research-article

Privacy Impact Assessment of Cyber Attacks on Connected and Autonomous Vehicles

Authors:

Sakshyam Panda,

Emmanouil Panaousis,

Konstantinos KentrotisAuthors Info & Claims

ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security

Article No.: 93, Pages 1 - 9

https://doi.org/10.1145/3600160.3605073

Published: 29 August 2023 Publication History

Abstract

Connected and autonomous vehicles (CAVs) are vulnerable to security gaps that can result in serious consequences, including cyber-physical and privacy risks. For example, an attacker can reconstruct a vehicle’s location trajectory by knowing the speed and steering wheel position of the vehicle. Such inferences not only lead to safety issues but also significantly threaten privacy. This paper assesses the privacy impacts of cyber threats on vehicular networks. We augment the Privacy Risk Assessment Methodology (PRAM), proposed by the National Institute of Standards and Technology, with cyber threats, with cyber threats, which are, in practice, mapped to PRAM impact metrics. We demonstrate the practical application of the enhanced PRAM methodology through a use case that highlights attacks leading to privacy risks in CAVs. The consideration of cyber attacks for privacy risk assessment addresses a major gap in current practices, which is to integrate privacy risk into cyber risk management.

References

[1]

[n. d.]. CNIL PIA (Privacy Impact Assessment). https://www.cnil.fr/en/privacy-impact-assessment-pia. Accessed: March 25, 2023.

[2]

2017. ISO/IEC 29134:2017 Information technology – Security techniques – Guidelines for privacy impact assessment. https://www.iso.org/standard/66390.html. Accessed: March 25, 2023.

[3]

2018. California Consumer Privacy Act. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375 California Assembly Bill No. 375, Accessed: March 25, 2023.

[4]

2018. Data Protection Act. https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted. Accessed: March 25, 2023.

[5]

Amir Shayan Ahmadian, Daniel Strüber, Volker Riediger, and Jan Jürjens. 2018. Supporting privacy impact assessment by model-based privacy analysis. In Proceedings of the 33rd Annual ACM Symposium on Applied Computing. 1467–1474.

Digital Library

[6]

Muhammad Arif, Guojun Wang, and Valentina Emilia Balas. 2018. Secure VANETs: trusted communication scheme between vehicles and infrastructure based on fog computing. Stud. Inform. Control 27, 2 (2018), 235–246.

[7]

Soodeh Atefi, Sakshyam Panda, Manos Panaousis, and Aron Laszka. 2022. Principled data-driven decision support for cyber-forensic investigations. arXiv preprint arXiv:2211.13345 (2022).

[8]

Maria Azees, Pandi Vijayakumar, and Lazarus Jegatha Deborah. 2016. Comprehensive survey on security services in vehicular ad-hoc networks. IET Intelligent Transport Systems 10, 6 (2016), 379–388.

[9]

Tamas Bisztray and Nils Gruschka. 2019. Privacy impact assessment: comparing methodologies with a focus on practicality. In Secure IT Systems: 24th Nordic Conference, NordSec 2019, Aalborg, Denmark, November 18–20, 2019, Proceedings 24. Springer, 3–19.

[10]

Nadia Boumkheld, Sakshyam Panda, Stefan Rass, and Emmanouil Panaousis. 2019. Honeypot type selection games for smart grid networks. In Decision and Game Theory for Security: 10th International Conference, GameSec 2019, Stockholm, Sweden, October 30–November 1, 2019, Proceedings 10. Springer, 85–96.

[11]

Sean Brooks, Michael Garcia, Naomi Lefkovitz, Suzanne Lightman, and Ellen Nadeau. 2017. An introduction to privacy engineering and risk management in federal systems. Technical Report Tech. Rep. NIST IR 8062, Jan. 2017. National Institute of Standards and Technology, Washington, D.C.https://doi.org/10.6028/NIST.IR.8062

[12]

Paul Carsten, Todd R Andel, Mark Yampolskiy, and Jeffrey T McDonald. 2015. In-vehicle networks: Attacks, vulnerabilities, and proposed solutions. In Proceedings of the 10th Annual Cyber and Information Security Research Conference. 1–8.

