A Systematic Risk Assessment Framework of Automotive Cybersecurity

The increasingly intelligent and connected vehicles have brought many unprecedented automotive cybersecurity threats, which may cause privacy breaches, personal injuries, and even national security issues. Before providing effective security solutions, a comprehensive risk assessment of the automotive cybersecurity must be carried out. A systematic cybersecurity risk assessment framework for automobiles is proposed in this study. It consists of an assessment process and systematic assessment methods considering the changes of threat environment, evaluation target, and available information in vehicle lifecycle. In the process of risk identification and risk analysis, the impact level and attack feasibility level are assessed based on the STRIDE model and attack tree method. An automotive cybersecurity risk matrix using a global rating algorithm is then constructed to create a quantitative risk metric. Finally, the applicability and feasibility of the proposed risk assessment framework are demonstrated through a use case, and the results prove that the proposed framework is effective. The proposed assessment framework helps to systematically derive automotive cybersecurity requirements.


Introduction
With the vehicles becoming more intelligent and connected, the automotive system is also becoming increasingly complex [1][2][3][4]. The construction of a more open system is inevitable in the development of the automotive industry, which, however, has some downsides. Increment of feature sets, connectivity, and complexity can lead to a large number of interactions in data, thus causing vulnerabilities that may be exploited by hackers, criminals, terrorists, and spies. The automotive system, while having the attributes of information technology (IT) systems, pays more attention to the safety of the road users [5][6][7][8][9]. The dynamic, diversified, and high-level attacks faced by intelligent vehicles may lead to issues involving personal privacy and safety, and even national security [10,11]. In view of the occurrence of more and more security incidents, automotive cybersecurity has become an important research topic, and a variety of security solutions have been proposed [12,13]. However, cybersecurity risks cannot be addressed at once because the existing security solutions mainly provide passive and 1 3 single protection against specific security problems [14]. By identifying and evaluating potential cybersecurity risks, risk assessment helps to provide theoretical supports for choosing security measures. Moreover, a security classification protection system for automotive cybersecurity can be constructed scientifically based on risk assessment and should be performed throughout the entire vehicle lifecycle (i.e., concept, development, production, operation, maintenance, and decommissioning phase) [15,16]. In addition, the UN regulation on the vehicle approval concerning cybersecurity and cybersecurity management system also puts forward corresponding requirements for cybersecurity risk assessment.
Automotive cyberattacks may cause certain safety implications on cars and drivers, which are different from attacks in IT systems. The automotive cybersecurity risk assessment and IT security assessment differ in assessment methods, although their process is generally consistent. Some analysis methods for automotive cybersecurity risk assessment have been proposed in the past few years, however, few systematic risk assessment frameworks for automobiles have been proposed. This paper presents a systematic risk assessment framework comprised of a specific assessment process and systematic assessment methods.
The rest of this paper is organized as follows. In Sect. 2, the widely used IT risk assessment methods and automobile risk assessment methods are investigated and analyzed. The systematic risk assessment framework of automotive cybersecurity is proposed in Sect. 3. The applicability and feasibility of the proposed framework are presented in Sect. 4. Finally, the conclusions of this study are drawn in Sect. 5.

