Requirements for the Automated Generation of Attack Trees to Support Automotive Cybersecurity Assurance

As the need for automotive assurance continues to grow, it becomes necessary to develop approaches which can provide assurance cases in a systematic and efficient manner. In the case of cybersecurity, this problem is exacerbated by the increasing complexity of vehicular onboard systems, their inherent obscurity due to their heterogenous architecture, emergent behaviors, and the disparate motivations and resources of potential threat agents. Furthermore, the advancement of connected autonomous vehicles (CAV) may allow external attackers to leverage the naïve trust ECUs have for adjacent devices to compromise the safety and security of the vehicle. To that end, there is an increased interest in automatically producing threat models such as attack trees, which usually rely on intensive expert driven construction or rudimentary formally defined processes, to identify potential threats to a vehicle. Therefore, this paper will explore the ways in which such an automated scheme could be applied for a practicable identification and analysis of potential attack paths. Although ISO/SAE 21434 recommends the development of an assurance case for cybersecurity, the precise nature of a cybersecurity case is not explicitly defined within the standard. Therefore, this paper also explores the combination of threat modelling techniques with assurance case techniques adapted from accepted practice in vehicle safety for functional safety (per ISO 26262) while taking into consideration the relevant standards.