ABSTRACT
The increasing use of software and connectivity in modern vehicles has made cybersecurity an important issue in the automotive industry. ISO 21434 is a standard for automotive cybersecurity engineering that provides guidelines for the development and validation of secure automotive systems. For effective implementation and practical use of ISO 21434, it must be incorporated into existing automotive industry development workflows.
In this paper, we investigate the practical applicability of ISO 21434 in the context of the Security Abstraction Model (SAM), a security modeling approach for the domain-specific modeling language EAST-ADL, and provide insights into the benefits and consequences of this approach. We describe the methodological opportunities of integrating ISO 21434 into SAM and present a case study illustrating the application of this integrated approach in the development of a secure automotive system. Our results suggest that integrating ISO 21434 into SAM better supports automotive system security in the early development phases and makes it transparent to a wide range of stakeholders. At the same time, it becomes clear that representing the interrelationships as a metamodel, in contrast to ISO 21434, where they are only described textually, significantly improves conceptual understanding and ultimately enables pragmatic usability in industrial development.
Index Terms
- Automotive Software Security Engineering based on the ISO 21434