THREAT MODELLING FOR FUTURE VEHICLES
On Identifying and Analysing Threats for Future Autonomous and Connected Vehicles

Stijn van Winsen (s.vanwinsen@student.utwente.nl)
Master of Science - Computer Science - Kerckhoffs Institute
Faculty of Electrical Engineering, Mathematics and Computer Science
University of Twente
January 2017 – Final Version

Stijn van Winsen: Threat Modelling for Future Vehicles, On Identifying and Analysing Threats for Future Autonomous and Connected Vehicles, © January 2017

supervisors:
Dr. N. (Klaas) Sikkel - University of Twente
Dr. Ir. G.J. (Geert) Heijenk - University of Twente
Ir. J.A.W. (Jeroen) de Wit - KPMG

location: Enschede

SUMMARY

Modern day vehicles contain many IT components that were designed for isolated vehicles. The shift towards vehicles that are connected to other devices creates an increased attack surface for attackers. Together with a shift towards more autonomous vehicles, which introduce more cyber-physical systems, it becomes evident that the IT in vehicles needs to be properly secured.

Vehicle manufacturers have only recently started to incorporate security in the design process, and lack techniques to do this. This thesis therefore proposes a composite threat model focused on identifying all threats under the assumption that the system is already breached.

The proposed composite threat model consists of two steps that a security expert within a vehicle manufacturer should follow for all relevant applications or systems. First, a complete interconnections drawing should be created to get a complete overview of all relevant components in the system, including all entities and high level data flows. Second, using the drawing from step 1, the STRIDE threat modelling technique is used to identify all possible threats. Then every threat on the list is analysed based on its consequences on two aspects: Severity and Controllability.
Severity describes how severe a threat is if it occurs; this is analysed on four aspects: Safety, Operational, Privacy, and Financial. Controllability describes how controllable a threat is if it occurs.

Using these results, a security expert can reason about the different threats, prioritise them by how important they are, and use this to find mitigation techniques.

Since our model focuses on identifying all possible threats, the main recommendations from the validation include creating a tool that can help a security expert in identifying the possible threats, and in particular help in reducing irrelevant threats, as well as finding a way to make the results sellable to management.

With this composite threat model, security experts can identify and analyse their vehicles for possible threats and make their vehicles more secure, as is evidently needed for future vehicles.

ACKNOWLEDGEMENTS

This thesis marks the end of seven and a half years of studying Computer Science and Computer Security at the University of Twente. After almost a year of writing this thesis, which is a tad long, my life as a student is now over.

Although there have been some moments that things could have gone more smoothly, my supervisors were always there to get me back on track. I am therefore glad that Klaas and Geert agreed to supervise me during this research. You have always taken the time to discuss progress, read my thesis, provide me with valuable feedback and above all guide me in the process, even though you are not primarily engaged in the field of security. Thank you!

I am also grateful that Jeroen from KPMG has taken the time to discuss my progress from time to time and to help me out with finding experts in the field. Jeroen, thank you for sometimes giving me the room to find things out by myself, but also helping me whenever I got stuck or needed a discussion in a field that was also new to you.

I wrote my thesis as part of KPMG's Cyber team.
I am grateful to them for providing me the opportunity to do so and for making me feel a part of the team so quickly. Both on a professional level and on a social level, you have provided me a great time. In particular, I have enjoyed the discussions, drinks and time in the office with my partners in crime: the co-interns.

I would also like to thank my friends and family for supporting me, sometimes asking me how things were going, and sometimes keeping quiet and being an outlet if things were going less smoothly.

Lastly, I would like to thank the guys from ShareLaTeX for providing me the tools to write this thesis and André Miede for providing this wonderful thesis template.

