ESCRYPT Security training

Advanced training for automotive and embedded system security

ESCRYPT Security training by ETAS leverages years of embedded security experience from numerous industry projects. Our courses are rich in practical examples and address the latest technological developments. They are based on our in-depth understanding of security for embedded devices and lay the foundation for developing secure technologies.

Your benefits

Experienced trainers

Benefit from over 15 years of experience in automotive security.

Industry insights

Gain up-to-date knowledge from numerous customer projects.

Certificate

Receive a certificate of attendance upon completion.

Onboard – automotive security training

Few things stir the automotive world to such strong emotion as the prospect of self-driving vehicles. Where some see enormous gains in comfort, convenience, and safety, others are concerned about hackers attacking their vehicles. Yet the need for effective embedded security in vehicles was on the rise before the advent of the automated vehicle. Today's vehicles already need protection against odometer manipulation, unwanted access to vehicle electronics, and many other threats.

This security training provides special IT security knowledge for the automotive industry. We follow a holistic approach that leads from secure ECU design to secure on-board networking and secure connected vehicles. Practical exercises and examples complement the training.

  • Duration: 2 days
  • Level: advanced

Participants

  • Product or project managers who need to establish a solid understanding about automotive security principles for secure design of ECUs, the on-board network, or connected vehicle services
  • Automotive product engineers who are responsible for analyzing and defining security requirements and security concepts

Training goals

  • Get to know current aspects of automotive security
  • Develop a holistic view on automotive security
  • Understand the challenges in and solutions for developing secure ECUs
  • Understand the challenges and possibilities of secure networking
  • Understand the challenges and possibilities of secure connected vehicles
  • Learn how to apply the theories from the learning sections in real-world use cases
  • Learn about the most important automotive security standards

Requirements

  • Basic technical understanding of automotive systems (engineering level)
  • Basic technical understanding of cryptography and IT security (i.e. knowledge from secure product design or equivalent)

The training covers both basic connectivity topics and detailed information about IoT protocols and technologies.

  • Duration: 1 day
  • Level: advanced

Participants

  • Product or project managers who need to establish a solid understanding about secure design of connected or IoT products
  • Product engineers who are responsible for analyzing and defining security requirements and for defining security concepts of connected or IoT products

Training goals

  • Understand distinct security aspects regarding connectivity
  • Understand important aspects of advanced access control
  • Establish an overview knowledge of secure protocol configurations and pitfalls
  • Learn the basics about protocols for the internet of things
  • Comprehend the threats to interfaces and how to alleviate them
  • Find out the basics about web services and possible vulnerabilities

Requirements

  • Basic technical understanding of mathematics and information technology (engineering level)
  • Basic technical understanding of cryptography and IT security (i.e. knowledge from secure product design or equivalent)

Basic IT security training that covers organizational and technical aspects of product development. The training focuses on security tasks in classic and agile development processes, cryptography, and basic IT security measures.

  • Duration: 2 days
  • Level: basic

Participants

  • Product or project managers who need to establish a solid understanding about general security principles, processes and tools that are necessary for secure product design
  • Product engineers who are responsible for analyzing and defining security requirements and for defining security concepts

Training goals

  • Get to know different aspects of security (for example theory vs. practice, challenges, etc.)
  • Learn and understand security basics (for example basic terminology)
  • Find out how to set up a secure software development lifecycle
  • Establish fundamental knowledge about cryptographic tools, algorithms, and protocols
  • Understand important aspects of access control (authentication and authorization)
  • Learn to apply main security principles
  • Comprehend secure coding techniques

Requirements

  • Basic technical understanding of mathematics and information technology (engineering level)

Participants of this training learn about the general cybersecurity testing lifecycle for automotive products, get an overview of practical and effective security testing methods, and understand how the requirements of global automotive regulations and standards can be fulfilled.

