Author: Ryan Gehm
Source: SAE Off-Highway Engineering magazine
Cybersecurity for commercial vehicles
At Southwest Research Institute (SwRI), cybersecurity spans multiple divisions because—after all—security is not confined to any one area or industry. As a Senior Research Engineer in the Automation and Data Systems Division's Cooperative Systems Section, Mark Brooks’ primary focus is on automotive (in the true sense of the word: relating to any self-propelled vehicle or machine). He became involved in cybersecurity and embedded systems more than 10 years ago when an off-highway client wanted to add security capabilities to its new ECU (electronic control unit) platforms. “We assisted them in the design of that product, and ever since then we’ve maintained a presence in embedded systems security—everything from penetration testing of existing products, helping to design and develop products, and researching brand-new security technologies,” he said. Brooks recently spoke with Off-Highway Engineering about “attribute-based encryption,” a topic he discussed at last year’s SAE Commercial Vehicle Engineering Congress, and many other cybersecurity issues affecting vehicles and machines.
In your SAE presentation you discussed an “alternative” encryption method that is attribute-based. Can you explain this method and how it’s different from other methods?
Attribute-based encryption is a subset of functional encryption. This is based on some research we’ve been doing with one of our clients. They are trying to commercialize attribute-based encryption. The nice thing about this method is that it encrypts data based on a policy. For example, you can set a policy saying that this data could be viewed if you are the automotive manufacturer, or if you’re a mechanic. If you satisfy either of those policy attributes, then you’re able to view the data. And this is from an encrypt-once type of situation. In symmetric encryption, you’d have to encrypt the same data at least twice, for anybody that you would want to be able to protect it from. Same thing with asymmetric encryption, you’d have to be able to use the public key from each of those entities to be able to protect it. So the nice thing about attribute-based encryption is that it allows you to do role-based access control or even content-based access control, where what the contents of the data are determines who’s allowed to view it. And you don’t have to do a lot of the additional key management, or the separate encryptions, to be able to protect the data as in asymmetric or symmetric key technologies.
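The following Python block is an added illustration, not code from the interview or from SwRI's client. It shows the "encrypt once, policy decides who can decrypt" property Brooks describes, using the access-structure mechanism of ciphertext-policy ABE: the data key is Shamir-shared across the policy tree (AND = all children required, OR = any one child suffices), and a caller whose attribute set satisfies the tree rebuilds the key. The policy, attribute names and plaintext are constructed for the example. What it deliberately leaves out is what makes real CP-ABE a cryptosystem rather than an access-control data structure: production schemes bind the shares to per-user attribute keys with bilinear pairings, so that holding an attribute means holding a key and users cannot pool attributes. This block has no user keys at all and no collusion resistance, and its hash keystream is unauthenticated, so treat it as a teaching model of the policy evaluation only.

```python
"""Encrypt-once, policy-gated decryption over an access tree.

Added illustration of the access-structure part of ciphertext-policy
attribute-based encryption (CP-ABE). The data key is secret-shared across
the policy with Shamir sharing: AND = all children needed, OR = any one
child suffices. One ciphertext is produced; whoever presents an attribute
set satisfying the policy can rebuild the key.

NOT a usable ABE scheme: real CP-ABE ties the shares to per-user attribute
keys via bilinear pairings (omitted here), which is what prevents users from
pooling attributes. The hash keystream is unauthenticated; use an AEAD.
"""
import hashlib
import secrets

P = 2**127 - 1  # prime field for Shamir sharing (secrets fit in 16 bytes)


def _eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _shamir_split(secret, k, n):
    """k-of-n shares (x, y) of `secret`; k == 1 gives every child the secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def _shamir_join(shares):
    """Lagrange interpolation at x = 0 over exactly k shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def share_policy(secret, policy):
    """Policy is an attribute string or (op, child, child, ...), op in AND/OR.
    Returns the same tree with a share of `secret` placed at every leaf."""
    if isinstance(policy, str):
        return ("LEAF", policy, secret)
    op, *children = policy
    k = len(children) if op == "AND" else 1
    shares = _shamir_split(secret, k, len(children))
    return (op, k, [(x, share_policy(y, child)) for (x, y), child in zip(shares, children)])


def recover(tree, attrs):
    """Rebuild the secret from the leaves whose attributes the caller holds."""
    if tree[0] == "LEAF":
        return tree[2] if tree[1] in attrs else None
    _, k, children = tree
    have = [(x, recover(sub, attrs)) for x, sub in children]
    have = [(x, y) for x, y in have if y is not None]
    return _shamir_join(have[:k]) if len(have) >= k else None


def _keystream(key, n):
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _key_from_secret(secret):
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def encrypt(policy, plaintext):
    """Encrypt once; the share-bearing policy tree travels with the ciphertext."""
    secret = secrets.randbelow(P)
    ks = _keystream(_key_from_secret(secret), len(plaintext))
    return {"policy": share_policy(secret, policy),
            "ct": bytes(a ^ b for a, b in zip(plaintext, ks))}


def decrypt(blob, attrs):
    """Return the plaintext if `attrs` satisfies the policy, else None."""
    secret = recover(blob["policy"], attrs)
    if secret is None:
        return None
    ks = _keystream(_key_from_secret(secret), len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


# Constructed policy based on the interview's example, extended with an AND
# clause: the manufacturer can always read; a mechanic only for their region.
POLICY = ("OR", "manufacturer", ("AND", "mechanic", "region:eu"))

if __name__ == "__main__":
    blob = encrypt(POLICY, b"ECU diagnostic log")
    for who in ({"manufacturer"}, {"mechanic", "region:eu"}, {"mechanic"}):
        print(sorted(who), decrypt(blob, who))
```

The point to take from running it is the one Brooks makes: the ciphertext is produced once and carries its policy, so adding a third authorized role means changing the policy, not re-encrypting for another public key. The question he raises for vehicles, whether the pairing operations a real scheme needs fit the compute budget of an ECU, is exactly the part this model skips.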
Where does this technology stand in terms of product development?
Our client is working closely with the government on cloud-based computing, and for protecting data in the Cloud. You can see how the idea of protecting data with attribute-based encryption might be beneficial for the Cloud. What we’re looking to do is to bring it into automotive [including commercial vehicles]. We saw some synergy with what’s needed in the automotive sector, both possibly within a vehicle and also external to a vehicle—somebody trying to hack the data in and out, or even communications between vehicles. So at this research stage we want to be able to see, does it make sense for the automotive sector? Does it make sense based upon requirements for computation times, how intensive is it, can it fit on the boards on a vehicle? Those are questions we want to answer, so that’s what we’re investigating.
Does any one transportation sector drive cybersecurity technology and standards more than another?
I think that the multiple transportation sectors are all working on this concurrently. They all have separate cybersecurity solutions and standards that are trying to target their specific needs. There are different needs between off-road, for example, and passenger cars in terms of safety and regulations that they have to be able to achieve. So it’s a little hard to compare some of the needs between those sectors. I know that, for example, there are information-sharing assurance centers (ISACs) set up for service transportation; automotive is setting one up; aviation is in the process of getting one. So everybody’s trying to move forward for their respective industries.
Are there unique challenges in protecting passenger vehicles vs. commercial vehicles?
Off-road vehicles are adding a lot of autonomy, which provides a potential impact if a vulnerability or if an attack occurs. They’re also adding a lot of connectivity for communication, to be able to update things that are in the field and remote locations, so that’s another ‘attack surface’ that a hacker might be able to exploit. So these are things that they’re working toward protecting, and before they deploy they put solutions in place to build or protect firewalling and systems using various intrusion-detection systems, segregating different components, and things like that.
Each of these [industries] is going to have unique challenges as we get connected, and the regulations are going to be different, safety concerns are going to be different. Passenger cars focus a lot on infotainment and the driver experience, and that of course is not as much of a concern on the off-road side; it’s more about getting the job done and those capabilities, and those are going to have some differences in attack surfaces and the potential vulnerabilities.
Is cybersecurity at a point where it can properly protect automated vehicles already in operation?
Thankfully the information industry has been working for a long time, for many decades, to try to protect information systems, but it still does fall prey on a daily basis to attacks. Cybersecurity is a continuous process; everybody has to continue working that way. The companies and the businesses we work with are working hard to make sure that a product is secure before it’s deployed. But technology of course keeps increasing, so new attacks do surface. One of the things that companies need to do is to continually monitor, continually perform risk analysis and assessment, to be able to keep updating the software, keep updating the pieces that are in the field as threats are determined and risks arise.
What are the main challenges with protecting increasingly connected and automated commercial vehicles?
These are complex systems and there are going to be issues that arise, especially in the field, and things that just get missed; it’s a very complex problem. Fortunately, software is modifiable and can be patched after it’s delivered. But unfortunately, that software modifiability is another area that attackers might take advantage of, so there needs to be protective mechanisms in place to be able to protect that, and there are. But we need to keep abreast of what security issues might be out there.
One of the key things that I think would be the most beneficial in protecting, too, is information sharing—those ISACs are a good way to help share information. That way within an industry, if there’s a particular attack discovered, that information can be shared so that others might be able to work toward protecting themselves so it doesn’t bring down everybody within that industry. Also having in place internal security test teams, setting up the organization so that security is designed from the ground up for a product, making sure that you test, making sure that you keep active on what’s going on with threats so that you can keep updating your software and updating the patches.
One of the challenges with vehicles is that they are going to be out there for a long time, so sometimes the support ends up being longer than what you would expect with traditional IP with PC software, so they need to be able to keep up to date and keep protecting for the life of the vehicle.
You already mentioned attribute-based encryption. Are there any other areas or technologies you see that can help with cybersecurity for vehicles?
One of the areas that Southwest Research Institute is researching is LTE (Long-Term Evolution) security. As these vehicles are becoming connected, LTE becomes a common transportation layer for their communications and for telematics and control. We actually have an automotive consortium for embedded security that is looking at developing risk-analysis modeling tools. We’re looking at companies being able to perform their own threat analysis; we’re looking at helping to develop functional requirements and specifications so that the manufacturers and the suppliers can work together to have solid requirements and a good foundation for developing new products. Those are some of the areas that we’re directly looking at.
SAE also plays a very large role in information sharing. They’ve got the Vehicle Electrical System Security Committee, and I know they perform a lot of information sharing and they’re working to come up with some best practices and other pieces for the automotive industry. Being able to communicate all this information throughout the industry helps, because then when it is something that’s missed, everybody can react quicker so that it doesn’t have as large of an impact throughout the industry.
In the future, there'll be continually evolving threats. How can SwRI (and industry, in general) attempt to address such uncertainty? Do you anticipate certain threats, or is it more reactionary?
There’s obviously a little bit of both—not everything’s going to get caught, so there’s always going to be a reactionary piece to it. But there are tools available, like I said, part of that consortium is developing a risk modeling tool. Something that’s important for any company to be able to do, similar to what they do for safety and for failure mode analysis but also for security, is looking at what happened, what is the impact if an attacker was able to attack one of our pieces of equipment. And going through the attack tree and being able to determine what the overall impact to the organization is. That helps the company learn where to put in potential countermeasures and pieces to protect their product from that impact.
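The block below is an added example of the attack-tree evaluation Brooks describes; it is not the consortium's risk-modeling tool and is not code from the interview. It evaluates a small tree with AND/OR nodes (an attacker needs every child of an AND node, and takes the cheapest child of an OR node), computes the risk as the success probability of the chosen path times the impact at the root, and then ranks the leaves by how much risk a countermeasure on that leaf removes. The tree, costs, probabilities and impact figure are constructed placeholders for a connected off-highway machine, not measured values.

```python
"""Attack-tree evaluation to decide where a countermeasure pays off.

AND node: the attacker needs every child (costs add, success probabilities
multiply). OR node: the attacker takes the cheapest feasible child. Risk is
the success probability of the chosen path times the impact at the root.
A countermeasure is modelled as making a leaf infeasible; ranking leaves by
the risk reduction they buy shows which ones are worth protecting first.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    op: Optional[str] = None           # "AND", "OR", or None for a leaf
    cost: float = 0.0                  # leaf only: attacker effort, person-days
    p: float = 0.0                     # leaf only: probability the step succeeds
    children: List["Node"] = field(default_factory=list)
    blocked: bool = False              # leaf only: countermeasure in place


def evaluate(node: Node) -> Tuple[float, float]:
    """Return (cost, probability) of the attacker's cheapest path under `node`."""
    if node.op is None:
        return (math.inf, 0.0) if node.blocked else (node.cost, node.p)
    results = [evaluate(c) for c in node.children]
    if node.op == "AND":
        return sum(r[0] for r in results), math.prod(r[1] for r in results)
    return min(results, key=lambda r: r[0])   # OR: cheapest child wins


def risk(root: Node, impact: float) -> float:
    _, p = evaluate(root)
    return p * impact


def leaves(node: Node):
    if node.op is None:
        yield node
    for c in node.children:
        yield from leaves(c)


def rank_countermeasures(root: Node, impact: float):
    """Risk reduction obtained by blocking each leaf, best first."""
    base = risk(root, impact)
    ranked = []
    for leaf in leaves(root):
        leaf.blocked = True
        ranked.append((leaf.name, base - risk(root, impact)))
        leaf.blocked = False
    return sorted(ranked, key=lambda t: -t[1])


def build_tree() -> Node:
    """Constructed example tree for a connected off-highway machine; the costs
    and probabilities are made-up placeholders, not measured values."""
    return Node("Unauthorized control of the machine", "OR", children=[
        Node("Remote takeover via telematics", "AND", children=[
            Node("Exploit LTE modem firmware", cost=40, p=0.3),
            Node("Pivot from telematics gateway to CAN", cost=10, p=0.8),
        ]),
        Node("Local attack via service port", "AND", children=[
            Node("Gain physical access in the field", cost=2, p=0.9),
            Node("Flash unsigned calibration over service port", cost=5, p=0.7),
        ]),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("cheapest path (cost, p):", evaluate(tree))
    for name, reduction in rank_countermeasures(tree, impact=1_000_000):
        print(f"{reduction:>10.0f}  block: {name}")
```

With these placeholder numbers the local service-port path is far cheaper than the remote one, so blocking either remote leaf buys no risk reduction at all, while signing calibrations or hardening the service port removes the bulk of it. That is the practical output of the exercise Brooks describes: countermeasures go on the path the attacker would actually take. Modelling the attacker as cost-minimizing at OR nodes is one choice; a probability-maximizing rule is equally common and can pick a different path, so state the rule you used when presenting results.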