Here are some interesting projects that are worth your attention. These projects are funded by the FFI Automotive Security and Privacy Program. Please see the list as follows:
We have some results to share! Please visit HOLISEC Results for more information.
HoliSec – Holistic Approach to Improve Data Security
With the advent of connected and autonomous vehicles, security is of increasing importance to the automotive industry; however, security is very hard to address despite being directly linked to some of the most important attributes of the automotive industry, quality, and safety. As a result, there are no clear processes to follow for secure automotive software development and the influence of security mechanisms on safety still needs investigation. Appropriate handling of security issues in the automotive industry can potentially lead to increased competitive advantage, revenue, and uptime.
We will develop integration-ready security development processes that are aligned with existing safety processes, verification & validation methods that address security, investigate security mechanism properties, and look at methods to secure both wired and wireless communication. We will take a holistic approach that is unique for the vehicular industry, in which we make sure security requirements are visible and influence all steps in the development chain, all the way from early development to late testing phases.
From the academic partners, several publications at both scientific and automotive conferences will be delivered. From an industrial perspective, the project will result in processes, methods, tools, models, and guidelines to reach the industry goal of “security by design”. Common processes and methods within the industry aid communication between OEMs, academia, and suppliers, reduce lead times and complexities, make test results comparable between parties, simplify requirement handling, and overall increase the knowledge about how to work with security in systematic ways.
The project will also arrange activities in the form of seminars and workshops to increase the awareness and knowledge about security, as well as disseminate results at external conferences and events. Results from the project will be demonstrated using proof of concept demonstrators.
The HoliSec consortium consists of ArcCore, Assured, Chalmers, SP, Volvo Car Corporation, Viktoria ICT and Volvo AB, with Volvo AB being the project coordinator.
We have some results to share! Please visit Threat MOVE Results for more information!
The increasing level of computerization makes modern vehicles vulnerable to cyber attacks. Software-based tools for threat modeling and simulation can be used to assess the probability that an attacker manages to reach different parts of the vehicle system. However, today there are no such tools for the transport domain. The goal is to develop a threat modeling and simulation language that allows for real-world modeling and simulation of vehicle information system attacks, as well as implementing and testing the language with real-world systems. This will help automotive IT security to be modeled and simulated in both design and operational phases, thus contributing to increased understanding of security challenges and risks. The proposed approach could well be a future best practice for the Swedish automotive industry.
The expected result is thus a threat modeling and simulation language for vehicle IT. This language is meant to be freely available to the automotive industry, academia and other interested parties. Furthermore, the language will be concretized as a module in the securiCAD software from foreseeti. The work will build up security skills in general and for vehicle IT specifically. Several research articles will be published where methods and models are presented and validated with use cases.
The project is expected to last from October 2017 to September 2021 and is divided into eight work packages: (i) project management, (ii) development of a framework for the domain-specific language, (iii) design of the domain-specific modeling and analysis language for security in automotive IT, (iv) implementation, (v) iterative testing and validation of the domain-specific language, (vi) inclusion of tool chain integration, (vii) vehicle security parameters, and (viii) dissemination. The work will be done iteratively.
The vehicle industry is going from traditionally isolated to open systems. As vehicles continuously increase their connectivity to the surrounding world, becoming part of the Internet of Things, exposure becomes potentially world-wide and attacks may happen with speed and scale not possible before.
Adopting secure development techniques provides organizations with a generic level of assurance against the above-mentioned attacks. The key research question at the core of this project is, however, how a project manager can get precise assurance based on material, project-specific evidence that a system being developed is secure enough and can be released.
The goal is to provide managers with a tool to make go/no-go security decisions on product delivery. Such decisions are currently based on experience and intuition, while we aim at supporting evidence-based decisions. The key contribution of this project is a methodology to build security assurance cases.
Security assurance cases (a.k.a. security cases) have been suggested in the past and also described by standards like ISO 15026. However, there is a research gap on how to practically build them. This project will address that gap by providing an answer to the following questions, especially in the automotive domain:
* What evidence needs to be collected throughout the software development process (code and design metrics, test results, code verification results, traceability information across artifacts, development effort figures, to name a few).
* How to build the security assurance argumentation from the available evidence.
Further, the automotive industry is going in the direction of defining security levels similarly to Automotive Safety Integrity Levels (ASIL). For instance, this is a research direction in FFI HoliSec. Therefore, we will investigate argumentation patterns that are specific to the different security levels (typically 5 levels). The methodology will also consider ways to build assurance cases at several levels of abstraction (e.g., subsystem vs function vs complete vehicle).
We acknowledge the existence of important trends in the automotive industry, like agility and continuous delivery. In this respect, the methodology should integrate rather than excessively constrain the agile activities.
WHERE WE’RE GOING, WE DON’T NEED ROADS. AUTOMOTIVE CYBERSECURITY IS THE FAST LANE!
As today’s vehicles become increasingly connected and automated, the opportunity for new cyber attacks has become a real threat. The automotive industry needs software developers who understand how these attacks work, and how to protect against them.
SUFFI is a cybersecurity education program for automotive software professionals. The training intends to give its audience theoretical and practical knowledge of how to discover and protect against automotive-specific security vulnerabilities. The educational program is targeted at automotive software developers with an interest in cybersecurity.
Three occasions will be available in fall 2018. If you are interested in participating in the program, please visit SUFFI’s page for more information and registration.
SUFFI – Cybersecurity education for automotive software professionals is a project financed by VINNOVA.