Digital Library

[13]

Badreddine Chah, Alexandre Lombard, Anis Bkakria, Reda Yaich, Abdeljalil Abbas-Turki, and Stéphane Galland. 2022. Privacy Threat Analysis for connected and autonomous vehicles. Procedia Computer Science 210 (2022), 36–44.

Digital Library

[14]

Wonsuk Choi, Kyungho Joo, Hyo Jin Jo, Moon Chan Park, and Dong Hoon Lee. 2018. Voltageids: Low-level communication characteristics for automotive intrusion detection system. IEEE Transactions on Information Forensics and Security 13, 8 (2018), 2114–2129.

[15]

R Jason Cronk and Stuart S Shapiro. 2021. Quantitative Privacy Risk Analysis. In 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 340–350.

[16]

Araya Kibrom Desta, Shuji Ohira, Ismail Arai, and Kazutoshi Fujikawa. 2020. ID sequence analysis for intrusion detection in the CAN bus using long short term memory networks. In 2020 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops). IEEE, 1–6.

[17]

Zeinab El-Rewini, Karthikeyan Sadatsharan, Daisy Flora Selvaraj, Siby Jose Plathottam, and Prakash Ranganathan. 2020. Cybersecurity challenges in vehicular communications. Vehicular Communications 23 (2020), 100214.

[18]

Aristeidis Farao, Sakshyam Panda, Sofia Anna Menesidou, Entso Veliou, Nikolaos Episkopos, George Kalatzantonakis, Farnaz Mohammadi, Nikolaos Georgopoulos, Michael Sirivianos, Nikos Salamanos, 2020. SECONDO: A platform for cybersecurity investments and cyber insurance decisions. In Trust, Privacy and Security in Digital Business: 17th International Conference, TrustBus 2020, Bratislava, Slovakia, September 14–17, 2020, Proceedings 17. Springer, 65–74.

Digital Library

[19]

Andrew Fielder, Emmanouil Panaousis, Pasquale Malacaria, Chris Hankin, and Fabrizio Smeraldi. 2016. Decision support approaches for cyber security investment. Decision support systems 86 (2016), 13–23.

[20]

Jack Freund and Jack Jones. 2014. Measuring and managing information risk: a FAIR approach. Butterworth-Heinemann.

[21]

András Gazdag, Szilvia Lestyán, Mina Remeli, Gergely Ács, Tamás Holczer, and Gergely Biczók. 2023. Privacy pitfalls of releasing in-vehicle network data. Vehicular Communications 39 (2023), 100565.

Digital Library

[22]

Anthony J Grosso, Gregory W Leffard, and Jeremiah G O’dwyer. 2014. System and method for analyzing privacy breach risk data. US Patent App. 13/683,422.

[23]

Zonghua Gu, Gang Han, Haibo Zeng, and Qingling Zhao. 2016. Security-aware mapping and scheduling with hardware co-processors for flexray-based distributed embedded systems. IEEE Transactions on parallel and distributed systems 27, 10 (2016), 3044–3057.

Digital Library

[24]

Ioannis Kalderemidis, Aristeidis Farao, Panagiotis Bountakas, Sakshyam Panda, and Christos Xenakis. 2022. GTM: Game Theoretic Methodology for optimal cybersecurity defending strategies and investments. In Proceedings of the 17th International Conference on Availability, Reliability and Security. 1–9.

Digital Library

[25]

Stamatis Karnouskos and Florian Kerschbaum. 2017. Privacy and integrity considerations in hyperconnected autonomous vehicles. Proc. IEEE 106, 1 (2017), 160–170.

[26]

Xinghua Li, Yanbing Ren, Laurence T Yang, Ning Zhang, Bin Luo, Jian Weng, and Ximeng Liu. 2020. Perturbation-hidden: Enhancement of vehicular privacy for location-based services in internet of vehicles. IEEE Transactions on Network Science and Engineering 8, 3 (2020), 2073–2086.

