Michele Scalas,Giorgio Giacinto

DOI: https://doi.org/10.48550/arXiv.1910.01037

2019-10-02

Abstract:The automotive industry is experiencing a serious transformation due to a digitalisation process and the transition to the new paradigm of Mobility-as-a-Service. The next-generation vehicles are going to be very complex cyber-physical systems, whose design must be reinvented to fulfil the increasing demand of smart services, both for safety and entertainment purposes, causing the manufacturers' model to converge towards that of IT companies. Connected cars and autonomous driving are the preeminent factors that drive along this route, and they cause the necessity of a new design to address the emerging cybersecurity issues: the "old" automotive architecture relied on a single closed network, with no external communications; modern vehicles are going to be always connected indeed, which means the attack surface will be much more extended. The result is the need for a paradigm shift towards a secure-by-design approach.

Cryptography and Security

Zeinab El-Rewini,Karthikeyan Sadatsharan,Daisy Flora Selvaraj,Siby Jose Plathottam,Prakash Ranganathan

DOI: https://doi.org/10.1016/j.vehcom.2019.100214

IF: 6.7

2020-06-01

Vehicular Communications

Abstract:As modern vehicles are capable to connect to an external infrastructure and Vehicle-to-Everything (V2X) communication technologies mature, the necessity to secure communications becomes apparent. There is a very real risk that today's vehicles are subjected to cyber-attacks that target vehicular communications. This paper proposes a three-layer framework (sensing, communication and control) through which automotive security threats can be better understood. The sensing layer is made up of vehicle dynamics and environmental sensors, which are vulnerable to eavesdropping, jamming, and spoofing attacks. The communication layer is comprised of both in-vehicle and V2X communications and is susceptible to eavesdropping, spoofing, man-in-the-middle, and sybil attacks. At the top of the hierarchy is the control layer, which enables autonomous vehicular functionality, including the automation of a vehicle's speed, braking, and steering. Attacks targeting the sensing and communication layers can propagate upward and affect the functionality and can compromise the security of the control layer. This paper provides the state-of-the-art review on attacks and threats relevant to the communication layer and presents countermeasures.

telecommunications,transportation science & technology

Claudiu Vasile Kifor,Aurelian Popescu

DOI: https://doi.org/10.3390/s24186139

2024-09-23

Abstract:Modern vehicles are increasingly interconnected through various communication channels, which requires secure access for authorized users, the protection of driver assistance and autonomous driving system data, and the assurance of data integrity against misuse or manipulation. While these advancements offer numerous benefits, recent years have exposed many intrusion incidents, revealing vulnerabilities and weaknesses in current systems. To sustain and enhance the performance, quality, and reliability of vehicle systems, software engineers face significant challenges, including in diverse communication channels, software integration, complex testing, compatibility, core reusability, safety and reliability assurance, data privacy, and software security. Addressing cybersecurity risks presents a substantial challenge in finding practical solutions to these issues. This study aims to analyze the current state of research regarding automotive cybersecurity, with a particular focus on four main themes: frameworks and technologies, standards and regulations, monitoring and vulnerability management, and testing and validation. This paper highlights key findings, identifies existing research gaps, and proposes directions for future research that will be useful for both researchers and practitioners.

Feng Luo,Xuan Zhang,Zhenyu Yang,Yifan Jiang,Jiajia Wang,Mingzhi Wu,Wanqiang Feng

DOI: https://doi.org/10.3390/s22239211

2022-11-26

Abstract:Modern vehicles are more complex and interconnected than ever before, which also means that attack surfaces for vehicles have increased significantly. Malicious cyberattacks will not only exploit personal privacy and property, but also affect the functional safety of electrical/electronic (E/E) safety-critical systems by controlling the driving functionality, which is life-threatening. Therefore, it is necessary to conduct cybersecurity testing on vehicles to reveal and address relevant security threats and vulnerabilities. Cybersecurity standards and regulations issued in recent years, such as ISO/SAE 21434 and UNECE WP.29 regulations (R155 and R156), also emphasize the indispensability of cybersecurity verification and validation in the development lifecycle but lack specific technical details. Thus, this paper conducts a systematic and comprehensive review of the research and practice in the field of automotive cybersecurity testing, which can provide reference and advice for automotive security researchers and testers. We classify and discuss the security testing methods and testbeds in automotive engineering. Furthermore, we identify gaps and limitations in existing research and point out future challenges.

