Product Protection and Industrial Security

Security for products and industrial applications

The Product Protection and Industrial Security department develops security solutions and new methods for securing electronic devices and for protecting corporate assets. To this end, our scientists study security issues in the fields of product protection, automotive security, industrial security, and the Internet of Things.

We support manufacturers of components, devices and vehicles, as well as suppliers and system integrators in developing, implementing and integrating secure vehicle and device functions, applications and value-added services.

For our customers, we offer security risk assessments to identify and manage threats, as well as methods and tools to systematically identify conceptual security vulnerabilities at an early stage. Furthermore, we support our customers in initiating the appropriate countermeasures.

Fraunhofer AISEC operates modern test laboratories for performing security, compliance, and interoperability tests. This allows us to offer a comprehensive, independent security evaluation of connected and embedded systems as well as hardware and software products.

Labs

Automotive Security Lab

The Automotive Security Lab allows security evaluation of complete vehicles and provides space for test setups to analyze multiple interacting components and devices.

Industrial Security Lab

Our Industrial Security Labs enable practical security work in the areas of networked production, Industry 4.0, Internet of Things and building automation.

Offerings

Our goal is to continuously improve our ability to develop secure systems and products in close cooperation with our customers and partners. Likewise, we want to enable our customers and partners to sustainably maintain the security of systems throughout their lifecycle.

Evaluate security      

  • Modern laboratories for security analyses and system evaluations
  • Sufficient space for the analysis of complete vehicles or larger system components
  • Penetration tests
  • Source code security audits
  • Analysis and assessment of vulnerabilities, evaluation of suitable countermeasures
  • Security risk assessments / security analyses of e.g., control units, on-board network architectures and communication links

Design security

Cross-domain

  • Securing bus systems
  • Designing appropriate security concepts
  • Application of modern encryption techniques in devices and applications

In production   

  • Secure production infrastructures and processes
  • Secure remote access, remote maintenance and remote updating
  • Secure plant networking
  • Anonymization of machine and device data
  • Securing data when bringing virtual and real production environments together
  • Protection for service processes
  • Development of procedures for secure remote software updates and remote maintenance

In the automotive sector

  • Development of secure control units and on-board network architectures
  • Development of secure Car-to-X (C2X) systems
  • Security measures for mobile electronics
  • Development of procedures for secure remote software updates

In product protection   

  • Support for the development of tamper-resistant components
  • Hardware- and software-based protection measures against counterfeit products
  • Component and spare part identification

Maintain security

Fraunhofer AISEC has extensive know-how and experience in the development of secure systems to support companies in the development and adaptation of appropriate field-tested methods and to transfer them into existing processes:

Operational / Application

  • Execution of security risk assessments
  • Elicitation of security requirements
  • Comprehensible assessment of the information technology risk for services and products
  • Source code security audits
  • Penetration tests
  • Support for the implementation of security measures and for quality assurance

Method development, tool development, integration

  • Selection of established security methods and adaptations for practical application in companies
  • Integration of security aspects into software lifecycle processes
  • Interaction of risk assessment with design, specification, implementation, testing and incident response
  • Establishment of sustainable security engineering processes
  • Tool development and parameterization of tools

Expertise

Modern vehicles consist of complex and distributed systems and sometimes include more than 100 electronic control units (ECUs). In the future, the number and complexity of electronic components will continue to increase. The growing trend towards centralization also means that the threat potential for such systems will rise considerably. Consequently, the security of these systems is an indispensable prerequisite for OEMs, suppliers, automotive workshops, service providers, etc. to benefit from this increasing use of information technology in the automotive domain.

Fraunhofer AISEC supports OEMs, suppliers, equipment manufacturers and system integrators in the development, implementation and integration of secure vehicle functions, applications and value-added services, thus helping to make innovative products possible in the first place through the "Safety by Security" approach.

