Browse Publications Technical Papers 2022-01-7087

Identification and Verification of Attack-Tree Threat Models in Connected Vehicles 2022-01-7087

As a result of the ever-increasing application of cyber-physical components in the automotive industry, cybersecurity has become an urgent topic. Adapting technologies and communication protocols like Ethernet and WiFi in connected vehicles yields many attack scenarios. Consequently, ISO/SAE 21434 and UN R155 (2021) define a standard and regulatory framework for automotive cybersecurity, Both documents follow a risk management-based approach and require a threat modeling methodology for risk analysis and identification. Such a threat modeling methodology must conform to the Threat Analysis and Risk Assessment (TARA) framework of ISO/SAE 21434. Conversely, existing threat modeling methods enumerate isolated threats disregarding the vehicle’s design and connections. Consequently, they neglect the role of attack paths from a vehicle’s interfaces to its assets. In other words, they are missing the TARA work products, e.g., attack paths compromising assets or feasibility and impact ratings. We propose a threat modeling methodology to construct attack paths by identifying, sequencing, and connecting vulnerabilities from a valid attack surface to an asset. Initially, we transform cybersecurity guidelines to attack trees, and then we use their formal interpretations to assess the vehicle’s design. This workflow yields compositional construction of attack paths along with the required TARA work products (e.g., attack paths, feasibility, and impact). More importantly, we can apply the workflow iteratively in the context of connected vehicles to ensure design conformity, privacy, and cybersecurity. Finally, to show the complexity and the importance of preemptive threat identification and risk analysis in the automotive industry, we evaluate the presented modelbased approach in a connected vehicle testing platform, SPIDER.


Subscribers can view annotate, and download all of SAE's content. Learn More »


Members save up to 17% off list price.
Login to see discount.
Special Offer: Download multiple Technical Papers each year? TechSelect is a cost-effective subscription option to select and download 12-100 full-text Technical Papers per year. Find more information here.