1 Introduction

With the vehicles becoming more intelligent and connected, the automotive system is also becoming increasingly complex [1,2,3,4]. The construction of a more open system is inevitable in the development of the automotive industry, which, however, has some downsides. Increment of feature sets, connectivity, and complexity can lead to a large number of interactions in data, thus causing vulnerabilities that may be exploited by hackers, criminals, terrorists, and spies. The automotive system, while having the attributes of information technology (IT) systems, pays more attention to the safety of the road users [5,6,7,8,9]. The dynamic, diversified, and high-level attacks faced by intelligent vehicles may lead to issues involving personal privacy and safety, and even national security [10, 11]. In view of the occurrence of more and more security incidents, automotive cybersecurity has become an important research topic, and a variety of security solutions have been proposed [12, 13]. However, cybersecurity risks cannot be addressed at once because the existing security solutions mainly provide passive and single protection against specific security problems [14]. By identifying and evaluating potential cybersecurity risks, risk assessment helps to provide theoretical supports for choosing security measures. Moreover, a security classification protection system for automotive cybersecurity can be constructed scientifically based on risk assessment and should be performed throughout the entire vehicle lifecycle (i.e., concept, development, production, operation, maintenance, and decommissioning phase) [15, 16]. In addition, the UN regulation on the vehicle approval concerning cybersecurity and cybersecurity management system also puts forward corresponding requirements for cybersecurity risk assessment.

Automotive cyberattacks may cause certain safety implications on cars and drivers, which are different from attacks in IT systems. The automotive cybersecurity risk assessment and IT security assessment differ in assessment methods, although their process is generally consistent. Some analysis methods for automotive cybersecurity risk assessment have been proposed in the past few years, however, few systematic risk assessment frameworks for automobiles have been proposed. This paper presents a systematic risk assessment framework comprised of a specific assessment process and systematic assessment methods.

The rest of this paper is organized as follows. In Sect. 2, the widely used IT risk assessment methods and automobile risk assessment methods are investigated and analyzed. The systematic risk assessment framework of automotive cybersecurity is proposed in Sect. 3. The applicability and feasibility of the proposed framework are presented in Sect. 4. Finally, the conclusions of this study are drawn in Sect. 5.

2 Surveys on Risk Assessment Methods

The cybersecurity risk assessment methods for IT systems have been relatively mature, with some automated assessment tools. As a crucial part of the information system lifecycle, cybersecurity risk assessment involves a series of standards and normative documents, such as GB/T 20984-2007 and 31509-2015. Moreover, several risk assessment methods for information cybersecurity have been applied to other industries as shown in Table 1. These methods are designed to identify the possible harms (e.g., vulnerabilities and threats) and resolve security issues. Although these risk assessment methods have some overlapping characteristics, they focus on different issues.

Table 1 Analysis of risk assessment methods
Full size table

Automotive industry cannot directly adopt existing risk assessment methods of IT security, but certain assessment models and parameters can be used for automotive cybersecurity risk assessment. STRIDE method considered threats based on what the attackers were trying to achieve rather than the infinite variety of attacks and attack techniques [24]. This method can be used to identify potential threats to automobiles. CVSS can be applied directly to rating IT security vulnerabilities. In the cybersecurity risk assessment of automobiles, some CVSS indicators can be used to assess risk elements [21, 25]. The OWASP method determined the severity of the risk by considering the quantifiable probability and impact parameters. Such two factors can be also considered to determine the risk level of the automotive cybersecurity.