Stijn van Winsen

CONTENTS

i Introducing the Research
1 Introduction
2 Background
2.1 History
2.2 Automotive Security
2.3 Problem Statement
3 Definitions
4 Research Design
4.1 Research Objective
4.2 Research Questions
4.3 Research Approach
4.4 Contributions
5 Literature Review
5.1 Review Questions
5.2 Review Method
5.3 Findings
5.4 Backward and Forward Citation Search
5.5 Results
5.6 Discussion

ii Creating the Framework
6 Future Functionality
6.1 Cooperative Functionality
6.2 Individual Functionality
6.3 Chapter Summary
7 Vehicular IT Architecture
7.1 Vehicular IT Components
7.2 In-vehicle Communication
7.3 Attack Surfaces
7.4 IT Architecture
7.5 Security
8 Threat Modelling
8.1 Automotive Risk Management Techniques
8.2 Chapter Summary
9 Proposed Threat Model
9.1 Composite Threat Model
9.2 Use Cases
9.3 Validation
9.4 Improved Composite Threat Model
9.5 Chapter Summary

iii Concluding the Research
10 Conclusion
11 Discussion
11.1 Contributions
11.2 Limitations and Future Work

iv Appendix
A Systematic Literature Review: Scopus Search
B Expert Interview
C Expert Validation Interview
C.1 Interview Cyber Security Systems Architect of a European Truck Manufacturer
D Full Elaboration Use Case Threat Lists
D.1 Predictive Cruise Control
D.2 Emergency Brake Light
E Validated Composite Threat Model
E.1 Composite Threat Model

Bibliography

LIST OF FIGURES

Figure 4.1 Phases, inputs and outputs of this research
Figure 5.1 Visual representation of study selection
Figure 7.1 The AUTOSAR software architecture
Figure 7.2 Mapping of attack surfaces
Figure 7.3 Vehicular IT Architecture Legend
Figure 7.4 General IT architecture for a European vehicle
Figure 7.5 General IT architecture for an American vehicle
Figure 7.6 General IT architecture for an Asian vehicle
Figure 7.7 Instance of a secure on-board network with full, medium, and light HSMs
Figure 8.1 A simple data flow diagram
Figure 8.2 Overview of the functional safety development process in ISO 26262
Figure 8.3 ISO 26262 safety process extended with security activities
Figure 8.4 NIST Risk Management Framework
Figure 8.5 Modified NIST Risk Management Framework for the vehicle sector
Figure 9.1 Composite Threat Model Steps as part of the NIST framework
Figure 9.2 Interconnections drawing including high level data flows for Predictive Cruise Control
Figure 9.3 Interconnections drawing including high level data flows for Emergency Brake Light for a modern day vehicle
Figure 9.4 Interconnections drawing including high level data flows for Emergency Brake Light for an EVITA secured vehicle
Figure 9.5 Composite Threat Model Steps
Figure D.1 Threat list with determination of severity for Predictive Cruise Control
Figure D.2 Threat list with determination of severity for Predictive Cruise Control
Figure D.3 Threat list with determination of severity for Emergency Brake Light for a modern day vehicle
Figure D.4 Threat list with determination of severity for Emergency Brake Light for an EVITA secured vehicle
Figure E.1 Composite Threat Model Steps as part of the NIST framework

LIST OF TABLES

Table 5.1 Overview of found articles per topic
Table 5.2 Overview of found articles per published year
Table 6.1 ETSI basic set of applications
Table 7.1 Grouping of selected automotive bus systems
Table 7.2 Components of automotive HSM classes
Table 8.1 STRIDE categories mapped on Data Flow Diagram elements
Table 8.2 Failure rate for Safety Integrity Levels
Table 8.3 Risk graph fragment for safety-related security threats
Table 8.4 SecL Determination Matrix
Table 8.5 SINA categories mapped to STRIDE categories
Table 9.1 STRIDE categories mapped on Interconnection drawing elements
Table 9.2 Controllability Level determination
Table 9.3 Severity Level determination for Safety, Operational, Privacy and Financial
Table 9.4 Example of result of final step
Table 9.5 Threat list with determination of severity for Predictive Cruise Control
Table 9.6 Threat list with determination of severity for Predictive Cruise Control, continued
Table 9.7 Threat list with determination of severity for Emergency Brake Light for a modern day vehicle
Table 9.8 Threat list with determination of severity for Emergency Brake Light for an EVITA secured vehicle
Table 9.9 Example on how different Safety levels may be weighted within classes
Table E.1 STRIDE categories mapped on Interconnection drawing elements
Table E.2 Controllability Level determination
Table E.3 Example on how different Safety levels may be weighted within classes
Table E.4 Severity Level determination for Safety, Operational, Privacy and Financial