As a result of the ever-increasing application of cyber-physical components in
the automotive industry, cybersecurity has become an urgent topic. Adopting
technologies and communication protocols like Ethernet and WiFi in connected
vehicles yields many attack scenarios. Consequently, ISO/SAE 21434 and UN R155
(2021) define a standard and regulatory framework for automotive cybersecurity.
Both documents follow a risk management-based approach and require a threat
modeling methodology for risk analysis and identification. Such a threat
modeling methodology must conform to the Threat Analysis and Risk Assessment
(TARA) framework of ISO/SAE 21434. However, existing threat modeling methods
enumerate isolated threats, disregarding the vehicle's design and connections.
Consequently, they neglect the role of attack paths from a vehicle’s interfaces
to its assets. In other words, they are missing the TARA work products, e.g.,
attack paths compromising assets or feasibility and impact ratings. We propose a
threat modeling methodology to construct attack paths by identifying,
sequencing, and connecting vulnerabilities from a valid attack surface to an
asset. Initially, we transform cybersecurity guidelines to attack trees, and
then we use their formal interpretations to assess the vehicle’s design. This
workflow yields compositional construction of attack paths along with the
required TARA work products (e.g., attack paths, feasibility, and impact). More
importantly, we can apply the workflow iteratively in the context of connected
vehicles to ensure design conformity, privacy, and cybersecurity. Finally, to
show the complexity and the importance of preemptive threat identification and
risk analysis in the automotive industry, we evaluate the presented model-based
approach on a connected vehicle testing platform, SPIDER.
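As an added illustration that is not part of the paper, the following Python sketch shows the kind of compositional attack-path construction and rating the abstract describes: an AND/OR attack tree is expanded into ordered attack paths, paths that do not begin at a declared interface are rejected for lacking a valid attack surface, and each remaining path receives a feasibility rating and a risk value from its impact. The tree, node names, attack-potential scores, feasibility thresholds and risk matrix are all constructed assumptions, not the paper's model or the standard's normative tables.

```python
from dataclasses import dataclass, field
from itertools import product

# Attack tree node: a leaf is one vulnerability/step carrying an assumed
# attack-potential score (higher = harder); OR = any child suffices; AND = all.
@dataclass
class Node:
    name: str
    kind: str = "leaf"               # "leaf", "or" or "and"
    potential: int = 0               # attack-potential points of a leaf step
    children: list = field(default_factory=list)

def attack_paths(node):
    """Enumerate every ordered sequence of leaf steps that compromises `node`."""
    if node.kind == "leaf":
        return [[node]]
    if node.kind == "or":
        return [p for c in node.children for p in attack_paths(c)]
    # AND: one path per child, concatenated in the children's order
    return [sum(combo, []) for combo in product(*(attack_paths(c) for c in node.children))]

def feasibility(total):
    """Summed attack potential -> feasibility rating (thresholds are assumed)."""
    if total <= 13: return "high"
    if total <= 19: return "medium"
    if total <= 24: return "low"
    return "very low"

# Illustrative risk matrix (assumed): RISK[impact][feasibility] -> 1 (lowest) .. 5
RISK = {"severe": {"very low": 2, "low": 3, "medium": 4, "high": 5},
        "major":  {"very low": 1, "low": 2, "medium": 3, "high": 4}}

def rate_paths(root, interfaces, impact):
    """TARA work products per path: (steps, potential, feasibility, risk).
    Paths whose first step is not a declared interface are dropped: they do
    not start at a valid attack surface."""
    rows = []
    for p in attack_paths(root):
        if p[0].name not in interfaces:
            continue
        total = sum(s.potential for s in p)
        f = feasibility(total)
        rows.append((" -> ".join(s.name for s in p), total, f, RISK[impact][f]))
    return rows

# Constructed sample: asset = ECU firmware; only wifi/obd are external interfaces.
TREE = Node("tamper_ecu_firmware", "and", children=[
    Node("reach_gateway", "or", children=[
        Node("wifi_hotspot", potential=6), Node("obd_ethernet", potential=10),
        Node("internal_can_node", potential=3)]),   # not an external interface
    Node("bypass_gateway_filter", potential=8), Node("flash_unsigned_image", potential=4)])
```

Calling `rate_paths(TREE, {"wifi_hotspot", "obd_ethernet"}, "severe")` yields two rated paths; the path through the internal CAN node is discarded because it has no valid attack surface.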