A Comparative Study of JASO TP15002-Based Security Risk Assessment Methods for Connected Vehicle System Design

Kawanishi, Yasuyuki; Nishihara, Hideaki; Souma, Daisuke; Yoshida, Hirotaka; Hata, Yoichi

doi:10.1155/2019/4614721

Cited by 11 publications

(7 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The security analysis process specified in JASO TP15002 [14] consists of five phases: ToE (Target of Evaluation) definition, Threat analysis, Risk assessment, Define security objectives, and Security requirement selection. We follow a concretization of it studied in [26]. It also reflects a refactoring of the process and data in the original security analysis process.…”

Section: Process Overviewmentioning

confidence: 99%

See 1 more Smart Citation

On Validating Attack Trees with Attack Effects: An Approach from Barwise-Seligman's Channel Theory

Nishihara¹,

Kawanishi²,

Souma³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

In security analysis, attack trees are a major tool for showing the structural decomposition of attacks and for supporting the evaluation of the quantitative properties (called attributes) of the attacks. However, the validities of decompositions are not established by attack trees themselves, and fallacious decisions about security may be made when the attack trees are inaccurate. This paper enriches attack trees with effects of attacks, with a formal system focusing on refinement scenarios. Relationships among effects indicate relationships among attacks and it allows for a systematic evaluation of attack decompositions. To describe effects this paper applies Barwise-Seligman's channel theory. Infomorphisms, in particular, play a significant role to connect effects with distinct granularities. As a result, the consistency of a decomposition is formally defined and a condition for it is stated. This framework is applied to a case study of a vehicular network system. As an application of the idea of consistency, possible degrees of mitigation for attacks in attack trees are discussed.

show abstract

Section: Process Overviewmentioning

confidence: 99%

“…Based on the model in [27], a vehicular network system can be specified as the ToE. While the entire network system is analyzed in [26], the focus of this paper is on specific parts of the network (Fig. 5).…”

Section: Target Of Evaluation(toe)mentioning

confidence: 99%

On Validating Attack Trees with Attack Effects: An Approach from Barwise-Seligman's Channel Theory

Nishihara¹,

Kawanishi²,

Souma³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…e Japanese Automotive Standard Organization (JASO) published the TP15002 guideline to standardize the procedures of the security design in the early stage of the development [12]. Kawanishi et al proposed better solutions for security evaluation based on TP15002 [13,14]. e E-safety Vehicle Intrusion Protected Application (EVITA) project, funded by European Union, designed, verified, and prototyped a security architecture for in-vehicle networks where securityrelevant components and data are pretested against unauthorized access.…”

Section: Cybersecurity Designmentioning

confidence: 99%

A Systematic Approach for Cybersecurity Design of In-Vehicle Network Systems with Trade-Off Considerations

Luo

2020

Security and Communication Networks

View full text Add to dashboard Cite

With the increasing connectivity of modern vehicles, protecting systems from attacks on cyber is becoming crucial and urgent. Meanwhile, a vehicle should guarantee a safe and comfortable trip for users. Therefore, how to design a cybersecurity-critical system in vehicles with safety and user experience (UX) considerations is increasingly essential. However, most co-design methods focus on safety engineering with attack concerns and do not discuss conflicts and integration, and few contain the UX aspect. Besides, most existing approaches are abstract at a high level without practical guidelines. This paper presents a literature review of existing safety and security design approaches and proposes a systematic approach for cybersecurity design of in-vehicle network systems based on the guideline in SAE J3061. The trade-off analysis is performed by using association keys and the proposed affecting map. The design process of an example Diagnostic on Internet Protocol (DoIP) system is reported to show how the approach works. Compared with the existing approaches, the proposed one considers safety, cybersecurity, and UX simultaneously, solves conflicts qualitatively or quantitatively, and obtains trade-off design requirements. This approach is applicable to the cybersecurity-driven design of in-vehicle network systems in the early stage with safety and UX considerations.

show abstract

“…Threat identification is used to identify possible security threats inside each target of evaluation (TOE) module, such as message tampering, malicious code injection, and message blocking. Attack surfaces and corresponding threats against connected vehicles have been investigated by [4,11,16,26]. In our example, the possible attacks were extracted from these research efforts.…”

Section: Threat Identificationmentioning

confidence: 99%

Security Risk Analysis Approach for Safety-Critical Systems of Connected Vehicles

Luo¹,

Hou²,

Zhang³

et al. 2020

Electronics

View full text Add to dashboard Cite

Modern vehicles are no longer merely mechanical systems but are monitored and controlled by various electronic systems. Safety-critical systems of connected vehicles become vulnerable to cyberattacks because of increasing interconnection. At present, the security risk analysis of connected vehicles is mainly based on qualitative methods, while these methods are usually subjective and lack consideration for functional safety. In order to solve this problem, we propose in this paper a security risk analysis framework for connected vehicles based on formal methods. Firstly, we introduce the electronic and electrical architecture of the connected vehicle and analyze the attack surfaces of the in-vehicle safety-critical systems from three levels of sensors, in-vehicle networks, and controllers. Secondly, we propose a method to model the target of evaluation (i.e., in-vehicle safety-critical system) as a Markov decision process and use probabilistic computation tree logic to formally describe its security properties. Then, a probabilistic model checker PRISM is used to analyze the security risk of target systems quantitatively according to security properties. Finally, we apply the proposed approach to analyze and compare the security risks of the collision warning system under a distributed and centralized electrical and electronic architecture. In addition, from a practical point of view, we propose a Markov model generation method based on a SysML activity diagram, which can simplify our modeling process. The evaluation results show that we can have a quantitative understanding of the security risks at the system level in the early stage of system design.

show abstract

A Comparative Study of JASO TP15002-Based Security Risk Assessment Methods for Connected Vehicle System Design

Cited by 11 publications

References 40 publications

On Validating Attack Trees with Attack Effects: An Approach from Barwise-Seligman's Channel Theory

On Validating Attack Trees with Attack Effects: An Approach from Barwise-Seligman's Channel Theory

A Systematic Approach for Cybersecurity Design of In-Vehicle Network Systems with Trade-Off Considerations

Security Risk Analysis Approach for Safety-Critical Systems of Connected Vehicles

Contact Info

Product

Resources

About