Surveys on Risk Assessment Methods
The cybersecurity risk assessment methods for IT systems have been relatively mature, with some automated assessment tools. As a crucial part of the information system lifecycle, cybersecurity risk assessment involves a series of standards and normative documents, such as GB/T 20984-2007 and 31509-2015. Moreover, several risk assessment methods for information cybersecurity have been applied to other industries as shown in Table 1. These methods are designed to identify the possible harms (e.g., vulnerabilities and threats) and resolve security issues. Although these risk assessment methods have some overlapping characteristics, they focus on different issues.
Automotive industry cannot directly adopt existing risk assessment methods of IT security, but certain assessment models and parameters can be used for automotive cybersecurity risk assessment. STRIDE method considered threats based on what the attackers were trying to achieve rather than the infinite variety of attacks and attack techniques [24]. This method can be used to identify potential threats to automobiles. CVSS can be applied directly to rating IT security vulnerabilities. In the cybersecurity risk assessment of automobiles, some CVSS indicators can be used to assess risk elements [21,25]. The OWASP method determined the severity of the risk by considering the quantifiable probability and impact parameters. Such two factors can be also considered to determine the risk level of the automotive cybersecurity.
As the foundation of vehicle cybersecurity engineering, risk assessment is a challenging research content. Many researchers have focused on the cybersecurity risk assessment of automobiles and proposed some risk assessment methods. After considering the severity of potential consequences, the possibility of attack, and controllability, Ruddle et al. [26] proposed an automotive cybersecurity risk assessment method in the E-safety vehicle intrusion protection application (EVITA) project. In the EVITA method, the attack potentiality parameters were obtained from common criteria [27], while other parameters (such as safety, financial, operational, and privacy parameter) were considered in the impact aspect. This method provided a detailed definition of safety parameters, while the definitions of the other three impact parameters were vague. Wolf and Sheibel [28] proposed a systematic and quantitative security risk analysis method based on evaluating the difficulty of attack and potential damage factors. Although this approach proposed some improvements in risk calculation, the privacy impact was ignored. Boudguiga et al. [29] proposed a risk analysis method by combining EVITA and TVRA methods. This method of risk analysis improved the EVITA attack tree method by using functional descriptions instead of attack objectives. In addition, the risk rating scheme of this method was consistent with that of TVRA through the risk computation method based on EVITA controllability. However, the feasibility of the risk analysis method for cooperative engines had not been demonstrated.
The STRIDE method shifts the focus from identifying specific attacks to the result of potential attacks, which does not require high cybersecurity skills and attack experience. Some recent studies have applied the STRIDE model to assess the potential risks of automobiles. Macher et al. [30] proposed a risk assessment method that integrated the STRIDE threat model into the hazard analysis and risk assessment. The method mapped the cyberattack goals to safety use cases in ISO 26262-3:2018 and added the security factor to assess automobiles [31]. However, the securitylevel parameters only considered the required knowledge, tools and threat criticality, and no other attack possibility or impact parameters were involved. Islam et al. [32] presented a threat analysis and risk assessment method by combining with the STRIDE model. The method mapped security objectives with impact parameters in the risk assessment and helped to describe possible threat impacts on stakeholders. Although this method provided an estimation of industrybased impact parameters, the method was only applicable to the concept phase of the vehicle lifecycle.
Dominic et al. [33] proposed a risk assessment method of cooperative automated driving that combined STRIDE classification and reference architecture of automated driving. However, the complexity of the threat model parameters presented in their method increased the evaluation workload. Monteuuis et al. [34] considered the threat analysis against human omissions and the trustworthiness for fully autonomous vehicles and proposed a controllability measure for attack observation. They adopted an improved STRIDE model and an attack tree method to analyze threats and compute risk value. The method presented a novel idea for the risk assessment of automotive cybersecurity.
The risk assessment methods for IT systems in the automotive industry have been applied in some international research projects, such as the EVITA project and healing vulnerabilities to enhance software security and safety (HEAVENS) project. The EVITA method was based on the attack trees model [35] and considered the driver controllability factor concerning safety-related threats [26]. This method did not consider the legislation factor of risk rating and focused on all the possible potential attacks against TOE, although the attacks are dynamic and practical. As an improved method of EVITA, the HEAVENS method focused on the threat analysis and risk assessment of automotive security engineering processes [24]. In the threat analysis, the architecture overview in the threat modeling process of STRIDE was no longer considered, the decomposition application step was eliminated, and the threat rating was performed in the risk assessment process. As a threat-centric model developed based on the STRIDE, this method established a mapping between security attributes and threats. However, the HEAVENS method is mainly used for the concept phase of the vehicle lifecycle.
The majority of studies have focused on risk rating methods, but the overall cybersecurity risk assessment process and systematic assessment methods of automobiles are rarely proposed. Some of the above methods are only applicable to the concept phase of the vehicle lifecycle. As the threat environment or TOE changes in different stages of the vehicle lifecycle, security vulnerabilities will emerge at The threat, vulnerability, and risk analysis (TVRA) method has been applied to automobiles [17,18]. The activities comprised in this method can be described as follows: (1) Identify the target of evaluation (TOE) and describe the assets and assessment goals (2) Identify the security objectives (3) Derive the functional security requirements (4) Complete the inventory of assets (5) Identify possible vulnerabilities and classify vulnerabilities and threats (6) Calculate the risks by combining the likelihood and consequences (7) Derive a set of security countermeasures (8) Select the security countermeasures in terms of cost and benefit (9) Design security services The method only gives a complete process, but it does not present the application method of each activity. However, this process can provide some references for automobile cybersecurity risk assessment STRIDE The STRIDE model consists of spoofing (S), tampering (T), repudiation (R), information disclosure (I), denial of service (D), and elevation of privilege (E) [19] It extends the original confidentiality, integrity, and availability model, and it is applicable to identify the relations among threats, assets, and security attributes CVSS The common vulnerability scoring system (CVSS) method is composed of the following metric groups: base, temporal, and environmental [20] (1) Base metric group: intrinsic characteristics of vulnerability (2) Temporal metric group: characteristics may change over time (3) Environmental metric group: characteristics concerning a specific environment The affected component of the CVSS method can be applied to software applications or hardware devices. This approach in measuring the impact of the vulnerability is a key feature [21]. The impact and exploitability parameters could be applied to cybersecurity risk assessment for automobiles OWASP Open web application security project (OWASP) method includes the likelihood and impact factors [22] (1) Likelihood factors: threat agent and vulnerability (2) Impact factors: technical impact and business impact This model mainly focuses on web application security and may lead to inconsistencies due to its excessive parameters [23]. However, the risk level of automobiles could be also determined with considering two aspects, i.e., the likelihood and impact factor some stages, leading to security risks for automobile assets. These methods hardly take into account the changes of the threat environment, TOE, and available information in the vehicle lifecycle. Moreover, the attack tree method and the STRIDE model have been used in the threat analysis of EVITA and HEAVENS, respectively. However, the attack tree method in EVITA required highly specialized evaluators, and the threat analysis using the STRIDE model lacked depth and details. In this study, a systematic risk assessment framework for automobile cybersecurity is proposed, including the assessment process and systematic assessment methods. The applicability and feasibility of the assessment framework are demonstrated with the use case of a telematics box (T-Box) remote-control function.

