Cyber Security Threat Modeling

1
1
THREAT
ASSESSMENT &
MODELING -
AUTOMOTIVE
Prepared by : Anish Cheriyan, Suresh
Sathiyakumar
Nirmal Suresh Pattassery
Contribution from: Lokesh Babu
Date : 4-September-2021

2
2
AGENDA
 Cyber Security Automotive Landscape
 Cyber Security Standard
 Lifecycle
 Threat Modeling
 Case Studies

3
3
Source: Automotive Cybersecurity Management System Audit
Automotive SYS, 11th May 2021

4
4
Software Security
Is Not Keeping
Pace with
Technology in the
Auto Industry
Source:
https://www.sae.org/binaries/content/assets
/cm/content/topics/cybersecurity/securing_t
he_modern_vehicle.pdf

5
5
TECHNOLOGIES POSE THE GREATEST CYBERSECURITY RISK
Source: https://www.sae.org/binaries/content/assets/cm/content/topics/cybersecurity/securing_the_modern_veh

6
6
CYBER–SECURITY STANDARD – ISO/SAE 21434
ISO 21434 specifies requirements for cybersecurity
risk management regarding engineering for concept, 2
development, production, operation, maintenance,
and decommissioning for road vehicle electrical and
electronic (E/E) 3 systems, including their components
and interfaces.
Formal Version is published on Aug 2021.

8
8
CYBER–SECURITY STANDARD
Cyber Security
Requirement Elicitation
Cyber Security
Implementation
Risk Treatment
Verification
Risk Treatment
Validation
• Derive Cyber security
goals based on the
threat modeling.
• Security Architecture &
Design
• Allocated CS
Requirements to
Design elements
• Identify appropriate CS
Controls.
• Define Interfaces &
Analyze Architectural
Design.
• Detailed down the CS
design.
• CS Coding Guidelines.
Establish the Bi-Directional Traceability & Consistency between CS Requirements and Goals.
• Cyber Security Verification
strategy, including
techniques like: Static &
Dynamic code analysis,
Network Tests & Brute force
simulating attacks.
Verification methods
including Security code
reviews and Test case
reviews etc.
• Cyber security test
specification, methods
include: BVA, Equivalence
classes, Error Guessing etc.
• Test the implementation of
the design and component
integration.
Note: Interpretation based on the “ASPICE for Cyber Security Yellow
page”
• Cyber Security Validation
Strategy, methods
including Penetration
Testing, Network Tests &
Brute force simulating
attacks.
• Cyber Security Test
execution.

9
9
CYBERSECURITY (CS) LIFECYCLE
Plan
CS
Requirement
Analysis
CS Design
CS
Implementatio
n
CS
Verification
Release &
Post Release
Support
 CS Relevance
Determination
 Equipment &
Infrastructure
 Cyber security
Interface
Agreement for
development
(CIAD)
 System Modeling
 List of Assets &
define CS goals
 Threat Modeling
(TARA, STRIDE)
 Testability Analysis
 Security
Requirement
 HW & SW CS
Architecture &
Design
 Vulnerability
Analysis
 CS Design
Guideline &
Review
 Commercial of the
Selves (COTS)
 Secure coding practices
 DevSecOps
 Testing [Security
Testing, SW & HW
Integration,
Component
Security]
 Risk Based Testing
[Code Review ,
PEN Testing,
FUZZ Testing]
 Release
 Product Security
Incident
Response Team
(PSIRT)
 Releasing
Security Fix
Patches
Implementation of Continuous integration and delivery pipeline.

