Risk ThreatAnalysis 201902 JLE


Risk Analysis and Threat Analysis – The Starting Point of an Effective Security Concept

Dr. Joachim Leder

2019-02-19

PROCESS MANAGEMENT AND METHODS FOR SOFTWARE-BASED SYSTEMS
Outline

➢ Basis: Security in Manufacturing

➢ Analysis Breakdown

➢ System Analysis

➢ Threat Analysis

➢ Risk Analysis

➢ Summary

Risk Analysis and Threat Analysis, Dr. Joachim Leder, 2019, 2


Basis: Security in Manufacturing

[Figure: the security lifecycle, shown on slides 3 to 6 as a cycle diagram that is built up in four steps. The cycle consists of five stages that feed into each other:]

• Security Assessment
• Goals, Policies, Planning
• Training, Enforcement, Implementation
• Monitor and Manage
• Attack Detection and Response

The three phases of the overall approach are overlaid on this cycle: Analysis covers Security Assessment; Planning covers Goals, Policies and Planning; Execution covers Training, Enforcement and Implementation, Monitor and Manage, and Attack Detection and Response.


Analysis Breakdown

The purpose of a security analysis is to understand security risks.

Risk is evaluated by understanding the external threats and actors that can attack vulnerable assets,
resulting in damage or loss.

• System security analysis is the process of identifying the boundaries and assets of the system,
understanding the system vulnerabilities and evaluating the damage that would result from a
successful attack.

• Threat analysis is the process of identifying and understanding the threats and their actors,
evaluating their capabilities and motivations.

• Risk analysis combines the results of the threat and system analyses to create a priority-ordered list
of risks and associated controls. This list provides the overview of what must be done to reduce risk
to acceptable levels.



Analysis Breakdown

1. Setup Security Model
   • Identify assets
   • Define impact levels
   • Map CIA triad to impact levels

2. Estimate Impacts
   • Identify vulnerabilities
   • Assign impact level

3. Analyse Threat Sources
   • Identify threat sources
   • Estimate their capability and priority

4. Analyse Threat Actors
   • Identify threat actors
   • Estimate their capability and motivation

5. Assess the Risks
   • Assign risk levels to compromise methods
   • Prioritize the risks

(The slide places the CIA triad at the centre of steps 1 to 5 as the common reference for all of them.)
System Analysis
Example: ADAS / AD

[Figure: block diagram of an ADAS / AD system. Numbered blocks: 1 Mission Goals; 2 Perception (Sensors, Positioning, V2X, Object Detection, Object Classification); 3 Interpretation (Object Fusion, Environment Model, Database, Situation Prediction); 4 Applications (Collision Warning, Emergency Stop, Driving Hand Over, Lane Keep Assistance, Blind Spot Warning, …); 5 Planning (Behavior Planning); 6 Execution (Vehicle Dynamics and Control, Actors); 7 Infrastructure (3rd Party Apps, 3rd Party Information, OEM Apps, Cloud, OTA Update*, Vehicles). The blocks are arranged in three horizontal layers, Base Platform, Application Platform and Applications, and the whole is labelled "System".]

* OTA: Over The Air
System Analysis
Patterned on ISO/SAE 21434

Identify Assets
• V2X is an asset (V2V, V2I, V2C)
• …

Damage Scenarios
• C: Eavesdropping
• I: Spoofing
• A: (D)DoS attack

Impact Assessment
• C: IL1 (vehicle more easily tracked)
• I: IL2 (incorrect inputs to environment model)
• A: IL2 (loss of cloud information to system)

Vulnerability Analysis
• C&I&A: V2V and V2I communication is highly open
• C&A: V2C uses internet and requires an access point
• I: V2C providers can be hacked to provide incorrect data

Attack Analysis
• C: Listen to V2V and V2I communication channels
• I: Broadcast false V2V or V2I information
• C&I: Hack V2C gateway
• A: (D)DoS attack of V2V/V2I communication or V2C gateway

Attack Feasibility Assessment
• C: Highly feasible
• I: Highly feasible
• C&I: Moderate to low feasibility
• A: Moderate feasibility

Risk Assessment
• C: Low
• I: Low
• A: Moderate

Risk Treatment
• C: Ignore
• I: Higher weighting for internal sensor data combined with strong plausibility checking
• A: Fallback mode based on local data and processing capability only.
System Analysis

Identify Assets: V2X broken down by channel (Damage Scenarios and Impact Assessment follow for one of these assets)

• V2I: RF receiver, connection to infrastructure (reception of periodic broadcasts)
• V2C/V2N: Internet gateway, IP connection to cloud (application pull or cloud service push)
• V2V / V2P: RF transmitter/receiver, connection to vehicle (periodic send and continuous receive)


System Analysis

Identify Assets: V2V RF receiver

Damage Scenarios and Impact Assessment
• Eavesdropping on status of surrounding vehicles (e.g. ID, position, direction or speed): IL2
• Filter or modify received information which should be forwarded to internal applications: IL5
• Spoof vehicle ID with false position, direction or speed information: IL4
• Suppress received information: IL4

Impact levels IL1 (least severe) to IL6 (most severe), defined per category; each category is mapped to the CIA triad.

Safety - driver/bystanders
• IL1: Minor distraction to the driver or brief loss of superficial notifications.
• IL2: Minor distraction over a longer period of time to the driver. Loss of control unlikely, minor injuries possible.
• IL3: Significant safety notifications lost. Possible loss of control, increased risk of crash. Moderate injury possible.
• IL4: Critical safety notifications lost. Driver in danger of a serious crash. Serious injury, loss of limbs possible, survival probable.
• IL5: Major distraction. Driver highly likely to lose control of the car. Loss of life possible, survival uncertain.
• IL6: Total loss of control of the car. Critical systems definitely affected. Loss of life targeted and survival uncertain.

OEM - Reputation and Financial
• IL1: Negligible cost. Resolvable without modification of the vehicle.
• IL2: Minor and budgeted cost (e.g. minor optional or hidden update).
• IL3: Unpredicted but manageable cost (e.g. replacement of whole device). Reputation still intact.
• IL4: Unpredicted but manageable cost. Reputation damaged but fixable.
• IL5: Significant and exceptional cost over a short period of time. Reputation temporarily severely damaged.
• IL6: Massive financial impact over an extended period of time (e.g. loss of car sales, multiple recalls).

End User - not safety. Financial, Quality of Life, Privacy, User Experience
• IL1: Negligible cost, minor annoyance.
• IL2: Minor but short term quality of life drop. User is unsatisfied with the car.
• IL3: Minor but longer term quality of life drop. Manageable financial trouble (e.g. car broken). Information in danger.
• IL4: Longer term significant drop in quality of life. Temporary financial trouble (e.g. car stolen). Information compromised.
• IL5: Serious drop in quality of life. Significant assistance with money required. Secret information compromised.
• IL6: Permanent drop in lifestyle required. Long term quality of life affected. Bankrupt. Top secret information compromised.


Threat Analysis

Vulnerability Analysis and Attack Analysis for the V2V RF receiver
o Spoof a legitimate sender and provide false information
o Suppress received information
o Eavesdropping

Attack Feasibility Assessment: attackers and their capability (skills & resources)
• Script kiddies: low
• Disgruntled employees: low
• Competitors: medium+
• Researchers: high-
• Individual criminals / terrorists: high-
• Criminal / terrorist groups: high
• Foreign states: very high

Threat Level Estimate: capability is combined with motivation to give a threat level from 1 (Negligible) to 6 (Critical). Rows are motivation, columns are capability (Very Low, Low, Medium, High, Very High).

• Motivation Very Low:  Negligible (1), Negligible (1), Low (2), Low (2), Moderate (3)
• Motivation Low:       Negligible (1), Negligible (1), Low (2), Moderate (3), Substantial (4)
• Motivation Medium:    Negligible (1), Low (2), Moderate (3), Substantial (4), Severe (5)
• Motivation High:      Low (2), Low (2), Moderate (3), Severe (5), Severe (5)
• Motivation Very High: Low (2), Moderate (3), Substantial (4), Severe (5), Critical (6)


Risk Analysis
Patterned on ISO/SAE 21434

Attackers and their Threat Level (from the threat analysis)
• Researchers: Low - TL2
• Terrorist Groups: Substantial - TL4
• Foreign States: Moderate - TL3

Attacks (CIA) on the V2V RF receiver and their Impact Level
• Eavesdropping surrounding vehicles: IL2
• Filter/modify received information: IL5
• Spoof vehicle ID: IL4
• Suppress received information: IL4

Risk Assessment: the Cybersecurity Assurance Level combines impact level and threat level,

CAL = (IL × TL) / 6

CAL per attack (columns: Researchers TL2, Terrorist Groups TL4, Foreign States TL3)
• Eavesdropping surrounding vehicles (IL2): 0.7, 1.3, 1.0
• Filter/modify received information (IL5): 1.7, 3.3, 2.5
• Spoof vehicle ID (IL4): 1.3, 2.7, 2.0
• Suppress received information (IL4): 1.3, 2.7, 2.0

Risk Treatment
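To make the threat level lookup of the threat analysis slides and the CAL calculation above concrete, here is an added worked example in Python. It is not part of the deck: the threat level matrix, the impact levels before and after mitigation and the attacker capabilities are taken from the slides, while the attacker motivation ratings are an assumption chosen so that the lookup reproduces the threat levels TL2, TL4 and TL3 the deck assigns (the deck's "high-" capability is mapped to "high"). The example goes slightly beyond the slides by also producing the priority-ordered list that the analysis breakdown calls for.

```python
"""Threat level (TL) lookup and Cybersecurity Assurance Level (CAL).

Added example, not code from the original slides. Matrix values are copied from
the threat level estimate slide, the formula CAL = IL x TL / 6 from the risk
analysis slides. Attacker motivations are an assumption (see ATTACKERS).
"""
from __future__ import annotations

from dataclasses import dataclass

RATINGS = ["very low", "low", "medium", "high", "very high"]

# Threat level estimate: rows = motivation, columns = capability, both in RATINGS order.
TL_MATRIX = [
    [1, 1, 2, 2, 3],  # motivation very low
    [1, 1, 2, 3, 4],  # motivation low
    [1, 2, 3, 4, 5],  # motivation medium
    [2, 2, 3, 5, 5],  # motivation high
    [2, 3, 4, 5, 6],  # motivation very high
]

TL_NAMES = {1: "Negligible", 2: "Low", 3: "Moderate",
            4: "Substantial", 5: "Severe", 6: "Critical"}


def threat_level(motivation: str, capability: str) -> int:
    """Return TL (1..6) for a motivation/capability pair rated on RATINGS."""
    return TL_MATRIX[RATINGS.index(motivation.lower())][RATINGS.index(capability.lower())]


def cal(impact_level: int, tl: int) -> float:
    """CAL = IL x TL / 6, rounded to one decimal as printed on the slides."""
    if not (1 <= impact_level <= 6 and 1 <= tl <= 6):
        raise ValueError("IL and TL must both be in 1..6")
    return round(impact_level * tl / 6, 1)


@dataclass(frozen=True)
class Attacker:
    name: str
    capability: str   # from the deck's attacker capability list
    motivation: str   # ASSUMPTION: chosen to reproduce the deck's TL per attacker


ATTACKERS = [
    Attacker("Researchers", "high", "very low"),          # deck: Low - TL2
    Attacker("Terrorist Groups", "high", "medium"),       # deck: Substantial - TL4
    Attacker("Foreign States", "very high", "very low"),  # deck: Moderate - TL3
]

# Attacks on the V2V RF receiver: (IL before mitigation, IL after mitigation) from the deck.
SCENARIOS = {
    "Eavesdropping surrounding vehicles": (2, 2),
    "Filter/modify received information": (5, 4),
    "Spoof vehicle ID": (4, 3),
    "Suppress received information": (4, 4),
}


def risk_table(mitigated: bool = False) -> dict[str, dict[str, float]]:
    """CAL per scenario and attacker, before or after the listed mitigations."""
    table: dict[str, dict[str, float]] = {}
    for scenario, (il, il_mitigated) in SCENARIOS.items():
        il_used = il_mitigated if mitigated else il
        table[scenario] = {
            a.name: cal(il_used, threat_level(a.motivation, a.capability)) for a in ATTACKERS
        }
    return table


def highest_risks(n: int = 3, mitigated: bool = False) -> list[tuple[str, str, float]]:
    """Priority-ordered list of (scenario, attacker, CAL), highest CAL first."""
    rows = [(s, a, v) for s, per in risk_table(mitigated).items() for a, v in per.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)[:n]


if __name__ == "__main__":
    for label, flag in (("Unmitigated", False), ("Mitigated", True)):
        print(label)
        for scenario, per in risk_table(flag).items():
            print(f"  {scenario:36s}", "  ".join(f"{a}: {v}" for a, v in per.items()))
    print("Top risks:", highest_risks())
```

Keeping the impact level before and after mitigation side by side lets one function produce both the unmitigated and the mitigated table, and sorting the rows by CAL gives the priority-ordered list that the risk analysis step in the analysis breakdown asks for.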


Risk Analysis

Attacks (CIA), Impact Level before → after mitigation, and Possible Mitigation

• Eavesdropping surrounding vehicles (IL2): none possible
• Filter/modify received information (IL5 → IL4):
  1) Harden V2V module against compromise
  2) Run-time monitoring of integrity of module
  3) Identify failure mode
  4) Detect conflicts between V2V and other channels
• Spoof vehicle ID (IL4 → IL3):
  1) Compare V2V information with input from other sensors (e.g. V2I)
  2) Detect conflicts between V2V and other channels
• Suppress received information (IL4):
  1) Harden V2V module against compromise
  2) Run-time monitoring of integrity of module
  3) Identify failure mode

Risk Treatment
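The risk treatment on the V2X system analysis slide (higher weighting for internal sensor data combined with strong plausibility checking) and the mitigations above (compare V2V information with input from other sensors, detect conflicts between V2V and other channels) can be realised as a plausibility filter in the application that consumes V2V messages. The following Python is an added example and not code from the deck: the message fields, the sensor-track model and all thresholds are assumptions, and the message sequence it runs on is constructed.

```python
"""Plausibility checking of received V2V messages against physics, history and own sensors.

Added example, not from the original slides. Message fields, thresholds and the
sensor-track model are assumptions; sample messages are constructed.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class V2VMessage:
    """Subset of a received V2V status message (field set is an assumption)."""
    sender_id: str
    t: float        # seconds since start of trip
    x: float        # metres east of the ego vehicle
    y: float        # metres north of the ego vehicle
    speed: float    # m/s


@dataclass(frozen=True)
class SensorTrack:
    """Object track from the vehicle's own sensors (camera/radar/lidar fusion)."""
    x: float
    y: float
    speed: float


# Thresholds are assumptions for illustration, not values from the deck.
MAX_SPEED = 70.0           # m/s, physical ceiling for a road vehicle
MAX_ACCEL = 10.0           # m/s^2, generous acceleration bound
POSITION_TOLERANCE = 5.0   # m, positioning noise allowance
SPEED_TOLERANCE = 3.0      # m/s
ASSOC_RADIUS = 10.0        # m, a sensor track this close confirms the message
SENSOR_RANGE = 80.0        # m, beyond this own sensors cannot confirm anything


class V2VPlausibilityChecker:
    """Flags V2V messages that conflict with physics, their sender's history or own sensors."""

    def __init__(self) -> None:
        self._last_accepted: dict[str, V2VMessage] = {}

    def check(self, msg: V2VMessage, tracks: list[SensorTrack]) -> list[str]:
        """Return the list of conflicts found; an empty list means the message is plausible."""
        reasons: list[str] = []

        # 1. Static plausibility: reported values must be physically possible.
        if not 0.0 <= msg.speed <= MAX_SPEED:
            reasons.append("speed outside physical range")

        # 2. Temporal plausibility: consistent with the sender's last accepted message.
        prev = self._last_accepted.get(msg.sender_id)
        if prev is not None:
            dt = msg.t - prev.t
            if dt <= 0.0:
                reasons.append("timestamp not increasing (replayed or conflicting message)")
            else:
                moved = math.hypot(msg.x - prev.x, msg.y - prev.y)
                bound = (max(prev.speed, msg.speed) * dt
                         + 0.5 * MAX_ACCEL * dt * dt + POSITION_TOLERANCE)
                if moved > bound:
                    reasons.append(f"position jump {moved:.1f} m exceeds kinematic bound {bound:.1f} m")
                if abs(msg.speed - prev.speed) > MAX_ACCEL * dt + SPEED_TOLERANCE:
                    reasons.append("speed change exceeds acceleration bound")

        # 3. Cross-channel plausibility: inside sensor range, own sensors must see the vehicle
        #    and agree on its speed; internal sensor data gets the higher weight.
        if math.hypot(msg.x, msg.y) <= SENSOR_RANGE:
            nearest = min(tracks, key=lambda s: math.hypot(s.x - msg.x, s.y - msg.y), default=None)
            if nearest is None or math.hypot(nearest.x - msg.x, nearest.y - msg.y) > ASSOC_RADIUS:
                reasons.append("no sensor track confirms the claimed position")
            elif abs(nearest.speed - msg.speed) > SPEED_TOLERANCE:
                reasons.append("sensor-measured speed conflicts with reported speed")

        if not reasons:
            self._last_accepted[msg.sender_id] = msg   # only accepted messages form the history
        return reasons


def run_sample() -> dict[str, list[str]]:
    """Constructed sequence: two genuine updates from A, then three conflicting messages."""
    checker = V2VPlausibilityChecker()
    tracks_t0 = [SensorTrack(30.5, 0.2, 20.5)]
    tracks_t1 = [SensorTrack(50.0, 0.0, 20.0)]
    results: dict[str, list[str]] = {}
    results["genuine-1"] = checker.check(V2VMessage("A", 0.0, 30.0, 0.0, 20.0), tracks_t0)
    results["genuine-2"] = checker.check(V2VMessage("A", 1.0, 50.0, 0.0, 20.0), tracks_t1)
    # claims that A moved 250 m in half a second
    results["jump"] = checker.check(V2VMessage("A", 1.5, 300.0, 0.0, 20.0), tracks_t1)
    # a nearby vehicle that own sensors do not see at all
    results["ghost"] = checker.check(V2VMessage("B", 1.0, 20.0, 5.0, 15.0), tracks_t1)
    # an older message from A delivered again after a newer one was accepted
    results["replay"] = checker.check(V2VMessage("A", 0.5, 40.0, 0.0, 20.0), tracks_t1)
    return results


if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print(f"{name:10s}", "plausible" if not reasons else "; ".join(reasons))
```

Only accepted messages are stored as history, so a single conflicting message cannot poison the kinematic baseline for a sender, and the sensor cross-check is skipped outside sensor range so that a genuine but distant vehicle is not rejected merely for being unseen.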


Risk Analysis
Security: Patterned on ISO/SAE 21434

Risk Assessment with mitigated Impact Levels. CAL per attack (columns: Researchers Low – TL2, Terrorist Groups Substantial - TL4, Foreign States Moderate - TL3)
• Eavesdropping surrounding vehicles (IL2): 0.7, 1.3, 1.0
• Filter/modify received information (IL4): 1.3, 2.7, 2.0
• Spoof vehicle ID (IL3): 1.0, 2.0, 1.5
• Suppress received information (IL4): 1.3, 2.7, 2.0

Risk Treatment


Summary: What needs to be done

Analysis
• System Analysis
  • Identify assets and the consequences/damage when they are compromised
  • Assess impact → IL
• Threat Analysis
  • Assess vulnerabilities
  • Identify aggressors, their goals and their capabilities/motivations
  • Assess threat → TL
• Risk Analysis
  • Understand damage that would result from successful attack
  • Estimate severity of risk → CAL
  • Define risk/threat catalogue
  • Specify mitigations for risks

Planning
• Prioritisation
  • Define rating criteria (effort, timing, cost, …)
  • Prioritize risk/threat catalogue, including mitigation concepts
• Mitigation
  • Describe mitigation concepts for all relevant Risks/Threats

Execution
• Implementation, monitor/manage, attack detection/response


Drive the change to accepted processes
+49 (0) 176 23691929
[email protected]
www.joachimleder.com
+49 (0) 152 5672 8209
[email protected]
