Risk Assessment Methodology
Previous chapters mainly describe cybersecurity activities at the macro level. Starting from chapter 8, 21434 gives a detailed description of the cybersecurity requirements and activities for each phase of the project lifecycle. Among them, risk assessment is one of the earliest and most important cybersecurity activities, and it is a prerequisite for all of the cybersecurity work that follows.
Risk analysis is usually referred to as TARA (Threat Analysis and Risk Assessment). Its purpose is to identify potential threats and security vulnerabilities in the early stage of vehicle product development, and to determine the possible risks and their risk levels by considering factors such as attack feasibility and impact level. From this, the corresponding cybersecurity goals are derived; these provide the basis for forming the cybersecurity requirements and are the input to design and development. Risk assessment is an activity that did not exist in the traditional software development process, so it represents clearly additional work when implementing cybersecurity in a project.
Currently, the mainstream TARA methodologies internationally include EVITA, HEAVENS, OCTAVE, etc. These methodologies are introduced in SAE J3061, the predecessor of 21434. 21434 summarizes 7 necessary steps of a TARA analysis:
- Asset definition
- Threat scenario analysis
- Impact level
- Attack path analysis
- Attack feasibility level
- Risk determination
- Risk treatment decision-making
In practice, OEMs can choose suitable methodologies for evaluation based on their own needs and preferences. Risk assessment is usually carried out by a specialized team whose members need a certain cybersecurity or penetration-testing background. The individual activities of risk assessment are explained one by one in the following sections.
Asset Definition
What is an asset?
Simply put, assets are information that needs to be protected from cyber attacks during the use of a vehicle, including communication data, user privacy data, ECU firmware, algorithms, and other types of information.
The purpose of asset definition
The purpose of asset definition is to identify these assets, determine the cybersecurity attributes of each asset, and analyze potential damage scenarios.
How to Identify?
Three methods are provided in 21434:
- Enumeration based on impact rating;
- Enumeration based on threat scenarios;
- Enumeration based on predefined classifications;
The first two can be understood as inferring assets from damage scenarios or from attack scenarios, and they rely more on past experience. The method based on predefined classifications defines asset classes in advance, such as communication data, software, and privacy data. When defining assets, the assets at each node along the communication path can then be enumerated class by class, so that assets are identified as comprehensively as possible.
Cybersecurity Attributes
Each asset has corresponding cybersecurity attributes. The HEAVENS method uses Microsoft’s STRIDE model to map threats to cybersecurity attributes: each of the STRIDE threat types is mapped to the set of security attributes it violates. By enumerating commonly encountered threat scenarios, the assets that need to be protected and their cybersecurity attributes can be identified. For example, a common threat scenario in an infotainment system is an attack on the head unit that leaks the customer’s personal information. From this it can be inferred that the corresponding asset is the user’s privacy data and the corresponding cybersecurity attribute is confidentiality. One asset may correspond to several cybersecurity attributes.
Damage Scenario Identification
Based on the assets and attributes identified in the previous step, a list of damage scenarios can be compiled, where each damage scenario corresponds to the violation of one attribute of one asset. Here is a simple example:
Finally, let us summarize the three steps of asset definition: asset identification, cybersecurity attribute determination, and damage scenario identification. Asset identification depends largely on the analysts’ cybersecurity experience and on the organization’s accumulated record of security incidents. At the same time, the analysts need a certain understanding of the system being analyzed. The best practice is for the cybersecurity team to take the lead and work closely with the system engineers. In addition, asset identification is an ongoing activity during cybersecurity development, and the assets and their attributes can be continuously revised and supplemented throughout the product lifecycle.
Threat Scenario Definition
Next, let’s talk about the second step of the risk assessment method: threat scenario definition.
First, let’s take a look at the input and output of this step.
Threat Scenario Definition Process
Before identifying threat scenarios, let’s clarify the relationship between assets, cybersecurity attributes, damage scenarios, and threat scenarios:
From the diagram, we can see that:
- Each asset may have multiple cybersecurity attributes;
- Each attribute may correspond to one or more damage scenarios;
- Each damage scenario corresponds to one or more threat scenarios.
A threat scenario analyzes the possible actions that could bring about a damage scenario identified in the previous step, describing factors such as the timing, the environment, and the attack method through which the harm is caused.
How to Define Threat Scenarios?
21434 provides a relatively general description:
- Brainstorming approach;
- Based on misuse cases;
- Based on STRIDE classification.
The first two methods rely mainly on the analyst’s experience and on past security incidents, while the STRIDE method is the one described in the asset definition section above. 21434 also specifies the three elements a threat scenario contains: the target asset, the cybersecurity attribute being attacked, and the action that brings about the damage scenario. Below is an example of a threat scenario:
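The chain from assets to cybersecurity attributes, damage scenarios and finally threat scenarios described in the asset definition section and in this section, worked through in code. This is an added example, not material from the original article, from HEAVENS or from 21434. The sample assets, their attributes, the identifier scheme and the generated wording are constructed for illustration; the STRIDE-to-attribute table follows the commonly used pairing (spoofing/authenticity, tampering/integrity, repudiation/non-repudiation, information disclosure/confidentiality, denial of service/availability, elevation of privilege/authorization).

```python
from dataclasses import dataclass
from itertools import count

# STRIDE threat category -> cybersecurity attribute it violates (the mapping
# used by HEAVENS with Microsoft's STRIDE model, as described in the text).
STRIDE_TO_ATTRIBUTE = {
    "Spoofing": "authenticity",
    "Tampering": "integrity",
    "Repudiation": "non-repudiation",
    "Information disclosure": "confidentiality",
    "Denial of service": "availability",
    "Elevation of privilege": "authorization",
}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    name: str
    category: str          # predefined classification, e.g. "privacy data"
    attributes: frozenset  # cybersecurity attributes that must be protected


@dataclass(frozen=True)
class DamageScenario:
    ds_id: str
    asset: Asset
    attribute: str         # the attribute whose violation is the damage
    description: str


@dataclass(frozen=True)
class ThreatScenario:
    # The three elements 21434 requires: target asset, attacked attribute, action.
    ts_id: str
    damage_scenario: DamageScenario
    target_asset: str
    attacked_attribute: str
    action: str


def derive_damage_scenarios(assets):
    """One damage scenario per (asset, attribute) pair: the loss of that attribute."""
    ids = count(1)
    result = []
    for asset in assets:
        for attr in sorted(asset.attributes):
            result.append(DamageScenario(
                ds_id=f"DS-{next(ids):03d}",
                asset=asset,
                attribute=attr,
                description=f"Loss of {attr} of '{asset.name}'",
            ))
    return result


def derive_threat_scenarios(damage_scenarios):
    """STRIDE-based enumeration: each category whose attribute matches the damage scenario yields one threat scenario."""
    ids = count(1)
    result = []
    for ds in damage_scenarios:
        for category, attr in STRIDE_TO_ATTRIBUTE.items():
            if attr == ds.attribute:
                result.append(ThreatScenario(
                    ts_id=f"TS-{next(ids):03d}",
                    damage_scenario=ds,
                    target_asset=ds.asset.name,
                    attacked_attribute=attr,
                    action=f"{category} of '{ds.asset.name}' leading to {ds.description.lower()}",
                ))
    return result


def uncovered_damage_scenarios(damage_scenarios, threat_scenarios):
    """Damage scenarios no STRIDE category covers; these still need brainstorming or misuse-case analysis."""
    covered = {t.damage_scenario.ds_id for t in threat_scenarios}
    return [d for d in damage_scenarios if d.ds_id not in covered]


# Constructed sample assets for an infotainment (head unit) ECU.
SAMPLE_ASSETS = [
    Asset("A-001", "user privacy data", "privacy data", frozenset({"confidentiality", "integrity"})),
    Asset("A-002", "head unit firmware", "software", frozenset({"integrity", "authenticity", "availability"})),
    Asset("A-003", "CAN messages from head unit", "communication data", frozenset({"authenticity", "integrity", "availability"})),
]


def build_tara_tables(assets=SAMPLE_ASSETS):
    """Return the damage scenario list and the threat scenario list for the given assets."""
    ds = derive_damage_scenarios(assets)
    ts = derive_threat_scenarios(ds)
    return ds, ts


if __name__ == "__main__":
    ds, ts = build_tara_tables()
    for t in ts:
        print(t.ts_id, "|", t.target_asset, "|", t.attacked_attribute, "|", t.action)
    print("uncovered:", [d.ds_id for d in uncovered_damage_scenarios(ds, ts)])
```

Running the block prints one row per threat scenario with the three elements named in the text. Any damage scenario whose attribute is not covered by a STRIDE category is reported by `uncovered_damage_scenarios`; that is exactly where the brainstorming and misuse-case methods still have to fill in.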
Conclusion
Defining threat scenarios is a significant step in a TARA analysis, because the risk level and the risk treatment decision produced later are determined per threat scenario. Enumerating threat scenarios by brainstorming demands a high level of attack-and-defense experience and cybersecurity development knowledge from the analyst. The STRIDE classification provides a more accessible and repeatable method: STRIDE modeling, a security incident library, and expert experience can be combined to obtain a more comprehensive list of threat scenarios. Furthermore, identifying threat scenarios is an ongoing process that needs to be continually updated and supplemented as technology advances or new security incidents occur. In the subsequent activities, the attack paths and attack feasibility are analyzed for each threat scenario.
Impact Level Assessment
Next, let’s talk about the third activity in risk assessment – impact level assessment.
During this phase, the impact level of each damage scenario is evaluated considering only the degree of harm when the damage scenario occurs, without taking into account the attack path or the attack methods.
Inputs and Outputs:
How to evaluate the impact level?
According to 21434, damage scenarios are evaluated from four aspects, safety, financial, operational, and privacy (S, F, O, P), to assess the adverse impact on stakeholders. If there are impacts beyond these four categories, they need to be recorded in the documentation. Appendix H provides rating criteria for the four impact categories; the criterion for the safety impact refers to the severity classification in ISO 26262.
21434 gives qualitative S, F, O, P impact rating criteria. In actual impact rating, the quantitative method proposed by HEAVENS can also be used: each impact level is assigned a score range, each damage scenario is scored in the four categories S, F, O, P, the scores are summed to obtain the total score of the damage scenario, and the corresponding impact level is then derived from the total. In the HEAVENS method, safety and financial impact carry a relatively high weight (0-1000), while operational and privacy impact are rated lower and carry a lower weight (0-100).
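A HEAVENS-style quantitative impact rating of the kind described in the previous paragraph, as an added example rather than code from the article, from HEAVENS or from 21434. The per-level scores, the total-score thresholds, the order-preserving mapping of ISO 26262 severity classes onto safety impact levels, and the two sample ratings are assumptions constructed for illustration; only the weight ranges (0-1000 for safety and financial, 0-100 for operational and privacy) are taken from the text above.

```python
from dataclasses import dataclass

# Qualitative impact levels used per category (S, F, O, P).
LEVELS = ("negligible", "moderate", "major", "severe")

# HEAVENS-style score per level. Safety (S) and financial (F) use the high
# weight range 0-1000 mentioned in the article, operational (O) and privacy (P)
# the low range 0-100. The individual numbers are an assumption of this example.
SCORES = {
    "S": {"negligible": 0, "moderate": 10, "major": 100, "severe": 1000},
    "F": {"negligible": 0, "moderate": 10, "major": 100, "severe": 1000},
    "O": {"negligible": 0, "moderate": 1, "major": 10, "severe": 100},
    "P": {"negligible": 0, "moderate": 1, "major": 10, "severe": 100},
}

# Constructed thresholds (lower bound of the total score -> overall impact level),
# checked from the highest bound downwards.
THRESHOLDS = ((1000, "critical"), (100, "high"), (20, "medium"), (1, "low"), (0, "QM"))

# ISO 26262 severity classes mapped onto the safety impact levels in order
# (assumed here; the article only says the safety criterion refers to ISO 26262).
ISO26262_SEVERITY = {"S0": "negligible", "S1": "moderate", "S2": "major", "S3": "severe"}


@dataclass(frozen=True)
class ImpactRating:
    ds_id: str
    safety: str
    financial: str
    operational: str
    privacy: str

    def __post_init__(self):
        # Reject levels outside the qualitative scale instead of silently scoring them.
        for category, level in self.levels().items():
            if level not in LEVELS:
                raise ValueError(f"{self.ds_id}: unknown {category} impact level {level!r}")

    def levels(self):
        """Qualitative rating per category, as 21434 records it."""
        return {"S": self.safety, "F": self.financial, "O": self.operational, "P": self.privacy}

    def scores(self):
        """Quantitative score per category (HEAVENS style)."""
        return {cat: SCORES[cat][level] for cat, level in self.levels().items()}

    def total(self):
        return sum(self.scores().values())

    def overall_level(self):
        """Derive the overall impact level of the damage scenario from the summed score."""
        total = self.total()
        for lower_bound, level in THRESHOLDS:
            if total >= lower_bound:
                return level
        return "QM"


def safety_level_from_severity(severity_class):
    """Translate an ISO 26262 severity class (S0-S3) into a safety impact level."""
    return ISO26262_SEVERITY[severity_class]


# Constructed sample ratings for two damage scenarios.
SAMPLE_RATINGS = [
    # Leak of user privacy data from the head unit: no safety effect, some cost, severe privacy impact.
    ImpactRating("DS-001", safety="negligible", financial="moderate", operational="negligible", privacy="severe"),
    # Tampered brake ECU firmware: life-threatening, costly recall, vehicle function affected.
    ImpactRating("DS-002", safety=safety_level_from_severity("S3"), financial="major", operational="major", privacy="negligible"),
]


def rate_all(ratings=SAMPLE_RATINGS):
    """Return {ds_id: (total score, overall impact level)} for a list of ratings."""
    return {r.ds_id: (r.total(), r.overall_level()) for r in ratings}


if __name__ == "__main__":
    for ds_id, (total, level) in rate_all().items():
        print(f"{ds_id}: total={total} overall={level}")
```

Both outputs the text mentions are available: `levels()` gives the per-category S, F, O, P rating, and `overall_level()` the single overall level. Because the high-weight categories dominate the sum, a severe privacy impact alone lands lower than a severe safety impact, which is the weighting the paragraph above describes.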
Summary
Engineers familiar with functional safety will readily see that the TARA analysis approach is closely related to the HARA analysis of functional safety. Both evaluate system risk along the two dimensions of how likely the risk is to occur and how severe the resulting harm is. The safety impact rating in TARA directly cites the severity classification of ISO 26262. The result of the rating can be either the impact level of the damage scenario in each of the four categories S, F, O, P or an overall impact level; the purpose is to identify the scenarios that would cause serious damage to the system.
This article is a translation by ChatGPT of a Chinese report from 42HOW. If you have any questions about it, please email bd@42how.com.