Skip to main content
SpringerLink
Log in

Threat Modeling and Attack Simulations of Connected Vehicles: Proof of Concept

  • Conference paper
  • First Online:
Information Systems Security and Privacy (ICISSP 2019)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1221))

Included in the following conference series:

Abstract

A modern vehicle contains over a hundred Electronic Control Units (ECUs) that communicate over in-vehicle networks, and can also be connected to external networks making them vulnerable to cyber attacks. To improve the security of connected vehicles, threat modeling can be applied to proactively find potential security issues and help manufacturers to design more secure vehicles. It can also be combined with probabilistic attack simulations to provide quantitative security measurements, which has not been commonly used while shown efficient in other domains. This paper reviews research in the field, showing that not much work has been done in the combined area of connected vehicles and threat modeling with attack simulations. We have implemented and conducted attack simulations on two vehicle threat models using a tool called securiCAD. Our work serves as a proof of concept of the approach and indicates that the approach is useful. Especially if more research of vehicle-specific vulnerabilities, weaknesses, and countermeasures is done in order to provide more accurate analyses, and to include this in a more tailored vehicle metamodel.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://nvd.nist.gov/.

  2. 2.

    https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.

  3. 3.

    https://www.foreseeti.com/.

  4. 4.

    https://www.microsoft.com/en-us/download/details.aspx?id=49168.

  5. 5.

    https://www.cpomagazine.com/cyber-security/connected-cars-a-new-and-dangerous-vector-for-cyber-attacks/.

  6. 6.

    https://cve.mitre.org/.

  7. 7.

    https://www.first.org/cvss/.

  8. 8.

    http://autosec.se/wp-content/uploads/2018/04/1.2-holisec-state-of-the-art.pdf.

  9. 9.

    https://www.autosar.org/.

  10. 10.

    https://www.autosar.org/standards/classic-platform/.

  11. 11.

    https://can-newsletter.org/uploads/media/raw/d904c90ba599c668e9758ae558dcb845.pdf.

References

  1. Alrabady, A., Mahmud, S.: Analysis of attacks against the security of keyless-entry systems for vehicles and suggestions for improved designs. IEEE Trans. Veh. Technol. 54(1), 41–50 (2005)

    Article  Google Scholar 

  2. van de Beek, S., Leferink, F.: Vulnerability of remote keyless-entry systems against pulsed electromagnetic interference and possible improvements. IEEE Trans. Electromagn. Compat. 58(4), 1259–1265 (2016)

    Article  Google Scholar 

  3. Buttigieg, R., Farrugia, M., Meli, C.: Security issues in controller area networks in automobiles. In: 18th International Conference on Sciences and Techniques of Automatic Control and Computer Engineering, pp. 1–6 (2017)

    Google Scholar 

  4. Checkoway, S., et al.: Comprehensive experimental analyses of automotive attack surfaces. In: USENIX Security Symposium, San Francisco, pp. 77–92 (2011)

    Google Scholar 

  5. Dakermandji, J.: An autosar diagnostic platform. Master’s thesis, KTH Royal Institute of Technology, Stockholm, Sweden (2008)

    Google Scholar 

  6. Ekstedt, M., Johnson, P., Lagerstrom, R., Gorton, D., Nydrén, J., Shahzad, K.: Securi CAD by foreseeti: a CAD tool for enterprise cyber security management. In: 2015 IEEE 19th International Enterprise Distributed Object Computing Workshop (EDOCW), pp. 152–155. IEEE (2015)

    Google Scholar 

  7. Johnson, P., Lagerström, R., Ekstedt, M.: A meta language for threat modeling and attack simulations. In: Proceedings of the 13th International Conference on Availability, Reliability and Security, p. 38. ACM (2018)

    Google Scholar 

  8. Johnson, P., Lagerström, R., Ekstedt, M., Österlind, M.: It Management with Enterprise Architecture. KTH, Stockholm (2014)

    Google Scholar 

  9. Johnson, P., Lagerström, R., Närman, P., Simonsson, M.: Extended influence diagrams for system quality analysis. J. Software 2(3), 30–42 (2007)

    Article  Google Scholar 

  10. Johnson, P., Vernotte, A., Ekstedt, M., Lagerström, R.: pwnPr3d: an attack-graph-driven probabilistic threat-modeling approach. In: Proceedings of the 11th International Conference on Availability, Reliability and Security, pp. 278–283. IEEE (2016)

    Google Scholar 

  11. Karahasanovic, A.: Automotive cyber security: threat modeling of the AUTOSAR standard. Master’s thesis, University of Gothenburg, Gothenburg, Sweden (2016)

    Google Scholar 

  12. Karahasanovic, A., Kleberger, P., Almgren, M.: Adapting threat modeling methods for the automotive industry. In: Proceedings of the 15th ESCAR Conference, pp. 1–10. Chalmers Publication Library (2017)

    Google Scholar 

  13. Katsikeas, S., Johnson, P., Hacks, S., Lagerström, R.: Probabilistic modeling and simulation of vehicular cyber attacks: an application of the meta attack language. In: Proceedings of the 5th International Conference on Information Systems Security and Privacy (ICISSP) (2019)

    Google Scholar 

  14. Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Foundations of attack–defense trees. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 80–95. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19751-2_6

    Chapter  Google Scholar 

  15. Lagerström, R., Johnson, P., Höök, D.: Architecture analysis of enterprise systems modifiability-models, analysis, and validation. J. Syst. Softw. 83(8), 1387–1403 (2010)

