Software or hardware development permits vulnerabilities;
Network design introduces vulnerabilities;
Physical loss of data can occur;
Unintended transfer of data can occur;
Physical manipulation of systems can enable an attack.
The threat analysis should also consider possible attack outcomes. These can help ascertain the severity of a risk and identify additional risks and possible mitigations. Possible attack outcomes could include:
Safe operation of vehicle affected
More detailed examples of vulnerabilities or attack methodologies are given against each entry in table 1 of annex 1. This is sufficiently representative to enable the reader to further understand the entries above and to consider how they are addressing them. It is anticipated that new and unforeseen examples of vulnerabilities and attack methodologies will emerge over time. Therefore, neither the list above nor the examples should be considered exhaustive.
Mitigations
The following provides a high-level description of mitigations which the reader would be expected to consider and address in their design of a new or modified product or service:
Security Controls shall be applied to back-end systems to minimize the risk of insider attack
Security Controls shall be applied to back-end systems to minimize unauthorized access
Where back-end servers are critical to the provision of services, there shall be recovery measures in case of system outage
Security Controls shall be applied to minimize risks associated with cloud computing
Security Controls shall be applied to back-end systems to prevent data leakage
Systems shall implement security by design to minimize risks
Access control techniques and designs shall be applied to protect system data/code
Through system design and access control it should not be possible for unauthorized personnel to access personal or system-critical data
Systems should be designed to be resilient to attacks and to respond appropriately when their defenses or sensors fail
For each threat example, one of the above mitigation principles/objectives has been identified which the reader would be expected to consider and address in their design of the new or modified product or service. These are provided in table 2 of annex 1.
Table 2 of annex 1 further provides the reader with examples of how the mitigation principle/objective might be achieved. These are not exhaustive and may not be applicable for the specific implementation of the product or service. Therefore the reader should consider the applicability of the examples provided and whether there might be better solutions for the examples identified.
A detailed description of all the mitigations, with their associated examples that could be used to implement them, can be found in Appendix 2. These are not exhaustive and may not be applicable for the specific implementation of the product or service. Therefore the reader should consider the applicability of the examples provided and whether there might be better solutions for the examples identified.
To help identify specific mitigations, each threat example may be assessed against an “Extended CIA” model. During this assessment the reader should consider how an attack relating to the threat or vulnerability could be initiated and propagate through a vehicle's networks. The extended CIA model identifies seven categories which an attack might impact:
Confidentiality
Integrity
Availability
Non-repudiation
Authenticity
Accountability
Authorization.
Figure 4: The “Extended CIA” model
Using this additional information, the reader can further determine how the changes being introduced might be impacted by a cyber-attack.