
    Towards a Framework for Alignment Between Automotive Safety and Security Standards

    Modern automotive systems increasingly rely on software and network connectivity for new functions and features. Security of the software and communications of the on-board system of systems becomes a critical concern for the safety of new generation vehicles. Besides methods and tools, safety and security of automotive systems require frameworks of standards for a holistic process and assurance. As a part of our ongoing work, this paper investigates the possibility of a combined safety and security approach to standards in the automotive domain. We examine existing approaches in the railway and avionics domains with similar challenges and identify specific requirements for the automotive domain. We evaluate ISO 15408 as a potential candidate for a combined safety and security approach complementing the automotive safety standard ISO 26262, and discuss their points of alignment.

    Towards a Model-driven Performance Prediction Approach for Internet of Things Architectures

    Indisputably, security and interoperability are major concerns in Internet of Things (IoT) architectures and applications. In this paper, however, we emphasize the role and importance of performance and scalability as additional, crucial aspects in planning and building sustainable IoT solutions. IoT architectures are complicated systems-of-systems that include different developer roles, development processes, organizational units, and multilateral governance. Their performance is often neglected during development but becomes a major concern at the end of development and results in supplemental efforts, costs, and refactoring. One should not rely on such systems scaling linearly merely because up-to-date technologies that may promote such behaviour are used. Furthermore, different security or interoperability choices also have a considerable impact on performance and may result in unforeseen trade-offs. Therefore, we propose and pursue the vision of a model-driven approach to predict and evaluate the performance of IoT architectures early in the system lifecycle in order to guarantee efficient and scalable systems reaching from sensors to business applications.

    Towards a Standardised Framework for Securing Connected Vehicles

    Vehicular security was long limited to physical security, to prevent theft. However, the trend of adding more comfort functions and delegating advanced driving tasks back to the vehicle increased the magnitude of attacks, making cybersecurity unavoidable. Attackers only need to find one vulnerability in the myriad of electronic control units (ECUs) and communication technologies used in a vehicle to compromise its functions. Vehicles might also be attacked by their owners, who want to modify or even disable certain vehicle functions. Many different parties are involved in the development of such a complex system, as the functions are distributed over more than 100 ECUs, making it difficult to get an overall picture of the achieved security. Therefore, moving towards a standardised security framework tailored for the automotive domain is necessary. In this thesis we study various safety and security standards and proposed frameworks from different industrial domains with respect to their way of classifying demands in the form of levels and their methods to derive requirements. In our proposed framework, we suggest security levels appropriate for automotive systems and continue with a mapping between these security levels and identified security mechanisms and design rules to provide basic security. We further study in detail a mechanism which provides freshness to authenticated messages, namely AUTOSAR SecOC Profile 3, and present a novel extension that offers faster synchronisation between ECUs and reduces the number of messages required for synchronisation.

    Open Problems when Mapping Automotive Security Levels to System Requirements

    Securing the vehicle has become an important matter in the automotive industry. Vehicle communication is increasing tremendously: vehicles communicate with each other and with the infrastructure, they will be remotely diagnosed, and they provide users with third-party applications. Given these areas of application, it is evident that a security standard for the automotive domain that considers security from the beginning of the development phase to the operational and maintenance phases is needed. Proposed security models in the automotive domain describe how to derive different security levels that indicate the demand on security, but do not further provide methods that map these levels to predefined system requirements or security mechanisms. We continue at this point and describe open problems that need to be addressed in a prospective security framework for the automotive domain. Based on a study of several safety and security standards from other areas as well as suggested automotive security models, we propose an appropriate representation of security levels which is similar to, and will work in parallel with, traditional safety levels, and a method to perform the mapping to a set of predefined system requirements, design rules and security mechanisms.

    Employing Digital Twins for Security-by-Design System Testing

    Ever since cyber attacks began to target industrial and critical infrastructure settings, awareness of the security issues of these systems has increased. These industrial control systems (ICS) mainly focus on operation and availability, instead of providing general security features. Moreover, the current Industry 4.0 movement aggravates this security gap by connecting the ICS to the enterprise network, which makes these systems easier to target. Proper system testing can reveal a system's vulnerabilities and provide remedies. However, security measures are usually neglected or addressed only after an incident has emerged, which results in high costs. To maximize the benefit of system testing, we argue that it should be carried out as early as possible, especially to render systems secure-by-design. In this work, we propose an approach for introducing security-by-design system testing through the application of a digital twin. A digital twin is able to represent a system virtually along its lifecycle. To enable security-by-design, the simulation capability of the digital twin is harnessed to create a prospective environment of a planned system. This allows vulnerabilities to be detected before they can emerge in the real world, and an adequate risk strategy to be provided. Our work shows how security-by-design system testing is anchored in the security applications along a system's lifecycle. Next to proposing a security-by-design system testing approach with digital twins, we implement a digital twin representing a pressure vessel and demonstrate how to carry out each step of our proposed approach. During this proof-of-concept, we identify vulnerabilities and show how an attacker can compromise the system by manipulating values of the pressure vessel, with the potential to cause over-pressure, which in turn can result in an explosion of the vessel.

    A Catalog of Reusable Design Decisions for Developing UML/MOF-based Domain-specific Modeling Languages

    In model-driven development (MDD), domain-specific modeling languages (DSMLs) act as a communication vehicle for aligning the requirements of domain experts with the needs of software engineers. With the rise of the UML as a de facto standard, UML/MOF-based DSMLs are now widely used for MDD. This paper documents design decisions collected from 90 UML/MOF-based DSML projects. These recurring design decisions were gained, on the one hand, by performing a systematic literature review (SLR) on the development of UML/MOF-based DSMLs. Via the SLR, we retrieved 80 related DSML projects for review. On the other hand, we collected decisions from ten DSML projects we developed ourselves. The design decisions are presented in the form of reusable decision records, with each decision record corresponding to a decision point in DSML development processes. Furthermore, we also report on frequently observed (combinations of) decision options as well as on associations between options which may occur within a single decision point or between two decision points. This collection of decision-record documents targets decision makers in DSML development (e.g., DSML engineers, software architects, domain experts). Series: Technical Reports / Institute for Information Systems and New Media.

    On the Secure and Resilient Design of Connected Vehicles: Methods and Guidelines

    Vehicles have come a long way from being purely mechanical systems to systems that consist of an internal network of more than 100 microcontrollers and that communicate with external entities, such as other vehicles, road infrastructure, the manufacturer's cloud and external applications. The combination of resource constraints, safety-criticality, a large attack surface and the fact that millions of people own and use them each day makes securing vehicles particularly challenging, as security practices and methods need to be tailored to meet these requirements. This thesis investigates how security demands should be structured to ease discussions and collaboration between the involved parties, and how requirements engineering can be accelerated by introducing generic security requirements. Practitioners are also assisted in choosing appropriate techniques for securing vehicles by identifying and categorising security and resilience techniques suitable for automotive systems. Furthermore, three specific mechanisms for securing automotive systems and providing resilience are designed and evaluated. The first part focuses on cyber security requirements and the identification of suitable techniques based on three different approaches, namely (i) providing a mapping to security levels based on a review of existing security standards and recommendations; (ii) proposing a taxonomy for resilience techniques based on a literature review; and (iii) combining security and resilience techniques to protect automotive assets that have been subject to attacks. The second part presents the design and evaluation of three techniques. First, an extension of an existing freshness mechanism to protect in-vehicle communication against replay attacks is presented and evaluated. Second, a trust model for Vehicle-to-Vehicle communication is developed with respect to cyber resilience, to allow a vehicle to include trust in neighbouring vehicles in its decision-making processes. Third, a framework is presented that enables vehicle manufacturers to protect their fleet by detecting anomalies and security attacks using vehicle trust and the data available in the cloud.
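    The freshness mechanism referred to in the two theses above (AUTOSAR SecOC, with a truncated freshness value and a truncated MAC appended to each PDU) is easiest to understand from a small model. The following is an added example written for this page, not code from either thesis or from AUTOSAR: the truncation widths (4 freshness bits, 28 MAC bits), the 16-bit PDU id, the message layout and the use of HMAC-SHA256 in place of the CMAC-AES-128 a real ECU would use are all assumptions chosen for illustration. The receiver reconstructs the full counter from its last accepted value and the transmitted low bits, verifies the MAC over the reconstructed value, and so rejects replays, stale reorderings and tampered payloads; it also shows the limitation that motivates the synchronisation extension, namely that once more messages are lost than the truncated freshness window can express, reconstruction fails and genuine messages are dropped until the ECUs resynchronise.

```python
"""
Replay-protected message authentication in the style of AUTOSAR SecOC.
Sender attaches (truncated freshness value, truncated MAC) to each payload;
receiver rebuilds the full freshness value from its own counter and checks
the MAC over (PDU id || payload || full freshness value).
All widths and the HMAC stand-in are assumptions for this example.
"""
import hashlib
import hmac
import struct

FV_BITS = 4      # freshness bits actually transmitted on the bus (assumption)
MAC_BITS = 28    # MAC bits actually transmitted on the bus (assumption)


def compute_mac(key: bytes, pdu_id: int, payload: bytes, freshness: int) -> int:
    """MAC over (16-bit PDU id || payload || 64-bit full freshness), truncated to MAC_BITS.
    HMAC-SHA256 stands in for CMAC-AES-128 because the standard library has no CMAC."""
    data = struct.pack(">H", pdu_id) + payload + struct.pack(">Q", freshness)
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - MAC_BITS)


class Sender:
    def __init__(self, key: bytes, pdu_id: int):
        self.key, self.pdu_id, self.counter = key, pdu_id, 0

    def send(self, payload: bytes):
        """Increment the full counter, MAC over it, and transmit only its low FV_BITS."""
        self.counter += 1
        tag = compute_mac(self.key, self.pdu_id, payload, self.counter)
        trunc_fv = self.counter & ((1 << FV_BITS) - 1)
        return (self.pdu_id, payload, trunc_fv, tag)


class Receiver:
    def __init__(self, key: bytes, pdu_id: int):
        self.key, self.pdu_id, self.last_fv = key, pdu_id, 0

    def _reconstruct(self, trunc_fv: int) -> int:
        """Smallest full counter above last_fv whose low FV_BITS equal trunc_fv."""
        mask = (1 << FV_BITS) - 1
        candidate = (self.last_fv & ~mask) | trunc_fv
        if candidate <= self.last_fv:          # low bits wrapped: next window
            candidate += 1 << FV_BITS
        return candidate

    def receive(self, pdu_id: int, payload: bytes, trunc_fv: int, tag: int) -> bool:
        """Accept only if the MAC verifies over the reconstructed (strictly newer) counter."""
        if pdu_id != self.pdu_id:
            return False
        fv = self._reconstruct(trunc_fv)
        expected = compute_mac(self.key, pdu_id, payload, fv)
        if not hmac.compare_digest(expected.to_bytes(4, "big"), tag.to_bytes(4, "big")):
            return False                       # replay, stale, tampered or out of window
        self.last_fv = fv                      # commit freshness only after a valid MAC
        return True


def demo() -> dict:
    """Constructed scenario: key and PDU id are demo values, not real vehicle data."""
    key = bytes(range(16))
    tx, rx = Sender(key, 0x123), Receiver(key, 0x123)
    results = {}
    m1 = tx.send(b"\x01\x00")
    results["fresh"] = rx.receive(*m1)                     # True
    results["replay"] = rx.receive(*m1)                    # False: counter did not advance
    m2 = tx.send(b"\x02\x00")
    m3 = tx.send(b"\x03\x00")
    results["after_loss"] = rx.receive(*m3)                # True: m2 lost, still within window
    results["stale"] = rx.receive(*m2)                     # False: older than last accepted
    m4 = tx.send(b"\x04\x00")
    results["tampered"] = rx.receive(m4[0], b"\xff\xff", m4[2], m4[3])  # False
    results["genuine_after_tamper"] = rx.receive(*m4)      # True: failed attempt did not move last_fv
    for _ in range(17):                                    # more losses than 2**FV_BITS can express
        m = tx.send(b"\x05\x00")
    results["window_overrun"] = rx.receive(*m)             # False: needs resynchronisation
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>22}: {'accepted' if ok else 'rejected'}")
```

    The last case is the one the SecOC extension in the thesis is about: with only a few freshness bits on the wire, a burst of lost frames leaves the receiver unable to guess the sender's counter, and a separate synchronisation message must carry the high bits before traffic is accepted again. Note also that the receiver updates its stored counter only after the MAC verifies, so an attacker cannot advance it with forged frames.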

    Applied information technology (IT) for ship design, production and lifecycle support : a total systems approach

    Thesis (S.M. in Naval Construction and Engineering)--Massachusetts Institute of Technology, Dept. of Ocean Engineering; and (S.M. in Ocean Systems Management)--Massachusetts Institute of Technology, Dept. of Ocean Engineering, 1999. Includes bibliographical references (leaves 108-110). By Gary H. Dunlap. S.M. in Ocean Systems Management; S.M. in Naval Construction and Engineering.

    Efficiency improvement of product definition and verification through Product Lifecycle Management

    The correct and complete geometrical definition of a product is nowadays a critical activity for most companies. To address this problem, ISO has launched GPS, Geometrical Product Specifications and Verification, with the goal of consistently and completely describing the geometric characteristics of products. With this project, it is possible to define a language of communication between the various stages of the product lifecycle based on "operators": ordered sets of mathematical operations used for the definition of the products. However, these theoretical and mathematical concepts require a level of detail and completeness of information rarely present in usual industrial activities. Consequently, in industrial practice the definition and verification of products appears to be a slow process, error-prone and difficult to control. Product Lifecycle Management (PLM) is the activity of managing the company's products throughout their lifecycle in the most efficient way. PLM describes the engineering aspects of the products, ensuring the integrity of the product definition and the automatic update of product information, and thereby helping the product comply with international standards. Despite all these benefits, the concepts of PLM are not yet fully understood in industry and they are difficult to implement for SMEs. A first objective of this research is to develop a model to depict and understand processes. This representation is used as a tool during the application of a case study of a whole set of GPS standards for one type of tolerance. This procedure allows the introduction of the GPS principles and facilitates their implementation within a PLM process. Until now, PLM has been presented on isolated aspects without the necessary holistic approach. Furthermore, industry needs people able to operate in a PLM context, professional profiles that are not common on the market. There is therefore an educational problem; besides the technical knowledge, the new profile of engineers must also be familiar with the PLM philosophy and instruments to work effectively in a team. With the aim of solving this problem, this thesis presents a PLM solution that gives the guidelines for a correct understanding of these topics.