Length: 3 Days

Automotive Cybersecurity Test and Evaluation (T&E) Training

As the automotive industry adds more software and connections into vehicles, it simultaneously increases the probability of cyberattacks due to vulnerabilities.

Attackers can exploit software vulnerabilities in automotive software to take control of a vehicle and potentially cause serious safety damage by, for example, disabling the brakes.

Right now, the average car has about 100 million lines of software code and 100 electronic control units (ECUs), both of which provide hackers with a vast attack surface. And those two numbers are expected to expand over the next several years.

While connected cars offer abundant opportunities for consumers, automakers and their suppliers need to consider what the connected car means for consumer privacy and security. As more connected vehicles hit the roads, software vulnerabilities become accessible to malicious hackers using cellular networks, Wi-Fi, and hardline connections to exploit them.

The potential for hackers to gain unauthorized remote access to the vehicle network and compromise critical safety systems puts at risk not just users’ personal information but their physical safety as well.

Cybersecurity professionals are pretty much in agreement on this point: Vehicle manufacturers need to adopt a cybersecurity approach that addresses not only obvious exposures in their car’s software, but also the hidden vulnerabilities that could be introduced by open source or third-party components in that software.

Test and evaluation is essential to automotive cybersecurity. Static analysis (SAST), for instance, is an important tool for software developers in the auto industry to detect security bugs, such as SQL injection, cross-site scripting, and buffer overflows, in their proprietary code.

SAST, also known as white box testing, scans an application before the code is compiled.

Since it doesn’t require an application to be run or code to be executed, SAST can take place early in the software development life cycle (SDLC).

One of the most common concerns is the risk of a cyberattack on a vehicle that’s connected to a cloud or mobile platform. That’s another reason why automotive cybersecurity testing is critical to detect the vulnerability of a system’s architecture. It helps to safeguard vehicles from unauthorized access to steering controls or advanced driver assistance systems (ADAS) via over-the-air updates, infotainment systems, or mobile apps.

For example, interactive application security testing (IAST) helps automotive organizations identify and manage security risks associated with vulnerabilities discovered in running applications using dynamic testing (often referred to as runtime testing) techniques.

Some IAST solutions integrate software composition analysis (SCA) tools to address known vulnerabilities in open source components and frameworks.

Automotive Cybersecurity Test and Evaluation (T&E) Training by Tonex

Automotive Cybersecurity Test and Evaluation (T&E) Training course covers a variety of topics in cybersecurity test and evaluation such as: Introduction to cybersecurity, cybercrime, automotive security, information security, concept of test and evaluation, developmental, operational and interoperability cyber testing, software testing considerations, computer security and incident handling, wireless and server testing, information security testing and assessment, risk management framework (RMF), test and evaluation, and automotive standard for cybersecurity testing.

Tonex, a leader in industry and academia offering high-quality conferences, seminars, workshops, and exclusively designed courses in cybersecurity, is pleased to announce a complete training course on Cybersecurity Test and Evaluation (T&E), which helps you identify automotive cybersecurity requirements and ensure that those requirements are testable.

Learning Objectives

Upon completion of the Cybersecurity Test and Evaluation (T&E) training course, the attendees are able to:

  • Learn the cybersecurity issues related to automotive domain
  • List vulnerabilities, importance of data protection and approaches for cyber management
  • Learn about the concept of Test and Evaluation (T&E) for cybersecurity systems applied to automotive
  • Explain T&E processes and be able to implement T&E for information systems
  • Differentiate the developmental, operational, and interoperability cyber testing approaches
  • Describe roles and responsibilities of T&E for cybersecurity
  • Explain testing considerations and challenges for automotive software or IT
  • Learn about computer security, computer incidents and approaches to manage incidents
  • Describe standards for wireless security and approaches to secure servers from cybercrimes based on NIST standard
  • Apply different information security testing and assessment approaches for DoD IT and resolve the related issues
  • Apply Risk Management Framework (RMF) to information systems based on NIST and DoDI publications

Course Outline

Cybersecurity Test and Evaluation (T&E) training course consists of the following lessons, which can be revised and tailored to the client’s need:

Cybersecurity Applied to Automotive

  • Embedded system’s critical information
  • Application code and surveillance data
  • Unauthorized entities
  • Integrity
  • Availability and mission objectives
  • Cyber Risks applied to Embedded Systems
  • Principles and practices designed to safeguard your embedded system
  • Hacking tools and entry points
  • Encryption and authentication
  • Data Integrity
  • Vulnerability analysis 101
  • Mitigation 101
  • Networking and network attacks
  • Role of wireless networks in the embedded systems
  • Embedded hardware and firmware analysis and reverse engineering
  • Embedded system security Threats
  • Intrusion
  • Virus, Worm, Trojan Horse (Malware)
  • Spyware
  • DoS
  • Secure software fundamentals
  • Introduction to Embedded Systems and their Applications in Automotive
  • Automotive Cybersecurity Strategies
  • ISO 21434 implementation
  • Automotive Embedded System Vulnerability Analysis
  • Automotive Cybersecurity and Layers of Protection
  • Cybersecurity Best Practices for Modern Vehicles
  • Standards Development and Best Practices

Securing Automotive Embedded Systems Interfaces and Protocols

  • Embedded Systems Communication Protocols
  • Universal Asynchronous Receiver/Transmitter (UART)
  • Serial Peripheral Interface (SPI)
  • Joint Test Action Group (JTAG)
  • Inter-integrated Circuit (I2C)
  • I2C bus
  • CAN bus
  • FireWire bus
  • USB
  • Parallel protocols
  • PCI bus
  • ARM bus
  • Wireless protocols

