Professional Documents
Culture Documents
Security Engineering Iso 21434
Security Engineering Iso 21434
net/publication/348078835
CITATIONS READS
0 8,463
3 authors:
Harald Ruess
fortiss
130 PUBLICATIONS 2,471 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Yuri G Dantas on 18 March 2021.
Security Engineering
for ISO 21434
Security Engineering –
for ISO 21434
Authors
2
Content
Abstract 4
Introduction 5
Running Example 9
Incremental Approach 14
Approach by Example 16
Related Work 21
Conclusion 23
References 24
Imprint 26
3
Abstract
The ISO 21434 is a new standard that has been ting item security claims. This paper proposes a
proposed to address the future challenges of security engineering approach that can ease this
automotive cybersecurity. This paper takes a closer process by relying on Rigorous Security Assess-
look at the ISO 21434 helping engineers to un- ments and Incremental Assessment Maintenance
derstand the ISO 21434 parts, the key activities to methods supported by automation. The paper
be carried out and the main artefacts that shall be demonstrates by example that the proposed
produced. As any certification, obtaining the ISO approach can greatly increase the efficiency to
21434 certification can be daunting at first sight. produce artefacts, as well as enable continuous
Engineers have to deploy processes that include security assessment. Finally, the paper points out
several security risk assessment methods to some key research directions to fully realize the
produce security arguments and evidence suppor- proposed approach.
4
Introduction for security. One goal of this paper is to explain the
ISO 21434 providing to cybersecurity engineers a
comprehensive overview of the main activities that
New vehicle business models are in the process shall be carried out and the key artefacts that shall
of being forged based on the adoption of Infor- be produced to comply with the ISO 21434.
mation and Communication Technologies (ICT),
such as V2X communication and artificial intelli- This paper also goes beyond the ISO 21434. It de-
gence. According to Juniper Research [9], there are scribes an incremental approach for security for
currently tens of millions of connected vehicles, enabling the continuous security assessment of
and this number will reach 775 million vehicles by vehicles and therefore, enabling the continuous
2023. Connected vehicles already enable important certification of vehicles. This approach is based on
services, such as on-line streaming and Advanced three key elements:
Driver Assistance Systems (ADAS). In the near future,
they will enable services such as vehicles with very • Rigorous Security Assessments. Vulnerabilities
high level of autonomy. are introduced or not correctly mitigated be-
cause of the lack of rigor in the security argu-
The adoption of ICT, however, has also greatly in- ment used to support a claim. For example,
creased vehicle cybersecurity concerns. Until some arguments often contain implicit assumptions
years ago, attackers would necessarily have to be which lead to unintended implementation
physically close to carry out attacks against vehi errors. For the construction of such arguments,
cles. This is no longer the case with connected this paper suggests rigorous security arguments
cars. As already demonstrated by the now infamous written by logic-based methods supported
Jeep attack [7], without appropriate countermea- by domain-specific languages. Logic provides
sures, attackers can remotely take control of pretty precise semantics specifying, for example, the
much any vehicle function, such as the vehicle’s reasoning principles used to construct safety
braking system. The year of 2019 has seen an and security arguments and more importantly
emergence of cyberattacks [8]: 51 incidents have the means to check their correctness and com-
been reported only in the first quarter of 2019. This pleteness.
number is an increase of more than 300 % to 2018.
Moreover, while in the past attacks were carried out • Incremental Assessment Maintenance. As new
in its majority by white-hats1, now the majority of vulnerabilities and attacks are constantly being
the attacks reported are carried out by black-hats2 discovered, security updates will be a norm for
with a rise of 72 % from 2018. There is much reason connected vehicles. The question that follows
to believe that this trend will continue and even ac- is how to demonstrate that after an update, a
celerate. Indeed, as reported by the Hornetsecurity vehicle still complies with the ISO 21434 cer-
Security Lab [10], the automotive industry is the tification. That is, its security is supported by
third most targeted by attackers, behind only the a valid security argument and appropriate evi
energy and logistics sectors. dence. Re-doing the whole certification process
from scratch whenever there is an update is
The cost of handling attacks, e. g., car re-calls, up- not practical. A better approach is to modify the
dates, mitigate damage to reputation, will also in- existing security assessments and certification
crease as more connected vehicles enter the roads. artefacts incrementally by modifying only the
Current estimations predict that the cost of attacks pieces that have been affected by an update.
could reach USD 23 billion by 2023 [11]. Therefore,
it is increasingly important that vulnerabilities are • Automation. Increasing the automation of
found and mitigated before production and that vehicle’s security assessments is a necessary
new vulnerabilities discovered after production are requirement for efficient continuous vehicle
dealt within a short period of time. security assessment and certification. Moreover,
it also less prone to human error. Fortunately,
To address these concerns, the new ISO 21434 [3] there has been in the past year a great increase
has been developed replacing the SAE J3061 [4]. It in the maturity of automated reasoning and
is expected that the ISO 21434 will follow the suc- verification tools. For example, existing logic
cess of the ISO 26262 [2] for vehicle safety, but now programming tools can automatically generate
correct safety and security arguments [17][18],
collect [16] and maintain evidence generated
1 ecurity experts that carry out attacks to find vulnerabilities
S
with the intent of improving security. from workflows using automated tools [14].
2 yber-criminals that carry out attacks for normally financial
C
gains or notoriety.