As the foundation of vehicle cybersecurity engineering, risk assessment is a challenging research content. Many researchers have focused on the cybersecurity risk assessment of automobiles and proposed some risk assessment methods. After considering the severity of potential consequences, the possibility of attack, and controllability, Ruddle et al. [26] proposed an automotive cybersecurity risk assessment method in the E-safety vehicle intrusion protection application (EVITA) project. In the EVITA method, the attack potentiality parameters were obtained from common criteria [27], while other parameters (such as safety, financial, operational, and privacy parameter) were considered in the impact aspect. This method provided a detailed definition of safety parameters, while the definitions of the other three impact parameters were vague. Wolf and Sheibel [28] proposed a systematic and quantitative security risk analysis method based on evaluating the difficulty of attack and potential damage factors. Although this approach proposed some improvements in risk calculation, the privacy impact was ignored. Boudguiga et al. [29] proposed a risk analysis method by combining EVITA and TVRA methods. This method of risk analysis improved the EVITA attack tree method by using functional descriptions instead of attack objectives. In addition, the risk rating scheme of this method was consistent with that of TVRA through the risk computation method based on EVITA controllability. However, the feasibility of the risk analysis method for cooperative engines had not been demonstrated.

The STRIDE method shifts the focus from identifying specific attacks to the result of potential attacks, which does not require high cybersecurity skills and attack experience. Some recent studies have applied the STRIDE model to assess the potential risks of automobiles. Macher et al. [30] proposed a risk assessment method that integrated the STRIDE threat model into the hazard analysis and risk assessment. The method mapped the cyberattack goals to safety use cases in ISO 26262-3:2018 and added the security factor to assess automobiles [31]. However, the security-level parameters only considered the required knowledge, tools and threat criticality, and no other attack possibility or impact parameters were involved. Islam et al. [32] presented a threat analysis and risk assessment method by combining with the STRIDE model. The method mapped security objectives with impact parameters in the risk assessment and helped to describe possible threat impacts on stakeholders. Although this method provided an estimation of industry-based impact parameters, the method was only applicable to the concept phase of the vehicle lifecycle.

Dominic et al. [33] proposed a risk assessment method of cooperative automated driving that combined STRIDE classification and reference architecture of automated driving. However, the complexity of the threat model parameters presented in their method increased the evaluation workload. Monteuuis et al. [34] considered the threat analysis against human omissions and the trustworthiness for fully autonomous vehicles and proposed a controllability measure for attack observation. They adopted an improved STRIDE model and an attack tree method to analyze threats and compute risk value. The method presented a novel idea for the risk assessment of automotive cybersecurity.

The risk assessment methods for IT systems in the automotive industry have been applied in some international research projects, such as the EVITA project and healing vulnerabilities to enhance software security and safety (HEAVENS) project. The EVITA method was based on the attack trees model [35] and considered the driver controllability factor concerning safety-related threats [26]. This method did not consider the legislation factor of risk rating and focused on all the possible potential attacks against TOE, although the attacks are dynamic and practical. As an improved method of EVITA, the HEAVENS method focused on the threat analysis and risk assessment of automotive security engineering processes [24]. In the threat analysis, the architecture overview in the threat modeling process of STRIDE was no longer considered, the decomposition application step was eliminated, and the threat rating was performed in the risk assessment process. As a threat-centric model developed based on the STRIDE, this method established a mapping between security attributes and threats. However, the HEAVENS method is mainly used for the concept phase of the vehicle lifecycle.

The majority of studies have focused on risk rating methods, but the overall cybersecurity risk assessment process and systematic assessment methods of automobiles are rarely proposed. Some of the above methods are only applicable to the concept phase of the vehicle lifecycle. As the threat environment or TOE changes in different stages of the vehicle lifecycle, security vulnerabilities will emerge at some stages, leading to security risks for automobile assets. These methods hardly take into account the changes of the threat environment, TOE, and available information in the vehicle lifecycle. Moreover, the attack tree method and the STRIDE model have been used in the threat analysis of EVITA and HEAVENS, respectively. However, the attack tree method in EVITA required highly specialized evaluators, and the threat analysis using the STRIDE model lacked depth and details. In this study, a systematic risk assessment framework for automobile cybersecurity is proposed, including the assessment process and systematic assessment methods. The applicability and feasibility of the assessment framework are demonstrated with the use case of a telematics box (T-Box) remote-control function.