10
10
DETERMINE CYBERSECURITY RELEVANCE

11
11
SYSTEM MODELING
Define the system from the Cybersecurity point of view to identify the scope of Threat Analysis & Risk Assessment (TARA)
Sequence

12
12
TYPICAL ATTACK SURFACE
Attack Surface Name
AS01 On Board Systems and Software
AS02 OTA Update Channel
AS03 Physical Ports (include USB, Diagonostic Port)
AS04 Automotive Ethernet Communication Channel
AS05
AV Sensors (such as LIDAR, RADAR, IMU, Wheel
Odometer)
AS06 Telematic Unit
AS07 CAN Bus
AS08 Wireless/Cellular Communication Channels

13
13
TYPICAL ATTACK TYPES
Sl No Attack Type
1 Adversarial attack on algorithms
2 Data exfiltration
3 Denial of Service
4 Disabling of sensors locally or remotely
5 Elevation of privilege to enable unauthorized control
6 Exfiltration of software modules and sensitive information
7 Gain access control to other modules
8 Gaining access/control through poor or misconfigurations
9 Gaining access/control through software vulnerabilities
10 Insider threat
11 Jamming (DoS) of Communication Channels
12 Jamming (DoS) of Signals
13 Malware infiltration and execution
14 side channel attack
15 Spoofing of CAN messages
16 Spoofing of communication
17 Spoofing of GPS Messages
18 Spoofing of packets
19 Spoofing of signals
20 Spoofing of software provider identity
21 Tampering of Data in Transit (MitM)
22 Tampering of Date at Rest
23 Tampering of hardware modules
24 Tampering of Software Functionalities
25 Tranduction attack (exploiting senor physics)

14
14
THREAT ANALYSIS & RISK ASSESSMENT (TARA)
Attack Goal
Attack
Objective
Attack Method 1)Attack Step
Assign Severity Attack Potential
Severity Risk Level
Attack Probability

17
17
CASE STUDY - 1
THREAT ANALYSIS AND RISK ASSESSMENT (TARA)

18
18
METHODS FOR THREAT ANALYSIS
• EVITA method comes from an
European research project EVITA (E-
Safety Vehicle Intrusion Protected
Applications).
• Thread identification uses attack
trees to identify generic threats;
threat classification means classify
the threat risk; and risk assessment
recommends actions based on the
resulting risk classification of the
threats.
• OCTAVE stands for Operationally
Critical Threat, Asset, and
Vulnerability Evaluation, which is a
process-driven threat/risk
assessment methodology.
• Microsoft STRIDE, TVRA.
• Common tools like Microsoft Threat
Modeling Tool.

19
19
CASE STUDY INFOTAINMENT
Step 1: Item Definition
• Complete analysis of the System, in
scope for the security analysis.
• Identify following information: item
boundary, function(use-cases) and
preliminary architecture
• Feature Scoping.
• Identify operational environment of the
item, constraints and compliance

20
20
Step 2: Identify the Asset:
Asset ID Asset Type Purpose
System
components
C I A
A10
Current Location
data
Data
The data related to the
current location of vehicle and
head unit.
Navigation, Wi-Fi,
Bluetooth
H M L
C – Confidentiality (Non-Repudiation)
I - Integrity (Authenticity)
A – Availability (Authorization)
Few Examples Scenarios Below from IVI domain
Something for which the compromise of its cybersecurity
properties can lead to damage to an item’s stakeholder

21
21
Step 3: Threat Modeling – Attack Tree

22
22
Step 3: Threat Modeling
AG10. Compromise integrity of location data of vehicle
3.1 Attack Goals Note:
Attack tree (denoted with Tag A*).
Attack Steps (denoted with Tag S*).

23
23
Step 4: Threat Analysis
AG10. Compromise integrity of location data of vehicle
No Attack goal Threat agent Motivation
AG10 Compromise integrity of location
data of vehicle
Individual attacker Gain personal advantage
To better understand the attacks, each attack goal should be identified with possible actors and motivations
in an effort to match threat agents and their intentions with particular attacks.