5
Benefits. The benefits of the proposed approach Secondly, the use of incremental methods and
with respect to existing approaches are two-fold. automation greatly increases the efficiency of
re-certification in terms of time and cost. Efficiency
Firstly, rigorous security assessments with precise is key for enabling continuous certification. Other-
semantics enable the automated checking of when wise, the overhead costs of recertification are very
an argument is incomplete, e. g., some threats are high without adequate automation. This has been
not appropriately mitigated, or plain wrong. More observed, for example, in the avionics domain,
over, since the methods are based on logic, engi- where the change of a single line of code can imply
neers can query specifications like the following costs of in the order of millions of USD.3
ones:
The target audience for this paper is all cybersecuri-
Have all the identified threats been adequately ty engineers who are interested in the ISO 21434
mitigated? If not, which ones remain? itself and in an approach that enables the conti-
nuous certification for automotive vehicles. It is
Which architecture options with additional expected that, by reading this paper, cybersecurity
countermeasures can I use to mitigate the engineers will be able to obtain a clearer picture of
threats that have not yet been mitigated? the ISO 21434, especially of the activities performed
during the risk assessment. It is also expected that
What are the impacts of a particular design on cybersecurity engineers will both learn that parts of
other issues such as safety and performance? the ISO 21434 may be automated by suitable tech-
Will the new countermeasure affect some sa- niques as well as get a perspective on how to build
fety assumption, e. g., increased communica- continuous certification for automotive vehicles
tion latency? using an incremental approach.
What is the security argument used to support Section 1 provides an overview of the ISO 21434,
the security claim of an item? and Section 3 focuses more on the parts related
to risk assessment and concept phase. Section 4
describes an approach for the continuous vehicle
assessment and certification. Section 5 demonstra-
tes this approach through an illustrative example
described in Section 2. After a discussion of related
work in Section 6, Section 7 lists the key research
directions to fully realize the proposed approach.
The paper is concluded in Section 8.
3 S
tated by the DARPA project coordinator
https://www.youtube.com/watch?v=bXuBm_awZvg
6
ISO 21434 at a Glance security of items. Part 9 details the requirements
during concept phase. Parts 10 and 11 detail the
requirements during production, while Parts 12–14
As with the ISO 26262, the ISO 21434 is structured detail the requirements during the post-production.
into multiple parts (a.k.a. clauses) that tackle diffe- Finally, Part 15 details the requirements for supplier
rent aspects of cybersecurity. The technical parts of management.
the ISO 21434 are depicted in Figure 1. These parts
are preceded by parts defining the scope (Part 1), Part 5. This part details the requirements for build
the normative references (Part 2), the terms and ing and maintaining a cybersecurity culture and
abbreviations (Part 3) and general considerations governance. This is accomplished by setting cyber-
(Part 4). security policies, rules and processes for overall cy-
bersecurity management and for project dependent
Figure 1 provides an overview of all the technical cybersecurity management. The policies and rules
parts. Section 3 goes into more detail regarding for the overall cybersecurity management shall (1)
Parts 8 (Risk Assessment Methods), and 9 (Concept define the organization-specific rules and processes
Phase). for cybersecurity, e. g., the executive management’s
commitment to manage security risks; (2) assign
In a nutshell, Parts 5 and 6 contain the require responsibilities for security activities; (3) support the
ments for organizational cybersecurity. Parts 7 and implementation of cybersecurity; (4) institute and
8 describe activities and methods that can be used maintain cybersecurity culture; (5) perform organi-
during the lifecycle of a product to ensure the zational cybersecurity audits; (6) manage the sha-
PART 11 PART 13
Cybersecurity Operations and
Validation Maintenance
PART 14
Decommissioning
7
ring of cybersecurity information; (7) institute and (2) to confirm that the item satisfies the cyberse-
maintain management systems that support cyber- curity goals; (3) to confirm that the residual risk is
security activities; (8) and provide evidence that the acceptable.
tools used do not adversely affect cybersecurity.
Part 12. This part details the requirements during
Part 6. This part describes the requirements for the the fabrication, assembly and configuration of an
management of cybersecurity activities for the de- item or component. Its objectives are (1) to apply
velopment of a specific project. The key objectives the cybersecurity requirement for post-develop-
of these requirements are (1) assign the responsibili- ment to the item or component; and (2) to prevent
ties for cybersecurity activities; (2) plan the cyberse- the introduction of vulnerabilities during production.
curity activities; (3) create a cybersecurity case that
provide the high-level argument for the achieved Part 13. This part describes the requirements for
degree of cybersecurity. cybersecurity incident response and updates. Its
objectives are (1) to handle cybersecurity events
Part 7. This part details cybersecurity activities that that become a cybersecurity incident; and (2) to
can be performed at any stage of the lifecycle. The preserve cybersecurity during and after updates to
main objective of these requirements are (1) to col- items or components post-production.
lect relevant cybersecurity information; (2) to triage
collected cybersecurity information; (3) to assess Part 14. This part details the requirements on de-
cybersecurity events; (4) to identify and analyze cy- commissioning of an item or component. The main
bersecurity vulnerabilities; (5) to manage identified objective is to ensure that the item or component is
cybersecurity vulnerabilities. decommissioned in a secure manner.
Part 8. This part details methods that organizations Part 15. This part details the requirements for distri-
can use to determine the risks to stakeholders of buted cybersecurity activities. The main objective
cybersecurity threats. The main objectives of the of these requirements is to define the interactions,
methods are to (1) identify assets; (2) identify threat dependencies, and responsibilities between custo-
scenarios; (3) rate the impact; (4) identify or update mers and suppliers for cybersecurity activities.
the attack paths for threat scenarios; (5) assess the
ease with which the identified attack paths can be Section 4 describes the proposed approach and
exploited; (6) determine the risk value of a threat how this approach can help to achieve the objec-
scenario; and (7) select the appropriate risk treat- tives of Parts 8, 9 and 10 in an automated fashion.
ment. ISO 21434 has several appendixes that illustrate how
the ISO 21434 could be used in practice. Section 5
Part 9. This part details the requirements for the illustrates the proposed approach using the running
concept phase. Its main objectives are (1) define the example in the ISO 21434, Annex G. This running
item, the operational environment and its interac- example is described in Section 2.
tion with other items; (2) specify cybersecurity goals
and cybersecurity claims; and (3) specify cybersecu-
rity requirements and allocate them to the item or
to the operational environment.
