A Review of Threat Analysis and Risk Assessment Methods in the Automotive Context

Macher, Georg; Armengaud, Eric; Brenner, Eugen; Kreiner, Christian

doi:10.1007/978-3-319-45477-1_11

Cited by 55 publications

(43 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The HEAVENS method simplifies the indicators of threat analysis and is easier to implement. In addition to the threat analysis methods mentioned in SAE J3061, many other methods (such as OCTAVE, ATA, and FMVEA) that may be applicable to the automotive environment are summarized in [6,18]. Despite all this, these methods are qualitative analyses and have not been effectively verified in the automotive context by considering functional safety.…”

Section: Related Workmentioning

confidence: 99%

“…The functions implemented by the software on the vehicles are increasing at a rate of about 30% every year, which makes the manageability of the vehicle's functions a great challenge (e.g., real-time, safety, and security) [6]. With the development of advanced driving assistance systems (ADASs), automatic driving technology, and V2X technology, the security threat scenarios faced by vehicles have become more complex and have a serious impact.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Security Risk Analysis Approach for Safety-Critical Systems of Connected Vehicles

Luo¹,

Hou²,

Zhang³

et al. 2020

Electronics

View full text Add to dashboard Cite

Modern vehicles are no longer merely mechanical systems but are monitored and controlled by various electronic systems. Safety-critical systems of connected vehicles become vulnerable to cyberattacks because of increasing interconnection. At present, the security risk analysis of connected vehicles is mainly based on qualitative methods, while these methods are usually subjective and lack consideration for functional safety. In order to solve this problem, we propose in this paper a security risk analysis framework for connected vehicles based on formal methods. Firstly, we introduce the electronic and electrical architecture of the connected vehicle and analyze the attack surfaces of the in-vehicle safety-critical systems from three levels of sensors, in-vehicle networks, and controllers. Secondly, we propose a method to model the target of evaluation (i.e., in-vehicle safety-critical system) as a Markov decision process and use probabilistic computation tree logic to formally describe its security properties. Then, a probabilistic model checker PRISM is used to analyze the security risk of target systems quantitatively according to security properties. Finally, we apply the proposed approach to analyze and compare the security risks of the collision warning system under a distributed and centralized electrical and electronic architecture. In addition, from a practical point of view, we propose a Markov model generation method based on a SysML activity diagram, which can simplify our modeling process. The evaluation results show that we can have a quantitative understanding of the security risks at the system level in the early stage of system design.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Security Risk Analysis Approach for Safety-Critical Systems of Connected Vehicles

Luo¹,

Hou²,

Zhang³

et al. 2020

Electronics

View full text Add to dashboard Cite

show abstract

“…And in cybersecurity, an additional view of a cybersecurity related defence model with static and dynamic design will be needed (Figures and ).…”

Section: Integrating Automotive Spice Functional Safety and Cybersementioning

confidence: 99%

Extending Automotive SPICE 3.0 for the use in ADAS and future self‐driving service architectures

Messnarz¹,

Kreiner

Macher

et al. 2018

J Software Evolu Process

Self Cite

View full text Add to dashboard Cite

The SOQRATES (www.soqrates.de) working party has been established in 2003 with the support of the Bavarian SW initiative. Major automotive suppliers joined forces to exchange best practices in topics such as Automotive SPICE, functional safety, and cybersecurity.The research method of SOQRATES is to compare the best practices, and in case that a specific design pattern is accepted by all parties, it is declared and published as a state of the art.Some of the results of the working party have been packaged into training courses.For example, in the EU project SafEUr (518632-LLP-1-2011-1-AT-LEONARDO-LMP, 2011-2012) a European partnership with inputs from SOQRATES developed a skill set, training materials, and best practices for the implementation of ISO 26262.For example, in the EU project AQUA (Knowledge Alliance for Quality in Automotive, EAC-2012EAC- -0635, 2013EAC- -2014, a European partnership with inputs from SOQRATES developed a skill set, training materials, and best practices for integrating Automotive SPICE, ISO 26262, and Six Sigma.For example, in the EU project AQU (Automotive Quality Universities, 2015-1-CZ01-KA203-013986, 2015-2017), a European partnership with inputs from SOQRATES applied the AQUA concept with universities in Austria, Germany, France, and Czech Republic who educate students that will work in the automotive industry.Also, the working party elaborated integrated assessment models where the Automotive SPICE 3.0 has been merged with ISO 26262 (further safety related questions) and SAE J3061 (further cybersecurity questions). This paper will look into the future of self-driving cars and discuss the design patterns that are currently analysed in the working party to support a vehicle in future self-driving infrastructure architectures and processes. KEYWORDSAutomotive SPICE, cybersecurity, functional safety, ISO 26262, SAE J3061, service architectures for automotive 1 | INTRODUCTION ADAS stands for Autonomous Driving Assistance Systems and realises functions that support the driver but still keep the driver in the flow. It is still expected that there is a driver with a driver licence who is part of the control flow. From 2030 on the plans from OEMs are to produce self-driving cars where there are no drivers, the passenger is a person that is provided with a mobility service. The car itself must control the situation (supported by infrastructure), and also the insurance model will have been changed by then. Cars will have a black box that logs all vehicle data from all electronic control units (ECUs) and insurance will go with the car and the component, and will not be on the driver as a person any more.In case of the steering example in this paper, the authors also outline the future of a self-driving scenario.Automotive companies experience an exponential increase in functional development. Major car manufacturers develop vehicle functions that can be decomposed into features (functions) on ECU and supplier level. A real time communication (via a bus) of a set of electronic control units ...

show abstract

“…in autonomous driving and express the need of related new testing concepts. [20,21,22]. Only few address stratified sampling [11,12]; but they do it without discussing one-sided confidence intervals.…”

Section: Existing Viewsmentioning

confidence: 99%

Statistical Considerations on Software-Safety Estimation in Licensing

Ehrenberger¹

2018

MCS

View full text Add to dashboard Cite

During the discussions in preparation of the new versions of the International Electrotechnical Commission (IEC) standards IEC 61508-3 and IEC 61508-7, controversies regarding the proper roles of statistical validation or verification of safety-related software have emerged. These controversies regard changing demand profiles and continuous operation versus on-demand operation. This contribution derives a formula for calculating the failure probability per demand of software that has been tested under a demand profile that is different from the profile of its intended use. It also explains how failure rates can be expressed in terms of failure probabilities per demand, if the operational conditions are known. It further describes how software that is alternately operated continuously and on demand can be characterized in statistical terms and how the two operation modes can be recognized during a statistical evaluation. The notion of "mission" is suggested for sequences of demands or mixtures of demand-driven and continuous operation of software. In order to allow statistical calculations many requirements have to be met strictly. They are listed in the appendix. This article can hopefully facilitate licensing of software in many cases. Remarks are invited.

show abstract

A Review of Threat Analysis and Risk Assessment Methods in the Automotive Context

Cited by 55 publications

References 4 publications

Security Risk Analysis Approach for Safety-Critical Systems of Connected Vehicles

Security Risk Analysis Approach for Safety-Critical Systems of Connected Vehicles

Extending Automotive SPICE 3.0 for the use in ADAS and future self‐driving service architectures

Statistical Considerations on Software-Safety Estimation in Licensing

Contact Info

Product

Resources

About