Roland Varriale, CISSP

The rapid development of Electric Vehicle Supply Equipment (EVSE) and incorporation within more traditional industrial control systems, such as Building Management Systems (BMS) and Building Energy Management Systems (BEMS) can lead to undesirable consequences. In a desire to gain functionality, separated components are often integrated and accessible through less secure means. Furthermore, the architecture and operational environment of some devices may lead to unintended consequences based on… Show more

The rapid development of Electric Vehicle Supply Equipment (EVSE) and incorporation within more traditional industrial control systems, such as Building Management Systems (BMS) and Building Energy Management Systems (BEMS) can lead to undesirable consequences. In a desire to gain functionality, separated components are often integrated and accessible through less secure means. Furthermore, the architecture and operational environment of some devices may lead to unintended consequences based on either physical or logical co-location. To perform analysis of the remote attack surface we used publicly available tools and data sets such as Shodan, nmap, and exploit-db’s searchsploit tool.

We will also discuss evidence of possible remote attack surface weakness across the sector, as a whole, and what the implications of weaknesses within our threat model may permit within the operating environment. Show less

In order to achieve control over certain vehicle functionality, adversarial agents frequently must spoof the speed of a moving vehicle. One way to combat this is to poll numerous signals from the vehicle network in order to evaluate the validity of a given signal. This research used discrete correlation function calculations to find pairs of signals within an automotive CAN bus network that exhibit strong correlation during normal driving conditions. This project uses data collected from a… Show more

In order to achieve control over certain vehicle functionality, adversarial agents frequently must spoof the speed of a moving vehicle. One way to combat this is to poll numerous signals from the vehicle network in order to evaluate the validity of a given signal. This research used discrete correlation function calculations to find pairs of signals within an automotive CAN bus network that exhibit strong correlation during normal driving conditions. This project uses data collected from a vehicle CAN bus and calculates the discrete correlation function values at various lag inputs, and analyzes how this information might be used to better protect against cyber security threats against moving vehicles. Show less

During fiscal year 2019 (FY 2019), the U.S. Department of Energy (DOE) Vehicle Technologies Office (VTO) funded early stage research & development (R&D) projects that address Batteries and Electrification of the U.S. transportation sector. The VTO Electrification Sub-Program is composed of Electric Drive Technologies, and Grid Integration activities. The Electric Drive Technologies group conducts R&D projects that advance electric motors and power electronics technologies. The Grid and Charging… Show more

During fiscal year 2019 (FY 2019), the U.S. Department of Energy (DOE) Vehicle Technologies Office (VTO) funded early stage research & development (R&D) projects that address Batteries and Electrification of the U.S. transportation sector. The VTO Electrification Sub-Program is composed of Electric Drive Technologies, and Grid Integration activities. The Electric Drive Technologies group conducts R&D projects that advance electric motors and power electronics technologies. The Grid and Charging Infrastructure group conducts R&D projects that advance grid modernization and electric vehicle charging technologies. This document presents a brief overview of the Electrification Sub-Program and progress reports for its R&D projects. Each of the progress reports provide a project overview and highlights of the technical results that were accomplished in FY 2019. Show less

The field of vehicular cybersecurity has received considerable media and research attention in the past few years. Given the increasingly connected aspect of consumer automobiles, along with the inherent danger of these machines, there has been a call for experienced security researchers to contribute towards the vehicle security domain. The proprietary nature of Controller Area Network (CAN) bus messages, however, creates a barrier of entry for those unfamiliar, due to the need to identify… Show more

The field of vehicular cybersecurity has received considerable media and research attention in the past few years. Given the increasingly connected aspect of consumer automobiles, along with the inherent danger of these machines, there has been a call for experienced security researchers to contribute towards the vehicle security domain. The proprietary nature of Controller Area Network (CAN) bus messages, however, creates a barrier of entry for those unfamiliar, due to the need to identify what the messages on a given vehicle's bus are broadcasting. This work aims to automate the process of correlating CAN bus messages with specific Electronic Control Unit (ECU) functions in a new vehicle, by creating a machine learning classifier that has been trained on a dataset of multiple vehicles from different manufacturers. The results show that accurate classification is possible, and that some ECUs that broadcast similar vehicle dynamics broadcast similar CAN messages. Show less

Detection of electronic control units on cars is labor intensive and tedious. This information is necessary in order to interact with vehicles utilizing a control area network (CAN) bus. To reduce the amount of interaction and time needed for this identification we posit that supervised machine learning classifiers can be utilized to assist in this labeling through a statistical analysis of the transmission frequency, message contents, and bus location.