8
Running Example oncoming vehicles can be detected. This is needed
to automatically switch the headlamp from high-
beam mode to low-beam mode and vice versa. The
This paper considers a headlamp system as the CAN bus is connected with a Gateway ECU. This
running example. The example is taken from ISO- Gateway ECU controls access to the CAN bus from
21434, Annex G [3]. other ECUs located outside the headlamp system
such as the Navigation ECU. The Navigation ECU
A headlamp system is responsible for turning on/off has two interfaces, namely Cellular and Bluetooth.
the headlamp of a vehicle following the demand of The Gateway ECU is also connected to an OBD-
the driver. It has two specific features, namely high- II connector through another CAN bus. OBD-II is
beam light and low-beam light. If the headlamp is an on-board computer that monitors data about
in high-beam mode, the headlamp system switches the vehicle such as speed. Both the Bluetooth and
the headlamp automatically to the low-beam mode Cellular interfaces and the ODB-II connector are
when an oncoming vehicle is detected. It returns located outside the item boundary4. They might be
automatically the headlamp to the high-beam entry points for attacking the headlamp system, as
mode if the oncoming vehicle is no longer detec- discussed in the following sections.
ted [3]. The headlamp system is a critical system as
harm, e. g., accidents, may occur if the lamp is un-
expectedly turned off over night.
Cellular Bluetooth
Navigation ECU
OBD-II
Connector
Gateway ECU
ITEM BOUNDARY
Other ECUs
Power
Headlamp Body Control
Switch
Switch ECU
Lamp Low Actuator
ON / Hi
Headlamp System ON / OFF
Request
9
Risk Assessment
This section enters into the details of the technical Figure 3 depicts the activities described in Parts 8
parts of the ISO 21434, namely Parts 8 and 9. Part and 9 (item definition) of the ISO 21434 for risk as-
9 (i.e., item definition) may use the risk assessment sessment. It includes the artefacts that they are sup-
methodology described in Part 8. This methodo- posed to produce and suggestions of methods that
logy can be partially carried out with automated can be used to produce them.
support, thus enabling the automated production
of several artefacts required for the security assess- The following text describes these activities and illus
ment of an item. trate them with the running example from Section 2.
• Preliminary Architecture
Item Definition • Assumptions about the item
and operational environment
Attach Path • Possible Attack Paths • Top-down Approach, e.g., Attack Trees,
• Link between Attack Paths STRIDE
Analysis and Threat Scenarios • Bottom-up Approaches (e.g., the Output
of Vulnerability Analysis
Figure 3. Activities, Artefacts and Methods mentioned in Part 8. Item definition is mentioned in Part 9. The full arrow
from an activity to an artefact specifies that this artefact is produced at the end of the activity. A full arrow from an
artefact to an activity specifies that this artefact is used as input to the corresponding activity. Finally, the dashed
arrows from an artefact to an activity specifies that the artefact can used as input, but not required, to the correspon-
ding activity.
10
Item Definition. This is an early-on activity that U
nexpected loss of head light: the headlamp
defines the item5 whose risk assessment is going to turns off during night driving resulting from the
be evaluated. During this activity, a preliminary ar- loss of integrity of CAN signal
chitecture of the item is described and the assump
tions about its operational environment.
Unable to switch on head light: the Power
Switch Actuator does not receive a request from
the Body Control ECU to turn on the lamp resul-
ting from the loss of availability of the CAN bus.
Example 3.1
Threat Scenario Identification. The threat scenarios
Consider the running example from Section 2. The for each damage scenario shall be identified. Notice
artefacts produced by this activity are the preli- that a damage scenario may be associated with
minary architecture of the headlamp system, the multiple threat scenarios. A threat scenario may
description of its architectural elements (a.k.a. func- include the targeted asset, the compromised cyber-
tions), and the item boundary. These artefacts are security property and the actions that need to be
described in Section 2. carried out by an attacker to accomplish a damage
scenario.
Asset Identification. From the artefacts produced
by the item definition activity, the item’s damage While there is a number of methodologies to carry
scenarios6 are identified. Moreover, one should also out this activity [33], the ISO 21434 proposes the use
enumerate the identified assets with cybersecurity of the two following methods or their combination:
properties that would lead to a damage scenario.
Three methods are suggested by the ISO 21434 for • misuse-case elicitation: Threats scenario can
carrying out this activity: often be identified by using items in an possible,
but unintended way.
• Impact rating: This method rates the impact of
cyberattacks to assets. • taxonomy mnemonic-based approaches, such
as STRIDE: Using threat categories enables a
• Deriving Assets from Threat Scenarios:7 systematic identification of threat scenarios.
Threat scenarios (produced in the threat scena- (See [33] for more about this type of technique.)
rio activity) can help identify key assets.
For this activity, there might be the need for an ad-
• Pre-defined Catalogues: Existing catalogues ditional artefact specifying what type of attacker is
provide a good source for identifying assets. being considered. This artefact is important as attacker
intentions, (e. g., is he a script-kid, cyber-criminal or
an agent supported by a government? and capabili-
ties, e. g., which types of channels is he able to hack?)
Example 3.2 lead to different types of threat scenarios.
11
Damage scenario Safety Financial Operational Privacy
unexpected loss
major negligible major negligible
of head light
unable to switch on
moderate negligible major negligible
head light
Table 1. Impact rating for the damage scenarios from Example 3.2.