  • Duration: 1 day
  • Level: basic

Participants

  • Product managers, project managers, test managers, and security managers who need to establish a solid understanding about security testing methods and how to apply them throughout the development lifecycle
  • System engineers, system architects, and testers who are responsible for the execution of test strategies

Training goals

  • Get to know the motivation, challenges, and limitations of security testing
  • Find out how to thoroughly consider security testing in the product development lifecycle (for example testing activities in the different phases of the lifecycle)
  • Get an overview of different security testing methods and understand the differences
  • Learn and understand the basic principles of security testing
  • Learn and understand “what” to target in the security testing in which testing setup (for example systems, devices, components, interfaces)
  • Get to know how to handle identified weaknesses and which mitigation options exist
  • Understand the requirements for security testing from the most prominent standards and regulations
  • Interactive exercises to strengthen understanding of individual topics

Requirements

  • Technical understanding of systems/products and system/product development
  • Basic understanding of IT security is helpful

A solid threat analysis and risk assessment (TARA) is the basis of a thorough security concept and thus of all security-related steps in the development process. In this advanced coaching, we explain an established and approved TARA methodology that is based on the Common Criteria and fully aligned with ISO/SAE 21434.

The theoretical part is complemented by a practical part. Here, the customer team creates a TARA for one of their systems, while the ETAS trainer provides support and reviews.

  • Duration: 3 days (spread over approx. 3 months)
  • Level: coaching

Participants

  • Product and project managers who need to understand the methodology of a threat analysis and risk assessment in the context of the product development process
  • Security managers who are responsible for conducting the threat analysis and risk assessment during the product development process

Coaching topics

  • Learn and understand how the threat analysis and risk assessment contribute to efficient and effective risk management, for example in the context of ISO/SAE 21434
  • Get to know how a threat analysis and risk assessment is performed
  • Carry out a threat analysis and risk assessment for one of your systems

Starting with an introduction, we evaluate your current status quo of security testing, identify the gaps, and develop a strategy for the future.

  • Duration: 1 day
  • Level: coaching

Participants

  • Product managers, project managers, test managers, and security managers who need to establish a solid understanding about security testing methods and how to apply them throughout the development lifecycle

Training goals

  • Get to know the motivation, challenges, and limitations of security testing
  • Find out how to thoroughly consider security testing in the product development lifecycle (for example testing activities in the different phases of the lifecycle)
  • Get an overview of different security testing methods and understand the differences
  • Learn and understand the basic principles of security testing
  • Learn and understand “what” to target in the security testing in which testing setup (for example systems, devices, components, interfaces)
  • Get to know how to handle identified weaknesses and which mitigation options exist
  • Create a first draft of a security testing strategy during the workshop
  • Understand the requirements for security testing from the most prominent standards and regulations
  • Analyze the current status quo in your company together with the trainer
  • Compare the status quo with best practices and other requirements
  • Develop a target picture for the future and define the next steps

Requirements

  • Technical understanding of systems/products and system/product development
  • Basic understanding of IT security is helpful
  • If available, an overview of your own security testing strategy

Technology and technical standards security training

In this basic training, participants learn which security requirements the latest international standards call for and how they can be implemented.

  • Duration: 1 day
  • Level: basic

Participants

  • Risk managers who want to learn about requirement standards and catalogs and the security goals outlined in international standards
  • Product owners who want to learn the basics of deriving security requirements from standard catalogs

Training goals

  • Introduction to information security standards
  • ISO 27001 (information security management)
  • OWASP ASVS (application security verification standard) v4.X
  • OWASP MASVS (mobile application security verification standard) v1.2
  • NIST 800-53 (catalog of security and privacy controls)

Requirements

  • Basic knowledge of management systems
  • Basic knowledge of security standards

This advanced IT security training focuses on ISO/SAE 21434 requirements and overall cybersecurity management in the context of the UN regulation 155 (UNECE WP.29). The training covers subjects like risk assessment as well as the different engineering phases from concept to development and post-development.

Participants may acquire a personal certification as “Cybersecurity Automotive Professional” by TÜV Rheinland.

  • Duration: 2 days
  • Level: advanced

Participants

  • Security managers, product managers, and project managers
  • System engineers, software engineers, hardware engineers, and developers

Training goals

  • Learn the building blocks of ISO/SAE 21434 compliant security engineering
  • Get an overview of how ISO/SAE 21434 helps you to meet the requirements of the UN regulation 155
  • Understand the risk-based approach of ISO/SAE 21434 to product security
  • Learn from our firsthand expertise with ISO/SAE 21434 through dedicated case studies
  • Get to know more about security engineering during the concept phase, incl. cybersecurity relevance assessment, security goals, and security concept
  • Find out about the importance of security engineering in the development phase, incl. cybersecurity DIA, design, implementation, and V&V
  • Benefit from our knowledge about cybersecurity in production, operations, maintenance, and decommissioning

Requirements

  • Basic technical understanding of automotive systems on engineering level

Content

  • Introduction to security engineering
  • Governance & ecosystem
  • Risk management
  • Concept and development
  • Production and operation

Basic IT security training that covers organizational and technical aspects of product development. The training focuses on security tasks in classic and agile development processes, cryptography, and basic IT security measures.