3 Systematic Risk Assessment Framework

The cybersecurity risk assessment of automobiles should cover the whole vehicle lifecycle and consider the changes of threat environment, TOE, and available information in vehicle lifecycle. In addition to financial loss and information leakage, personal safety is also subject to automotive cybersecurity threats. Moreover, due to the wide variety of automotive cybersecurity assets and various attack means, the risk assessment of automotive cybersecurity is very complicated. For this reason, a systematic framework is presented in this study. The framework is organized into two blocks, namely the risk assessment process and systematic assessment methods. The risk assessment process consists of risk identification, risk analysis, and risk assessment; the assessment methods in each activity are described in the corresponding process as shown in Fig. 1.

Fig. 1
figure 1

Risk assessment framework of automotive cybersecurity

Full size image

3.1 Risk Identification

In automotive risk identification, TOE or use cases should be determined before asset identification to judge whether the candidate in an item are true assets. Then, threat identification is performed to identify the threat scenarios in the cybersecurity properties of assets. According to the ENISA asset taxonomy method [36], automobile assets can be classified into eight categories (i.e., sensors and actuators, information, in-vehicle communication components, communication networks and protocols, vehicle functions, software management, decision-making algorithms, networks, and domain isolation features). Combined with the asset categories, the data flow diagram could be constructed on the basis of TOE/use case to identify fine-grained assets and describe the related security attributes and damage scenarios. After asset identification, the threat classification method of STRIDE as shown in Table 2 is adopted to identify threats and describe the threat scenario of each asset based on the data flow diagram. The STRIDE model focuses on identifying the influence of potential attacks or goals of the attacker with the SDL threat modeling tool [19, 24].

Table 2 STRIDE model threat classification
Full size table

3.2 Risk Analysis

Risk analysis aims to assess the impact of the threat scenario and attack feasibility of each attack path. It consists of impact assessment and attack analysis. Impact assessment aims to estimate the magnitude of damage caused by compromised cybersecurity properties of assets. Attack analysis activity mainly includes attack path analysis and attack feasibility assessment. Given that automotive cybersecurity problems presumably curtail driving safety, user privacy security, national security, and the associated impacts on stakeholders (i.e., safety (\(S\)), finance (\(F\)), operation (\(O\)), and privacy or legislation (\(P\))) could be determined [26, 32]. The impact assessment parameters can be quantified according to relevant industry standards, such as ISO 26262-3:2018 and BSI 100–4. The impact assessment parameters in this framework refer to those in the HEAVENS method, as shown in Table 3 [24].

Table 3 Automotive cybersecurity impact assessment parameters
Full size table

According to the estimated impact parameters, the sum can be computed to obtain the impact level as shown in Table 4. The equation is expressed as follows:

$$I = S{ + }F + O + P$$
(1)

where \(I\) is the total impact value.

Table 4 Automotive cybersecurity impact level
Full size table

Attack path analysis is used to identify the potential attack paths and then link them to threat scenarios. In this activity, the attack tree method [35] is utilized to construct the attack paths based on the identified threat scenarios that are considered to be the root node of the attack tree. Attack feasibility assessment is applied to assess the ease of exploiting each attack path. In the process of attack path analysis and attack feasibility assessment, the changes in the threat environment, TOE, and the available information during the vehicle lifecycle should be considered. Then, three attack feasibility assessment methods are adopted, i.e., attack potential-based method, CVSS exploitability-based method, and attack vector-based method. The selection of the attack feasibility assessment approach depends on the phase in the vehicle lifecycle and available information. When the attack feasibility level or impact level is equal to 0, there is no potential risk. In this paper, the impact level and attack feasibility level are divided into 4 levels (1–4), without considering the quality management level.

The attack potential is derived from ISO/IEC 18045:2008 and has been redefined considering the characteristics of automobiles. Based on this, the assessment parameters (i.e., expertise (\(EX\)), knowledge about TOE (\(KN\)), window of opportunity (\(WI\)), equipment (\(EQ\))) of attack feasibility are determined by referring to the HEAVENS method, as shown in Table 5. Similarly, the sum can be computed to derive the attack feasibility level according to the parameters shown in Table 6. Considering the attack feasibility level value is 0 when the sum of parameter values exceeds 9, this paper dose not analyze this case any longer. The equation is expressed as follows:

$$AF = EX + KN + WI + EQ$$
(2)

where \(AF\) is the total attack feasibility value.

