Automated TARA Framework for Cybersecurity Compliance of Heavy Duty Vehicles

Recent advancements towards autonomous heavy-duty vehicles are directly associated with increased interconnectivity and software driven features. Consequently, rise of this technological trend is bringing forth safety and cybersecurity challenges in form of new threats, hazards and vulnerabilities. As per the recent UN vehicle regulation 155, several risk-based security models and assessment frameworks have been proposed to counter the growing cybersecurity issues, however, the high budgetary cost to develop the tool and train personnel along with high risk of leakage of trade secrets, hinders the automotive manufacturers from adapting these third party solutions. This paper proposes an automated Threat Assessment & Risk Analysis (TARA) framework aligned with the standard requirements, offering an easy to use and fully customizable framework. The proposed framework is tailored specifically for heavy-duty vehicular networks and it demonstrates its effectiveness on a case study. The proposed framework incorporates the findings of UN Task Force on Cyber Security and over-the-air (OTA) issues and guidelines from ISO/SAE 21434 to identify the security lapses in the design phase of a vehicular electrical and/or electronic E/E network. It is designed to automate the process of TARA, thereby assisting the security analysts and reducing the inconsistencies in TARA evaluation. It draws the architectural model of the case study using data flow diagrams (DFD), performs threat modeling, estimates the risk value for the system and suggests controls for the reported threats. The versatile nature of the framework enables it to be adapted for threat modeling of other types of vehicles and cyber physical systems in general.*