  • Duration: 2 days
  • Level: basic

Participants

  • Product or project managers who need to establish a solid understanding about general security principles, processes and tools that are necessary for secure product design
  • Product engineers who are responsible for analyzing and defining security requirements and for defining security concepts

Training goals

  • Get to know different aspects of security (for example theory vs. practice, challenges, etc.)
  • Learn and understand security basics (for example basic terminology)
  • Find out how to set up a secure software development lifecycle
  • Establish fundamental knowledge about cryptographic tools, algorithms, and protocols
  • Understand important aspects of access control (authentication and authorization)
  • Learn to apply main security principles
  • Comprehend secure coding techniques

Requirements

  • Basic technical understanding of mathematics and information technology (engineering level)

Participants of this training learn about common attacks on Windows installations and explore tools like command & control frameworks and malware like Mimikatz.

  • Duration: 1 day
  • Level: basic

Participants

  • Windows administrators
  • Administrators of applications or services based on Windows hosts
  • Developers and architects for those systems, applications, and services
  • Anyone interested in evaluating the security and hardening options of Windows systems

Training goals

  • Learn about common attacks on Windows installations
  • Explore tools that attackers might also use in the wild
  • Learn to spot misconfigurations and potential for privilege escalation
  • Deepen your understanding of Windows hardening options and countermeasures
  • Participate in a hands-on hacking lab with exercises for all parts

Requirements

  • Basic knowledge of Windows
  • General understanding and awareness of IT security

Offboard – Enterprise security trainings and coaching programs

This advanced coaching provides detailed information on threat and risk analyses and on how to build, run, and evaluate a threat model.

  • Duration: 2 days
  • Level: advanced

Participants

  • Product and project managers who need to understand the methodology and output of a threat model
  • Security managers who are responsible for performing or understanding the output of a threat model
  • System, software, and hardware engineers, as well as developers

Training goals

  • Understand in general terms what a threat and risk analysis/threat model is
  • Get deeper insights into the four stages of performing a threat model with the STRIDE methodology
  • Learn how to create a data flow diagram, including trust boundaries, for a product, service, or solution (for example your own)
  • Get a basic understanding of how to rate/identify risks or threats
  • Learn how to elaborate counter or mitigation measures for each identified threat
  • Understand several options for evaluating your own analysis and elaborating matching action items

Requirements

  • General understanding and awareness of IT security
  • Knowledge about the system overview, technologies, and communication between these components

In this basic training, we present the most common security vulnerabilities of web applications and demonstrate methods to protect web applications.

  • Duration: 1 day
  • Level: basic

Participants

  • Developers who want to learn basic web application vulnerabilities and how to prevent them
  • Architects who want to know more about how to secure web applications or platforms

Training goals

  • Introduction to web application security covering OWASP Top 10
  • Knowledge about the most common vulnerabilities and their respective mitigations
  • OWASP Top 10 including demos of the most common attacks
  • Vulnerabilities:
    • Injection
    • Cryptographic failures
    • Server-side request forgery
    • Vulnerable and outdated components
    • Identification and authentication failures
    • Security misconfigurations
  • Hands-on hacking lab to learn basic penetration testing skills

Requirements

  • Basic knowledge of web applications
  • Background in enterprise IT technologies

Participants of this training learn the basics of cloud security, potential attack paths, and their mitigations including a practical CTF-style exercise.

  • Duration: 1 day (up to 2 days, depending on the experience of the participants)
  • Level: advanced

Participants

  • Product and project managers who need to work in cloud ecosystems
  • Security managers who are responsible for a product in the cloud
  • System, software, and hardware engineers, as well as developers who work in the cloud

Training goals

  • Understand what cloud security is
  • Get deeper insights into the cyber kill chain, and how it is applied for cloud scenarios
  • Understand the top cloud attack kill chains
  • Apply the cloud attack kill chains in an example vulnerable environment
  • Learn about countermeasures and mitigations in your architecture and cloud infrastructure

Requirements

  • General understanding and awareness of IT security
  • Knowledge about the system overview, technologies, and communication between these components
  • Cloud fundamentals
