Abstract
The emergence of connected and autonomous vehicles at an unprecedented pace has prompted several state-sponsored initiatives to begin planning and building a transportation information network that uses intelligent sensors and sophisticated communication systems. Peripheral sensors that assist the human operator in lane changing, obstacle avoidance, and parking are slowly being integrated into modern automotive vehicles. Although this newfound convenience is a boon to society, both socially and economically, it presents security challenges that are endemic to connected technologies. These challenges underscore the need to look closely at the state of automotive vehicle network security. Consequently, security metrics must be developed to measure the state of vehicle network security. As a major component of continuous improvement, quantitative and qualitative measures must be devised so that the process can be fully appreciated. This chapter describes vehicle network security metrics and derives sample attack calculations to illustrate their applicability.
Acknowledgments
This work is partially supported by the Florida Center for Cybersecurity, under grant number 3901-1009-00-A (2019 Collaborative SEED Program), the National Security Agency under grant number H98230-19-1-0333 and the Office of Naval Research (ONR) under grant number N00014-21-1-2025. The United States Government is authorized to reproduce and distribute reprints notwithstanding any copyright notation herein.
Copyright information
© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Francia III, G.A. (2021). Vehicle Network Security Metrics. In: Daimi, K., Peoples, C. (eds) Advances in Cybersecurity Management. Springer, Cham. https://doi.org/10.1007/978-3-030-71381-2_4
DOI: https://doi.org/10.1007/978-3-030-71381-2_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-71380-5
Online ISBN: 978-3-030-71381-2
eBook Packages: Computer Science (R0)