1 Introduction

As vehicles evolve into large smart devices connected to the Internet, the autonomous features they are equipped with dramatically change the mobility of vehicle users [1]. Behind this convenience, however, new security threats that were not considered in conventional vehicles have emerged. More specifically, the connectivity of Internet-equipped vehicles exposes them to the public and allows hackers to mount malicious attempts against them [2,3,4]. In particular, the security vulnerabilities of the IT environment, such as those of computer systems and networks, are becoming major threats to connected vehicles. Furthermore, fully autonomous vehicles require higher safety and security measures because even minor security flaws or malfunctions can cause accidents involving many human casualties.

Current vehicle security-related regulations and standards [5,6,7] define cybersecurity threat analysis and risk assessment (TARA) for vehicles as important processes. However, they do not provide the criteria or evaluation standards that should be considered in each step of an actual TARA. Therefore, they rely on the policies and capabilities of manufacturers and suppliers. The e-safety vehicle intrusion protected applications project (EVITA), jointly developed by European automobile manufacturers and suppliers, presents a reliable security framework for vehicle communication over the in-vehicle network (IVN), which is an on-board system. Remote attackers can take control of a vehicle by accessing connected vehicles through the wireless network, taking over privileges, and manipulating control software or messages. This implies that it is difficult to sufficiently analyze and evaluate cybersecurity threats and risks [8,9,10,11,12] in the interaction between connected vehicles and external entities.

Existing research on vehicle cybersecurity [13,14,15,16,17,18,19,20,21] focused on preventing unauthorized external access to the internal network by setting a boundary section [22]. However, these methods do not reflect the paradigm shift of cybersecurity toward fast detection and recovery against advanced cyber-attack techniques in a rapidly developing IT environment. Instead of operating in a closed environment, vehicle networks are now connected to external cloud infrastructure, smart devices, grids, and other connected and autonomous vehicles (CAVs) for interaction. Thus, the fundamental perimeter defense strategy for the IVN is no longer valid [23]. According to actual cases of vehicle cyber incidents [24,25,26], attackers remotely analyze the external communication of vehicles for a period of one year or longer and manipulate software through the network. Moreover, they seek vulnerabilities in the IVN or control software by injecting messages to gain unauthorized access. If an incident occurs as a result of such long-term analysis, defenders need strategies and methods for fast recovery based on real-time analysis and actions so that these attacks do not lead to personal injury or financial loss [27].

Considering the changing cybersecurity paradigm of IVN, this study defines four criteria for the risk assessment of CAVs: probability, impact, exposure, and recovery. In particular, this study considers exposure items to prevent cyber incidents and recovery criteria to measure rapid resilience, in addition to the widely-used probability and impact. Cyber resilience is reflected in the safety and security of vehicles by evaluating the prevention of cyber threats and real-time follow-up measures for CAVs according to these criteria. Furthermore, we propose evaluation items and metrics based on these criteria and derive evaluation indices to reinforce security by assigning weights to controllable items. In addition, the target scope is expanded to communication and infrastructure to derive security requirements of the vehicle, communication, and infrastructure linkage areas, which could not be derived in prior studies.

The rest of this paper is organized as follows. Section 2 summarizes related studies of various conventional methods for security risk assessment in-vehicle environments. Section 3 introduces the PIER method, the risk assessment method proposed in this study, and explains the four primary criteria: attack probability, impact, exposure, and recovery, and evaluation metrics presented in this method. In particular, cyberattack response levels can be improved by weighting the controllable factors for security in CAVs and creating indices to remove threats and enhance resilience in advance. In Sect. 4, the cybersecurity risks for CAVs are evaluated by applying the proposed PIER method to automotive over-the-air (OTA) software update and collision avoidance, which are two significant features of connected vehicles (CVs) and autonomous vehicles (AVs). In Sect. 5, risk mitigation is verified by suggesting and re-evaluating security requirements that can reduce risk indices for major threats and risks derived from the previous cyber risk assessment. In addition, the proposed method is validated by comparing its coverage and performance with those of conventional methods. Finally, Sect. 6 presents the core security control factors for CVs and AVs derived in this study as key findings and summarizes the proposed method.

2 Related work

This section examines and compares the major characteristics of prior studies on the risk assessments of CVs, AVs, and CAVs.

Cui and Zhang [28] proposed the VeRA model to perform a simplified risk assessment for AVs, characterized by including human control in the risk assessment criteria and attack probability and severity. Probability was defined in three levels by combining the attacker’s knowledge and the equipment usage, whereas severity was defined as in SAE J3061 [7]. This index is similar to the impact index in other existing studies. The authors newly defined human control based on the automation level and human capacity of AVs, as defined in SAE J3016 [29]. However, objective criteria for measuring the driver’s ability in three levels are insufficient.

ISO/SAE 21434 [6] presents the metrics of attack impact and feasibility and an example to derive the risk value from the TARA methods. Four major attributes, that is, safety, financial, operational, and privacy damage, were used to assess impact according to four damage scenarios. The impact ratings of each attribute were classified into four grades according to each criterion. For attack feasibility, attack potential, common vulnerability scoring system, and attack vector were used. For each sub-attribute, the impact was evaluated according to different criteria from one to five. This assessment scheme is meaningful as it refers to standards related to each attribute. However, the process is complex and challenging to quickly apply because the various indices required by each standard must be evaluated in advance, as mentioned by Cui and Zhang [28].

Kelarestaghi et al. [30] proposed an impact-oriented risk assessment for IVN in the security of intelligent transport systems. Their proposal applied the risk model defined in the National Institute of Standards and Technology Special Publication 800-30 [31]. Risks that can influence a damaged IVN are classified into seven risk categories and subcategorized further to indicate the negative impact on the transportation network. This method uses five levels of likelihood and impact as a matrix to classify risk assessment into five risk clusters. However, the criteria (very low, low, moderate, high, and very high) of impact and likelihood ratings for each element are unclear, and results may differ depending on the situation or analyst.

Strandberg et al. [32] proposed start, predict, mitigate, and test (SPMT) as a method to predict and mitigate the vulnerabilities of vehicles for the analysis of vehicle security. SPMT consists of four phases, and the actual risk assessment is performed in the predictive phase. Predictions are made in accordance with the Common Vulnerabilities and Exposures database and STRIDE threat model, and risk is calculated by multiplying the prediction result by its probability. The SPMT process has a virtuous cycle that predicts threats in each phase, mitigates them, and re-assesses them. However, the six measures calculated by a simple product of the two indices have limitations when a detailed assessment is required, as they are significantly simplified.

Kong et al. [33] suggested a framework for evaluating smart car security by calculating the risk of three grades through the arithmetic product of asset, threat, and vulnerability analysis. The asset index partly transformed the severity evaluation of the EVITA project, and the asset value is determined by considering the highest impact among the three categories of safety, privacy, and operationality. The threat is calculated from the attack tree, and vulnerability is calculated using the probability of vulnerability and event occurring in a way similar to that performed for threat calculation. Unlike in prior methods, impact and probability are inherent in these indices. However, this framework assumes an equal possibility for every threat without environmental and technical limitations for every case of vulnerability specified in the attack tree. Thus, this method has limitations in realistic risk classification and evaluation.

Prior studies evaluating vehicle security commonly utilized the probability of attack and the resulting impact as factors in risk assessment. However, existing evaluation criteria do not sufficiently apply the connectivity property of CVs that allows attackers to access the IVN using an open wireless channel or the autonomous property of AVs that analyzes the driving context and determines vehicle control by merging various sensing data. This study proposes the PIER method, which performs threat analysis by considering exposure for reliable internal and external connections, and recovery for immediate detection of and restoration from attacks, as risk assessment factors, in addition to the existing indices for probability and impact.

3 PIER method

The quantitative risk and resilience assessment method proposed in this study evaluates the vulnerability of CAVs to threats, the probability of attack by such threats, the impact of results derived when an attack occurs, and the recovery method for returning a risk state to a normal state.

3.1 Process

The overall process performs risk assessment by applying risk factors and PIER criteria to analyze the CAV functionalities, as depicted in Fig. 1. The main functionalities of CAVs include automotive OTA and collision avoidance, as shown in Fig. 1(a). In-vehicle components interact with external entities and can be exposed as attack surfaces through their connectivity properties. In Fig. 1(b), the PIER methodology presented in this study is applied to the main functionalities that require risk assessments. This method evaluates risk criteria based on the risk factors in each risk category: probability, impact, exposure, and recovery. Section 3.2 describes these major risk categories composing the risk matrix in four subsections. Each risk criterion is covered in detail in Table 1 of Sect. 3.3. Risk factors that cause high risk drive the derivation of security requirements that mitigate them as countermeasures, as shown in Fig. 1(c). The PIER method finally determines the risk level by applying the previously derived security requirements to the main functionalities and running the risk assessment stage again, as in Fig. 1(d).

Fig. 1 The overall process of the PIER method: a automotive software update over-the-air (OTA) and collision avoidance as main functionalities of a connected and autonomous vehicle, b PIER risk assessment based on the risk categories, risk factors, and each criterion, c security requirements to mitigate the risk as countermeasures, and d risk reassessment to determine the final security risk

3.2 Risk categories

3.2.1 Probability: P

Probability is the likelihood that an attack actually occurs, given the attacker's effort and the defender's proactive action. This is closely related to the skills required for the attack, the preparation cost, and the configuration of the defense system. Attackers can attempt an assault with little effort and time if an attack using known techniques is valid. When the hurdles to an attack are low, a valid attack that is easily attempted leads to an incident, which is a considerable risk to the target system.

The PIER model measures the probability using the following Eq. (1) based on the required skill, preparation time, and essential defense system.

$$\begin{aligned} {\textit{Probability}} = \mathop {\min }\limits _{\alpha } \mathop {\max }\limits _\beta \left\lceil \sum _{i}^n \eta _{i} \cdot \left( \frac{P_{i}}{n} \right) ^{2} \right\rceil , \end{aligned}$$
(1)

where n is the number of measurement items, that is, the number of risk factors \(P_{i}\) in risk category P. Each risk factor is rated low, medium, or high. A predefined weight \(\eta _{i}\) is applied to any controllable factor \(\exists P_{i}^*\).

The PIER method sets the minimum value \(\alpha\) of the risk level to one and the maximum value \(\beta\) to three so that every risk category is rated on three levels. In addition, a weight of 1.5 is applied to each controllable factor through the weight vector of the risk category. For example, the weight vector \(\eta\) becomes \(\left[ 1, 1, 1.5 \right]\) for the probability factors \(P_{1}\), \(P_{2}\), and \(P_{3}^*\) when \(P_{3}^*\) is the controllable weighted factor.

3.2.2 Impact: I

Impact refers to the damage caused by an attack. A CAV is a safety-critical and mission-critical system simultaneously. If a remote attack directly affects the driveline of a moving CAV, the driver may lose control of the vehicle with unintentional acceleration, braking, or steering. The impact of this loss of driveline control caused by cyber attacks is more severe than the simple inconvenience caused by malfunctions in the audio or air conditioning systems. The impact of potential harm is high if the result of a cyberattack is directly connected to the safety of passengers or other road users. Furthermore, even when a cyberattack does not directly affect the passengers’ safety, it may still have a critical impact on business, especially when the recovery process consumes more procedures, time, and cost than expected.

The PIER model measures the impact using the following Eq. (2) based on the resulting damage, the target of the damage, and the recovery time from a cyberattack.

$$\begin{aligned} {\textit{Impact}} = \mathop {\min }\limits _{\alpha } \mathop {\max }\limits _{\beta } \left\lceil \sum _{i}^n \eta _{i} \cdot \left( \frac{I_{i}}{n} \right) ^{2} \right\rceil , \end{aligned}$$
(2)

where n is the number of measurement items, that is, the number of risk factors \(I_{i}\) in risk category I. Each risk factor is rated low, medium, or high. A predefined weight \(\eta _{i}\) is applied to any controllable factor \(\exists I_{i}^*\).

3.2.3 Exposure: E

Exposure indicates the likelihood that the attack vectors of the CAV are exposed to attackers. Hackers consider the reachability to the target, exploitation of known vulnerabilities, and the possibility of spreading damage when establishing a strategy for an efficient attack.

Reachability refers to the ability of a hacker to connect directly or indirectly to an attack target. An attacker can access the target through network scanning if the target is exposed to the Internet or a public network. Even if the attacker is not connected directly to their target, they can indirectly access the system step by step by gaining authority over an intermediate system through a different network. However, this requires more time and effort than direct access. Therefore, it is crucial to accurately identify possible attack routes and the reachability of the target for effective defense and risk assessment.

Furthermore, known or unresolved vulnerabilities degrade the security of the system. Unlike in conventional IT systems, known vulnerabilities inherent in embedded software provide hackers with attack vectors because of its longer patching cycles and the difficulty of fixing vulnerabilities in real time. Therefore, carrying a known vulnerability in such an environment means that attack vectors are readily exposed to hackers.

Accessibility is evaluated from the perspective of whether an attack conducted by a hacker to take over the authority of a vehicle can be applied simultaneously to a large number of unspecified vehicles at a remote location. The risk is extremely high if the server transmitting control commands to remote vehicles is exposed to the Internet and grants permission to hackers, because the attack can then spread to an unspecified number of CVs. In contrast, the spread risk is low if physical possession is assumed or the target vehicle must be individually specified through the network, because each new target would require a similar amount of effort to attack.

The PIER model measures the exposure using the following Eq. (3) based on the reachability to the target, exploitable vulnerabilities, and accessibility to spread damages.

$$\begin{aligned} {\textit{Exposure}} = \mathop {\min }\limits _{\alpha } \mathop {\max }\limits _{\beta } \left\lceil \sum _{i}^n \eta _{i} \cdot \left( \frac{E_{i}}{n} \right) ^{2} \right\rceil , \end{aligned}$$
(3)

where n is the number of measurement items, that is, the number of risk factors \(E_{i}\) in risk category E. Each risk factor is rated low, medium, or high. A predefined weight \(\eta _{i}\) is applied to any controllable factor \(\exists E_{i}^*\).

3.2.4 Recovery: R

Recovery refers to the ability to recover a system from damage caused by cyberattacks to a normal state. In a cyberattack, delays in appropriate action increase the degree of damage and loss exponentially. Therefore, it is essential to detect attacks quickly and take appropriate measures. The defender must consider the detection capabilities, patch methods, and supply chain coverages for early detection and fast responses.

Detection capability is determined by the presence of a monitoring system that can recognize threats in advance or in real time so that cyber-attacks can be responded to immediately. In a conventional IT environment, abnormal access attempts are monitored by mirroring the logs of security systems such as firewalls and intrusion detection and prevention systems (IDPSs). A CAV environment likewise requires the system to detect malicious traffic in network communication and analyze attack behaviors effectively. Ideally, threats are blocked in advance based on the analysis result before the actual attack behavior occurs. Realistically, however, a CAV must establish its strategies through real-time detection and immediate response, considering the characteristics of a mission-critical system.

The patch method is evaluated to determine whether it can collectively patch vulnerabilities inherent in CAVs or related systems. An effective defense neutralizes attacks with a preemptive response system that breaks the attackers' intrusion kill chain [34]. Furthermore, it is crucial to quickly prepare and distribute a patch to the target systems when vulnerabilities are exploited. When updating the controller software, a conventional automobile requires a physical connection to a diagnostic device. Because these vehicles are processed manually, the distribution cycle is significantly longer and the completion rate of actions is low; thus, vulnerabilities discovered in such a system remain risk factors for an unspecified number of vehicles. CAVs utilize automotive OTA technology [35] to distribute patched software to multiple CVs efficiently and simultaneously.

Supply chain performance [36] evaluates how much the defense against an attack, and the handling of any vulnerability, depends on the existing supply network and on external entities. When a vehicle can respond to cyberattacks without requiring additional costs, outside resources, or changes in the supply network, its defense is relatively fast. However, additional time is required if an additional budget is needed for the defense or a contract must be changed, such as a license extension. It may take even longer to find new partnerships beyond the existing supply chain [37]. Therefore, it is essential to manage the supply chain for efficient operation with comprehensive coverage.

The PIER model measures the recovery using the following Eq. (4) based on the attack detection capability, patch methods, and supply chain performance.

$$\begin{aligned} {\textit{Recovery}} = \mathop {\min }\limits _{\alpha } \mathop {\max }\limits _{\beta } \left\lceil \sum _{i}^n \eta _{i} \cdot \left( \frac{R_{i}}{n} \right) ^{2} \right\rceil , \end{aligned}$$
(4)

where n is the number of measurement items, that is, the number of risk factors \(R_{i}\) in risk category R. Each risk factor is rated low, medium, or high. A predefined weight \(\eta _{i}\) is applied to any controllable factor \(\exists R_{i}^*\).

3.3 Risk assessment criteria

The PIER model evaluates risks using four categories: the degree of being exposed to threats of cyber-attack; the probability of actual attacks from these threats; the impact of damage as a result of the attack; and the ability to recover from the damage of the attack. Three major risk factors are defined for each category, and the corresponding response levels are evaluated according to the three criteria of high, medium, and low. In particular, assigning weights to items that allow the defender to control the cybersecurity environment and remove threats in advance improves the defender’s cyberattack response level. Table 1 shows the evaluation criteria and weight matrix of the major risk factors.

Table 1 Criteria of risk factors

3.4 Risk assessment formula

The following Eq. (5) defines the environmental risk of CAVs when considering the probability, impact, exposure, and recovery described in the previous section.

$$\begin{aligned} {\textit{Risk}} = {\textit{Probability}} \times {\textit{Impact}} + {\textit{Exposure}} + {\textit{Recovery}}, \end{aligned}$$
(5)

where \({\textit{Probability}} \times {\textit{Impact}}\) is the damage impact multiplied by its probability; adding the exposure and recovery scores to this product yields the risk value.

Figure 2 shows a matrix for evaluating the risk using the PIER method. The evaluated risk ranges from three to 15, where a higher value indicates a higher risk. In this study, a PIER risk ranging from three to six is classified as Negligible, seven to eight as Minor, nine to 12 as Serious, and 13 to 15 as Critical.

Fig. 2 Risk evaluation matrix

4 PIER implementation and evaluation for connected and autonomous vehicles (CAVs)

This section defines the two primary functions of CAVs: automotive OTA and collision avoidance. In addition, the overall risk for CAVs is evaluated from a cybersecurity perspective by analyzing exposure of threats to external entities, attack probability, the impact of the attack, and recovery from the damage.

4.1 Main functions

4.1.1 Automotive over-the-air (OTA) in connected vehicles (CVs)

Automotive software is an essential vehicle component directly related to users' safety on the road. Therefore, vehicle control software requires high reliability and security, which is why the manufacturer, dealer, or authorized maintenance channel manages automotive software updates instead of the user. Updating conventional automotive software requires authorized diagnostic equipment and diagnostic communication over a wired network physically connected to the vehicle. Even when an urgent software update is needed, the owner cannot update the software directly and must visit a repair shop instead. Consequently, the update life cycle of automotive software is significantly long. As a result of these limitations, software vulnerabilities are left unattended, and they can be exploited as attack targets or attack surfaces.

Fig. 3 Automotive OTA architecture in connected vehicles (CVs)

Automotive OTA in Fig. 3 is a new alternative to overcome the limitations of a conventional vehicle control software update with a long update cycle and conveniently update the software within a shorter cycle. This method remotely updates the software of a vehicle controller using a cellular or IoT network to which the CAVs are connected. These updates include not only software with a relatively low safety rating, such as automotive infotainment systems, but also software components with a high safety rating, such as drivetrain controller firmware. The automotive OTA ecosystem consists of backend servers, remote repositories, wireless networks, IVNs, electronic control units (ECUs), and software packages.

Automotive OTA shortens the update cycle of vehicle control software using CAV connectivity. However, this can provide attack surfaces that damage the integrity of the automotive control software [46, 47] because it allows modification of the vehicle software, which was previously shielded by the barrier around the internal components. Serious security risks can occur if an attacker can affect the lifecycle of on-demand software, such as its repository, distribution, and installation. Maliciously manipulated software becomes a route for an attacker to remotely control the engine, braking, steering, and infotainment system of moving vehicles. This is a critical risk that directly affects the safety and lives of users on the road.

4.1.2 Collision avoidance in autonomous vehicles (AVs)

Positioning, perception, judgment, and control are the core technologies required for AVs. Such vehicles use various sensors to recognize the location, road, and surrounding objects of the vehicle while determining the speed, steering, and braking commands for stable driving. Autonomous driving software sends the commands to the drive and steering systems to control the vehicular movement. The collision avoidance technology of AVs in Fig. 4 is crucial for accident prevention. It requires accurate recognition of various external factors and the internal conditions of the vehicle that can occur in driving contexts on the road.

Fig. 4 Collision avoidance in autonomous vehicles (AVs): a multiple sensing data fusion, b data analysis, and c driving control, i.e., steering, braking, and acceleration of the vehicle

The driving context of AVs is based on the state of the driving vehicle, the predicted path, and the movement of the surrounding objects. In particular, this context includes not only control information such as vehicle speed, acceleration, driving direction, and the predicted path, but also specific factors that can directly affect the vehicle control pattern, such as high-speed driving, downtown driving, intersection entry or exit, parking and stopping attempts, and emergency braking. In addition, it analyzes the driving interference and collision possibility against moving objects on the driving routes inside and outside by detecting and predicting the movements of the objects.

Severe risks to vehicle safety occur if attackers can intervene while AVs combine and process multiple sensing data, or if attackers can interfere while AVs are performing collision avoidance in response to a dangerous situation [48, 49]. For example, AVs may fail to recognize a collision risk ahead when intense light is directed into the front camera [38] or when the light detection and ranging wavelength is reverse-injected [39] to disrupt moving-object recognition on the road.

4.2 PIER analysis for CAVs

A CAV is a mission-critical system. If the security system of this ecosystem is bypassed and the integrity or availability of the control software is compromised, the safe operation of the drive system can no longer be guaranteed because of malicious manipulation. This brings about a high-impact risk because it can cause a critical incident involving casualties among road users. In particular, the automotive OTA provided by CVs is relatively easy to access externally. Therefore, access should be controlled from the cyber defense perspective, and risk factors should be evaluated with a focus on prevention through monitoring. In contrast, the collision avoidance feature provided by AVs places critical importance on fast recovery, as real-time availability and the resulting safety are essential.

4.2.1 PIER analysis of automotive OTA in CVs

Conventional cyber-attacks on vehicles consisted of hackers forcing an update of manipulated software onto the internal controller of the vehicle. However, a vehicle not connected to the Internet has to be physically possessed to tamper with its software. In contrast, a CV connected to a wireless network can have its software updated remotely without physical possession of the vehicle. The repository used for software storage, the wireless network used for distribution, and the process of extracting and patching software changes in an automotive OTA are IT-based components. Therefore, the scope of exploitable vulnerabilities is broad, and the exposure is high in terms of accessibility even without expert knowledge of in-vehicle design and control technology. A higher level of security is required for automotive OTA because attackers can create a path allowing direct manipulation or remote control of the vehicle simply by taking control of the remote repository server with the security technology of the general IT environment. Therefore, monitoring of and response to anomalous behaviors are necessary, along with a cyber-defense system for the back-end cloud infrastructure to which a vehicle is connected. Table 2 shows the risk assessment for automotive OTA in CVs.

Table 2 Risk assessment for automotive OTA in CVs

4.2.2 PIER analysis of collision avoidance in AVs

The drivetrain software in AVs applying collision avoidance by analyzing the driving context based on multi-sensing data directly affects the cybersecurity risk. If an analysis error is caused by the interference of sensing signals, manipulated data, or malfunctioning sensors by the attacker, it can cause an accident that may involve human injuries while driving AVs. Direct manipulation of a vehicle’s sensing signal or control software requires expert knowledge of the automotive domain and thus can be a barrier to attackers in terms of probability and exposure. However, security threats that adversely affect the driving system during vehicle operation can cause severe damage even in a fleeting moment. Therefore, real-time resilience and prevention systems are considered crucial factors. Table 3 shows the risk assessment for collision avoidance in AVs.

Table 3 Risk assessment for collision avoidance in AVs

5 Discussion

5.1 Countermeasures to mitigate risk

5.1.1 Security requirements as countermeasure in automotive OTA

The security requirements specified in Table 4 are presented as countermeasures to mitigate the risk in automotive OTA.

First, signatures for known vulnerabilities in an OEM C&C or cloud repository are monitored to prevent the exploitation of known vulnerabilities on a server and to block suspicious behavior when identified [17, 40, 41], thereby lowering the risk of exposure (\(E_{2}=3\rightarrow 2\)). In addition, the most significant opportunity for attackers from the exposure perspective is that an attack surface is accessible in the public domain because the server or particular transmission sections are exposed to attackers. To address this, man-in-the-middle attacks in the transmission section are made more difficult by encrypting the transmission or converting those sections into dedicated lines (\(E_{3}=2\rightarrow 1\)). Furthermore, manipulated software from an attacker containing malicious code is blocked by verifying the code signature based on the public key infrastructure [42, 43] whenever a software package received at the vehicle controller endpoint is installed (\(E_{1}^{*}=2\rightarrow 1\)).

When a reliable backend, transmission section, and endpoint are configured by applying these security requirements to automotive OTA, the high exposure risk is mitigated to low. As a result, the overall risk assessment of automotive OTA is lowered from a risk score of 13 (Critical) to eight (Minor).

Table 4 Security requirements to mitigate security risk level in automotive OTA

5.1.2 Security requirements as countermeasure in collision avoidance

The security requirements specified in Table 5 are presented as countermeasures to mitigate collision risks in AVs.

First, secure flashing [44] prevents an attacker from arbitrarily manipulating the vehicle's control software, and secure boot [45] provides a kill chain defense if such software is nevertheless installed, preventing the manipulated software from being misused (\(R_{2}=3\rightarrow 1\)). In addition, in-vehicle IDPSs detect and block manipulated controller area network (CAN) messages and abnormal behavior of the control software in the IVNs. Anti-spoofing and anti-jamming are applied at the same time to prevent interference with, manipulation of, and interruption of the sensing data in advance (\(R_{1}^{*}=3\rightarrow 1\)). Keeping attack signatures up to date is crucial for accurately detecting abnormal behavior or attack routines inside a vehicle. Batch patching over automotive OTA is used to update the detection patterns, and the supply chain is secured and managed in advance so that these patches remain current (\(R_{3}=3\rightarrow 2\)).

When reliable IVNs and a reliable sensing-data convergence scheme are configured by applying these security requirements to collision avoidance in AVs, the high recovery risk is mitigated to low. As a result, the overall risk assessment of collision avoidance is lowered from a risk score of seven (Minor) to five (Negligible).

Table 5 Security requirements to mitigate security risk level in collision avoidance
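The code-signature check at the endpoint (Sect. 5.1.1, \(E_{1}^{*}\)) and the secure flashing/secure boot step (Sect. 5.1.2, \(R_{2}\)) rest on the same primitive: the controller verifies an OEM signature over the package before it is installed or executed. The following Go program is an added illustration, not code from the paper; it uses Ed25519 with a constructed sample payload, and the names `Package`, `SignPackage` and `VerifyBeforeInstall` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a constructed, simplified OTA software package: the payload
// plus a detached signature over the SHA-256 digest of the payload.
type Package struct {
	Payload   []byte
	Signature []byte
}

// SignPackage plays the role of the OEM backend: it signs the payload digest
// with the OEM private key (hypothetical flow, not the paper's own design).
func SignPackage(priv ed25519.PrivateKey, payload []byte) Package {
	digest := sha256.Sum256(payload)
	return Package{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

var ErrBadSignature = errors.New("package signature invalid: refusing to install")

// VerifyBeforeInstall is the endpoint-side check: the controller recomputes
// the digest and verifies it against the OEM public key provisioned in the
// vehicle. Any change to payload or signature is rejected, so manipulated
// software never reaches the flashing step. Running the same check over the
// installed image at start-up is the secure-boot variant of this gate.
func VerifyBeforeInstall(pub ed25519.PublicKey, pkg Package) error {
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := SignPackage(priv, []byte("ECU firmware v2 (constructed sample)"))
	fmt.Println("genuine package:", VerifyBeforeInstall(pub, pkg))
	tampered := Package{Payload: append([]byte{}, pkg.Payload...), Signature: pkg.Signature}
	tampered.Payload[0] ^= 0xff // one flipped byte, as an attacker-modified image
	fmt.Println("tampered package:", VerifyBeforeInstall(pub, tampered))
}
```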

5.2 Performance comparison

In this section, the coverage of the risk criteria used in a risk assessment and the simplicity of the procedure from the process perspective are compared with existing methodologies to verify the effectiveness of the PIER method proposed in this study.

5.2.1 Risk criteria coverage

Most methodologies employ the attack probability and the impact of an attack as criteria for assessing the cybersecurity risk of vehicles. As shown in Table 6, the attack feasibility attribute in ISO/SAE 21434 [6] rates the attack probability, including the elapsed time, specialized expertise, and equipment required for the attack, from the capability perspective of attackers. The PIER method quantitatively assesses the attack probability factors by categorizing them into the required skill, preparation time, and defense system level and subdividing each into risk factors under its criterion.

In addition, the VeRA methodology [28] in Table 6 presents human control as an evaluation factor in terms of recovery. The controllability property, which captures the ability to handle dangerous situations, is a meaningful indicator from the recovery perspective. Human control is selected from a pre-configured matrix that combines the automation level of the AV with human capability. The six levels of autonomy in SAE J3016 [29] are widely referenced indices for classifying AVs. However, human capability or experience level is difficult to establish as an objective index of interaction with a vehicle. Consequently, this measure may underestimate or exaggerate the risk in an assessment because there are no quantitative criteria for human driving ability or response skills in a critical situation.

The PIER method uses an index that evaluates rapid resilience in a critical situation from the recovery perspective. Resilience is evaluated by the criteria of quick recognition of a high-risk situation, the patch method applied, the time required, and the coverage of the supply chain as the response capabilities. The crucial elements of CAV resilience are the capability to recover from the cybersecurity risk immediately by detecting and acting on dangerous situations in advance, neutralizing the attack through kill chain defense, distributing patches in real time, and responding with a thorough supply chain.

Table 6 Coverage of risk categories

5.2.2 Conciseness of application steps

It is important to sufficiently assess the risk criteria for each factor to evaluate the risk to CAVs. ISO/SAE 21434 [6] fully describes the steps necessary for a risk assessment. A thorough review and assessment of risk factors is meaningful when designing and certifying the end-to-end architecture in the development stage of CAVs. However, obstacles arise in assessing and removing risk factors if the process is too complicated or takes too long to apply. If a cyber-attack is in progress or a CAV is being driven, it is necessary to assess the risk quickly using only the core risk factors and to establish an appropriate response strategy accordingly.

Table 7 shows the total number of process steps required for a risk assessment and the tasks that must be completed in advance. Annex H of ISO/SAE 21434 provides examples of the TARA method. The TARA method requires seven steps of risk evaluation, including an impact rating and an attack feasibility rating, to determine the risk value of CAVs. The damage scenario of the asset identification stage must precede the impact rating, whereas attack path analysis based on threat scenarios is required to determine the attack feasibility rating. These dependencies between the stages of a risk assessment delay decision-making in situations in which an immediate risk decision and response are required.

The PIER method requires no preparation, and its risk criteria are defined compactly for a fast risk rating. The risk categories, risk factors, weights, and criteria required for a PIER risk assessment are each expressed in a single line, as shown in Table 1. As a two-step process without prior procedures, the PIER method can deduce the risk and countermeasures quickly compared with the existing methods described in Table 7.

Table 7 Process steps

6 Conclusion and future work

This study proposes the PIER method to evaluate the cybersecurity risk of CAVs. The method uses probability, impact, exposure, and recovery as the four risk categories of a risk assessment. It realizes cyber-resilience by adding exposure and recovery risk factors to the probability and impact indices used in the TARA of CAVs. Exposure risk factors provide criteria to evaluate the attack surface created by the connectivity attributes of CAVs. Recovery risk factors provide criteria to assess rapid resilience in terms of the availability and real-time properties of mission-critical systems such as CAVs.

This study applies the PIER method to automotive OTA, as a representative function of CVs, and to collision avoidance, as a representative function of AVs, to verify the effectiveness of the proposed methodology. It evaluates the risk level of each CV and AV aspect based on the risk categories, risk factors, criteria, and evaluation matrix of the PIER method. Security requirements derived from the factors causing the high risk are the key countermeasures for mitigating it. The security requirements derived from the case study of automotive OTA in CVs lower the risk from Critical to Minor. The countermeasures derived for collision avoidance in AVs reduce the risk from Minor to Negligible. The effective reduction of the risk level in the re-evaluation after applying the countermeasures demonstrates the effectiveness of the PIER methodology.

The PIER method has broader coverage in terms of exposure and resilience than other studies on the risk assessment of CAV security. In particular, the predefined detailed criteria for each risk factor enable a quick assessment and the derivation of countermeasures, because they simplify the risk assessment process by removing the preparation stage.

Future work aims to refine and propose the key steps of a risk assessment that accounts for the cyber-resilience of CAVs, in order to simplify and clarify the TARA method in automotive cybersecurity-related laws, regulations, and standards.