A Proposal of Security Requirements Definition Methodology in Connected Car Systems by CVSS V3

Ando, Eriko; Kayashima, Makoto; Komoda, Norishita

doi:10.1109/iiai-aai.2016.95

Cited by 10 publications

(12 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bajpai et al also demonstrate that the Common Vulnerability Scoring Systems (CVSS) [58] from classical IT can easily be adapted for the severity evaluation of automotive vulnerabilities. Other works by FFRI Inc. [59] and Ando et al [60] reach similar conclusions. In addition, the new ISO/IEC 21434 recommends the CVSS Exploitability metric for the evaluation of automotive attack feasibility.…”

Section: Related Discussionsupporting

confidence: 82%

Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges

Bolz

Kriesten

2021

JCP

View full text Add to dashboard Cite

Since several years, the overall awareness for the necessity to consider a vehicle as a potentially vulnerable system is facing accelerated growth. In 2015, the safety relevant exploitability of vulnerabilities through cyber attacks was exposed to a broader public for the first time. Only a few months after this attack has reached public awareness, affected manufacturer implemented one of the first bug bounty programs within the automotive field. Since then, many others followed by adapting some of ITs good practices for handling and responsibly disclose found and reported vulnerabilities for the automotive field. Nevertheless, this work points out that much remains to be done concerning quantity and quality of these measures. In order to cope with this, this present paper deals with what can be learned from IT and which conclusions can be drawn from these findings in the light of special conditions in the automotive environment. Furthermore, current handling and challenges regarding the disclosure process of vulnerabilities in the automotive sector are presented. These challenges are addressed by discussing desirable conditions for a beneficial disclosure culture as well as requirements and responsibilities of all parties involved in the disclosure process.

show abstract

Section: Related Discussionsupporting

confidence: 82%

Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges

Bolz

Kriesten

2021

JCP

View full text Add to dashboard Cite

show abstract

“…In this framework, the severity of different attack paths and efficiency of security strategies particularly at the device level is calculated, to prioritize the devices in terms of securing them. In a similar work, Ando et al (2016) performed the risk analysis of smart car sensors using a tree model with 5Ws (why, who, where, what, when) and CVSSv3 vector string. This study lacked mathematical analyses and the real-environmental case studies.…”

Section: Vulnerability Databases (National Vulnerabilitymentioning

confidence: 99%

IVQF_IoT: An intelligent vulnerability quantification framework for scoring internet of things vulnerabilities

et al. 2021

View full text Add to dashboard Cite

With time smart services have become more domineering than ever before however, the pertinent security considerations fade to correspond with growing heterogeneity in the internet of things (IoT) devices and new technologies coupled with resource constraints, crafting IoT-based systems more susceptible to cyber-attacks. To ensure a secure IoT environment, pro-active security mechanisms, like scanning vulnerabilities and prioritizing to remediate them timely, should be embedded in the system.Motivated by the facts, we in this paper, highlight the state of the art of several works trading with a common vulnerability scoring system (CVSS), its limitations, and the emendations recommended to conclude its maturity. CVSS is an industry standard that has been adopted worldwide to quantify the vulnerabilities in organizations for IT and IoT-based systems. The vulnerabilities mathematical score coalesces with environmental knowledge for finding attack paths and apt score for prioritization.The specific functionality and exclusive dynamics of IoT and cyber-physical systems in comparison to traditional computer networks, make the legacy cyber-security exemplars unfit for these advanced networks. This paper studies the relevance of CVSS for smart systems and present an intelligent vulnerability quantification framework for IoT systems grounded on the CVSS v3.1 framework with threat intelligence and machine learning models. Further by applying blockchain technology in the proposed framework, the issues concerning security, lack of trust, and privacy possibly will resolve by hiring a smart contract.

show abstract

“…This helps to prioritize which devices should be protected first. In the case study presented in [15], probabilities are assumed and numerical representation of a probability associated with devices is unexplored.…”

Section: Related Workmentioning

confidence: 99%

“…In [15], Ando proposed a theoretical mythology to analyse the risk of connected IoT cars sensors by mapping the vulnerability vector of CVSS v3 into a 5W-tree model (who, what, when, where, why). However, real-world case studies and detailed mathematical and experimental analyses are necessary before adopting such a methodology.…”

Section: Related Workmentioning

confidence: 99%

Vulnerability Modelling for Hybrid IT Systems

Ur-Rehman

Gondal

Kamruzzuman

et al. 2019

2019 IEEE International Conference on Industrial Technology (ICIT)

View full text Add to dashboard Cite

Common vulnerability scoring system (CVSS) is an industry standard that can assess the vulnerability of nodes in traditional computer systems. The metrics computed by CVSS would determine critical nodes and attack paths. However, traditional IT security models would not fit IoT embedded networks due to distinct nature and unique characteristics of IoT systems. This paper analyses the application of CVSS for IoT embedded systems and proposes an improved vulnerability scoring system based on CVSS v3 framework. The proposed framework, named CVSS IoT , is applied to a realistic IT supply chain system and the results are compared with the actual vulnerabilities from the national vulnerability database. The comparison result validates the proposed model. CVSS IoT is not only effective, simple and capable of vulnerability evaluation for traditional IT system, but also exploits unique characteristics of IoT devices.

show abstract

A Proposal of Security Requirements Definition Methodology in Connected Car Systems by CVSS V3

Cited by 10 publications

References 0 publications

Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges

Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges

IVQF_IoT: An intelligent vulnerability quantification framework for scoring internet of things vulnerabilities

Vulnerability Modelling for Hybrid IT Systems

Contact Info

Product

Resources

About

A Proposal of Security Requirements Definition Methodology in Connected Car Systems by CVSS V3

Cited by 10 publications

References 0 publications

Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges

Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges

IVQFIoT: An intelligent vulnerability quantification framework for scoring internet of things vulnerabilities

Vulnerability Modelling for Hybrid IT Systems

Contact Info

Product

Resources

About

IVQF_IoT: An intelligent vulnerability quantification framework for scoring internet of things vulnerabilities