The emergence of technologies and industries such as the Internet of Vehicles and autonomous driving has brought the automotive industry new development opportunities as well as new challenges. As automobiles become more intelligent and connected, the cybersecurity problems of automotive electronics have become increasingly prominent and are receiving more and more attention from the industry, and major manufacturers have accelerated their research, development and planning of automotive information security. Threat analysis and risk assessment are important activities for ensuring the information security of automotive electronic systems; their processes and methods are introduced in J3061, ISO 21434, GB/T 38628 and other guidelines. Based on existing research results and automotive industry practice, this article proposes an improved threat analysis and risk assessment process for automotive electronics in order to improve the efficiency of this work.
This article takes the NIST Risk Management Framework, EVITA, HEAVENS and others as examples to introduce typical threat analysis and risk assessment methods, and then presents the improvement proposed here.
The National Institute of Standards and Technology (NIST) has published the Risk Management Framework (RMF), which provides a process for integrating security and risk management activities into the system development life cycle. The process is divided into six steps: categorize, select, implement, assess, authorize and monitor. The first step, categorize, defines the system boundary and then, based on that boundary, identifies all types of information related to the system. The second step selects an initial set of security controls according to the security categorization and adjusts and supplements them based on the risk and environmental assessment; security controls are the means within the information system responsible for protecting the system and its information. The third step implements the selected security controls in the operational environment and documents how they are implemented. The fourth step requires an appropriate process to assess the extent to which the security controls are implemented correctly, operate as intended and meet the expected security requirements of the system. The fifth step authorizes the system to operate once the risk has been determined to be acceptable. The final step continuously monitors the security controls, records changes to the system or its operating environment, conducts security impact analysis on relevant changes, and reports the security state of the system to the relevant organizational officials.
EVITA stands for E-Safety Vehicle Intrusion Protected Applications. It is a project funded by the European Union's Seventh Framework Programme, whose main goal is to provide a reference for the design, verification and prototype architecture of automotive in-vehicle networks. For risk severity, EVITA draws on information security risk assessment methods and on the functional safety risk assessment method of ISO 26262, and divides severity into five levels, S0 to S4. For evaluation dimensions, EVITA provides four: functional safety, privacy, property and operations. The operational aspect is maintaining the desired operational performance of all vehicle and ITS functions; the functional safety aspect is ensuring the functional safety of occupants and roadside personnel; the privacy aspect is protecting the privacy of the driver as well as the intellectual property of vehicle manufacturers and suppliers; the property aspect is protecting against fraudulent financial loss and vehicle theft. For these four security objectives, EVITA works in three stages: threat identification, threat classification and risk analysis. Threat identification uses scenarios and attack trees to identify threats and derive security requirements; threat classification classifies threats by their severity and by the likelihood of a successful attack; risk analysis categorizes threats and provides recommended actions. The analysis process is shown in Figure 1. Each specific asset has an attack probability, and each attack target has an attack severity (covering functional safety and the other dimensions); these are calculated separately by combining probabilities, and from the attack probability and attack severity the risk level is then calculated. Figure 2 shows an example of this attack tree method.
Figure 1 EVITA-Threat analysis and risk assessment process based on attack tree method
Figure 2 An example of the threat analysis and risk assessment process based on the attack tree method
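The attack tree evaluation described above, as an added example rather than code from the EVITA project or this article. The combination rules are assumptions common in attack-tree analysis (OR nodes take the maximum child likelihood, AND nodes the minimum), leaf likelihoods on a 1 to 5 scale and the risk matrix are constructed, and the tree itself is a constructed sample modelled on the attack goal named in Figure 10.

```python
"""EVITA-style attack tree evaluation (added example, not EVITA code).
Assumed conventions: leaf likelihood 1..5 (higher = easier attack); OR nodes
take the max of their children (attacker picks the easiest branch); AND nodes
take the min (the hardest mandatory step limits the path); severity is S0..S4
as on the page; the risk matrix below is a constructed illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Node:
    name: str
    op: Optional[str] = None              # "AND", "OR", or None for a leaf
    likelihood: int = 0                   # leaf attack likelihood, 1..5
    children: List["Node"] = field(default_factory=list)

def combine(node: Node) -> int:
    """Propagate leaf likelihoods up to this node (assumed max/min rules)."""
    if not node.children:
        return node.likelihood
    values = [combine(child) for child in node.children]
    return max(values) if node.op == "OR" else min(values)

# Constructed risk matrix: RISK[severity][likelihood - 1] gives a risk 0..4
RISK = {
    0: [0, 0, 0, 0, 0],
    1: [0, 0, 1, 1, 2],
    2: [0, 1, 1, 2, 3],
    3: [1, 1, 2, 3, 4],
    4: [1, 2, 3, 4, 4],
}

def risk_level(severity: int, likelihood: int) -> int:
    """Risk level from severity S0..S4 and combined attack likelihood 1..5."""
    if severity not in RISK or not 1 <= likelihood <= 5:
        raise ValueError("severity must be 0..4 and likelihood 1..5")
    return RISK[severity][likelihood - 1]

# Constructed tree for an attack goal like the one in Figure 10
SPOOF = Node("spoof control command", "AND", children=[
    Node("obtain access to in-vehicle bus", likelihood=3),
    Node("forge command frame", likelihood=4),
])
GOAL = Node("cannot control air conditioner", "OR", children=[
    SPOOF,
    Node("flood gateway with requests", likelihood=4),
])

if __name__ == "__main__":
    print("goal likelihood:", combine(GOAL))                      # 4
    print("risk at severity S2:", risk_level(2, combine(GOAL)))   # 2
```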
The HEAVENS security model focuses on method, process and tool support for threat analysis and risk assessment; its goal is a systematic approach to deriving cybersecurity requirements for vehicle electrical and electronic systems. The workflow of the HEAVENS security model is shown in Figure 3, and its main features are as follows:
It is suitable for all kinds of road vehicles, such as passenger cars and commercial vehicles, and takes a wide range of stakeholders into account (e.g. OEMs, fleet owners, vehicle owners, drivers and passengers).
It is threat-centred and applies Microsoft's STRIDE method to automotive electrical and electronic systems. From the attacker's point of view, STRIDE divides threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS) and Elevation of Privilege. These six categories correspond to the three elements of information security, confidentiality, integrity and availability, and to the three basic attributes of authentication, authorization and auditing.
A direct mapping between security attributes and threats is established during threat analysis, which makes it easier to assess the technical impact of a specific threat on a specific asset (in addition to confidentiality, integrity and availability, attention is also paid to security attributes such as authentication, authorization, non-repudiation, privacy and timeliness).
During risk assessment, the security objectives (safety, financial, operational, privacy and legislative) are mapped to impact level estimates. This helps to understand the potential business impact of a specific threat on the relevant stakeholders (e.g. OEMs).
Estimates of the impact level parameters (safety, operational, financial, privacy and legislative) are provided on the basis of industry standards. For example, the safety parameters follow the functional safety standard ISO 26262, the financial parameters are based on the German BSI standard, the operational parameters are based on automotive failure mode and effects analysis (FMEA), and the privacy and legislative parameters are related to the German BSI "Privacy Impact Assessment Guideline".
Figure 3 Workflow of the HEAVENS security model
Threat analysis and risk assessment for automotive electronic and electrical systems undoubtedly need to be considered systematically from multiple dimensions and aspects in order to avoid both duplication and omission. As shown in Figure 4, assets can be identified, on the one hand, starting from the layered structure of the vehicle and, on the other hand, from the hardware and software structure of each device. For each identified asset, the STRIDE method can be used as a reference to consider possible cybersecurity threats or attack methods from the six aspects of spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege, and to relate them to the affected security attributes of the asset, so that the severity of the impact on the security attributes of that specific asset can be evaluated further. When analysing the threats to a specific asset, it is necessary to consider not only vulnerabilities and attack methods similar to those of traditional IT systems, but also the vulnerabilities unique to vehicle systems and the attack methods they make possible, analysed in combination with specific functional use cases and working scenarios or processes.
Figure 4 Dimensions and elements of threat analysis and risk assessment for automotive electronics
Based on the above dimensions, this paper has formed the threat analysis and risk assessment framework for automotive electronic cybersecurity shown in Figure 5 and refined it into the specific process in Table 1; its main work products and supporting environment are shown in Figure 6. The framework in Figure 5 uses the data flow diagram to analyse the impact level from the perspective of the system's assets and uses the attack tree to analyse the threat level from the perspective of the attacker, thereby completing the threat analysis and risk assessment of the system. Data flow diagram analysis and attack tree analysis complement each other through the "asset-threat" mapping: the "asset-threat" pairs obtained from data flow diagram analysis can be added to the attack tree analysis, and likewise the "asset-threat" pairs obtained from attack tree analysis can be added to the data flow diagram analysis, until the "asset-threat" pairs of the two methods match, as shown in Figure 7.
Figure 5 Threat analysis and risk assessment framework for automotive electronic network security
Table 1 Description of Threat Analysis and Risk Assessment Process Activities
Figure 6 Work products and supporting environments of process activities
Figure 7 Threat analysis process fusing the data flow diagram and attack tree methods
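The cross-supplementation of "asset-threat" pairs between the two methods, as an added example that is not the article's own tooling. It assumes the Microsoft STRIDE-per-element convention for which threat categories apply to each data flow diagram element type; the FOTA gateway elements and attack-tree leaves are constructed sample data.

```python
"""Reconcile "asset-threat" pairs from a data flow diagram (DFD) and an
attack tree, as in the fused process of Figure 7. Added example, not the
article's tooling. Assumption: candidate threats per DFD element type follow
the STRIDE-per-element convention (S=Spoofing, T=Tampering, R=Repudiation,
I=Information disclosure, D=Denial of service, E=Elevation of privilege)."""
from typing import Dict, List, Set, Tuple

# STRIDE-per-element: threat categories that apply to each DFD element type
STRIDE_PER_ELEMENT: Dict[str, Set[str]] = {
    "external_entity": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "data_flow": {"T", "I", "D"},
    "data_store": {"T", "R", "I", "D"},
}

Pair = Tuple[str, str]   # (asset, STRIDE letter)

def pairs_from_dfd(elements: Dict[str, str]) -> Set[Pair]:
    """Enumerate candidate (asset, threat) pairs for every DFD element."""
    return {(asset, threat) for asset, kind in elements.items()
            for threat in STRIDE_PER_ELEMENT[kind]}

def pairs_from_attack_tree(leaves: List[Tuple[str, str, str]]) -> Set[Pair]:
    """Attack-tree leaves are (attack step, asset, STRIDE letter)."""
    return {(asset, threat) for _, asset, threat in leaves}

def reconcile(dfd: Set[Pair], tree: Set[Pair]) -> Dict[str, Set[Pair]]:
    """Pairs one method found that the other did not, plus the merged set
    both methods converge on once each is supplemented with the other."""
    return {
        "add_to_attack_tree": dfd - tree,   # DFD candidates the tree never analysed
        "add_to_dfd": tree - dfd,           # tree findings outside the DFD template
        "merged": dfd | tree,
    }

# Constructed DFD of the remote air-conditioner control path
DFD_ELEMENTS = {
    "mobile_app": "external_entity",
    "cloud_to_gateway_link": "data_flow",
    "fota_gateway_control_process": "process",
}
# Constructed attack-tree leaves for the goal "cannot control air conditioner"
TREE_LEAVES = [
    ("flood gateway with control requests", "fota_gateway_control_process", "D"),
    ("forge command on link", "cloud_to_gateway_link", "T"),
    ("replay stale command", "cloud_to_gateway_link", "S"),  # outside DFD template
]
```

The replayed-command leaf is a spoofing threat on a data flow, which the per-element template does not list, so it appears in `add_to_dfd` and the DFD analysis is extended with it.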
This article uses a FOTA (Firmware Over-The-Air) gateway to illustrate the application of the above threat analysis and risk assessment process. Its application scenarios and functions are shown in Table 2, and the use case diagram for remote control is shown in Figure 8.
Table 2 Application scenarios and functions of FOTA gateways
Figure 8 FOTA gateway remote control use case diagram
Taking users as the core, define the functions, identify the functional modules and assets that implement them, and produce the system architecture diagram and asset tracking record. The asset tracking record is shown in Table 3.
Table 3 Asset Tracking Record Form for FOTA Gateway Remote Control Use Case (Part)
Next, data flow diagram analysis and attack tree analysis are carried out, as shown in Figure 9 and Figure 10 respectively; the two are cross-compared so that each complements and improves the other, and the results are summarized in the corresponding threat records, as shown in Table 6.
Figure 9 FOTA gateway remote control module data flow diagram example
Figure 10 FOTA gateway “cannot control air conditioner” attack tree example (part)
Table 6 Threat Synthesis Log Sheet (Part of Threat Tracking Log Sheet)
Finally, risk assessment is performed: the threat level (Table 7) and the impact level (Table 8) are assessed, and the security level of the threat is then determined from the two (Table 9).
Table 7 Vulnerability-Attack Potential Record Form (Part of Threat Track Record Form)
Table 8 Threat Impact Tracker (Part of Threat Tracker)
Table 9 Threat-Security Level Tracking Form (Part of Threat Tracking Form)
This paper improves some of the current threat analysis and risk assessment methods in the automotive field and proposes a structured, systematic implementation process. At the same time, it applies both data flow diagrams (used by the HEAVENS and STRIDE methods) and attack trees (used by the EVITA method) to analyse the possible threats to system assets, which makes the threat analysis more comprehensive. However, the degree of automation of this process is not high. In the future, the tooling and facilitation of the process need to be improved further, and analysis results should be accumulated in the form of a knowledge base that can be reused continuously when analysing new systems.