Computer Science in Cars Symposium 2021
DOI: 10.1145/3488904.3493378
|View full text |Cite
|
Sign up to set email alerts
|

Proposing HEAVENS 2.0 – an automotive risk assessment model

Abstract: Risk-based security models have seen a steady rise in popularity over the last decades, and several security risk assessment models have been proposed for the automotive industry. The new UN vehicle regulation 155 on cybersecurity provisions for vehicle type approval, as part of the 1958 agreement on vehicle harmonization, mandates the use of risk assessment to mitigate cybersecurity risks and is expected to be adopted into national laws in 54 countries within 1 to 3 years. This new legislation will also apply… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
2
1

Citation Types

0
17
0

Year Published

2023
2023
2024
2024

Publication Types

Select...
5
1

Relationship

0
6

Authors

Journals

citations
Cited by 19 publications
(17 citation statements)
references
References 22 publications
0
17
0
Order By: Relevance
“…Threat models for the previous generation of the automotive industry are targeted for automotive E/E architecture, which are either adapted from IT and software industry (e.g., Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege (STRIDE) [34], confidentiality, integrity, and availability (CIA) [35] threat, vulnerability and risk assessment (TVRA) [36], E-safety vehicle intrusion protected applications (EVITA) [37], and healing vulnerabilities to enhance software security and safety (HEAVENS)) [24] or heavily influenced by safety analysis models such as fault tree analysis, Hazard Analysis and Risk Assessment (e.g., security-aware hazard analysis and risk assessment (SAHARA)) [38]. In 2021, the ISO/SAE 21434 standard was published for Road Vehicles-Cybersecurity Engineering, which included EVITA, HEAV-ENS, and TVRA in recommendations for automotive threat modeling.…”
Section: A Threat Analysis Methods In Practice For Automotivementioning
confidence: 99%
See 1 more Smart Citation
“…Threat models for the previous generation of the automotive industry are targeted for automotive E/E architecture, which are either adapted from IT and software industry (e.g., Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege (STRIDE) [34], confidentiality, integrity, and availability (CIA) [35] threat, vulnerability and risk assessment (TVRA) [36], E-safety vehicle intrusion protected applications (EVITA) [37], and healing vulnerabilities to enhance software security and safety (HEAVENS)) [24] or heavily influenced by safety analysis models such as fault tree analysis, Hazard Analysis and Risk Assessment (e.g., security-aware hazard analysis and risk assessment (SAHARA)) [38]. In 2021, the ISO/SAE 21434 standard was published for Road Vehicles-Cybersecurity Engineering, which included EVITA, HEAV-ENS, and TVRA in recommendations for automotive threat modeling.…”
Section: A Threat Analysis Methods In Practice For Automotivementioning
confidence: 99%
“…In 2021, ISO/SAE 21434 standard was published that provides a threat analysis and risk assessment (TARA) guideline for E/E systems within road vehicles [23]. Most of these threat modeling approaches have the foundation of IT-based threat models with some modifications relevant to E/E systems [24]. However, an ADS has a different kind of operating environment and requires a stricter real-time response to changes in that environment than devices in an IT environment.…”
Section: Introductionmentioning
confidence: 99%
“…The extension HEAVENS 2.0 is improved according to gaps that could be identified when comparing HEAVENS 1.0 to the requirements of ISO/SAE 21434. It includes an attack path analysis and risk treatment decisions with the result of identifying cybersecurity goals, and claims to be compliant with the regulation [ 13 ]. HEAVENS 1.0 and 2.0, as mentioned in [ 13 ], have the potential to be used in industries with similar characteristics, such as the medical device industry, with some slight modifications.…”
Section: Background and State Of The Artmentioning
confidence: 99%
“…Besides the SAE J3061 Cybersecurity guidebook, the ISO/SAE 21434 regulation defines an automotive-specific cybersecurity engineering standard concerning the whole vehicle life cycle [ 65 ]. A key aspect of the standard is the TARA, which is used to identify security risks and threats, with the purpose of developing countermeasures and mitigation strategies [ 13 ].…”
Section: Background and State Of The Artmentioning
confidence: 99%
See 1 more Smart Citation