A Systematic Approach to Modeling Software-Defined Vehicles and their Security Needs

Inhalt:
UNECE R 155 came into force in January 2021 and demands a cybersecurity risk management system for newly developed vehicles. The released international standard ISO/SAE 21434 provides general requirements how to perform risk assessments. One of the most challenging tasks is risk management across the supply chain and how suppliers for the automotive sector can contribute to it. We present an approach for suppliers to participate in the risk management process. We propose inputs for use to perform cybersecurity risk analysis for the supplier and how the risk management process can be used to contribute to security by design. Our approach consists of three parts. The first part uses Model Based Systems Engineering (MBSE) and SysMod to model our device and use case. The second part uses Microsoft STRIDE methodology to identify and model threats and the third part uses Modular Risk Assessment (MoRA) to perform risk analysis. To show how to identify threats and risks during development of a device from a supplier’s perspective, we model and analyze use cases on different abstraction layers. Finally, we show how to group functions according to their security needs which are then translated to requirements allocated to their components.