This artefact describing the attacker would enable related to safety. For example, [23] proposes meth
the use of formal approaches to enumerate in an ods for extracting in an automated fashion security
automated fashion threat scenario identification by relevant information from safety analysis, e. g., Fault
using precise mathematical models [18, 19, 28, 34]. Tree Analysis (FTA), Failure Modes and Effects Analy
Section 5 illustrates how automation is a corner sis (FMEA), and safety cases.
stone for incremental security engineering.
Attack Path Analysis. From the preliminary architec-
Impact Rating. This activity takes as input the dama- ture, assumptions about the item/environment, and
ge scenarios derived from the activity Asset Identi- the damage scenario, one produces the possible at-
fication. Each damage scenario is assessed accor- tack paths and their association to threat scenarios.
ding to four impact categories for the stakeholders: To do so, the ISO 21434 proposes the use, possi-
safety (S), financial (F), operational (O) and privacy bly in combination, of both top-down, e. g., Attack
(P). Other categories may be considered. Moreover, Trees, and bottom-up, e. g., vulnerability analysis.
one of the following impact rating is associated The attack paths shall include the following infor-
with the damage scenario: severe, major, moderate, mation: vulnerabilities or weaknesses that could be
or negligible. Finally, safety related impacts shall be exploited, and how these could be exploited in an
derived from the ISO 26262 [2]. The resulting arte- attack realizing a threat scenario.
facts are the damage scenario assessments.
Example 3.5
Example 3.4
Both Bluetooth and Cellular interfaces may be ac-
The impact rating for the damage scenarios from cessible from the outside, possibly by an attacker.
Example 3.2 is described in Table 1. Hence, this paper considers such interfaces as the
entry point vulnerabilities for the headlamp system.
Regarding the first damage scenario, an accident
might happen if the lamp switches off overnight Consider the threat scenarios from Example 3.3.
driving. Hence, the safety impact for this scenario A threat path for Threat Scenario 1 can be:
is major. The operational impact is also major, be-
cause if the lamp is not working properly the driver
an attacker compromises the Navigation ECU
needs to take the vehicle to a mechanic for repair. from the Cellular interface to send malicious
The damage impact for both financial and privacy signals to turn off the lamp during night driving,
categories are negligible for this scenario.
compromised Navigation ECU transmits the
For the second damage scenario, this paper con- received malicious signals, and
siders that the driver is not able to switch on the
lamp over morning driving. The safety impact is Gateway ECU forwards the malicious signals
then moderate, as the impact would not be as se- to Power Switch Actuator through the CAN
vere as driving at night. The operational impact is bus.
major, following the same reason explained for the
first scenario. The damage impact on financial and
privacy are both negligible for this scenario.
12
Time
Attack steps Expertise Equipment Knowledge Opportunity Level
(#days)
public
A expert 14 standard unlimited high
information
restricted
B expert 7 standard unlimited high
information
public
C proficient 1 standard unlimited high
information
Table 2. Attack feasibility for the attack path for Threat Scenario 1 (Example 3.5).
Note that this very same attack could be also quired to compromise the Navigation ECU through
carried out from the Bluetooth interface. Similarly, the Cellular interface (attack step (a)). It also con-
a threat path for Threat Scenario 2 can be: siders that the total time for an expert to exploit
attack step (a) is 14 days. Equipment refers to hard-
an attacker compromises the Navigation ECU ware or software required to exploit an attack path.
from the Bluetooth interface to flood the CAN The Cellular interface may be readily available and
bus with high priority messages, easily accessible by the attacker though, e. g., wire
less network. Therefore, the equipment required
compromised Navigation ECU transmits the for exploiting attack step (a) is standard. The knowl
received malicious messages, and edge required by the attack is public, as information
regarding the Cellular interface may be available on
Gateway ECU forwards the malicious the Internet. Opportunity is the amount of access
messages to the CAN bus. required by the attack to exploit an attack path. The
opportunity is unlimited for step (a), because the
Attack Feasibility Rating. Each attack path is rated Cellular interface may be available without any time
according to the following categories: high, me- limitation to the attacker.
dium, low or very low. The following three methods
are suggested for rating attack paths: The attack potential approach considers the most
expensive argument from each attack step to com-
• Attack Potential: The rating of an attack path is pute the overall feasibility for the attacker’s path.
obtained by evaluating the attack level taking For example, if you need an expert for one attack
into account core factors required, including step and a proficient for another attacker step the
elapsed time, specialist expertise and item overall value w.r.t. expertise is expert. The value for
knowledge required, window of opportunity, each attack’s step is high (see Table 2). Hence, the
and equipment. overall attack feasibility for the attack path for Threat
Scenario 1 is high. This paper considers that the
• CVSS2: The attack path rating is obtained from overall attack feasibility for the attack path for Threat
common vulnerability scoring systems, e. g., Scenario 2 is medium.
available at https://www.first.org/cvss/.
Risk Determination. The risk of threat scenarios
• Attack vector: The rating is determined by is determined from the impact associated with its
analyzing the predominant attack vector of the corresponding damage scenario and the likelihood
attack path. of its associated attack paths. The risk are integers
from 1 (lowest risk) to 5 (highest risk). A risk matrix
with the likelihood of attack paths and impact of the
damage scenario is a suggested method to carry
Example 3.6 out this activity.