[27]

Zi Li, Qingqi Pei, Ian Markwood, Yao Liu, Miao Pan, and Hongning Li. 2018. Location privacy violation via GPS-agnostic smart phone car tracking. IEEE Transactions on Vehicular Technology 67, 6 (2018), 5042–5053.

[28]

Wei Liang, Jing Long, Tien-Hsiung Weng, Xuhui Chen, Kuan-Ching Li, and Albert Y Zomaya. 2019. TBRS: A trust based recommendation scheme for vehicular CPS network. Future Generation Computer Systems 92 (2019), 383–398.

Digital Library

[29]

Jiajia Liu, Shubin Zhang, Wen Sun, and Yongpeng Shi. 2017. In-vehicle network attacks and countermeasures: Challenges and future directions. IEEE Network 31, 5 (2017), 50–58.

Digital Library

[30]

Kun Liu and Evimaria Terzi. 2010. A framework for computing the privacy scores of users in online social networks. ACM Transactions on Knowledge Discovery from Data (TKDD) 5, 1 (2010), 1–30.

[31]

Nai-Wei Lo and Hsiao-Chien Tsai. 2007. Illusion attack on vanet applications-a message plausibility problem. In 2007 IEEE Globecom Workshops. IEEE, 1–8.

[32]

Zhaojun Lu, Gang Qu, and Zhenglin Liu. 2018. A survey on recent advances in vehicular network security, trust, and privacy. IEEE Transactions on Intelligent Transportation Systems 20, 2 (2018), 760–776.

[33]

Adnan Mahmood, Wei Emma Zhang, and Quan Z Sheng. 2019. Software-defined heterogeneous vehicular networking: The architectural design and open challenges. Future Internet 11, 3 (2019), 70.

[34]

Eleni-Laskarina Makri, Zafeiroula Georgiopoulou, and Costas Lambrinoudakis. 2020. A proposed privacy impact assessment method using metrics based on organizational characteristics. In Computer Security: ESORICS 2019 International Workshops, CyberICPS, SECPRE, SPOSE, and ADIoT, Luxembourg City, Luxembourg, September 26–27, 2019 Revised Selected Papers 5. Springer, 122–139.

[35]

Sahar Mazloom, Mohammad Rezaeirad, Aaron Hunter, and Damon McCoy. 2016. A Security Analysis of an In-Vehicle Infotainment and App Platform. In WOOT.

[36]

Yassine Mekdad, Ahmet Aris, Leonardo Babun, Abdeslam El Fergougui, Mauro Conti, Riccardo Lazzeretti, and A Selcuk Uluagac. 2023. A survey on security and privacy issues of UAVs. Computer Networks (2023), 109626.

[37]

Ahmed Refaat Mousa, Pakinam NourElDeen, Marianne Azer, and Mahmoud Allam. 2016. Lightweight authentication protocol deployment over FlexRay. In Proceedings of the 10th International Conference on Informatics and Systems. 233–239.

Digital Library

[38]

Jianbing Ni, Kuan Zhang, Yong Yu, Xiaodong Lin, and Xuemin Shen. 2018. Privacy-preserving smart parking navigation supporting efficient driving guidance retrieval. IEEE Transactions on Vehicular Technology 67, 7 (2018), 6504–6517.

[39]

Antonia Nisioti, George Loukas, Aron Laszka, and Emmanouil Panaousis. 2021. Data-driven decision support for optimizing cyber forensic investigations. IEEE Transactions on Information Forensics and Security 16 (2021), 2397–2412.

[40]

U.S. Department of Health & Human Services. 2002. Privacy Rule of the Health Insurance Portability and Accountability Act. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html Accessed: March 25, 2023.

[41]

National Institute of Standards and Technology. 2020. NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management. Technical Report Version 1.0, Includes updates as of January 16, 2020. U.S. Department of Commerce, Washington, D.C.https://doi.org/10.6028/NIST.CSWP.01162020

[42]

Information Commissioner’s Office. 2018. Data Protection Impact Assessment. Technical Report. https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessment-dpia-1-0.pdf Accessed: March 25, 2023.

