Proposing HEAVENS 2.0 – an automotive risk assessment model
Paper in proceeding, 2021

Risk-based security models have seen a steady rise in popularity over the last decades, and several security risk assessment models have been proposed for the automotive industry. The new UN vehicle regulation 155 on cybersecurity provisions for vehicle type approval, as part of the 1958 agreement on vehicle harmonization, mandates the use of risk assessment to mitigate cybersecurity risks and is expected to be adopted into national laws in 54 countries within 1 to 3 years. This new legislation will also apply to autonomous vehicles. The automotive cybersecurity engineering standard ISO/SAE 21434 is seen as a way to fulfill the new UN legislation, so we can expect quick and wide industry adoption. One risk assessment model that has gained some popularity and is in active use in several companies is the HEAVENS model, but since ISO/SAE 21434 introduces additional requirements on the risk assessment process, the original HEAVENS model does not fulfill the standard.

In this paper, we investigate the gap between the HEAVENS risk assessment model and ISO/SAE 21434, and we identify and propose 12 model updates to HEAVENS to close this gap. We also discuss identified weaknesses of the HEAVENS risk assessment model and propose 5 additional model updates to overcome them. In accordance with these 17 identified model updates, we propose HEAVENS 2.0, a new risk assessment model based on HEAVENS which is fully compliant with ISO/SAE 21434.

ISO/SAE 21434

UNECE regulation 155

Automotive

TARA

Threat Analysis

Risk Assessment

Author

Aljoscha Lautenbach

Network and Systems

Evidente AB

Magnus Almgren

Network and Systems

Tomas Olovsson

Network and Systems

Proceedings - CSCS 2021: ACM Computer Science in Cars Symposium

5
9781450391399 (ISBN)

Computer Science in Cars Symposium (CSCS ’21)
Ingolstadt, Germany,

Cyber Resilience for Vehicles - Cybersecurity for automotive systems in a changing environment (CyReV phase 2)

VINNOVA (2019-03071), 2019-01-10 -- 2022-03-31.

RICS2: Resilient Information and Control Systems

Swedish Civil Contingencies Agency, 2021-01-01 -- 2023-12-31.

Areas of Advance

Information and Communication Technology

Transport

Subject Categories

Embedded Systems

Computer Systems

DOI

10.1145/3488904.3493378

More information

Latest update

4/21/2023