Using SAE J3061 for Automotive Security Requirement Engineering

  • Conference paper
Computer Safety, Reliability, and Security (SAFECOMP 2016)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 9923)

Abstract

Modern vehicles are increasingly software intensive and connected. The potential hazards and economic losses due to cyberattacks have become real and imminent in recent years. Consequently, cybersecurity must be adequately addressed alongside other dependability attributes such as safety and reliability in the automotive domain. J3061, officially published in January 2016 by SAE International, is a much-anticipated cybersecurity standard for the automotive industry. It fills an important gap that was previously deemed irrelevant in the automotive domain. In this paper, we report our activities in applying J3061 to the security engineering of an automotive Electronic Control Unit (ECU) that serves as a communication gateway. As this is ongoing work, we share our early experience with the concept phase of the process, focusing on Threat Analysis and Risk Assessment (TARA). Based on our experience, we propose improvements and discuss its link to ISO 26262.

Notes

  1. Due to page limit and the scope, we refer interested readers to the appendix of J3061 standard or the references for more details.

References

  1. E-safety vehicle intrusion protected applications (EVITA). http://www.evita-project.org/

  2. HEAling Vulnerabilities to ENhance Software Security and Safety (HEAVENS) project. https://research.chalmers.se/en/project/5809

  3. Carnegie Mellon University Software Engineering Institute: Operationally Critical Threat, Asset, and Vulnerability Evaluation Framework (OCTAVE)

  4. Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S., Koscher, K., Czeskis, A., Roesner, F., Kohno, T.: Comprehensive experimental analyses of automotive attack surfaces. In: Proceedings of the 20th USENIX Conference on Security (2011)

  5. ETSI TS 102 165-1: Telecommunications and internet converged services and protocols for advanced networking (tispan); methods and protocols; part 1: Method and proforma for threat, risk, vulnerability analysis (2011)

  6. Foster, I., Prudhomme, A., Koscher, K., Savage, S.: Fast and vulnerable: a story of telematic failures. In: 9th USENIX Workshop on Offensive Technologies (WOOT 2015) (2015)

  7. Henniger, O., Apvrille, L., Fuchs, A., Roudier, Y., Ruddle, A., Weyl, B.: Security requirements for automotive on-board networks. In: Proceedings of the 9th International Conference on Intelligent Transport System Telecommunications (ITST 2009), Lille, France (2009)

  8. International Organization for Standardization: ISO 26262 Road vehicles - Functional safety (2011)

  9. Macher, G., Sporer, H., Berlach, R., Armengaud, E., Kreiner, C.: SAHARA: a security-aware hazard and risk analysis method. In: Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, pp. 621–624 (2015)

  10. Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle (2015)

  11. Moore, A.P., Ellison, R.J., Linger, R.C.: Attack modeling for information security and survivability. Technical report, DTIC Document (2001)

  12. SAE International: J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems, January 2016

  13. Schmittner, C., Gruber, T., Puschner, P., Schoitsch, E.: Security application of failure mode and effect analysis (FMEA). In: Bondavalli, A., Di Giandomenico, F. (eds.) SAFECOMP 2014. LNCS, vol. 8666, pp. 310–325. Springer, Heidelberg (2014). doi:10.1007/978-3-319-10506-2_21

  14. Schmittner, C., Ma, Z.: Towards a framework for alignment between automotive safety and security standards. In: Koornneef, F., van Gulijk, C. (eds.) SAFECOMP 2015 Workshops. LNCS, vol. 9338, pp. 133–143. Springer, Heidelberg (2015). doi:10.1007/978-3-319-24249-1_12

  15. Schoitsch, E., Schmittner, C., Ma, Z., Gruber, T.: The need for safety and cyber-security co-engineering and standardization for highly automated automotive vehicles. In: Schulze, T., Müller, B., Meyer, G. (eds.) Advanced Microsystems for Automotive Applications 2015. Lecture Notes in Mobility, pp. 251–261. Springer, Switzerland (2016)

  16. Srivatanakul, T., Clark, J.A., Polack, F.A.C.: Effective security requirements analysis: HAZOP and use cases. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 416–427. Springer, Heidelberg (2004)

  17. Swiderski, F., Snyder, W.: Threat Modeling. Microsoft Press, Redmond (2004)

Acknowledgement

This work is partially supported by EU ARTEMIS project EMC2 (contract no. 621429) and Austrian Research Promotion Agency FFG on behalf of Austrian Federal Ministry of Transport, Innovation and Technology BMVIT. This work also derives from the activities within SCRIPT project (no. 1326126), funded by the Vienna Business Agency under the Call “Pro Industry 2015”.

Author information

Corresponding author

Correspondence to Zhendong Ma.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Schmittner, C., Ma, Z., Reyes, C., Dillinger, O., Puschner, P. (2016). Using SAE J3061 for Automotive Security Requirement Engineering. In: Skavhaug, A., Guiochet, J., Schoitsch, E., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2016. Lecture Notes in Computer Science, vol 9923. Springer, Cham. https://doi.org/10.1007/978-3-319-45480-1_13

  • DOI: https://doi.org/10.1007/978-3-319-45480-1_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45479-5

  • Online ISBN: 978-3-319-45480-1

  • eBook Packages: Computer Science, Computer Science (R0)
