INTEGRATING AUTOMOTIVE HAZARD AND THREAT ANALYSIS METHODS: HOW DOES THIS FIT WITH ASSUMPTIONS OF THE SAE J3061

Transcription

1 INTEGRATING AUTOMOTIVE HAZARD AND THREAT ANALYSIS METHODS: HOW DOES THIS FIT WITH ASSUMPTIONS OF THE SAE J rd EuroAsiaSPI Conference, Graz, Austria Georg Macher AVL List GmbH (Headquarters)

2 INTEGRATING AUTOMOTIVE HAZARD AND THREAT ANALYSIS METHODS: HOW DOES THIS FIT WITH ASSUMPTIONS OF THE SAE J RD EUROASIASPI CONFERENCE, GRAZ, AUSTRIA Author(s): Co-Author(s): Approved by: Project Leader: Version: 1.0 Georg Macher Release date: Security level: Customer: Project: Task ID: Department: Andreas Riel - EMIRAcle Grenoble Institute of Technology Christian Kreiner - Graz University of Technology SoQrates Working Group Development and Research - Powertrain Engineering Copyright 2016, AVL List GmbH (Headquarters) Georg Macher Development and Research - Powertrain Engineering 15 September

3 AGENDA Cyber-Security and the Automotive Domain SAE J3061 Cyber-Security Guidebook Initial Cyber-Security Assessment (TARA) EVITA method TVRA OCTAVE HEAVENS security model Attack trees SW vulnerability analysis SAHARA Approach SAHARA Application Example Conclusion Georg Macher Georg Macher Development and Research - Powertrain Engineering 15 September

4 CYBER- SECURITY AND THE AUTOMOTIVE DOMAIN 4 Where is the challenge related to automotive security? Georg Macher Development and Research - Powertrain Engineering 15 September

5 SAE J3061 CYBER-SECURITY GUIDEBOOK 1 st available standard for the automotive domain still work-in-progress draft Proposes 3 ways of applying the SAE J3061 security processes for the automotive process landscape Standalone with defined communication points to safety engineering processes In Conjunction with ISO processes Hybrid an approach with only partially shared engineering processes Proposes an initial short cybersecurity assessment of all automotive systems (TARA) Analysis technique applied in the concept phase Identify potential threats to a feature and assess associated risks Allows prioritization of cyber-security activities and focusing of resources 3 step approach: Threat identification Risk assessment Risk analysis SAE J3061 Georg Macher Development and Research - Powertrain Engineering 15 September

6 EVITA PROJECT METHOD FUNCTIONAL SECURITY ANALYSIS Adaptation of ISO26262 HAZOP analysis called THROP Threats are defined based on primary functions of the feature Guide words are applied Potential worst-case scenarios are determined For every safety critical function all information used has to be authentic Analysis based on analysis of attacks on vehicle function Risk level determination adopted from ASIL SAE J3061 Georg Macher Development and Research - Powertrain Engineering 15 September

7 EVITA SEVERITY CLASSIFICATION SAE J3061 Georg Macher Development and Research - Powertrain Engineering 15 September

8 EVITA ATTACK PROBABILITY RATING SAE J3061 Georg Macher Development and Research - Powertrain Engineering 15 September

9 TVRA - THREAT, VULNERABILITIES, AND IMPLEMENTATION RISK ANALYSIS Process-driven methodology 10 steps to systematically identify unwanted incidents Determines the occurrence, likelihood and impact of threats to determine the risk Developed for data- and telecommunication networks Hardly applicable to embedded automotive systems Georg Macher Development and Research - Powertrain Engineering 15 September

10 OCTAVE OPERATIONALLY CRITICAL THREAT, ASSET, AND VULNERABILITY EVALUATION Process-driven methodology A series of workshops to identify assets, current practices, Cybersecurity requirements, threats, and vulnerabilities and then to develop a strategy and plan for mitigating risks and protecting assets Questionnaires and separate worksheets which are completed by participants attending a series of workshops Relation to embedded automotive systems not straightforward SAE J3061 Georg Macher Development and Research - Powertrain Engineering 15 September