Systematic Risk Assessment Framework
The cybersecurity risk assessment of automobiles should cover the whole vehicle lifecycle and consider the changes of threat environment, TOE, and available information in vehicle lifecycle. In addition to financial loss and information leakage, personal safety is also subject to automotive cybersecurity threats. Moreover, due to the wide variety of automotive cybersecurity assets and various attack means, the risk assessment of automotive cybersecurity is very complicated. For this reason, a systematic framework is presented in this study. The framework is organized into two blocks, namely the risk assessment process and systematic assessment methods. The risk assessment process consists of risk identification, risk analysis, and risk assessment; the assessment methods in each activity are described in the corresponding process as shown in Fig. 1.

Risk Identification
In automotive risk identification, TOE or use cases should be determined before asset identification to judge whether the candidate in an item are true assets. Then, threat identification is performed to identify the threat scenarios in the cybersecurity properties of assets. According to the ENISA asset taxonomy method [36], automobile assets can be classified into eight categories (i.e., sensors and actuators, information, in-vehicle communication components, communication networks and protocols, vehicle functions, software management, decision-making algorithms, networks, and domain isolation features). Combined with the asset categories, the data flow diagram could be constructed on the basis of TOE/use case to identify fine-grained assets and describe the related security attributes and damage scenarios. After asset identification, the threat classification method of STRIDE as shown in Table 2 is adopted to identify threats and describe the threat scenario of each asset based on the data flow diagram. The STRIDE model focuses on identifying the influence of potential attacks or goals of the attacker with the SDL threat modeling tool [19,24].

