Automotive Cybersecurity Part - 5: Risk Assessment Frameworks

December 21, 2024
Automotive Cybersecurity, Penetration Testing, Risk Assessment, Frameworks

Understanding Automotive Risk Assessments

“Risk comes from not knowing what you’re doing.” Warren Buffett

This post explores two industry-standard frameworks, HEAVENS and EVITA, that help cybersecurity professionals perform effective threat and risk assessments for Cyber Physical Vehicles (CPVs).

What is Risk?

A risk assessment quantifies potential cybersecurity threats by evaluating:

  • Vulnerabilities
  • Threats
  • Likelihood of exploitation
  • Impact on assets
  • Effectiveness of existing security controls

Common formulas:

  • Risk = Threat * Vulnerability
  • Risk = Threat * Vulnerability * Asset Value
  • Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value

HEAVENS Framework

The HEAVENS model consists of three steps:

  1. Determine Threat Level (TL)
  2. Determine Impact Level (IL)
  3. Determine Security Level (SL)

Threat Level Parameters

Parameter | Options and Values
Expertise | Layman (0), Proficient (1), Expert (2), Multiple Expert (3)
Knowledge of TOE | Public (0), Restricted (1), Sensitive (2), Critical (3)
Equipment | Standard (0), Specialized (1), Bespoke (2), Multiple Bespoke (3)
Window of Opportunity | Low (3), Medium (2), High (1), Critical (0)

The final TL value is the sum of the four parameter values.

Impact Level Parameters

  1. Safety
    • No Injury (0), Light/Moderate (10), Severe (100), Life Threatening (1000)
  2. Financial
    • No Impact (0), Low (10), Medium (100), High (1000)
  3. Operational
    • Ranges from No Impact (0) to Major Disruption (100)
  4. Privacy & Legislation
    • No Impact (0), Low (1), Medium (10), High (100)

Security Level (SL)

The final Security Level is derived from TL and IL: a matrix maps each TL/IL combination to an SL.


EVITA Framework

EVITA is an EU-funded initiative that evaluates risks across:

  • Safety
  • Privacy
  • Financial Losses
  • Operational Impact

Severity Classes (0–4)

Class | Safety | Privacy | Financial | Operational
0 | No injuries | No data access | No loss | No impact
4 | Fatalities | ID leakage | Multi vehicle losses | Multi vehicle failures

Attack Potential Factors

Factor | Levels
Elapsed Time | ≤1 day (0) to >6 months (19)
Expertise | Layman (0), Expert (6), Multiple Experts (8)
System Knowledge | Public (0) to Critical (11)
Window of Opportunity | Unlimited (0) to None (∞)
Equipment | Standard (0) to Multiple Bespoke (9)

Probability Mapping

Score Range | Attack Probability
0–9 | Basic (5)
10–13 | Enhanced-Basic (4)
14–19 | Moderate (3)
20–24 | High (2)
≥25 | Beyond High (1)

Key Takeaways

  • HEAVENS gives a structured method for scoring risk via TL and IL.
  • EVITA emphasizes attack effort and severity across various categories.
  • Both frameworks are invaluable for assessing cybersecurity in connected vehicles.

You can use these frameworks as part of your automotive pentesting checklist or integrate them into CI/CD security gates for embedded automotive software.
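
As an added example (not code from the original post or from the EVITA project), the Python below sums the five EVITA attack potential factors, maps the total through the Probability Mapping table above, and applies the result as a simple pipeline gate of the kind the closing paragraph mentions. The function names, the sample threat entries and the `min_probability` threshold are assumptions made for illustration; the factor limits and score bands are the ones listed on this page.

```python
import math

# Maximum score per factor, from the Attack Potential Factors table.
FACTOR_MAX = {"elapsed_time": 19, "expertise": 8, "system_knowledge": 11,
              "window_of_opportunity": math.inf,  # "None" scores infinity
              "equipment": 9}

# (inclusive upper bound, label, probability) from the Probability Mapping table.
BANDS = [(9, "Basic", 5), (13, "Enhanced-Basic", 4), (19, "Moderate", 3),
         (24, "High", 2), (math.inf, "Beyond High", 1)]

def attack_potential(factors):
    """Validate the five factor scores and return their sum."""
    if factors.keys() != FACTOR_MAX.keys():
        raise ValueError(f"expected exactly these factors: {sorted(FACTOR_MAX)}")
    for name, value in factors.items():
        # The chained comparison also rejects NaN, which would poison the sum.
        if not 0 <= value <= FACTOR_MAX[name]:
            raise ValueError(f"{name}={value} is outside 0..{FACTOR_MAX[name]}")
    return sum(factors.values())

def attack_probability(score):
    """Map a summed score to (label, probability); infinity hits the last band."""
    for upper, label, probability in BANDS:
        if score <= upper:
            return label, probability
    raise ValueError(f"score {score!r} is not a number")

def gate(threats, min_probability=4):
    """Return ids of threats at or above the (hypothetical) probability threshold."""
    return [tid for tid, factors in threats.items()
            if attack_probability(attack_potential(factors))[1] >= min_probability]

# Constructed sample entries; ids and scores are illustrative only.
ZERO = dict.fromkeys(FACTOR_MAX, 0)
SAMPLE = {
    "T-01": {**ZERO, "expertise": 6},                     # sum 6
    "T-02": {**ZERO, "system_knowledge": 11},             # sum 11
    "T-03": {**ZERO, "expertise": 6, "equipment": 9},     # sum 15
    "T-04": {**ZERO, "window_of_opportunity": math.inf},  # sum inf
}

if __name__ == "__main__":
    for tid, factors in SAMPLE.items():
        print(tid, attack_probability(attack_potential(factors)))
    print("gate fails on:", gate(SAMPLE))
```

A threat whose window of opportunity is "None" sums to infinity and therefore always lands in the "Beyond High (1)" band, so it never trips the gate.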