Botnets are an increasing threat to both organizations and individuals. Users at the mercy of botnet operators may observe telltale signs of infection such as internet connectivity loss, antivirus malfunction, or a slowdown in normal computer operations. Despite these inconvenience there are legal implications to your computer being utilized for illicit activities. In our research we propose a methodology that mirror the original infection vector in order to gain access to an entity within the… Show more

Botnets are an increasing threat to both organizations and individuals. Users at the mercy of botnet operators may observe telltale signs of infection such as internet connectivity loss, antivirus malfunction, or a slowdown in normal computer operations. Despite these inconvenience there are legal implications to your computer being utilized for illicit activities. In our research we propose a methodology that mirror the original infection vector in order to gain access to an entity within the botnet. From that point there are several methods being utilized to fingerprint and scan for additional hosts and cleanse them in a large scale fashion. This research is hugely divergent from current approaches which target high value entities within the botnet infrastructure. Show less

A high level overview of some of the technologies that are used within vehicle systems and some possible implications of the inherent vulnerabilities that they contain

Industrial Control Systems and Supervisory Control and Data Acquisition (ICS/SCADA) systems are some of the hardest to protect due to their historical physical access-only nature. This significance, in relation to cybersecurity, as well as other security implications are discussed an consequently some approaches towards hardening networks to enable more secure operations

VTIS is a dynamic notification system that takes in a user's route and calculates the time-delay imposed by disruptions to the normal traversal. The disruptions are calculated by using crowdsourced notifications. This is accomplished by the creation of a client side application for notification display and a server infrastructure that will process and store the event information. We have devised a system that will generate personalized notifications for users based on a provided path, temporal… Show more

VTIS is a dynamic notification system that takes in a user's route and calculates the time-delay imposed by disruptions to the normal traversal. The disruptions are calculated by using crowdsourced notifications. This is accomplished by the creation of a client side application for notification display and a server infrastructure that will process and store the event information. We have devised a system that will generate personalized notifications for users based on a provided path, temporal range, and set of transportation modes. At a high level, the functionality of this system is to identify events that affect the user's route and notify the user of these events. The VTIS will provide a multimodal notification system based on information mined from Twitter data and volunteered information from VTIS users. This information will be stored to create a repository of transportation events., This repository will be queried to notify affected users of events that may affect their route.. Although this outlined problem has been solved previously, our approach is novel in several ways: (1)accounting for multiple modes, (2)combining user input with mined data, and the (3)modeling method used to calculate effects on the user's route. Some of these methods have been implemented separately; however, a comprehensive system has not been constructed that includes all of these items. Show less

A PHP class has been devised to encapsulate the functionality of a database connector while excluding the underlying DBMS used. This is extremely important in the design of robust PHP systems that use database integration.

We have simulated ideal linear and star polymers on a two-dimensional square lattice.

Random numbers are used to decide upon the direction of polymer growth. Each

configuration so generated forms an independent sample for statistical averaging. The

mean-square radius of gyration, <S2>, and its error have been computed for polymers

with two arms (linear chains) , and three, four, five or six arms. The data fit the expected

scaling laws. The g ratio… Show more

We have simulated ideal linear and star polymers on a two-dimensional square lattice.

Random numbers are used to decide upon the direction of polymer growth. Each

configuration so generated forms an independent sample for statistical averaging. The

mean-square radius of gyration, <S2>, and its error have been computed for polymers

with two arms (linear chains) , and three, four, five or six arms. The data fit the expected

scaling laws. The g ratio, <S2> star / <S2>linear, is in excellent agreement with the

theoretical predictions of Zimm and Stockmeyer, who showed that g = (3 f - 2) / f 2 ,

where f is the number of branches in the star polymer. Show less

The widespread use of unmanned aerial systems (UAS) lends itself to additional attack surface that was previously secured through physical security means. By leveraging UAS we can empower a penetration tester to gain a foothold into a network through means that would previously be thwarted through the guns, gates, guards physical security paradigm.