Workshops

The workshops and the tutorial are taking place November 19th, 09:00am - 12:00am.
They are held in parallel with our social program and do not overlap with the presentations. The conference starts November 19th 01:00pm.

In order to guarantee a good workshop atmosphere and to allow you to gain new insights or deepen your knowledge successfully, the number of participants is limited to 35 in each workshop.

Workshop / Tutorial Fee
EURO 299,00 (plus VAT 19%)

Please note: the workshops are not included in the conference fee.

 

Workshop 1: Practical In-Vehicle Communications Hacking (Henrik Ferdinand Nölscher, Javier Vazquez)

Most of the current focus in in-vehicle communication security is either on demonstrating insecurity by performing comparatively entry-level attacks on the communication buses, such as simple replays, or on adding encryption to communications to mitigate these kinds of attacks. This leaves many security-related aspects behind a curtain, where they still exist but are usually overlooked.

Examples of such aspects include the vast functionality that diagnostic services provide, but also bugs that can exist in the implementation of CAN-based protocols. In our workshop, we will talk about some of these aspects, what impact they have, and how to use a specialized automotive security tool, the CANBadger, to discover and exploit some of them.

In particular, the following topics will be addressed:

  • CAN layers 1-3
  • Errors in CAN and how to exploit them
  • Penetration testing on Diagnostics implementation (UDS and ISO-TP)
  • Introduction to the CANBadger V2

After completing this workshop, the attendees will be aware of many factors that are important to vehicle security, not only at the application layer but also in the protocols, implementation, topology and routing of the networks that exist inside vehicles. The workshop will offer both theory and practical challenges based on real-world vehicle systems on a communications level.

In order to make the most of this workshop, a computer (Mac or PC) is required. Each participant will receive a CANBadger V2. Optionally, the attendees might want to bring their own PC-CAN interface (P-CAN, ValueCAN...). Should you bring your own CAN interface, please make sure that you have all the necessary software installed prior to the workshop. Due to restricted time, no support for the installation of tools and libraries can be provided during the workshop.

Workshop 2: Hands on Cryptography - A Practical Tutorial to Encryption, Digital Signatures, and Certificates (Prof. Dr.-Ing. Jan Pelzl, University Hamm-Lippstadt)

Implementing industrial security requires both theoretical and practical knowledge about cryptographic algorithms and the corresponding applications. A huge variety of different security tools and libraries support us in our daily work. Security for some standard applications such as web services might easily be configured, whereas, e.g., securing embedded applications can be quite challenging.
Within this workshop we will cover both the theoretical side of cryptography and the practical part. The workshop features an introductory part covering cryptography and data security, including the most prominent standards and their implementation on conventional platforms as well as on embedded systems. In the practical part of the workshop, we will use security tools/libraries which are widely used and available for free (e.g., OpenSSL and mbedTLS). In industry, such tools and libraries are widely used for, e.g., creating reference implementations. OpenSSL is a very comfortable tool and library which implements a vast variety of cryptographic algorithms and protocols and can be used, e.g., to generate certificates and CA structures. The mbedTLS library offers efficient cryptographic primitives and can be used to implement, e.g., a TLS layer with low footprint. Participants are encouraged to bring their own notebooks. In the practical part of the workshop, time and guidance will be provided for implementing basic examples.

Workshop outline:

  • Introduction to Cryptography and Data Security
    • Cryptographic algorithms and protocols
    • Standards and choice of parameters
    • Key management
  • Introduction to OpenSSL
    • Symmetric encryption
    • Asymmetric primitives
  • Certificates and CAs with OpenSSL
  • Introduction to mbedTLS

Prerequisites:

All participants are encouraged to bring their own devices to follow the practical part. Kindly note that no notebooks/laptops will be provided. Due to restricted time, no support for the installation of tools and libraries can be provided during the workshop. For the examples, we will use simple command line options and/or text editors. No IDE is required. However, participants are free to use their own IDE.

For those who want to implement the examples during the workshop:

  • Working copy of OpenSSL (any OS), see https://www.openssl.org for more information on how to download and install OpenSSL
  • Working copy of mbedTLS (any OS), see https://tls.mbed.org for more information on how to download and install mbedTLS on your particular platform. For using mbedTLS in the workshop, a standard C library and a compiler are required.

 

Tutorial 1: E/E Security in Cars (Ramona Jung, ESCRYPT GmbH)

Securing the E/E architecture of modern vehicles has become a hot topic in the automotive industry. Cutting-edge technology advances have not only introduced new business models such as over-the-air updates and vehicle-specific software activation, but also increased driving comfort (e.g., by smooth integration of customer end devices and head-up displays), and even enabled vehicles to partially take over human intervention during the driving process.

The new use cases result in enhanced security requirements on ECUs and E/E architectures. A holistic automotive security concept for E/E architectures considers not only secure communication between external (e.g., backend) or internal (e.g., sensors) components, but also challenges caused by, e.g., the introduction of automotive Ethernet and new E/E architecture designs. More concretely, automotive security encompasses methods used to prevent the malicious deviation of the implemented functionality of the system by guaranteeing the confidentiality, integrity and/or authenticity of relevant assets of the E/E architecture (e.g., the software). In this workshop, we will give an overview of the state of the art in this area and how security is currently integrated in E/E architectures. A special focus will be devoted to ESCRYPT’s multi-layer approach model. The multi-layer approach defines security to be implemented at different levels: from single components over secure internal communication and isolation of safety-relevant functionality up to secure communication channels to external entities. Concrete measures that help protect the E/E architecture will be addressed, such as secure boot, secure flash and secure on-board communication. Finally, we will approach upcoming topics, such as Ethernet security, virtualization and service-oriented communication.

No special knowledge of automotive security is required for this tutorial. Some experience with basic cryptographic tools is however recommended.

  

Tutorial 2: Implementing Cybersecurity Management Systems (Jan-Felix van Dam & Moritz Minzlaff)

The UNECE WP.29 cybersecurity draft regulation and the upcoming ISO/SAE 21434 require OEMs and the supply chain to implement a cybersecurity management system (CSMS), i.e. a risk-based approach to maintain an active and adequate security posture throughout the entire product life-cycle. This tutorial is for everyone who is involved in implementing all or parts of a CSMS, e.g. senior managers, product security governance, quality managers, product managers, security engineers, and others.

In the first part of the tutorial, we discuss the latest status and timelines of relevant regulatory and standardization activities. We also look at the trends that drive many of the security requirements such as increasing connectivity and higher levels of automated driving. Understanding both the requirements and their motivations provides a solid foundation for implementing a CSMS.

In the next and main part of the tutorial, we cover the main process activities and artefacts of a CSMS. A crucial feature is the risk-centered approach in all phases. In fact, developing secure products requires the engineering processes to consider security both before and after SOP. Consequently, this tutorial will cover:

  • Risk assessment
  • Concept phase
  • Development phase
  • Post-development incl. incident handling

The final part of the tutorial focuses on a successful rollout of a CSMS across the organization. From gap analyses to trainings, we examine tools and their individual benefits so that you can start implementing your CSMS.