24
24
Identify Severity Vector and map S,P,O,F
Safety – Physically putting at risk or harming the driver and passengers of the
vehicle
Privacy – Identification and tracking of vehicles or individuals
Financial – Financial losses that may be experienced by individuals or ITS
operators.
Operational – Interference with vehicle systems and functions that do not impact
functional safety
Attack
Goal
Attack Objective Safety Privacy Financial Operational Severity
AG10 Disclose location history
data
0 3 3 0 3
Track location of HU 0 3 3 0 3
4* is the highest level and 0 is the lowest level

25
25
Attack Probability calculation
Factor Value Symbol Points
Preparation time
(1 point per week)
Less than 1 Day <1D 0
Less than 1 Week <1W 1
Less than 1 Month <1M 4
Less than 3 Months <3M 13
Less than 6 Months <6M 26
Over 6 Months >6M 100
Level of Expertise Layman script kiddie LSK 0
Competent attacker CA 2
Expert attacker EA 5
Level of knowledge Publicly available PA 0
Restricted info RI 1
Confidential info CI 4
Secret info SI 10
Opportunity window Permanent access PEA 0
Wide opportunity Wide 1
Moderate opportunity Mod 4
Small opportunity Small 12
No opportunity None 100
Equipment Standard equipment Std 0
Specialized equipment Spc 3
Dedicated equipment Ded 7
No availability None 100
Probability X = (Preparation_Time + Expertise +
Knowledge_of_System +
Opportunity_Window + Equipment)
Probability
X <= 9 5
10 <= X <= 13 4
14 <= X <= 19 3
20 <= X <= 24 2
25 <= X 1

26
26
Step 4 : Threat Analysis
Attack Probability calculation
ID Asset Attack (threats)
Prep.t
ime
Exper
tise
Inf
o.
Opportu
nity
Equipm
ent
eff
ort
Pr
ob
A10T
1
Physical tampering <1D CA RI Small Spc 18 3
S14T
1
Gain access to USB port <1W CA PA Small Spc 18 3
S3T1 Sniff Bluetooth packets <1D CA PA PEA Std 2 5
Attack
Goal
Attack Method Combined
Effort
Combined probability
AG10 Extract from device 18 3
Get runtime control of service 4 5
Extract Bluetooth device address 6 5
WIFI SSID 3 5
Extract location data from GPS 5 5

27
27
Step 5: Risk Assessment
Risk Calculation Attack Potential
Severity Level Potential = 1 Potential = 2 Potential = 3 Potential = 4 Potential = 5
Si = 0 No risk No risk No risk No risk No risk
Si = 1 R0 R0 R1 R2 R3
Si = 2 R0 R1 R2 R3 R4
Si = 3 R1 R2 R3 R4 R5
Si = 4 R2 R3 R4 R5 R6
ID Attack Objective Attack Method Severity probabilit
y
Risk
AG10 Disclose location history data 3 5
Extract from device 3 3
Get runtime control of service 5 5
Track location of HU 3 5
Extract Bluetooth device address 5 5
WIFI SSID 5 5
Extract location data from GPS 5 5

28
28
Step 6: Risk Treatment
Goal ID Cybersecurity Goal Security Control
SG8
Unauthorized access to Bluetooth interface should
be prevented.
Bluetooth security measures, Intrusion prevention system, Kernel Hardening,
User space hardening.
SG9
Unauthorized access to Wi-Fi interface should be
prevented.
Wi-Fi security measures, Intrusion prevention system, Kernel Hardening, User
space hardening, Network Firewall, Audits and Best Practices.
Attack
ID
Asset Attack (leaf) Prep. time
Expertis
e
Info.
Opportunit
y
Equipmen
t
effor
t
Prob Security
A10T1
Compromise integrity
of location data of
vehicle
<1D CA RI Small Spc 18 3 Countermeasures
Probability will be reduced by the Counter measures taken on the Security Risk.

