http://dx.doi.org/10.12815/kits.2019.18.2.144

Deriving Essential Security Requirements of IVN through Case Analysis  

Song, Yun keun (Cyber Security Division, ESCRYPT)
Woo, Samuel (Electronics and Telecommunications Research Institute(ETRI))
Lee, Jungho (Korea Information Certificate Authority Inc.(KICA))
Lee, You sik (Cyber Security Division, ESCRYPT)
Publication Information
The Journal of The Korea Institute of Intelligent Transport Systems / v.18, no.2, 2019, pp. 144-155
Abstract
One of the issues in the automotive industry today is the autonomous vehicle. To achieve level 3 or higher as defined by SAE International, autonomous driving technology and connected technology must be harmonized. Current vehicles have new features such as autonomous driving, which increase not only the number of electrical components but also the amount and complexity of software. As a result, the attack surface, which is the access point for attacks, is widening, and software security vulnerabilities are also increasing. However, the essential security requirements for vehicles have not been defined. In this paper, based on real attack and vulnerability cases and trends, we identify the assets in the in-vehicle network and derive the threats. We also define security requirements and, through risk analysis, derive the essential security requirements that should be applied, at a minimum, for the safety of vehicle occupants.
Keywords
Risk analysis; In-vehicle network; Security requirements; Connected vehicle