanwhile, the impacts of the relevant threats, assets, functions, and mitigations also need to be reconsidered. If there are significant changes in the risk assessment results, the testing centre needs to inform the relevant entities (manufacturers, vehicle owners, service providers, application developers, etc.) that the previous risk assessment is no longer valid. The testing centre can suggest an update to the risk assessment if a theoretical analysis is reliable, or it can schedule a reassessment if needed.
When maintaining the vulnerability databases and risk profiles, the number of test cases will grow, possibly exponentially. Automated software can be used to manage the proactive threat monitoring procedure. It is also essential to represent the system architecture, threats and risk assessment in a standard modelling language (see Section 4.2.5) so that they can be consumed by such software.
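The versioned knowledge base and risk-profile rescan described above, as an added example written for this section (not the testing centre’s own software): attack trees are AND/OR nodes over technique leaves, each risk profile records the knowledge base version it was assessed against, and a rescan against a newer version reports the threats whose feasibility has moved enough to invalidate the earlier assessment. The threat labels, feasibility scores and mitigation names are constructed, hypothetical values.

```python
from dataclasses import dataclass, field
# Attack-tree node: a leaf is one technique scored 0..1 for feasibility (higher = easier); an
# "and"/"or" node combines its children. A leaf is neutralised when one of its mitigations is in force.
@dataclass
class Node:
    name: str
    kind: str = "leaf"                       # "leaf", "and" or "or"
    feasibility: float = 0.0
    mitigated_by: frozenset = frozenset()
    children: list = field(default_factory=list)

def feasibility(node, mitigations):
    if node.kind == "leaf":
        return 0.0 if node.mitigated_by & mitigations else node.feasibility
    vals = [feasibility(c, mitigations) for c in node.children]
    return min(vals) if node.kind == "and" else max(vals)   # AND: every step; OR: easiest step

@dataclass
class KnowledgeBase:
    version: int
    trees: dict                              # threat name -> root Node

def assess(kb, vehicle, mitigations):
    """Risk profile recorded for a vehicle; the result is tied to the KB version it was based on."""
    m = frozenset(mitigations)
    return {"vehicle": vehicle, "kb_version": kb.version, "mitigations": m,
            "results": {t: feasibility(r, m) for t, r in kb.trees.items()}}

def rescan(profile, kb, tolerance=0.2):
    """Re-evaluate a stored profile against a newer KB; threats whose feasibility moved by more
    than `tolerance` (threats new to the KB count from 0) mean the old assessment no longer holds."""
    changed = {}
    for t, root in kb.trees.items():
        old, new = profile["results"].get(t, 0.0), feasibility(root, profile["mitigations"])
        if abs(new - old) > tolerance:
            changed[t] = (old, new)
    return changed

# Constructed KB versions with hypothetical threat labels (not taken from any real catalogue).
THREAT = "remote update tampering"
def kb_v1():
    return KnowledgeBase(1, {THREAT: Node("root", "and", children=[
        Node("obtain backend credential", feasibility=0.3, mitigated_by=frozenset({"mfa"})),
        Node("push unsigned image to TCU", feasibility=0.5, mitigated_by=frozenset({"signed-updates"}))])})

def kb_v2():
    kb = KnowledgeBase(2, kb_v1().trees)
    # v2 records a new technique that sidesteps the mitigation: an OR branch beside the old leaf.
    steps = kb.trees[THREAT].children
    steps[1] = Node("image delivery", "or", children=[
        steps[1], Node("bypass image signature check", feasibility=0.6)])
    return kb
```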