13
Example 3.7
Incremental Approach
One can determine the risk value for both threat
scenarios from Example 3.3 based on the risk ma- While the ISO 21434 is a step forward for the cyber-
trix. To this end, consider both the impact rating security of connected vehicles, it does not enter
from Example 3.4 and the attack feasibility rating into the details of how to efficiently operationalize
from Example 3.6. cybersecurity. Given the complexity of connected
vehicles, carrying out all activities and producing all
This paper considers the safety impact rating only artefacts while still satisfying the production time
from Example 3.4. The risk value for Threat Scena- lines is not feasible without automation. Moreover,
rio 1 is 4, as the impact on safety is major and the cybersecurity is a continuous task as new vulne-
likelihood of its attack path is high. The risk value rabilities and attacks are discovered (after vehicle
for Threat Scenario 2 is 2, as the impact on safety production) requiring new countermeasures and
is moderate and the likelihood of its attack path is analysis.
medium.
This paper proposes an incremental approach for
Risk Treatment Decision. From all the artefacts pro- ISO 21434 that enables continuous and efficient
duced by the other activities, excepting the attack cybersecurity based on three main pillars:
feasibility rating which is optional, a risk treatment
decision is produced for each threat scenario. This • Rigorous Security Assessments. This paper
artefact shall contain treatment options, such as proposes security rigorous assessment speci-
avoiding risk by removing risk sources, reducing fication based on precise logical models with
risk, by, e. g., inserting countermeasures, sharing or precise semantics. In contrast with existing
transferring the risk to, e. g., suppliers or through assessment languages, such as Goal Structure
insurance, or accepting or retaining the risk. Notation [6], that include textual elements, rigo-
rous security assessments can be automatically
checked for missing assumptions or flaws in the
argumentation.
Following the previous work by [18, 17, 23], this
paper proposes domain specific languages ena-
bling the specification of system architectures,
i.e., components and channels, including phy-
sical components, e. g., CAN bus or ECUs, and
safety and security elements, e. g., hazards and
threats, as well as safety and security architec-
tural patterns, e. g., safety and security monitors,
watchdogs, and firewalls.
From this language, safety and security reaso-
ning principles are specified as logic programm-
ing rules. They specify, for example, under
which conditions a particular security pattern
used in a given architecture can guarantee the
security against some given threats.
14
Reasoning
Principles
Patterns
Increment Automated
(new System, new threat, Design
new asset) Exploration
DSL
Trade-Off Analysis
Certification
Artefacts
Automated Certification for
Selected Item Increment
used in databases and for network routing. It The increment D is fed to the logic specification
seems possible to use and adapt these tech based on a Domain-Specific Language (DSL) on
niques for the maintenance of rigorous security which architectural patterns and reasoning rules are
assessments. specified. By using design exploration techniques,
the machinery automatically generates a collection
• Automation. For increased process efficien- of item increments all of which are associated with
cy and reduced errors, increased automated a security assessment.
support is key. Fortunately, the past years have
witnessed the emergence of several automated A trade-off analysis among the generated item in-
methods for the reasoning about system archi- crements taking into account other aspect, such as
tectures by, e. g., design exploration, and the safety, performance, costs or quality. This trade-off
generation of evidence by using (formal) tools, is supported by automated techniques enabling the
such as static analyzers and model-checkers. selection of a best suited item increment.
Figure 4 depicts how the three pillars above are Finally, the certification artefacts, e. g., security as-
used for the incremental security engineering of sessments, are generated for the new item.
ISO 21434. This paper refers to these three pillars
working together as the machinery, especially when Benefits. The proposed approach has two key
referring to the automation of tasks. benefits to existing approaches based on model-
based engineering, e. g., GSN models, or textual
Assume a given item definition I for which a rigo- models, e. g., Excel sheets.
rous security assessment has been carried out.
Moreover, assume that there is a new increment, D, The first benefit is derived from the use of logic-
to the item, e. g., new feature, or to the assumptions based specifications for the generation of security
about the environment, e. g., new threat, that may assessment. As a result, one can rely on concepts
invalidate the existing security assessment for I. like soundness and completeness using precise
15
semantics, instead of the textual semantics which
may be ambiguous in GSN models for example. Approach by Example
This enables the automatic checking of whether the
argument used in security assessments is correct or The goal of this section is to describe (1) how the
whether there are flaws in the reasoning or missing proposed approach can be used to automate parts
assumptions. Moreover, using logic-based tools, it of the ISO 21434 risk assessment and (2) how this
is even possible to automatically enumerate which approach deals with incremental changes in the
evidence is still required for completing a security system architecture, thus supporting continuous
argument. security assessment and certification. To this end,
the machinery is applied to the headlamp system
The second benefit is provided by the use of incre- explained in Section 2.
mental methods and automation. This enables a
less human error prone and efficient certification
process. Without these two elements, the overhead
costs for certification is very high as already ob Automating ISO 21434
served in the avionics domain where the change of
a single line of code can imply costs of in the order The machinery takes as input the preliminary sys-
of millions of USD. tem architecture as well as the damage scenarios
associated with both assets from the system archi-
A key impact of the two benefits above is that the tecture and cyber-security properties. The machine-
proposed incremental approach enables continu- ry also expects as input the impact rating for each
ous certification of connected vehicles. Whenever given damage scenario. These artefacts cover three
there is a new incremental change to the item or activities from the risk assessment, namely item de-
to the environment assumptions, new certification finition, asset identification, and impact rating.8
artefacts should be produced for certification. The
use of rigorous security assessments and the incre- Consider the Example 3.2 from Section 3. The as-
mental approach enable the production of these set is the CAN bus transmitting messages from the
artefacts in a highly automated fashion by relying Gateway ECU to the headlamp system. This section
on automated reasoning tools, such as logic pro- considers the Damage Scenario 1 only, namely un-
gramming tools [25, 16]. Moreover, certification expected loss of head light.
authorities have to check whether the artefacts are
compliant to the ISO 21434. Since the methods
used in the approach are based on rigorous security
assessments, certification authorities can use exis- Example 5.1
ting tools to automatically check whether the secu-
rity arguments are correct. In the DSL, one can specify both the identified asset
and damage scenarios as follows:
asset(can2).
dmgScenario(“hl turns off overnight
driving”,can2,int, [maj,neg,maj,neg]).