Introduction to Test and Evaluation

  • Introduction to Test and Evaluation (T&E)
  • Defense Systems Acquisition Process
  • T&E and SE Processes
  • Scientific Test and Analysis Techniques (STAT)
  • Evaluation Process
  • Distinction between Issues and Criteria
  • Evaluation Planning
  • Evaluating Developmental and Operational Tests

Automotive Developmental, Operational and Interoperability cyber testing

  • Introduction to Developmental Test and Evaluation (DT&E)
  • DT&E and the System Acquisition Cycle
  • DT&E Responsibilities
  • Test Program Integration
  • Introduction to Operational Test and Evaluation (OT&E)
  • Purpose and Scope of OT&E
  • Test Participants
  • OT&E and DT&E
  • Types of OT&E
  • Test Planning
  • Test Execution
  • Test Reporting
  • Interoperability Testing
  • Agile Development and T&E

Automotive Testing and Penetration Principles

  • SAE J3061 Cybersecurity for Cyber-Physical Vehicle Systems
  • OWASP Testing Guide (web focused)
  • PCI Penetration Testing Guide (payment industry focused)
  • Penetration Testing Execution Standard (PTES)
  • Penetration Testing Framework
  • Information Systems Security Assessment Framework (ISSAF)
  • Automotive Risk Assessment and Penetration Testing
  • Vulnerability Scanning
  • Vulnerability Assessment
  • Cybersecurity Software, Firmware and Hardware Penetration Testing
  • Network Penetration Testing
  • Application Penetration Testing
  • Cloud Penetration Testing
  • ECM and CAN Bus Penetration Testing
  • Ethernet Penetration Testing
  • Adaptive Assessment
  • Configuration Control
  • Secure Boot
  • Root of trust analysis for the system
  • Hardware Security
  • Network Security
  • Cloud Security
  • PCI DSS and Penetration Testing

Software and Firmware Testing Consideration

  • Role of Software Specification Overview
  • Software Development Process
  • Potential Power of Human-Based Testing
  • Black Box versus White Box Testing
  • Exhaustive Software Testing
  • Software Error Categorization
  • Software Measurement with T&E Application
  • Independent Verification and Validation (IV&V)
  • T&E Issues Associated with Spiral and Agile Development Approaches

Security and Incident Handling

  • Events and Incidents
  • Incident Response Policy, Plans and Procedures
  • Incident Response Team Structure
  • Incident Handling
  • Detection and Analysis
  • Incident Analysis
  • Incident Prioritization
  • Incident Notification
  • Containment, Eradication and Recovery
  • Post Incident Activities
  • Coordination and Information Sharing
  • Information Sharing Techniques
  • Incident Response Life Cycle

Wireless and Server Security Testing and Penetration

  • NIST SP 800-153
  • WLAN Security Configuration
  • WLAN Architecture
  • WLAN Security Monitoring
  • Attack Monitoring
  • Vulnerability Monitoring
  • Monitoring Tools
  • Continuous monitoring Recommendations
  • Periodic Assessment Recommendations
  • NIST SP 800-53 Security Controls and Publications
  • Server Vulnerabilities, Threats and Environments
  • Security Categorization of Information Systems
  • Server Security Planning
  • Security of Server Operating Systems
  • Securing the Server Software
  • Maintaining the Security of the Server

Data Security Testing and Assessment

  • Security Testing and Examination
  • Information Security Assessment Methodology
  • Technical Assessment Techniques
  • Document Review/ Log Review
  • System Configuration Review
  • Network Sniffing
  • File Integrity Checking
  • Target Identification and Analysis Techniques
  • Network Port and Service Identification
  • Vulnerability Scanning
  • Wireless Scanning
  • Active/Passive Wireless Scanning
  • Bluetooth Scanning
  • Password Cracking
  • Penetration Testing Phase and Logistics
  • Social Engineering
  • Security Assessment Policy Development
  • Assessment Logistics
  • Assessment Plan Development
  • Security Assessment Execution
  • Data Handling
  • Post Testing Activities

Automotive Workshops and Labs for Cybersecurity Test and Evaluation Training

  • Automotive Developmental Test and Evaluation (DT&E) Case Study
    • Tesla Case Study
  • Vulnerability Scanning for Wireless Systems
  • OT&E Case Study
    • Tesla Case Study
  • Incident Response Experiment on cyber threats, malicious insiders and human error.
  • Threat Analysis Risk Assessment (TARA)
  • Vulnerability Assessment
  • Verification Assessment
  • Verification Report
  • Testing Tools
  • Hardware–Debugging ports / Chip Programmers
  • Software–Operating Systems / Applications
  • Interface(s)–RF (WiFi, GPS, Bluetooth/BLE, V2X, TPMS, Key Fob, sensors, etc.)
  • USB
  • Cellular (5G, LTE, 3G, GSM)
  • Network(s) (CAN, Ethernet, MOST, etc.)
  • Testing Tools
    • Vehicle Diagnostic Tool: Reset vehicle fault/error codes
    • Oscilloscope / RF Signal Analyzer / Logic Analyzer: Signal decoding and interpretation
    • Intrepid Vehicle Spy / Vector CANoe / SAINT: Vehicle simulation / emulation
    • USB Rubber Ducky / Facedancer / USB Kill: USB interface testing
    • Bus Pirate / JTAGulator / JTAG/SWD Debugger: Debug port testing
    • HackRF / BladeRF / YARD Stick One / Ubertooth One / Pineapple / RF Shield: Radio frequency interface testing
    • Linux Test Machines
    • Cell Site Simulator: Cellular Testing
    • Protecode SC / Black Duck: Software Composition Analysis
    • Coverity / Veracode: Static Code Analysis
    • Wireshark / Burp Suite / Fiddler: Traffic analyzer/manipulator

 
