Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Fully Networked Car Geneva, 3-4 March 2010 Security risk analysis approach for on-board vehicle networks 1 Alastair Ruddle Consultant, MIRA Limited.

Published byIsabel Thomson Modified over 10 years ago

Similar presentations

Presentation on theme: "The Fully Networked Car Geneva, 3-4 March 2010 Security risk analysis approach for on-board vehicle networks 1 Alastair Ruddle Consultant, MIRA Limited."— Presentation transcript:

1 The Fully Networked Car Geneva, 3-4 March 2010 Security risk analysis approach for on-board vehicle networks 1 Alastair Ruddle Consultant, MIRA Limited

2 The Fully Networked Car Geneva, 3-4 March 2010 2 Motivation o Future vehicles will become mobile nodes in a dynamic transport network vehicle systems will be under threat from malicious individuals and groups seeking to gain personal or organizational advantage ensuring security will be critical for the successful deployment of V2X technology o EU project EVITA aims to prototype a toolkit of techniques and components to ensure the security of in-vehicle systems hardware, software, analysis methods

3 The Fully Networked Car Geneva, 3-4 March 2010 EVITA scope and assets 3 EVITA only aims to investigate network security solutions at vehicle level Different levels of security protection are envisaged, depending on need Some assets may not require security measures (low risk) Risk analysis aims to prioritize security requirements

4 The Fully Networked Car Geneva, 3-4 March 2010 EVITA project security risk analysis rationale o Too costly to protect against every threat, so need to rank risks in order to prioritize countermeasures o Risk associated with a security attack depends on: severity of impact (ie. harm to stakeholders) drivers, other road users, civil authorities, ITS operators, vehicle manufacturers and system suppliers probability of successful attack depends on attacker resources, nature of attack o Physical safety is a key aspect of security physical harm may be an objective of an attack harm may also be an unintended consequence 4

5 The Fully Networked Car Geneva, 3-4 March 2010 Starting point – EVITA Use Cases 5 Powertrain PTC Body Electronic BEM Diagnosis Interface Hybrid Drive Engine Control Bluetooth USB Communication Unit CU Transmission Chassis & Safety CSC Chassis / Steering Brake Control Environmental Sensors Passive Safety Airbag Door Modules Instrument Light Control Display / Video Audio Navigation Head Unit HU Mobile Device In-vehicle network structure PT Sensors Chassis Sensors e.g. Steer Angle GPS/Galileo UMTS DSRC Telephone Climate Seat ECU A suite of 18 potential use cases was defined, based on EASIS project network architecture Scenario classes: car-car car-infrastructure mobile devices aftermarket maintenance Assumed reference architecture

6 The Fully Networked Car Geneva, 3-4 March 2010 Security threat agents and their motivations o Dishonest drivers avoid financial obligations, gain traffic advantages; o Hackers gain/enhance reputation as a hacker; o Criminals and terrorists financial gain, harm or injury to individuals or groups; o Dishonest organisations driver profiling, industrial espionage, sabotage of competitor products; o Rogue states achieve economic harm to other societies 6

7 The Fully Networked Car Geneva, 3-4 March 2010 7 Threat analysis – Attack Trees Common model to map attack trees to risk analysis

8 The Fully Networked Car Geneva, 3-4 March 2010 Severity classification in vehicle safety engineering 8

9 The Fully Networked Car Geneva, 3-4 March 2010 Extending from safety to security 9

10 The Fully Networked Car Geneva, 3-4 March 2010 Severity classification of privacy infringements 10

11 The Fully Networked Car Geneva, 3-4 March 2010 Financial severity classification 11

12 The Fully Networked Car Geneva, 3-4 March 2010 Security severity classification – a 4-component vector 12

13 The Fully Networked Car Geneva, 3-4 March 2010 Attack potential and probability o Attack potential evaluation using established, structured approach from Common Criteria applied in EVITA at asset attack level of attack trees o Indicative of attack probability (inverse relationship) numerical scale used to represent relative ranking of attack probability 13

14 The Fully Networked Car Geneva, 3-4 March 2010 Possibility for the driver (and/or other traffic participants) to mitigate possible safety hazards Controllability – safety hazards 14

15 The Fully Networked Car Geneva, 3-4 March 2010 Risk graph (fragment only) 15 Non-safety aspects addressed with table for controllability C=1 (C>1 only for safety issues)

16 The Fully Networked Car Geneva, 3-4 March 2010 A compressed tabular attack tree representation provides a convenient framework for documenting the risk analysis Attack Objective Severity (S) Attack Method Risk level (R) Combined attack method probability (A) Asset (attack) Attack Probability (P) B SBSB B1 R B1 (S B, A B1 )A B1 =min{Pa,Pb} a & b Pa Pb B2 R B2 (S B, A B2 )A B2 =max{Pd,Pe,Pf} d Pd e Pe f Pf Attack tree tables for risk analysis 16 OR: as easy as the easiest option AND: as hard as the hardest component

17 The Fully Networked Car Geneva, 3-4 March 2010 Overview of EVITA attack trees o The 18 EVITA use cases suggested 10 attack trees: attack E-call, attack E-toll tamper with warnings, attack active break manipulate speed limits, force green light manipulate traffic flow, simulate traffic jam unauthorized braking, engine denial-of-service o These are representative, but not exhaustive o Rationalization of the attack trees revealed: 44 different asset attacks, involving 16 different assets o Risk analysis provides the means to assess the relative importance of protecting these assets 17