16
der can find detailed description on how to specify path. It then automatically calculates the overall
elements for the system architecture such as chan- level of an attack path following the attack potential
nels and components in [17]. approach. Given the overall level of an attack path,
reasoning principles rules are specified to automati-
The next activities are the threat scenario identifi- cally calculate the risk determination for each threat
cation and attack path analysis. The machinery can following the risk matrix method.
automate these activities. The reasoning principles
specify a potential threat for each asset associated
with a damage scenario. A potential threat becomes
an actual threat if the asset may be reached by Example 5.2
an attacker. The machinery expects as input the
public elements of the system architecture, i.e., The machinery outputs the following w.r.t. the
the elements that may be accessible by external attack feasibility rating and risk determination.
users. Bluetooth and Cellular interfaces and OBD-II
connector are considered to be public elements. {attFS([can2,[can2,gw,can1,bt], int,
Reachability rules are specified to automatically maj],high)}
check whether from a public element (e. g., Blue- {riskDT([can2,[can2,gw,can1,bt],
tooth) an attacker may access an asset (e. g., CAN int,maj],4)}
bus) through a path P. The machinery identified
three possible paths to access the CAN bus (located For both facts, attFS and riskDT, the first argument
between Gateway ECU and headlamp system) from is the threat ID. The threat ID is composed of the
the public elements. identified asset (can2), the attacker’s path (direction
from right to left), the cyber-security property (in-
Next in the risk assessment are the attack feasibility tegrity), and the impact rating (major). This example
rating and risk determination. As shown in Table considers the safety impact rating only. The last
2, a level (e. g., high) is assigned to each step of an argument of attFS and riskDT denotes, respectively,
attacker’s path. The machinery takes as input the the overall feasibility rating (high), and the risk value
assigned level to each attack step of a given attack for the identified threat (4).
Cellular Bluetooth
Navigation ECU
OBD-II
Connector
Gateway ECU
ITEM BOUNDARY
Other ECUs FIREWALL
Power
Headlamp Body Control
Switch
Switch ECU
Lamp Low Actuator
ON / Hi
Headlamp System ON / OFF
Request
17
The last activity in the risk assessment is risk treat- recommendation of security patterns to mit-
ment decision. The machinery enables the auto- igate identified threats (risk treatment decision),
mated recommendation of security patterns to explicitly suggesting where to deploy them in
mitigate identified threats. To this end, reasoning the architecture
principles are specified for (1) Mitigation: which
threats can be mitigated by a given deployed secu-
rity pattern and which threats cannot be mitigated.
(2) Security Pattern Recommendation: which Incremental Security Approach
security patterns, e. g., Firewall or Security Monitor,
can be used and where exactly they should be de- To illustrate the incremental approach depicted
ployed to mitigate threats that have not yet been in Figure 4, assume that there is an incremental
mitigated. change in the headlamp system as follows.
The machinery recommended using a firewall to Increment. Consider as increment the ability to per-
mitigate the identified threat. The architecture of form software updates on the Body Control ECU. It
the headlamp system with a firewall is depicted in is assumed that at some point during the life-cycle
Figure 5. A firewall is deployed between the Gate- of the headlamp system a software update on the
way ECU and the headlamp system. The goal is Body Control ECU is performed. This software up-
to mitigate malicious incoming flows from public date may be performed by, e. g., a wired connection
elements such as Bluetooth, Cellular or OBD-II through the OBD-II connector, or through-the-air
connector. by using the Bluetooth or Cellular interfaces.
In summary, the machinery can automate the follo- The considered increment may lead to new threats
wing parts of the ISO 21434 risk assessment: to the headlamp system as new flows are genera-
ted between public elements (e. g., OBD-II connec-
identification of threats given damage scenarios tor) and the headlamp system. A potential threat is
(threat scenario identification) an attacker injecting malicious code into the Body
Control ECU (asset) in an unauthorized fashion. This
identification of the attacker’s path to exploit potential threat may lead to loss of integrity of the
identified threats (attack path analysis) Body Control ECU due to unauthorized access.
calculation of the overall level of an attacker’s Following the approach illustrated in Figure 4, the
path (attack feasibility rating) given the assig- machinery takes the inputs described in Section 5.1
ned level to each attack step of an attack path and a potential threat to the Body Control ECU. The
machinery then automatically checks whether the
calculation of the risk value for each identified given potential threat is an actual threat by checking
threat (risk determination) possible attacker’s paths. Three attacker’s paths are
identified, initiated from the OBD-II connector, Blue-
tooth and Cellular interface, respectively.