To this end, Fraunhofer AISEC has a broad range of expertise in securing both internal and external vehicle communication using automotive-grade security mechanisms and protocols. Our employees are intensively involved with the new ISO/SAE 21434 standard, which is intended to support automotive manufacturers in demonstrating prevention against cyberattacks as early as the vehicle development stage.

We advise on and offer solutions for secure function enabling, secure coupling of back-end services, or defense against attacks. In the area of in-vehicle systems, Fraunhofer AISEC develops security mechanisms that also increase the functional safety of vehicle components. In addition, concepts are developed and implemented that enable the secure integration of vehicle components into existing or new automotive systems.

Industrial systems are taking on increasingly complex tasks and interacting more and more with each other and with other systems. The newly emerging networking of previously isolated systems poses a challenge to the IT security of these systems. Many systems and their components are only inadequately protected against these changes, because in the industrial environment the systems are protected in terms of operational safety, but often have no integrated security measures. Once an attacker has gained access to one part of the plant, it is easy to spy on or manipulate other parts of the plant.

Attacks on industrial plants can be associated with both reputational losses and concrete financial damage for operators and plant manufacturers. In extreme cases, a lack of protection against attackers can also pose a safety hazard in sensitive areas.

Unfair imitation of products, components and design causes major damage, which is constantly reaching new record levels. The negative effects of technology theft and product piracy are a serious threat. Manufacturers lose market share and suffer image damage. Consumers (often unconsciously) use inferior products whose safety, functionality and reliability are questionable. Ultimately, even national economies are weakened by a decline in investment, job cuts and tax losses.

Embedded systems are a component of many modern capital assets and consumer products. If preventive technological protection is neglected, this opens up opportunities for attacks on hardware and software in embedded systems. The spectrum of attacks ranges from targeted modification to complete reverse engineering and product piracy. We offer the development and implementation of suitable measures on the electronics and software to counteract this. The execution of penetration tests and source code security audits is also part of the service offering.

Methods and fields of application

The increasing complexity of networked systems and the diversity of hardware and software components require new system architectures as well as methods and tools to systematically identify conceptual security vulnerabilities at an early stage and to initiate the appropriate countermeasures.

Fraunhofer AISEC has the relevant know-how and experience in the field of security risk assessments to support companies in the development and adaptation of appropriate field-tested methods and to transfer them into existing processes:

  • Execution of security risk analyses
  • Risk assessment and survey of security requirements
  • Interaction of risk assessment with design, specification, implementation, testing, incident response
  • Integration of security aspects into software lifecycle processes

The "Internet of Things" (IoT) with its various manifestations such as Industry 4.0, information and communication technology, smart homes or connected cars is only possible with the highest level of security. The requirements here go beyond classic IT security. Rather, we are talking about the security of physical systems, cyber physical security or, more catchily, cyber security.

Typical use cases are:

  • Authentication of components with their unique identity
  • Monitoring and ensuring system integrity
  • Protection of data and communication

For corresponding solution concepts we offer integrated system solutions based on secure hardware to protect infrastructure and components against attacks, fraud and sabotage.

Security code analyses can be performed during the implementation phase or in the early test phase to identify and eliminate risks based on implementation vulnerabilities.

For this purpose, Fraunhofer AISEC uses a continuously evolving set of open source tools and in-house developments to perform a tool-supported manual analysis with a special focus on embedded systems with C/C++ code. The tooling combines analyses on different representations of the source code to capture the code both syntactically and semantically to thus detect correlations and logical errors.

Fraunhofer AISEC can draw on several years of experience in the field of security code analysis and has already performed analyses for customers in a wide range of domains, such as automotive, medical or Industry 4.0. In the automotive domain in particular, extensive knowledge of programming standards, libraries and frameworks has been built up.

To validate the security of a system or component, a purely theoretical analysis of the security concept is not sufficient. Penetration tests, on the other hand, provide information about actual resistance to attacks. Our experience shows that concepts are sometimes implemented incorrectly and that vulnerabilities only emerge in interaction with other hardware and software components.