29
29
CASE STUDY - 2
THREAT ANALYSIS AND RISK ASSESSMENT (TARA)

30
30
CASE STUDY TELEMATICS
 System analysis, Boundary analysis,
Feature scoping
 Define CS Scope
Gain access to phone number and Extracting valuable
data

31
31
Attack Goal
Attack
Objective
Attack Method 1)Attack Step
Assign Severity Attack Potential
Severity Risk Level
Attack Probability

32
32
Attack Objective Attack Goal Involved Assets Safety Privacy Financial Operational Severity
Gain access to phone number Extracting valuable data Private Data 0 3 2 0 3
 Impact in S, F, O, P categories cannot be compared and is to be
evaluated separately
 Pick MAX of (S, F, O, P) impact level for the damage scenario
impact rating
Attack Goal, Attack Objective & Security

33
33
Identify Method & Attack Step
Objective:
Gains access to phone
number
Severity-3
Assets: SIM Data
Method 1: Code
execution attack
Method 2: Install back door
SW update (Malicious) to
gain access to WIFI
Attack Step1 :
Read phone data from
memory (buffer
overruns -kernel)
Attack Step 2 :
Read phone data by
password cracking
(unauthorized access)
Sub Method
Launch Man in
middle OTA attack
Attack Step 2:
Read Microphone data &
get in vehicle audio file
Attack Goal:
Extracting valuable data
Attack Step 1 :
Exploit Kernel
Vulnerability/ Password
cracking to gain access

34
34
“Read phone data by password
cracking (unauthorized access)”
Elapsed Time: 0
Expertise: 3
Knowledge of system: 3
Window of Opportunity: 1
Equipment: 4
“Attack Potential” is 11 (SUM of the above)
Attack Potential

35
35
Objective:
Gain access to phone number
Severity-3
Assets: SIM Data
Method 1: Code
execution attack
Attack Potential: 11
gain access to WIFI
Attack Step1 :
memory (buffer
overruns -kernel)
Attack Step 2 :
Read phone data by
password cracking
Sub Method
Launch Man in middle
OTA attack
Attack Step 2:
Attack Goal:
Attack Step 1:
Exploit Kernel
Or
And
Assign Attack Potential
The potential of a node whose children are AND’ed =
MAX(children)

36
36
Objective:
Severity-3
Assets: SIM Data
Method 1: Code
execution attack
gain access to WIFI
Attack Step1 :
memory (buffer
overruns -kernel)
Attack Step 2 :
Read phone data by
password cracking
Sub Method
OTA attack
Attack Step 2:
Attack Goal:
Attack Step 1:
Exploit Kernel
Or
And
A3
A4 A3
A4
A3
A4
Derive Attack Probability
A3
CASE STUDY – TELEMATICS

37
37
Objective:
Severity-3
Assets: SIM Data
Method 1: Code
execution attack
gain access to WIFI
Attack Step1 :
memory (buffer overruns -
kernel)
Attack Step 2 :
Read phone data by
password cracking
Sub Method
OTA attack
Attack Step:
Attack Goal:
Attack Step :
Exploit Kernel
Or
And
A3
A4 A3
A4
A3
A4
A3
Derive Security Risk Level
R4
R3
R4 R3
R3
R4
R3

38
38
Objective Method Sub Method Attack Step
Security Risk
Level
Gain access
to phone
number
Code execution attack
Read phone data by password cracking (unauthorized
access)
R4
Read phone data from memory (buffer overruns -kernel) R3
Install back door SW
update (Malicious) to
gain access to WIFI
Exploit Kernel Vulnerability/ Password cracking to gain
access
R4
Launch Man in middle OTA
attack
Read Microphone data & get in vehicle audio file R3
Derive Counter Measure

Cyber Security Threat Modeling

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Cyber Security Threat Modeling

Ähnlich wie Cyber Security Threat Modeling (20)

Mehr von Dr. Anish Cheriyan (PhD)

Mehr von Dr. Anish Cheriyan (PhD) (16)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Cyber Security Threat Modeling

Hinweis der Redaktion