A risk assessment framework for automotive embedded systems
Paper in proceeding, 2016

The automotive industry is experiencing a paradigm shift towards autonomous and connected vehicles. Coupled with the increasing usage and complexity of electrical and/or electronic systems, this introduces new safety and security risks. Encouragingly, the automotive industry has relatively well-known and standardised safety risk management practices, but security risk management is still in its infancy. In order to facilitate the derivation of security requirements and security measures for automotive embedded systems, we propose a specifically tailored risk assessment framework, and we demonstrate its viability with an industry use-case. Some of the key features are alignment with existing processes for functional safety, and usability for non-security specialists. The framework begins with a threat analysis to identify the assets, and threats to those assets. The following risk assessment process consists of an estimation of the threat level and of the impact level. This step utilises several existing standards and methodologies, with changes where necessary. Finally, a security level is estimated which is used to formulate high-level security requirements. The strong alignment with existing standards and processes should make this framework well-suited for the needs in the automotive industry.

Automotive security

Security requirements

Threat analysis

Risk assessment

Author

Mafijul Islam

Volvo Group

Aljoscha Lautenbach

Chalmers, Computer Science and Engineering (Chalmers), Networks and Systems (Chalmers)

C. Sandberg

Volvo Group

Tomas Olovsson

Chalmers, Computer Science and Engineering (Chalmers), Networks and Systems (Chalmers)

CPSS '16: Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security

3-14
978-1-4503-4288-9 (ISBN)

2nd ACM International Workshop on Cyber-Physical System Security
Xi'An, China

HEAling Vulnerabilities to ENhance Software Security and Safety (HEAVENS)

VINNOVA (2012-04625), 2013-04-01 -- 2016-03-31.

Areas of Advance

Information and Communication Technology

Transport

Subject Categories

Information Science

Embedded Systems

Computer Systems

DOI

10.1145/2899015.2899018

More information

Latest update

12/13/2021