
    Identifying attack surfaces in the evolving space industry using reference architectures

    The space environment is currently undergoing a substantial change, and many new entrants to the market are deploying devices, satellites and systems in space; this evolution has been termed NewSpace. The change is complicated by technological developments such as the deployment of machine learning based autonomous space systems and the Internet of Space Things (IoST). In the IoST, space systems will rely on satellite-to-x communication and on interactions with wider aspects of the ground segment to a greater degree than existing systems. Such developments will inevitably change the cyber security threat landscape of space systems: there will be a greater number of attack vectors for adversaries to exploit, and previously infeasible threats become realisable and thus require mitigation. In this paper, we present a reference architecture (RA) that can be used to abstractly model in situ applications of this new space landscape. The RA specifies high-level system components and their interactions. By instantiating the RA for two scenarios, we demonstrate how to analyse the attack surface using attack trees.

    A privacy-preserving querying mechanism with high utility for electric vehicles

    Electric vehicles (EVs) are becoming more popular due to environmental consciousness. The limited availability of charging stations (CSs), compared to the number of EVs on the road, has led to increased range anxiety and a higher frequency of CS queries during trips. Simultaneously, the use of personal data for analytics is growing at an unprecedented rate, raising privacy concerns. One standard for formalising location privacy is geo-indistinguishability, a generalisation of local differential privacy. However, the noise must be tuned properly, considering the implications of potential utility losses. In this paper, we introduce the notion of approximate geo-indistinguishability (AGeoI), which allows EVs to obfuscate their query locations while remaining within their area of interest. This is vital because journeys are often sensitive to a sharp drop in quality of service (QoS). Our method applies AGeoI together with dummy data generation to provide two-fold privacy protection for EVs while preserving a high QoS. Analytical insights and experiments demonstrate that the majority of EVs get “privacy-for-free” and that the utility loss caused by the gain in privacy guarantees is minuscule. In addition to providing high QoS, the iterative Bayesian update allows for a private and precise CS occupancy forecast, which is crucial for handling unforeseen traffic congestion and for efficient route planning.

    Differential privacy-enabled location data sharing solutions for vehicle ecosystems

    Connected autonomous vehicles (CAVs) are moving from futuristic realms to being increasingly encountered in modern society, with the promise of improved safety, efficiency and sustainability. The functions of CAVs rely on data from multiple sources, including vehicular onboard sensors, other vehicles and the infrastructure. However, the public, industry and government are increasingly concerned that data can be revealing, particularly spatio-temporal data, which is sensitive since it can reveal private information about the user, such as habits, health conditions, etc. There are many ways to protect privacy, but differential privacy remains the only mechanism that provides mathematical privacy guarantees and enables the quantification of privacy loss. However, when applying such techniques, the affordance of privacy comes at the cost of utility. This thesis explores the cost of privacy in real-time location data sharing for CAV functions with respect to efficacy and provides novel techniques to minimise this cost. It is composed of three essential components. The first study focuses on real-time frequency estimation using central and local differentially private data sharing; the output data of this scheme feeds a vehicle route planning function. The second study addresses the efficacy challenge raised in the first study regarding the practical application of local differential privacy for a location-based querying function. Both of these works can be considered to offer privacy-preserving data aggregation through a central server. In contrast, the third study involves the development of a federated mechanism to enable collaboration without the need to share raw data with a central server. Extensive experimentation provides results that demonstrate the proposed schemes achieve high efficacy for their respective functions and have the potential to guide research towards a broader practical deployment of privacy-enhancing technologies.

    A privacy-preserving route planning scheme for the Internet of Vehicles

    The Internet of Things (IoT) is being integrated into applications that continue to reshape many elements of our daily life. One of the major application areas is the Internet of Vehicles, which can enhance existing capabilities such as efficient vehicle route planning. Such systems usually rely on real-time traffic information that includes the temporal location feed of a vehicle. Despite offering clear advantages (such as overcoming congestion, saving fuel/energy/time, and reducing emissions), privacy concerns emerge due to the use of location data. Motivated by this, a privacy-preserving vehicular location (e.g. positioning) sharing scheme is developed for edge cloud-assisted vehicles. In addition, data utility bounds are theoretically analysed, and vehicle routing efficacy is empirically analysed to evaluate the impact of the proposed scheme. Rather than sharing a perturbed location in two-dimensional space, we propose a graph-based differential privacy solution for sharing location. The novelty of this work lies in translating the vehicular geospatial data to graph-structured data for its higher applicability on the road network, designing a real-time application, and empirically analysing privacy-efficacy optimality.

    A comparative study of cyber threats on evolving digital identity systems

    Identity empowers global citizens; it helps an individual to play an active part in international development. To do so, there is often a need for individuals to formally identify themselves. This empowers them to engage in financial services, voting rights, business rights, land titles, social protection, schooling and various other benefits. Organisations are becoming increasingly customer-centric, and many are realising the importance of digital identity as a key to improving customer experience. However, a significant proportion of the human population does not have access to credentials, and in a number of instances, identities have been counterfeited or misused. Robust identification and associated management systems need to be introduced and implemented to address these challenges. Novel digitised decentralised approaches are being explored, and this emerging field promises to empower individuals with an identity; however, emerging threats and risks prevent such systems from being trusted. Firstly, this paper describes the existing model of the evolving Digital Identity Management System (IDMS) and investigates the related cyber security requirements and challenges for such systems. Secondly, the STRIDE threat modelling approach is described in the context of IDMS. Finally, the paper identifies the threat landscape of IDMS by employing the threat modelling approach.