[43]

Habeeb Olufowobi, Clinton Young, Joseph Zambreno, and Gedare Bloom. 2019. SAIDuCANT: Specification-based automotive intrusion detection using controller area network (CAN) timing. IEEE Transactions on Vehicular Technology 69, 2 (2019), 1484–1494.

[44]

Basker Palaniswamy, Seyit Camtepe, Ernest Foo, and Josef Pieprzyk. 2020. An efficient authentication scheme for intra-vehicular controller area network. IEEE Transactions on Information Forensics and Security 15 (2020), 3107–3122.

[45]

Sakshyam Panda, Aristeidis Farao, Emmanouil Panaousis, and Christos Xenakis. 2021. Cyber-Insurance: Past, Present and Future. In Encyclopedia of Cryptography, Security and Privacy. Springer, 1–4.

[46]

Sakshyam Panda, Emmanouil Panaousis, George Loukas, and Christos Laoudias. 2020. Optimizing investments in cyber hygiene for protecting healthcare users. From Lambda Calculus to Cybersecurity Through Program Analysis: Essays Dedicated to Chris Hankin on the Occasion of His Retirement (2020), 268–291.

[47]

Sakshyam Panda, Stefan Rass, Sotiris Moschoyiannis, Kaitai Liang, George Loukas, and Emmanouil Panaousis. 2022. HoneyCar: a framework to configure honeypot vulnerabilities on the internet of vehicles. IEEE Access 10 (2022), 104671–104685.

[48]

Sakshyam Panda, Daniel W Woods, Aron Laszka, Andrew Fielder, and Emmanouil Panaousis. 2019. Post-incident audits on cyber insurance discounts. Computers & Security 87 (2019), 101593.

Digital Library

[49]

Ying Qiu, Yi Liu, Xuan Li, and Jiahui Chen. 2020. A novel location privacy-preserving approach based on blockchain. Sensors 20, 12 (2020), 3519.

[50]

Laurens Sion, Dimitri Van Landuyt, Kim Wuyts, and Wouter Joosen. 2019. Privacy risk assessment for data subject-aware threat modeling. In 2019 IEEE Security and Privacy Workshops (SPW). IEEE, 64–71.

[51]

Daniel J Solove. 2006. A taxonomy of privacy. University of Pennsylvania law review (2006), 477–564.

[52]

Xiaoqiang Sun, F Richard Yu, and Peng Zhang. 2021. A survey on cyber-security of connected and autonomous vehicles (CAVs). IEEE Transactions on Intelligent Transportation Systems 23, 7 (2021), 6240–6259.

Digital Library

[53]

Jun Tang, Yong Cui, Qi Li, Kui Ren, Jiangchuan Liu, and Rajkumar Buyya. 2016. Ensuring security and privacy preservation for cloud data services. ACM Computing Surveys (CSUR) 49, 1 (2016), 1–39.

Digital Library

[54]

Maria Tsiodra, Sakshyam Panda, Michail Chronopoulos, and Emmanouil Panaousis. 2023. Cyber Risk Assessment and Optimisation: A Small Business Case Study. IEEE Access (2023).

[55]

Hiroshi Ueda, Ryo Kurachi, Hiroaki Takada, Tomohiro Mizutani, Masayuki Inoue, and Satoshi Horihata. 2015. Security authentication system for in-vehicle network. SEI technical review 81 (2015), 5–9.

[56]

Paul Voigt and Axel Von dem Bussche. 2017. The eu general data protection regulation (gdpr). A Practical Guide, 1st Ed., Cham: Springer International Publishing 10, 3152676 (2017), 10–5555.

[57]

Yuan Wu, Li Ping Qian, Haowei Mao, Xiaowei Yang, Haibo Zhou, Xiaoqi Tan, and Danny HK Tsang. 2018. Secrecy-driven resource management for vehicular computation offloading networks. IEEE Network 32, 3 (2018), 84–91.

