Automotive Security Models

As intelligent car-networking represents the new direction of future vehicular development, automotive security plays an increasingly important role in the whole car industry chain. Provided that the accompanying security problems are solved, vehicles will offer more convenience while still ensuring safety. Security models can be used as tools to reason about the security of the automotive system and to represent it in a structured manner.

Keywords: Automotive Security Models; intelligent car-networking; PRESERVE

1. Introduction

As intelligent car-networking represents the new generation of the vehicular trend, security plays a more and more important role in the automotive industry. Unlike IT security, the security of an automotive system can directly affect the physical environment. Therefore, several research projects on security in transport systems were funded and conducted over the last decade. Projects such as PRESERVE (preparing secure vehicle-to-X communication systems), EVITA (E-safety vehicle intrusion protected applications) and OVERSEE (open vehicular secure platform) were launched by the European Commission to study how to ensure the security of intelligent transport systems (ITS). The objective of PRESERVE is to design a scalable security subsystem for ITS communication. It aimed to secure V2X (vehicle-to-everything) communication and to protect the data from being abused by malicious attackers. Performance and cost are also considered for product deployment in a close-to-market implementation [1][63]. EVITA focused on trustworthy intra-vehicular communication in order to protect the sensitive data that are transferred inside a vehicle [2][64]. The goal of EVITA is to design a secure automotive on-board architecture. The security requirements are specified after analyzing the relevant use cases and threat scenarios. EVITA proposed hardware security modules as trust anchors for automotive controllers to fulfill the security requirements. To meet the demand for information and communication management in vehicular applications, OVERSEE targeted an open vehicular IT platform [3][65]. Based on the architecture of the platform, applications are deployed in a secure and dependable way so that they do not interfere with the functionality and safety of the vehicle.

Moreover, some standardization activities have been carried out to address and enforce security aspects in the automotive industry [4][66]. Some security standards for vehicles have already been developed, such as SAE J3061 [5][67] and ISO 20078 [6][68]. Others are still under development, like ISO/SAE 21434 [7][69], whose progress is reported in [8][70]. In August 2020, the UNECE WP.29 (the UN Economic Commission for Europe and the World Forum for Harmonization of Vehicle Regulations) released an exposure draft of uniform provisions. If it is passed, the member countries will be required to implement automotive cybersecurity practices and cybersecurity management systems from January 2021 [9][71].

The standards and the framework projects provide the groundwork for in-depth study. They provide support for applications in the field of automotive security. For the development of modern vehicles, rigorous security engineering is required as well as safety engineering [10][72]. An overview of how to apply security testing technologies to automotive engineering is given in [11][73]. Five techniques that are commonly used in automotive engineering are identified and classified according to the vehicle lifecycle phases and architecture layers in which they apply. That paper identifies the need to develop testing methods that combine safety aspects as future work. As security entered automotive development later than safety, how to integrate it into the existing lifecycle is discussed in [12][74]. SAE J3061 suggests some interaction points between safety and security engineering during the development process [13][75]. In [14][76], a process to integrate the properties of safety and security throughout automotive system development is proposed and illustrated with the use case of an electronic steering column lock system. Dürrwang et al. adapted the safety hazard analysis method with security guide-words in [15][77]; it is used to identify the threats and security requirements during the safety analysis. In addition, several studies have adapted safety models with security characteristics for system analysis, such as Failure Mode, Vulnerabilities and Effects Analysis (FMVEA) [16][78] and Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS) [17][79]. Unlike [18][80], this paper focuses on the perspective of automotive security engineering: only threat models originally designed for automotive security, with independent inputs and outputs, are considered. Thus, the adapted safety models are out of the scope of the discussion.

2. Security Modeling Methods for Automotive Industry

Since the outputs of threat models identify the potential attacks and the corresponding mitigations, modeling and assessing the security risks is required at the first stage of the design [19][81]. Several security modeling methods have been proposed for automotive engineering [20][82]. Appendix A of J3061 specifies methods and techniques, including the approach that originated from the EVITA framework project [2][64] and standards such as the European Telecommunications Standards Institute (ETSI) Threat, Vulnerability and Risk Analysis (TVRA) standard [21][83]. In this section, we review the security risk analysis approaches that are widely used by automotive industrial organizations and compare them from different aspects. The aim is to provide hints for automotive engineers to better understand the security models.

A literature survey of the references on automotive security modeling was conducted and five representative methods for the subject were found. A comparison of the reviewed methods is made and the results are shown in Table 1.

Table 1. Comparison of the automotive security models.

| Method | Application context | Security attributes | Reference methods | Safety-related | Risk impact | Inputs & outputs |
|---|---|---|---|---|---|---|
| EVITA | Vehicular IT systems | Authenticity, Integrity, Authorization, Freshness, Non-repudiation, Privacy, Confidentiality, Availability | Attack tree | YES | Safety, Finance, Privacy, Operation | Input: system use cases and assets. Output: attack scenarios, risk levels and security requirements |
| HEAVENS | Automotive electrical and/or electronic systems | Confidentiality, Availability, Integrity, Authenticity, Authorization, Non-repudiation, Privacy, Freshness | STRIDE | YES | Safety, Finance, Privacy & legislation, Operation | Input: functional use cases. Output: risk matrix with threat level and impact level, high-level security requirements |
| SINA | Connected vehicle systems | Authenticity, Availability, Integrity, Confidentiality, Authorization | STRIDE (with different threat types), Attack tree | YES | Safety | Input: system use cases. Output: the list of threats, failure modes, potential effects and severity |
| SAHARA | Automotive embedded systems | Confidentiality, Availability, Integrity | STRIDE | YES | Safety | Input: the outcomes of safety analysis. Output: threat level and security level |
| TVRA | Communications and services in ITS | Confidentiality, Integrity, Availability, Authenticity, Accountability | TVRA for telecommunications | NO | Availability of the network, Customer confidence | Input: ITS target of evaluation. Output: risk determination and possible countermeasures |
  • Application context: The five automotive security modeling methods reviewed in the last section are intended for different usage scopes. Some methods target the systems on the vehicle itself, while others take the V2X scenarios into account. For example, TVRA is designed to evaluate the communications and services of the network infrastructure in the ITS.
  • Security attributes: The security attributes are the properties of a valuable asset that must be protected. Ordinarily, security is composed of the attributes confidentiality, integrity and availability. In the context of automotive systems, the attributes and security objectives are extended with authenticity, accountability, authorization, privacy, non-repudiation and freshness. Definitions of the attributes can be found in [21][22][83,92]. Each method specifies a different set of security attributes as its objectives.
  • Reference methods: Since automotive security modeling builds on traditional IT security modeling methods, each approach constructs its threat model with either quantitative or qualitative reference methods. Most of these methods have been reviewed in Section 2.
  • Safety-related: Safety has always been regarded as a critical engineering concern for the automotive industry. Unlike in IT security, the safety process is essential for automotive design.
  • Risk impacts: Risk assessment is employed to rank each threat using impact level parameters. It helps to analyze the potential impacts of threats on stakeholders such as the user, dealer or manufacturer of the vehicle. Impact factors that can be considered include the safety of the car occupants and road users, the direct and indirect financial cost for the stakeholders, operational incidents, and the violation of privacy and regulations. These factors help to derive the security objectives.
  • Inputs and outputs: These factors help to understand the models, especially from an engineering point of view. The perspective of analysis differs between the methods, and thus the required inputs and starting points differ. Since the objectives of each method vary, the outcomes are correspondingly diverse.
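As an added example that is not part of the survey and is not code from EVITA, HEAVENS, SINA, SAHARA or TVRA, the following Python script ties the comparison factors above together into one small risk-ranking pipeline: STRIDE threat enumeration from the security attributes an asset must keep (the STRIDE-based methods), an attack tree whose leaves carry a required attack potential (the attack-tree-based methods), an impact vector over the safety, finance, privacy and operation factors, and a risk matrix that produces the kind of "risk level" row the methods output. Every numeric scale, the AND/OR combination rule, the risk matrix and the sample threat are constructed for illustration and are not the official tables of any of the reviewed methods.

```python
"""Illustrative risk ranking for an automotive threat model (added example).

All scales and the risk matrix below are constructed for illustration; they are
NOT the official EVITA or HEAVENS tables.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# STRIDE threat category -> the security attribute it violates (standard mapping).
STRIDE = {
    "Spoofing": "Authenticity",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorization",
}

MAX_POTENTIAL = 4          # constructed 0..4 scale: higher = harder for the attacker
IMPACT_FACTORS = ("safety", "finance", "privacy", "operation")  # each rated 0..3


def stride_threats(asset: str, attributes: List[str]) -> List[str]:
    """Enumerate the STRIDE threats against an asset from the attributes it must keep."""
    return [f"{cat} of {asset}" for cat, attr in STRIDE.items() if attr in attributes]


@dataclass
class AttackNode:
    """Attack-tree node. Leaves carry the attack potential an attacker needs;
    AND/OR nodes combine their children."""
    name: str
    gate: str = "LEAF"      # "LEAF", "AND" or "OR"
    potential: int = 0
    children: List["AttackNode"] = field(default_factory=list)


def required_attack_potential(node: AttackNode) -> int:
    """OR: the easiest branch decides (min). AND: every branch is needed (sum, capped)."""
    if node.gate == "LEAF":
        return node.potential
    values = [required_attack_potential(c) for c in node.children]
    if node.gate == "OR":
        return min(values)
    if node.gate == "AND":
        return min(MAX_POTENTIAL, sum(values))
    raise ValueError(f"unknown gate {node.gate!r}")


def attack_probability(node: AttackNode) -> int:
    """Constructed rule: the higher the required potential, the lower the probability (0..4)."""
    return MAX_POTENTIAL - required_attack_potential(node)


def impact_level(impact: Dict[str, int]) -> int:
    """Combined severity on a 0..3 scale: the worst single factor decides."""
    unknown = set(impact) - set(IMPACT_FACTORS)
    if unknown:
        raise ValueError(f"unknown impact factors: {sorted(unknown)}")
    return max(impact.get(f, 0) for f in IMPACT_FACTORS)


# Constructed risk matrix: rows = impact level 0..3, columns = attack probability 0..4.
RISK_MATRIX = [
    ["R0", "R0", "R0", "R0", "R0"],
    ["R0", "R1", "R1", "R2", "R2"],
    ["R0", "R1", "R2", "R3", "R3"],
    ["R0", "R2", "R3", "R4", "R4"],
]


def risk_level(impact: Dict[str, int], tree: AttackNode) -> str:
    return RISK_MATRIX[impact_level(impact)][attack_probability(tree)]


def assess(threat: str, tree: AttackNode, impact: Dict[str, int]) -> Dict[str, object]:
    """One result row: the kind of threat/impact/risk record the surveyed methods output."""
    return {
        "threat": threat,
        "required_attack_potential": required_attack_potential(tree),
        "attack_probability": attack_probability(tree),
        "impact_level": impact_level(impact),
        "risk": risk_level(impact, tree),
    }


# --- Constructed sample input (hypothetical asset and attack tree) -------------
BRAKE_CMD_THREATS = stride_threats("brake command on the chassis CAN bus",
                                   ["Authenticity", "Integrity", "Availability"])

FORGED_BRAKE_CMD = AttackNode("forged brake command accepted by brake ECU", "OR", children=[
    AttackNode("local injection", "AND", children=[
        AttackNode("physical access to the diagnostic port", potential=1),
        AttackNode("frame in the bus's message format", potential=1),
    ]),
    AttackNode("remote compromise of the telematics unit", potential=4),
])
FORGED_BRAKE_CMD_IMPACT = {"safety": 3, "finance": 1, "privacy": 0, "operation": 2}

if __name__ == "__main__":
    print(BRAKE_CMD_THREATS)
    print(assess("forged brake command", FORGED_BRAKE_CMD, FORGED_BRAKE_CMD_IMPACT))
```

For the sample tree the local AND branch needs potential 1 + 1 = 2 and the remote leaf needs 4, so the OR root takes the easier path (2), which maps to probability 2; the worst impact factor (safety = 3) sets the impact level, and the matrix returns "R3". Choosing min for OR and a capped sum for AND is the modelling decision that makes a single weak path dominate the rating, which is exactly why the methods in Table 1 derive security requirements per attack scenario rather than per asset.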