Florian Sommer,Mona Gierl,Reiner Kriesten,Frank Kargl,Eric Sax

DOI: https://doi.org/10.1145/3644075

IF: 2.717

2024-02-05

ACM Transactions on Privacy and Security

Abstract:Modern vehicles increasingly rely on electronics, software, and communication technologies (cyber space) to perform their driving task. Over-The-Air (OTA) connectivity further extends the cyber space by creating remote access entry points. Accordingly, the vehicle is exposed to security attacks that are able to impact road safety. A profound understanding of security attacks, vulnerabilities, and mitigations is necessary to protect vehicles against cyber threats. While automotive threat descriptions, such as in UN R155, are still abstract, this creates a risk that potential vulnerabilities are overlooked and the vehicle is not secured against them. So far, there is no common understanding of the relationship of automotive attacks, the concrete vulnerabilities they exploit, and security mechanisms that would protect the system against these attacks. In this paper, we aim at closing this gap by creating a mapping between UN R155, Microsoft STRIDE classification, Common Attack Pattern Enumerations and Classifications (CAPECTM), and Common Weakness Enumeration (CWETM). In this way, already existing detailed knowledge of attacks, vulnerabilities, and mitigations is combined and linked to the automotive domain. In practice, this refines the list of UN R155 threats and therefore supports vehicle manufacturers, suppliers, and approval authorities to meet and assess the requirements for vehicle development in terms of cybersecurity. Overall, 204 mappings between UN threats, STRIDE, CAPEC attack patterns, and CWE weaknesses were created. We validated these mappings by applying our Automotive Attack Database (AAD) that consists of 361 real-world attacks on vehicles. Furthermore, 25 additional attack patterns were defined based on automotive-related attacks.

computer science, information systems

Vipin Kumar Kukkala,Sooryaa Vignesh Thiruloga,Sudeep Pasricha

DOI: https://doi.org/10.48550/arXiv.2201.10349

2022-01-20

Abstract:Autonomous vehicles are on the horizon and will be transforming transportation safety and comfort. These vehicles will be connected to various external systems and utilize advanced embedded systems to perceive their environment and make intelligent decisions. However, this increased connectivity makes these vehicles vulnerable to various cyber-attacks that can have catastrophic effects. Attacks on automotive systems are already on the rise in today's vehicles and are expected to become more commonplace in future autonomous vehicles. Thus, there is a need to strengthen cybersecurity in future autonomous vehicles. In this article, we discuss major automotive cyber-attacks over the past decade and present state-of-the-art solutions that leverage artificial intelligence (AI). We propose a roadmap towards building secure autonomous vehicles and highlight key open challenges that need to be addressed.

Cryptography and Security,Artificial Intelligence,Machine Learning

Stefan Marksteiner,Zhendong Ma

DOI: https://doi.org/10.48550/arXiv.1911.06589

2019-11-15

Cryptography and Security

Abstract:The advancing digitalization of vehicles and automotive systems bears many advantages for creating and enhancing comfort and safety-related systems ranging from drive-by-wire, inclusion of advanced displays, entertainment systems up to sophisticated driving assistance and autonomous driving. It, however, also contains the inherent risk of being used for purposes that are not intended for, raging from small non-authorized customizations to the possibility of full-scale cyberattacks that affect several vehicles to whole fleets and vital systems such as steering and engine control. To prevent such conditions and mitigate cybersecurity risks from affecting the safety of road traffic, testing cybersecurity must be adopted into automotive testing at a large scale. Currently, the manual penetration testing processes cannot uphold the increasing demand due to time and cost to test complex systems. We propose an approach for an architecture that (semi-)automates automotive cybersecurity test, allowing for more economic testing and therefore keeping up to the rising demand induced by new vehicle functions as well as the development towards connected and autonomous vehicles.

