﻿WEBVTT

NOTE This file was exported by MacCaption version 7.0.06 to comply with the WebVTT specification dated March 27, 2017.

00:00:06.089 --> 00:00:11.637 align:center line:-1 position:50% size:67%
Penetration testing is a process that an automaker
or a Tier 1 supplier will go through

00:00:11.637 --> 00:00:15.974 align:center line:-1 position:50% size:38%
to verify the security
of a component or a vehicle.

00:00:15.974 --> 00:00:21.396 align:center line:-1 position:50% size:67%
That vehicle or that component
will have somebody creatively trying to circumvent

00:00:21.396 --> 00:00:25.484 align:center line:-1 position:50% size:47%
the mitigations that are put in place
to prevent unauthorized access

00:00:25.484 --> 00:00:28.487 align:center line:-1 position:50% size:44%
to that component
or that subsystem of the vehicle.

00:00:28.487 --> 00:00:33.450 align:center line:-1 position:50% size:63%
Functional safety and automotive cybersecurity
both use the automotive V-model.

00:00:33.450 --> 00:00:37.746 align:center line:-1 position:50% size:67%
They both use the automotive V-model in a similar
way in that on the left side of that V-model,

00:00:37.746 --> 00:00:42.000 align:center line:-1 position:50% size:57%
you are designing in mitigations
to prevent something bad from happening,

00:00:42.000 --> 00:00:45.796 align:center line:-1 position:50% size:56%
and then on the right side of that V-model,
you are testing to verify

00:00:45.796 --> 00:00:48.924 align:center line:-1 position:50% size:36%
that those mitigations
are in place and functional.

00:00:48.924 --> 00:00:53.136 align:center line:-1 position:50% size:57%
With functional safety, you only have to run
through that sequence once.

00:00:53.136 --> 00:00:55.055 align:center line:-1 position:50% size:56%
The brakes on your car, they do not change

00:00:55.055 --> 00:00:57.975 align:center line:-1 position:50% size:47%
from the time that they are designed
to the time that you are using them.

00:00:57.975 --> 00:01:01.103 align:center line:-1 position:50% size:45%
Cybersecurity, on the other hand,
is an ever-changing landscape.

00:01:01.103 --> 00:01:03.272 align:center line:-1 position:50% size:38%
New threats are popping up,

00:01:03.272 --> 00:01:07.067 align:center line:-1 position:50% size:44%
software updates are introducing
potentially new vulnerabilities,

00:01:07.067 --> 00:01:10.279 align:center line:-1 position:50% size:41%
and every time you introduce
that potential new vulnerability,

00:01:10.279 --> 00:01:15.742 align:center line:-1 position:50% size:61%
you have to test to verify that that vulnerability
is still secure in your vehicle.

00:01:15.742 --> 00:01:19.162 align:center line:-1 position:50% size:49%
In the automotive V-model,
when you look at penetration testing,

00:01:19.162 --> 00:01:23.166 align:center line:-1 position:50% size:43%
penetration testing is something
that you do to verify

00:01:23.166 --> 00:01:27.879 align:center line:-1 position:50% size:47%
that a system is not easily hackable.

00:01:27.879 --> 00:01:31.591 align:center line:-1 position:50% size:48%
What we are really looking at
is verification and validation testing.

00:01:31.591 --> 00:01:34.636 align:center line:-1 position:50% size:45%
Verification and validation testing,
what you are looking at

00:01:34.636 --> 00:01:38.682 align:center line:-1 position:50% size:59%
is you are looking at verifying
that those mitigations that you have in place

00:01:38.682 --> 00:01:41.018 align:center line:-1 position:50% size:54%
are still in place after a software update,

00:01:41.018 --> 00:01:44.646 align:center line:-1 position:50% size:60%
they are still in place after something changed,
after a new threat emerged.

00:01:44.646 --> 00:01:50.610 align:center line:-1 position:50% size:58%
As part of that iterative process of testing
the vehicle or the vehicle's subcomponents

00:01:50.610 --> 00:01:55.574 align:center line:-1 position:50% size:65%
after a new threat is introduced or after
you have introduced some kind of software update,

00:01:55.574 --> 00:01:59.328 align:center line:-1 position:50% size:55%
automation and regression testing is key.

00:01:59.328 --> 00:02:02.956 align:center line:-1 position:50% size:59%
Regression testing is looking
at all of the things that you have already tested

00:02:02.956 --> 00:02:10.130 align:center line:-1 position:50% size:57%
and verifying that those tests are still
applicable in the ever-changing landscape.