Risk Analysis
Risk analysis aims to assess the impact of the threat scenario and attack feasibility of each attack path. It consists of impact assessment and attack analysis. Impact assessment aims to estimate the magnitude of damage caused by compromised cybersecurity properties of assets. Attack analysis activity mainly includes attack path analysis and attack feasibility assessment. Given that automotive cybersecurity problems presumably curtail driving safety, user privacy security, national security, and the associated impacts on stakeholders (i.e., safety ( S ), finance ( F ), operation ( O ), and privacy or legislation ( P )) could be determined [26,32]. The impact assessment parameters can be quantified according to relevant industry standards, such as ISO 26262-3:2018 and BSI 100-4. The impact assessment parameters in this framework refer to those in the HEAVENS method, as shown in Table 3 [24]. According to the estimated impact parameters, the sum can be computed to obtain the impact level as shown in Table 4. The equation is expressed as follows: where I is the total impact value. Attack path analysis is used to identify the potential attack paths and then link them to threat scenarios. In this activity, the attack tree method [35] is utilized to construct the attack paths based on the identified threat scenarios that are considered to be the root node of the attack tree. Attack feasibility assessment is applied to assess the ease of exploiting each attack path. In the process of attack path analysis and attack feasibility assessment, the changes in the threat environment, TOE, and the available information during the vehicle lifecycle should be considered. Then, three attack feasibility assessment methods are adopted, i.e., attack potential-based method, CVSS exploitabilitybased method, and attack vector-based method. The selection of the attack feasibility assessment approach depends on the phase in the vehicle lifecycle and available information. When the attack feasibility level or impact level is equal to 0, there is no potential risk. In this paper, the impact level and attack feasibility level are divided into 4 levels (1-4), without considering the quality management level.
The attack potential is derived from ISO/IEC 18045:2008 and has been redefined considering the characteristics of automobiles. Based on this, the assessment parameters (i.e., expertise ( EX ), knowledge about TOE ( KN ), window of opportunity ( WI ), equipment ( EQ )) of attack feasibility are determined by referring to the HEAVENS method, as shown in Table 5. Similarly, the sum can be computed to derive the attack feasibility level according to the parameters shown in Table 6. Considering the attack feasibility level value is 0 when the sum of parameter values exceeds 9, this paper dose not analyze this case any longer. The equation is expressed as follows: where AF is the total attack feasibility value. In the early phase of product development, the attack feasibility can be qualitatively estimated based on the attack vector, when the available information is insufficient to determine a specific attack path. Attack vectors can be divided into 4 categories, namely network, adjacent, local, and physical, as shown in Table 7 [21]. The attack feasibility level increases with the increasing of the remoteness of the attack path. The CVSS exploitabilitybased method can be determined by the exploitability metrics group in the CVSS base metrics. The exploitability metrics group includes 4 parameters, i.e., attack vector ( V ), attack complexity ( C ), privileges required ( P ), and user interaction ( U ), as shown in Tables 8 and 9. In the CVSS exploitability-based method, the equation is expressed as follows [21]: Perform some actions that cannot be traced back Information disclosure (I) Access data in transmission or data storage Denial of service (D) Interrupt the normal operation of the system Elevation of privilege (E) Perform unauthorized actions  where E is the exploitability value.

Risk Assessment
To determine the risk level, risk assessment is performed according to the impact level of damage scenarios and the attack feasibility level of attack paths. After the aforementioned activities, the risk values can be calculated, forming a risk matrix to be used for risk assessment. In the aforementioned risk assessment methods, most of the risk levels are determined by risk matrix. The construction of risk matrix mainly depends on the evaluation experience, without quantitative analysis. In this study, the global rating algorithm [37] is used to construct the risk matrix of automotive cybersecurity, as shown in Table 10. The risk value is calculated as follows: where R is the risk value, m and n are the weight parameters of I and AF , respectively. The impact and attack feasibility factors are hypothesized to have the same contribution to risk. Thus, m and n are both set to 0.5.
The risk level should also be determined based on the impact level and the attack feasibility level. The risk values calculated from Eq. (4) can be used to construct the cybersecurity risk matrix. The equation is expressed as follows: where RL is risk level value; IL is impact level value; AL is attack feasibility level value; F represents the risk function of IL and AL.

Advantages of the Proposed Framework
The systematic risk assessment framework of the automotive cybersecurity presented in this study shows the following advantages: (1) Compared with existing risk assessment methods for automobiles, the proposed framework has a specific risk assessment process and systematic risk assessment methods, which make it more effective. (2) The proposed framework demonstrates a comprehensive manner to analyze the possible attack paths of system assets through the integration of the STRIDE model and attack tree. (3) This framework considers the changes in the threat environment, TOE, the available information, and proposes three attack feasibility assessment methods. Thus, the proposed systematic risk assessment framework can be applied throughout the vehicle lifecycle. (4) The automotive cybersecurity risk matrix has been constructed using a global rating algorithm, which can cre-    ate quantitative risk metrics and enhance the objectivity of assessment results.