Ignacio Fernandez de Arroyabe,Tim Watson,Olga Angelopoulou

DOI: https://doi.org/10.1080/08874417.2022.2103853

2022-08-03

Journal of Computer Information Systems

Abstract:This paper presents a systematic literature review (SLR) on cybersecurity in the automotive industry. Using the R tool Bibliometrix, a total of 537 papers related to cybersecurity and the automotive industry were analyzed. First, our paper contributes to academia by showing that research on this topic is grouped into four clusters that correspond to four lines of research: Automotive Security; Vehicle Engineering; Smart Vehicle; IT Security . Second, our paper contributes to the literature by highlighting the existing gaps. On the subject of standards and framework, there are gaps in terms of what the security requirements must be for the vehicle. This is very important since, given the heterogeneity of technology that vehicles from different manufacturers have, the cybersecurity requirements are different. Additionally, a gap can also be observed in the literature on the supply chain, which has a very small number of papers. In general, they do not cover or elaborate on the supply chain security, when, from a manufacturing point of view, it is very important to manage an effective cybersecurity strategy for the vehicles. Moreover, our paper also contributes to managers and policy-makers' understanding of cybersecurity. We show that adequate implementation of cybersecurity in the automotive must involve a multidimensional perspective. First, it should be a multistage model , ranging from the first stages of design in interconnection with the suppliers to the final stages of use by the customer. Second, it should be a multi-level model , as a consequence of the interconnection of the vehicle's control systems. Finally, the model should be multi-feedback , structuring the process design as a feedback system, including incident response, diagnosis services and vehicle updates.

computer science, information systems

Nicola Scarano,Luca Mannella,Alessandro Savino,Stefano Di Carlo

2024-07-10

Abstract:The increasing adoption of connectivity and electronic components in vehicles makes these systems valuable targets for attackers. While automotive vendors prioritize safety, there remains a critical need for comprehensive assessment and analysis of cyber risks. In this context, this paper proposes a Social Media Automotive Threat Intelligence (SOCMATI) framework, specifically designed for the emerging field of automotive cybersecurity. The framework leverages advanced intelligence techniques and machine learning models to extract valuable insights from social media. Four use cases illustrate the framework's potential by demonstrating how it can significantly enhance threat assessment procedures within the automotive industry.

Social and Information Networks

Giampaolo Bella,Gianpietro Castiglione,Sergio Esposito,Mario Raciti,Salvatore Riccobene

2024-10-18

Abstract:Data and derived information about target victims has always been key for successful attacks, both during historical wars and modern cyber wars. Ours turns out to be an era in which modern cars generate a plethora of data about their drivers, and such data could be extremely attractive for offenders. This paper seeks to assess how well modern cars protect their drivers' data. It pursues its goal at a requirement level by analysing the gaps of the privacy policies of chief automakers such as BMW and Mercedes with respect to the General Data Protection Regulation (GDPR). It is found that both brands are still imprecise about how they comply with a number of GDPR articles, hence compliance often results non-verifiable. Most importantly, while BMW exhibits slightly broader compliance, both brands still fail to comply with a number of relevant articles of the regulation. An interpretation of these findings is a non-negligible likelihood that your car may turn against you should cyberwarfare break out.