00:02:10.130 --> 00:02:15.344 align:center line:-1 position:50% size:64%
The automation piece is a way
that you can incorporate that regression testing,

00:02:15.344 --> 00:02:19.056 align:center line:-1 position:50% size:41%
work that you have already done,
in a way that is easy to do

00:02:19.056 --> 00:02:24.936 align:center line:-1 position:50% size:65%
and it does not require a guide to do the same test
day after day, update after update.

00:02:24.936 --> 00:02:30.734 align:center line:-1 position:50% size:60%
Having a database of threats and controls
is a way that automakers and Tier 1 suppliers

00:02:30.734 --> 00:02:36.865 align:center line:-1 position:50% size:54%
can look at what has already been done
in the realm of cybercrime.

00:02:36.865 --> 00:02:40.285 align:center line:-1 position:50% size:55%
Cybercriminals are intelligent individuals.

00:02:40.285 --> 00:02:44.289 align:center line:-1 position:50% size:68%
They understand that a lot of the things
that they want to do have already been done before,

00:02:44.289 --> 00:02:48.335 align:center line:-1 position:50% size:39%
and so they will go
to these types of repositories

00:02:48.335 --> 00:02:52.798 align:center line:-1 position:50% size:45%
and they will find ways to use that
to break into a vehicle.

00:02:52.798 --> 00:02:56.176 align:center line:-1 position:50% size:51%
The automaker and the Tier 1 supplier,
having already verified

00:02:56.176 --> 00:02:58.970 align:center line:-1 position:50% size:41%
that those types of repositories
are secured against,

00:02:58.970 --> 00:03:01.598 align:center line:-1 position:50% size:44%
makes it that much more difficult
for the cybercriminal

00:03:01.598 --> 00:03:03.934 align:center line:-1 position:50% size:50%
to have an effect on their bottom line.

00:03:03.934 --> 00:03:06.686 align:center line:-1 position:50% size:44%
Verification and validation testing

00:03:06.686 --> 00:03:10.857 align:center line:-1 position:50% size:54%
is one of the most important aspects
of a cybersecurity management system,

00:03:10.857 --> 00:03:15.612 align:center line:-1 position:50% size:58%
and it is something that, as we have discussed
already, is an iterative process.

00:03:15.612 --> 00:03:20.867 align:center line:-1 position:50% size:60%
Being able to iterate that in some kind of way
that does not involve a human being,

00:03:20.867 --> 00:03:25.580 align:center line:-1 position:50% size:41%
having an automation platform
that is capable of testing

00:03:25.580 --> 00:03:28.291 align:center line:-1 position:50% size:39%
against the vulnerabilities
that you already know about,

00:03:28.291 --> 00:03:30.794 align:center line:-1 position:50% size:46%
the vulnerabilities
that you have already tested against,

00:03:30.794 --> 00:03:33.213 align:center line:-1 position:50% size:41%
on an update-by-update basis,

00:03:33.213 --> 00:03:36.591 align:center line:-1 position:50% size:64%
is crucial to having
an effective cybersecurity management system.

00:03:36.591 --> 00:03:39.719 align:center line:-1 position:50% size:43%
As cars become more and more
electronically controlled,

00:03:39.719 --> 00:03:43.807 align:center line:-1 position:50% size:61%
a vehicle test bench is something that
we are seeing being used in the industry today.

00:03:43.807 --> 00:03:47.102 align:center line:-1 position:50% size:41%
A vehicle test bench has all
of the electronic control units,

00:03:47.102 --> 00:03:52.357 align:center line:-1 position:50% size:52%
telematics control units,
and networks that exist within a vehicle

00:03:52.357 --> 00:03:54.276 align:center line:-1 position:50% size:36%
in a compact environment.

00:03:54.276 --> 00:03:57.988 align:center line:-1 position:50% size:48%
The biggest thing
that the vehicle test bench provides

00:03:57.988 --> 00:04:03.910 align:center line:-1 position:50% size:52%
that a full-size vehicle does not provide
is a way to do testing in a small space.

00:04:03.910 --> 00:04:06.037 align:center line:-1 position:50% size:57%
When we talk about stuff like type approval

00:04:06.037 --> 00:04:09.249 align:center line:-1 position:50% size:38%
and having type approval
for the different levels of car,

00:04:09.249 --> 00:04:13.795 align:center line:-1 position:50% size:43%
as your car's trim level goes up,
its vehicle type might change.

00:04:13.795 --> 00:04:17.841 align:center line:-1 position:50% size:44%
Using a test bench,
we can test against cyber threats

00:04:17.841 --> 00:04:22.345 align:center line:-1 position:50% size:52%
without having the full vehicle available
at any given time.

