Abstract
With the trend towards connectivity and automation in the automotive domain, automotive cybersecurity and the protection against cyber attacks is increasingly important. This is mirrored in the upcoming regulation on cybersecurity for UNECE Type Approval. Therefore a structured and systematic approach to automotive cybersecurity risk management is needed.
Risk management in general focuses on, What to protect and How could it be damaged. The combination of these allows to identify and rate existing cybersecurity risks and enables further steps of risk management. Risk management in the automotive domain will be based on an international standard that is currently developed. The draft of ISO/SAE 21434 was published in 2020 and the publication of the final version is expected in 2021.
This standard does not describe a strict risk management approach but rather defines a framework of activities which need to be conducted, without specifying a process or methods. It is therefore important to investigate existing approaches, consider the guidance in standards and regulation and apply and evaluate resulting processes and methods.
We report here experiences collected during the application of an asset driven automotive cybersecurity analysis with the Tool ThreatGet which is compliant with ISO/SAE 21434. The considered use cases for this application is a gateway and communication ECU developed by TTControl.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
References
Common Methodology for Information Technology Security Evaluation - Evaluation methodology, September 2012
32, I.S.: ISO 26262-1:2018 road vehicles—functional safety. International Organization for Standardization (2018)
32, I.S.: ISO/SAE FDIS 21434: Road vehicles – cybersecurity engineering. International Organization for Standardization, SAE International (2020)
Breuing, H., Heil, L., Vierling, B.: It security for the entire automotive ecosystem. ATZelectronics Worldwide 14(7), 60–63 (2019)
Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle. Technical report, Black Hat 2015, August 2015
Cho, K., Bae, C., Chu, Y., Suh, M.: Overview of telematics: a system architecture approach. Int. J. Automot. Technol. 7(4), 509–517 (2006)
Committee, SVESS, et al.: SAE j3061-cybersecurity guidebook for cyber-physical automotive systems. SAE-Society of Automotive Engineers (2016)
Consortium, H.: Tailoring the heavens risk assessment methodology for improved performance, March 2018
Eckermann, E.: World history of the automobile. SAE (2001)
Henniger, O., Ruddle, A., Seudié, H., Weyl, B., Wolf, M., Wollinger, T.: Securing vehicular on-board it systems: the Evita project. In: VDI/VW Automotive Security Conference, p. 41 (2009)
Islam, M.M., Lautenbach, A., Sandberg, C., Olovsson, T.: A risk assessment framework for automotive embedded systems. In: Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security, pp. 3–14 (2016)
Macher, G., Armengaud, E., Brenner, E., Kreiner, C.: A review of threat analysis and risk assessment methods in the automotive context. In: Skavhaug, A., Guiochet, J., Bitsch, F. (eds.) SAFECOMP 2016. LNCS, vol. 9922, pp. 130–141. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45477-1_11
Macher, G., Sporer, H., Berlach, R., Armengaud, E., Kreiner, C.: Sahara: a security-aware hazard and risk analysis method. In: 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 621–624. IEEE (2015)
Mürling, M.W.: Security by design: new “threatget” tool tests cyber security in vehicles and systems (2021). https://www.ait.ac.at/news-events/single-view/detail/6743?cHash=b6d28cc455fff1a63b7a25530dd6b00b
Rass, S., König, S., Schauer, S.: Defending against advanced persistent threats using game-theory. PLoS ONE 12(1), e0168675 (2017)
Rivett, R.S.: Hazard identification and classification: ISO26262-the application of IEC61505 to the automotive sector. In: 2009 5th IET Seminar on SIL Determination, pp. 1–24. IET (2009)
Schmittner, C., Chlup, S., Fellner, A., Macher, G., Brenner, E.: ThreatGet: threat modeling based approach for automated and connected vehicle systems. In: AmE 2020-Automotive meets Electronics; 11th GMM-Symposium, pp. 1–3. VDE (2020)
Schmittner, C., Dobaj, J., Macher, G., Brenner, E.: A preliminary view on automotive cyber security management systems. In: 2020 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 1634–1639. IEEE (2020)
Schmittner, C., Griessnig, G., Ma, Z.: Status of the development of ISO/SAE 21434. In: Larrucea, X., Santamaria, I., O’Connor, R.V., Messnarz, R. (eds.) EuroSPI 2018. CCIS, vol. 896, pp. 504–513. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-97925-0_43
Schmittner, C., Ma, Z., Smith, P.: FMVEA for safety and security analysis of intelligent and cooperative vehicles. In: Bondavalli, A., Ceccarelli, A., Ortmeier, F. (eds.) SAFECOMP 2014. LNCS, vol. 8696, pp. 282–288. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10557-4_31
BM Service: Bosch presents the history of the car key, June 2019. https://www.bosch-presse.de/pressportal/de/en/bosch-presents-the-history-of-the-car-key-191680.html
Shostack, A.: Experiences threat modeling at Microsoft. MODSEC@ MoDELS 2008 (2008)
Acknowledgement
This project has received funding from the ECSEL Joint Undertaking (JU) under grant agreement No 783221 (AFarCloud). The JU receives support from the European Union’s Horizon 2020 research and innovation programme and Austria, Belgium, Czech Republic, Finland, Germany, Greece, Italy, Latvia, Norway, Poland, Portugal, Spain, Sweden. Parts of this work were funded by the Austrian Research Promotion Agency (FFG) and BMK (Austrian Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Schmittner, C., Schrammel, B., König, S. (2021). Asset Driven ISO/SAE 21434 Compliant Automotive Cybersecurity Analysis with ThreatGet. In: Yilmaz, M., Clarke, P., Messnarz, R., Reiner, M. (eds) Systems, Software and Services Process Improvement. EuroSPI 2021. Communications in Computer and Information Science, vol 1442. Springer, Cham. https://doi.org/10.1007/978-3-030-85521-5_36
Download citation
DOI: https://doi.org/10.1007/978-3-030-85521-5_36
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-85520-8
Online ISBN: 978-3-030-85521-5
eBook Packages: Computer ScienceComputer Science (R0)