Table 5 Attack potential-based feasibility parameters
Full size table
Table 6 Attack potential-based feasibility level
Full size table

In the early phase of product development, the attack feasibility can be qualitatively estimated based on the attack vector, when the available information is insufficient to determine a specific attack path. Attack vectors can be divided into 4 categories, namely network, adjacent, local, and physical, as shown in Table 7 [21]. The attack feasibility level increases with the increasing of the remoteness of the attack path. The CVSS exploitability-based method can be determined by the exploitability metrics group in the CVSS base metrics. The exploitability metrics group includes 4 parameters, i.e., attack vector (\(V\)), attack complexity (\(C\)), privileges required (\(P\)), and user interaction (\(U\)), as shown in Tables 8 and 9. In the CVSS exploitability-based method, the equation is expressed as follows [21]:

$$E = {8}{\text{.22}} \times V \times C \times P \times U$$
(3)
Table 7 Attack vector-based feasibility level
Full size table
Table 8 CVSS exploitability-based attack feasibility parameters
Full size table
Table 9 CVSS exploitability-based attack feasibility level
Full size table

where \(E\) is the exploitability value.

3.3 Risk Assessment

To determine the risk level, risk assessment is performed according to the impact level of damage scenarios and the attack feasibility level of attack paths. After the aforementioned activities, the risk values can be calculated, forming a risk matrix to be used for risk assessment. In the aforementioned risk assessment methods, most of the risk levels are determined by risk matrix. The construction of risk matrix mainly depends on the evaluation experience, without quantitative analysis. In this study, the global rating algorithm [37] is used to construct the risk matrix of automotive cybersecurity, as shown in Table 10. The risk value is calculated as follows:

$$R = \sqrt {m\left( I \right)^{2} + n\left( {AF} \right)^{2} }$$
(4)
Table 10 Automotive cybersecurity risk matrix
Full size table

where \(R\) is the risk value, \(m\) and \(n\) are the weight parameters of \(I\) and \(AF\), respectively. The impact and attack feasibility factors are hypothesized to have the same contribution to risk. Thus, \(m\) and \(n\) are both set to 0.5.

The risk level should also be determined based on the impact level and the attack feasibility level. The risk values calculated from Eq. (4) can be used to construct the cybersecurity risk matrix. The equation is expressed as follows:

$$RL = F\left( {IL,AL} \right)$$
(5)

where \(RL\) is risk level value; \(IL\) is impact level value; \(AL\) is attack feasibility level value; \(F\) represents the risk function of \(IL\) and \(AL\).

3.4 Advantages of the Proposed Framework

The systematic risk assessment framework of the automotive cybersecurity presented in this study shows the following advantages:

  1. (1)

    Compared with existing risk assessment methods for automobiles, the proposed framework has a specific risk assessment process and systematic risk assessment methods, which make it more effective.

  2. (2)

    The proposed framework demonstrates a comprehensive manner to analyze the possible attack paths of system assets through the integration of the STRIDE model and attack tree.

  3. (3)

    This framework considers the changes in the threat environment, TOE, the available information, and proposes three attack feasibility assessment methods. Thus, the proposed systematic risk assessment framework can be applied throughout the vehicle lifecycle.

  4. (4)

    The automotive cybersecurity risk matrix has been constructed using a global rating algorithm, which can create quantitative risk metrics and enhance the objectivity of assessment results.

4 Risk Assessment Application

As a key equipment of the automotive network connection system, telematics box (T-Box) is mainly used for automobile communication with telematics service and applications. T-Box is an embedded system that integrates MCU/CPU, flash, GPS, 3G/4G, Wi-Fi, bluetooth, and other modules and provides the connection between in-vehicle networks and the mobile phone/PC through the cloud platform. Therefore, there are many communication interfaces for vehicle connection, e.g., Wi-Fi, cellular network, GPS, serial port, and gateway. While these communication interfaces provide attack channels and remote attack possibility for vehicular function systems. According to the real-world cybersecurity vulnerabilities and the attack feasibility of vehicles, a T-Box device is taken as a use case for cybersecurity risk assessment. The data flow diagram of T-Box is shown in Fig. 2.

