Guest blog: automating automotive cybersecurity assurance

The growing connectivity and complexity of automotive onboard systems increase a vehicle's exposure to cyberattacks, but providing safety and security assurance for those systems can be incredibly time-consuming. Kacper Sowka, final year PhD student partnering with HORIBA MIRA and Coventry University, explains how automating the production of threat models could play an important role.

Today, the number of Electronic Control Units (ECUs) within a vehicle can exceed 50, producing substantial data and controlling a wide variety of onboard systems. As a result, the attack surface exposed to cyberattacks has grown substantially. The consequences of an attack fall into four main categories – safety, financial, operational and privacy – and could range from access to financial data to breaching safety-critical systems, such as brakes and airbags, resulting in threats to life. This is further complicated because vehicles must also meet the exacting demands of the passive and active safety domains, as well as Safety of the Intended Functionality (SOTIF) and Functional Safety, governed by ISO 21448 and ISO 26262 respectively.

In response to the growing requirement for automotive cybersecurity assurance, standards such as ISO/SAE 21434 and UN Regulation No. 155 have been issued to provide guidance and requirements for cybersecurity assurance in vehicles. ISO/SAE 21434 outlines goal-oriented principles and best practices for achieving an acceptable level of assurance but, because understanding in this area is still evolving, it does not prescribe the exact means or methods that OEMs and auditing bodies should follow.

To meet the ‘reasonable standard of cybersecurity’, comprehensive threat modelling techniques have been developed to aid cybersecurity experts in anticipating and mitigating the wide-ranging potential threats: ‘attack trees’ are one such approach. An attack tree decomposes an attacker's goal (the root) into the sub-goals and concrete steps needed to reach it, combined with AND/OR relationships, so that each route from the leaves to the root is a candidate attack path. This structure supports several applications, including the identification and analysis of potential attack paths, the production of assurance cases, the generation of risk assessments and the derivation of appropriate cybersecurity test cases.

However, their development usually relies on intensive expert-driven construction or on rudimentary, loosely defined processes; producing them can be complex and time-consuming, and the process is often liable to error.

Thus, automatic generation of attack trees offers several possible advantages in the context of automotive cybersecurity. Efficiency of time and resource is the key benefit: it allows experts to focus on other critical issues, while the route to regulatory compliance is streamlined.

An attack tree generator that provides a comprehensive analysis of how potential losses could occur, structuring these in a hierarchical manner, would be highly valuable for risk prioritisation and for creating useful assurance cases: the paths that are cheapest for an attacker to complete are the ones to mitigate and examine first. In outlining vulnerabilities, such an attack tree also encodes a procedure for exploiting a given system and could therefore determine penetration test cases, with each attack path becoming an ordered sequence of steps for the tester to attempt.

To further their effectiveness, generating attack-defence trees (as opposed to basic attack trees) would allow mitigating defences to be represented alongside the attack steps they counter, so that the effect of deploying a countermeasure can be read directly from the tree as the removal of the attack paths it blocks. And if the generator were built to evolve continually and to absorb large amounts of new data, it could incorporate changes in policy and in the threat landscape for continuous improvement.

Research to date has explored abstract processes for automatically deriving attack trees from input data, often starting from formally defined system models. However, the specific procedure, the level of automation that can be expected and the type of data available are all application-dependent. Human knowledge and experience remain crucial to the success of such a generator, so establishing a mechanism for translating and formalising known and future vulnerabilities and threats into an input dataset for the generator is a necessary step for future development.

In the short term, a lesser degree of automation could prove beneficial to the automotive industry and provide a greater degree of assurance: keeping a human expert in the loop will reduce uncertainty for customers and users, while the introduction of a semi-automatic procedure will support existing processes and human expertise rather than attempting to replace them. Familiarising the existing workforce with the concept of attack tree generators and the processes around them will be important for establishing how a progressive transition to further automation can be achieved.

Thus, while a fully automatic approach would bring significant benefits, and research into how that can be made a reality is ongoing, a lesser but more practically viable degree of automation is still desirable. Questions such as how to automate attack tree generation and how to establish a dependable validation procedure for the generated trees are vital, as is the practical benefit of any automation introduced into existing assurance activities: innovation should be driven primarily by utility, not by an arbitrary progression towards systems merely perceived as more sophisticated. These questions are especially important in the automotive environment, given the close relationship with safety, and HORIBA MIRA is a key partner in the wider research into cybersecurity assurance now and in the future.

HORIBA MIRA’s Vehicle Resilience (VRES) team provides advice and guidance on cybersecurity assurance and compliance, and can share further insight on the automated generation of attack trees to support automotive cybersecurity assurance.

Kacper Sowka is a final year PhD student partnering with HORIBA MIRA and Coventry University.