As the intelligent car-networking represents the new direction of the future vehicular development, automotive security plays an increasingly important role in the whole car industry chain. On condition that the accompanying problems of security are proofed, vehicles will provide more convenience while ensuring safety. Security models can be utilized as tools to rationalize the security of the automotive system and represent it in a structured manner.
As the intelligent car-networking represents the new generation of the vehicular trend, security plays a more and more important role in automotive industry. Unlike IT security, the security of the automotive system can have an effect on the physical environment directly. Therefore, several research projects for security in transport systems were funded and conducted over the last decade. The projects like PRESERVE (preparing secure vehicle-to-X Communication systems), EVITA (E-safety vehicle intrusion protected applications) and OVERSEE (open vehicular secure platform) were launched to study how to ensure the security of the intelligent transport system by European Commission. The objectives of PRESERVE is to design a scalable security subsystem for the communication of ITS. It aimed to secure the V2X (vehicle to everything) communication and protect the data being abused by malicious attackers. The performance and the cost are also considered for the product deployment in close-to-market implementation . EVITA focused on the trustworthy intra-vehicular communication in order to protect the sensitive data, which are transferred inside a vehicle . The goal of EVITA is to design a secure automotive on-board architecture. The security requirements are specified after analyzing the relevant use cases and the threat scenarios. EVITA proposed hardware security modules as trust anchors for automotive controllers to fulfill the security requirements. To meet the demand of information and communication management for vehicular applications, OVERSEE targeted to realize an open vehicular IT platform . Based on the architecture of the platform, the applications are deployed in a secure and dependable way to avoid interfering with the functionality and safety of the vehicle.
Moreover, some standardization activities are carried out to address and enforce the security aspects for automotive industry . Some security standards for vehicles have been developed such as SAE J3061  and ISO 20078 . Some are still under development like ISO/SAE 21434 , whose progress is reported in . In August of 2020, the UNECE WP.29 (the UN Economic Commission for Europe and the World Forum for Harmonization of Vehicle Regulations) released an exposure draft of uniform provisions. If it is passed, the member countries will be regulated to implement automotive cybersecurity practices and the cybersecurity management systems from January of 2021 .
The standards and the framework projects provide groundwork for in-depth study. They allow for supports for the applications in the field of automotive security. For the development of modern vehicles, rigorous security engineering is required as well as safety engineering . An overview on how to apply security testing technologies to automotive engineering is conducted in . Five techniques that are commonly used for automotive engineering are identified and classified according to the applications of different vehicle lifecycle phases and architecture layers. This paper addressed the need to develop testing methods to combine safety aspects for future work. As the security is brought up later than safety in automotive development, how to integrate them into the existing lifecycle is discussed in . The SAE J3061 suggests some interaction points between safety and security engineering during development processes . In , a process to integrate the properties of safety and security through automotive system development is proposed and illustrated with the use case of an electronic steering column lock system. Dürrwang et al. adapted the safety hazards analysis method with security guide-words in . It is used to identify the threats and security requirements during the safety analysis. In addition, there are several researches performed to adapt the safety models with security characteristics for system analysis, such as the model of Failure Mode, Vulnerabilities and Effects Analysis (FMVEA) , and the model of Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS) . Unlike , this paper focuses on the perspectives of automotive security engineering—only the threat models originally designed for automotive security with independent inputs and outputs are considered. Thus, the adapted safety models are out of the scope of the discussion.
Since the outputs of threat models identify the potential attacks and the corresponding mitigation, modeling and assessing the security risks are demanded at the first stage of the design . Several automotive security modeling methods are proposed for automotive engineering . The J3061 Appendix A specifies some methods and techniques including the approach that originated from the framework project such as EVITA  and standards such as European Telecommunications Standards Institute (ETSI) Threat Vulnerability, and implementation Risk Analysis (TVRA) standard . In this section, we review the security risk analysis approaches, which are widely used by automotive industrial organizations and compare them from different aspects. It aims to provide hints for automotive engineer to better understand the security models.
The literature survey of the references on automotive security modeling was conducted and five representative methods for the subject were found. A comparison is made with respect to the reviewed methods and the results are showed in Table 1.
Table 1. Comparison of the automotive security models.
|Factors Methods||Application Context||Security Attributes||Reference Methods||Safety-Related||Risk Impact||Inputs & Outputs|
|EVITA||Vehicular IT systems||Authenticity, Integrity, Authorization, Freshness, Non-repudiation, Privacy, Confidentiality, Availability||Attack tree||YES||Safety, Finance, Privacy, Operation||Input: system use cases and assets
Output: attack scenarios, risk levels and security requirements
|HEAVENS||Automotive electrical and/or electronic systems||Confidentiality, Availability, Integrity, Authenticity, Authorization, Non-repudiation, Privacy, Freshness||STRIDE||YES||Safety, Finance, Privacy & legislation, Operation||Input: functional use cases
Output: risk matrix with threat level and impact level, high-level security requirements
|SINA||Connected vehicle systems||Authenticity, Availability, Integrity, Confidentiality, Authorization||STRIDE (with different threat types), Attack tree||YES||Safety||Input: system use cases
Output: the list of threats, failure mode, potential effects and severity
|SAHARA||Automotive embedded systems||Confidentiality, Availability, Integrity||STRIDE||YES||Safety||Input: the outcomes of safety analysis
Output: threat level and security level
|TVRA||Communications and services in ITS||confidentiality, integrity, availability, authenticity, accountability||TVRA for Telecommunications||NO||Availability of the network, Customer confidence||Input: ITS target of evaluation
Output: risk determination and possible countermeasures