Abstract
As the automobile industry has recently adopted information technologies, the latter are being used to replace mechanical systems with electronically-controlled systems. Moreover, automobiles are evolving into smart cars or connected cars as they are connected to various IT devices and networks such as VANET (Vehicular Ad hoc NETwork). Although there were no concerns about the hacking of automobiles in the past, various security threats are now emerging as electronic systems are gradually filling up the interiors of many automobiles, which are in turn being connected to external networks. As such, researchers have begun studying smart car security, leading to the disclosure of security threats through the testing or development of various automobile security technologies. However, the security threats facing smart cars do not occur frequently and, practically speaking, it is unrealistic to attempt to cope with every possible security threat when considering such factors as performance, compatibility, and so forth. Moreover, the excessive application of security technology will increase the overall vehicle cost and lower the effectiveness of investment. Therefore, smart car security risks should be assessed and prioritized to establish efficient security measures. To that end, this study constructed a security risk assessment framework in a bid to establish efficient measures for smart car security. The proposed security risk assessment framework configured the assessment procedure based on the conventional security risk analysis model GMITS (ISO13335) and utilized ‘attack tree analysis’ to assess the threats and vulnerabilities. The security risk assessment framework used the results of an asset analysis, threat/vulnerability analysis, and risk analysis to finally assess the risk and identify the risk rating. Moreover, it actually applied the proposed framework to assess security risks concerning targeted increases in vehicle velocity and leakages of personal information, which are the leading threats faced by smart cars. Here, the framework was applied to vehicle velocity increase and personal information leakage, which are the leading threats.
Similar content being viewed by others
References
Bernardo DV, Hoang DB (2012) Multi-layer security analysis and experimentation of high speed protocol data transfer for GRID. Int J Grid Util Comput 3(2–3):81–88
Bharadiya B, Maity N, Hansdahs RC (2014) An authentication protocol for vehicular ad hoc networks with heterogeneous anonymity requirements. Int J Space-Based Situat Comput 4(1):1–14
Brooks RR, Sander S, Deng J, Taiber J (2009) Automobile security concerns. IEEE Veh Technol Mag 4(2):52–64
Cha BR, Kim JW (2013) Handling and analysis of fake multimedia contents threats with collective intelligence in P2P file sharing environments. Int J Grid Util Comput 4(1):1–9
Checkoway S, McCoy D, Kantor B, Anderson D, Shacham H, Savage S, Kohno T (2011) Comprehensive experimental analyses of automotive attack surfaces. In: Proceedings of the USENIX security symposium; 8–12 August, San Francisco, pp 77–92
Chen YJ, Liao GY, Cheng TC (2009) Risk assessment on instrumentation and control network security management system for nuclear power plants. In: 2009 43rd Annual IEEE/IFIP International Carnahan conference on security technology; 5–8 October, 2009. IEEE, Zurich, pp 261–264
Cho AR, Cho HJ, Son YD, Lee DH (2012) A message authentication and key distribution mechanism secure against CAN bus attack. J Korea Inst Info Sec Cryptol 22(5):1057–1068 (in Korean)
EVITA (2009) Security Requirements for Automotive on-board Networks based on Dark-side Scenarios EVITA Deliverable D2. 3. EVIPA Project
Francillon A, Danev B, Capkun S (2011) Relay attacks on passive keyless entry and start systems in modern cars. In: Network and distributed system security symposium
Hahn A, Govindarasu M (2011) Cyber attack exposure evaluation framework for the smart grid. IEEE Trans Smart Grid 2(4):835–843
Han H (2012) SmartCar. KISTI Mark Rep 2(4):3–7 (in Korean)
Hossain I, Mahmud SM (2007) Analysis of a secure software upload technique in advanced vehicles using wireless links. In: IEEE intelligent transportation systems conference; 30 September–3 October. IEEE, Seattle, WA, pp 1010–1015
Johansson KH, Törngren M, Nielsen L (2005) Vehicle applications of controller area network: handbook of networked and embedded control systems. Birkhäuser, Boston, pp 741–765
Kang YD, Jeong KD (2010) Development of cyber security assessment methodology for the instrumentation & control systems in nuclear power plants. J Acad Ind Technol 11(9):3451–3457
Kang DJ, Lee JJ, Lee Y, Lee IS, Kim HK (2013) Quantitative methodology to assess cyber security risks of SCADA system in electric power industry. Journal of the Korea Institute of Information Cryptology 23(3):445–457 (in Korean)
KDB Research (2014) Smart car world market 230 trillion Korean won annual growth of 6.7%, http://www.yonhapnews.co.kr/economy/2014/05/04/0301000000AKR20140504025000002.HTML. Accessed 7 May 2014
Ketel M (2008) IT security risk management. In: Proceedings of the 46th Annual Southeast Regional Conference; 28 March. ACM, New York, pp 373–376
Kim JW, Han TM (2012) Trends of the standard open platform for in-vehicle infotainment and GENIVI based human machine interface. J KIISE Softw Appl 39(6):444–452 (in Korean)