The PIN research department knows how to take a holistic view of hardware and software in a penetration test. Our employees have many years of experience in industrial projects. Furthermore, scientific methods are used to develop new attack vectors according to customer needs. The spectrum of investigations ranges from control units, networked systems and application software to industrial plants or complete vehicles. Numerous laboratories at the institute complete the possible scope of services.

  • Attacks on Confidentiality, Integrity, Authenticity of information on bus systems
  • Security tests on debug interfaces in microcontrollers
  • Visibility- and access-protected parking spaces in the building for large test setups up to several vehicles

Selected Projects

SecForCars

The more electronic devices steer, accelerate and brake cars, the more important protection against cyberattacks becomes. That's why 15 partners from industry and academia are working on new approaches to IT security in self-driving cars over the next three years in the joint project Security For Connected, Autonomous Cars (SecForCARs).

IUNO Insec

In the IUNO Insec project, a consortium from research and industry is working together on integration and migration strategies for industrial IT security – especially for small and medium-sized enterprises.

Anonymization for Optimization

In the funded project Anonymization for Optimization, Fraunhofer AISEC is working together with the Institute for Machine Tools and Industrial Management (IWB) at the Technical University of Munich on a solution that makes it possible to store collected machine data anonymized and encrypted in the cloud in order to optimize machines and use them more efficiently.

Publications

  • Alexander Giehl, Michael P. Heinl, and Maximilian Busch. “Leveraging Edge Computing and Differential Privacy to Securely Enable Industrial Cloud Collaboration Along the Value Chain”. In: 2021 IEEE 17th International Conference on Automation Science and Engineering (CASE). Lyon, France:
    IEEE, 2021, pp. 2023–2028. ISBN: 978-1-6654-1873-7. DOI: 10.1109/CASE49439.2021.9551656.
    URL: https://ieeexplore.ieee.org/document/9551656.
  • Michael P. Heinl, Simon Gölz, and Christoph Bösch. “A Comparative Security Analysis of the German Federal Postal Voting Process”. In: DG.O2021: The 22nd Annual International Conference on Digital Government Research. DG.O’21. Omaha, NE, USA: Association for Computing Machinery, 2021, 198–207. ISBN: 9781450384926. DOI: 10.1145/3463677.3463679.
    URL: https://doi.org/10.1145/3463677.3463679.
  • Tobias Madl. “Security Concept with Distributed Trust-Levels for Autonomous Cooperative Vehicle Networks”. In: Proceedings of the 32nd Annual IEEE Intelligent Vehicles Symposium. IV ’21. NAGOYA, JAPAN: IEEE, 2021.
  • Stefan Tatschner, Ferdinand Jarisch, Alexander Giehl, Sven Plaga, and Thomas Newe. “The Stream Exchange Protocol: A Secure and Lightweight Tool for Decentralized Connection Establishment”. In: vol. 21. 15. 2021. DOI: 10.3390/s21154969.
    URL: https://www.mdpi.com/1424-8220/21/15/4969.
  • Emanuel Q. Vintila, Philipp Zieris, and Julian Horsch. “MESH: A Memory-Efficient Safe Heap for C/C++”. In: Proceedings of the 16th International Conference on Availability, Reliability and Security. ARES ’21. Vienna, Austria: ACM, Aug. 2021. ISBN: 978-1-4503-9051-4. DOI: 10.1145/3465481.3465760.
    URL: https://doi.org/10.1145/3465481.3465760.

