Security Risk Analysis in the Automotive Industry

No industry is immune from cyber attacks

The number of cybersecurity incidents grows every year, because ever more devices are connected to a network and process sensitive data that is attractive to attackers. Malicious actions do not only aim at obtaining valuable information; they may also aim at disrupting a service, for example through a Denial-of-Service (DoS) attack. Unfortunately, every device capable of performing any kind of computation is a potential target. This affects many industries working with anything from IoT devices to small embedded systems.

Cybersecurity incidents in the automotive industry can cost lives

The automotive industry is no exception. Modern cars are highly complex and contain dozens of embedded electronic control units (ECUs), interconnected over Controller Area Network (CAN) buses.

On a CAN bus, every data frame is broadcast to all nodes on the network, and classic CAN itself authenticates neither the sender nor the content of a frame, so any node that can transmit on the bus can send frames that other ECUs will act upon. In addition, some advanced techniques for securing data exchange among ECUs may not be feasible because of performance requirements: a car's Anti-lock Braking System (ABS) or Dynamic Stability Control (DSC) system must react within a very short time, because people's lives depend on these embedded systems in critical situations, which leaves little latency or CPU budget for, e.g., authenticating every message. A security flaw in an ECU is a vulnerability that attackers can exploit, and it causes considerable problems for manufacturers of embedded car components, including the cost of fixing the vulnerability and potential lawsuits. Moreover, modern cars are becoming even more complex because some components are connected to the Internet and the manufacturing process involves IoT devices, cloud storage, etc., as shown in Figure 1. The scope of potential attacks and security problems is broader than ever. It is evident that security must be integrated into every phase of embedded-system development to avoid the risks posed by a potential attack. One of the most effective ways to prevent security issues at every stage of the development process is to perform a Security Risk Analysis.

SRA-pic-1
Figure 1: Car Systems Security

Security risk analysis is a necessity

Security Risk Analysis (SRA) is a formal process of identifying, assessing, and mitigating the security risks associated with a given system. SRA matters because the cost of fixing a vulnerability during the vehicle testing phase, or once the product is in the field, is typically far greater than the cost of fixing it during the design phase. Moreover, SRA has additional benefits:

  1. Enables innovative and secure new features through security by design
  2. Provides an optimal return on investment for your security efforts

The earlier vulnerabilities are discovered, the easier they are to manage, because the countermeasures can be built into the design and development phase instead of being retrofitted. Risk analyses can be performed on any system or device, including a car's embedded systems such as infotainment systems, gateways, instrument cluster devices, etc.

The best way to perform a security risk analysis

A risk analysis must follow effective and clear steps in order to be successful. As a best practice, SRA is performed during the project preparation and product/process conception stages of the product development process. Our SRA model consists of several steps, illustrated in Figure 2.

First, the security goals are identified, taking into account product-dependent factors such as the scope of the product or process, its use cases, and any existing assumptions about the Target of Evaluation (TOE), which can be any of the embedded car components mentioned earlier. Using this information, we finalize the security goals of the TOE clearly and precisely. Once the security goals have been identified, we perform threat modeling, a central part of the SRA process. Threat modeling is the process of identifying, communicating, and understanding threats. More precisely, we work with the customer to outline the possible attack paths and attacker models that realize each threat, and we build attack trees: the root of each tree is the violation of a security goal, and its branches represent the attack paths that lead to it in a structured way. All of this gives us an understanding of the customer's product in terms of security, so that we can assess the risk of each identified threat against the security goals.

During the risk assessment, we calculate a risk value for each threat as a combination of its attack potential and its damage potential:

  1. Attack potential is the likelihood that a certain vulnerability is exploited in a successful attack; it is rated from the effort the attacker must invest, such as time, expertise, knowledge of the target, window of opportunity, and equipment.
  2. Damage potential is an evaluation of the damage a successful attack on the given vulnerability can cause, for example to safety, finances, operation, or privacy.

Finally, we measure the risk and express it as a numerical value. We use our own scoring matrix that combines the ratings for attack potential and damage potential into a risk value for each threat.

The last step of SRA is to propose handling approaches for the identified risks, based on the requirements and the information obtained while working closely with the customer. We derive security needs from the assumptions determined for the security goals. Combining the security needs with the calculated risk value of each threat, we propose risk-handling steps that mitigate the risks to the customer's product.
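The two steps above (rating each threat's attack potential and damage potential, combining them through a matrix into a risk value, and mapping that value to a handling option) can be made concrete in code. The following is an added example written for this article, not ESCRYPT's own scoring matrix or tooling. The factor points in FACTOR_POINTS and the likelihood bands in attack_potential are modelled on the Common Criteria (CEM) attack-potential table; the damage scale DAMAGE_LEVEL, the RISK_MATRIX, the AND/OR combination rule, and the handling thresholds are assumptions chosen for illustration, and the two sample threats with their ratings are constructed, not findings about any real vehicle.

```python
"""Attack-tree risk scoring: attack potential and damage potential combined into a risk value.

Added illustrative example, not ESCRYPT's own scoring matrix. Factor points and likelihood
bands are modelled on the Common Criteria (CEM) attack-potential table; the damage scale,
risk matrix, AND/OR rule and handling thresholds are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Effort points per attack-potential factor (CEM-style; a subset of the full table).
FACTOR_POINTS: Dict[str, Dict[str, int]] = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "sensitive": 7, "critical": 11},
    "window": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9},
}
# Hypothetical damage scale and risk matrix (rows: damage 1..4, columns: attack potential 1..5).
DAMAGE_LEVEL = {"negligible": 1, "moderate": 2, "major": 3, "severe": 4}
RISK_MATRIX = [[1, 1, 1, 2, 2], [1, 2, 2, 3, 3], [2, 2, 3, 4, 4], [2, 3, 4, 5, 5]]


@dataclass
class Node:
    """Attack-tree node: a leaf attack step with factor ratings, or an AND/OR gate."""
    name: str
    kind: str = "leaf"  # "leaf", "or" or "and"
    factors: Dict[str, str] = field(default_factory=dict)
    children: List["Node"] = field(default_factory=list)


def step(name: str, **factors: str) -> Node:
    return Node(name, "leaf", factors)


def required_points(node: Node) -> int:
    """Effort (points) the attacker needs to reach this node. OR: the cheapest child wins.
    AND: all children are needed, so points add up (a simplification of the CEM rule,
    which adds only elapsed time and takes the maximum of the other factors)."""
    if node.kind == "leaf":
        return sum(FACTOR_POINTS[f][rating] for f, rating in node.factors.items())
    child_points = [required_points(c) for c in node.children]
    if node.kind == "or":
        return min(child_points)
    if node.kind == "and":
        return sum(child_points)
    raise ValueError(f"unknown node kind {node.kind!r}")


def attack_potential(points: int) -> int:
    """Likelihood level 1 (very unlikely) .. 5 (very likely) from effort points, using the
    CEM bands: below 10 points a 'basic' attacker succeeds, 25 or more is 'beyond high'."""
    for limit, level in ((10, 5), (14, 4), (20, 3), (25, 2)):
        if points < limit:
            return level
    return 1


def damage_potential(impacts: Dict[str, str]) -> int:
    """Worst-case severity across impact categories (safety, financial, privacy, ...)."""
    return max(DAMAGE_LEVEL[s] for s in impacts.values())


def handling(risk: int) -> str:
    # Thresholds are assumptions; the page only lists the four options.
    if risk >= 4:
        return "mitigate: a security requirement is mandatory"
    if risk == 3:
        return "mitigate, transfer or avoid: decide with the customer"
    return "accept: document and monitor"


@dataclass
class Threat:
    goal: str  # security goal that the attack tree violates
    tree: Node
    impacts: Dict[str, str]


def assess(threat: Threat) -> Dict[str, object]:
    points = required_points(threat.tree)
    ap, dp = attack_potential(points), damage_potential(threat.impacts)
    risk = RISK_MATRIX[dp - 1][ap - 1]
    return {"goal": threat.goal, "points": points, "attack_potential": ap,
            "damage_potential": dp, "risk": risk, "handling": handling(risk)}


# Constructed sample threats with hypothetical ratings; not findings about any real product.
THREATS = [
    Threat("Integrity of brake-related CAN traffic",
           Node("inject forged frames on the vehicle CAN bus", "or", children=[
               Node("via the diagnostic port", "and", children=[
                   step("get physical access to the port", elapsed_time="<=1 day", expertise="proficient",
                        knowledge="public", window="moderate", equipment="standard"),
                   step("craft frames the target ECU accepts", elapsed_time="<=1 week", expertise="proficient",
                        knowledge="restricted", window="unlimited", equipment="specialised")]),
               Node("via a remotely compromised telematics unit", "and", children=[
                   step("compromise the telematics unit remotely", elapsed_time="<=6 months", expertise="expert",
                        knowledge="sensitive", window="moderate", equipment="specialised"),
                   step("bridge from telematics to the bus", elapsed_time="<=1 month", expertise="expert",
                        knowledge="restricted", window="easy", equipment="standard")])]),
           {"safety": "severe", "financial": "major"}),
    Threat("Confidentiality of the owner's contact list",
           step("read contacts from infotainment storage", elapsed_time="<=1 day", expertise="layman",
                knowledge="public", window="easy", equipment="standard"),
           {"privacy": "moderate", "safety": "negligible"}),
]

if __name__ == "__main__":
    for t in THREATS:
        print(assess(t))
```

Running the script rates the first threat at 18 points (the diagnostic-port path is the cheapest branch of the OR node), i.e. attack potential 3, which together with severe safety damage gives risk value 4 and mandatory mitigation; the contact-list threat is trivially easy (attack potential 5) but only moderately damaging, so it lands at risk value 3, where the handling option is a decision to take with the customer.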

SRA-pic-2
Figure 2: Security Risk Analysis Overview

Secure product life cycle

Security Risk Analysis is only the first step toward achieving the security goals of a product, as shown in Figure 3. ESCRYPT provides security throughout the product life cycle, which helps our customers reach a level of security sufficient for their products and needs.

Risks can be mitigated, transferred, avoided, or accepted. Based on the results of the risk analysis, our SRA framework helps customers take the appropriate action: depending on the customer's needs and willingness to accept and deal with the remaining risks, we define mitigation measures for the risk associated with each attack path. The key output of SRA is the input to the subsequent security concept: after the SRA is completed, we derive security requirements from the customer's product requirements and the SRA output. Examples of our services that build on these recommendations are:

  1. Security Concepts based on the identified security needs and your input
  2. Secure Implementations of the Security Concepts including integrated security solutions with CycurHSM, CycurIDS, or CycurLIB
  3. Security Tests of the final product to identify real-world threats and to evaluate the implementation
  4. Secure Updates to recover from incidents during operations

SRA-pic-3
Figure 3: Product Development Lifecycle

If you have any questions, please feel free to contact us or comment below!

Amrita Bhanja, Security Consultant
Kirill Kultinov, Security Specialist