ITEM BOUNDARY
Navigation ECU Navigation ECU
OBD-II OBD-II
Connector Connector
Camera Camera
ECU ECU
Sec. Monitor
Oncoming Car Information Oncoming Car Information
Yes / No Yes / No
Sec. Monitor
Power Power
Headlamp Body Control Headlamp Body Control
Switch Switch
Switch ECU Switch ECU
Lamp Low Actuator Lamp Low Actuator
ON / Hi HEADLAMP SYSTEM ON / Hi
Headlamp System ON / OFF Headlamp System ON / OFF
(Functional)
Request Request
(a) Sec. monitor associated to the Body Control ECU (b) Sec. monitor associated to the CAN bus
18
GOAL
The Headlamp System is Secure
against Identified Threats
STRATEGY ASSUMPTION
Mitigate all All Threats have
Identified Threats been Identified
SOLUTION SOLUTION
Use Firewall Use Security
Monitor
Figure 7. Security argument in the form of a GSN model derived by the machinery for the headlamp system
Automated Design Exploration. Next, the machi- expensive (performance-wise) than the one deploy-
nery automatically suggests solutions for mitigating ed by means of software instrumentation. The
the identified threat. Two solutions are depicted in reason is that the deployed proxy shall intercept
Figure 6. It suggested the deployment of a security each incoming message from the Gateway ECU
monitor to mitigate the identified threat. The goal is regardless of the destination of the message. The
to mitigate malicious access from public elements security monitor associated with the Body Control
by enforcing access control policies, such as “only ECU shall only intercept messages destined to
authorized users from public elements may write the Body Control ECU itself. Hence, based on the
data into the Body Control ECU”. performance impact of such solutions, one may
choose the security monitor illustrated in Figure 6a
Figure 6a illustrates a security monitor associated over the one illustrated in Figure 6b.
with the Body Control ECU, whereas Figure 6b
illustrates a security monitor associated with the Automated Security Argument Generation. Once
CAN bus. Both solutions can mitigate the identified a design solution is chosen, the machinery can
threat. The main difference is that the former may construct the security argument based on the
be deployed by means of software instrumentation, (previously and newly) identified threats, and the
and the latter may be deployed as a physical proxy security pattern that has been proposed. That is, it
between the Gateway ECU and the Body Control can construct security arguments in the form of a
ECU. GSN model. Figure 7 depicts a (piece of the) GSN
model derived from the machinery for the head-
Trade-off Analysis. A trade-off analysis should be lamp system. It includes the identified threat as well
carried out to help engineers to choose the best as which security pattern can be used to mitigate
suited solution for the system. For example, the se- which threat.
curity monitor deployed as a proxy might be more
19
20
security concerns. For example, GSN extensions
with security features, so that in a single frame-
Related Work work, one can express both security and safety [24].
Moreover, our previous work [23, 27] proposed me-
chanisms for extracting security relevant informa-
Recent white papers [12][32] also give an overview tion from safety analysis, such as Fault Tree Analysis
on ISO 21434. They both discuss the set of guide or Failure Mode and Effects Analysis.
lines proposed for securing automotive vehicles.
The white paper [12] focuses on the activities per- While this paper is inspired by these previous work,
formed in the risk assessment. It proposes an ap- the main focus here is on incremental methods for
proach to automotive cybersecurity engineering. safety and security co-analysis. As illustrated by the
This approach suggests the use of offense and de- running example and in our previous work [18], the
fense mechanisms for helping engineers to imple- proposed approach takes into account both safety
ment the guidelines of ISO 21434. The white paper and security during trade-offs to determine the best
[32] proposes a layered approach for securing auto- design increments.
motive vehicles. The advantage of this approach
is to reduce the probability of an attack’s success
by providing multi-layered response to attacks for
protection, detection, and response. This paper pro-
poses an incremental approach to enable the conti-
nuous certification for automotive vehicles.
21
Next Research Tooling. Currently, the machinery is based
on the logic programming engine DLV [25]
22
Conclusion
This paper describes the ISO 21434 standard for of ICT in vehicles. However, without adequate
automotive security focusing on the activities and automated methods, it may fall short given the tight
artefacts that shall be produced by engineers. The deadlines in placing vehicles in the market. This
paper goes beyond the ISO 21434 by describing pressure may cause engineers to cut corners by
an incremental security engineering approach. It overlooking (implicit) assumptions or not taking into
illustrates by example how this approach can sup- account the trade-offs between safety and security
port engineers in constructing arguments for item thus leading to insecure vehicles.
security claims. Finally, it points to multiple research
directions to realize the proposed incremental ap- Therefore, the next years will require a co-joint ef-
proach in an operational setting. fort between research institutes, industry and certi-
fication bodies to develop the framework needed,
The ISO 21434 is a step forward towards increasing i.e., methods and processes, to efficiently derive
vehicle security as it addresses some of the key appropriate security arguments supported by com-
challenges upcoming with the increased adoption prehensive evidence.
23
References
[1] AF3 – AutoFOCUS 3. More information at [13] Alessandra Bagnato, Barbara Kordy, Per
https: //af3.fortiss.org/. Håkon Meland, and Patrick Schweitzer. Attribute
decoration of attack-defense trees. IJSSE, 3(2):1–35,
[2] ISO 26262, Road vehicles – Functional 2012.
safety — Part 6: Product development: software
level. Available from https://www.iso.org/standard/ [14] Tewodros A. Beyene and Harald Ruess.
43464.html. Evidential and continuous integration of software
verification tools. In Formal Methods – 22nd Inter-
[3] ISO/SAE AWI 21434, Road Vehicles – Cyber- national Symposium, FM 2018, Held as Part of the
security engineering. Under development. Federated Logic Conference, FloC 2018, Oxford,
UK, July 15-17, 2018, Proceedings, pages 679–685,
[4] SAE – Society of Automotive Engineers, SAE 2018.
J3061 - Cybersecurity Guidebook for Cyber-Phy-
sical Automotive Systems. Available from https:// [15] Stefano Bistarelli, Fabio Fioravanti, and Pa-
www.sae.org/standards/content/j3061_201601/. mela Peretti. Defense tree for economic evaluations
of security investment. In ARES 06, pages 416–423,
[5] Threatget – threat analysis and risk manage- 2006.
ment. Available at https://www.threatget.com/.
