How to prevent cyber attacks on connected cars using Threat Modeling

Iza Hedlund
Published in DataDrivenInvestor
4 min read, Feb 18, 2021


Image by author

The automotive industry is undergoing a major shift towards increasingly connected and autonomous cars, and as more vehicles use V2X communications the risks and threats rise. Designing for security and managing cyber risk proactively is absolutely key. As McKinsey and Company states in this article, "Carmakers must securely design vehicle platforms and related digital mobility services from the start. That is because the inherent complexity of vehicle platforms, with their long development cycles and complex supply chains, does not allow for late-stage architectural changes." Designing for security and managing risks proactively is, however, a very challenging task, and many companies are struggling with it.

Image by McKinsey and Company

Threat Modeling fits this task very well. It is a methodology for improving the security of networks, applications and Internet-facing systems by identifying security objectives and vulnerabilities and defining countermeasures that prevent or mitigate the effects of threats to the systems, environments or devices. In automotive environments, Threat Modeling is used to improve security proactively by identifying vulnerabilities and threats to the system as a whole and to its individual parts, for example a particular product, unit, ECU or connection whose compromise could cause road accidents, injuries, theft, financial losses, etc.

Image by foreseeti

ENISA recommends in the publication "Cyber Security and Resilience of smart cars, Good practices and recommendations" that vehicle manufacturers conduct cyber security risk assessments that include Threat Modeling for each of their vehicles, covering the incoming and outgoing data flows around the vehicle, and that these analyses be updated over time. It is also recommended that manufacturers analyze possible threat sources. A threat source is defined as either the intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability. For each vulnerability, a summary report should be produced that concisely summarizes the risk analysis and the Threat Modeling information. The results of the analyses, and the critical information they produce, should also be traceable to the related documentation.

Image by ENISA

securiCAD tooling enables automated Threat Modeling and Attack Simulations tailored for connected vehicles, making Threat Modeling practically viable for automotive companies. securiCAD is a leading tool for automated Threat Modeling and Attack Simulations, developed to run virtual attack simulations on models of IT architectures. It lets companies move their Threat Modeling and Risk Assessments from isolated technical exercises to a holistic approach for measuring the risk exposure of their IT infrastructure. One of the specializations of securiCAD is for connected vehicles: it lets automotive companies model the specific systems of a connected vehicle and run automated Threat Modeling and Attack Simulations on those systems. The specialization was developed in an innovation project involving foreseeti, Scania, Volvo Cars, F-Secure and KTH Royal Institute of Technology in Stockholm.

Using securiCAD in the automotive industry sector:

The fundamental approach of cyber security analysis with securiCAD is to simulate attacks on a digital twin (a model) of your current or future systems, devices or applications. Because the simulations run on the model, securiCAD does not interfere with the real, running solution. Once the model of the environment has been built in securiCAD, check its structure and flag the High Value Assets: any object in the model, and any number of objects, can be chosen as a High Value Asset. The attack simulations then try to reach every corner of the model, so there are simulation results for most objects in it. The report shows risk exposure values and Time to Compromise values for the selected High Value Assets. The Critical Paths and Chokepoints views visualize the attack paths, i.e. how an attacker can most easily reach or compromise your High Value Assets. The user can then choose and test the effectiveness of different applicable mitigation actions, to assess how the risks can be reduced in the most effective way.
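As an added illustration of the approach just described (this is not securiCAD code, and not its algorithm, which the page does not describe in detail): a small Python model of a connected-vehicle architecture as an attack graph. Every edge is an assumed number of days an attacker who controls one component needs to reach the next; the component names (TCU, Infotainment, Gateway, BrakeECU, DoorLockECU), the entry point and all the Time to Compromise values are constructed for the example and do not describe any real vehicle. The functions compute the Time to Compromise and critical path for each flagged High Value Asset, find the chokepoints shared by all critical paths, and compare two candidate mitigations by how much they raise the worst-case Time to Compromise.

```python
"""Toy attack-path simulation over a connected-vehicle architecture model.

Added illustration, not securiCAD code or its algorithm. The topology,
attack steps and time-to-compromise (TTC) values are constructed for this
example; they are not measurements of any real vehicle or product.
"""
import heapq

HIGH_VALUE_ASSETS = ["BrakeECU", "DoorLockECU"]   # assets flagged by the analyst


def build_model():
    """Constructed model: edges[src][dst] = assumed days an attacker on src needs to reach dst."""
    return {
        "Internet":     {"TCU": 20.0},                          # remote attack on the telematics unit
        "TCU":          {"Infotainment": 5.0, "Gateway": 12.0},
        "Infotainment": {"Gateway": 10.0},
        "Gateway":      {"BrakeECU": 8.0, "DoorLockECU": 3.0},
        "BrakeECU":     {},
        "DoorLockECU":  {},
    }


def time_to_compromise(edges, entry, targets):
    """Dijkstra from the attacker's entry point: the cheapest path is the critical path.

    Returns {target: (ttc_days, critical_path)}; unreachable targets get (inf, []).
    """
    dist, prev = {entry: 0.0}, {}
    heap = [(0.0, entry)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:          # stale heap entry
            continue
        for nxt, w in edges.get(node, {}).items():
            if d + w < dist.get(nxt, float("inf")):
                dist[nxt] = d + w
                prev[nxt] = node
                heapq.heappush(heap, (d + w, nxt))
    out = {}
    for t in targets:
        if t not in dist:
            out[t] = (float("inf"), [])
            continue
        path = [t]
        while path[-1] in prev:
            path.append(prev[path[-1]])
        out[t] = (dist[t], path[::-1])
    return out


def chokepoints(results, entry):
    """Intermediate nodes shared by every critical path: a control there affects all targets."""
    paths = [set(p[1:-1]) for _, p in results.values() if p]
    if not paths:
        return set()
    return set.intersection(*paths) - {entry}


def with_mitigation(edges, src, dst, extra_days):
    """Copy of the model in which the step src->dst costs extra_days more (a control applied)."""
    new = {k: dict(v) for k, v in edges.items()}
    new[src][dst] = new[src][dst] + extra_days
    return new


def worst_case_ttc(results):
    """Risk summary: the easiest High Value Asset decides the overall exposure."""
    return min(ttc for ttc, _ in results.values())


def compare_mitigations(entry="Internet"):
    """Evaluate candidate controls by how much each raises the worst-case TTC."""
    base = build_model()
    candidates = {
        "baseline": base,
        "filter gateway->brake": with_mitigation(base, "Gateway", "BrakeECU", 30.0),
        "harden TCU": with_mitigation(base, "Internet", "TCU", 30.0),
    }
    return {name: worst_case_ttc(time_to_compromise(m, entry, HIGH_VALUE_ASSETS))
            for name, m in candidates.items()}


if __name__ == "__main__":
    res = time_to_compromise(build_model(), "Internet", HIGH_VALUE_ASSETS)
    for asset, (ttc, path) in res.items():
        print(f"{asset}: TTC {ttc:.0f} days via {' -> '.join(path)}")
    print("chokepoints:", chokepoints(res, "Internet"))
    print("worst-case TTC per option:", compare_mitigations())
```

In this toy model, filtering only the gateway-to-brake step raises the brake ECU's Time to Compromise but leaves the door lock ECU exactly as exposed as before, while hardening the telematics unit, which sits on every critical path, raises the worst-case value for both assets. That is the kind of comparison the mitigation step above is about. A real tool works with probabilistic time distributions and many attack step types per asset rather than one fixed number per edge, but the ranking logic is the same.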

Image by author

Proactive modeling at the design stage: lets manufacturers uncover weaknesses in devices, products or applications before they are introduced. Simulate attacks on planned IT architectures already at the design stage and/or before deployment, and feed the insights back to the development team as proactive actions.

Proactive modeling of an existing architecture: analyze live systems in a non-intrusive way. Build a model of your architecture, either manually and top down or automatically through data import, then simulate attacks and find out which security actions have the best effect in lowering your overall business risk.
