Seeking methodology for systematic system threat analysis
The automotive industry has been moving from purely mechanical to cyber-physical systems. Therefore, the industry and regulators had to introduce cybersecurity standards and practices. The International Organization of Standardization (ISO) and the Society of Automotive Engineers (SAE) contributed a standard for cybersecurity assessment of road vehicles.
The ISO/SAE 21434 [ISO21] document defines cybersecurity assessment and risk management guidelines for a vehicle’s life-cycle. Many organizations tried to implement design verification tools to facilitate applying the ISO/SAE 21434 standard. The Austrian Institute of Technology (AIT) also developed ThreatGet to aid security engineers and system designers with Threat Analysis and Risk Assessment (TARA). ThreatGet verifies vehicle designs against a database of threat-rules. A threat-rule describes a bad pattern within the system design. The threat-rule database is mostly populated with ad-hoc rules. Meanwhile, ISO/SAE 21434 requires the explicit identification of attack paths, feasibility, impact, and many more properties.
We argue that this information cannot be extracted from threat-rules that were created without knowledge of a specific system. Each system has specific attack surfaces. To perform a TARA, we have to consider entire attack scenarios that begin at a surface and end with an asset rather than considering ad-hoc design elements and their respective security requirements. We lack a methodology to treat a system model systematically to extract such comprehensive threat-rules.
This thesis proposes a methodology for the systematic construction of threat-rules. We apply ThreatGet to an existing smart vehicle whilst being as faithful as we can to the TARA requirements of [ISO21]. We take the system design and cybersecurity best practices into account, which is contrary to the existing rules that only contain generic domain-specific information and can be applied to any system in the target domain. We address the system design through formal interpretations of cybersecurity guidelines that we transform into attack trees. This transformation leads to the compositional construction of detailed attack scenarios. Thereby, we create threat-rules that contain the TARA requirements (e.g., attack paths, feasibility, and impact) of our specific system design.
Applying our methodology, we identify seven assets and 29 anti-patterns and combine them into 633 theoretical threat-rules. We carefully select a set of threat-rules and show how to implement them in ThreatGet while obtaining the ISO/SAE 21434 work products. We discover that some threat-rules contain invalid attack paths, as our relation between assets is often too simplistic. Therefore, the amount of threat-rules is just a theoretical upper bound and should be reduced through improved relations between assets.
More to Read
Check out our latest article about the LEDEL library that Solver Intelligent Analytics and Universitat Politècnica de València (UPV) project partners are developing for the project.