The Internet of Things on AWS – Official Blog
Ten security golden rules for connected mobility solutions
Introduction
Connected mobility solutions are driving changes in the automotive industry. With remote commands, sensors, cameras, artificial intelligence, and 5G mobile networks, vehicles have become increasingly smart and connected. While connected mobility solutions deliver significant customer value, they also introduce new risks to security, safety, and privacy that must be properly managed.
Automakers need to consider cybersecurity as an integral part of their core business and securely design vehicle platforms and related digital mobility services from the start. To help automotive original equipment manufacturers (OEMs) and suppliers balance innovation and risk with connected vehicles, AWS published a set of reference architectures for building connected vehicle platforms with AWS IoT. The guidance recommends a multi-layered approach, captured in the following ten security golden rules for connected mobility solutions on AWS.
1. Conduct a security risk assessment with a common framework to address regulatory and internal compliance requirements
- Before taking advantage of IT technologies in connected vehicles, AWS recommends conducting a cybersecurity risk assessment so that the risks, gaps, and vulnerabilities are fully understood and can be proactively managed. Determine the controls needed to meet automotive regulatory requirements (such as the UN Regulations 155 and 156) and your internal requirements. Create and maintain an up-to-date threat model for cloud resources and a Threat Analysis Risk Assessment (TARA) for relevant in-vehicle components. Standards such as ISO 21434, NIST 800-53, and ISO 27001 provide useful guidance.
- Vehicle OEMs should consider the risks of consumers bringing aftermarket devices (e.g. insurance dongles) and personal equipment (e.g. mobile phones) into vehicles and connecting them to vehicle systems through the interfaces manufacturers provide.
- In-vehicle network segmentation and isolation techniques should be used to limit connections between wireless-connected ECUs and low-level vehicle control systems, particularly those controlling safety critical functions, such as braking, steering, propulsion, and power management.
- Always let the vehicle establish connectivity to a trusted endpoint (e.g. MQTT over TLS) to send data and receive commands, and don’t allow incoming connection attempts.
- For closed loop operations where commands are sent from the cloud to the vehicle such as remotely unlocking a vehicle, additional rigor is needed with security controls and testing.
The following resources can be useful:
- AWS Compliance programs and offerings
- Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS resources in a logically isolated virtual network that you define.
- AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon VPCs.
- AWS Control Tower to automate the setup of a new landing zone using best-practices blueprints for identity, federated access, and account structure.
- How to approach threat modeling blog post on the AWS Security blog
2. Maintain an asset inventory of all hardware and software on vehicles
- Create and maintain an asset inventory for all hardware and software on vehicles, which can act as the system of record and single source of truth for connected vehicle fleets, along with their major characteristics such as make and model, VIN mapped to ECU ID or ESN, and their hardware and software configurations.
- Categorize assets based on their function (safety critical, vehicle control system, vehicle gateway, etc.), whether software updates can be applied (patchable vs. non-patchable), and network design (designed for open or closed networks), so that you are aware of their criticality and their ability to support modern security controls. Apply compensating controls to mitigate risk if needed.
- Create and maintain an up-to-date in-vehicle network architecture showing how these systems are interconnected along with their relationships (asset hierarchies), and conduct a network security architecture review.
- Follow the NHTSA Cybersecurity Best Practices for the Safety of Modern Vehicles, in particular the guidance in Section 4.2.6 on Inventory and Management of Hardware and Software Assets on Vehicle. Maintain a software bill of materials (SBOM) to improve the visibility, transparency, security, and integrity of code in software supply chains using industry standards such as SPDX and CycloneDX.
The following resources can be useful:
- AWS IoT Device Management for devices connected to AWS IoT Core.
- AWS Systems Manager Inventory for cloud instances and on-premises computers.
- AWS IoT Device Management Software Package Catalog for maintaining an inventory of software packages and their versions.
- NHTSA Cybersecurity Best Practices for the Safety of Modern Vehicles
3. Provision each electronic control unit (ECU) with unique identities and credentials and apply authentication and access control mechanisms. Use industry standard protocols for communication between vehicle and cloud services
- Assign a unique identity to each ECU and modern IoT device so that when an ECU/device connects to cloud services, it must authenticate using credentials such as an X.509 certificate and its corresponding private key, security tokens, or other credentials.
- Create mechanisms to facilitate the generation, distribution, validation, rotation, and revocation (such as using OCSP or CRL for X.509 certificates) of credentials.
- Establish a root of trust by using hardware-protected modules such as Trusted Platform Modules (TPMs) if available on the device. Store secrets such as private keys in specialized protected modules like HSMs.
- Use industry standard protocols like MQTT, which is a lightweight messaging protocol designed for constrained devices.
- Where possible, use TLS versions 1.2 or 1.3 for encryption in transit to get enhanced security.
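The per-ECU identity and revocation flow described in this rule, as an added Go example that is not code from the post or from AWS: a fleet CA (standing in for AWS Private CA) issues one Ed25519 client certificate per ECU whose subject binds a constructed VIN and ECU ID, publishes a CA-signed CRL, and the cloud side checks chain, usage and revocation before trusting the identity. It assumes only the Go standard library (1.19 or later); the function names, the CA name and the VIN values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair and certificate for cn: a self-signed fleet CA when ca == nil (AWS Private CA in
// production), otherwise an ECU client certificate. A real ECU generates its key inside a secure element.
func issue(cn string, serial int64, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	parent, signer := ca, caKey
	if ca == nil { // the CA signs certificates and CRLs and never authenticates as a client
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// revoke publishes a CA-signed CRL naming the serial of a compromised or decommissioned ECU.
func revoke(ca *x509.Certificate, caKey ed25519.PrivateKey, serial int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: time.Now()}}}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil { panic(err) }
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// authenticateECU is the cloud-side check on a presented client certificate: the CRL must be signed by our
// CA, the certificate must chain to that CA with client-auth usage, and its serial must not be on the CRL.
func authenticateECU(cert, ca *x509.Certificate, crl *x509.RevocationList) error {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("untrusted CRL: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("untrusted identity: %w", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("revoked identity %s", cert.Subject.CommonName)
		}
	}
	return nil
}
```

A constructed run: call issue with ca == nil for the fleet CA, issue ECU certificates from it, revoke one serial, and pass each certificate to authenticateECU; only an unrevoked certificate that chains to the fleet CA returns nil.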
The following resources can be useful:
- Security and Identity for AWS IoT
- Amazon Cognito is a service that provides authentication, authorization, and user management for your web and mobile apps.
- AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely.
- Guidance on updating changing certificate requirements with AWS IoT Core.
- AWS Private CA – AWS Private CA enables creation of private certificate authority (CA) hierarchies, including root and subordinate CAs, without the investment and maintenance costs of operating an on-premises CA.
4. Prioritize and implement vulnerability management for connected vehicles and define appropriate update mechanisms for software and firmware updates
- As the adoption and complexity of software increases, so does the number of defects, some of which will be exploitable vulnerabilities. While addressing vulnerabilities, prioritize by criticality (CVSS score, for example), patching the most critical assets first.
- Have a mechanism to push software and firmware to devices in vehicles to patch security vulnerabilities and improve device functionality.
- Verify the authenticity and integrity of the software before running it, ensuring that it comes from a reliable source (signed by the vendor) and that it was obtained in a secure manner.
- Ensure that software updates can only be performed when the vehicle has entered a safe state and are additionally confirmed by the user.
- Maintain an inventory of the deployed software across your connected device fleet, including versions and patch status.
- Monitor the status of deployments throughout your connected vehicle fleet, investigate any failed or stalled deployments, and notify stakeholders when your infrastructure can’t deploy security updates to your fleet.
- Be aware of the scope and requirements of regulations such as UNR 156 on vehicle software update and standards like ISO 24089 on software update engineering.
The following resources can be useful:
- Amazon FreeRTOS Over-the-Air (OTA) Updates
- AWS IoT Greengrass Core Software OTA Updates
- AWS IoT jobs to define a set of remote operations that you send to and execute on one or more devices connected to AWS IoT.
- AWS Key Management Service (KMS) enables you to easily create and control the keys used for cryptographic operations in the cloud. You can use an asymmetric private key stored in AWS KMS to sign software packages and signatures can be verified by the ECU using the corresponding public key.
- AWS IoT Device Management Software Package Catalog for maintaining an inventory of software packages and their versions, which integrates with AWS IoT jobs.
5. Protect data in the vehicle and in the cloud by encrypting data at rest and create mechanisms for secure data sharing, governance, and sovereignty
- Encrypt data at rest on the vehicle and in the cloud; combined with appropriate access controls, encryption reduces the risk of unauthorized access.
- Identify and classify data collected throughout your connected vehicle system based on the risk analysis discussed previously.
- Monitor and apply integrity checks to production data at rest to identify potential unauthorized data modification.
- Consider privacy and transparency expectations of your customers and corresponding legal requirements in the jurisdictions where you manufacture, distribute, and operate your connected vehicles.
The following resources can be useful:
- AWS Data Privacy
- Protecting data at rest in the Security Pillar of the AWS Well-Architected Framework.
- Amazon Macie to discover and protect sensitive data at scale.
- AWS Compliance programs and offerings
6. Whenever possible, encrypt all data in transit, and when using insecure protocols in-vehicle, the gateway ECU can be used as a secure bridge to the cloud.
- In addition to transport layer security, consider encrypting sensitive data client-side before sending it to back-end systems.
- Protect the confidentiality and integrity of inbound and outbound network communication channels that you use for data transfers, monitoring, administration, provisioning, and deployments by selecting modern internet native cryptographic network protocols.
- If possible, limit the number of protocols implemented within a given environment and disable default network services that are unused.
- Should the vehicle not be online when needed (e.g. to save battery), consider implementing alternative methods of triggering the vehicle to establish a connection to a trusted endpoint.
The following resources can be useful:
- AWS IoT SDKs to help you securely and quickly connect devices to AWS IoT.
- FreeRTOS Libraries for networking and security in embedded applications.
- AWS Encryption SDK – The AWS Encryption SDK is a client-side encryption library which can be used to encrypt vehicle data client-side using keys in AWS KMS before sending the data to the cloud.
- AWS KMS enables you to easily create and control the keys used for cryptographic operations in the cloud.
7. Harden all connected resources – especially internet connected resources – and establish secure connections to cloud services and remote access to connected vehicles.
- Internet-connected network resources such as ECUs and IoT devices need to be hardened per best practices such as the Auto ISAC secure design principles.
- Limit the use of network services on vehicle ECUs to essential functionality only.
- Use device certificates and temporary credentials instead of long-term credentials to access AWS services and secure device credentials at rest using mechanisms such as a dedicated crypto element or secure flash. Devices need to support hardware root of trust and secure boot.
- Isolate network traffic from the internet by establishing private connections to the cloud using private cellular networks and AWS IoT Core VPC endpoints.
The following resources can be useful:
- NIST Guide to General Server Security
- AWS IoT Greengrass hardware security
- Auto ISAC Security Development Lifecycle
- AWS PrivateLink for private connectivity to AWS services.
- AWS IoT Core Credentials Provider VPC endpoints
8. Deploy security auditing and monitoring mechanisms and centrally manage security alerts across connected vehicles and the cloud
- Implement mechanisms to detect and respond to threats and vulnerabilities in vehicle and cloud resources that may impact individual vehicles and fleets. In-vehicle networks and connected services produce data that can support detection of unauthorized attempts to access vehicle computing resources.
- Be aware of regulations such as UNR155 that require manufacturers to monitor vehicles for security events, threats, and vulnerabilities.
- Implement a monitoring solution for connected vehicles to create a network traffic baseline and monitor anomalies and adherence to the baseline.
- Perform periodic reviews of network logs, access control privileges, and asset configurations.
- Collect security logs and analyze them in real time using dedicated tools, for example, security information and event management (SIEM) solutions such as those operated within a vehicle security operations center (VSOC).
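One way to build the network traffic baseline and anomaly check this rule describes, as an added Go example that is not code from the post or from AWS IoT Device Defender: per VIN/ECU it learns the endpoints the vehicle is known to initiate connections to and its normal egress volume, then alerts on ECUs missing from the inventory (rule 2), first-seen destinations (rule 1 expects the vehicle to talk only to trusted endpoints) and egress spikes. The Flow record, the 3-sigma threshold and all sample values are constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Flow is one constructed record from the gateway ECU's egress log: bytes an ECU sent to an endpoint during a
// one-minute window. A real VSOC would derive these from AWS IoT Device Defender metrics or gateway telemetry.
type Flow struct {
	VIN, ECU, Dest string
	BytesOut       float64
}

// Baseline per VIN/ECU: endpoints the vehicle is known to initiate connections to, and its egress volume statistics.
type Baseline struct {
	Dests    map[string]bool
	Mean, Sd float64
}

func id(f Flow) string { return f.VIN + "/" + f.ECU }

// learn builds baselines from a window of known-good traffic (e.g. the first weeks after provisioning).
func learn(flows []Flow) map[string]*Baseline {
	bl, sum, sumSq, n := map[string]*Baseline{}, map[string]float64{}, map[string]float64{}, map[string]float64{}
	for _, f := range flows {
		k := id(f)
		if bl[k] == nil {
			bl[k] = &Baseline{Dests: map[string]bool{}}
		}
		bl[k].Dests[f.Dest] = true
		sum[k], sumSq[k], n[k] = sum[k]+f.BytesOut, sumSq[k]+f.BytesOut*f.BytesOut, n[k]+1
	}
	for k, b := range bl {
		b.Mean = sum[k] / n[k]
		b.Sd = math.Sqrt(math.Max(sumSq[k]/n[k]-b.Mean*b.Mean, 0)) // guard against rounding below zero
	}
	return bl
}

// detect returns one alert per flow that departs from the baseline: an ECU that is not in the inventory, a
// destination the vehicle never contacted before, or egress more than 3 sigma above its normal volume.
func detect(bl map[string]*Baseline, flows []Flow) []string {
	var alerts []string
	for _, f := range flows {
		b := bl[id(f)]
		switch {
		case b == nil:
			alerts = append(alerts, id(f)+": unknown ECU, not in the asset inventory")
		case !b.Dests[f.Dest]:
			alerts = append(alerts, id(f)+": first contact with "+f.Dest)
		case f.BytesOut > b.Mean+3*math.Max(b.Sd, 1): // floor of 1 byte keeps a flat baseline from alerting on noise
			alerts = append(alerts, fmt.Sprintf("%s: egress %.0f B/min, baseline %.0f B/min", id(f), f.BytesOut, b.Mean))
		}
	}
	return alerts
}
```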
The following resources can be useful:
- AWS IoT Device Defender to monitor and audit your fleet of IoT devices in connected vehicles.
- AWS Config to assess, audit, and evaluate the configurations of your AWS resources.
- Amazon GuardDuty to continuously monitor for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.
- AWS Security Hub to automate AWS security checks and centralize security alerts.
- Amazon CloudWatch and AWS CloudTrail for monitoring AWS resources.
9. Create incident response playbooks and build automation as your security response matures to contain events and return to a known good state
- Maintain and regularly exercise a security incident response plan to test monitoring functionality.
- Collect security logs and analyze them in real time using automated tooling. Build playbooks for unexpected findings.
- Create an incident response playbook with clearly understood roles and responsibilities. Incident response playbooks should also include preparation steps, identification/triage, containment, response, recovery, and lessons learned.
- Test incident response procedures on a periodic basis with gamedays and tabletop exercises.
- As procedures become more stable, automate their execution but maintain human interaction.
The following resources can be useful:
- AWS Security Incident Response Guide
- AWS Systems Manager provides a centralized and consistent way to gather operational insights and carry out routine management tasks.
- AWS Step Functions – AWS Step Functions allows you to create automated workflows, including manual approval steps, for security incident response related to vehicle attacks.
- AWS Security Hub to respond and contain vehicle specific findings ingested by AWS services, partners or other sources.
- Automated Security Response on AWS solution
10. Follow best practices for secure software development such as outlined in NIST publications, and ISO/SAE 21434
- Practice secure coding by “shifting left.” Conduct code reviews, and use static code analysis and dynamic application security testing when deploying and testing code in your pipeline. Apply cybersecurity controls and mechanisms as early as possible in the product lifecycle and continuously automate testing through the development and release cycle until product end of life.
- Due to the dynamic and continuously evolving nature of cybersecurity, it is important for members of the automotive industry to stay abreast of the available cybersecurity guidance, best practices, design principles, and standards based on or published by SAE International, the ASPICE framework based on ISO/IEC 33601, other ISO standards, Auto-ISAC, NHTSA, the Cybersecurity and Infrastructure Security Agency (CISA), NIST, industry associations, and other recognized standards-setting bodies, as appropriate.
- Institutionalize methods for accelerated adoption of lessons learned (e.g., vulnerability sharing) across the industry through effective information sharing, such as participation in Auto-ISAC.
The following resources can be useful:
- Choosing a Well-Architected CI/CD approach
- AWS Well-Architected Framework Application Security
- Amazon CodeGuru Security – Amazon CodeGuru Security is a static application security tool that uses machine learning to detect security policy violations and vulnerabilities.
- Check out this Complete CI/CD blog post to understand AWS CI/CD services
- AWS Well-Architected Framework, IoT Lens to design, deploy, and architect IoT workloads aligned with architectural best practices.
Conclusion
This blog post reviewed some of the best practices for keeping your connected mobility solutions secure using AWS’s multilayered security approach and comprehensive security services and features. AWS’s connected vehicle security is built on open standards and well-recognized cybersecurity frameworks. Automotive companies have a wide choice of AWS security services and the flexibility to choose from a network of security-focused partner solutions for automotive workloads offered by AWS Security Competency Partners. To learn more, go to AWS for Automotive.