There are several industry guidelines, standards, and formal training courses related to automotive cybersecurity, but we are not going to cover those in this post. Training courses and snazzy certificates are great, but the best way to learn is by doing. Luckily, many of the most popular cybersecurity tools are free and open source. In a matter of minutes, a motivated student can download a state-of-the-art tool and begin exploring!
Great Automotive Hacking Demo
Before we get into the tools, I wanted to share this amazing video with you. It’s a live demonstration of hacking a Jeep on the highway. It is breathtaking.
Hopefully that video provides motivation to learn hands-on skills and protect your systems!
Hands-on Learning with Cybersecurity Tools
An excellent place to get started with hands-on learning is at SecTools.org. This site lists and reviews the top 125 network security tools available today, along with links to download.
For this post, I will just highlight a few of the most popular tools that are relevant to typical automotive security concerns. Several of these tools are covered in popular (and expensive) commercial cybersecurity courses. All of these tools are free and open source and can be safely installed and run on a home PC for testing and learning.
- Snort is a free and open source network intrusion detection system that can perform real-time traffic analysis, packet logging, content searching, and more.
  - Intro Video: Using Snort
- Metasploit is a free software framework for identifying security vulnerabilities and performing penetration testing.
  - Intro Video: Metasploit for Beginners
- Wireshark is a free network packet analyzer.
  - Intro Video: The Complete Wireshark Course
- Spiderfoot is a free and open source “footprinting” tool that gathers data from public sources to profile a target prior to penetration testing.
  - Intro Video: Spiderfoot
- Sometimes called “Google for Hackers”, Shodan is a search engine that lets users search for specific types of computers, such as PLCs.
  - Intro Video: Shodan Search Engine Tutorial
For the more adventurous, many of the most popular security tools have been pre-packaged in the Kali Linux distribution, which provides an ideal platform for exploring cybersecurity and penetration testing.
A recent NIST report states that the U.S. needs immediate and sustained improvements in its cybersecurity workforce. In a separate report, it notes that there is a consensus that cybersecurity competitions (aka wargames) will play a key role in raising the bar for cybersecurity skills. In an appendix, the report lists a large number of such competitions already available to students and professionals.
In this post, we will just give a taste of what’s available by highlighting a few free online cybersecurity games:
- TargetedAttacks – An interactive video cybersecurity choose-your-own-adventure suitable for beginners. A sample of TargetedAttacks is shown in the embedded video below.
- Cyber Storm – Department of Homeland Security’s (DHS) biennial exercise with over 1000 players.
- OverTheWire – Unix console-based challenges that teach Bash, cryptography, and more, with multiple levels suitable for beginner to advanced players.
- CaptureTheFlag365 – Build and defend your own virtual servers while attacking others.
- HackThisSite – Complete hacking challenges in a safe and legal environment.
- CyberCompEx – Provides links to other cyber competitions.
Unlike the traditional world of automotive, where technology changes on a product evolution cycle, the world of automotive cybersecurity is continually evolving. One of the reasons there are so many guidelines is that the guidance needs to be updated every few months to keep up with the ingenuity of the attackers. Unlike the functional safety world, we are not dealing with random (or systematic!) failures, but rather with the willful action of humans seeking to do us harm. It is bound to be more dynamic than the sterile functional safety world of statistical failure rates and probabilities. But today these two worlds are intersecting, so something’s gotta give.
Don’t miss our post on An Introduction to STAMP. STAMP provides the STPA-Sec methodology for cybersecurity assessment.