    Article  Google Scholar 

  16. Ma, Z., Schmittner, C.: Threat modeling for automotive security analysis. Adv. Sci. Technol. Lett. 139, 333–339 (2016)

    Article  Google Scholar 

  17. Miller, C., Valasek, C.: A survey of remote automotive attack surfaces. In: BlackHat USA (2014)

    Google Scholar 

  18. Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle. In: BlackHat USA (2015)

    Google Scholar 

  19. Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 336–345. ACM (2006)

    Google Scholar 

  20. Park, J.S., Kim, D., Hong, S., Lee, H., Myeong, E.: Case study for defining security goals and requirements for automotive security parts using threat modeling. In: SAE Technical Paper. SAE International (2018). https://doi.org/10.4271/2018-01-0014

  21. Pesé, M.D., Schmidt, K., Zweck, H.: Hardware/software co-design of an automotive embedded firewall. In: SAE Technical Paper. SAE International (2017)

    Google Scholar 

  22. Saat, J., Winter, R., Franke, U., Lagerstrom, R., Ekstedt, M.: Analysis of it/business alignment situations as a precondition for the design and engineering of situated it/business alignment solutions. In: 2011 44th Hawaii International Conference on System Sciences, pp. 1–9. IEEE (2011)

    Google Scholar 

  23. Saini, V., Duan, Q., Paruchuri, V.: Threat modeling using attack trees. J. Comput. Sci. Coll. 23(4), 124–131 (2008)

    Google Scholar 

  24. Salfer, M., Eckert, C.: Attack graph-based assessment of exploitability risks in automotive on-board networks. In: Proceedings of the 13th International Conference on Availability, Reliability and Security, pp. 1–10. ACM (2018)

    Google Scholar 

  25. Salter, C., Saydjari, O.S.S., Schneier, B., Wallner, J.: Toward a secure system engineering methodology. In: Proceedings of the 1998 Workshop on New Security Paradigms, pp. 2–10. ACM (1998)

    Google Scholar 

  26. Shostack, A.: Threat Modeling: Designing for Security. Wiley, Indianapolis (2014)

    Google Scholar 

  27. Sion, L., Van Landuyt, D., Yskout, K., Joosen, W.: Sparta: security & privacy architecture through risk-driven threat assessment. In: 2018 IEEE International Conference on Software Architecture Companion (ICSA-C), pp. 1–4. IEEE (2018)

    Google Scholar 

  28. Välja, M., Korman, M., Lagerström, R.: A study on software vulnerabilities and weaknesses of embedded systems in power networks. In: Proceedings of the 2nd Workshop on Cyber-Physical Security and Resilience in Smart Grids, pp. 47–52. ACM (2017)

    Google Scholar 

  29. Van Bulck, J., Mühlberg, T., Piessens, F.: Vulcan: efficient component authentication and software isolation for automotive control networks. In: ACM International Conference Proceeding Series, pp. 225–237 (2017)

    Google Scholar 

  30. Vernotte, A., Välja, M., Korman, M., Björkman, G., Ekstedt, M., Lagerström, R.: Load balancing of renewable energy: a cyber security analysis. Energy Inform. 1(1), 1–41 (2018). https://doi.org/10.1186/s42162-018-0010-x

    Article  Google Scholar 

  31. Williams, I., Yuan, X.: Evaluating the effectiveness of microsoft threat modeling tool. In: Proceedings of the 2015 Information Security Curriculum Development Conference, p. 9. ACM (2015)

    Google Scholar 

  32. Xiong, W., Gülsever, M., Kaya, K.M., Lagerström, R.: A study of security vulnerabilities and software weaknesses in vehicles. In: Askarov, A., Hansen, R.R., Rafnsson, W. (eds.) NordSec 2019. LNCS, vol. 11875, pp. 204–218. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35055-0_13

    Chapter  Google Scholar 

  33. Xiong, W., Krantz, F., Lagerström, R.: Threat modeling and attack simulations of connected vehicles: a research outlook. In: Proceedings of the 5th International Conference on Information Systems Security and Privacy (ICISSP) (2019)

    Google Scholar 

  34. Xiong, W., Lagerström, R.: Threat modeling - a systematic literature review. Comput. Secur. 84, 53–69 (2019)

    Article  Google Scholar 

  35. Xiong, W., Lagerström, R.: Threat modeling of connected vehicles: a privacy analysis and extension of vehiclelang. In: International Conference on Cyber Incident Response, Coordination, Containment & Control (Cyber Incident). IEEE (2019)

    Google Scholar 

Download references

Acknowledgment

This work has received funding from Vinnova, the Swedish Innovation Agency, and the FFI program.

Author information

Authors and Affiliations

  1. School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, Stockholm, Sweden

    Wenjun Xiong, Fredrik Krantz & Robert Lagerström

Authors
  1. Wenjun Xiong
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fredrik Krantz
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Robert Lagerström
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Wenjun Xiong .

Editor information

Editors and Affiliations

  1. IIT-CNR, Pisa, Italy

    Paolo Mori

  2. Plymouth University, Plymouth, UK

    Steven Furnell

  3. MODESTE/ESEO, Angers Cedex 2, France

    Olivier Camp

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Xiong, W., Krantz, F., Lagerström, R. (2020). Threat Modeling and Attack Simulations of Connected Vehicles: Proof of Concept. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2019. Communications in Computer and Information Science, vol 1221. Springer, Cham. https://doi.org/10.1007/978-3-030-49443-8_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-49443-8_13

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-49442-1

  • Online ISBN: 978-3-030-49443-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation