A Framework for Cybersecurity Requirements Management in the Automotive Domain
Author:
Luo Feng¹, Jiang Yifan¹, Wang Jiajia¹, Li Zhihao¹, Zhang Xiaoxian²
Affiliation:
1. School of Automotive Studies, Tongji University, Shanghai 201804, China
2. iSOFT Infrastructure Software Co., Ltd., Shanghai 200125, China
Abstract
The rapid development of intelligent connected vehicles has increased the attack surface of vehicles and made the complexity of vehicle systems unprecedented. Original equipment manufacturers (OEMs) need to accurately represent and identify threats and match them to corresponding security requirements. Meanwhile, the fast iteration cycle of modern vehicles requires development engineers to quickly obtain cybersecurity requirements for new features in their developed systems in order to develop system code that meets cybersecurity requirements. However, existing threat identification and cybersecurity requirement methods in the automotive domain cannot accurately describe and identify threats for a new feature while also quickly matching appropriate cybersecurity requirements. This article proposes a cybersecurity requirements management system (CRMS) framework to assist OEM security experts in conducting comprehensive automated threat analysis and risk assessment and to help development engineers identify security requirements prior to software development. The proposed CRMS framework enables development engineers to quickly model their systems using the UML-based (i.e., capable of describing systems using UML) Eclipse Modeling Framework and enables security experts to integrate their security experience into a threat library and a security requirement library expressed in the Alloy formal language. To ensure accurate matching between the two, a middleware communication framework called the component channel messaging and interface (CCMI) framework, specifically designed for the automotive domain, is proposed. The CCMI communication framework allows the quickly built model of the development engineers to be matched against the formal model of the security experts, achieving accurate and automated threat and risk identification and security requirement matching.
To validate our work, we conducted experiments on the proposed framework and compared the results with the HEAVENS approach. The results showed that the proposed framework is superior in terms of threat detection rates and coverage rates of security requirements. Moreover, it also saves analysis time for large and complex systems, and the cost-saving effect becomes more pronounced with increasing system complexity.
Funder
Shanghai Pudong New Area Science and Technology Development Fund Industry-University-Research Special Project
Subject
Electrical and Electronic Engineering; Biochemistry; Instrumentation; Atomic and Molecular Physics, and Optics; Analytical Chemistry