  • Alexander Giehl, Norbert Wiedermann, Makan Tayebi Gholamzadeh, and Claudia Eckert. “Integrating security evaluations into virtual commissioning”. In: 2020 IEEE 16th International Conference on Automation Science and Engineering Proceedings. Hong Kong: IEEE, 2020. ISBN: 978-1-7281-6904-0. DOI: 10.1109/CASE48305.2020.9217004.
    URL: https://ieeexplore.ieee.org/document/9217004.
  • Gerhard Hansch. “Automating Security Risk and Requirements Management for Cyber-Physical Systems”. Dissertation. Göttingen, Germany: Georg-August-Universität Göttingen, Dec. 2020. DOI: 10.24406/AISEC-N-608669.
    URL: http://hdl.handle.net/21.11130/00-1735-0000-0005-1517-A
  • Michael P. Heinl, Alexander Giehl, and Lukas Graif. “AntiPatterns Regarding the Application of Cryptographic Primitives by the Example of Ransomware”. In: Proceedings of the 15th International Conference on Availability, Reliability and Security (ARES 2020). ARES ’20. Virtual Event, Ireland: Association for Computing Machinery, 2020. ISBN: 9781450388337. DOI: 10.1145/3407023.3409182.
    URL: https://doi.org/10.1145/3407023.3409182.
  • Johannes Obermaier and Marc Schink. “Analysis of Firmware Protection in State-of-the-Art Microcontrollers”. In: Proceedings of the 2020 Embedded World Conference. EWC ’20. Nuremberg, Germany: WEKA Fachmedien, Feb. 2020.
  • Daniel Angermeier, Kristian Beilke, Gerhard Hansch, and Jörn Eichler. “Modeling security risk assessments”. In: 17th escar Europe: embedded security in cars (conference publication). 2019. DOI: 10.13154/294-6670.
  • Alexander Giehl, Peter Schneider, Maximilian Busch, Florian Schnoes, Robin Kleinwort, and Michael F. Zaeh. “Edge-computing enhanced privacy protection for industrial ecosystems in the context of SMEs”. In: 12th CMI Conference 2019. Copenhagen, Denmark: IEEE, 2019. DOI: Publication Pending.
  • Alexander Giehl, Norbert Wiedermann, and Sven Plaga. “A framework to assess impacts of cyber attacks in manufacturing”. In: 2019 11th International Conference on Computer and Automation Engineering Proceedings. Perth, Australia: ACM, 2019. ISBN: 9781450362870.
    DOI: 10.1145/3313991.3314003. URL: https://doi.org/10.1145/3313991.3314003.
  • Gerhard Hansch, Peter Schneider, and Gerd Brost. “Deriving Impact-driven Security Requirements and Monitoring Measures for Industrial IoT”. In: 5th ACM Cyber Physical System Security Workshop. CPSS ’19. Auckland, New Zealand: ACM, July 2019. ISBN: 9781450367875/19/07. DOI: 10.1145/3327961.3329528.
  • Gerhard Hansch, Peter Schneider, Kai Fischer, and Konstantin Böttinger. “A Unified Architecture for Industrial IoT Security Requirements in Open Platform Communications”. In: 24th IEEE Conference on Emerging Technologies and Factory Automation. ETFA ’19. Zaragoza, Spain: IEEE, Sept. 2019.
  • Michael P. Heinl, Alexander Giehl, Norbert Wiedermann, Sven Plaga, and Frank Kargl. “MERCAT: A Metric for the Evaluation and Reconsideration of Certificate Authority Trustworthiness”. In: Proceedings of the 2019 ACM SIGSAC Conference on Cloud Computing Security Workshop. CCSW ’19. London, United Kingdom: Association for Computing Machinery, 2019, 1–15. ISBN: 9781450368261. DOI: 10.1145/3338466.3358917. URL: https://doi.org/10.1145/3338466.3358917.
  • Johannes Obermaier. “Breaking and Restoring Embedded System Security From Practical Attacks to Novel PUF-Based Physical Security Enclosures”. Dissertation. München: Technische Universität München, 2019.
  • Sven Plaga, Norbert Wiedermann, Simon Duque Anton, Stefan Tatschner, Hans Schotten, and Thomas Newe. “Securing future decentralised industrial IoT infrastructures: Challenges and free open source solutions”. In: Future Generation Computer Systems 93 (2019). Presentation of results as part of IUNO AP4 in the April 2019 issue of the Elsevier Future Generation Computer Systems journal, pp. 596–608. ISSN: 0167739X. DOI: https://doi.org/10.1016/j.future.2018.11.008. URL: http://www.sciencedirect.com/science/article/pii/S0167739X18314043.
  • Peter Schneider. “Do’s and Don’ts of Distributed Intrusion Detection in Cyber-Physical Systems”. In: accepted at CyberHunt at BigData. 2019.
  • Peter Schneider and Alexander Giehl. “Realistic Data Generation for Anomaly Detection in Industrial Settings Using Simulations”. In: Computer Security. Ed. by Sokratis K. Katsikas, Frédéric Cuppens, Nora Cuppens, Costas Lambrinoudakis, Annie Antón, Stefanos Gritzalis, John Mylopoulos, and Christos Kalloniatis. Cham: Springer International Publishing, 2019, pp. 119–134. ISBN: 9783030127862.