Cryptography and Security,Emerging Technologies

Marco De Vincenzi,Mert D. Pesé,Chiara Bodei,Ilaria Matteucci,Richard R. Brooks,Monowar Hasan,Andrea Saracino,Mohammad Hamad,Sebastian Steinhorst

2024-11-16

Abstract:The growing reliance on software in vehicles has given rise to the concept of Software-Defined Vehicles (SDVs), fundamentally reshaping the vehicles and the automotive industry. This survey explores the cybersecurity and privacy challenges posed by SDVs, which increasingly integrate features like Over-the-Air (OTA) updates and Vehicle-to-Everything (V2X) communication. While these advancements enhance vehicle capabilities and flexibility, they also come with a flip side: increased exposure to security risks including API vulnerabilities, third-party software risks, and supply-chain threats. The transition to SDVs also raises significant privacy concerns, with vehicles collecting vast amounts of sensitive data, such as location and driver behavior, that could be exploited using inference attacks. This work aims to provide a detailed overview of security threats, mitigation strategies, and privacy risks in SDVs, primarily through a literature review, enriched with insights from a targeted questionnaire with industry experts. Key topics include defining SDVs, comparing them to Connected Vehicles (CVs) and Autonomous Vehicles (AVs), discussing the security challenges associated with OTA updates and the impact of SDV features on data privacy. Our findings highlight the need for robust security frameworks, standardized communication protocols, and privacy-preserving techniques to address the issues of SDVs. This work ultimately emphasizes the importance of a multi-layered defense strategy,integrating both in-vehicle and cloud-based security solutions, to safeguard future SDVs and increase user trust.

Cryptography and Security,Operating Systems

Jerry Emmanuel,Chidera Prince Eze,Jelili Oyelade,Itunuoluwa Isewon,Christopher Iyanu-Oluwa Onietan

DOI: https://doi.org/10.1109/SEB-SDG57117.2023.10124561

2023-04-05

Abstract:The increasing integration of technology in automobiles has raised industry concerns about cyber-security. This paper provides an overview of the most recent developments in automobile cyber-security practices, pointing out the most important areas of cyber security that need more research in the context of self-driving cars and the automobile industry. Considering the different communities of cybersecurity mapped out by previous researchers, we explored each of these communities with respect to automobiles. The community of cybersecurity is subjected to intrusion detection, cryptography, sensor networks, information hiding, intrusion detection, biometrics, authentication, usable security, and access control. From the systematic review done, we found out the bulk of security research in the automobile industry is geared towards intrusion detection. The use of chaos-based picture encryption, visual cryptography, biometric fingerprinting, keystroke dynamics, background subtraction, gait identification, provable security, provable data possession, block ciphers, differential power analysis, hardware trojans, physical unclonable functions, etc., although used in the industry, has yet to be explored with respect to the security of vehicles, their networks, and the automobile industry. The results show that some of the different communities of cybersecurity towards automobiles are still in their infancy with opportunities for novel work.

Engineering,Computer Science

Yuefeng Du,Zhiqiang Cai,Le Yu,Wenkai Zhang,Pengfei Jing,Yingjie Cao,Shi Wu,Sen Nie,Xiapu Luo,Chenxiong Qian

DOI: https://doi.org/10.1109/SP54263.2024.00080

2024-05-19

Abstract:As modern vehicles become increasingly complex in terms of both external attack surfaces and internal in-vehicle network (IVN) topology, ensuring their cybersecurity remains a challenge. Existing standards and regulations, such as WP29 R155e and ISO 21434, attempt to establish a baseline for automotive cybersecurity, but their sufficiency in addressing the evolving threats is unclear. To fill in this gap, we first carried out an in-depth interview study with 15 experts in automotive cybersecurity, uncovering the particular challenges encountered during security activities and the limitations of current regulations. We identified 20 key insights from the interview data, ranging from the challenges and gaps in the existing automotive security industry to the limitations and recommendations for current regulations. Notably, we discovered that the quality of threat cases provided by existing regulations is unsatisfactory, and the Threat Analysis and Risk Assessment (TARA) process is often highly inefficient due to the lack of automatic tools. In response to the above limitations, we first built an improved threat database for automotive systems using the collected interview data, which enhanced the existing database both quantitatively and qualitatively. Additionally, we present CarVal, a datalog-based approach designed to infer multi-stage attack paths in IVNs and calculate risk values, thereby making TARA more efficient for automotive systems. By applying CarVal to five real vehicles, we performed extensive security analysis based on the generated attack paths and successfully exploited the corresponding attack chains in the newly gateway-segmented IVN, uncovering new automotive attack surfaces that previous research failed to cover, including the in-vehicle browser, official mobile app, backend server, and in-vehicle malware.

