1
Security risk analysis approach
for on-board vehicle networks
Alastair Ruddle
Consultant, MIRA Limited
The Fully Networked Car
Geneva, 3-4 March 2010
Motivation
Future vehicles will become mobile nodes in
a dynamic transport network
o
•
•
vehicle systems will be under threat from
malicious individuals and groups seeking to gain
personal or organizational advantage
ensuring security will be critical for the
successful deployment of V2X technology
EU project EVITA aims to prototype a
toolkit of techniques and components to
ensure the security of in-vehicle systems
o
•
hardware, software, analysis methods
The Fully Networked Car
Geneva, 3-4 March 2010
2
EVITA scope and assets
Security
Security
Sensor
Actuator
ECU
OEM Backend
Sensor
Actuator
ECU
Security
Security
ECU
ECU
Third-Party
Different levels of
security protection
are envisaged,
depending on need
Security
ECU
ECU
Security
Sensor
Actuator
ECU
ECU
Sensor
Actuator
The Fully Networked Car
Geneva, 3-4 March 2010
EVITA only aims to
investigate network
security solutions at
vehicle level
Some assets may not
require security
measures (low risk)
Risk analysis aims
to prioritize security
requirements
3
EVITA project security risk analysis rationale
o Too costly to protect against every threat, so need
to rank risks in order to prioritize countermeasures
o Risk associated with a security attack depends on:
• severity of impact (ie. harm to stakeholders)
— drivers, other road users, civil authorities, ITS operators,
vehicle manufacturers and system suppliers
• probability of successful attack
— depends on attacker resources, nature of attack
o Physical safety is a key aspect of security
• physical harm may be an objective of an attack
• harm may also be an unintended consequence
The Fully Networked Car
Geneva, 3-4 March 2010
4
Starting point – EVITA Use Cases
A suite of 18 potential use cases was defined,
based on EASIS project network architecture
In-vehicle network structure
Communication
Diagnosis
Interface
Unit CU
Powertrain
Chassis & Safety
Body Electronic
Head Unit
PTC
CSC
BEM
HU
GPS/Galileo
UMTS
DSRC
Bluetooth
USB
Engine Control
Brake Control
Instrument
Audio
Door Modules
Steering
Environmental
Transmission
PT Sensors
Sensors
Passive Safety
Airbag
Chassis Sensors
Light Control
Climate
Display / Video
Mobile Device
Seat ECU
e.g. Steer Angle
Assumed reference architecture
The Fully Networked Car
Geneva, 3-4 March 2010
• car-infrastructure
• aftermarket
Navigation
Telephone
• car-car
• mobile devices
Chassis /
Hybrid Drive
Scenario classes:
• maintenance
5
Security threat agents and their motivations
o Dishonest drivers
• avoid financial obligations, gain traffic advantages;
o Hackers
• gain/enhance reputation as a hacker;
o Criminals and terrorists
• financial gain, harm or injury to individuals or groups;
o Dishonest organisations
• driver profiling, industrial espionage, sabotage of
competitor products;
o Rogue states
• achieve economic harm to other societies
The Fully Networked Car
Geneva, 3-4 March 2010
6
Threat analysis – Attack Trees
Common model to map attack trees to risk analysis
The Fully Networked Car
Geneva, 3-4 March 2010
7
Severity classification in vehicle safety engineering
The Fully Networked Car
Geneva, 3-4 March 2010
8
Extending from safety to security
The Fully Networked Car
Geneva, 3-4 March 2010
9
Severity classification of privacy infringements
The Fully Networked Car
Geneva, 3-4 March 2010
10
Financial severity classification
The Fully Networked Car
Geneva, 3-4 March 2010
11
Security severity classification – a 4-component vector 12
The Fully Networked Car
Geneva, 3-4 March 2010
Attack potential and probability
o Attack potential evaluation
• using established, structured approach from “Common Criteria”
• applied in EVITA at “asset attack” level of attack trees
o Indicative of attack probability (inverse relationship)
• numerical scale used to represent relative ranking of attack
probability
The Fully Networked Car
Geneva, 3-4 March 2010
13
Controllability – safety hazards
Possibility for the driver (and/or other traffic
participants) to mitigate possible safety hazards
The Fully Networked Car
Geneva, 3-4 March 2010
14
Risk graph (fragment only)
Non-safety aspects addressed with table for
controllability C=1 (C>1 only for safety issues)
The Fully Networked Car
Geneva, 3-4 March 2010
15
Attack tree tables for risk analysis
16
A compressed tabular attack tree representation
provides a convenient framework for documenting
the risk analysis
Attack
Severity Attack
Objective
(S)
Method
B
Risk level
(R)
Combined attack
method probability
(A)
B1
RB1(SB, AB1)
AB1=min{Pa,Pb}
B2
RB2(SB, AB2)
AB2=max{Pd,Pe,Pf}
SB
Attack
Asset Probability
(attack)
(P)
a&
b
d
e
f
Pa
Pb
Pd
Pe
Pf
OR: as easy as the easiest option
AND: as hard as the hardest component
The Fully Networked Car
Geneva, 3-4 March 2010
Overview of EVITA attack trees
o The 18 EVITA use cases suggested 10 attack trees:
• attack E-call, attack E-toll
• tamper with warnings, attack active break
• manipulate speed limits, force green light
• manipulate traffic flow, simulate traffic jam
• unauthorized braking, engine denial-of-service
o These are representative, but not exhaustive
o Rationalization of the attack trees revealed:
• 44 different asset attacks, involving 16 different assets
o Risk analysis provides the means to assess the
relative importance of protecting these assets
The Fully Networked Car
Geneva, 3-4 March 2010
17
Risk-based prioritisation of counter-measures
Identified threats
Asset
Attack
Denial of service
Chassis
Safety
Exploit
Controller implementation
flaws
Wireless
Comms
Corrupt or fake
messages
Jamming
The Fully Networked Car
Geneva, 3-4 March 2010
Risk analysis results
Risk level
Instances
1
2
4
5
2
3
4
5
6
7
4
5
3
1
1
1
5
5
4
1
4
3
3
2
Security requirements
Authenticity_6, Availability_102,
Low priority
Availability_106
Authenticity_1, Authenticity_2,
Authenticity_3 …
… Confidentiality_1,
Confidentiality_2, Authenticity_101
…
Important to protect
against this asset attack
… Availability_107, Availability_108,
Integrity_102
18
Conclusions
A security risk analysis approach has been
developed from automotive safety and IT
security practices
o
•
•
•
o
19
attack trees to identify asset attacks from use
cases, attacker type and motivations
4-component security risk vector, potentially
including security-related safety issues
attack potential and controllability to assess
probability of successful attack
Level and frequency of risks associated with
asset attacks identified in attack trees
indicate priorities for counter-measures
The Fully Networked Car
Geneva, 3-4 March 2010
Acknowledgements
For further information see: www.evita-project.org
The Fully Networked Car
Geneva, 3-4 March 2010
20