A Comparative Study of JASO TP15002-Based Security Risk Assessment Methods for Connected Vehicle System Design

In recent years, much attention has been paid to autonomous vehicles and security threats on such vehicles have become an important issue. One of these examples is a command injection issue on a gateway ECU, which was reported in 2016. In order to mitigate these threats, the secure design of connected vehicle systems, which is done at the concept phase during development, has become increasingly important in industry. From this perspective, a security guideline such as JASO TP15002 which specifies two concrete methods, CRSS (CVSS Based Risk Scoring System) and RSMA (Risk Scoring Methodology for Automotive System), was made public in 2015. The latest work on the application of TP15002 to the ITU-T X.1373 standard was published in 2017. However, the risk assessment in this publication seems limited. It is not clear from this publication how systematically the risk assessment task in TP15002 can be performed at the implementation level. Another interesting question is how different methods affect the risk scores of connected vehicle systems. In this paper, we focus on the risk assessment phase in JASO TP15002. For a systematic risk assessment, we introduce an idea of asset container and propose to extend CRSS to a novel RSS (Risk Scoring System), RSS-CVSSv3, by appropriately replacing CVSSv2 vulnerability scoring system on which CRSS is based with CVSSv3. To address the above questions, we perform a comparative study on CRSS, RSMA, and RSS-CVSSv3 for multiple use cases such as a CGW (Central Gateway) and a drone, to examine the efficiency and usefulness of our methods. For this comparative purpose, we devise an interesting approach for the refinement of RSMA to the obstacles in comparing CRSS with RSMA