Kim GJ, Lee DS (2014) Car security technology research trends by reviewing international conferences such as escar. Rev Korea Ins Info Sec Cryptol 24(2):7–20 (in Korean)
Kim ST, Jun MS, Park DW (2008) A study on the security assessment for information system risk management and budget management. J Korea Soc Comput Info 16(1):69–77
Kim KA, Lee DS, Nam KK (2011) ICS security risk analysis using attack tree. J Info Sec 11(6):53–58 (in Korean)
Kim JE, Chun BJ, Park SB (2013) Secure diagnostic implementation for automotive ECU with crypto library. Korea Society Automotive Engineers2013 Annual Conference; 20–22 November, Ilsan, South Korea: 1136–1144 (in Korean)
Ko JB, Lee SK, Shon TS (2013) Security threat evaluation for smartgrid control system. J Korea Ins Info Cryptol 23(5):873–883 (in Korean)
Koscher K, Czeskis A, Roesner F, Patel S, Kohno T (2010) Experimental security analysis of a modern automobile. In: 2010 IEEE Symposium on Security and Privacy; 16–19 May. IEEE, Oakland, pp 447–462
Li W, Huang J, You W (2010) Attack modeling for electric power information networks. In: 2010 International Conference on Power System Technology; 24–28 October, IEEE, Hangzhou, pp 1–5
Lim WW, Kim JS, Kim SJ, Oh HK (2011) Reduced RSU-dependency authentication protocol to enhance vehicle privacy in VANET. J Korea Ins Info Cryptol 21(6):21–34 (in Korean)
Lv WP, Li WM (2011) Space based information system security risk evaluation based on improved attack trees. In: 2011 Third International Conference on Multimedia Information Networking and Security; 4–6 November. IEEE, Shanghai, pp 480–483
Miller C, Valasek C (2013) Adventures in automotive networks and control units. . http://illmatics.com/car_hacking.pdf. Accessed on 13 Dec 2016
Narita M, Bista BB, Takata T (2013) A practical study on noise-tolerant PN code-based localisation attacks to internet threat monitors. Int J Space-Based Situat Comput 3(4):215–226.
Nilsson DK, Larson UE (2008) Secure firmware updates over the air in intelligent vehicles. In: IEEE International Conference on Communication; 19–23 May. IEEE, Beijing, pp 380–384
NIST (2002), Risk management guide for information technology system, NIST SP800-30
Patsakis C, Dellios K, Bouroche M (2014) Towards a distributed secure in-vehicle communication architecture for modern vehicles. Comput Secur 40:60–74
Petrlic R, Sekula S, Sorge C (2013) A privacy-friendly architecture for future cloud computing. Int J Grid Util Comput 4(4):265–277
Pudar S, Manimaran G, Liu CC (2009) PENET: a practical method and tool for integrated modeling of security attacks and countermeasures. Comput Secur 28(8):754–771
Ray PD, Harnoor R, Hentea M (2010) Smart power grid security: a unified risk management approach. In: 2010 International Carnahan Conference on Security Technology; 18–21 October. IEEE, Barcelona, pp 276–285
Raya M, Hubaux JP (2007) Securing vehicular ad hoc networks. J Comput Secur 15(1):39–68
Ren D, Du SU, Zhu H (2011) A novel attack tree based risk assessment approach for location privacy preservation in the VANETs. In: 2011 International Conference on Communications; 5–9 June, Kyoto. IEEE, Japan, pp 1–5
Rouf I, Miller R, Mustafaa H, Taylor T, Oh S, Xu W, Gruteser M, Trappe W, Seskar I (2010) Security and privacy vulnerabilities of in-car wireless networks: A tire pressure monitoring system case study. 19th USENIX Security Symposium; 11–13 August, Washington, pp 323–338
Roy A, Kim DS, Trivedi KS (2010) ACT: Attack countermeasure trees for information assurance analysis. In: IEEE Conference on Computer Communications Workshops; 15–19 March. IEEE, San Diego, pp 1–2
Schneier B (1999) Attack trees. Dr Dobb’s Journal 24(12):21–29
Studnia I, Nicomette V, Alata E, Deswarte Y, Kaâniche M, Laarouchi Y (2013) Survey on security threats and protection mechanisms in embedded automotive networks. In: 2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop; 24–27 June. IEEE, Budapest, pp 1–12
Ten CW, Liu CC, Govindarasu M (2007) Vulnerability assessment of cyber security for SCADA systems using attack trees. In: IEEE Conference on Power Engineering Society General Meeting; 24–28 June, Tampa, FL. IEEE, USA, pp 1–8
Uhm JH (2012) An architecture of a dynamic cyber attack tree: Attributes approach. J Korea Inst Info Cryptol 21(3):67–74 (in Korean).
Viduto V, Maple C, Huang W (2011) Managing threats by the use of visualisation techniques. Int J Space-Based Situ Comput 1(2–3):204–212
Weiss JD (1991) A system security engineering process. In: Proceedings of the 14th National Computer Security Conference; 1–4 October, Washington, D.C., pp 572–581
Wi MS, Kim DS, Park JS (2013) Security analysis of AMI using ACT. J Korea Inst Info Cryptol 23(4):639–653 (in Korean)
Wolf M, Gendrullis T (2011) Design, implementation, and evaluation of a vehicular hardware security module. In: International Conference on Information Security and Cryptology; 30 November–2 December, Seoul, South Korea, pp 302–318
Wolf M, Scheibel M (2012) A systematic approach to a quantified security risk analysis for vehicular IT systems. In: Automotive-Safety and Security; 14–15 November, Karlsruhe, pp 195–210
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Kong, HK., Hong, M.K. & Kim, TS. Security risk assessment framework for smart car using the attack tree analysis. J Ambient Intell Human Comput 9, 531–551 (2018). https://doi.org/10.1007/s12652-016-0442-8
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12652-016-0442-8