Adapting Threat Modeling Methods for the Automotive Industry

Paper in proceedings, 2017

We live in a world that is getting more interconnected by each day and we are witnessing a global change where all the devices in our surroundings are becoming “smart” and connected to the Internet. The automotive industry is also a part of this change. Today's vehicles have more than 150 small computers, embedded control units (ECUs), and multiple connection points to the Internet which makes them vulnerable to various on-line threats. Recent attacks on connected vehicles have all been results of security vulnerabilities that could have been avoided if appropriate risk assessment methods were in place during software development. In this paper we demonstrate how the threat modeling process, common for the computer industry, can be adapted and applied in the automotive industry. The overall contribution is achieved by providing two threat modeling methods that are specifically adapted for the concept of the connected car and can further be used by automotive experts. The methods were chosen after an extensive literature survey and with support of domain experts from the vehicle industry. The two methods were then successfully applied to the connected car and the underlying software architecture based on the AUTOSAR standard. We have empirically validated our results with domain experts as well as tested the found vulnerabilities in a simulated vehicle environment.