[16] Simon Cruanes, Grégoire Hamon, Sam
[6] GSN Community Standard Version 1. 2011. Owre, and Natarajan Shankar. Tool Integration with
Available at http://www.goalstructuringnotation. the Evidential Tool Bus. In Verification, Model Checking,
info/documents/GSN_Standard.pdf. and Abstract Interpretation, 14th International Con-
ference, VMCAI. Proceedings, 2013.
[7] Hackers remotely kill a Jeep on the high-
way – with me in it, 2015. Available at https://www. [17] Yuri Gil Dantas, Antoaneta Kondeva, and
wired.com/2015/07/hackersremotely-kill-jeep- Vivek Nigam. Less manual work for safety engi-
highway/. neers: Towards an automated safety reasoning with
safety patterns. In International Conference on
[8] Q1 2019 sees a rapid growth of automotive Logic Programming (ICLP), 2020.
cyber incidents, 2019. Available at https://upstream.
auto/blog/q1-2019-sees-a-rapid-growth-of- [18] Yuri Gil Dantas, Antoaneta Kondeva, and
automotivecyber- incidents/. Vivek Nigam. Towards automating safety and
security co-analysis with patterns (position paper).
[9] The changing face of automotive cyber In Safecomp, 2020.
attacks, 2020. Available at https://www.trustonic.
com/opinion/the-changing-face-ofautomotive- [19] Yuri Gil Dantas, Vivek Nigam, and Carolyn
cyber-attacks/. Talcott. A formal security assessment framework for
cooperative adaptive cruise control. In IEEE Vehicu-
[10] Cyber attacks on automotive sector picking lar Networking Conference (VNC), 2020.
up speed, 2020. Available at
https://www.hornetsecurity.com/en/securityinfor- [20] Anne Dardenne, Axel van Lamsweerde, and
mation/cyber-attacks-onautomotive-sector-picking- Stephen Fickas. Goal-directed requirements acquisi-
up-speed/. tion. Sci. Comput. Program., 20(1-2):3–50, 1993.
[11] Upstream security’s 2020 global automotive [21] Edward Griffor, editor. Handbook of System
cybersecurity report, 2020. https://upstream.auto/ Safety and Security. 2016.
upstreamsecurity-global-automotive-cybersecurity-
report-2020/. [22] Ashish Gupta, Inderpal Singh Mumick, and
V. S. Subrahmanian. Maintaining views incremen-
[12] Dr. Hasan I. Akram. Bridging the Cyberse- tally. In Peter Buneman and Sushil Jajodia, editors,
curity Gap in Automotive: The Upcoming ISO/SAE Proceedings of the 1993 ACM SIGMOD Internatio-
21434 and its Implications for Automotive Cyber- nal Conference on Management of Data, Washing-
security Engineering. Matrickz GmbH, White Paper, ton, DC, USA, May 26–28, 1993, pages 157–166.
2020. ACM Press, 1993.
24
[23] Antoaneta Kondeva, Carmen Carlan, Harald [32] Vit Sembera. ISO/SAE 21434: Setting the
Ruess, and Vivek Nigam. On computer-aided tech- Standard for Connected Cars’ Cybersecurity. Trend
niques for supporting safety and security co-engi- Micro Research, White Paper, 2020.
neering. In The 9th IEEE International Workshop on
Software Certification WoSoCer, 2019. [33] Adam Shostack. Threat Modeling:
Designing for Security. Wiley.
[24] Per Håkon Meland, Elda Paja, Erlend Andreas
Gjære, Stephane Paul, Fabiano Dalpiaz, and Paolo [34] Abraao Aires Urquiza, Musab A. AlTurki, Max
Giorgini. Threat analysis in goal-oriented security I. Kanovich, Tajana Ban Kirigin, Vivek Nigam, Andre
requirements modelling. Int. J. Secur. Softw. Eng., Scedrov, and Carolyn L. Talcott. Resource-bounded
5(2):1–19, 2014. intruders in denial of service attacks. In 32nd IEEE
Computer Security Foundations Symposium, CSF
[25] Wolfgang Faber Thomas Eiter Georg Gott- 2019, Hoboken, NJ, USA, June 25-28, 2019, pages
lob Simona Perri Francesco Scarcello Nicola Leone, 382–396, 2019.
Gerald Pfeifer. The dlv system for knowledge re-
presentation and reasoning. ACM Trans. Comput.
Logic, 7:499–562, 2006.
25
Imprint
Publisher Picture Credits
fortiss Title: shutterstock ©TierneyMJ
www.fortiss.org Page 4: shutterstock © metamorworks
© 2021 Page 6: shutterstock © Titima Ongkantong
Page 14: shutterstock © Wright Studio
Authors Page 20: shutterstock © LevLev
Yuri Gil Dantas Page 23: shutterstock © Iurii Motov
Dr. Vivek Nigam Seite 26: fortissGmbH © Kathrin Kahle
Dr. Harald Ruess
Layout
Sonja Taut
Print
viaprinto | CEWE Stiftung & Co. KGaA
Martin-Luther-King-Weg 30a
48155 Münster
26
fortiss is the Free State of Bavaria research institute Although this white paper was prepared with the
for software-intense systems based in Munich. The utmost care and diligence, inaccuracies cannot be
institute’s scientists work on research, development excluded. No guarantee is provided, and no legal
and transfer projects together with universities and responsibility or liability is assumed for any damages
technology companies in Bavaria and other parts resulting from erroneous information.
of Germany, as well across Europe. The research
activities focus on state-of-the-art methods, tech
niques and tools used in software development and
systems & service engineering and their application
with cognitive cyber-physical systems such as the
Internet of Things (IoT).
27
fortiss GmbH
Guerickestraße 25
80805 Munich
Germany
www.fortiss.org
Tel.: +49 89 3603522 0
E-Mail: info@fortiss.org