Risk Assessment Application
As a key equipment of the automotive network connection system, telematics box (T-Box) is mainly used for automobile communication with telematics service and applications. T-Box is an embedded system that integrates MCU/CPU, flash, GPS, 3G/4G, Wi-Fi, bluetooth, and other modules and provides the connection between in-vehicle networks and the mobile phone/PC through the cloud platform. Therefore, there are many communication interfaces for vehicle connection, e.g., Wi-Fi, cellular network, GPS, serial port, and gateway. While these communication interfaces provide attack channels and remote attack possibility for vehicular function systems. According to the real-world cybersecurity vulnerabilities and the attack feasibility of vehicles, a T-Box device is taken as a use case for cybersecurity risk assessment. The data flow diagram of T-Box is shown in Fig. 2. T-Box can realize vehicle remote control, anti-theft, bluetooth control, firmware over-the-air, and other vehicle remote-control functions. Users can send door-unlocking instructions through the mobile phone application. The instruction is sent to the T-Box in the vehicle through the telematics service provider (TSP) cloud platform, and then the T-Box sends the instruction to the controller area network (CAN) to unlock the doors. The module of T-Box remote-control function is shown in Fig. 3.
The attackers can reverse the analysis of the T-Box firmware, and send spoof control commands to unlock the doors. An example of the T-Box is given to show how to use the framework to assess the cybersecurity risk of automobiles. The in-vehicle infotainment system (IVI) is accessed through the hotspot. The command execution vulnerability is used to execute the system command and bounces the shell window to the terminal test computer. After entering the IVI system, the route information is viewed through the route command to obtain the T-Box IP address. Through secure shell roaming in the T-Box, the firmware of the application program is analyzed, and the remote-control program is called to unlock the door. This paper analyzes the feasibility of the attack event using the attack potential-based feasibility parameters as shown in Table 5. The attackers should have a certain understanding of cybersecurity and should be a practitioner, then the required TOE knowledge can be controlled by the developers. Besides these, it is necessary to purchase some dedicated equipment or write attack scripts or programs. This attack event can be realized through remote accessing and attacking, and the window of opportunity is relatively high. Therefore, the results of attack feasibility assessment are EX = 1, KN = 1, WI = 1, EQ = 1, and AL = 2 according to Tables 5 and 6. The significance of this score is not to accurately quantify the probability of a successful attack, but to evaluate the correlation coefficient of risk in an abstract way. In terms of impact assessment, an attacker can illegally open the door, to steal property or the vehicle, causing financial loss. In addition, the attack case has a certain impact on operation. According to the information listed in Tables 3  and 4, the results of impact assessment are S = 0, F = 10, O = 10, P = 0, and IL = 2. Therefore, the risk level value can Table 10 Automotive cybersecurity risk matrix   Risk level  Impact level   1  2  3  4   Attack feasibility level  1  1  2  2  3  2  2  2  2  3  3  2  2  3  3  4  3  3 3 4

Fig. 2
Automotive T-Box data flow diagram be set to 2 according to the risk matrix in Table 10. The results of risk assessment of automotive cybersecurity could provide proper evidence to support security measures for automobiles. This use case proves the applicability and feasibility of the proposed systematic assessment framework.

Conclusions
As an important evaluation method for security assurance, cybersecurity risk assessment assists in determining the security status of automotive systems and extracting the automotive security requirements. This study proposes a systematic risk assessment framework of automotive cybersecurity that comprises a specific risk assessment process and systematic risk assessment methods, which is applicable to all phases of the vehicle lifecycle. A comprehensive method has been established to analyze cybersecurity assets, threats, and attack paths of automobiles. Moreover, the proposed framework provides assessment indicators of impact and attack feasibility and a quantitative cybersecurity risk matrix, which helps to enhance the objectivity of risk assessment. Finally, the applicability and feasibility of the proposed framework are demonstrated by assessing the potential risk of the T-Box remote-control function.
As an important foundation for the realization of automotive cybersecurity, risk assessment provides effective solutions for the security of intelligent vehicles. In the entire vehicle lifecycle, cybersecurity risk assessment activities have clear pertinence and focus. However, there are still some difficulties in the research, such as the lack of a unified assessment indicator system and the distraction of subjective factors.
In future research, the following aspects will be further investigated: improving the theoretical system of cybersecurity risk assessment to enhance the practicability of assessment models and methods; improving the cybersecurity risk assessment indicator system to enhance the comparability of risk assessment results (e.g., impact and attack feasibility indicators).