Integrated Attack Tree in Residual Risk Management Framework-Reference-Cited by-同舟云学术

Integrated Attack Tree in Residual Risk Management Framework

Published:2023-11-29 Issue:12 Volume:14 Page:639
ISSN:2078-2489
Container-title:Information
language:en
Short-container-title:Information

Author:

Khan Ahmed Nawaz¹,Bryans Jeremy¹,Sabaliauskaite Giedre²^ORCID,Jadidbonab Hesamaldin¹^ORCID

Affiliation:

1. Institute of Future Transport and Cities, Coventry University, Coventry CV1 5FB, UK

2. Department of Computer Science, Swansea University, Swansea SA1 8EN, UK

Abstract

Safety-critical cyber-physical systems (CPSs), such as high-tech cars having cyber capabilities, are highly interconnected. Automotive manufacturers are concerned about cyber attacks on vehicles that can lead to catastrophic consequences. There is a need for a new risk management approach to address and investigate cybersecurity risks. Risk management in the automotive domain is challenging due to technological improvements and advances every year. The current standard for automotive security is ISO/SAE 21434, which discusses a framework that includes threats, associated risks, and risk treatment options such as risk reduction by applying appropriate defences. This paper presents a residual cybersecurity risk management framework aligned with the framework presented in ISO/SAE 21434. A methodology is proposed to develop an integrated attack tree that considers multiple sub-systems within the CPS. Integrating attack trees in this way will help the analyst to take a broad perspective of system security. Our previous approach utilises a flow graph to calculate the residual risk to a system before and after applying defences. This paper is an extension of our initial work. It defines the steps for applying the proposed framework and using adaptive cruise control (ACC) and adaptive light control (ALC) to illustrate the applicability of our work. This work is evaluated by comparing it with the requirements of the risk management framework discussed in the literature. Currently, our methodology satisfies more than 75% of their requirements.

Publisher

MDPI AG

Subject

Information Systems

Link

https://www.mdpi.com/2078-2489/14/12/639/pdf

Reference63 articles.

1. (2022, May 21). Researchers Hack BMW Cars, Discover 14 Vulnerabilities. Available online: https://www.helpnetsecurity.com/2018/05/23/hack-bmw-cars/.

2. (2023, November 17). Hackers Remotely Kill a Jeep on the Highway—With Me in It. Available online: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.

3. Koscher, K., Czeskis, A., Roesner, F., Patel, S., Kohno, T., Checkoway, S., McCoy, D., Kantor, B., Anderson, D., and Shacham, H. (2010, January 16–19). Experimental security analysis of a modern automobile. Proceedings of the 2010 IEEE Symposium on Security and Privacy, Oakland, CA, USA.

4. (2021, November 11). Team of Hackers Take Remote Control of Tesla Model S from 12 Miles Away. Available online: https://www.theguardian.com/technology/2016/sep/20/tesla-model-s-chinese-hack-remote-control-brakes.

5. (2021). Road Vehicles—Cybersecurity Engineering (Standard No. ISO/SAE 21434:2021).