The increasing autonomy and connectivity of off-highway vehicles—such as tractors, harvesters, and construction equipment—introduce new cybersecurity challenges, particularly within the sensor-to-control data flow that governs real-time decision-making and actuation. These architectures comprise a mix of embedded sensors, electronic control units (ECUs), communication buses (e.g., CAN, Ethernet), and actuators, all of which are susceptible to cyber-physical threats that can compromise safety, performance, and reliability.
This paper proposes a systematic application of threat modeling, using the STRIDE framework, to assess and mitigate risks in sensor-control systems specific to autonomous off-highway machinery. It provides a practical methodology for identifying trust boundaries, constructing Data Flow Diagrams (DFDs), and mapping threats such as spoofing of GNSS/GPS inputs, CAN message injection, sensor data tampering, and control logic manipulation.
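A compact illustration of the methodology described above, as an added example that is not part of the paper: a small DFD of a GNSS-to-steering chain with trust boundaries, run through the STRIDE-per-element table so that flows crossing a boundary (the RF link and the CAN messages) surface first. Element names, boundaries and the priority ranking are assumptions constructed for the example.

```python
"""STRIDE-per-element threat enumeration for a sensor-to-control DFD.
Added example; the elements, trust boundaries and buses are constructed."""
from dataclasses import dataclass

STRIDE_PER_ELEMENT = {  # Microsoft SDL table: categories per DFD element kind
    "external": "SR",     # external entity: Spoofing, Repudiation
    "process": "STRIDE",  # process: all six categories
    "store": "TRID",      # data store: Tampering, Repudiation, Disclosure, DoS
    "flow": "TID",        # data flow: Tampering, Disclosure, DoS
}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation", "I": "Information disclosure",
         "D": "Denial of service", "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str      # key of STRIDE_PER_ELEMENT
    boundary: str  # trust boundary the element sits in

@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    medium: str    # "RF", "CAN", "Ethernet", ...

    def crosses_boundary(self) -> bool:
        return self.src.boundary != self.dst.boundary

def enumerate_threats(elements, flows):
    """Return (target, category, priority) triples. Flows crossing a trust boundary
    rank high, in-boundary flows low, element threats medium (a triage hint only)."""
    out = [(e.name, NAMES[c], "medium")
           for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]
    for f in flows:
        prio = "high" if f.crosses_boundary() else "low"
        out += [(f"{f.name} [{f.medium}]", NAMES[c], prio)
                for c in STRIDE_PER_ELEMENT["flow"]]
    return out

def sample_dfd():
    """Constructed GNSS -> navigation ECU -> steering actuator chain."""
    sats = Element("GNSS constellation", "external", "outside")
    rx = Element("GNSS receiver", "process", "sensor")
    ecu = Element("Navigation ECU", "process", "control")
    log = Element("Event log", "store", "control")
    act = Element("Steering actuator", "process", "actuation")
    flows = [Flow("GNSS fix", sats, rx, "RF"), Flow("Position msg", rx, ecu, "CAN"),
             Flow("Steer cmd", ecu, act, "CAN"), Flow("Log write", ecu, log, "internal")]
    return [sats, rx, ecu, log, act], flows
```

The high-ranked rows (GNSS input spoofing via the external entity, tampering and denial of service on the CAN position and steering flows) are the ones the paper's mitigation step would address first; the in-boundary log write ranks low.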
By contextualizing threat modeling within industry standards such as ISO 24882 and regulatory frameworks like the EU Cyber Resilience Act, this work bridges the gap between cybersecurity compliance and engineering execution. The paper also introduces a repeatable workflow and mitigation strategies tailored for the embedded environments typical of off-highway applications, where deterministic control, limited computational resources, and safety-critical operations are paramount.
The proposed approach empowers product security engineers, embedded developers, and controls architects to incorporate cybersecurity earlier in the design lifecycle—resulting in robust, cyber-resilient machines that can withstand modern threats while operating in challenging off-highway environments.