SAVTA: A Hybrid Vehicular Threat Model: Overview and Case Study

Abstract

In recent years, significant developments were introduced within the vehicular domain, evolving the vehicles to become a network of many embedded systems which depend on a set of sensors to interact with each other and with the surrounding environment. While these improvements have increased the safety and incontestability of the automotive system, they have opened the door for new potential security threats which need to be defined, assessed, and mitigated. The SAE J3061 standard has defined threat modeling as a critical step toward the secure development process for vehicle systems, but it did not determine which method could be used to achieve this process. Therefore, many threat modeling approaches were adopted. However, using one individual approach will not identify all the threats which could target the system, and may lead to insufficient mitigation mechanisms. Thus, having complete security requires the usage of a comprehensive threat model which identifies all the potential threats and vulnerabilities. In this work, we tried to revise the existing threat modeling efforts in the vehicular domain. Also, we proposed using a hybrid method called the Software, Asset, Vulnerability, Threat, and Attacker (SAVTA)-centric method to support security analysis for vehicular systems. SAVTA combines different existing threat modeling approaches to create a comprehensive and hybridized threat model. The model is used as an aid to construct general attack trees which illustrate attack vectors that threaten a particular vehicle asset and classify these attacks under different sub-trees.