INTEGRATING AUTOMOTIVE HAZARD AND THREAT ANALYSIS METHODS: HOW DOES THIS FIT WITH ASSUMPTIONS OF THE SAE J3061
23rd EuroAsiaSPI Conference, Graz, Austria
Georg Macher, AVL List GmbH (Headquarters)
Public
Georg Macher | Development and Research - Powertrain Engineering | 15 September 2016 | 2Public
Author(s): Georg Macher
Co-Author(s):
Andreas Riel - EMIRAcle, Grenoble Institute of Technology
Christian Kreiner - Graz University of Technology
Approved by:
Project Leader:
Version: 1.0
Release date: 15.09.2016
Security level: Public
Customer:
Project: SoQrates Working Group
Task ID:
Department: Development and Research - Powertrain Engineering
Copyright © 2016, AVL List GmbH (Headquarters)
AGENDA
• Cyber-Security and the Automotive Domain
• SAE J3061 Cyber-Security Guidebook
• Initial Cyber-Security Assessment (TARA): EVITA method, TVRA, OCTAVE, HEAVENS security model, attack trees, SW vulnerability analysis
• SAHARA Approach
• SAHARA Application Example
• Conclusion
CYBER-SECURITY AND THE AUTOMOTIVE DOMAIN
Where is the challenge related to automotive security?
SAE J3061 CYBER-SECURITY GUIDEBOOK
• 1st available "standard" for the automotive domain, still a work-in-progress draft
• Proposes 3 ways of applying the SAE J3061 security processes to the automotive process landscape:
  • Standalone – with defined communication points to safety engineering processes
  • In conjunction with ISO 26262 processes
  • Hybrid – an approach with only partially shared engineering processes
© SAE J3061
• Proposes an initial short cybersecurity assessment of all automotive systems (TARA)
  • Analysis technique applied in the concept phase
  • Identifies potential threats to a feature and assesses the associated risks
  • Allows prioritization of cyber-security activities and focusing of resources
  • 3 step approach: threat identification, risk assessment, risk analysis
EVITA PROJECT METHOD – FUNCTIONAL SECURITY ANALYSIS
• Adaptation of the ISO 26262 HAZOP analysis, called THROP
  • Threats are defined based on the primary functions of the feature
  • Guide words are applied
  • Potential worst-case scenarios are determined
• For every safety-critical function, all information used has to be authentic
• Analysis is based on the analysis of attacks on vehicle functions
• Risk level determination adopted from ASIL
© SAE J3061
EVITA SEVERITY CLASSIFICATION
© SAE J3061
EVITA ATTACK PROBABILITY RATING
© SAE J3061
TVRA – THREAT, VULNERABILITIES, AND IMPLEMENTATION RISK ANALYSIS
• Process-driven methodology
• 10 steps to systematically identify unwanted incidents
• Determines the occurrence likelihood and impact of threats in order to determine the risk
• Developed for data and telecommunication networks
• Hardly applicable to embedded automotive systems
OCTAVE – OPERATIONALLY CRITICAL THREAT, ASSET, AND VULNERABILITY EVALUATION
• Process-driven methodology
• A series of workshops to identify assets, current practices, cybersecurity requirements, threats, and vulnerabilities, and then to develop a strategy and plan for mitigating risks and protecting assets
• Questionnaires and separate worksheets which are completed by participants attending a series of workshops
• Relation to embedded automotive systems not straightforward
© SAE J3061
HEAVENS SECURITY MODEL
• Threat-centric model, realized by applying the STRIDE approach
• Ranking of threats by determination of:
  • Threat level (TL) – corresponding to a likelihood estimation
  • Impact level (IL) – impact on safety, financial, operational, privacy and legislation
  • Security level (SL) – final risk ranking
• Implies a lot of work to analyze and determine the individual SL
• Requires more details of the system design than are usually available at early phases
© SAE J3061
HEAVENS SECURITY MODEL
all tables © SAE J3061
ATTACK TREES AND SW VULNERABILITY ANALYSIS
• Attack Tree Analysis
  • Analogous to safety fault tree analysis
  • Uses logic expressions for the combination of sub-goals
  • Adequate for exploring combinations of threats
  • Not optimally suited as a TARA
• SW Vulnerability Analysis
  • Examines SW code for known vulnerabilities
  • Focuses on the SW level solely
  • Not suitable as a TARA
SAHARA APPROACH
• SAHARA – Security-Aware Hazard and Risk Analysis
• Combined approach of STRIDE and HARA
• Developed prior to SAE J3061
• Combined safety and security analysis approach
• Threat classification based on an adaptation of the ASIL classification
• Classification of security threats via:
  • required resources (R)
  • required know-how (K)
  • threat criticality (T)
SAHARA: SECL CLASSIFICATION
(classification tables not reproduced in this text: Resources (R), Know-how (K) and Criticality (T) are combined into the SecL)
APPLICATION EXAMPLE 1/4
Running example: electric steering column lock system (ESCL)
1. Safety analysis with SAHARA
© ISCN/SoQrates
APPLICATION EXAMPLE 2/4
Running example: electric steering column lock system (ESCL)
2. Security analysis with STRIDE
© ISCN/SoQrates
APPLICATION EXAMPLE 3/4
Running example: electric steering column lock system (ESCL)
3. Quantification of security threats with the SAHARA method
© ISCN/SoQrates
APPLICATION EXAMPLE 4/4
Running example: electric steering column lock system (ESCL)
4. Combination of Safety and Security Outcomes
© ISCN/SoQrates
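The four steps of the ESCL example (HARA, STRIDE analysis, SecL quantification via R/K/T, combination of the outcomes) carried through in code, as an added illustration that is not part of the slides or of AVL's tooling. The ASIL derivation follows ISO 26262-3; the SecL rule and the ESCL hazard and threat rows are constructed stand-ins, since the slides do not reproduce the SAHARA SecL table or the worksheets.

```python
"""SAHARA-style combination of a HARA (ISO 26262) and a STRIDE analysis for an
electric steering column lock (ESCL). Added example, not the slides' or AVL's
code; the SecL rule is a constructed stand-in for the SAHARA table."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def asil(s: int, e: int, c: int) -> str:
    """ISO 26262-3 ASIL from S1-S3, E1-E4, C1-C3; the table collapses to the
    sum S+E+C: 10 -> D, 9 -> C, 8 -> B, 7 -> A, anything lower -> QM."""
    assert 1 <= s <= 3 and 1 <= e <= 4 and 1 <= c <= 3
    return {10: "D", 9: "C", 8: "B", 7: "A"}.get(s + e + c, "QM")

def secl(r: int, k: int, t: int) -> int:
    """SecL 0..4 from required resources R, know-how K, threat criticality T
    (0-3 each, assumed). CONSTRUCTED rule: T=0 is never security relevant;
    the level rises with T and falls with the effort (R, K) an attack needs."""
    assert all(0 <= v <= 3 for v in (r, k, t))
    return 0 if t == 0 else max(1, t + 1 - (r + k) // 2)

@dataclass
class Hazard:            # one HARA row (slide step 1)
    hazard_id: str
    s: int
    e: int
    c: int

@dataclass
class Threat:            # one STRIDE row (slide step 2)
    threat_id: str
    stride: str
    r: int
    k: int
    t: int
    related_hazard: Optional[str] = None   # hazard this threat can provoke

def combine(hazards: List[Hazard], threats: List[Threat], safety_t: int = 3
            ) -> Tuple[Dict[str, int], Dict[str, dict]]:
    """Slide steps 3 and 4: quantify each threat (SecL) and link threats whose
    criticality reaches the safety-relevant level (T >= safety_t) into the HARA
    as triggers of the hazard they can provoke, so safety goals inherit them."""
    secl_of = {th.threat_id: secl(th.r, th.k, th.t) for th in threats}
    out = {h.hazard_id: {"asil": asil(h.s, h.e, h.c), "triggers": []} for h in hazards}
    for th in threats:
        if th.t >= safety_t and th.related_hazard in out:
            out[th.related_hazard]["triggers"].append(th.threat_id)
    return secl_of, out

# Constructed ESCL sample, not the slides' worksheets: H1 = lock engages while
# driving; T1 = spoofed "vehicle parked" status; T2 = lock state disclosed.
ESCL_HAZARDS = [Hazard("H1", s=3, e=3, c=3)]
ESCL_THREATS = [Threat("T1", "Spoofing", r=2, k=2, t=3, related_hazard="H1"),
                Threat("T2", "Information disclosure", r=1, k=1, t=1)]
```

Running `combine(ESCL_HAZARDS, ESCL_THREATS)` yields SecL 2 for T1 and 1 for T2, and hazard H1 (ASIL C) lists T1 as a security trigger, which is the hand-over from the security worksheet into the safety analysis shown on the slide.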
SUMMARY
• Review of the current state-of-the-art early development phase analysis methods
• Review of SAE J3061 cyber-security guidebook proposals regarding TARA
• Dependability features (safety, security, availability …) are system-wide features with mutual impacts and interdisciplinary values
• SAHARA method provides a measurable quantification of a system's security
• Example application electric steering column lock system (ESCL)
www.avl.com
THANK YOU
REFERENCES
EMC. 2015. EMC² Project. Available at: http://www.artemis-emc2.eu/.
ISO. 2011. ISO 26262 Road vehicles functional safety, parts 1-10. Geneva, Switzerland: International Organization for Standardization.
ISO. 2009. ISO/IEC 62443 Industrial communication networks - network and system security. Geneva, Switzerland: International Organization for Standardization.
Macher, G., E. Armengaud, and C. Kreiner. 2015. A practical approach to classification of safety and security risks. In Proceedings of EuroSPI 2015, 10.1 - 10.10. Denmark.
Macher, G., E. Armengaud, E. Brenner, and C. Kreiner. 2016. A review of threat analysis and risk assessment methods in the automotive context. In Proceedings of SAFECOMP 2016, 20 September.
Macher, G., A. Hoeller, H. Sporer, E. Armengaud, and C. Kreiner. 2015. A combined safety-hazards and security-threat analysis method for automotive systems. In Proceedings of SAFECOMP 2015 Workshops ASSURE, DECSoS, ISSE, ReSA4CI, and SASSUR, The Netherlands, 22 September. Springer International Publishing AG.
MSDN. 2015. The MSDN STRIDE threat model. Available at: https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
SAE. 2016. Vehicle Electrical System Security Committee. SAE J3061 Cybersecurity Guidebook for Cyber-Physical Automotive Systems.
Scuro, G. 2012. Automotive industry: Innovation driven by electronics. Available at: http://embedded-computing.com/articles/automotive-industry-innovation-driven-electronics/.
Sentilles, S., P. Stepan, J. Carlson, and I. Crnkovic. 2009. Component-based software engineering. In Proceedings of the 12th International Symposium CBSE, 24-26 June, 173-190. Berlin Heidelberg: Springer Berlin Heidelberg.