Engineering,Computer Science

Shah Khalid Khan,Nirajan Shiwakoti,Peter Stasinopoulos,Matthew Warren

DOI: https://doi.org/10.1016/j.aap.2023.107054

Abstract:Technological advancements in Connected and Automated Vehicles (CAVs), particularly the integration of diverse stakeholder groups (communication service providers, road operators, automakers, repairers, CAV consumers, and the general public) and the pursuit of new economic opportunities, have resulted in the emergence of new technical, legal, and social challenges. The most pressing challenge is deterring criminal behaviour in both the physical and cyber realms through the adoption of CAV cybersecurity protocols and regulations. However, the literature lacks a systematic decision tool to analyze the impact of the potential cybersecurity regulations for dynamically interacting stakeholders, and to identify the leverage points to minimise the cyber-risks. To address this knowledge gap, this study uses systems theory to develop a dynamic modelling tool to analyze the indirect consequences of potential CAVs cybersecurity regulations in the medium to long term. It is hypothesized that CAVs Cybersecurity Regulatory Framework (CRF) is the property of the entire ITS stakeholders. The CRF is modelled using the System Dynamic based Stock-and-Flow-Model (SFM) technique. The SFM is founded on five critical pillars: the Cybersecurity Policy Stack, the Hacker's Capability, Logfiles, CAV Adopters, and intelligence-assisted traffic police. It is found that decision-makers should focus on three major leverage points: establishing a CRF grounded on automakers' innovation; sharing risks in eliminating negative externalities associated with underinvestment and knowledge asymmetries in cybersecurity; and capitalising on massive CAV-generated data in CAV operations. The formal integration of intelligence analysts and computer crime investigators to strengthen traffic police capabilities is pivotal. Recommendations for automakers include data-profiteering in CAV design, production, sales, marketing, safety enhancements and enabling consumer data transparency.Furthermore, CAVs-CRF necessitate a balanced approach to the trade-off between: i) data accessibility constraints on CAV automakers and ITS service providers; ii) regulator command and control thresholds; iii) automakers' business investment protection; and iv) consumers' data privacy guard.

Shah Khalid Khan,Nirajan Shiwakoti,Peter Stasinopoulos,Yilun Chen,Matthew Warren

DOI: https://doi.org/10.1016/j.tranpol.2024.11.019

IF: 6.173

2024-01-01

Transport Policy

Abstract:Connected and Automated Vehicles (CAVs) cybersecurity is an inherently complex, multi-dimensional issue that goes beyond isolated hardware or software vulnerabilities, extending to human threats, network vulnerabilities, and broader system-level risks. Currently, no formal, comprehensive tool exists that integrates these diverse dimensions into a unified framework for CAV cybersecurity assessment. This study addresses this challenge by developing a System Dynamics (SD) model for strategic cybersecurity assessment that considers technological challenges, human threats, and public cybersecurity awareness during the CAV rollout. Specifically, the model incorporates a novel SD-based Stock-and-Flow Model (SFM) that maps six key parameters influencing cyberattacks at the system level. These parameters include CAV communication safety, user adoption rates, log file management, hacker capabilities, understanding of hacker motivations (criminology theory maturity), and public awareness of CAV cybersecurity.The SFM's structure and behaviour were rigorously tested and then used to analyse five plausible scenarios: i) Baseline (Technological Focus Only), ii) Understanding Hacker Motivations, iii) CAV User and OEM Education, iv) CAV Penetration Rate Increase, and v) CAV Penetration Rate Increase with Human Behavior Analysis. Four metrics are used to benchmark CAV cybersecurity: communication safety, probability of hacking attempts, probability of successful defence, and number of CAV adopters. The results indicate that while baseline technological advancements strengthen communication framework robustness, they may also create new vulnerabilities that hackers could exploit. Conversely, a deeper understanding of hacker motivations (Criminology Theory Maturity) effectively reduces hacking attempts. It fosters a more secure environment for early CAV adopters. Additionally, educating CAV users and OEM increases the probability of defending against cyberattacks. While CAV penetration increases the likelihood of hack defence due to a corresponding rise in attempts, there is a noticeable decrease in hacking attempts with CAV penetration when analysing human behaviour. These findings, when translated into policy instruments, can pave the way for a more optimised and resilient cyber-safe ITS.