  • Konstantin Böttinger, Rishabh Singh, and Patrice Godefroid. “Deep Reinforcement Fuzzing”. In: IEEE Symposium on Security and Privacy Workshops 2018. 2018.
  • Alexander Giehl and Sven Plaga. “Implementing a Performant Security Control for Industrial Ethernet”. In: 2018 International Conference on Signal Processing and Information Security. Dubai, United Arab Emirates: IEEE, 2018. DOI: 10.1109/CSPIS.2018.8642758. URL: https://doi.org/10.1109/CSPIS.2018.8642758.
  • Alexander Giehl and Norbert Wiedermann. “Security verification of third party design files in manufacturing”. In: 2018 10th International Conference on Computer and Automation Engineering Proceedings. Best Presentation Award. Brisbane, Australia: ACM, 2018. ISBN: 978-1-4503-6410-2/18/02. DOI: 10.1145/3192975.3192984. URL: https://doi.org/10.1145/3192975.3192984.
  • Matthias Niedermaier, Thomas Hanka, Sven Plaga, Alexander von Bodisco, Dominik Merli. “Efficient Passive ICS Device Discovery and Identification by MAC Address Correlation”. In: Proceedings of the 5th International Symposium for ICS & SCADA Cyber Security Research 2018. Electronic Workshops in Computing (eWiC). Collaboration with Hochschule Augsburg – status: presented at ICS-CSR 2018/Hamburg (co-located with ARES 2018). Hamburg: British Computer Society Learning & Development Ltd., 2018. URL: https://ewic.bcs.org/category/19361 (visited on 09/09/2018).
  • Johannes Obermaier, Florian Hauschild, Matthias Hiller, and Georg Sigl. “An Embedded Key Management System for PUF-based Security Enclosures”. In: 2018 7th Mediterranean Conference on Embedded Computing (MECO). 2018, pp. 1–6. DOI: 10.1109/MECO.2018.8406028.
  • Johannes Obermaier and Vincent Immler. “The Past, Present, and Future of Physical Security Enclosures: From Battery-Backed Monitoring to PUF-Based Inherent Security and Beyond”. In: Journal of Hardware and Systems Security 2.4 (2018), pp. 289–296. ISSN: 2509-3436. DOI: 10.1007/s41635-018-0045-2. URL: https://doi.org/10.1007/s41635-018-0045-2.
  • Johannes Obermaier, Vincent Immler, Matthias Hiller, and Georg Sigl. “A Measurement System for Capacitive PUF-based Security Enclosures”. In: Proceedings of the 55th Annual Design Automation Conference. DAC ’18. San Francisco, California: ACM, 2018, 64:1–64:6. ISBN: 978-1-4503-5700-5. DOI: 10.1145/3195970.3195976. URL: http://doi.acm.org/10.1145/3195970.3195976.
  • Sven Plaga, Melanie Niethammer, Norbert Wiedermann, and Alexander Borisov. “Adding Channel Binding for an Out-of-Band OTP Authentication Protocol in an Industrial Use-Case”. In: Proceedings of the 1st International Conference on Data Intelligence and Security. ICDIS ’18. Cooperation within IUNO AP4 between Fraunhofer AISEC and BOSCH Corporate Sector Research and Advance Engineering, submitted to "The 1st International Conference on Data Intelligence and Security". South Padre Island, Texas, USA: IEEE, 2018. ISBN: 978-1-5386-5762-1. DOI: 10.1109/ICDIS.2018.00048.
