IARA SECURWARE 2024

I am happy to announce that we will publish several research papers at IARA SECURWARE 2024.

Vehicle Security Operations Center for Cooperative, Connected and Automated Mobility

The publication is a result of the EU-funded SELFY project. The work is a summary of the implementation of the Vehicle Security Operations Center (VSOC) we developed in the context of CCAM.

Abstract of the publication

Security Operations Centers (SOCs) are well established in the general IT domain. They provide IT security services, including collecting and correlating data, detecting and analyzing cybersecurity incidents, and applying dedicated reactions to such incidents. With the increasing digital capabilities of modern vehicles, appropriate reactions to cybersecurity incidents for vehicles and their ecosystem should be applied, too. Therefore, we propose a novel architecture for a Vehicle Security Operations Center (VSOC) in a Cooperative, Connected, and Automated Mobility (CCAM) environment. To allow participants to consume relevant information, the Vehicle Security Operations Center provides an API to send data to the Vehicle Security Operations Center and participate as a subscriber (i.e., receive data from the Vehicle Security Operations Center).

The VSOC implements different boxes addressing data storage, analysis capabilities, event-processing procedures, response options, digital forensics capabilities, and threat hunting activities. The architecture allows the VSOC to communicate with third parties such as manufacturer backends or cybersecurity service providers (e.g., threat intelligence). The developed VSOC fully fulfills eight of fourteen metrics, and six out of fourteen metrics are partially fulfilled.

Furthermore, we evaluate the proposed VSOC against fourteen metrics. The metrics result from related work and our contribution. Examples are autonomy, data aggregation, coverage, inclusion of people, addressing physical assets, and supporting real-time safety.

Blue Team Fundamentals: Roles and Tools in a Security Operations Center

The publication is a result of the EU-funded SELFY project.

Abstract of the publication

The evolution from low-impact malicious code in the mid-70s to current Denial-of-Service (DoS) attacks, widespread malware campaigns, and Advanced Persistent Threats (APTs) shaped the furtherance of Information Technology (IT) security services that Security Operations Centers (SOCs) provide to protect against cyberattacks. Despite the ever-growing importance of SOCs, there is little academic and fundamental research. Terminology and the associated definitions are highly influenced by companies developing proprietary software and training and are mostly not standardized. This paper closes part of the gap and provides a suitable research base regarding people and technologies. For this purpose, literature research was conducted using academic literature and industry data, such as advertising material, company white papers, and employment advertisements. A survey with 24 experts in various areas of IT security was conducted to validate and expand the identified roles and tools, allowing the creation of an overview of roles and tools currently utilized in the industry. These can be seen as building blocks, whereas the company's individual needs determine their presence, capabilities, and association within SOCs. The percentage of participants who classified the defined roles and tools as part of SOCs is detailed. The survey furthermore captured the affiliation of roles between SOCs and Computer Emergency Response Teams (CERT) or Computer Security Incident Response Teams (CSIRT), often seen as specialized sub-capabilities that work on data SOCs provide. The common terminology creates a uniform basis for further research and more efficient communication and defines roles and technologies in SOCs that can be used to identify possible gaps.

Fast Charging Communication and Cybersecurity: A Technology Review

This work was created in the research project "Elektromobiles Sicheres Laden" (ESiLa) funded by the Bavarian Ministry of Economic Affairs, Regional Development and Energy under grant DIK0512/01.

Abstract of the publication

With the increasing number of electric vehicles on the road, the demand for public charging stations increases as well. While AC charging is used for charging at home, DC fast charging is commonly used when traveling long distances. Since DC fast charging requires higher-level communication between vehicle and charging station, it provides an increased attack surface on both sides. This paper reviews communication standards and their implementations used in fast charging scenarios. Focusing on the cybersecurity aspects of these communications, we cover current and future security measures built into the communication standards between vehicles and charging stations.