
Page 1 (source: 2017.eurospi.net/images/EuroSPI2016/ppt/macher_eurospi2016.pdf)

Public

AVL List GmbH (Headquarters)

Georg Macher

INTEGRATING AUTOMOTIVE HAZARD AND THREAT ANALYSIS METHODS: HOW DOES THIS FIT WITH ASSUMPTIONS OF THE SAE J3061

23rd EuroAsiaSPI Conference, Graz, Austria

Page 2

Georg Macher | Development and Research - Powertrain Engineering | 15 September 2016 | Public

Author(s): Georg Macher

Co-Author(s):

Andreas Riel - EMIRAcle, Grenoble Institute of Technology

Christian Kreiner - Graz University of Technology

Approved by:

Project Leader:

Version: 1.0

Release date: 15.09.2016

Security level: Public

Customer:

Project: SoQrates Working Group

Task ID:

Department: Development and Research - Powertrain Engineering

Copyright © 2016, AVL List GmbH (Headquarters)

INTEGRATING AUTOMOTIVE HAZARD AND THREAT ANALYSIS METHODS: HOW DOES THIS FIT WITH ASSUMPTIONS OF THE SAE J3061

23RD EUROASIASPI CONFERENCE, GRAZ, AUSTRIA

Page 3

AGENDA

• Cyber-Security and the Automotive Domain
• SAE J3061 Cyber-Security Guidebook
• Initial Cyber-Security Assessment (TARA)
  - EVITA method
  - TVRA
  - OCTAVE
  - HEAVENS security model
  - Attack trees
  - SW vulnerability analysis
• SAHARA Approach
• SAHARA Application Example
• Conclusion

Page 4

CYBER-SECURITY AND THE AUTOMOTIVE DOMAIN

Where is the challenge related to automotive security?

Page 5

SAE J3061 CYBER-SECURITY GUIDEBOOK

• 1st available "standard" for the automotive domain, still a work-in-progress draft
• Proposes 3 ways of applying the SAE J3061 security processes in the automotive process landscape:
  - Standalone, with defined communication points to the safety engineering processes
  - In conjunction with ISO 26262 processes
  - Hybrid, an approach with only partially shared engineering processes
• Proposes an initial short cybersecurity assessment of all automotive systems (TARA):
  - Analysis technique applied in the concept phase
  - Identifies potential threats to a feature and assesses the associated risks
  - Allows prioritization of cyber-security activities and focusing of resources
  - 3-step approach: threat identification, risk assessment, risk analysis

© SAE J3061

Page 6

EVITA PROJECT METHOD – FUNCTIONAL SECURITY ANALYSIS

• Adaptation of the ISO 26262 HAZOP analysis, called THROP
  - Threats are defined based on the primary functions of the feature
  - Guide words are applied
  - Potential worst-case scenarios are determined
• For every safety-critical function, all information used has to be authentic
• Analysis based on the analysis of attacks on vehicle functions
• Risk level determination adopted from ASIL

© SAE J3061

Page 7

EVITA SEVERITY CLASSIFICATION

© SAE J3061

Page 8

EVITA ATTACK PROBABILITY RATING

© SAE J3061

Page 9

TVRA - THREAT, VULNERABILITIES, AND IMPLEMENTATION RISK ANALYSIS

• Process-driven methodology
• 10 steps to systematically identify unwanted incidents
• Determines the occurrence likelihood and impact of threats to determine the risk
• Developed for data and telecommunication networks
• Hardly applicable to embedded automotive systems

Page 10

OCTAVE – OPERATIONALLY CRITICAL THREAT, ASSET, AND VULNERABILITY EVALUATION

• Process-driven methodology
• A series of workshops to identify assets, current practices, cybersecurity requirements, threats, and vulnerabilities, and then to develop a strategy and plan for mitigating risks and protecting assets
• Questionnaires and separate worksheets which are completed by participants attending a series of workshops
• Relation to embedded automotive systems not straightforward

© SAE J3061

Page 11

HEAVENS SECURITY MODEL

• Threat-centric model, realized by applying the STRIDE approach
• Ranking of threats by determination of:
  - Threat level (TL), corresponding to a likelihood estimation
  - Impact level (IL), the impact on safety, financial, operational, privacy and legislation aspects
  - Security level (SL), the final risk ranking
• Implies a lot of work to analyze and determine the individual SL
• Requires more details of the system design than are available at early phases

© SAE J3061

Page 12

HEAVENS SECURITY MODEL

all tables © SAE J3061

Page 13

ATTACK TREES AND SW VULNERABILITY ANALYSIS

Attack Tree Analysis
• Analogous to safety fault tree analysis
• Uses logic expressions for the combination of sub-goals
• Adequate for capturing combinations of threats
• Not optimally suited as a TARA

SW Vulnerability Analysis
• Examines SW code for known vulnerabilities
• Focuses on the SW level solely
• Not suitable as a TARA
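The slide's point that attack trees combine sub-goals with logic expressions is easiest to see in code. The following is an added example, not code from the slides or from AVL: a small AND/OR attack tree for a hypothetical electric steering column lock, rendered as the boolean expression it encodes, evaluated against an attacker capability, and searched for its least-effort path. The tree, its leaf names and the leaf ratings are constructed for illustration; the rating scales (required resources R from 0 to 3, required know-how K from 0 to 2) are an assumption chosen to line up with the R and K factors the deck introduces later for SAHARA.

```python
"""Attack-tree evaluation for a hypothetical electric steering column lock (ESCL).

Added example; not code from the slides or from AVL. The tree, the leaf ratings
and the combination rules are constructed for illustration only. Leaves carry
attacker ratings: required resources R (0 = none .. 3 = advanced tools) and
required know-how K (0 = none .. 2 = domain expert); these scales are assumed.
Sub-goals are combined with AND (all children needed) and OR (any child suffices).
"""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    name: str
    resources: int   # R
    knowhow: int     # K


@dataclass(frozen=True)
class Node:
    name: str
    op: str          # "AND" or "OR"
    children: tuple  # of Leaf / Node


Tree = Union[Leaf, Node]


def to_expression(tree: Tree) -> str:
    """Render the tree as the logic expression it encodes."""
    if isinstance(tree, Leaf):
        return tree.name
    inner = f" {tree.op} ".join(to_expression(c) for c in tree.children)
    return f"({inner})"


def feasible(tree: Tree, r_cap: int, k_cap: int) -> bool:
    """Evaluate the expression for an attacker limited to R <= r_cap and K <= k_cap."""
    if isinstance(tree, Leaf):
        return tree.resources <= r_cap and tree.knowhow <= k_cap
    results = [feasible(c, r_cap, k_cap) for c in tree.children]
    return all(results) if tree.op == "AND" else any(results)


def cheapest_path(tree: Tree) -> Tuple[int, int, List[str]]:
    """Least-effort way to reach the goal, as (R, K, leaves used).

    AND: the attacker needs every child, so R and K are the maxima over children.
    OR: the attacker picks the child with the smallest R + K.
    """
    if isinstance(tree, Leaf):
        return tree.resources, tree.knowhow, [tree.name]
    paths = [cheapest_path(c) for c in tree.children]
    if tree.op == "AND":
        return (max(p[0] for p in paths),
                max(p[1] for p in paths),
                [leaf for p in paths for leaf in p[2]])
    if tree.op == "OR":
        return min(paths, key=lambda p: p[0] + p[1])
    raise ValueError(f"unknown operator {tree.op!r}")


# Constructed tree for the hypothetical ESCL; the ratings are illustrative guesses.
ESCL_GOAL = Node(
    "Unlock the steering column without authorisation", "OR", (
        Node("Inject a forged unlock message on the vehicle bus", "AND", (
            Leaf("Reach the diagnostic connector", resources=1, knowhow=0),
            Leaf("Know the unlock message format", resources=0, knowhow=2),
            Leaf("Transmit with a bus interface tool", resources=2, knowhow=1),
        )),
        Node("Run modified ESCL firmware", "AND", (
            Leaf("Obtain debug access to the ECU", resources=3, knowhow=1),
            Leaf("Reverse-engineer and patch the firmware", resources=2, knowhow=2),
        )),
    ),
)


if __name__ == "__main__":
    print(to_expression(ESCL_GOAL))
    print("feasible for R<=2, K<=2:", feasible(ESCL_GOAL, 2, 2))
    print("cheapest path:", cheapest_path(ESCL_GOAL))
```

The two evaluations answer different questions: `feasible` is the plain logic evaluation ("can this attacker class reach the root?"), while `cheapest_path` turns the same tree into a ranking input, which is the step an attack tree on its own does not give you and the reason the slide rates it as not optimally suited as a TARA.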

Page 14

SAHARA APPROACH

• SAHARA – Security-Aware Hazard and Risk Analysis
• Combined approach of STRIDE and HARA
• Developed prior to SAE J3061
• Combined safety and security analysis approach
• Threat classification based on an adaptation of the ASIL classification
• Classification of security threats via:
  - required resources (R)
  - required know-how (K)
  - threat criticality (T)

Page 15

SAHARA: SECL CLASSIFICATION

Resources (R) | Know-how (K) | Criticality (T) | SecL

Page 16

APPLICATION EXAMPLE 1/4

Running example: electric steering column lock system (ESCL)

1. Safety analysis with SAHARA

© ISCN/SoQrates

Page 17

APPLICATION EXAMPLE 2/4

Running example: electric steering column lock system (ESCL)

2. Security analysis with STRIDE

© ISCN/SoQrates

Page 18

APPLICATION EXAMPLE 3/4

Running example: electric steering column lock system (ESCL)

3. Quantification of security threats with the SAHARA method

© ISCN/SoQrates

Page 19

APPLICATION EXAMPLE 4/4

Running example: electric steering column lock system (ESCL)

4. Combination of Safety and Security Outcomes

© ISCN/SoQrates
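The four application-example slides above describe a procedure (hazard analysis, STRIDE threat enumeration, R/K/T quantification into a SecL, combination of the two outcomes) but the worked tables are not reproduced on this page. The following is an added example that walks the same four steps in code; it is not code from the slides, from AVL or from the SoQrates working group. Everything in it is an assumption or constructed input: the hazard and threat entries for the hypothetical ESCL, the R/K/T ranges, the `secl` rule (an illustrative monotone mapping, not the published SAHARA SecL table), and the choice of criticality T = 3 as the level at which a threat is handed back to the safety analysis.

```python
"""SAHARA-style combination of a safety HARA and a STRIDE threat analysis for a
hypothetical electric steering column lock (ESCL).

Added example; not code from the slides, from AVL or from the SoQrates working
group. It walks the four steps of the deck's application example:
  1. safety analysis: hazards with their ASIL, taken here as given input,
  2. STRIDE enumeration of threats against the system,
  3. quantification of each threat by required resources R (0..3), required
     know-how K (0..2) and threat criticality T (0..3) into a security level SecL,
  4. combination: safety-relevant threats are fed back into the hazard list.
The SecL rule below is an ASSUMED monotone mapping written for this example; the
published SAHARA SecL table is not reproduced in the slides and is not used here.
Treating T == 3 as the safety-relevant criticality is likewise an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

STRIDE = ("Spoofing", "Tampering", "Repudiation",
          "Information disclosure", "Denial of service", "Elevation of privilege")


@dataclass(frozen=True)
class Hazard:
    description: str
    asil: str          # "QM" or "A".."D", as assigned by the HARA
    origin: str = "HARA"


@dataclass(frozen=True)
class Threat:
    category: str      # one of STRIDE
    description: str
    resources: int     # R
    knowhow: int       # K
    criticality: int   # T


def secl(resources: int, knowhow: int, criticality: int) -> int:
    """Assumed SecL rule: higher criticality raises the level, higher attacker
    effort (R + K) lowers it; a threat with no impact (T = 0) is SecL 0."""
    if not (0 <= resources <= 3 and 0 <= knowhow <= 2 and 0 <= criticality <= 3):
        raise ValueError("R in 0..3, K in 0..2, T in 0..3")
    if criticality == 0:
        return 0
    effort = resources + knowhow            # 0 (trivial) .. 5 (hard)
    return max(0, min(4, criticality + 1 - effort // 2))


def quantify(threats: List[Threat]) -> List[Tuple[Threat, int]]:
    """Step 3: rate every STRIDE threat; highest SecL first for prioritization."""
    for t in threats:
        if t.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {t.category}")
    rated = [(t, secl(t.resources, t.knowhow, t.criticality)) for t in threats]
    return sorted(rated, key=lambda x: x[1], reverse=True)


def combine(hazards: List[Hazard], rated: List[Tuple[Threat, int]],
            safety_relevant_t: int = 3) -> List[Hazard]:
    """Step 4: threats whose criticality reaches the safety-relevant level become
    new hazard entries, so the HARA is repeated with them as causes. Their ASIL is
    left for that repeated HARA to assign."""
    merged = list(hazards)
    for threat, level in rated:
        if threat.criticality >= safety_relevant_t:
            merged.append(Hazard(
                description=f"Security-induced: {threat.description}",
                asil="to be assigned by HARA",
                origin=f"SAHARA SecL {level}",
            ))
    return merged


# Constructed input for the hypothetical ESCL (illustrative, not a real analysis).
HAZARDS = [
    Hazard("Steering column locks while the vehicle is moving", "D"),
]
THREATS = [
    Threat("Spoofing", "Forged lock command injected on the vehicle bus", 2, 2, 3),
    Threat("Tampering", "Modified ESCL firmware", 3, 2, 3),
    Threat("Information disclosure", "Lock state readable over diagnostics", 1, 1, 1),
    Threat("Denial of service", "Bus flooding so the unlock command is lost", 2, 1, 2),
    Threat("Repudiation", "No record of who issued a lock command", 0, 0, 0),
]


def run_example() -> Dict[str, object]:
    rated = quantify(THREATS)
    return {"rated": rated, "hazards": combine(HAZARDS, rated)}


if __name__ == "__main__":
    out = run_example()
    for threat, level in out["rated"]:
        print(f"SecL {level}  {threat.category:22s} {threat.description}")
    for h in out["hazards"]:
        print(f"ASIL {h.asil:22s} [{h.origin}] {h.description}")
```

The part worth keeping from this sketch is the shape of step 4: a security threat does not receive an ASIL directly; it is turned into a hazard cause and the HARA is rerun, which is how the deck's "mutual impacts" between safety and security outcomes show up in the artefacts.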

Page 20

SUMMARY

• Review of the current state-of-the-art early development phase analysis methods
• Review of the SAE J3061 cyber-security guidebook proposals regarding TARA
• Dependability features (safety, security, availability, ...) are system-wide features with mutual impacts and interdisciplinary values
• The SAHARA method provides a measurable quantification of a system's security
• Example application: electric steering column lock system (ESCL)

Page 21

www.avl.com

THANK YOU

Page 22

REFERENCES

EMC. 2015. EMC² Project. Available at: http://www.artemis-emc2.eu/.

ISO. 2011. ISO 26262 Road vehicles functional safety, parts 1-10. Geneva, Switzerland: International Organization for Standardization.

IEC. 2009. IEC 62443 Industrial communication networks - Network and system security. Geneva, Switzerland: International Electrotechnical Commission.

Macher, G., E. Armengaud, and C. Kreiner. 2015. A practical approach to classification of safety and security risks. In Proceedings of EuroSPI 2015, 10.1 - 10.10. Denmark.

Macher, G., E. Armengaud, E. Brenner, and C. Kreiner. 2016. A review of threat analysis and risk assessment methods in the automotive context. In Proceedings of SAFECOMP 2016, 20 September.

Macher, G., A. Hoeller, H. Sporer, E. Armengaud, and C. Kreiner. 2015. A combined safety-hazards and security-threat analysis method for automotive systems. In Proceedings of SAFECOMP 2015 Workshops ASSURE, DECSoS, ISSE, ReSA4CI, and SASSUR, The Netherlands, 22 September. Springer International Publishing AG.

MSDN. 2015. The MSDN STRIDE threat model. Available at: https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx

SAE. 2016. Vehicle Electrical System Security Committee. SAE J3061 Cybersecurity Guidebook for Cyber-Physical Automotive Systems.

Scuro, G. 2012. Automotive industry: Innovation driven by electronics. Available at: http://embedded-computing.com/articles/automotive-industry-innovation-driven-electronics/.

Sentilles, S., P. Stepan, J. Carlson, and I. Crnkovic. 2009. Component-based software engineering. In Proceedings of the 12th International Symposium CBSE, 24-26 June, 173-190. Berlin Heidelberg: Springer Berlin Heidelberg.
