Article

A Connected and Autonomous Vehicle Reference Architecture for Attack Surface Analysis

Warwick Manufacturing Group, University of Warwick, Coventry CV4 7AL, UK
* Author to whom correspondence should be addressed.
Appl. Sci. 2019, 9(23), 5101; https://doi.org/10.3390/app9235101
Received: 28 August 2019 / Revised: 6 November 2019 / Accepted: 14 November 2019 / Published: 25 November 2019

Featured Application

The reference architecture presented has to be instantiated with different systems that are then used to analyse the attack surface of those components.

Abstract

Connected autonomous vehicles (CAVs) will be deployed over the next decade with autonomous functionalities supported by new sensory and communication capabilities. Such functionality exposes CAVs to new attacks that current vehicles will not encounter. To ensure the safety and security of CAVs, it is important to be able to identify the ways in which the vehicle could be attacked and to build defences against these attacks. One possible approach is to use reference architectures to perform an attack surface analysis. Existing research has developed a variety of reference architectures but none for the specific purpose of attack surface analysis. Existing approaches are either too simple for sufficiently detailed modelling or require too many details to be specified to easily analyse a CAV’s attack surface. Consequently, we propose a reference architecture using a hybrid Functional-Communication viewpoint for attack surface analysis of CAVs, including the Devices, Edge and Cloud systems CAVs interact with. Using two case studies, we demonstrate how attack trees can be used to understand the attack surface of CAV systems.

1. Introduction

In recent years, interest in deploying connected autonomous vehicles (CAVs) on real road networks has been increasing [1]. In order to enable the applications that depend on connectivity [2] and autonomy [3], vehicle computer systems are becoming more complex, and the number of ways by which vehicles can communicate with other devices, each other, nearby Edge infrastructure and the Cloud is increasing. Such changes in complexity [4], connectivity and levels of autonomy mean that there are more ways in which a CAV can be attacked [5] and a successful breach has more impact.
Due to the safety ramifications, it is important to protect the security of vehicles and the systems they rely on. Security breaches could lead to vehicle theft, privacy leaks or, in the worst case, injury or death of occupants. Analysing the security threats in isolation is insufficient since vulnerabilities may be, and often are, exploited in combination to lead to escalated threats with the potential for greater harm.
Reference architectures can be used to help understand and analyse complex systems, specifying the entire system and its interactions. In addition to being a useful tool for analysis, a reference architecture can be used to help in performing attack surface analysis, for example, as part of the system level analysis and design in SAE J3061 (figure 7) [6]. By using output from a threat model, the identified objectives, resources, capabilities, motives and presence of an attacker can be used in a reference architecture to help understand how an attack could be executed. However, a problem with using existing reference architectures for attack surface description and analysis is that they are often either lacking important details [7] needed to derive certain types of attacks, or too complex [8] for vehicle manufacturers and CAV system designers to feasibly use (which will be elaborated on in Section 2.1 and Section 2.2). This article addresses these issues by proposing a hybrid Functional-Communication viewpoint reference architecture for attack surface analysis. This reference architecture aims to balance the complexity-completeness trade-off, such that the model is sufficiently complex to model a wide range of interactions but remains simple enough to use in practice.
While many of the attacks against traditional vehicles could be modelled using this reference architecture, we target L3–L5 autonomous vehicles (which are described in Table 1). These are the new and emerging autonomous vehicles that are beginning to be deployed, and which will encounter new threats compared to L0–L2 vehicles [9]. These new threats may attempt to manipulate input sensor data [10] in order to affect how and where an autonomous vehicle drives, or may simply try to remotely take control of the vehicle’s functions [11]. There is the potential for these attacks (and others [12]) to have a larger impact due to the potential of leading to unsafe conditions for vehicle occupants and pedestrians [13]. As the way in which vehicles are designed and operated is changing at a rapid pace, this reference architecture aims to focus on the next 10 years [14] of autonomous vehicles and to be flexible enough to accommodate future changes.
To demonstrate the effectiveness of using this reference architecture to perform attack surface analysis, we instantiate it with two different case studies. Using the interactions between components in the reference architecture and goals identified from a threat model, attack surfaces are derived. Performing the threat modelling to identify attacker goals, motives, capabilities and resources is out of the scope of this paper, as the attack surface defines how these goals can be reached but does not aim to specify what these goals are. There are many threat modelling approaches [6,15,16,17,18] that can be used as input to the reference architecture. In the first example of valet parking, the attacks against a vehicle parking itself in an autonomous vehicle car park are investigated. In the second example, a real world attack against Tesla vehicles is used to highlight the need to consider the Edge infrastructure in the security of CAVs.
We make the following contributions in this paper:
  • A reference architecture made up of 4 sub-architectures: CAVs, Devices & Peripherals, the Edge and the Cloud, formed of a hybrid Functional and Communication viewpoint.
  • A methodology to use the reference architecture to synthesise the attack surface in the form of attack trees.
  • Two case studies to demonstrate the application of attack surface and attack tree analysis in deepening the security knowledge of the system.
The remainder of this article is organised as follows. In Section 2 we present relevant related work, including an examination of existing vehicular reference architectures. Section 3 describes our proposed reference architecture, its components and relevant attack surfaces, and Section 4 describes the methodology for using the attack surface, including using attack trees as a method of performing the analysis. In Section 5 two case studies of example applications are presented as instantiations of our reference architecture. The impact of the reference architecture is discussed in Section 6 and future work is presented in Section 7, before the paper concludes with Section 8.

2. Related Work

There has been much work conducted on analysing the threats that an autonomous vehicle will face [7,11,21,22,23]. The issue with existing work on threat analysis is that it does not consider a comprehensive range of components (i.e., CAV, devices, Edge, Cloud) that form the potential CAV operational contexts. This means that threats which use a combination of attacks against different components in specific orders can be missed. Reference architectures have been developed to aid in the design of systems and services for autonomous vehicles but have seldom been used to provide a wider view of composite threats. Those reference architectures that do exist can suffer from being too general, or insufficiently detailed, for attack surface analysis. When too broad, they require specifying less pertinent details as part of the model, which detracts from performing an attack surface analysis. When insufficiently detailed, there are threats that cannot be analysed using the reference architecture. The remainder of this section will present related work on reference architectures used to model autonomous vehicle systems.

2.1. Reference Architectures

In order to better analyse how a system is structured, reference architectures are used as an abstract way of specifying a system. A reference architecture is an approach to model a system and provide a uniform and standardised way to describe that system. This common model should be created such that it is able to describe a broad range of scenarios in which the system can be used. Reference architectures allow a system to be modularised into components, and the interfaces between these components to be defined. These features can be used to support system development in a scalable way (e.g., by multiple organisations [24]) and also facilitate testing of the system.
This paper will develop a reference architecture specifically to support attack surface identification and analysis in CAVs. We will present the reference architecture in the next section but first provide an overview of existing reference architectures. This related work guides our own development and assists us in identifying the shortcomings of existing schemes that are discussed in the next section.
A common feature of reference architectures is to decompose the system they are modelling into multiple viewpoints and then specify those viewpoints in detail. There are several different viewpoints that reference architectures can present, including:
  • Functional: how the components work and what their tasks are
  • Communication: how the components interact
  • Implementation: how the components are implemented
  • Enterprise: the relation between organisations and users
  • Usage: concerns of the expected usage of the system
  • Information: the types of information operated on by the system [25]
  • Physical: the physical objects in the system and their connections.
Of these viewpoints, the Functional, Communication and Implementation tend to be the most common, as they cover what the system is and how the system interacts with itself and other systems. When developing a reference architecture, it is important to develop only the viewpoints required to describe the system, to prevent a user of the reference architecture needing to provide additional unnecessary information.

2.1.1. Non-CAV Reference Architectures

Before reviewing the existing CAV reference architectures it is useful to examine reference architectures from different fields. In doing so they raise interesting findings about ways in which CAV reference architectures can be improved.
A common architectural framework for the development of interoperable industrial internet systems was presented in Reference [26]. The Industrial Internet Reference Architecture (IIRA) is divided into four viewpoints: Business, Usage, Functional and Implementation. The last two viewpoints are of utmost importance in the identification of a system’s threats and vulnerabilities, as they are concerned with a system’s functional requirements, interdependencies and technology implementations. The IIRA also describes a system’s business objectives and expected usage, both of which go beyond the scope of a reference architecture for attack surface analysis.
A Smart Grid Reference Architecture was developed in Reference [27] which utilises Business, Functional, Information and Communication viewpoints. Explicit considerations of information security are included (i.e., confidentiality, privilege escalation), although the methodology of how to perform a security analysis of the system is not described. The systems described are complex and include many application details, including the scenario a component is operating in and which actors the component is involved with. From a security analysis perspective the reference architecture could be simplified (e.g., by removing business cases) to reduce the scope in which cyber security needs to be considered. This means that although the reference architecture states that it is useful for a cyber security analysis, because it describes aspects of a Smart Grid that have no cyber security considerations, performing a cyber security analysis is difficult. The conclusion from this is that reference architectures for cyber security analysis should focus on the aspects of the system for which cyber security is relevant.

2.1.2. CAV and ITS Reference Architectures

A functional reference architecture for autonomous driving was introduced in Reference [28], which provided a foundation for considering the functionality of an autonomous vehicle independent of its implementation. There are close relations between functional safety and security evaluation in the automotive domain. The functional safety analysis relies on information taken from hazard identification, which can be affected by security aspects such as the communication between the components or access to assets. On the other hand, the measures implemented to address functional safety can determine the security level of the system. As a result, there are certain attempts to integrate security into (functional) safety analysis in CAVs, such as SAE J3061 [6]. However, there is insufficient detail on CAV interactions to support using this model for an attack surface analysis. This is because the approach focuses on the vehicle only and does not consider interactions with RSUs, other vehicles, the Internet and other devices.
In Reference [7] a security-focused risk assessment was performed for autonomous driving (AD). To achieve this the authors defined a system architecture by synthesising multiple academic and industrial AD resources to cover most AD use cases. The model was instantiated for different selected applications of interest and a risk assessment of the identified threats was performed. The authors note that their work does not seek to perform an exhaustive specification of threats but to provide ways to specify the system to assist in deriving the threats. The reference architecture and the analysis performed on it in their work is similar to this paper; however, we argue that certain details are missing from their model which prevents a sufficiently in-depth analysis of the attack surface.
A reference architecture for ITS infrastructure that highlights the work and organisational aspects of the system was presented in Reference [29]. While the paper does not discuss security considerations of an ITS system, the organisational aspects highlight certain areas of contact which are of interest from a security perspective. One issue that was highlighted was that heterogeneous systems had trouble interacting due to different implementations by different suppliers. An adaptor was required to allow these systems to interact, which would be a component of the attack surface. The reference architecture raises the importance of service collaboration; for example, parking and guidance services will need to cooperate to ensure a car is not directed to a full car park. The interactions between these services will also form part of the attack surface.
A detailed and comprehensive reference architecture for cooperative and intelligent transport was developed in Reference [8]. There are three components to this architecture: (i) Architecture Reference for Cooperative and Intelligent Transportation (ARC-IT), (ii) Regional Architecture Development for Intelligent Transportation (RAD-IT) and (iii) Systems Engineering Tool for Intelligent Transportation (SET-IT). RAD-IT focuses on tools for regional ITS architectures and SET-IT focuses on assisting in developing “architectures for pilots, test beds and early deployments”. The key component is ARC-IT as it is used to specify a Functional viewpoint [30] and a Communication viewpoint [31]. The architecture is designed to be comprehensive, which is a benefit as the architecture can be used to specify interactions in detail. However, the additional detail adds complexity that makes the tool harder to use. There is a need for a simpler model that can be easily analysed.
The CARMA project [32], which aims to examine the distribution of the autonomous control functions throughout an ITS, defines a three tiered architecture in terms of the CARMA CORE, CARMA EDGE and VEHICLE. The CARMA CORE layer acts in a supervisory role over the distributed vehicle control functions (such as mission planning of an end-to-end vehicle trip). The majority of mid-level controls, such as improving the calculation of reference signals for vehicle control, are implemented in the CARMA EDGE. However, some of these mid-level controls are implemented in the VEHICLE layer. The CARMA system presents a model of a complex autonomous system that introduces a number of security concerns and challenges [33]. A reference architecture might be used to achieve an understanding of the attack surface, thereby allowing a more holistic threat assessment.
ITS reference architectures have also been developed for other regions, such as Holland [34], the USA [35] and Europe [36]. However, these architectures suffer from the same issues that ARC-IT does: they are intended to be very general and cover a wide range of considerations of intelligent transport systems. This lack of focus reduces their usability for undertaking an attack surface analysis.

2.2. Requirements for Attack Surface Analysis

The existing reference architectures for CAVs variously consider analysis (of attacks and of risk), viewpoints or features (autonomous vehicles, devices, edge and cloud). The reason that these architectures have different characteristics is that they serve different purposes. When analysing an attack surface, not all of the characteristics are required; in fact some are undesirable, as they may be too detailed and complex and, as such, are not effective for the easy identification of the surface and associated threats. To be most effective, a reference architecture needs to have the essential properties and no more. For example, Reference [8] considers the widest range of viewpoints but this can hamper the security analysis. One example of this is that the information flow of a system is described in the Physical Viewpoint using entities from the Enterprise View. These information flows are also described in the Communications viewpoint. This repetition is helpful for system design within a single viewpoint but not for security analysis across multiple viewpoints; a more focused reference architecture can simplify the process of performing a cyber security attack surface analysis.
The minimal viewpoints required for a cyber security attack surface analysis are Functional and Communications, as there is a requirement for knowledge of what a system does and how it interacts. This allows the actions an adversary can perform, and how an adversary’s interaction with the system can produce an attack, to be determined. Other viewpoints are necessary for other systems; for example, the Physical viewpoint is required to investigate cyber-physical attacks. Other viewpoints, such as the Implementation viewpoint, are important to analyse attacks against specific systems. But to perform a more general attack surface analysis, the Functional viewpoint is sufficient. Other viewpoints (e.g., Enterprise and Usage) are useful in considering other types of security such as security management. Therefore, the Functional and Communication viewpoints can be focused on when performing a cyber security attack surface analysis.
A comparison of the existing and proposed reference architectures is provided in Table 2. Features that a reference architecture includes, and features that it does not include, are each marked with a distinct symbol in the table; the following features are shown: (i) the purpose of the reference architecture (Analysis), (ii) the viewpoints used (Viewpoints) and (iii) the scopes the reference architectures consider (Considers). Our work partially considers the Implementation viewpoint, as it can be implemented as a virtual component, and is thus marked with a ~. Some of the existing reference architectures fail to focus upon the wide range of interactions that a CAV could be involved with. Most reference architectures contain Edge devices such as RSUs but do not consider the wider range of interactions between CAVs, Devices & Peripherals, the Edge and the Cloud. Without considering all of these interactions, it will be impossible to analyse many current and emerging attacks, so a new reference architecture needs to specify these interactions.

2.3. Summary

There are many risks that have been identified for CAVs and there have been several reference architectures developed to understand the attack surface of CAVs. However, these reference architectures tend either to be too broad and consider aspects of an ITS that do not need to be specified when considering the attack surface of CAVs, or to lack sufficient detail to analyse certain types of threats. In the next section we will present a reference architecture formed of a hybrid functional-communication viewpoint to address the lack of reference architectures that balance ease of use with being sufficiently detailed.

3. A CAV Reference Architecture: Components and Related Attack Surfaces

The reference architecture presented in this work uses the Functional and Communications viewpoints combined into a single hybrid viewpoint. These represent the minimal two viewpoints needed, as a threat agent would need to know what the CAV does and how the CAV can be interacted with in order to attack it. However, the Implementation is also an important viewpoint (as will be shown in Section 5), because a threat actor can take advantage of vulnerabilities in the implementation of a component. To resolve this in our reference architecture, the implementation can be considered as part of a functional component or as a virtual functional component that exists and interacts with other components. Significant virtual items that might exist include the Operating System and the hardware that the software is executing on (e.g., Electronic Control Units (ECUs)). The users of the system are considered when defining the scenarios of interest in which the reference architecture will be instantiated with concrete components. Finally, how users and organisations interact may lead to security issues (e.g., resetting a password), but as these threats do not specifically relate to CAVs they are out of the scope of this paper.
The four sub-architectures that are presented were designed by identifying key components within CAVs and the ways in which they will interact. The sub-architectures for CAVs and Devices & Peripherals are presented in Figure 1. The two sub-architectures for the Edge and the Cloud are shown in Figure 2 and Figure 3 respectively. These architectures are composed of various abstract components which need to be instantiated with concrete realisations to undertake an analysis of the architecture. For example, the Devices component could be instantiated with GPS, LIDAR, tire pressure and temperature sensors. These components must be instantiated with the concrete implementations that are required for a specific application. When analysing different applications, the reference architecture will be instantiated with a different set of components.

3.1. CAV Reference Architecture

The first of three reference sub-architectures is shown in Figure 1; it specifies the abstract components of CAVs and the devices & peripherals that interact with the CAV. Some components are not included in the diagram as they are implementation details: for example, how the components communicate (internal communications, usually via the Controller Area Network (CAN)), how the components are implemented (usually as an ECU) or what operating system is used. These components are important to consider when analysing attacks but they do not form the high level functionality of the system. For example, the telematics control unit studied in Reference [22] contains multiple functional components in a single physical component. The remainder of this section describes the components present in the architecture.

3.1.1. Communications

Cars are now, or are expected to be, equipped with multiple antennas in order to communicate across different wireless protocols. This includes antennas for (i) receiving audio over AM, FM or DAB radio, (ii) receiving and transmitting IEEE 802.11 WiFi, (iii) bidirectional V2X communication over IEEE 802.11p and (iv) bidirectional cellular communication (such as 4G). It may also be the case that Internet of Things (IoT) technologies such as IEEE 802.15.4 or ZigBee are included to enable interoperability with IoT networks. Many of the systems in the CAV will interact with the communications owing to the need to coordinate with nearby vehicles or to provide services to the vehicle’s users. As communications are the primary way in which vehicles will exchange information, they will be the avenue through which most attacks are launched. These attacks may try to compromise or interfere with the way in which packets are communicated, or compromise the hardware by which the packets are forwarded.
Example Attacks
• DoS V2X communications [37]
• Eavesdrop
• Replay
• MiTM Intercept
• Incorrect handling of malicious packets (e.g., DROP [38]) leading to RCE
• Context information leakage (e.g., location, identity [39])
• Sybil Attacks [40]
• Colluding to defeat consensus protocols [41]
• Wormhole (Relay) Attack [42]

3.1.2. Physical Inputs and Outputs

Physical inputs and outputs that are contained within a vehicle include ports such as USB, OBD-II, audio connections and others. Exploiting these ports is typically harder for an attacker as they would usually require physical access to the vehicle; however, due to the presence of additional devices that connect to these ports, there are means by which attacks can be performed via a remote channel.
With the presence of a USB port (depending on the protocol with which the hardware interprets the data), there is the possibility for an adversary to gain access to the vehicle’s internal network [43]. Malicious USB sticks could be given out to users, loaded with music or videos available for free, with the intention of their being plugged into the vehicle. Once plugged in, malware could attempt to access the vehicle’s internal CAN bus. A different approach is to fool users into connecting a device that resembles a USB stick but can repeatedly deliver a high voltage discharge that would destroy a vehicle’s interior radio [44].
Example Attacks
• Cause electrical damage [44]
• Install malicious software (e.g., via firmware updates on CDs or USB sticks) [11]

3.1.3. Internal Communications (Virtual)

As well as a communication system that allows a CAV to communicate with external devices (such as RSUs or 3rd party vehicles), vehicles also have an internal communication system such as a CAN bus. This is used to connect the multiple components that form an implementation of the functionalities specified in the design. This communication network is not explicitly specified as a component, as it is implicit in the components interacting. Vehicles may also use a different internal network (such as Ethernet) in the future, and by under-specifying this implementation detail the reference architecture is more generic.
Example Attacks
• Send crafted packets [11,43,45,46]
• What [45]
• Eavesdrop [45]
Attacking the internal communication network may be performed by a direct connection to it, for example, via an OBD-II port. Alternatively, an attacker can gain access to the internal network via vulnerabilities in the components that connect to it. Once these components are compromised an attacker will have access to eavesdrop on messages sent [45] or the ability to inject malicious messages [43,45,46]. With access to the internal network of a vehicle many functional aspects of the vehicle can be controlled, including: the radio, instrument panel, the vehicle’s body, engine, brakes, HVAC and others [21]. A solution to these issues is to use encryption and authentication of messages [47]; however, vehicles currently on the road act as if the CAN bus is a walled garden and do not attempt to encrypt or authenticate messages sent on the bus.

3.1.4. Sensors (Internal and External)

Sensors are a key component of CAV systems. The vehicles will rely on their input to build a model of the world. Example sensors include: (i) Global Navigation Satellite System (GNSS) to be aware of a vehicle’s position, (ii) wheel rotation sensors to be aware of velocity, (iii) LIDAR to be aware of the relative position of other vehicles, (iv) parking cameras to assist drivers, and a variety of other sensors such as temperature, humidity and light. Sensors could also passively observe data about the occupants of the vehicle. The sensors are a way for the vehicle to obtain the state of the environment around it; if that data can be maliciously manipulated, then the vehicle could make incorrect decisions based on the manipulated data. Alternatively, an adversary may attempt to prevent the vehicle being able to use certain sensors, such as by jamming GNSS signals or producing too much LIDAR interference for the data to be useful [10]. Another approach may be for an adversary to place additional sensors on the vehicle exterior or to subject the sensors to physical manipulation.
In certain systems, the vehicle’s sensors may wirelessly communicate their data to the vehicle (such as when monitoring tire pressure [48]). Most sensors are expected to be hardwired to the system due to high reliability requirements. Wireless sensors pose a greater security threat as there is a larger attack surface for an adversary to take advantage of. For example, the Tire Pressure Monitoring System (TPMS) leaks identity information about the vehicle by including unencrypted identifiers in the packets it sends. Due to the lack of authentication and validation, the system is also weak against spoofing and replay attacks, where the vehicle could easily be fooled into believing a tire is flat even if it is not.
Example Attacks
• Induce misleading readings (Spoof, Replay, Delay) [10]
• Blind, Jam [10]
• Tamper (Disable, Replace)
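Both the internal network discussion above (unauthenticated CAN messages, with message authentication suggested as the remedy [47]) and the TPMS example (unauthenticated wireless sensor packets open to spoofing and replay) point at the same defensive building block: a per-frame authentication tag plus a freshness counter. The following Python is an added illustration written for this page, not code from the paper or from any of the cited works. It assumes a constructed shared key, a constructed CAN ID standing in for a sensor message, and the classic 8-byte CAN payload, which forces the tag to be truncated to 2 bytes in this layout.

```python
import hmac
import hashlib
import struct

# Constructed example key; a real deployment provisions one per ECU or sensor
# (ideally held in a hardware security module), never a literal like this.
SHARED_KEY = b"constructed-example-key"

# Classic CAN carries at most 8 payload bytes, so the frame is laid out as
# 2 bytes freshness counter | 4 bytes sensor data | 2 bytes truncated HMAC tag.
COUNTER_LEN, DATA_LEN, TAG_LEN = 2, 4, 2


def _tag(key, can_id, body):
    """Truncated HMAC-SHA256 over the CAN ID and the body (counter + data)."""
    msg = struct.pack(">I", can_id) + body
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(can_id, data, counter, key=SHARED_KEY):
    """Sender side: pack the counter and data, then append the authentication tag."""
    if len(data) != DATA_LEN:
        raise ValueError("data must be exactly %d bytes" % DATA_LEN)
    if not 0 <= counter < 2 ** (8 * COUNTER_LEN):
        raise ValueError("counter out of range")
    body = struct.pack(">H", counter) + data
    return body + _tag(key, can_id, body)


class Receiver:
    """Receiver side: verifies the tag and enforces a strictly increasing counter per CAN ID."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_counter = {}

    def accept(self, can_id, payload):
        """Return (accepted, reason, data). Rejects forged, tampered and replayed frames."""
        if len(payload) != COUNTER_LEN + DATA_LEN + TAG_LEN:
            return False, "bad length", None
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(tag, _tag(self.key, can_id, body)):
            return False, "bad tag", None
        counter = struct.unpack(">H", body[:COUNTER_LEN])[0]
        if counter <= self.last_counter.get(can_id, -1):
            return False, "replay", None
        self.last_counter[can_id] = counter
        return True, "ok", body[COUNTER_LEN:]


def demo():
    """Walk a genuine frame, a replay of it, a tampered copy and a forgery through one receiver."""
    tpms_id = 0x3A1  # constructed CAN ID standing in for a TPMS-style pressure message
    rx = Receiver()
    results = {}
    genuine = build_frame(tpms_id, b"\x00\x00\x00\xe6", counter=1)  # constructed reading
    results["genuine"] = rx.accept(tpms_id, genuine)[:2]
    results["replay"] = rx.accept(tpms_id, genuine)[:2]  # same bytes again: counter not fresh
    tampered = bytearray(genuine)
    tampered[COUNTER_LEN + DATA_LEN - 1] = 0x00  # rewrite the pressure byte to "flat tyre"
    results["tampered"] = rx.accept(tpms_id, bytes(tampered))[:2]
    forged = build_frame(tpms_id, b"\x00\x00\x00\x00", counter=2, key=b"wrong-key")
    results["forged"] = rx.accept(tpms_id, forged)[:2]
    results["next"] = rx.accept(tpms_id, build_frame(tpms_id, b"\x00\x00\x00\xe5", counter=2))[:2]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The 2-byte tag is a consequence of the classic CAN payload limit, and a 16-bit tag only bounds blind forgery at one in 65,536 per attempt; CAN FD's larger payload allows full-length tags. Counter wrap-around and resynchronisation after ECU reset are deliberately left out here and are where real schemes spend most of their complexity.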

3.1.5. Data Storage

Vehicles will need to store information, including (i) the firmware and software used to run the car, (ii) maps and navigation information, (iii) music and videos for the entertainment system, and other information necessary for different use cases. This data will not be stored in a central location on the vehicle but in multiple locations. Data storage may also be separated based on the purpose of the data. For example, music and video should not be stored in the same location as the vehicle’s software, but implementation details may mean that this is not the case. Not all data will be stored locally; some will be present in the Cloud and only requested as required. Other data may be stored in the Edge or even in other vehicles on the road.
Example Attacks
• Violation Integrity (manipulate data)
• Violate Confidentiality (extract data)
• Violate Availability (delete data)
• Violate Non-repudiation (delete logs)
• Remote firmware update [22]

3.1.6. Data Analysis

To make sense of the data obtained from external sources (such as the sensors) and the data stored locally in the vehicle, some sort of analysis will need to be performed on it. This analysis may use simple conditions to trigger actuators (e.g., if the temperature rises above a threshold, then turn on the air conditioning) but more complicated techniques, such as machine learning models, will also be used. Such machine learning models will be prevalent in CAVs due to the need for autonomy.
Example Attacks
• Induce bad analysis (e.g., adversarial ML [49])
• Obtain analysis
• Malicious input to put analysis into an infinite loop (DoS)

Localisation

One of the key pieces of knowledge for an autonomous vehicle is its location. Information such as that from GNSS can be used to provide a fairly accurate location [50] as long as the vehicle is in an open area with few buildings blocking satellite signals. Other approaches such as dead reckoning are used to calculate the vehicle’s current position based on a previously known position, the vehicle’s speed, heading and the travel time.

Object Identification

As part of autonomous driving it will be necessary for the CAV to be able to identify objects. These objects will include people, obstacles, road signs and many other objects. Machine learning based methods will be used to perform visual identification. However, using machine learning can open the vehicle up to being attacked in new ways. One example is adversarial machine learning, where input manipulation can lead to unexpected results. For example, in Reference [51] 3D printed objects were handcrafted to be misclassified by an object detection model. In one case a turtle was detected as a gun; such a detection could lead to unexpected behaviour in the vehicle. Other issues might include the vehicle failing to recognise another vehicle, such as when a Tesla was involved in a fatal crash when it drove into a truck [52]. An adversary manipulating the data provided to sensors may influence the actions vehicles take.

Sensor Fusion

To improve the accuracy of sensing, the data available from sensors is usually fused, such as via a Kalman Filter [53]. By doing so the quality of the fused data should be higher than that of the individual sensor data. However, if manipulated sensor data is used then the fusion process could produce less accurate or even incorrect results [54]. In Reference [55] spoofed sensor data was used to control a UAV, with the method possibly extendable to other autonomous vehicles. Therefore, the sensor fusion method needs to be aware of how to handle data provided by an attacker, such that it does not lead to incorrect actuations.
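As an added example (not code from the paper or its references), the following one-dimensional Kalman filter fuses dead reckoning (wheel speed and elapsed time) with GNSS fixes and applies an innovation gate, so that a GNSS reading that jumps implausibly far from the vehicle’s own motion is discarded rather than fused. The scenario data, noise values and gate width are constructed for illustration.

```python
import math


def fuse_position(dt, speed, gnss, x0=0.0, p0=1.0, q=0.04, r=4.0, gate=3.0):
    """1-D Kalman filter: predict from dead reckoning, correct from GNSS.

    dt     : time step in seconds
    speed  : wheel-speed readings (m/s), one per step
    gnss   : GNSS position fixes (m), one per step
    x0, p0 : initial position estimate and its variance
    q      : process noise variance per step (dead-reckoning drift, assumed)
    r      : GNSS measurement noise variance (assumed)
    gate   : discard a fix whose normalised innovation exceeds this many sigma

    Returns (estimates, rejected): rejected[k] is True when the GNSS fix at
    step k failed the innovation gate and the filter coasted on dead reckoning.
    """
    x, p = x0, p0
    estimates, rejected = [], []
    for v, z in zip(speed, gnss):
        # Predict: where the vehicle's own motion says it should be
        x_pred = x + v * dt
        p_pred = p + q
        # Innovation: disagreement between the GNSS fix and the prediction
        innovation = z - x_pred
        s = p_pred + r  # innovation variance
        if abs(innovation) > gate * math.sqrt(s):
            # Implausible jump relative to wheel-speed dead reckoning: treat the
            # fix as spoofed or corrupted and keep the prediction only.
            x, p = x_pred, p_pred
            rejected.append(True)
        else:
            k = p_pred / s  # Kalman gain
            x = x_pred + k * innovation
            p = (1.0 - k) * p_pred
            rejected.append(False)
        estimates.append(x)
    return estimates, rejected


def constructed_scenario():
    """Constructed data: 10 m/s for 10 s; GNSS carries small noise and is
    offset by +50 m from step 6 onwards to mimic a spoofed position."""
    dt, v, steps = 1.0, 10.0, 10
    truth = [v * dt * (k + 1) for k in range(steps)]
    noise = [0.3, -0.5, 0.2, -0.1, 0.4, -0.3, 0.1, 0.2, -0.4, 0.3]
    gnss = [t + n for t, n in zip(truth, noise)]
    for k in range(6, steps):
        gnss[k] += 50.0
    return dt, [v] * steps, gnss, truth


if __name__ == "__main__":
    dt, speed, gnss, truth = constructed_scenario()
    est, rej = fuse_position(dt, speed, gnss)
    for k, (t, e, flag) in enumerate(zip(truth, est, rej)):
        print(f"step {k}: truth={t:6.1f} estimate={e:7.2f} rejected={flag}")
```

Running the same data with the gate disabled (`gate=float('inf')`) shows the estimate being dragged tens of metres towards the spoofed fixes, which is the failure mode the gate is there to catch.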

Actions Engine

Once an autonomous vehicle has both determined its location and the road objects around it, it may call on the Action Engine sub-module to decide what it must do next. Possible actions to be picked include interactions with other connected vehicles on the road and both short and long term routing decisions. RSUs or the Cloud, on the other hand, make use of the Action Engine to ensure that the vehicle routing or planning systems are correct and safe and to ensure that the various vehicles on the road at the same time coordinate and are managed to move people and packages to their destinations in the most effective way.

3.1.7. Energy System

The energy system both supplies energy (in the form of electricity) to the systems within a CAV and is also capable of being supplied with energy. Energy can be supplied back to the batteries through the use of regenerative braking, solar panels, recharging cables and other sources. The energy system is also tasked with maintaining the vehicle’s batteries to ensure power is safely drawn from them. If the energy system is compromised then unsafe usage of electricity might follow, which could lead to damage to the vehicle.
Example Attacks
• Overcharge battery to damage it
• Drain power

3.1.8. Actuation

This module contains any component that could perform an action with an impact on the physical world. This may include applying the brakes, changing rotation speed, changing the angle the wheels are pointed at, operating the air conditioning, lowering or raising windows, locking and unlocking car doors and others. If an attacker is not attempting to gain information about the vehicle or passengers, then actuating components are likely to be the key target. For example, an attacker may attempt to compromise a large number of vehicles in order to provide Theft as a Service (TaaS) [56]. Rather than stealing cars, the thief will install malware on as many vehicles as possible. Then, when there is demand for a particular car the malware can grant the thief access to the vehicle. The adversaries who installed the malware may not even need to activate the malware themselves, as they could provide a crafted key to the intended buyer.
Example Attacks
• Disable

3.1.9. Monitoring and Logging

Monitoring and logging are important aspects for CAVs in a number of scenarios, including: verifying that vehicles are functioning correctly, analysing past decisions made and being used to manage maintenance schedules. For example, if a CAV is in a collision the vehicle will need the ability to explain why it made the decisions it did before the collision. If an adversary is capable of accessing the diagnostics unit then it may rewrite the decision making history, preventing sound auditing.
Example Attacks
• No longer legally valid
• Extract data

3.1.10. Infotainment

The infotainment system is used to manage the entertainment system within a vehicle (such as audio/video systems) and other software (such as maps and navigation, phone and car status). Infotainment systems are also likely to contain a web browser to facilitate access to the internet for both entertainment and information. An issue with navigation systems is that they may process data from untrusted sources. If that data is maliciously crafted to take advantage of vulnerabilities in the system, then an attacker may be able to remotely execute arbitrary code.
Example Attacks
• Arbitrary code execution (via browser) [45]
• Arbitrary code execution (via hand-crafted audio/video files)

3.1.11. Human-Machine Interface

A Human-Machine Interface (HMI) is any device or software which allows a person to actively interact with a machine. A passive observation of the occupants would be performed by the Sensors component. In vehicles HMI includes critical systems such as the steering wheel, accelerator pedal, brake pedal and gear controller. Less critical systems include the controls on the dashboard and display mechanisms. An attacker may attempt to stop the signals from an HMI to prevent the vehicle from doing what is requested. Alternatively, the attacker might use the HMIs to report statuses that are incorrect to try to get the driver or passengers to perform certain actions. For example, the adversary may turn on engine failure warnings (when there is no problem) to cause the driver to stop the car. The attackers could then use this opportunity to steal the vehicle or perform other attacks, such as attaching a tracking sensor.
Note that the HMI does not communicate directly with the actuators. There will need to be some data analysis performed that potentially adjusts the action executed. For example, an anti-lock braking system would not always actuate the brakes in the way the driver requests.
Example Attacks
• Spoofing vehicle status
• Intercept inputs

3.2. Devices and Peripherals Reference Architecture

Vehicles may have a number of peripherals that interact with them. Some examples of the kinds of devices and peripherals that may be present and in use are: (i) Car Keys, (ii) Smart phones, (iii) MP3 players, (iv) Bluetooth devices, (v) 3rd Party Navigation Systems, (vi) Dashcams, (vii) Portable games consoles and others. These devices could either interact with the vehicle or simply be present within the vehicle. Some of these interactions may be relatively simple, such as accessing the vehicle’s WiFi in order to connect to the internet via a cellular connection. Others may involve accessing the vehicle’s storage, actuating the infotainment system or controlling other aspects of the vehicle. These peripherals are additional vectors that attackers can take advantage of to attack the system. This can be by loading the device with malware to gain control [57] or by interacting with the content of the inter-device communication [58].
It is also the case that some of these interactions can be unintended. For example, a passenger leaving their phone in an automated vehicle may leak the journey history of the vehicle if it is running a phone tracking service. This sort of leak could also be triggered by an attacker intentionally attaching such a device to the vehicle.

3.2.1. Applications

One of the key features of certain devices (such as smartphones) is the ability to run applications on them. Some vehicle manufacturers (such as Vagn [59]) are building mobile apps that obtain information from the car or allow the app to control certain features (such as the infotainment system). If the phone is compromised then the malware may be able to affect the vehicle’s systems via the app. The attacker may be able to leak data about the vehicle, gain an internal vector to the vehicle’s systems or use the phone’s connection to the cloud to attack the vehicle.
Example Attacks
• Location tracking via sensor data (e.g., magnetometer [60])
• Data harvesting
• Become internal attack vector for remote adversary
• Malicious smartphone app interfering with CAN bus [57]

3.2.2. Sensors

The devices within a vehicle may have their own sensors that reveal information about the state of the environment inside the vehicle or about the vehicle itself. An adversary may wish to take advantage of these sensors to gain knowledge about the vehicle, which may be useful in increasing the severity of other attacks.
Example Attacks
• Blind, Jam
• Induce misleading readings (Spoof, Replay, Delay)

3.2.3. Wireless Communications

The devices present in a vehicle are expected to communicate wirelessly. This may be via the cellular network, directly with the vehicle or perhaps using other devices in the vehicle. One example is that vehicle privacy may be leaked due to the presence of devices in the vehicle. For example, WiFi devices will sometimes broadcast their MAC address when looking for a device to connect to [61]. Bluetooth devices will also beacon their MAC address in order to find devices to connect to [58]. Both reveal identity information that could be used to track people in vehicles.
Example Attacks
• Relay Attack (Car Key Signal [42])
• Replay attack (e.g., unlock car using recorded signal)
• Wireless protocols leak identity information about owner [61]
• Facilitates tracking of people and vehicles [58]

3.3. Edge Reference Architecture

The Edge reference architecture specifies the interactions of components that occur between the operations of the vehicle and the operations of the Cloud. This may include devices used to access a WAN (such as mobile base stations or WiFi hotspots). Edge devices may include some functionality that does not occur remotely and instead occurs close to where the vehicle is operating or at the boundary between the vehicle and the cloud. There is a wide range of scenarios that could be considered in the Edge reference architecture. The main example is Road-Side Units (RSUs), which are computing devices placed along road networks to support CAVs travelling along the roads. These devices will communicate with autonomous vehicles to help them perform autonomous activities. Other pieces of infrastructure can also be considered as part of the Edge. For example, internet connected traffic lights, smart parking garages and others may need to collaborate with autonomous vehicles and actuate components to facilitate autonomous driving.
Certain components have been previously described (e.g., Sensors, Data Analysis) and will not be repeated as part of the Edge sub-architecture. Some components previously described will be repeated due to differences from the previous sub-architectures.
Example Attacks
• Modify hardware (Tamper)
• Disable hardware

3.3.1. Communication

Communication on the Edge has additional facilities compared to CAVs and the Devices & Peripherals within them, as the Edge could be physically connected to a wide area network (WAN) rather than just wirelessly connected. Such physical connections might be provided by high bandwidth fibre, Ethernet and other communication approaches that require a physical medium. However, Edge nodes will still need to have wireless communications in order to facilitate V2I communication. This communication will encompass the technologies specified in vehicles to facilitate Dedicated Short-Range Communications (DSRC) (e.g., IEEE 802.11p and/or C-V2X). Other technologies might include non-vehicular specific cellular communications, WiFi and protocols to interact with IoT systems (e.g., IEEE 802.15.4).
Example Attacks
• Edge Emulation [62]
• DoS

3.3.2. Data Storage

Data storage in the Edge will typically be centralised for each device as a single piece of hardware. As the Edge is susceptible to tampering it is important to take precautions, such as encrypting the entire disk, to prevent a threat actor from removing, reading and then replacing the disk.
Example Attacks
• Violate Integrity (manipulate data)
• Violate Confidentiality (extract data)
• Violate Availability (delete data)

3.3.3. Actuators

Edge systems may potentially have the ability to actuate key pieces of infrastructure which can influence the environment (such as traffic lights or barriers). Depending on what the actuator is, the Edge device(s) may be capable of having a large impact on the behaviour and security of vehicles. For example, a compromised Edge might claim a certain actuation condition that is not true, such as claiming a traffic light is green while it is red.
Example Attacks
• Disable

3.3.4. Energy System

The energy system being used to power the Edge device is important to consider, as different kinds could be used. Typically Edge systems will be powered using mains power and the attacks on this system relate to removing access to this power. However, alternative power systems (such as batteries and renewable energy like solar) may be used in scenarios where providing mains power is infeasible or too expensive.
Example Attacks
• Sever power supply
The Edge will have physical I/O ports that allow technicians to connect directly to the Edge infrastructure. These ports should be protected using physical security mechanisms (such as locks) to protect against attacks. From a cyber security perspective the ports need to defend against attacks that occur once physical security is bypassed. This means that any user connecting via these ports should be correctly authenticated and audit logs created around these connection attempts.
Example Attacks
• Privilege Escalation

3.3.5. Monitoring and Logging

Records of actions taken by both the Edge and Cloud will need to be kept. This will allow inspectors to understand why a particular sequence of actions occurred. They will also be required to understand the performance characteristics of the system.
Example Attacks
• Delete/Modify logs
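Both the vehicle’s decision log (Section 3.1.9) and the Edge and Cloud action records above face the same attack: an adversary with access to the logging unit rewrites or deletes records. As an added example (not the paper’s own code), the following hash-chained log makes modification, reordering and deletion of records detectable, and shows the one case a bare chain cannot catch, truncation of the most recent records, which needs the head digest anchored somewhere the adversary cannot reach (for example reported periodically to the Cloud). Record fields and decisions are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # digest "before" the first record


def _digest(previous_digest, seq, entry):
    """SHA-256 over the previous digest, the sequence number and the record."""
    payload = json.dumps({"seq": seq, "entry": entry}, sort_keys=True,
                         separators=(",", ":")).encode()
    return hashlib.sha256(previous_digest.encode() + payload).hexdigest()


def append_entry(log, entry):
    """Append a decision record chained to the digest of the previous record."""
    previous = log[-1]["digest"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "entry": entry,
                "digest": _digest(previous, seq, entry)})
    return log[-1]["digest"]  # the new head, to be anchored externally


def verify_chain(log, anchored_head=None):
    """Return (ok, index): ok is False at the first record that breaks the
    chain; with anchored_head, also reject a log whose head does not match."""
    previous = GENESIS
    for expected_seq, record in enumerate(log):
        if record["seq"] != expected_seq:
            return False, expected_seq  # a record was removed or reordered
        if _digest(previous, record["seq"], record["entry"]) != record["digest"]:
            return False, expected_seq  # record content was altered
        previous = record["digest"]
    if anchored_head is not None and previous != anchored_head:
        return False, len(log)  # trailing records were dropped (truncation)
    return True, len(log)


def constructed_log():
    """Three constructed decision records as a CAV might write before a collision."""
    log = []
    head = None
    for entry in ({"t": 0.0, "obstacle_m": 42.0, "action": "maintain_speed"},
                  {"t": 0.5, "obstacle_m": 18.0, "action": "brake"},
                  {"t": 1.0, "obstacle_m": 3.0, "action": "emergency_brake"}):
        head = append_entry(log, entry)
    return log, head


if __name__ == "__main__":
    log, head = constructed_log()
    print("intact:", verify_chain(log, head))
    log[1]["entry"]["action"] = "accelerate"  # adversary rewrites history
    print("rewritten:", verify_chain(log, head))
```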

3.3.6. Microservices

Microservices involve an application or service designed to provide functionality across a collection of loosely coupled services. These microservices each provide a simple service compared to a monolithic model which provides multiple services at once. Benefits of this style of architecture include: improved scalability to a large number of users and increased resilience to certain attacks. A modular architecture is easier to test and develop, reducing the odds of bugs or vulnerabilities being present. Any services that are used internally do not need to be exposed to the wider internet, which reduces the attack surface compared to a monolithic application. However, while each individual microservice has a smaller attack surface, the inter-microservice communications become a possible avenue of attack.
Example Attacks
• Malicious firmware deployment
• Privilege Escalation

3.3.7. Application Programming Interfaces (APIs)

The APIs exposed by a service hosted on the Edge are used to access that service. APIs can be exposed in a number of ways; however, a common technique is to use RESTful APIs [63] that represent a request and response in JSON which is typically sent over HTTP(S). As APIs often involve user supplied data, it is important to ensure that it is sanitised before being manipulated or used for a task. A lack of sanitisation or vulnerabilities in the processing code of the request can lead to confidentiality or integrity violations. A common example of this kind of attack is SQL injection.
Example Attacks
• Lack of user data validation (e.g., SQL injection)
• Incorrect data disclosure
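To make the validation point concrete, here is an added example (not the paper’s code) of an Edge API handler that looks up a parking space from a JSON request body: the first version interpolates the request field straight into SQL and leaks every row when the field carries an injection string, the second validates the field against its expected format and uses a parameterised query. The table, the space identifier format and the request bodies are constructed.

```python
import json
import re
import sqlite3


def constructed_db():
    """Constructed in-memory table of parking spaces held by an Edge node."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE spaces (space_id TEXT PRIMARY KEY, "
                 "level INTEGER, occupied INTEGER)")
    conn.executemany("INSERT INTO spaces VALUES (?, ?, ?)",
                     [("A01", 1, 0), ("A02", 1, 1), ("B07", 2, 0)])
    conn.commit()
    return conn


def lookup_space_vulnerable(conn, raw_body):
    """Request data is pasted into the SQL string: an injection string in
    space_id changes the WHERE clause and returns rows the caller never asked for."""
    body = json.loads(raw_body)
    sql = ("SELECT space_id, level, occupied FROM spaces "
           f"WHERE space_id = '{body['space_id']}'")
    return conn.execute(sql).fetchall()


# Constructed identifier format: one uppercase letter followed by two digits
SPACE_ID_RE = re.compile(r"[A-Z][0-9]{2}")


def lookup_space_safe(conn, raw_body):
    """Validate the field's type and format first, then bind it as a parameter
    so the database driver never treats it as SQL."""
    body = json.loads(raw_body)
    space_id = body.get("space_id")
    if not isinstance(space_id, str) or not SPACE_ID_RE.fullmatch(space_id):
        raise ValueError("invalid space_id")
    return conn.execute("SELECT space_id, level, occupied FROM spaces "
                        "WHERE space_id = ?", (space_id,)).fetchall()


if __name__ == "__main__":
    conn = constructed_db()
    ok = json.dumps({"space_id": "A01"})
    bad = json.dumps({"space_id": "A01' OR '1'='1"})  # constructed injection string
    print("vulnerable/ok :", lookup_space_vulnerable(conn, ok))
    print("vulnerable/bad:", lookup_space_vulnerable(conn, bad))
    print("safe/ok       :", lookup_space_safe(conn, ok))
    try:
        lookup_space_safe(conn, bad)
    except ValueError as exc:
        print("safe/bad      : rejected,", exc)
```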

3.4. Cloud Reference Architecture

The interactions between CAVs and the Cloud and the operation of the Cloud are important to consider with respect to the attack surface of autonomous vehicles. Much of the information that CAVs request will be provided by Cloud services and specific applications will require interaction with Cloud APIs for services to function. The Cloud reference architecture is intended to be a simplified representation of the main components that are important for CAVs. It is sufficiently in-depth for an analysis of how attacks on the Cloud would impact a CAV; however, more detailed reference architectures and threat models should be used to analyse the Cloud in greater depth (such as References [64,65,66]).
The rest of this section will describe the components in the Cloud reference architecture. Certain components have been previously described in Section 3.3 (e.g., Monitoring and Logging, Microservices, APIs) and will not be repeated here.

3.4.1. Communication

The communication patterns that occur in the Cloud will be more complex due to the Cloud’s need for scalability, high performance and high security. Rather than having a single connection to the wider networking infrastructure, the Cloud will have multiple gateways which utilise load balancing to improve performance. As the Cloud is internet connected, large services will be under attack from DDoS packet spam [67]. This means that firewalls and DDoS protection are an important part of the Cloud’s communication infrastructure.
Example Attacks
• Jam or disconnect link
• MiTM
• DDoS

3.4.2. Data Storage

Cloud data storage will be different to both vehicular and RSU data storage, as it will be physically distributed across many different data centres. The data will also be replicated to ensure integrity and availability under hardware failures. This replication and distribution increases the attack surface of this data storage, as there are various sites to consider exploiting and the communication between sites to perform the replication could also be vulnerable to exploitation.
Example Attacks
• Insider attacks against data centre [68]
• Hardware failures limiting availability
• Unintended remote access

3.4.3. Data Analysis

The data analysis performed by the Cloud is going to be different from that performed by the vehicle, as the Cloud will have access to much more data over a longer time period. Thus, the Cloud will have different objectives in terms of the analysis it produces from the data. For example, it may analyse historical data to better predict traffic patterns, which could be used to load balance road networks when a vehicle requests a route from its origin to its destination. An attacker may wish to obtain this analysis (as it is likely to be very valuable) or influence the analysis so it outputs poor results (e.g., such that all vehicles are directed onto a lower capacity road, leaving higher capacity roads free).
Example Attacks
• Privacy leakage of user information (Privacy Preserving Data Mining to protect it [69])

4. Methodology

In the previous section we presented the four components of a reference architecture that can be used as an aid for the examination of cyber security threats and to develop appropriate strategies to address such threats. This reference architecture provides an abstract view of the ecosystem, which allows developers of new products, services and infrastructure to see how their own contribution fits into this system of systems. To identify and mitigate attacks using the reference architecture, the user undertakes three steps: instantiate the architecture with their particular use case; identify the attack surface; and identify attack entry points at the boundary and internal interaction points. We explain each of these steps below.

4.1. Instantiate the Reference Architecture

Thus far the abstract reference architecture has been presented, with abstract components such as Sensors. To use the reference architecture the abstract components need to be instantiated with concrete components as required by the specific scenario of concern (as will be shown in Section 5). For example, the Sensors component could be instantiated with multiple sensors such as LIDAR, odometry and temperature when an application needs the output from these sensors to perform its function. Not all components need to be instantiated, as the scenario may not use certain systems within the vehicle. Only once the reference architecture has been instantiated with components can the threats against those components be identified. Using the reference architecture, the threats posed by compromised components can be identified via the links specifying how the components interact.

4.2. Identification of Attack Surface

Once the system has been instantiated for a use case, attack surface analysis is used to identify a comprehensive set of feasible methods for adversaries to achieve their goals. Attackers can use and combine different attack paths to reach their desired goals. Where mitigations should be implemented can be identified by focusing on reducing the ability of an adversary to exploit critical attack surfaces. Attack goals can be obtained by systematically performing a threat modelling on the critical components or functionality of a system. There are a number of approaches to perform threat modelling [6], of which Microsoft’s STRIDE is commonly used in the automotive security domain. A reference architecture is useful in conjunction with threat modelling, as it gives a methodology to identify attack routes to achieve a goal that may not have been previously considered in the threat modelling. However, performing a threat modelling is out of scope for this work, to ensure generalisation to arbitrary threat modelling techniques.
One effective method to describe attack surfaces is attack trees, which were first introduced in Reference [15] to manage the large number of threats derived from comprehensive threat modelling in general security. Attack trees have since been employed in automotive security in a number of scenarios [70,71,72]. To create attack trees, potential threat agents and their goals in compromising the system initially need to be identified. For each attack goal, the relevant attack surfaces need to be specified that define possible paths to reach the goal. These paths can then be represented as an attack tree. At the end of this procedure, a set of attack trees which cover known goals, sub-goals and attack methods of potential threat agents is produced.
In this paper, we also employ attack trees to optimise, manage and control the attack surface. The process to implement the attack tree analysis is illustrated in Figure 4 and described below:
  • The goal(s) of the threat actor need to be specified.
  • Using these goals, identify the component in the reference architecture which ultimately needs to be compromised for these goals to be achieved.
  • Identify the possible entry points to the system that the threat actor could exploit.
  • Using the entry point(s), calculate the path(s) that a threat actor might take to reach the target component from an external interaction.
  • Considering a threat actor’s capabilities, resources and presence, prune paths that the threat actor cannot exploit.
Evaluation of threat agents appears at both ends of an attack tree. At the beginning, goals are derived from threat agents’ motivations. It is assumed that threat agents will only consider goals that follow from their motivations. For example, a thief has a motivation to increase their wealth, so an aim is to steal physical assets rather than cause damage. Each threat will require a specific capability to be carried out, such as: technique, skills, knowledge, equipment, presence and others. Hence, at the end of the procedure, the capability of threat agents also needs to be evaluated to check if reaching the goal is feasible. When achieving the goal is not feasible, then the attack tree needs to be trimmed from the set of attack trees created.
Previous work has been performed on identifying threat actors and their capabilities, goals, resources and so on, which should be used as input to this attack surface analysis. For example, a comprehensive library of threat agents for general computer systems was provided by Intel [73] in their Threat Agent Risk Assessment (TARA) model. This library contains information on 22 threat agents and their 9 common attributes. However, many of the agents are inapplicable to CAV security. For example, the TARA list is reduced to the seven most relevant agents in Reference [7], which included thief, owner, organised crime, mechanic, hacktivist, terrorist and foreign government.
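The five-step procedure above (goal, target component, entry points, paths, capability pruning) can be run mechanically over an instantiated reference architecture. The following is an added example, not code from the paper: a small constructed instantiation whose links are annotated with the capability an adversary needs to cross them, a path enumeration from each entry point to the target component, pruning against constructed threat-agent capability sets, and the surviving paths rendered as an OR-of-ANDs attack tree. Component names, links, capabilities and agent profiles are all assumptions.

```python
# Constructed instantiation of part of the reference architecture.
# Each link: (source component, target component, capability needed to
# pivot across it); None marks an internal link that needs no extra capability.
LINKS = [
    ("Smartphone App", "Vehicle Communication", "app_control_feature"),
    ("Smartphone App", "Cloud API", "internet_access"),
    ("Cloud API", "Cloud Data Storage", "api_injection"),
    ("Cloud Data Storage", "Vehicle Communication", "map_update_channel"),
    ("Edge Communication", "Vehicle Communication", "rogue_rsu_radio"),
    ("Vehicle Communication", "Vehicle Data Analysis", "crafted_v2x_message"),
    ("Vehicle Data Analysis", "Vehicle Actuation", None),
]

# Entry points reachable from outside the system and the capability needed
# to reach each of them (constructed).
ENTRY_POINTS = {
    "Smartphone App": "phone_malware",
    "Cloud API": "internet_access",
    "Edge Communication": "physical_presence",
}

# Constructed capability profiles in the spirit of the TARA-derived agent list.
THREAT_AGENTS = {
    "thief": {"physical_presence", "rogue_rsu_radio", "crafted_v2x_message",
              "phone_malware", "app_control_feature"},
    "hacktivist": {"internet_access", "api_injection", "map_update_channel",
                   "crafted_v2x_message"},
    "owner": {"phone_malware"},
}


def enumerate_paths(links, entry_points, target):
    """Step 3 and 4: every simple path from an entry point to the target
    component, together with the set of capabilities the path requires."""
    adjacency = {}
    for src, dst, cap in links:
        adjacency.setdefault(src, []).append((dst, cap))
    paths = []

    def walk(node, path, caps):
        if node == target:
            paths.append((tuple(path), frozenset(caps)))
            return
        for nxt, cap in adjacency.get(node, []):
            if nxt in path:  # do not revisit a component already on the path
                continue
            walk(nxt, path + [nxt], caps | ({cap} if cap else set()))

    for entry, entry_cap in entry_points.items():
        walk(entry, [entry], {entry_cap})
    return paths


def prune_paths(paths, agent_caps):
    """Step 5: keep only the paths whose every capability the agent has."""
    feasible = [p for p in paths if p[1] <= agent_caps]
    pruned = [p for p in paths if not p[1] <= agent_caps]
    return feasible, pruned


def attack_tree(target, feasible):
    """Render surviving paths as an attack tree: OR over paths, AND over the
    ordered compromise steps within each path."""
    return {"goal": f"Compromise {target}",
            "OR": [{"AND": list(path)} for path, _ in feasible]}


if __name__ == "__main__":
    all_paths = enumerate_paths(LINKS, ENTRY_POINTS, "Vehicle Actuation")
    for agent, caps in THREAT_AGENTS.items():
        feasible, pruned = prune_paths(all_paths, caps)
        print(f"{agent}: {len(feasible)} feasible, {len(pruned)} pruned")
        for branch in attack_tree("Vehicle Actuation", feasible)["OR"]:
            print("   AND:", " -> ".join(branch["AND"]))
```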

4.3. Identify Attack Entry Points at the Boundary and Internal Interaction Points

Attacks against a single component can have limited impact. Hence, it is often the case that compromised components are exploited to aid in attacking additional components, or multiple components are attacked simultaneously. These attacks are more difficult and take longer to perform but can have a greater impact on the CAV. The motivations for an attacker to attack a component via another compromised component can be divided into two categories: (i) escalating attacker capability and (ii) creating greater impact. Achieving one of these categories (or both) can be obtained by sequential manipulation (attacking a component after another, earlier compromised component), simultaneous manipulation (attacking two components simultaneously) or a mixture of the two manipulations.

4.4. Summary

This section described the procedure to identify the attack surface of a system described using a reference architecture. To provide an insight into how to apply this technique, two case studies using it are explored in the next section.

5. Case Studies

In this section we present two different case studies to demonstrate how to use the proposed reference architecture for attack surface analysis. The procedure for creating these case studies is as follows:
  • Identify a scenario where cyber security is important.
  • Instantiate the reference architecture with concrete instances of components that are present in the scenario.
  • Use input from threat modelling to identify the goals, motivations, capabilities and resources of an adversary.
  • Use the instantiated reference architecture to build attack trees. This facilitates the cyber security analysis of the scenario by identifying how an adversary will perform attacks.
  • Finally, identify the possibilities by which the system can be modified to mitigate the attacks.

5.1. Autonomous Valet Parking

The first case study is an autonomous valet parking example from Reference [20], where a driver wishes to park their vehicle at a parking garage. Once the driver leaves the vehicle, they can request the vehicle to autonomously park itself by collaborating with the smart parking garage. The parking garage will allocate the vehicle a parking space and provide internal maps to aid the vehicle in finding its allocated space. When the driver wishes to retrieve the vehicle, a signal can be sent from a smart phone to request that the vehicle autonomously drives back to its owner. Figure 5 and Figure 6 indicate how certain components were instantiated with concrete components. In this example the Edge devices represent the smart parking garage.
This case study was also examined in Reference [7]; by implementing this application we will demonstrate the differences between using our reference architecture and the one proposed in Reference [7]. This comparison will demonstrate that our architecture permits a more detailed analysis of the attack surface due to the consideration of interactions between the vehicle and the devices & peripherals, the Edge and the Cloud. Some additional components are included that are not referenced in the example in Reference [7]. These new components are in boxes with dashed lines. They indicate certain functionality that could be involved with a valet parking system and highlight different ways in which the system could be attacked that are not covered in the previous work.

5.1.1. Threat Identification

A number of threats were identified in the original instance in Reference [7] that can also be identified using the proposed reference architecture.
  • Spoof GNSS on Vehicle: GNSS signals could be spoofed to assist a thief stealing a vehicle.
  • Modify Map via Update on Cloud: A map update is used to force the vehicle along a route to an arbitrary destination.
  • Replay Retrieval on Device: A thief replays a recorded signal used to summon the vehicle.
  • Blind Range Sensor on Vehicle: An adversary seeking to cause a crash might blind the range sensor to prevent the car from knowing its distance from obstacles.
  • DoS Parking Allocator on Cloud: An adversary seeking to induce a traffic jam or deny the parking garage could DoS the allocator, preventing vehicles from requesting new spaces.
Using the reference architecture (see Figure 5 and Figure 6), the following additional threats have been identified:
  • DoS Car Detection on Edge: Disable the sensor that detects a vehicle in a parking space to reduce the availability of the parking garage.
  • Information Disclosure via Vulnerable APIs on Cloud: Vulnerable APIs can potentially execute arbitrary code (such as via SQL injection attacks), allowing an adversary to remotely obtain sensitive data about the parking garage system.
  • MiTM on Edge: A device could be placed in the parking garage that mimics roadside infrastructure. If it has a larger signal strength, vehicles would prefer connecting to that rogue V2I rather than the Edge infrastructure of the parking garage, allowing a MiTM attack between the vehicle and the cloud services. This attack could reveal sensitive information about the user (such as financial details). It could also be used to wrongly allocate vehicles, causing a large traffic jam in the parking garage (denying vehicle availability).
This work does not perform the threat modelling of step 3, as it is expected to take this information from one of the many different threat modelling techniques.
Considering the additional components contained within the dashed lines, the following additional threats have been identified:
  • Cut Mains Power on Edge: A vehicle should be able to autonomously exit the parking garage even if power is lost, whether the power loss is malicious or not. If the vehicle is unable to exit the parking garage then access to the vehicle is denied to its owner.
  • Incorrect Indoor Positioning on Edge: If the Edge assists a vehicle to perform indoor positioning, then spoofed and jammed signals could be used to decrease the vehicle’s certainty of its position.
By including the additional interactions with the Edge and Cloud, as well as a better structuring of components and their interactions, our reference architecture has allowed more threats to be identified. The identification process does not require specifying a large amount of detail compared to more comprehensive reference architectures such as that in Reference [8].
Attack trees were built from these specified potential threats by first selecting the most relevant threat agents, which are the thief, hacktivist and terrorist. For each threat agent the most important goals were identified. The attack trees were then analysed for each of these goals, which are listed in Table 3. Finally, each tree was connected into a single structure (Figure 7) to illustrate the security analysis of the use case with respect to the threats, threat agents and their goals.

5.1.2. Discussion

One of the interactions specified in Reference [7] was a key/remote that is used to activate the retrieval of a vehicle from the parking garage. This occurs by the key communicating directly with the vehicle and starting its automated driving to exit the parking garage. An alternate architecture involves a user with an application on a smart phone contacting a cloud service to request the retrieval of a vehicle. This means the parking garage has greater control over vehicle parking allocation and scheduling vehicle retrieval. We use the alternate model as we believe it more accurately characterises the way in which this system will be implemented. This means the steps of vehicle retrieval go from (a.i) Key communicates with vehicle to request retrieval, (a.ii) vehicle autonomously drives to owner through parking garage, to (b.i) User requests vehicle retrieval using smart phone, (b.ii) cloud service schedules vehicle retrieval to prevent traffic jams in parking garage, (b.iii) vehicle autonomously drives to owner.
Our proposed reference architecture allows a richer attack surface to be identified than in previous work. For example, through the valet parking application, we can identify additional threats compared to Reference [7], since we define the previously unspecified Devices & Peripherals and Cloud sub-architectures and more thoroughly specify the Edge sub-architecture. A comprehensive attack surface is always important because a missed threat can lead to risk being underestimated and may create severe outcomes if attackers can use it to exploit the system.

5.2. Tesla Exploitation

An example of an attack that needed to compromise multiple components to gain further control of the vehicle was presented in Reference [45]. The default behaviour of the vehicle was to connect to an unprotected WiFi hotspot and open a website in the infotainment system. By setting up an alternate WiFi hotspot with the same SSID but broadcasting at a higher power, the vehicle instead connected to the alternate hotspot, which allowed traffic to be redirected to a custom server. This means an attacker with semi-local presence could perform this attack. To perform the initial attack the adversary needed to find a vulnerability in the web browser running in the infotainment system. By chaining together multiple browser vulnerabilities the adversary could execute arbitrary code through the compromised browser. Privilege escalation was then required to affect the system in substantial ways. Without gaining the privilege escalation the adversary would have little ability to affect the internal systems. However, once access to memory storage was gained through the browser exploit, debug information was uncovered that included procedures for upgrading firmware. This allowed a custom firmware to be flashed to some components, which is capable of performing arbitrary tasks.
The summarised steps are as follows, with functional components and implementations of those components formatted differently (see more detail of the attack model in Figure 8 and Figure 9):
  • External Communications connects to a known WiFi hotspot
  • A rogue WiFi hotspot spoofs the SSID with a greater signal strength
  • Compromise browser in Infotainment
  • Privilege escalation in Operating System
  • Data access
  • Flash firmware (modify Storage)
  • Custom firmware eavesdrops/transmits/blocks messages on the CAN bus (Internal Communications)
Even with access to the CAN bus, safety features limited the adversary’s ability to perform certain actions. For example, the authors attempted to open the trunk whilst the vehicle was in motion but this was prevented. However, the authors found a way to block certain CAN messages, which allowed them to open the trunk or to disable automatic locking of doors while the vehicle was moving.
In response to this vulnerability several controls were added to reinforce the security of Tesla vehicles, including (see Figure 10):
  • C1: Greater isolation of the Infotainment web browser from being able to interact with other parts of the system
  • C2: Page Table Isolation (which prevents the kernel from accessing user mode memory and so prevents the adversary from executing code in user space)
  • C3: Code Signing (to prevent untrusted code execution)
To the best of our knowledge, this kind of attack has only been reported three times, twice by the Tencent researchers in 2016 and 2017 and once by Checkoway et al. [56]. For each attack, the authors reported the step-by-step hacking actions, although the manufacturers quickly provided patches/fixes for the vulnerabilities. Attack tree analysis is an effective approach to address the implications of these attacks and how effective the patches/fixes are in eliminating the risks. Firstly, it can represent and simplify the attack, while highlighting the relevant components and their relations. Secondly, the attack can be understood in greater detail by identifying alternatives in the attack surface that could be used to achieve the same goals. Thirdly, attack implications can be drawn from considering all the related threat agents and their motivations. Finally, the controls that manufacturers added to the CAV can also be verified, and the attack trees can also suggest other efficient controls to be considered in mitigating the threats.
The security analysis from Reference [45] is extended by our attack tree analysis in Table 4 and Figure 10, with alternatives to browser attacks being identified as part of the attack surface. The goals of the hacktivists (i.e., the Tencent researchers) can be expanded to the higher-impact goal of a terrorist, for example, to control the CAV to create harm when it is operating in a crowded environment. Relations between the threats, goals and agents are illustrated in Figure 10. When applying the Tesla controls, it can be seen that the detailed attacks are eliminated, the relevant attack surfaces are significantly reduced, and the connections between the surfaces are removed.
Finally, while the ability of the manufacturer to develop a fix in a short time period is important, it is also important that the fix can be rapidly deployed to cars on the road. In this instance Tesla was able to produce and deploy a fix for these issues in two weeks. The services available to widely deploy these software fixes in a short period of time allowed the impact on the vehicle’s occupants to be small. If the firmware fix needed to be shipped to owners to install themselves, or vehicles needed to be recalled, the risk to drivers would be higher due to the longer time the vehicles spend unpatched. An over-the-air update system could introduce the potential for malicious or buggy firmware to be deployed to vehicles; however, that is a trade-off that needs to be considered with respect to the ability to widely deploy an update in a short period of time.
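As an added example that is not part of the paper, the following Python models the Section 5.2 chain as an AND node and the Section 5.1.1 threats that deny parking availability as an OR node, then re-evaluates which attack paths and which functional components remain once controls C1, C2 and C3 are applied. Which control blocks which step is this example's own modelling assumption, not something the paper states.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple, Union

# Added example (not the paper's code): a minimal attack-tree evaluator.
# Control-to-step assignments below are this example's assumptions.


@dataclass(frozen=True)
class Step:
    """Leaf: one attack step on one functional component of the architecture."""
    name: str
    component: str
    mitigated_by: FrozenSet[str] = frozenset()  # control ids that remove this step


@dataclass(frozen=True)
class Gate:
    """Internal node: AND (all children needed) or OR (any child suffices)."""
    kind: str
    name: str
    children: Tuple["Node", ...]


Node = Union[Step, Gate]


def attack_paths(node: Node, controls: Set[str]) -> List[FrozenSet[Step]]:
    """All sets of leaf steps that still achieve `node` once `controls` are applied.

    An empty result means the goal is no longer reachable through this tree.
    """
    if isinstance(node, Step):
        return [] if node.mitigated_by & controls else [frozenset({node})]
    if node.kind == "OR":
        return [p for child in node.children for p in attack_paths(child, controls)]
    if node.kind != "AND":
        raise ValueError(f"unknown gate kind {node.kind!r}")
    # AND: every child must be achieved, so combine one path from each child.
    combined: List[FrozenSet[Step]] = [frozenset()]
    for child in node.children:
        child_paths = attack_paths(child, controls)
        if not child_paths:
            return []  # one blocked child blocks the whole conjunction
        combined = [a | b for a in combined for b in child_paths]
    return combined


def attack_surfaces(paths: List[FrozenSet[Step]]) -> Set[str]:
    """Components an attacker still has to touch on at least one remaining path."""
    return {step.component for path in paths for step in path}


def tesla_tree() -> Gate:
    """The Section 5.2 chain as an AND node; C1-C3 attached per this example's assumptions."""
    return Gate("AND", "Send/block CAN messages via custom firmware", (
        Step("Vehicle joins rogue hotspot spoofing a known SSID", "External Communications"),
        Step("Chain browser vulnerabilities to run code", "Infotainment"),
        Step("Browser code reaches other system parts", "Infotainment", frozenset({"C1"})),
        Step("Privilege escalation", "Operating System", frozenset({"C2"})),
        Step("Read firmware-update debug data", "Storage"),
        Step("Flash custom firmware", "Storage", frozenset({"C3"})),
        Step("Firmware eavesdrops/transmits/blocks CAN messages", "Internal Communications"),
    ))


def valet_denial_tree() -> Gate:
    """Section 5.1.1 threats that deny parking availability, as independent alternatives."""
    return Gate("OR", "Deny parking garage availability", (
        Step("DoS parking allocator", "Cloud"),
        Step("DoS car-detection sensor", "Edge"),
        Step("Rogue V2I MiTM mis-allocates vehicles", "Edge"),
        Step("Cut mains power", "Edge"),
    ))


def summarise(tree: Gate, controls: Set[str]) -> Tuple[int, Set[str]]:
    """(number of remaining attack paths, components still on the attack surface)."""
    paths = attack_paths(tree, controls)
    return len(paths), attack_surfaces(paths)


if __name__ == "__main__":
    for applied in (set(), {"C1"}, {"C2"}, {"C3"}, {"C1", "C2", "C3"}):
        n, surf = summarise(tesla_tree(), applied)
        label = sorted(applied) or "no controls"
        print(f"Tesla chain with {label}: {n} path(s), surfaces={sorted(surf)}")
    n, surf = summarise(valet_denial_tree(), set())
    print(f"Valet denial goal: {n} independent path(s) over {sorted(surf)}")
```

Because the Tesla chain is a conjunction, any single control on one of its steps removes the whole path, whereas the valet denial goal is a disjunction spread over two sub-architectures and needs a control on each alternative.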

6. Discussion

Having described the reference architecture and shown two case studies that demonstrate how to apply it, this section will now discuss some of the implications and issues raised.

6.1. Expectation that the CAV Architecture Will Change

We expect that in the next decade and beyond the functionality of a CAV will change in unexpected ways. This reference architecture is designed to reflect the functionality that is expected to be deployed in the near future. For the far future, we expect that changes will need to be made to the reference architecture, which is why it has been designed to be modular. If new components or new interactions between components need to be added, then the reference architecture can be updated to include them. In doing so the attack surface of the system will change and the analysis will need to be re-performed.

6.2. Prioritising Attack Surface Analysis

Given limited resources, defenders need to prioritise specific attack surfaces to protect, starting with threats that pose a high risk (high likelihood and high impact). Thus, defenders need to run a risk assessment which takes into account threat agents’ capabilities and motivations as well as the available controls in the system. However, performing a risk assessment is complex, takes time as it involves a large number of threats, and may contain uncertainties in the estimated risk. Besides, CAV risks are not static due to their dynamic operating environments. Consequently, the risk assessment will need to be repeated frequently to adapt to such changes. Therefore, to make the analysis more effective, it is important to narrow the focus by prioritising the security resources for several core parts.
We argue that the core parts that should be prioritised are critical functional components exploited frequently by threat actors. When proper controls are applied the corresponding attack surfaces will be reduced, which creates further challenges for attackers. For CAVs these components are: (i) Communication, (ii) Sensors and (iii) Data Analysis. Wireless or physical communication is the vector through which many cyber-attacks will be perpetrated, as it acts as a gateway between external agents and the internal components. Sensors are important because they provide information about the CAV’s surrounding environment. If sensor information is unavailable or maliciously modified, the CAV may be manipulated into making harmful decisions. Finally, Data Analysis is important, as it influences the CAV’s autonomous actions.

6.3. The Need to Understand Trust-levels in All the Surfaces

Dominic et al. [7] recommended that defenders should not place too much trust in individual CAV components. If any single component is trusted, it can become the single point of failure that compromises the whole security of the system once it is compromised. Consequently, defenders should put redundant security resources in different parts to cross-check each other. However, when attackers manipulate more than one component, they may also be able to compromise the cross-check, eliminating a source of redundancy. Therefore, it is also important to understand trust levels properly in each component. Where there are inconsistencies between them, understanding of their trust-levels will decide which components are favoured when making security judgements.

6.4. Isolating Critical Subsystems

Depending on the applications and stakeholders’ interests, some components can be considered more critical than others. For instance, safety applications place more emphasis on driving functionalities, while privacy applications focus more on data-related components. Putting more security resources on these critical components will not be sufficient to secure them, given that connections between attack surfaces can bring unknown threats from other vulnerable surfaces, as shown in previous sections. Therefore, it is also important to isolate these critical parts from other vulnerable surfaces, or at least to create a secure shield around them by putting proper controls on their connections.

6.5. Considerations of Hardware and Software Security

In this reference architecture, we chose not to include the physical viewpoint and have only included a virtual implementation viewpoint, as full representations of both viewpoints increase the difficulty of performing a high-level security analysis of a CAV. However, it is important to consider the security of the hardware and software of these systems. An issue is that for vehicular systems the software is typically only accessible as a black box, as manufacturers are in general unwilling to supply the source code used for implementation. The same is typically true for the hardware of a CAV. This is why it can be useful to consider the system in terms of its functional components and their interactions. The high-level reference architecture presented in this work will be useful to initially describe the system, but a more detailed modelling language (such as SysML [74]) may be desirable when more details need to be specified. However, a reference architecture will be effective in highlighting the attacker’s path to achieve their goal and in pointing to the component or interaction in which to implement mitigations against this attack. Additionally, it can also be referred to in security verification when updating software or hardware of the system, which can happen frequently in a CAV’s life cycle.

6.6. Using the Reference Architecture to Mitigate Attacks

The reference architecture can provide an identification of which components and interactions are critical to the attacker reaching a goal. By analysing the generated attack trees, the component or interaction in which a mitigation is implemented can be justified. A common desire is to apply security controls to all potentially vulnerable components to minimise the attack surface. However, security resources are often limited; therefore, it is necessary to select which countermeasures are installed. The reference architecture can help to choose which mitigations to prioritise due to its ability to demonstrate the overall impact a mitigation will have. For example, the attack surfaces which lead to critical impacts should have the highest priority, while restricting surfaces which open the chance of attacking other surfaces is usually more efficient than restricting isolated attack surfaces.
The reference architecture can also be useful at the design phase of a system. For example, if security is vital, the designers should reduce the use of components that have a large attack surface (e.g., by replacing them with more secure components) or restrict access to vulnerable functionality that links to other critical functionality. Finally, in the long term, the reference architecture can help to manage the complexity of systems and attacks. For example, it can be used to visualise new vulnerabilities at a high level and to identify relevant mitigations when the system design changes.

7. Future Work

In this section two key areas in which the attack surface analysis needs to be developed further are discussed: (i) the automation of the evaluation of a system and (ii) how to understand the dynamically changing risks in different environments and scenarios.

7.1. Automated Analysis

In this work the reference architecture and the attack surface analysis have been performed manually. The important components, the interactions and the ways in which they can be attacked have been derived by analysing how CAVs operate and how they can be attacked. Alternatively, the reference architecture and the attack surface analysis could be automated. To achieve this the important components and their interactions would need to be manually identified. These interactions could be specified in terms of the kind of interaction they represent (for example the sort of data that is sent from one component to another). With this information the attack surface could be automatically explored using information about how an adversary could attack the system. This would permit attack trees to be automatically generated. However, not all attacks are likely to be interesting or feasible, so some manual pruning could be required.

7.2. Understanding Dynamic Risk

Risk analysis has become compulsory to understand and control potential system breaches and vulnerabilities [71]. Moreover, this analysis can also be used to rank the threats to help defenders deploy security resources most effectively in a mitigation plan. Although extensive research has been carried out on CAV risk analysis, there is little research which adequately tackles the dynamic risk that CAVs are facing. It is not sufficient to evaluate CAV risks only at a single point in time because, as a moving system, the CAV’s environment is changing constantly. As a result, risk assessments need updating to reflect new knowledge of environments and systems [75].
In the future, we plan to investigate factors that affect CAV risk assessment by answering when and what new assessments are needed and the most efficient way to manage dynamic risks. This research would be essential to help CAVs adapt quickly and more appropriately when operating in dynamic environments.

8. Conclusions

In this paper we have presented a reference architecture from a hybrid functional-communication viewpoint. This combined viewpoint allows easier attack surface analysis as the components and their interactions can be analysed from a single diagram. The reference architecture has been designed with four key sub-architectures: CAVs, the Edge, the Cloud and Devices & Peripherals. The latter three are key to understanding the attack surfaces of a CAV, because they present new attack vectors that have previously been hard to specify. Finally, two examples of how to instantiate the reference architecture and analyse the result have been presented, showing how new and existing attacks can be analysed using this reference architecture.

Author Contributions

Conceptualization, C.M.; Methodology, M.B., K.G. and A.T.L.; Formal Analysis, A.T.L.; Writing—Original Draft Preparation, M.B., K.G. and A.T.L.; Writing—Review & Editing, M.B., K.G., A.T.L., and C.M.; Visualization, M.B. and A.T.L.; Supervision, C.M.; Project Administration, C.M.; Funding Acquisition, C.M.

Funding

This work is supported by the Alan Turing Institute under EPSRC grant EP/N510129/1, the UK Hub for Cyber Security of the Internet of Things, PETRAS, under grant (EP/N02334X/1) and the ISLAND project under grant (TS/P012264/1).

Acknowledgments

The authors would like to thank Daniel Fowler for assistance proofreading this work.

Conflicts of Interest

The authors declare no conflict of interest. The funding sponsors had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results.

Abbreviations

The following abbreviations are used in this manuscript:
  • AD: Autonomous Driving
  • CAN: Controller Area Network
  • CAV: Connected and Autonomous Vehicles
  • DoS: Denial of Service
  • DDoS: Distributed Denial of Service
  • DSRC: Dedicated Short-Range Communications
  • ECU: Electronic Control Unit
  • GNSS: Global Navigation Satellite System (such as GPS, GLONASS, Galileo and BeiDou)
  • ITS: Intelligent Transport Systems
  • LIDAR: Light Detection and Ranging (detects object distance using light)
  • MiTM: Man-in-the-Middle
  • RCE: Remote Code Execution
  • RSU: Roadside Unit
  • TaaS: Theft as a Service
  • UAV: Unmanned Aerial Vehicle
  • USV: Unmanned Surface Vehicle

References

  1. GOV.UK. Winners of £51 Million Government Competition to Develop World-Leading Self-Driving Car Testing Infrastructure Unveiled. 2017. Available online: https://www.gov.uk/government/news/winners-of-51-million-government-competition-to-develop-world-leading-self-driving-car-testing-infrastructure-unveiled (accessed on 31 July 2018).
  2. Siegel, J.E.; Erb, D.C.; Sarma, S.E. A Survey of the Connected Vehicle Landscape—Architectures, Enabling Technologies, Applications, and Development Areas. IEEE Trans. Intell. Transp. Syst. 2018, 19, 2391–2406. [Google Scholar] [CrossRef]
  3. Hussain, R.; Zeadally, S. Autonomous Cars: Research Results, Issues, and Future Challenges. IEEE Commun. Surv. Tutorials 2019, 21, 1275–1313. [Google Scholar] [CrossRef]
  4. Hegde, R.; Mishra, G.; Gurumurthy, K.S. An Insight into the Hardware and Software Complexity of ECUs in Vehicles. In Advances in Computing and Information Technology; Wyld, D.C., Wozniak, M., Chaki, N., Meghanathan, N., Nagamalai, D., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; pp. 99–106. [Google Scholar]
  5. The Institution of Engineering and Technology; The Knowledge Transfer Network. Automotive Cyber Security: An IET/KTN Thought Leadership Review of Risk Perspectives for Connected Vehicles; Technical Report; The Institution of Engineering and Technology: London, UK, 2015. [Google Scholar]
  6. SAE. J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems; J3061_201601; SAE: Warrendale, PA, USA, 2016. [Google Scholar]
  7. Dominic, D.; Chhawri, S.; Eustice, R.M.; Ma, D.; Weimerskirch, A. Risk Assessment for Cooperative Automated Driving. In Proceedings of the CPS-SPC ’16 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy, Vienna, Austria; ACM: New York, NY, USA, 2016; pp. 47–58. [Google Scholar] [CrossRef]
  8. The Architecture Team. Architecture Reference for Cooperative and Intelligent Transportation. Version 8.3. 2019. Available online: https://local.iteris.com/arc-it/index.html (accessed on 20 November 2019).
  9. Sheehan, B.; Murphy, F.; Mullins, M.; Ryan, C. Connected and autonomous vehicles: A cyber-risk classification framework. Transp. Res. Part A Policy Pract. 2019, 124, 523–536. [Google Scholar] [CrossRef]
  10. Petit, J.; Stottelaar, B.; Feiri, M. Remote Attacks on Automated Vehicles Sensors: Experiments on Camera and LiDAR. In Proceedings of Black Hat Europe, Amsterdam, The Netherlands, 10–13 November 2015. [Google Scholar]
  11. Miller, C.; Valasek, C. Remote Exploitation of an Unaltered Passenger Vehicle. In Proceedings of Black Hat USA, Las Vegas, NV, USA, 1–6 August 2015. [Google Scholar]
  12. Parkinson, S.; Ward, P.; Wilson, K.; Miller, J. Cyber Threats Facing Autonomous and Connected Vehicles: Future Challenges. IEEE Trans. Intell. Transp. Syst. 2017, 18, 2898–2915. [Google Scholar] [CrossRef]
  13. Macher, G.; Höller, A.; Sporer, H.; Armengaud, E.; Kreiner, C. A Combined Safety-Hazards and Security-Threat Analysis Method for Automotive Systems. In Computer Safety, Reliability, and Security; Koornneef, F., van Gulijk, C., Eds.; Springer International Publishing: Cham, Switzerland, 2015; pp. 237–250. [Google Scholar]
  14. Luettel, T.; Himmelsbach, M.; Wuensche, H. Autonomous Ground Vehicles—Concepts and a Path to the Future. Proc. IEEE 2012, 100, 1831–1839. [Google Scholar] [CrossRef]
  15. Schneier, B. Secrets & Lies: Digital Security in a Networked World; John Wiley & Sons: Hoboken, NJ, USA, 2000. [Google Scholar]
  16. Alberts, C.J.; Dorofee, A. Managing Information Security Risks: The OCTAVE Approach; Addison-Wesley Longman Publishing Co., Inc.: Boston, MA, USA, 2002. [Google Scholar]
  17. UcedaVelez, T.; Morana, M.M. Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis; John Wiley & Sons: Hoboken, NJ, USA, 2015. [Google Scholar]
  18. McCarthy, C.; Harnett, K.; Carter, A. Characterization of Potential Security Threats in Modern Automobiles: A Composite Modeling Approach; Technical Report DOT HS 812 074; National Highway Traffic Safety Administration: Washington, DC, USA, 2014.
  19. Taxonomy and Definitions for Terms Related to On-Road Motor Vehicle Automated Driving Systems. Standard J3016_201401; SAE: Warrendale, PA, USA, 2018.
  20. Bartels, A.; Eberle, U.; Knapp, A. System Classification and Glossary; Technical Report D2.1; Automated Driving Applications and Technologies for Intelligent Vehicles (AdaptIVe): Wolfsburg, Germany, 2015. [Google Scholar]
  21. Koscher, K.; Czeskis, A.; Roesner, F.; Patel, S.; Kohno, T.; Checkoway, S.; McCoy, D.; Kantor, B.; Anderson, D.; Shacham, H.; et al. Experimental Security Analysis of a Modern Automobile. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 22–25 May 2010; pp. 447–462. [Google Scholar] [CrossRef]
  22. Foster, I.; Prudhomme, A.; Koscher, K.; Savage, S. Fast and Vulnerable: A Story of Telematic Failures. In Proceedings of the 9th USENIX Workshop on Offensive Technologies (WOOT 15), Washington, DC, USA, 10–11 August 2015; USENIX Association: Berkeley, CA, USA, 2015. [Google Scholar]
  23. Petit, J.; Shladover, S.E. Potential Cyberattacks on Automated Vehicles. IEEE Trans. Intell. Transp. Syst. 2015, 16, 546–556. [Google Scholar] [CrossRef]
  24. Cloutier, R.; Muller, G.; Verma, D.; Nilchiani, R.; Hole, E.; Bone, M. The Concept of Reference Architectures. Syst. Eng. 2010, 13, 14–27. [Google Scholar] [CrossRef]
  25. Reference Architecture for Space Data Systems. Recommended Practice 311.0-M-1; Consultative Committee for Space Data Systems (CCSDS): Washington, DC, USA, 2008.
  26. Lin, S.W.; Miller, B.; Durand, J.; Bleakley, G.; Chigani, A.; Martin, R.; Murphy, B.; Crawford, M. The Industrial Internet of Things Volume G1: Reference Architecture; Technical Report IIC:PUB:G1:V1.80:20170131; Industrial Internet Consortium: Needham, MA, USA, 2017. [Google Scholar]
  27. CEN-CENELEC-ETSI Smart Grid Coordination Group. Smart Grid Reference Architecture; Technical Report; ETSI: Valbonne, France, 2012; Version 3. [Google Scholar]
  28. Behere, S.; Törngren, M. A functional reference architecture for autonomous driving. Inf. Softw. Technol. 2016, 73, 136–150. [Google Scholar] [CrossRef]
  29. Osório, A.L.; Afsarmanesh, H.; Camarinha-Matos, L.M. Towards a Reference Architecture for a Collaborative Intelligent Transport System Infrastructure. In Collaborative Networks for a Sustainable World; Camarinha-Matos, L.M., Boucher, X., Afsarmanesh, H., Eds.; Springer: Berlin/Heidelberg, Germany, 2010; pp. 469–477. [Google Scholar]
  30. United States Department of Transportation. Functional. Version 8.3. 2019. Available online: https://local.iteris.com/arc-it/html/viewpoints/functional.html (accessed on 20 November 2019).
  31. United States Department of Transportation. Communications. Version 8.3. 2019. Available online: https://local.iteris.com/arc-it/html/viewpoints/communications.html (accessed on 20 November 2019).
  32. Stevens, A.; Dianati, M.; Katsaros, K.; Han, C.; Fallah, S.; Maple, C.; McCullough, F.; Mouzakitis, A. Cooperative automation through the cloud: The CARMA project. In Proceedings of the 12th ITS European Congress, Strasbourg, France, 19–22 June 2017. [Google Scholar]
  33. Sheik, A.T.; Maple, C. Soft Security Challenges for Cloud-Assisted Connected and Autonomous Vehicles. In Proceedings of the Living in the Internet of Things: Cybersecurity of the IoT, London, UK, 1–2 May 2019; pp. 1–10. [Google Scholar] [CrossRef]
  34. Passchier, I.; van Sambeek, M. Architecture for C-ITS Applications in The Netherlands. Technical Report, Dutch Round Tables for Smart Mobility. Version 1.00. 2016. Available online: https://smartmobilitycommunity.eu/sites/default/files/AI_CITSArchitectureNL_v1.00.pdf (accessed on 20 November 2019).
  35. Heise, C.D. Architecture Reference of ITS in the USA. In Intelligent Transport Systems; Wiley-Blackwell: Hoboken, NJ, USA, 2015; Chapter 2; pp. 18–35. [Google Scholar] [CrossRef]
  36. Begoña, M.; Sergio, C.; Iñaki, O.I.; Isabel, T.A. Reference ITS Architectures in Europe. In Intelligent Transport Systems; Wiley-Blackwell: Hoboken, NJ, USA, 2015; Chapter 1; pp. 1–17. [Google Scholar] [CrossRef]
  37. Puñal, O.; Aguiar, A.; Gross, J. In VANETs We Trust?: Characterizing RF Jamming in Vehicular Networks. In Proceedings of the Ninth ACM International Workshop on Vehicular Inter-Networking, Systems, and Applications, VANET ’12, Low Wood Bay, Lake District, UK; ACM: New York, NY, USA, 2012; pp. 83–92. [Google Scholar] [CrossRef]
  38. Davis, A. Broadcasting Your Attack: Security Testing DAB Radio in Cars; Black Hat USA, Las Vegas, Nevada, USA; Black Hat: San Francisco, CA, USA, 2015. [Google Scholar]
  39. Sampigethaya, K.; Li, M.; Huang, L.; Poovendran, R. AMOEBA: Robust Location Privacy Scheme for VANET. IEEE J. Sel. Areas Commun. 2007, 25, 1569–1589. [Google Scholar] [CrossRef]
  40. Gu, P.; Khatoun, R.; Begriche, Y.; Serhrouchni, A. Vehicle Driving Pattern Based Sybil Attack Detection. In Proceedings of the 2016 IEEE 14th International Conference on Smart City, Sydney, Australia, 12–14 December 2016; pp. 1282–1288. [Google Scholar] [CrossRef]
  41. Xu, W.; Wegner, M.; Wolf, L.; Kapitza, R. Byzantine Agreement Service for Cooperative Wireless Embedded Systems. In Proceedings of the 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), Denver, CO, USA, 26–29 June 2017; pp. 10–15. [Google Scholar] [CrossRef]
  42. Francillon, A.; Danev, B.; Capkun, S. Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars. In Proceedings of the Network and Distributed System Security (NDSS) Symposium, San Diego, CA, USA, 6–9 February 2011. [Google Scholar]
  43. Currie, R. Hacking the CAN Bus: Basic Manipulation of a Modern Automobile through CAN Bus Reverse Engineering; Technical Report; SANS Institute: North Bethesda, MD, USA, 2017. [Google Scholar]
  44. USB Kill. Available online: https://usbkill.com (accessed on 21 June 2018).
  45. Nie, S.; Liu, L.; Du, Y. Free-Fall: Hacking Tesla from Wireless to CAN Bus. In Proceedings of Black Hat USA, Las Vegas, Nevada, USA, 26–27 July 2017; Black Hat: San Francisco, CA, USA, 2017. [Google Scholar]
  46. Evenchick, E. Hopping on the CAN Bus. In Black Hat Asia, Singapore, 24–27 March 2015; Black Hat: San Francisco, CA, USA, 2015. [Google Scholar]
  47. Munir, A.; Koushanfar, F. Design and Analysis of Secure and Dependable Automotive CPS: A Steer-by-Wire Case Study. IEEE Trans. Dependable Secur. Comput. 2018. [Google Scholar] [CrossRef]
  48. Rouf, I.; Miller, R.; Mustafa, H.; Taylor, T.; Oh, S.; Xu, W.; Gruteser, M.; Trappe, W.; Seskar, I. Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study. In Proceedings of the 19th USENIX Conference on Security, USENIX Security’10, Washington, DC, USA, 10–13 August 2010; USENIX Association: Berkeley, CA, USA, 2010; p. 21. [Google Scholar]
  49. Papernot, N.; McDaniel, P.; Sinha, A.; Wellman, M. SoK: Security and Privacy in Machine Learning. In Proceedings of the 3rd IEEE European Symposium on Security and Privacy, London, UK, 24–26 April 2018. [Google Scholar] [CrossRef]
  50. GPS.gov. GPS Standard Positioning Service (SPS) Performance Standard, 4th ed.; US Department of Defense: Washington, DC, USA, 2008. [Google Scholar]
  51. Athalye, A.; Engstrom, L.; Ilyas, A.; Kwok, K. Synthesizing Robust Adversarial Examples. In Proceedings of the 35th International Conference on Machine Learning (ICML 2018), Stockholmsmässan, Stockholm, Sweden, 10–15 July 2018. [Google Scholar]
  52. Golson, J. Tesla Driver Killed in Crash with Autopilot Active, NHTSA Investigating. 2016. Available online: https://www.theverge.com/2016/6/30/12072408/tesla-autopilot-car-crash-death-autonomous-model-s (accessed on 31 July 2018).
  53. Sasiadek, J.Z.; Hartana, P. Sensor data fusion using Kalman filter. In Proceedings of the Third International Conference on Information Fusion, Paris, France, 10–13 July 2000; Volume 2. [Google Scholar] [CrossRef]
  54. Ivanov, R.; Pajic, M.; Lee, I. Attack-Resilient Sensor Fusion for Safety-Critical Cyber-Physical Systems. ACM Trans. Embed. Comput. Syst. 2016, 15, 21:1–21:24. [Google Scholar] [CrossRef]
  55. Davidson, D.; Wu, H.; Jellinek, R.; Singh, V.; Ristenpart, T. Controlling Guided with Sensor Input Spoofing Attacks. In Proceedings of the 10th USENIX Workshop switch Attacks Technologies (WOOT 16), Austin, TX, USA, 8–9 August 2016; USENIX Company: Berkeley, A, USA, 2016. [Google Scholar]
  56. Checkoway, S.; McCoy, D.; Kantor, B.; Anderson, D.; Shacham, H.; Savage, S.; Koscher, K.; Czeskis, A.; Roesner, F.; Kohno, T. Comprehensive Optional Analyses of Automotive Attack Surfaces. In Course of the 20th USENIX Conference on Security, SEC’11, San Francisco, CA, USA, 8–12 August 2011; USENIX Association: Berkeley, CA, USA, 2011; p. 6. [Google Scholar]
  57. Woo, S.; Jo, H.J.; Lee, D.H. A Practical Wirelessly Attack set And Connected Car and Security Protocol available In-Vehicle Can. IEEE Trans. Intell. Transp. Syst. 2015, 16, 993–1006. [Google Scholar] [CrossRef]
  58. Kikuchi, H.; Yokomizo, T. Location Privacy Vulnerable From Bluetooth Devices. In Proceedings of and 16th Multinational Press on Network-Based Request Systems, Gwangju, Korea, 4–6 September 2013; pp. 534–538. [Google Scholar] [CrossRef]
  59. Fagan Apps. Available online: http://www.volkswagen.co.uk/about-us/innovation/mobile-apps (accessed on 21 June 2018).
  60. Li, Z.; Pei, Q.; Markwood, I.; Liu, Y.; Pan, M.; Lift, H. Location Privacy Violation Overlay Gps-agnostic Bright Phone Vehicle Tracking. IEEE Trans. Veh. Technol. 2018, 67, 5042–5053. [Google Researcher] [CrossRef]
  61. Cunche, M. I Know Your Mac Address: Targeting Location of Individual Utilizing Wi-Fi. J. Comput. Virol. Hacking Tech. 2014, 10, 219–227. [Google Scholar] [CrossRef]
  62. Gañán, C.; Loo, J.; Ghosh, A.; Esparza, O.; Reñé, S.; Muñoz, J.L. Examination of Inter-RSU Beaconing Interference in Vanets. In Multiple Zutritt Messaging; Bellalta, B., Vinel, A., Jonsson, M., Barcelo, J., Maslennikov, R., Chatzimisios, P., Masonry, D., Eds.; Springer: Berlin/Heidelberg, Germay, 2012; pp. 49–59. [Google Scholar]
  63. Fielding, R.T. Architectural Art and the Design of Network-Based Software Architectures. Ph.D. Thesis, University of California, Irvine, CANCER, USA, 2000. [Google Scholarships]
  64. Liu, F.; Tong, J.; Mao, J.; Bohn, R.; Messina, J.; Badger, L.; Print, D. NIST cloud calculators reference construction. NIST Spec. Publ. 2011, 500, 1–28. [Google Scholar]
  65. Juliadotter, N.V.; Choo, K.R. Becloud Attack and Hazard Assessment Taxonomy. IEEE Cloud Comput. 2015, 2, 14–20. [Google Scholar] [CrossRef]
  66. Alhebaishi, N.; Wang, L.; Jajodia, S.; Singhal, A. Threat Modeling for Obscure Data Center Infrastructures. In Bases and Practice of Security; Cuppens, F., Wang, L., Cuppens-Boulahia, N., Tawbi, N., Garcia-Alfaro, J., Eds.; Jumps International Releasing: Cham, Switzerland, 2017; pp. 302–319. [Google Scholar]
  67. Mansfield-Devine, S. The growth and evolution of DDoS. Netw. Secur. 2015, 2015, 13–20. [Google Scholar] [CrossRef]
  68. Duncan, A.J.; Creese, S.; Goldsmith, M. Insider Attacks In Cloud Computing. For Proceedings of the 2012 IEEE 11th International Conference On Trust, Security and Privacy in Computing and Communications, Liverpool, UK, 25–27 July 2012; papers. 857–862. [Google Scholar] [CrossRef]
  69. Bertino, E.; Loch, D.; Jiang, TUNGSTEN. A Survey is Quantify of Secrecy Preserving Data Mining Calculation. In Privacy-Preserving Data Mining: Our and Algorithms; Aggarwal, C.C., Yu, P.S., Eds.; Springer US: Boom, MA, USA, 2008; pp. 183–205. [Google Scholar] [CrossRef]
  70. Henniger, O.; Apvrille, L.; Fuchs, A.; Roudier, Y.; Ruddle, A.; Weyl, B. Protection requirements for automotive on-board netze. Are Proceedings of the 9th IEEE Multinational Conference turn Intelligent Transfer Systems Telecommunications (ITST), Lille, France, 20–22 October 2009; pp. 641–646. [Google Researcher]
  71. Boudguiga, A.; Boulanger, A.; Cheetonia, P.; Klaudel, W.; Labiod, H.; Seguy, J.C. RACE: Risk research for cooperative tools. In Proceedings of the 7th IEEE Foreign Conference on New Products, Mobility and Security (NTMS), Paris, Fra, 27–29 July 2015; pp. 1–5. [Google Scholarship]
  72. Monteuuis, J.P.; Boudguiga, A.; Cheung, J.; Labiod, H.; Servel, A.; Urien, P. JANE: Security Automotive Risk Analysis Manner. In Proceedings of the 4th ACM Tool on Cyber-Physical System Security, Incheon, Republic of Korea; CPSS ’18; ACM: New York, NJ, USA, 2018; pp. 3–14. [Google Scholar] [CrossRef]
  73. Rosenquist, M. Prioritizing Information Security Risks with Threat Agent Risk Assessment; White paper; Intel Corporation: Santa Clara, CA, USA, 2009. [Google Scholar]
  74. Object Management Group. OMG Systems Modeling Language; Version 1.5; Object Management User: Needham, MA, USA, 2017. [Google Scholar]
  75. Zio, E. The past of risk assessment. Reliab. Eng. Syst. Saf. 2018, 177, 176–190. [Google Scholar] [CrossRef] [Callow Version]
Figure 1. CAV and Devices & Peripherals Reference Architecture (Hybrid Functional-Interaction viewpoint).
Figure 2. Edge Reference Architecture (Hybrid Functional-Interaction viewpoint).
Figure 3. Cloud Reference Architecture (Hybrid Functional-Interaction viewpoint).
Figure 4. The process of analysing an attack goal when performing an attack surface analysis.
Figure 5. Valet Parking: Vehicle and Devices Instantiation.
Figure 6. Valet Parking: Edge and Cloud Instantiation. (a) Edge; (b) Cloud.
Figure 7. Attack Tree for Valet Parking Example that highlights multiple ways in which an attacker can reach its goal.
Figure 8. Tesla Exploit: Vehicle and Devices Instantiation.
Figure 9. Tesla Exploit: Edge and Cloud Instantiation. (a) Edge; (b) Cloud.
Figure 10. Attack Tree for Tesla Example that highlights a sequential attack for the attacker to reach its goal.
Table 1. Levels of Vehicular Autonomy [19] from no autonomy (where the driver is in full control of the vehicle) at level 0 to level 5 where the vehicle is in full control.

| Level | Name | Description | Example |
|---|---|---|---|
| 0 | None | The human driver is in full control. | Anti-lock Braking System |
| 1 | Driver Assistance | The human driver is assisted by a driver assistance system of steering or acceleration/deceleration using information about the driving environment. The human performs all other tasks. | Cruise Control |
| 2 | Partial | The human driver is assisted by one or more driver assistance systems of both steering and acceleration/deceleration using information about the driving environment. The human performs all other tasks. | Lane Centring |
| 3 | Conditional | The autonomous vehicle controls all aspects of driving, with the expectation that the human driver will respond appropriately to a request to intervene. | Traffic Jam Chauffeur [20] |
| 4 | High | The autonomous vehicle controls all aspects of driving, even if a human driver does not respond appropriately to a request to intervene. | Driverless Valet Parking [20] |
| 5 | Full | The autonomous vehicle is in full control and no human input related to driving is expected. | Driverless Cars |
Table 2. Summary of connected and autonomous vehicle (CAV) Reference Architectures where the purpose, viewpoints used and the components are identified with a tick if included or a cross if not included.

Columns: Reference Architecture | Analysis (Attack, Risk) | Viewpoint (Functional, Communication, Implementation, Enterprise, Usage, Information, Physical) | Considers (CAV, Devices, Edge, Cloud). The per-cell tick and cross marks were not preserved; only the rows survive:

| Reference Architecture |
|---|
| Behere and Törngren [28] |
| Osório et al. [29] |
| Dominic et al. [7] |
| The Architecture Team [8] |
| Passchier and van Sambeek [34] |
| Heise [35] |
| Begoña et al. [36] |
| This Work (~) |
Table 3. Attack Tree Analysis for Driverless Valet Parking Use Case with example threat actors and their goals.

| TA | Goal(s) | Attacked Functions | Attack Surfaces | Detailed Attacks on Assets |
|---|---|---|---|---|
| Thief | Steal the CAV | F1 Stop the CAV at a location that is convenient to the thief | Sensors that are responsible for stopping the CAV in incidents; OR Edge (can ask the CAV to stop) | A12 or A22 |
| | | F2 Mislead the CAV to a false location by distorting the route | Cloud (giving a false map); OR Edge (giving a false location); OR GNSS sensor (responsible for location sensing) | A21 or A11 or A23 or A24 |
| | | F3 Control the CAV: compromise and command it to go to a false location | Edge (giving a false command); OR direct control of the CAV | A31 or A32 |
| Hacktivist | Manipulate the CAV operation | F1 Stop the CAV | (See Thief analysis) | (See Thief analysis) |
| | | F2 Mislead the CAV | (See Thief analysis) | (See Thief analysis) |
| | | F3 Control the CAV | (See Thief analysis) | (See Thief analysis) |
| | | F4 Track the CAV | Cloud (storing location information of the CAV) | A41 |
| Terrorist | G1 Manipulate the CAV function to create an accident or damage | G1-F1 Stop the CAV | (See Thief analysis) | (See Thief analysis) |
| | | G1-F2 Mislead the CAV | (See Thief analysis) | (See Thief analysis) |
| | | G1-F3 Control the CAV | (See Thief analysis) | (See Thief analysis) |
| | G2 Interfere with the station operation | G2-F5 Stop parking management services | Cloud; OR Edge | F5: A21 or A25 |
Table 4. Attack Tree Analysis for Tesla Use Case with example threat actors and their goals.

| TA | Goal(s) | Attacked Functions | Attack Surfaces | Detailed Attacks on Assets |
|---|---|---|---|---|
| Hacktivist | HG: to control the CAV components (e.g., IC, Parrot, Gateway) remotely | HF1: get shell access | AS-HF1: IC, Parrot, Gateway | A-HF1: A43 or A42 or A41 |
| | | HF1.1: crush firmware | AS-HF1.1: Linux Kernel, Browser | A-HF1.1: A22 |
| | | HF1.1.1: take firmware address | AS-HF1.1.1: My | A-HF1.1.1: A21 |
| | | HF1.1.2: redirect the user to a fake domain | AS-HF1.1.2: Internet, WiFi | A-HF1.1.2: A11 or A12 or A13 |
| | | HF2: get root privileges | AS-HF2: Linux Kernel | A-HF2: A31 |
| | | HF2.1: disable the security app | AS-HF2.1: Linux Kernel | A-HF2.1: A32 |
| Terrorist | TG: to create a high safety impact attack with the autonomous vehicle. TG1: to drive the CAV remotely. TG2: to monitor the CAV until an environment is found where it can create a high safety impact (e.g., involving many people) | TG1: See attack function analysis in HG | See attack surfaces for HG | See attacks for HG |
| | | TG2: TF-TG2: to track the CAV and its operating environment | AS-TF2: See similar analysis in the valet parking example | TG2: See similar analysis in the valet parking example |
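The two tables differ in tree shape: the valet parking goal (Table 3, Figure 7) is reached through alternative functions, each with alternative asset-level attacks, while the Tesla goal (Table 4, Figure 10) is a sequence of steps that must all succeed. The added Python example below (written for this page, not code from the paper or its authors) encodes both goals as attack trees using the A-labels from the tables and computes their minimal cut sets, which is what a defender needs to decide whether mitigating a given asset attack blocks the goal. Modelling the Tesla chain as a strict AND of its steps is an assumption taken from the caption of Figure 10; the tree structure of the Thief goal is taken directly from the rows of Table 3.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Set


@dataclass
class Node:
    """One attack-tree node: a leaf attack on an asset, or an OR/AND gate over children."""
    name: str
    gate: str = "LEAF"          # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    children: List["Node"] = field(default_factory=list)


def leaf(name: str) -> Node:
    return Node(name)


def any_of(name: str, *children: Node) -> Node:
    return Node(name, "OR", list(children))


def all_of(name: str, *children: Node) -> Node:
    return Node(name, "AND", list(children))


def _minimise(sets: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    # Drop any set that strictly contains another set; only minimal cut sets are kept.
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Minimal combinations of leaf attacks that achieve `node`."""
    if node.gate == "LEAF":
        return {frozenset([node.name])}
    child_sets = [cut_sets(c) for c in node.children]
    if node.gate == "OR":
        combined = set().union(*child_sets)
    elif node.gate == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {node.gate!r}")
    return _minimise(combined)


def is_blocked(root: Node, mitigated: Set[str]) -> bool:
    """True when every minimal cut set contains at least one mitigated leaf attack."""
    return all(cs & mitigated for cs in cut_sets(root))


def leaf_coverage(root: Node) -> Dict[str, int]:
    """How many minimal cut sets each leaf attack takes part in (higher = more valuable to mitigate)."""
    counts: Dict[str, int] = {}
    for cs in cut_sets(root):
        for name in cs:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Thief goal from Table 3: alternative functions F1..F3, each with alternative asset attacks.
THIEF = any_of(
    "Steal the CAV",
    any_of("F1 Stop the CAV", leaf("A12"), leaf("A22")),
    any_of("F2 Mislead the CAV", leaf("A21"), leaf("A11"), leaf("A23"), leaf("A24")),
    any_of("F3 Control the CAV", leaf("A31"), leaf("A32")),
)

# Hacktivist goal from Table 4, modelled as a chain where every step is required
# (assumption: the sequential attack described for Figure 10 is a strict AND).
HACKTIVIST = all_of(
    "HG control CAV components remotely",
    leaf("A21"),                                                            # HF1.1.1
    any_of("HF1.1.2 redirect to fake domain", leaf("A11"), leaf("A12"), leaf("A13")),
    leaf("A22"),                                                            # HF1.1
    any_of("HF1 get shell access", leaf("A43"), leaf("A42"), leaf("A41")),
    leaf("A31"),                                                            # HF2
    leaf("A32"),                                                            # HF2.1
)


if __name__ == "__main__":
    print(len(cut_sets(THIEF)), "independent ways to reach the Thief goal")
    print(len(cut_sets(HACKTIVIST)), "step combinations for the Hacktivist chain")
    print("A31 mitigated alone blocks the Thief goal:", is_blocked(THIEF, {"A31"}))
    print("A31 mitigated alone blocks the Hacktivist chain:", is_blocked(HACKTIVIST, {"A31"}))
```

The contrast the two trees produce is the practical point of the tables: for the parallel Thief tree, mitigating one asset attack removes one path and leaves the rest, so every leaf must be covered, whereas for the sequential Hacktivist chain a single mitigated step (here A31, the root-privilege step) appears in every cut set and blocks the whole goal.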

Share and Cite

Maple, C.; Bradbury, M.; Le, A.T.; Ghirardello, K. A Connected and Autonomous Vehicle Reference Architecture for Attack Surface Analysis. Appl. Sci. 2019, 9, 5101. https://doi.org/10.3390/app9235101