  • Sven Plaga, Norbert Wiedermann, Hansch Gerhard, and Newe Thomas. “Secure your SSH Keys! – Motivation and Practical Implementation of a HSM-based Approach Securing Private SSH-Keys”. In: Proceedings of the 17th European Conference on Cyber Warfare and Security. ECCWS ’18. University of Oslo, Norway: Academic Conferences and Publishing International (ACPI) Limited, 2018, pp. 370–379. ISBN: 978-1-911218-85-2.
  • S. Plaga, N. Wiedermann, M. Niedermaier, A. Giehl, T. Newe. “Future Proofing IoT Embedded Platforms for Cryptographic Primitives Support”. In: 12th International Conference on Sensing Technology 2018. ICST ’18. University of Limerick, Ireland: Institute of Electrical and Electronics Engineers (IEEE), 2018, pp. 52–57. DOI: 10.1109/ICSensT.2018.8603610.
  • Peter Schneider and Konstantin Böttinger. “High-Performance Unsupervised Anomaly Detection for Cyber-Physical System Networks”. In: Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy. CPS-SPC ’18. Toronto, Canada: ACM, 2018, pp. 1–12. ISBN: 978-1-4503-5992-4. DOI: 10.1145/3264888.3264890. URL: http://doi.acm.org/10.1145/3264888.3264890.
  • Norbert Wiedermann and Sven Plaga. “Rowhammer – A Survey Assessing the Severity of this Attack Vector”. In: Proceedings of the 2018 Embedded World Conference. EWC ’18. Nuremberg, Germany: WEKA Fachmedien, Feb. 2018. ISBN: 978-3-645-50173-6.
  • Philipp Zieris and Julian Horsch. “A Leak-Resilient Dual Stack Scheme for Backward-Edge Control-Flow Integrity”. In: Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security. ASIA CCS ’18. Incheon, Republic of Korea: ACM, June 2018. ISBN: 978-1-4503-5576-6. DOI: 10.1145/3196494.3196531. URL: http://doi.acm.org/10.1145/3196494.3196531.
  • Konstantin Böttinger. “Guiding a Colony of Black-box Fuzzers with Chemotaxis”. In: 38th IEEE Symposium on Security and Privacy (S&P 2017) Workshops. 2017.
  • Gerhard Hansch, Peter Schneider, and Sven Plaga. “Packet-wise Compression and Forwarding of Industrial Network Captures”. In: 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications. (University "Politehnica" of Bucharest, Romania). IDAACS ’17. Bucharest, Romania: IEEE, Sept. 2017, pp. 66–70. ISBN: 978-1-5386-0696-4. DOI: 10.1109/IDAACS.2017.8095051.
  • Johannes Obermaier, Robert Specht, and Georg Sigl. “Fuzzy-Glitch: A Practical Ring Oscillator Based Clock Glitch Attack”. In: 2017 International Conference on Applied Electronics (AE). IEEE, Sept. 2017, pp. 1–6. DOI: 10.23919/AE.2017.8053601.
  • Johannes Obermaier and Stefan Tatschner. “Shedding too much Light on a Microcontroller’s Firmware Protection”. In: 11th USENIX Workshop on Offensive Technologies (WOOT 17). Vancouver, BC: USENIX Association, 2017. URL: https://www.usenix.org/conference/woot17/workshop-program/presentation/obermaier