Sara Landini

DOI: https://doi.org/10.1007/978-3-030-27386-6_14

2019-12-05

Abstract:The digitalization of mobility and the associated increase of data are creating new requirements to be met by vehicle safety and infrastructure in a way to satisfy the requirements of the protection of personal rights and freedoms of data subjects. Automated and connected autonomous vehicles and driving systems (CAVs) require clear cybersecurity and data protection requirements. CAVs are under the obligation to perform their functions safely and reliably across national borders. As the automation and interconnectivity of driving functions increases, the issues of data encryption and cybersecurity will become more important. The rights to individual mobility data, which will emerge, will accordingly need to be clearly regulated.This chapter aims to show the benefits and threats associated with the use of automated cars, starting from the definition of automation and self-learning machines. Interventions are reported in terms of legislation and guidelines in Community law. The chapter discusses ethical issues in relation to the use of autonomous vehicles (AVs) and cybersecurity aspects affecting the use of AVs. The chapter concludes by highlighting the importance of giving relevance to the decision-making autonomy of machines in regulation.

David Fernández Blanco,Frédéric Le Mouël,Trista Lin,Marie-Pierre Escudié

DOI: https://doi.org/10.1109/access.2023.3294256

IF: 3.9

2023-07-29

IEEE Access

Abstract:Over the last few decades, automotive embedded Information and Communication Technology (ICT) systems have been used to enhance vehicle performance and enrich peopleâ's driving experience, increasing the panel of software features within them. However, even though until now automakers have kept up with the innovation pace in terms of the functionalities that have been offered to passengers, the majority of automakers' efforts have concentrated on bringing in these new functionalities by adding an unceasingly larger set of ECUs. All of this has been done without evolving any of the embedded software architecture consequently, due to budgetary constraints, legislative limitations, retro-compatibility problems, and a lack of awareness of the trending IT innovation. This unbalanced progress has then led to a substantial increase in in-vehicle architectural complexity, which has become a major concern for automakers nowadays as it makes the vehicle repairing process more complex, decreases software traceability and clashes with the objective of having higher business flexibility, modularity, and dynamicity within the vehicles. In this paper, we are going to go through literature, both academic and industrial, and propose a comprehensive study into automotive system transformation. We begin by giving a detailed analysis of the causes of evolution under five axes - i.e., society, business, industry, application, and technical. Then, we discuss the convergence of cars and software life cycles and propose a three-layered analysis of automotive ICT systems consisting of architecture design, software pipelines, and run-time management. Finally, we are going to propose certain detailed guidelines on the evolution perspectives for automotive systems through deriving from the convergence of advances in IT, as well as current and future automotive environmental constraints.

computer science, information systems,telecommunications,engineering, electrical & electronic