[58]

Kim Wuyts and Wouter Joosen. 2015. LINDDUN privacy threat modeling: a tutorial. CW Reports (2015).

[59]

Chulin Xie, Zhong Cao, Yunhui Long, Diange Yang, Ding Zhao, and Bo Li. 2022. Privacy of Autonomous Vehicles: Risks, Protection Methods, and Future Directions. arXiv preprint arXiv:2209.04022 (2022).

Cited By

Cai XShi KSun YCao JWen SQiao CTian Z(2024)Stability Analysis of Networked Control Systems Under DoS Attacks and Security Controller Design With Mini-Batch Machine Learning SupervisionIEEE Transactions on Information Forensics and Security10.1109/TIFS.2023.334788919(3857-3865)Online publication date: 2024
https://doi.org/10.1109/TIFS.2023.3347889
Mann ZPetit JThornton SBuchholz MMillar J(2024)SPIDER: Interplay Assessment Method for Privacy and Other Values2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW61312.2024.00007(1-8)Online publication date: 8-Jul-2024
https://doi.org/10.1109/EuroSPW61312.2024.00007
Tanaji BRoychowdhury S(2024)BWM Integrated VIKOR method using Neutrosophic fuzzy sets for cybersecurity risk assessment of connected and autonomous vehiclesApplied Soft Computing10.1016/j.asoc.2024.111628159(111628)Online publication date: Jul-2024
https://doi.org/10.1016/j.asoc.2024.111628

Index Terms

Privacy Impact Assessment of Cyber Attacks on Connected and Autonomous Vehicles

Recommendations

Revisiting Attacks and Defenses in Connected and Autonomous Vehicles
Security, Privacy, and Anonymity in Computation, Communication, and Storage
Abstract
With the development of the automotive industry, the security of connected and autonomous vehicles (CAVs) has become a hot research field in recent years. However, previous studies mainly focus on the threats and defending mechanisms from the ...
A survey on security attacks and defense techniques for connected and autonomous vehicles
Abstract
Autonomous Vehicle has been transforming intelligent transportation systems. As telecommunication technology improves, autonomous vehicles are getting connected to each other and to infrastructures, forming Connected and Autonomous ...
PIER: cyber-resilient risk assessment model for connected and autonomous vehicles
Abstract
As more vehicles are being connected to the Internet and equipped with autonomous driving features, more robust safety and security measures are required for connected and autonomous vehicles (CAVs). Therefore, threat analysis and risk assessment ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security

August 2023

1440 pages

ISBN:9798400707728

DOI:10.1145/3600160

Copyright © 2023 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 29 August 2023

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

Conference

ARES 2023

ARES 2023: The 18th International Conference on Availability, Reliability and Security

August 29 - September 1, 2023

Benevento, Italy

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
173
Total Downloads

Downloads (Last 12 months)114
Downloads (Last 6 weeks)3

Reflects downloads up to 15 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Cai XShi KSun YCao JWen SQiao CTian Z(2024)Stability Analysis of Networked Control Systems Under DoS Attacks and Security Controller Design With Mini-Batch Machine Learning SupervisionIEEE Transactions on Information Forensics and Security10.1109/TIFS.2023.334788919(3857-3865)Online publication date: 2024
https://doi.org/10.1109/TIFS.2023.3347889
Mann ZPetit JThornton SBuchholz MMillar J(2024)SPIDER: Interplay Assessment Method for Privacy and Other Values2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW61312.2024.00007(1-8)Online publication date: 8-Jul-2024
https://doi.org/10.1109/EuroSPW61312.2024.00007
Tanaji BRoychowdhury S(2024)BWM Integrated VIKOR method using Neutrosophic fuzzy sets for cybersecurity risk assessment of connected and autonomous vehiclesApplied Soft Computing10.1016/j.asoc.2024.111628159(111628)Online publication date: Jul-2024
https://doi.org/10.1016/j.asoc.2024.111628

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Figures

Tables

Media

View Table of Conten