Fig. 2
figure 2

Automotive T-Box data flow diagram

Full size image

T-Box can realize vehicle remote control, anti-theft, bluetooth control, firmware over-the-air, and other vehicle remote-control functions. Users can send door-unlocking instructions through the mobile phone application. The instruction is sent to the T-Box in the vehicle through the telematics service provider (TSP) cloud platform, and then the T-Box sends the instruction to the controller area network (CAN) to unlock the doors. The module of T-Box remote-control function is shown in Fig. 3.

Fig. 3
figure 3

T-Box remote-control function module

Full size image

The attackers can reverse the analysis of the T-Box firmware, and send spoof control commands to unlock the doors. An example of the T-Box is given to show how to use the framework to assess the cybersecurity risk of automobiles. The in-vehicle infotainment system (IVI) is accessed through the hotspot. The command execution vulnerability is used to execute the system command and bounces the shell window to the terminal test computer. After entering the IVI system, the route information is viewed through the route command to obtain the T-Box IP address. Through secure shell roaming in the T-Box, the firmware of the application program is analyzed, and the remote-control program is called to unlock the door.

This paper analyzes the feasibility of the attack event using the attack potential-based feasibility parameters as shown in Table 5. The attackers should have a certain understanding of cybersecurity and should be a practitioner, then the required TOE knowledge can be controlled by the developers. Besides these, it is necessary to purchase some dedicated equipment or write attack scripts or programs. This attack event can be realized through remote accessing and attacking, and the window of opportunity is relatively high. Therefore, the results of attack feasibility assessment are \(EX\) = 1, \(KN\) = 1, \(WI\) = 1, \(EQ\) = 1, and \(AL\) = 2 according to Tables 5 and 6. The significance of this score is not to accurately quantify the probability of a successful attack, but to evaluate the correlation coefficient of risk in an abstract way. In terms of impact assessment, an attacker can illegally open the door, to steal property or the vehicle, causing financial loss. In addition, the attack case has a certain impact on operation. According to the information listed in Tables 3 and 4, the results of impact assessment are \(S\) = 0, \(F\) = 10, \(O\) = 10, \(P\) = 0, and \(IL\) = 2. Therefore, the risk level value can be set to 2 according to the risk matrix in Table 10. The results of risk assessment of automotive cybersecurity could provide proper evidence to support security measures for automobiles. This use case proves the applicability and feasibility of the proposed systematic assessment framework.

5 Conclusions

As an important evaluation method for security assurance, cybersecurity risk assessment assists in determining the security status of automotive systems and extracting the automotive security requirements. This study proposes a systematic risk assessment framework of automotive cybersecurity that comprises a specific risk assessment process and systematic risk assessment methods, which is applicable to all phases of the vehicle lifecycle. A comprehensive method has been established to analyze cybersecurity assets, threats, and attack paths of automobiles. Moreover, the proposed framework provides assessment indicators of impact and attack feasibility and a quantitative cybersecurity risk matrix, which helps to enhance the objectivity of risk assessment. Finally, the applicability and feasibility of the proposed framework are demonstrated by assessing the potential risk of the T-Box remote-control function.

As an important foundation for the realization of automotive cybersecurity, risk assessment provides effective solutions for the security of intelligent vehicles. In the entire vehicle lifecycle, cybersecurity risk assessment activities have clear pertinence and focus. However, there are still some difficulties in the research, such as the lack of a unified assessment indicator system and the distraction of subjective factors.

In future research, the following aspects will be further investigated: improving the theoretical system of cybersecurity risk assessment to enhance the practicability of assessment models and methods; improving the cybersecurity risk assessment indicator system to enhance the comparability of risk assessment results (e.g., impact and attack feasibility indicators).