    Challenges in threat modelling of new space systems: a teleoperation use-case

    A growing number of adversaries are targeting space missions, and as such, there have been increasing academic and industrial efforts to identify threats and risks through modelling techniques. In parallel, the research communities are collaborating to lower the entry barriers for space activities in order to deliver more innovative and cost-effective space missions. This evolution has been termed New Space. However, this transformation of the space ecosystem has led to changes in the threat landscape, introducing new threat vectors and threat actors intent on compromising space systems and missions. As a result, it is expected that cyber threats against space systems could increase. Furthermore, teleoperation, a significant use case for building extraterrestrial habitats, has already been shown to be vulnerable in other domains. For example, teleoperated robots developed for remote surgery have been shown to be vulnerable to threats such as malicious control due to an elevation-of-privilege attack. Threat modelling is a systematic and structured method to determine associated system vulnerabilities, possible attack entry points and vectors, and potential impacts on the system. In this work, we examine the efficacy of the de facto threat modelling methods, such as STRIDE/DREAD, in capturing highly adaptive security requirements and threats from a system-centric perspective for the teleoperation mission scenario. Understanding and protecting these hardware-software assets and their interaction in the mission is of foremost importance, since security breaches threaten human safety across the broader New Space ecosystem. This research presents the limitations of existing threat modelling approaches in capturing hardware-software interaction in space systems, which is an open area for scientific enquiry. Moreover, research challenges are raised to improve the safety and security of the teleoperation mission. The output of this work can then be used to develop more appropriate threat modelling approaches to support security requirements engineering for different New Space mission scenarios.

    Human factors for vehicle platooning: a review

    Vehicle platooning (a group of two or more consecutive connected autonomous vehicles that travel simultaneously at the same velocity with a short inter-vehicular distance, based on vehicle-to-vehicle communication) has significant potential to advance traffic, including enhancing travel safety, improving traffic efficacy and decreasing energy consumption. Much focus has been put on developing machine learning-based autonomous driving systems. However, the interactions between humans and the autonomous driving system have not been widely studied, although understanding the human factor is critical, as it can cause human errors and potential accidents. Besides, vehicle platooning introduces a new cooperative driving paradigm for drivers, from which a new pattern of human interaction with vehicle platoons may emerge. This study presents a semi-systematic methodology to review existing studies of human factors in vehicle platoons. Among the human factors, user acceptance and trust significantly impact the sustained development of autonomous driving and the associated user satisfaction. Achieving higher user satisfaction can present business advantages for vehicle platooning service providers in the future. In this paper, human-vehicle platoon interaction is classified into three groups: pedestrians, other drivers and in-platoon driver interaction. Then the research gaps in the field are highlighted.

    Analysing cyber attacks and risks in V2X-assisted autonomous highway merging

    Off-board information, provided through V2X systems, can make a crucial difference to the safety and efficiency of autonomous driving functions, particularly in complex scenarios where on-board sensors can be impaired (e.g., by occlusions). However, such solutions must be secured against potential cyber security threats. While generic solutions, e.g., encryption and authentication, can help to some extent to mitigate such threats, each autonomous function, e.g., platooning, overtaking, highway merging, etc., must be separately analysed from a cyber security perspective, because each uses on- and off-board information in a unique way. This paper considers a V2X-assisted autonomous merging function, where off-board information is used to enhance the autonomous vehicle's view of the environment, which is crucial for safe and efficient merging but often cannot be reliably observed by on-board sensors. We consider a generic reference architecture (RA) that abstractly models a V2X-assisted merging function that fuses off-board radar and camera sensors with the vehicle's on-board sensors. A bespoke threat analysis model is adopted, and an attack tree is devised to help analyse threats to the off-board system components. We also discuss potential mitigation strategies for the underlying system RA within the context of the subject V2X-assisted merging function.

    Privacy Challenges with Protecting Live Vehicular Location Context

    Future Intelligent Transport Systems (ITS) will require that vehicles are equipped with Dedicated Short Range Communications (DSRC). With these DSRC capabilities, new privacy threats are emerging that can be taken advantage of by threat actors with little experience and cheap components. However, the origins of these privacy threats are not limited to the vehicle and its communications, but extend to non-vehicular devices carried by the driver and passengers. A shortcoming of existing work is that it tends to focus on a specific aspect of privacy leakage when attempting to protect location privacy; in doing so, interactions between privacy threats are not considered. In this work, we investigate the privacy surface of a vehicle by considering the many different ways in which location privacy can be leaked. Following this, we identify techniques to protect privacy and show that providing location privacy against a single threat vector is insufficient. A methodology to calculate the interactions of privacy-preserving techniques is used to highlight the need to consider the wider threat landscape and for techniques to collaborate to ensure location privacy is provided against multiple sources of privacy threats where possible.