http://dx.doi.org/10.3745/KTSDE.2020.9.12.387

A Methodology for Integrating Security into the Automotive Development Process  

Jeong, Seungyeon (Department of Automotive Convergence, Korea University)
Kang, Sooyoung (Department of Information Security, Korea University)
Kim, Seungjoo (Department of Cyber Defense / Graduate School of Information Security, Korea University)
Publication Information
KIPS Transactions on Software and Data Engineering, Vol. 9, No. 12, 2020, pp. 387-402
Abstract
Conventional automotive development has mainly focused on ensuring correctness and safety, while security has been relatively neglected. However, as the number of automotive hacking cases has increased with the growing Internet connectivity of automobiles, international organizations such as the United Nations Economic Commission for Europe (UNECE) are preparing cybersecurity regulations to ensure security in automotive development. As with other IT products, automotive cybersecurity regulations also emphasize the concept of "Security by Design", which considers security from the beginning of development. In particular, because automotive development has a long lifecycle and a complex supply chain, it is very difficult to change the architecture after development, so Security by Design is far more important than for existing IT products. The problem, however, is that no specific methodology for Security by Design has been proposed for the automotive development process. This paper therefore proposes a specific methodology for Security by Design in automotive development. Through this methodology, automotive manufacturers can consider functional safety and security together in the automotive development process, and will also be able to respond to the upcoming certification under the UNECE automotive cybersecurity regulations.
Keywords
Automotive Development; Evidence-based Standards; Secure SDLC; UNECE Cybersecurity Regulation;