A Study on Comprehensive Evaluation of Intelligent Connected Vehicle Cybersecurity
To be published on April 2, 2019 by SAE International in United States
In view of the automotive cybersecurity incidents occur frequently, but there is no automotive cybersecurity evaluation standard, a comprehensive evaluation method is proposed, which firstly reviews the process of obtaining automotive cybersecurity function requirements through threat analysis and risk assessment. Then the international research projects on automotive cybersecurity and the key issues are summarized. It is proposed to score (0-100) from the three dimensions of cybersecurity level, intelligence level and enterprise incident response capacity, and comprehensively evaluate the cybersecurity performance level of automobile. Cybersecurity level includes cybersecurity concept design, protection scheme verification and penetration test. We conducted penetration testing from seven aspects, including network architecture, ECU, T-box, radio, IVI, cloud platform, APP, considering 30 test groups, including software security, hardware security, communication security, identity authentication, data security, etc., and 108 test cases. The intelligence level is evaluated according to 40 documents of 5 categories, and the enterprise's incident response capacity is evaluated according to 20 documents of 5 categories. The analytic hierarchy process (AHP) is adopted to determine the weight distribution of cybersecurity level, intelligence level and enterprise incident response capacity. To ensure the reasonableness of weight allocation, 50 people of different gender, occupation and education background were invited to fill in the questionnaire. The specific scoring method for three dimensions is given and the comprehensive evaluation case of vehicle information security is given. Finally, the finiteness of this method is summarized, and it is pointed out that it can be further studied in the aspect of vulnerability rating specification and document review rules.