Feng Luo,Yifan Jiang,Jiajia Wang,Zhihao Li,Xiaoxian Zhang

DOI: https://doi.org/10.3390/s23104979

2023-05-22

Abstract:The rapid development of intelligent connected vehicles has increased the attack surface of vehicles and made the complexity of vehicle systems unprecedented. Original equipment manufacturers (OEMs) need to accurately represent and identify threats and match corresponding security requirements. Meanwhile, the fast iteration cycle of modern vehicles requires development engineers to quickly obtain cybersecurity requirements for new features in their developed systems in order to develop system code that meets cybersecurity requirements. However, existing threat identification and cybersecurity requirement methods in the automotive domain cannot accurately describe and identify threats for a new feature while also quickly matching appropriate cybersecurity requirements. This article proposes a cybersecurity requirements management system (CRMS) framework to assist OEM security experts in conducting comprehensive automated threat analysis and risk assessment and to help development engineers identify security requirements prior to software development. The proposed CRMS framework enables development engineers to quickly model their systems using the UML-based (i.e., capable of describing systems using UML) Eclipse Modeling Framework and security experts to integrate their security experience into a threat library and security requirement library expressed in Alloy formal language. In order to ensure accurate matching between the two, a middleware communication framework called the component channel messaging and interface (CCMI) framework, specifically designed for the automotive domain, is proposed. The CCMI communication framework enables the fast model of development engineers to match with the formal model of security experts for threat and security requirement matching, achieving accurate and automated threat and risk identification and security requirement matching. To validate our work, we conducted experiments on the proposed framework and compared the results with the HEAVENS approach. The results showed that the proposed framework is superior in terms of threat detection rates and coverage rates of security requirements. Moreover, it also saves analysis time for large and complex systems, and the cost-saving effect becomes more pronounced with increasing system complexity.

Shah Khalid Khan,Nirajan Shiwakoti,Peter Stasinopoulos,Yilun Chen

DOI: https://doi.org/10.1016/j.aap.2020.105837

Abstract:Modern-day Connected and Autonomous Vehicles (CAVs) with more than 100 million code lines, running up-to a hundred Electronic Control Units (ECUs) will create and exchange digital information with other vehicles and intelligent transport networks. Consequently, ubiquitous internal and external communication (controls, commands, and data) within all CAV-related nodes is inevitably the gatekeeper for the smooth operation. Therefore, it is a primary vulnerable area for cyber-attacks that entails stringent and efficient measures in the form of "cybersecurity". There is a lack of systematic and comprehensive review of the literature on cyber-attacks on the CAVs, respective mitigation strategies, anticipated readiness, and research directions for the future. This study aims to analyse, synthesise, and interpret critical areas for the roll-out and progression of CAVs in combating cyber-attacks. Specifically, we described in a structured way a holistic view of potentially critical avenues, which lies at the heart of CAV cybersecurity research. We synthesise their scope with a particular focus on ensuring effective CAVs deployment and reducing the probability of cyber-attack failures. We present the CAVs communication framework in an integrated form, i.e., from In-Vehicle (IV) communication to Vehicle-to-Vehicle (V2X) communication with a visual flowchart to provide a transparent picture of all the interfaces for potential cyber-attacks. The vulnerability of CAVs by proximity (or physical) access to cyber-attacks is outlined with future recommendations. There is a detailed description of why the orthodox cybersecurity approaches in Cyber-Physical System (CPS) are not adequate to counter cyber-attacks on the CAVs. Further, we synthesised a table with consolidated details of the cyber-attacks on the CAVs, the respective CAV communication system, its impact, and the corresponding mitigation strategies. It is believed that the literature discussed, and the findings reached in this paper are of great value to CAV researchers, technology developers, and decision-makers in shaping and developing a robust CAV-cybersecurity framework.

Jürgen Dobaj,Damjan Ekert,Jakub Stolfa,Svatopluk Stolfa,Georg Macher,Richard Messnarz

DOI: https://doi.org/10.3897/jucs.72367

2021-08-28

Abstract:Cybersecurity has become a crucial challenge in the automotive sector. At the current stage, the framework described by the ISO/SAE 21434 is insufficient to derive concrete methods for the design of secure automotive networked embedded systems on the supplier level. This article describes a case study with actionable steps for designing secure systems and systematically eliciting traceable cybersecurity requirements to address this gap. The case study is aligned with the ISO/SAE 21434 standard and can provide the basis for integrating cybersecurity engineering into company-specific processes and practice specifications.