A Study on Threat Analysis and Risk Assessment Based on the “Asset Container” Method and CWSS
In recent years, legislation and standardization of cyber security management for cyber-physical systems such as automotive systems have been progressing steadily. ISO/SAE 21434, published in 2021, addresses the management and analysis of electrical systems within road vehicles from a cybersecurity...
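Main Authors: | Yasuyuki Kawanishi, Hideaki Nishihara, Hirotaka Yoshida, Hideki Yamamoto, Hiroyuki Inoue |
---|---|
Format: | Article |
Language: | English |
Published: | IEEE 2023-01-01 |
Series: | IEEE Access |
Subjects: | In-vehicle security, security design, risk analysis, TARA, ISO/SAE 21434, CWSS |
Online Access: | https://ieeexplore.ieee.org/document/10049108/ |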
_version_ | 1797894971787837440 |
---|---|
author | Yasuyuki Kawanishi, Hideaki Nishihara, Hirotaka Yoshida, Hideki Yamamoto, Hiroyuki Inoue |
author_sort | Yasuyuki Kawanishi |
collection | DOAJ |
description | In recent years, legislation and standardization of cyber security management for cyber-physical systems such as automotive systems have been progressing steadily. ISO/SAE 21434, published in 2021, addresses the management and analysis of electrical systems within road vehicles from a cybersecurity perspective. It also recommends some methods for the threat analysis and risk assessment (TARA) process. However, there are two problems in the evaluation methods derived from conventional security analysis approaches. One problem is related to the insufficient evaluation of attack feasibilities for cyber-physical systems by the CVSS-based approach. Another problem is the unclear relationship between damage factors in analyzing the impact of damage to each asset. In this paper, we focus on the TARA process, and apply an “asset container” method for threat classification, proposed by the authors at DECSoS 2017, and a CWSS-based risk quantification method. Moreover, we can also add some perspective to improve risk evaluation suitable for automotive systems. Following our past studies on methodologies to evaluate the risk of such special cyber-physical systems, we can quantify risks limited to some cyber-physical systems, such as direct access attacks to in-vehicle networks. |
first_indexed | 2024-04-10T07:19:03Z |
format | Article |
id | doaj.art-e9d4b4f9d67e4220bd761ca3d07dd032 |
institution | Directory Open Access Journal |
issn | 2169-3536 |
language | English |
last_indexed | 2024-04-10T07:19:03Z |
publishDate | 2023-01-01 |
publisher | IEEE |
record_format | Article |
series | IEEE Access |
spelling | doaj.art-e9d4b4f9d67e4220bd761ca3d07dd032; 2023-02-25T00:00:37Z; eng; IEEE; IEEE Access; 2169-3536; 2023-01-01; 11; 18148; 18156; 10.1109/ACCESS.2023.3246497; 10049108; A Study on Threat Analysis and Risk Assessment Based on the “Asset Container” Method and CWSS; Yasuyuki Kawanishi (0, https://orcid.org/0000-0003-1499-7115); Hideaki Nishihara (1, https://orcid.org/0000-0002-1604-2075); Hirotaka Yoshida (2); Hideki Yamamoto (3); Hiroyuki Inoue (4, https://orcid.org/0000-0003-4308-9343); Cyber-Security Research and Development Office, Research and Development Unit, Sumitomo Electric Industries Ltd, Osaka, Japan; SEI-AIST Cyber Security Cooperative Research Laboratory, Cyber Physical Security Research Center, National Institute of Advanced Industrial Science and Technology (AIST), Osaka, Japan; SEI-AIST Cyber Security Cooperative Research Laboratory, Cyber Physical Security Research Center, National Institute of Advanced Industrial Science and Technology (AIST), Osaka, Japan; Cyber-Security Research and Development Office, Research and Development Unit, Sumitomo Electric Industries Ltd, Osaka, Japan; SEI-AIST Cyber Security Cooperative Research Laboratory, Cyber Physical Security Research Center, National Institute of Advanced Industrial Science and Technology (AIST), Osaka, Japan; https://ieeexplore.ieee.org/document/10049108/; In-vehicle security; security design; risk analysis; TARA; ISO/SAE 21434; CWSS |
title | A Study on Threat Analysis and Risk Assessment Based on the “Asset Container” Method and CWSS |
topic | In-vehicle security; security design; risk analysis; TARA; ISO/SAE 21434; CWSS |
url | https://ieeexplore.ieee.org/document/10049108/ |