11 HEAVENS SECURITY MODEL Threat-centric model, realized by applying STRIDE approach Ranking of threats by determination of Threat level (TL) corresponding a likelihood estimation Impact level (IL) impact on safety, financial, operational, privacy and legislation Security level (SL) final risk ranking Implies a lot of work to analyze and determine the individual SL Requires more details of the system design than possible available at early phases SAE J3061 Georg Macher Development and Research - Powertrain Engineering 15 September

12 HEAVENS SECURITY MODEL all tables SAE J3061 Georg Macher Development and Research - Powertrain Engineering 15 September

13 ATTACK TREES AND SW VULNERABILITY ANALYSIS Attack Tree Analysis Analogous to safety fault tree analysis Using logic expression for combination of sub-goals Adequate for exploiting combinations of threats Not optimal suitable as a TARA SW Vulnerability Analysis Examines SW code for know vulnerabilities Focusing on SW level solely Not suitable as a TARA Georg Macher Development and Research - Powertrain Engineering 15 September

14 SAHARA APPROACH SAHARA Security-Aware Hazard and Risk Analysis Combined approach of STRIDE and HARA Developed prior to SAE J3061 Combined safety and security analysis approach Threat classification based on adaptation of ASIL classification Classification of security threats via: required resources (R) required know-how (K) threat criticality (T) Georg Macher Development and Research - Powertrain Engineering 15 September

15 SAHARA: SECL CLASSIFICATION Resources (R) Knowhow (K) Criticality (T) SecL Georg Macher Development and Research - Powertrain Engineering 15 September

16 APPLICATION EXAMPLE 1/4 Running example electric steering column lock system (ESCL) ISCN/SoQrates 1. Safety analysis with SAHARA Georg Macher Development and Research - Powertrain Engineering 15 September

17 APPLICATION EXAMPLE 2/4 Running example electric steering column lock system (ESCL) ISCN/SoQrates 2. Security analysis with STRIDE Georg Macher Development and Research - Powertrain Engineering 15 September

18 APPLICATION EXAMPLE 3/4 Running example electric steering column lock system (ESCL) ISCN/SoQrates 3. Quantification of security threats with SAHARA method Georg Macher Development and Research - Powertrain Engineering 15 September

19 APPLICATION EXAMPLE 4/4 Running example electric steering column lock system (ESCL) ISCN/SoQrates 4. Combination of Safety and Security Outcomes Georg Macher Development and Research - Powertrain Engineering 15 September

20 SUMMARY 20 Review of the current state-of-the-art early development phase analysis methods Review of SAE J3061 cyber-security guidebook proposals regarding TARA Dependability features (safety, security, availability ) are system-wide features with mutual impacts and interdisciplinary values SAHARA method provides a measureable quantification of system s security Example application electric steering column lock system (ESCL) Georg Macher Georg Macher Development and Research - Powertrain Engineering 15 September

21 THANK YOU

22 22 REFERENCES EMC EMC² Project. Available at: ISO ISO Road vehicles functional safety, parts Geneva, Switzerland: International Organization for Standardization. ISO ISO/IEC Industrial communication networks network and system security. Geneva, Switzerland: International Organization for Standardization. Macher, G., E. Armengaud, and C. Kreiner A practical approach to classification of safety and security risks. In Proceedings of EuroSPI 2015, Denmark. Macher, G., E. Armengaud, E. Brenner, and C. Kreiner A review of threat analysis and risk assessment methods in the automotive context. In Proceedings of SAFECOMP 2016, 20 September. Macher, G., A. Hoeller, H. Sporer, E. Armengaud, and C. Kreiner A combined safety-hazards and securitythreat analysis method for automotive systems. In Proceedings of SAFECOMP 2015 Workshops ASSURE, DECSoS, ISSE, ReSA4CI, and SASSUR, The Netherlands, 22 September. Springer International Publishing AG. MSDN The MSDN STRIDE threat model. Available at: SAE Vehicle Electrical System Security Committee. SAE J3061 Cybersecurity Guidebook for Cyber-Physical Automotive Systems. Scuro, G Automotive industry: Innovation driven by electronics. Available at: Sentilles, S., P. Stepan, J. Carlson, and I. Crnkovic Component-based software engineering. In Proceedings of the 12th International Symposium CBSE, June, Berlin Heidelberg: Springer Berlin Heidelberg. Georg Macher Georg Macher Development and Research - Powertrain Engineering 15 September