18 The Fully Networked Car Geneva, 3-4 March 2010 Risk-based prioritisation of counter-measures 18

19 The Fully Networked Car Geneva, 3-4 March 2010 19 Conclusions o A security risk analysis approach has been developed from automotive safety and IT security practices attack trees to identify asset attacks from use cases, attacker type and motivations 4-component security risk vector, potentially including security-related safety issues attack potential and controllability to assess probability of successful attack o Level and frequency of risks associated with asset attacks identified in attack trees indicate priorities for counter-measures

20 The Fully Networked Car Geneva, 3-4 March 2010 Acknowledgements 20 For further information see: www.evita-project.org

Download ppt "The Fully Networked Car Geneva, 3-4 March 2010 Security risk analysis approach for on-board vehicle networks 1 Alastair Ruddle Consultant, MIRA Limited."

Similar presentations

1 of 21 Information Strategy Developing an Information Strategy © FAO 2005 IMARK Investing in Information for Development Information Strategy Developing.

1 of 21 Information Strategy Developing an Information Strategy © FAO 2005 IMARK Investing in Information for Development Information Strategy Developing.
Systems Security Engineering An Updated Paradigm INCOSE Enchantment Chapter November 8, 2006 John W. Wirsbinski.

Systems Security Engineering An Updated Paradigm INCOSE Enchantment Chapter November 8, 2006 John W. Wirsbinski.
1 Introduction to Safety Management April 2006. 2 Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.

1 Introduction to Safety Management April Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.
Efficient Secure Aggregation in VANETs Maxim Raya, Adel Aziz, and Jean-Pierre Hubaux Laboratory for computer Communications and Applications (LCA) EPFL.

Efficient Secure Aggregation in VANETs Maxim Raya, Adel Aziz, and Jean-Pierre Hubaux Laboratory for computer Communications and Applications (LCA) EPFL.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
SOA for EGovernment 1 Emergency Services Enterprise Framework: A Service-Oriented Approach Sukumar Dwarkanath COMCARE Michael Daconta Oberon Associates.

SOA for EGovernment 1 Emergency Services Enterprise Framework: A Service-Oriented Approach Sukumar Dwarkanath COMCARE Michael Daconta Oberon Associates.
Www.vsrc.org.uk Pete Thomas Professor in Road and Vehicle Safety Vehicle Safety Research Centre Loughborough University, UK A review of ITS and their safety.

Pete Thomas Professor in Road and Vehicle Safety Vehicle Safety Research Centre Loughborough University, UK A review of ITS and their safety.
GREEN PAPER TOWARDS A NEW CULTURE FOR URBAN MOBILITY EUROPEAN COMMISSION.

GREEN PAPER "TOWARDS A NEW CULTURE FOR URBAN MOBILITY" EUROPEAN COMMISSION.
the European Union policy

the European Union policy
The Fully Networked Car Geneva, 3-4 March 2010 1 DEVELOPMENT OF OPEN-CORE FLEXRAY CONTROLLER FOR OEM ULTRA LOW COST AUTOMOTIVE APPLICATIONS PRAMOD.VSUBRAT.

The Fully Networked Car Geneva, 3-4 March DEVELOPMENT OF OPEN-CORE FLEXRAY CONTROLLER FOR OEM ULTRA LOW COST AUTOMOTIVE APPLICATIONS PRAMOD.VSUBRAT.
Colombo, Sri Lanka, 7-10 April 2009 Preferential Telecommunications Service Access Networks Lakshmi Raman, Senior Staff Engineer Intellectual Ventures.

Colombo, Sri Lanka, 7-10 April 2009 Preferential Telecommunications Service Access Networks Lakshmi Raman, Senior Staff Engineer Intellectual Ventures.
Evolution of Automotive In-Vehicle Networking

Evolution of Automotive In-Vehicle Networking
The Fully Networked Car Geneva, 4-5 March 2009 1 T. Russell Shields Chair, Ygomi LLC Vehicle Communications to Help the Environment.

The Fully Networked Car Geneva, 4-5 March T. Russell Shields Chair, Ygomi LLC Vehicle Communications to Help the Environment.
Module N° 7 – Introduction to SMS

Module N° 7 – Introduction to SMS
The EMERALD RTD Plan and the ASAS Validation Framework R P (Bill) Booth 10 October 2002.

The EMERALD RTD Plan and the ASAS Validation Framework R P (Bill) Booth 10 October 2002.
1 Ben Pierce, Battelle March 2, 2010 US DOT IntelliDrive SM Program.

1 Ben Pierce, Battelle March 2, 2010 US DOT IntelliDrive SM Program.
0 - 0.

0 - 0.
SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION

SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION
Addition Facts 1 - 20.

Addition Facts
1 9 Moving to Design Lecture 4. 2 9 Analysis Objectives to Design Objectives Figure 9-2.

1 9 Moving to Design Lecture Analysis Objectives to Design Objectives Figure 9-2.

Similar presentations

Ads by Google