Combining Cyber Security Intelligence to Refine Automotive Cyber Threats

Author:

Sommer Florian (1), Gierl Mona (1), Kriesten Reiner (1), Kargl Frank (2), Sax Eric (3)

Affiliation:

1. Karlsruhe University of Applied Sciences, Karlsruhe, Germany

2. Ulm University, Ulm, Germany

3. Karlsruhe Institute of Technology, Karlsruhe, Germany

Abstract

Modern vehicles increasingly rely on electronics, software, and communication technologies (cyber space) to perform their driving task. Over-The-Air (OTA) connectivity further extends the cyber space by creating remote access entry points. Accordingly, the vehicle is exposed to security attacks that are able to impact road safety. A profound understanding of security attacks, vulnerabilities, and mitigations is necessary to protect vehicles against cyber threats. Because automotive threat descriptions, such as those in UN R155, are still abstract, there is a risk that potential vulnerabilities are overlooked and the vehicle is not secured against them. So far, there is no common understanding of the relationship between automotive attacks, the concrete vulnerabilities they exploit, and the security mechanisms that would protect the system against these attacks. In this paper, we aim to close this gap by creating a mapping between UN R155, Microsoft STRIDE classification, Common Attack Pattern Enumerations and Classifications (CAPEC™), and Common Weakness Enumeration (CWE™). In this way, already existing detailed knowledge of attacks, vulnerabilities, and mitigations is combined and linked to the automotive domain. In practice, this refines the list of UN R155 threats and therefore supports vehicle manufacturers, suppliers, and approval authorities in meeting and assessing the requirements for vehicle development in terms of cybersecurity. Overall, 204 mappings between UN threats, STRIDE, CAPEC attack patterns, and CWE weaknesses were created. We validated these mappings by applying our Automotive Attack Database (AAD), which consists of 361 real-world attacks on vehicles. Furthermore, 25 additional attack patterns were defined based on automotive-related attacks.

Publisher

Association for Computing Machinery (ACM)

Subject

Safety, Risk, Reliability and Quality; General Computer Science

