On the Modeling of Automotive Security: A Survey of Methods and Perspectives

Abstract: As intelligent car networking represents the new direction of future vehicular development, automotive security plays an increasingly important role across the whole car industry chain. Provided that the accompanying security problems are addressed, vehicles will offer more convenience while ensuring safety. Security models can be used as tools to reason about the security of an automotive system and to represent it in a structured manner. Besides proposing new methods, it is essential to improve knowledge about security models by comparing them. This paper aims to give a comprehensive introduction to the topic of security models for the Intelligent Transport System (ITS). A survey of current methodologies for security modeling is conducted and a classification scheme is subsequently proposed. Furthermore, the existing frameworks and methods for building automotive security models are broadly examined according to the features of automotive electronic systems. A number of fundamental aspects are defined to compare the presented methods in order to understand automotive security modeling in depth.


Introduction
With the rapid development of high technologies such as the Mobile Internet, Big Data, Artificial Intelligence and Cloud Computing, the automobile has gradually become a new type of intelligent travel carrier [1,2]. There are more and more communication demands and scenarios between automobiles and the outside world. Owing to interconnection and intelligence, the automobile is transformed from a closed system into an open one. Nevertheless, this also exposes more connected controllers and sensors for attackers to exploit, especially once Internet access is activated. Compromising the security of an automobile results not only in financial loss and privacy breaches, but also in malicious control and a threat to safety. A demonstrative attack was conducted to remotely disable a car's brakes on a highway [3]. Recently, researchers and white-hat hackers have explored and demonstrated a number of vulnerabilities of automobiles, as shown in [4][5][6][7][8]. In the beginning, automotive security mainly concerned locking systems and immobilizers because of the use of keyless entry systems [9]. Many studies have demonstrated the possibility of accessing the system without permission [10][11][12][13][14]. With the increasing connectivity of vehicles, external communication can be seen as a new attack surface in modern vehicles. For example, various services could affect cybersecurity, such as communicating via the telematics system, connecting to the OBD (on-board diagnostics) port, or reflashing ECUs (Electronic Control Units) by OTA (Over-The-Air) updates. The feasibility of attacking vehicles by exploiting potential weaknesses in these services is examined in [15].
Additionally, manipulations via wireless connections are also used to perform attacks [16][17][18][19]. Since autonomous vehicles at level 2 and above need to be equipped with dozens of sensors for collecting data from the environment [20], they are vulnerable to a variety of possible security attacks [21,22]. The cameras on vehicles can be blinded [23] and the LiDAR system can be deceived with fake echoes [24]. Reference [25] listed automotive security incidents from 2010 to 2019. Reference [26] surveyed theoretical and practical attacks with different approaches, and [27] provided a comprehensive taxonomy so that the information derived from attacks can be used for vehicular development and testing.
It is important to attach great importance to the security of intelligent connected automobiles, since the security threats are increasing substantially. Moreover, it is necessary to implement well-grounded security practices for ITS. Managing security on different levels is a basic requirement for security activities. The fundamental step is to assess and prioritize the risks with security analysis techniques. In order to improve the security of a system, we first need to understand which threats and risks the system will confront. The interactions and information that influence the system should be processed and analyzed first. Systematic approaches are needed to identify the vulnerabilities and the latent threats. Based on that, the security objectives can be settled and countermeasures to mitigate the risk impacts can be derived.
A security model can be built to explore all the correlated factors in an organized manner [28]. Instead of simple brainstorming and informal group discussions about the possible intentions of adversaries, security models are exploited systematically to investigate the vulnerabilities and ensure high coverage. This is particularly important for cyber-physical systems like automobiles, since they have direct physical effects on the environment instead of virtual ones [29]. Security models are developed to describe the security characteristics of systems formally and to explain the reasons for the security-related behaviors of systems accurately [30]. Since threat modeling allows prioritizing recovery strategies and decision-making regarding threats and risks, it should be started at the early stages of design and evolved throughout the life cycle of the application [31,32].
A number of studies examine the methodologies for obtaining security models. As suggested in [33], it is important to improve knowledge about security models by comparing them, besides proposing new methods. It is more constructive to propose a taxonomy for the existing security models than to enumerate the methods exhaustively. The aim of this paper is to introduce a classification scheme for describing security modeling methods and to provide a survey and comparison of automotive security models. Moreover, it is helpful to evaluate the automotive security models and link them to methods from other fields. After reviewing the previous work on security models, three main contributions are made:

1. Classifies the methods for security models into quantitative and qualitative categories.
2. Identifies the existing frameworks and methods for building security models for automobiles and provides a comprehensive overview of them.
3. Compares the available automotive security models for the design phase of automotive products, which were originally planned from security perspectives. The characteristics of each methodology are summarized. Based on a rational assessment, this gives automotive engineers a reference for understanding the methods and then choosing appropriate ones to initiate security evaluations.

The remainder of this paper is organized as follows: In Section 2, the security modeling methods are reviewed and classified from a different point of view. After that, the automotive security models are surveyed and compared on several fundamental aspects in Section 3. Finally, the discussion and concluding remarks are given in Sections 4 and 5. The structure of this article is illustrated in Figure 1.

Taxonomy of Security Models
Because of the widespread use of interconnection, security has become one of the main concerns in the industrial domain, which includes automobiles. Unlike safety, the security of a system is defined in the dimensions of intent and external influence in [34]. Generally, security is the ability to defend the confidentiality and integrity of the system by implementing protections that prevent unauthorized access [35][36][37]. In the automotive context, security means that all functions and interfaces of road vehicles and the automotive ecosystem are protected against cybersecurity threats. Since security is related to uncertainties like malicious events and environmental interactions, security models can be used as a tool to reason about the security of the system and represent it in a structured manner [38].
Security models are developed to describe the security characteristics of systems formally. They are used to explain the reasons for the security-related behaviors of systems accurately [39]. There are various security models for different purposes, for instance the access control model, the integrity model and the threat model. In this paper, we focus only on the threat model, which identifies the potential threats and risks that could affect the system. It is significant for system security engineering to derive the security requirements and protection mechanisms based on the threat model [40]. Hence, threat models are commonly used in automotive security. Several threat modeling methods have been developed for software systems, as illustrated in [41]. We review and categorize these approaches, which have stimulated the development of automotive threat modeling.
Threat modeling is a group of planned activities for identifying and assessing application threats and vulnerabilities [28], as shown in Figure 2. We propose a classification scheme that categorizes threat modeling methods into qualitative models, which are mainly in descriptive form, and quantitative models such as stochastic models.

Qualitative Security Methods
Qualitative methods aim to analytically discover and state the security threats. Different from informal group discussions of potential threats, qualitative security models can be used as a tool to investigate the vulnerabilities systematically. The models can be built either from the developers' perspective or from the attackers'.
One of the classical qualitative approaches is the STRIDE model proposed by Microsoft. It is a structured approach for identifying threats according to the purposes of the attacks. The STRIDE model was originally applied to software systems. STRIDE is an acronym for the potential threats: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege [42]. First, the evaluated system is described with a data flow diagram (DFD). The entities and the data flows of the system are labeled in the DFD as security-related elements. Then the elements are examined to check whether their security attributes of confidentiality, integrity and availability are violated. Based on this examination, the threats are identified and associated with the potential threat types. The advantage of the STRIDE model is that the possible attacks are generalized into a limited number of threat kinds instead of enumerating every specific attack. Moreover, it emphasizes the completeness and repeatability of threat identification and is applicable for non-security experts [43]. Myagmar et al. applied the STRIDE model in [28] to derive security requirements for complex systems like networked systems. Three case studies of software applications and computer systems are presented in that paper to show the threat modeling process. Many similar methods are derived from STRIDE. For example, a method named LINDDUN is used for data security to assess privacy [44]. It stands for linkability, identifiability, non-repudiation, detectability, disclosure of information, unawareness, and non-compliance [45,46].
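The STRIDE-per-element step described above (label the DFD elements, then check which threat types apply to each) can be mechanized. The following is an added illustration, not code from the paper or from Microsoft: the element-type-to-category mapping follows the commonly used STRIDE-per-element chart, the mapping of each category to the security property it violates is the standard STRIDE one, and the DFD of a telematics unit receiving an OTA update is a constructed toy model with hypothetical element names.

```python
"""STRIDE-per-element enumeration over a small data flow diagram (DFD).

Added illustration, not code from the surveyed paper or from Microsoft.
The element-type -> category mapping follows the common STRIDE-per-element
chart; the DFD below is a constructed toy model of an OTA update.
"""
from dataclasses import dataclass
from enum import Enum


class ElementType(Enum):
    EXTERNAL_ENTITY = "external entity"
    PROCESS = "process"
    DATA_STORE = "data store"
    DATA_FLOW = "data flow"


# Threat category letter -> (name, security property it violates)
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}

# STRIDE-per-element: which categories apply to which kind of DFD element.
APPLICABLE = {
    ElementType.EXTERNAL_ENTITY: "SR",
    ElementType.PROCESS: "STRIDE",
    ElementType.DATA_STORE: "TRID",
    ElementType.DATA_FLOW: "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: ElementType


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    violated_property: str


def enumerate_threats(dfd):
    """Return one Threat per (element, applicable STRIDE category) pair."""
    threats = []
    for element in dfd:
        for letter in APPLICABLE[element.kind]:
            name, prop = STRIDE[letter]
            threats.append(Threat(element.name, name, prop))
    return threats


def threats_by_property(threats):
    """Group the identified threats by the security property they violate."""
    grouped = {}
    for t in threats:
        grouped.setdefault(t.violated_property, []).append(t.element)
    return grouped


# Constructed DFD with hypothetical names (not from any real vehicle design).
OTA_DFD = [
    Element("OEM backend server", ElementType.EXTERNAL_ENTITY),
    Element("Telematics ECU update handler", ElementType.PROCESS),
    Element("Firmware image store", ElementType.DATA_STORE),
    Element("OTA image download (backend -> ECU)", ElementType.DATA_FLOW),
]

if __name__ == "__main__":
    for t in enumerate_threats(OTA_DFD):
        print(f"{t.element:40s} {t.category:24s} violates {t.violated_property}")
```

The output is the raw threat list that a reviewer then prunes and prioritizes; the grouping by violated property shows which of the classic attributes (integrity, confidentiality, availability) carries the most candidate threats for this DFD, which is the check the text describes.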
Qualitative methods can also be used to visualize threats from the attackers' side. This allows working out what activities attackers will perform, the way they carry out the attacks, and how they make decisions [47,48]. Persona non Grata (PnG) is a method for modeling threats by analyzing the motivations and skills of human attackers from an unintended-use point of view [49]. It helps developers to recognize the vulnerabilities and points of compromise from the other side [50]. Refs. [51,52] respectively considered the security problems from the attackers' perspective and from the viewpoint of misuse cases. While the former proposed a persona methodology to understand the complex ways attackers might work, the latter specified sequences of actions to be avoided in order to prevent various threats.

Quantitative Security Methods
While qualitative models identify threats in descriptive language, quantitative methods are used to derive numerical descriptions of security properties. Rather than assessing the security policies executed at the management level [53], the quantitative models referred to in this paper concern the operational aspects of security. They aim to measure the level of threat to implemented systems during operation. Verendel [33] surveyed a number of different quantitative methods to evaluate whether security can be represented quantitatively. The quantitative methods are reviewed with a taxonomy including parameters such as perspectives, targets, assumptions, and validation. The conclusion pointed out that quantified security is a weak hypothesis and can hardly be validated in most cases. However, quantitative modeling is still a fundamental topic, since it is worthwhile for risk assessment and management. Thus, there are numerous research efforts exploring quantitative methods for threat modeling.
The Common Vulnerability Scoring System (CVSS) is a numerical method that provides a scoring system to evaluate vulnerabilities and their severity [54]. It is composed of three metric groups, Base, Temporal, and Environmental, each with a set of elements that reflect threats [55]. A CVSS score is computed with a provided formula combining all applicable metrics, whose values can be obtained from a vulnerability look-up table. An online calculator is available for computing the score. CVSS was developed for software vulnerabilities and has since been adapted for cyber-physical platforms.
Attack trees are graphical representations that show possible attacks in a tree structure. The root of the tree is the attacker's goal. The means to achieve the goal are denoted by the leaf nodes of the tree, and they are connected by the logical gates "AND" and "OR" [56]. Attack trees describe the different routes by which the vulnerabilities of the system can be exploited to reach a desired state [57]. They provide a quantitative basis for calculating the attack potential [58]. Furthermore, attack trees can be used by designers to decide which actions should be prevented. Thus, there are some exploratory extensions, like attack-defense trees or the integration of countermeasures into the attack tree [34]. A quantitative attack tree model is presented in [59] to describe the intrusion process. The quantitative analysis of attacker behavior was performed by identifying the probability of different attack phases according to empirical data collected from intrusion experiments.
In addition, there are some stochastic methods to quantify security. In [60], a method is proposed to build the security model with existing tools for reliability. It suggests viewing a threat to a system as a system failure. A Markov model is used to quantify the vulnerabilities with the probability of potential attacks. The dynamic state transitions are considered together with specified detection probabilities to estimate security properties such as the availability of an embedded system. An automotive system, namely a cooperative adaptive cruise control system, is used to illustrate the analysis. The security attributes of an intrusion-tolerant system are assessed quantitatively in [61]. General probability distribution functions are identified to describe the attacker behavior and the system's response. The probability of security failure is computed to demonstrate the impact of violating different security attributes.
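The Markov approach above treats a successful attack like a failure and reads security availability off the long-run state occupancy. The following added example (not the model from [60]) shows the mechanics on a constructed three-state discrete-time chain: Normal, Compromised (intrusion present, not yet detected) and Recovering. The per-step attack, detection and recovery probabilities are constructed values; the stationary distribution is obtained by power iteration, and the fraction of time spent in Normal is reported as the availability.

```python
"""Steady-state security availability of a small Markov model.

Added example, not the model from the surveyed reference. A discrete-time
Markov chain with three constructed states and constructed per-step
probabilities for attack, detection and recovery.
"""

STATES = ("Normal", "Compromised", "Recovering")


def build_transition_matrix(p_attack, p_detect, p_recover):
    """Row-stochastic matrix: row = current state, column = next state."""
    for p in (p_attack, p_detect, p_recover):
        if not 0 < p <= 1:
            raise ValueError("probabilities must lie in (0, 1]")
    return [
        [1 - p_attack, p_attack, 0.0],    # Normal: attack succeeds w.p. p_attack
        [0.0, 1 - p_detect, p_detect],    # Compromised: intrusion detected w.p. p_detect
        [p_recover, 0.0, 1 - p_recover],  # Recovering: restored to Normal w.p. p_recover
    ]


def stationary_distribution(matrix, tol=1e-12, max_iter=1_000_000):
    """Power iteration pi <- pi P until the largest change drops below tol.
    The chain has self-loops in every state, so it is aperiodic and the
    iteration converges to the unique stationary distribution."""
    n = len(matrix)
    pi = [1.0 / n] * n
    for _ in range(max_iter):
        nxt = [sum(pi[i] * matrix[i][j] for i in range(n)) for j in range(n)]
        diff = max(abs(a - b) for a, b in zip(pi, nxt))
        pi = nxt
        if diff < tol:
            break
    return pi


def security_availability(p_attack, p_detect, p_recover):
    """Long-run fraction of time steps the system spends in the Normal state.
    Time in Compromised counts as a security failure even though the system
    is still running, which is what distinguishes this from plain reliability."""
    matrix = build_transition_matrix(p_attack, p_detect, p_recover)
    pi = stationary_distribution(matrix)
    return pi[STATES.index("Normal")]


if __name__ == "__main__":
    # Constructed parameters: 1% attack chance per step, 20% detection per step
    # while compromised, 50% chance per step of completing recovery.
    base = security_availability(0.01, 0.2, 0.5)
    better_detection = security_availability(0.01, 0.5, 0.5)
    print(f"availability with p_detect=0.2: {base:.4f}")
    print(f"availability with p_detect=0.5: {better_detection:.4f}")
```

For this chain the stationary distribution has a closed form (balance gives pi_C = p_attack/p_detect * pi_N and pi_R = p_attack/p_recover * pi_N), so with the constructed values the availability is 1/1.07 ≈ 0.9346; the power iteration reproduces that and also works unchanged for larger chains where no closed form is convenient. The comparison in the usage shows the kind of question such a model answers for a defender: how much availability a faster detection mechanism buys.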
As systems become more complex, the interdependencies among their components become denser. Thus, threat modeling methods need to evolve. A hybrid method made up of three types of threat modeling methods is proposed in [62]. Attack trees are built according to the threat categories of STRIDE. Then the attack likelihood of the tree components is calculated with the CVSS method. The method is validated with a case study of a railway communications network.
The qualitative and quantitative threat modeling methods reviewed above offer a valuable foundation for automotive security modeling. The combination of these methods has become a common tendency in applications like automotive systems, and they have inspired the development of automotive security models.

Automotive Security Models
As intelligent car networking represents the new generation of the vehicular trend, security plays an increasingly important role in the automotive industry. Unlike IT security, the security of an automotive system can directly affect the physical environment. Therefore, several research projects on security in transport systems were funded and conducted over the last decade. Projects like PRESERVE (Preparing Secure Vehicle-to-X Communication Systems), EVITA (E-safety Vehicle Intrusion Protected Applications) and OVERSEE (Open Vehicular Secure Platform) were launched by the European Commission to study how to ensure the security of the intelligent transport system. The objective of PRESERVE was to design a scalable security subsystem for ITS communication. It aimed to secure V2X (vehicle-to-everything) communication and protect the data from being abused by malicious attackers. Performance and cost were also considered for product deployment in a close-to-market implementation [63]. EVITA focused on trustworthy intra-vehicular communication in order to protect the sensitive data transferred inside a vehicle [64]. The goal of EVITA was to design a secure automotive on-board architecture. The security requirements were specified after analyzing the relevant use cases and threat scenarios. EVITA proposed hardware security modules as trust anchors for automotive controllers to fulfill the security requirements. To meet the demand for information and communication management for vehicular applications, OVERSEE aimed to realize an open vehicular IT platform [65]. Based on the architecture of the platform, applications are deployed in a secure and dependable way to avoid interfering with the functionality and safety of the vehicle.
Moreover, some standardization activities have been carried out to address and enforce security aspects for the automotive industry [66]. Some security standards for vehicles have been developed, such as SAE J3061 [67] and ISO 20078 [68]. Some are still under development, like ISO/SAE 21434 [69], whose progress is reported in [70]. In August 2020, the UNECE WP.29 (the UN Economic Commission for Europe and the World Forum for Harmonization of Vehicle Regulations) released an exposure draft of uniform provisions. If it is passed, member countries will be required to implement automotive cybersecurity practices and cybersecurity management systems from January 2021 [71].
The standards and the framework projects provide groundwork for in-depth study. They support applications in the field of automotive security. For the development of modern vehicles, rigorous security engineering is required as well as safety engineering [72]. An overview of how to apply security testing technologies to automotive engineering is given in [73]. Five techniques commonly used in automotive engineering are identified and classified according to their application in different vehicle lifecycle phases and architecture layers. That paper addressed the need to develop testing methods that combine safety aspects as future work. As security was brought up later than safety in automotive development, how to integrate it into the existing lifecycle is discussed in [74]. SAE J3061 suggests some interaction points between safety and security engineering during development processes [75]. In [76], a process to integrate the properties of safety and security throughout automotive system development is proposed and illustrated with the use case of an electronic steering column lock system. Dürrwang et al. adapted the safety hazard analysis method with security guide-words in [77]. It is used to identify threats and security requirements during the safety analysis. In addition, several studies have adapted safety models with security characteristics for system analysis, such as the model of Failure Mode, Vulnerabilities and Effects Analysis (FMVEA) [78] and the model of Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS) [79]. Unlike [80], this paper focuses on the perspective of automotive security engineering: only the threat models originally designed for automotive security with independent inputs and outputs are considered. Thus, the adapted safety models are out of the scope of the discussion.

Security Modeling Methods for Automotive Industry
Since the outputs of threat models identify the potential attacks and the corresponding mitigations, modeling and assessing the security risks is required at the first stage of the design [81]. Several automotive security modeling methods have been proposed for automotive engineering [82]. J3061 Appendix A specifies some methods and techniques, including approaches that originated from framework projects such as EVITA [64] and from standards such as the European Telecommunications Standards Institute (ETSI) Threat, Vulnerability and implementation Risk Analysis (TVRA) standard [83]. In this section, we review the security risk analysis approaches that are widely used by automotive industrial organizations and compare them from different aspects. The aim is to provide hints for automotive engineers to better understand the security models.
A literature survey of the references on automotive security modeling was conducted, and five representative methods for the subject were found. The modeling methods are introduced and their characteristics analyzed in the following subsections.

EVITA
A security process is described in the EVITA project, and a security model is proposed in [84] to analyze the risks of a vehicular IT security system. The threats are investigated and modeled from the dark-side scenarios. The security requirements are derived based on a set of use cases. Since the risk is determined by the probability of a successful attack and the damage caused by the attack, the proposed method takes both factors into account. It calculates the attack potential using the Common Methodology for Information Technology Security Evaluation (CEM) [85]. The CEM method is used for the Common Criteria for Information Technology Security Evaluation (CC) [86]. The likelihood of mounting a successful attack depends on parameters such as the available information about and access to the target, the expertise and tools of the attackers, and the elapsed time the attack takes. The attack paths to achieve the attack objectives can be identified with attack trees. Moreover, the paper presented a method to compute the damage potential from four factors, namely safety, finance, privacy, and operational performance, for the automotive security domain. Among them, safety is the leading factor determining the severity. The safety damage potential is valued according to automotive functional safety in [87]. In [88], the authors summarized a risk matrix based on the EVITA method. The risk matrix is designed by taking the example of railway safety engineering to indicate risk acceptance values, from negligible to unacceptable [89]. The paper also pointed out that the security threats and attack paths are identified from high-level security objectives, which are derived from security questionnaires. This risk assessment approach can provide automotive developers and manufacturers with a systematic method to balance costs against security risks and to make justifiable decisions effectively. The presented approach has been applied by some automotive manufacturers and has been proven in a few projects. An automotive testing and evaluation methodology is proposed and validated for the case study of an automotive Bluetooth interface [90]. The testing is carried out based on the EVITA threat model and the attack trees after the analysis. The main elements and process of the EVITA methodology are summarized and illustrated in Figure 3.
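The attack-tree evaluation introduced in the taxonomy section (AND/OR gates as a quantitative basis for attack potential) and its use in EVITA (attack paths identified with attack trees, leaves rated by CEM-style attack potential factors) can be shown in one piece of code. The following is an added example and not code from the paper, from EVITA or from the CEM: leaf attacks are rated by elapsed time, expertise, knowledge of the target, window of opportunity and equipment, with assumed factor values; OR gates take the easiest branch and AND gates add up the effort of all required sub-attacks; the bands that turn a path's attack potential into an attack probability rating are assumed and only loosely follow the EVITA style of table; and the tree itself, with its leaf names, is constructed for illustration.

```python
"""Attack tree with AND/OR gates evaluated by attack potential.

Added example; not code from the surveyed paper, from EVITA or from the CEM.
Factor values, probability bands and the tree are assumed/constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed CEM-style factor ratings: higher means more effort for the attacker.
FACTORS: Dict[str, Dict[str, int]] = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "sensitive": 7, "critical": 11},
    "window": {"unnecessary": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9},
}

# Assumed bands mapping a path's attack potential to an attack probability
# rating (5 = most likely, 1 = least likely); the exact EVITA thresholds are
# not reproduced here.
PROBABILITY_BANDS = [(0, 9, 5), (10, 13, 4), (14, 19, 3), (20, 24, 2)]


def attack_probability_rating(potential: int) -> int:
    for low, high, rating in PROBABILITY_BANDS:
        if low <= potential <= high:
            return rating
    return 1  # beyond the last band: lowest likelihood


@dataclass
class Node:
    name: str
    gate: str = "LEAF"  # "LEAF", "AND" (all children needed) or "OR" (any child)
    children: List["Node"] = field(default_factory=list)
    ratings: Dict[str, str] = field(default_factory=dict)  # leaves only

    def __post_init__(self):
        if self.gate not in ("LEAF", "AND", "OR"):
            raise ValueError(f"unknown gate {self.gate!r}")
        if self.gate == "LEAF" and set(self.ratings) != set(FACTORS):
            raise ValueError(f"leaf {self.name!r} must rate every factor")
        if self.gate != "LEAF" and not self.children:
            raise ValueError(f"gate {self.name!r} has no children")

    def attack_potential(self) -> int:
        """Effort to reach this node: OR picks the easiest branch, AND sums
        the effort of all required sub-attacks."""
        if self.gate == "LEAF":
            return sum(FACTORS[f][lvl] for f, lvl in self.ratings.items())
        values = [c.attack_potential() for c in self.children]
        return min(values) if self.gate == "OR" else sum(values)

    def easiest_path(self) -> List[str]:
        """Leaf attacks on the minimum-effort path to this node."""
        if self.gate == "LEAF":
            return [self.name]
        if self.gate == "OR":
            return min(self.children, key=Node.attack_potential).easiest_path()
        return [leaf for c in self.children for leaf in c.easiest_path()]


def build_example_tree() -> Node:
    """Constructed tree for the goal 'unauthorized reflash of an ECU'."""
    physical = Node("Physical access to the vehicle", ratings={
        "elapsed_time": "<=1 day", "expertise": "layman", "knowledge": "public",
        "window": "moderate", "equipment": "standard"})        # potential 4
    diag_auth = Node("Defeat diagnostic authentication", ratings={
        "elapsed_time": "<=1 month", "expertise": "expert", "knowledge": "sensitive",
        "window": "easy", "equipment": "specialised"})         # potential 22
    server = Node("Compromise update server credentials", ratings={
        "elapsed_time": "<=6 months", "expertise": "expert", "knowledge": "critical",
        "window": "difficult", "equipment": "standard"})       # potential 44
    signature = Node("Forge update signature", ratings={
        "elapsed_time": ">6 months", "expertise": "multiple experts",
        "knowledge": "critical", "window": "difficult", "equipment": "bespoke"})  # 55
    return Node("Unauthorized ECU reflash", "OR", [
        Node("Via diagnostic port", "AND", [physical, diag_auth]),
        Node("Via OTA update channel", "AND", [server, signature]),
    ])


if __name__ == "__main__":
    root = build_example_tree()
    potential = root.attack_potential()
    print("attack potential of easiest path:", potential)
    print("path:", " + ".join(root.easiest_path()))
    print("attack probability rating:", attack_probability_rating(potential))
```

Reading the result the way the text describes is the point: the minimum-effort path tells the designer which leaf to harden (here the diagnostic path, since raising its effort above the OTA path changes the root potential), and the probability rating is the likelihood half of the risk that EVITA combines with the safety-led damage potential.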
Future Internet 2020, 12, x FOR PEER REVIEW

HEAVENS
The Swedish project HEAVENS, an acronym for "healing vulnerabilities to enhance software security and safety", was funded by VINNOVA to study methods and tools for the security evaluation of automotive electrical and/or electronic (E/E) systems [91]. It outlined a modeling framework to analyze threats, assess risks and estimate security levels. In the end, security requirements and security measures can be derived. One of the deliverables of the project concerns automotive security models. It mentioned several security models from other fields and discussed the distinctions of its work from others in [92]. The security attributes are extended from the classic CIA (confidentiality, integrity and availability) triad to eight security attributes for the objectives applied to vehicles. The STRIDE method is used for threat analysis. The assets of the evaluated system are identified and the corresponding threats are analyzed to characterize the relations between threats and vulnerabilities. Similar to the EVITA method, the threat levels, which reflect the likelihood of the threat, are computed based on the same parameters used in the Common Criteria [85]. The impact of the threats is quantified by considering the expected loss with respect to the objectives, which are safety, finance, operation, and privacy & legislation. Then the security level is derived from the threat level and the impact level to guide the management of the risks for each asset/threat pair. The process of the security model also parallels automotive safety design [93]. Unlike the EVITA approach, which identifies all possible attacks from dark scenarios, the HEAVENS approach focuses more on the effects of possible attacks, which are labeled with a limited number of threat categories. Moreover, the impact of legislation is taken into account in the HEAVENS approach with specific guidelines, as it is for the other three objectives, from the related standards and regulations in [94][95][96]. The general process of the HEAVENS methodology is described in Figure 4.

SINA
A methodology named Security In Networked Automotive (SINA) is presented in [97] to analyze and identify security issues for connected vehicle systems. The car2X scenarios are distinguished according to the communication participants in order to classify the security threats for the chosen problems. Like STRIDE, SINA applies data flow diagrams (DFDs) to analyze the target system. The potential threats are described with keyword-based threat classes. Beyond that, SINA defines an entity named communication zone as a boundary in the communication network, and the threats are categorized into seven classes. Besides threats such as tampering, denial of service, and information disclosure listed in STRIDE, SINA employs specific threat types such as "creation of additional data on a communication channel", "modification of transient information as it is exchanged in a data flow", "eavesdropping on a communication channel", and "blocking of a data flow". A model-based approach is used to enumerate the threats from the DFDs. To improve coverage, attack trees are built for the most severe threats to reveal the risks. The method is designed in alignment with an automotive safety development process so that potential security threats can be identified at the design phase. The risks of the probable effects are evaluated according to the safety severity; other impacts such as privacy and finance are not considered in SINA. The general process of the SINA methodology is shown in Figure 5.
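The DFD-based, keyword-driven threat enumeration described for SINA can be illustrated with an added Python example (this is not code from the survey or from the SINA authors). It models a small connected-car DFD, applies the widely published STRIDE-per-element table to every element and flow, and adds the four SINA channel threats quoted above to each flow that crosses a communication-zone boundary. The DFD itself, the zone names, and the rule that only zone-crossing flows receive the channel threats are constructed assumptions for illustration; SINA's own seven classes are not reproduced here.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD),
extended with SINA-style communication zones.

Added example, not code from the survey or from the SINA/STRIDE authors.
The DFD, the zone names and the zone-crossing rule are constructed; the
STRIDE-per-element mapping follows the widely published Microsoft table, and
the extra flow threats are the four SINA keywords quoted in the text."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Element kinds used in a DFD.
EXTERNAL, PROCESS, STORE, FLOW = "external", "process", "store", "flow"

# STRIDE-per-element: which of S,T,R,I,D,E apply to each element kind.
STRIDE_PER_ELEMENT = {
    EXTERNAL: "SR",
    PROCESS: "STRIDE",
    STORE: "TRID",
    FLOW: "TID",
}
STRIDE_NAMES = {
    "S": "spoofing", "T": "tampering", "R": "repudiation",
    "I": "information disclosure", "D": "denial of service",
    "E": "elevation of privilege",
}

# SINA-style threat classes that only make sense on a data flow.  Applied
# only to flows that cross a communication-zone boundary (assumption).
SINA_FLOW_THREATS = [
    "creation of additional data on a communication channel",
    "modification of transient information as it is exchanged in a data flow",
    "eavesdropping on a communication channel",
    "blocking of a data flow",
]


@dataclass
class Element:
    name: str
    kind: str
    zone: str  # communication zone the element belongs to


@dataclass
class Flow:
    name: str
    src: str
    dst: str


@dataclass
class DFD:
    elements: Dict[str, Element] = field(default_factory=dict)
    flows: List[Flow] = field(default_factory=list)

    def add(self, name: str, kind: str, zone: str) -> None:
        self.elements[name] = Element(name, kind, zone)

    def connect(self, name: str, src: str, dst: str) -> None:
        self.flows.append(Flow(name, src, dst))

    def crosses_zone(self, flow: Flow) -> bool:
        return self.elements[flow.src].zone != self.elements[flow.dst].zone


def enumerate_threats(dfd: DFD) -> List[Tuple[str, str]]:
    """Return (element or flow name, threat description) pairs."""
    threats: List[Tuple[str, str]] = []
    for el in dfd.elements.values():
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            threats.append((el.name, STRIDE_NAMES[letter]))
    for fl in dfd.flows:
        for letter in STRIDE_PER_ELEMENT[FLOW]:
            threats.append((fl.name, STRIDE_NAMES[letter]))
        if dfd.crosses_zone(fl):
            # A flow leaving its zone runs over a less trusted channel,
            # so the SINA channel threats are added for it.
            for t in SINA_FLOW_THREATS:
                threats.append((fl.name, t))
    return threats


def build_sample_dfd() -> DFD:
    # Constructed toy model of a connected car (not from the paper).
    d = DFD()
    d.add("backend server", EXTERNAL, "internet")
    d.add("telematics unit", PROCESS, "vehicle-external")
    d.add("central gateway", PROCESS, "vehicle-internal")
    d.add("brake ECU", PROCESS, "vehicle-internal")
    d.add("firmware image store", STORE, "vehicle-internal")
    d.connect("OTA download", "backend server", "telematics unit")
    d.connect("diagnostic request", "telematics unit", "central gateway")
    d.connect("CAN command", "central gateway", "brake ECU")
    d.connect("firmware write", "central gateway", "firmware image store")
    return d


if __name__ == "__main__":
    for target, threat in enumerate_threats(build_sample_dfd()):
        print(f"{target:22s} {threat}")
```

The output is the raw threat list a modeler would then prune and prioritise; flows that stay inside one zone get only the plain STRIDE flow threats, which is where the zone concept earns its keep.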

SAHARA
A security-aware hazard and risk analysis method (SAHARA) is proposed to combine automotive security and safety analysis in the earlier development phases [98]. The threats are classified with the STRIDE method on the basis of the hazard analysis and risk assessment (HARA) used for safety analysis. Then the impact of the threats is quantified based on three parameters: the resources (R), the knowledge (K) and the threat's criticality (T). A security level is defined from these factors, as illustrated in Figure 6. Instead of estimating the likelihood of the threats, SAHARA focuses on the highly critical threats, which would violate the safety goals. If a safety goal is breached, the threat needs to be handed over to the safety analysis again; with this step, the completeness of the safety analysis can be improved. In the later work presented in [99], the authors extended their threat and risk analysis from a single car to whole car fleets, and remote attacks are considered as well. They proposed a new threat classification approach that quantifies the threats with five parameters: damage potential, reproducibility, exploitability, affected users, and discoverability. A risk priority number is derived by adding the impact factors for each threat. This method has been applied to the use case of automotive battery management.

TVRA
The European Telecommunications Standards Institute (ETSI) originally proposed its threat, vulnerability and risk analysis (TVRA) methodology for standards developers dealing with security issues in the telecommunications industry. ETSI then adapted the method for ITS based on the European V2V communication platform [82]. The TVRA evaluation target is used to identify the threats and risks of the communications and services of the vehicle-to-vehicle and vehicle-to-roadside network infrastructure in the ITS. The security objectives are evaluated by specifying the CIAAA attributes, namely confidentiality, integrity, availability, authenticity and accountability. TVRA is a systematic method to identify the assets of the system and the threats the system may be subject to. The threat classes are defined as interception, manipulation, denial of service, and repudiation of sending and receiving [100]. The potential of the threats is evaluated based on parameters such as knowledge, time, expertise, opportunity, and equipment. The intensity of an attack is scaled with three levels from 1 to 3. Then the likelihood and the impact of a risk can be quantified and the security requirements are derived.
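The threat-level/impact-level structure that HEAVENS, SAHARA and TVRA share can be made concrete in code. The following Python is an added example, not code from the survey or from any of these projects: it rates an attack potential from the five TVRA factors quoted above, buckets it into a threat level, combines that with a HEAVENS-style impact level for each asset/threat pair, and ranks the pairs. The 0..4 factor scales, the band thresholds, the worst-objective-dominates impact rule, the risk matrix with its labels, and the three asset/threat pairs are all constructed assumptions, not the tables of any real method.

```python
"""Threat level x impact level -> risk level, in the shape shared by HEAVENS,
SAHARA and TVRA.  Added example; scales, thresholds, matrix and sample pairs
are constructed assumptions, not the tables of any of those methods."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TVRA attacker-resource factors, each rated 0 (trivially available) .. 4 (very hard to obtain).
FACTORS = ("knowledge", "time", "expertise", "opportunity", "equipment")

# Summed factor score -> threat level, 4 = very likely .. 0 = remote (assumed bands).
THREAT_BANDS: List[Tuple[int, int]] = [(3, 4), (7, 3), (12, 2), (17, 1), (20, 0)]

# HEAVENS impact objectives, each rated 0 (no impact) .. 4 (severe).
IMPACT_OBJECTIVES = ("safety", "finance", "operation", "privacy_legislation")

# RISK[impact_level][threat_level]; labels are assumed, "QM" = no dedicated measure.
RISK = [
    ["QM", "QM", "QM", "low", "low"],
    ["QM", "QM", "low", "low", "medium"],
    ["QM", "low", "medium", "medium", "high"],
    ["low", "medium", "medium", "high", "critical"],
    ["low", "medium", "high", "critical", "critical"],
]
RISK_ORDER = {"QM": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def _check_scale(values: Dict[str, int], keys) -> None:
    for k in keys:
        if not 0 <= values[k] <= 4:
            raise ValueError(f"{k} must be rated 0..4, got {values[k]}")


def attack_potential(ratings: Dict[str, int]) -> int:
    """Higher total = more attacker resources needed = less likely."""
    _check_scale(ratings, FACTORS)
    return sum(ratings[f] for f in FACTORS)


def threat_level(ratings: Dict[str, int]) -> int:
    total = attack_potential(ratings)
    for upper, level in THREAT_BANDS:
        if total <= upper:
            return level
    raise AssertionError("total out of range")  # unreachable, maximum is 20


def impact_level(impacts: Dict[str, int]) -> int:
    """Worst single objective dominates (assumption; a real method may weight them)."""
    _check_scale(impacts, IMPACT_OBJECTIVES)
    return max(impacts[o] for o in IMPACT_OBJECTIVES)


@dataclass
class AssetThreat:
    asset: str
    threat: str
    ratings: Dict[str, int]  # attacker-resource factors
    impacts: Dict[str, int]  # impact per objective

    def risk(self) -> str:
        return RISK[impact_level(self.impacts)][threat_level(self.ratings)]


def rank_pairs(pairs: List[AssetThreat]) -> List[AssetThreat]:
    """Highest risk first; equal risks keep their input order."""
    return sorted(pairs, key=lambda p: RISK_ORDER[p.risk()], reverse=True)


def sample_pairs() -> List[AssetThreat]:
    # Constructed asset/threat pairs for a connected car (not from the paper).
    return [
        AssetThreat("infotainment unit", "denial of service on media streaming",
                    dict(knowledge=1, time=1, expertise=1, opportunity=1, equipment=1),
                    dict(safety=0, finance=1, operation=1, privacy_legislation=0)),
        AssetThreat("brake ECU", "unauthorized actuation command on vehicle bus",
                    dict(knowledge=2, time=2, expertise=3, opportunity=2, equipment=2),
                    dict(safety=4, finance=2, operation=2, privacy_legislation=1)),
        AssetThreat("telematics unit", "eavesdropping on diagnostic channel",
                    dict(knowledge=1, time=1, expertise=2, opportunity=1, equipment=1),
                    dict(safety=0, finance=1, operation=0, privacy_legislation=2)),
    ]


if __name__ == "__main__":
    for p in rank_pairs(sample_pairs()):
        print(f"{p.risk():9s} {p.asset}: {p.threat}")
```

Note how the brake ECU pair ranks highest although its attack potential is the largest of the three: the safety impact dominates, which is exactly the trade-off the automotive methods encode in a matrix rather than a product.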

Comparisons of the Automotive Security Modeling Methods
After reviewing the methods, their considerations and variables are analyzed and compared in order to utilize them appropriately. There are a number of aspects that differentiate the above methods. First, even though all these methods are designed for the automotive field, each method is studied in its specific application context. Second, different security attributes are considered as objectives in the different methods. Third, automotive security modeling methods are inspired by traditional IT security modeling methods, so they use the quantitative and qualitative methods as references. Fourth, safety is the principal factor for vehicles, and many automotive security modeling methods are designed to align with the safety process. Finally, unlike the traditional security modeling methods, risk analysis is a significant part of each method, and the impact elements are considered for different purposes. In order to clarify these aspects, a comparison is made with respect to the reviewed methods and the results are shown in Table 1.


•
Application context: The five modeling methods for automotive security reviewed in the last section are used within different scopes. Some methods target the systems on the vehicle, while others take the V2X scenarios into account. For example, the TVRA method is designed to evaluate the communications and services of the network infrastructure in the ITS.

•
Security attributes: The security attributes are the protected properties of a valuable asset. Ordinarily, security is composed of the attributes of confidentiality, integrity and availability. In the context of automotive systems, the attributes and security objectives are extended by adding authenticity, accountability, authorization, privacy, non-repudiation, and freshness; the explanation of these attributes can be found in [83,92]. Each method specifies different security attributes as objectives.

•
Reference methods: Since automotive security modeling is developed from the traditional IT security modeling methods, the approaches to build a threat model use either quantitative or qualitative methods. Most of these methods have been reviewed in Section 2.

•
Safety related: Safety has always been regarded as a critical engineering concern for the automotive industry. Unlike in IT security, the safety process is essential for automotive design.

•
Risk impacts: Risk assessment is employed to rank the threats with impact level parameters. It helps to analyze the potential impacts of threats on stakeholders such as the user, dealer or manufacturer of the vehicle. Impact factors that can be considered include the safety of the car occupants and road users, the direct and indirect financial cost for the stakeholders, operational incidents, and the violation of privacy and regulations. These factors assist in deriving the security objectives.

•
Inputs and outputs: These factors can be used to better understand the models, especially from the engineering point of view. The perspective of analysis differs between the methods, and thus the required inputs and the starting point differ as well. Since the objectives of each method vary, the outcomes are diverse accordingly.

Discussion
Security analysis is a fundamental activity in the security engineering process. Its purpose is to identify threats and assess potential risks, and then to manage the risks with countermeasures. Security models are built to expound the security characteristics of systems. There are various security models from different domains, but apart from surveys there are few taxonomies to categorize the existing models. Depending on the conditions and usage, some systems only need to enumerate the threats that may be encountered for given types of threats; thus, descriptive models such as STRIDE are sufficient to discover and analyze the security threats. For other applications, vulnerabilities must be evaluated in a quantitative form to attest the security rating, and numerical or stochastic models such as CVSS are needed to present the security properties.
To overcome the security problems in automotive system development, security models need to be explored urgently as essential methods. Several security models designed or adapted for the automotive industry are introduced in the standard SAE J3061. However, how to differentiate the existing automotive security models and apply them in a proper and efficient manner remains unclear. Hence, the common methods that have been used for vehicles have been reviewed and compared with respect to six fundamental aspects, which are of most interest in automotive electrical and electronic (E/E) design.
The security models are chosen depending on the object of analysis. SINA is used for the V2X system of vehicles. The communication between the vehicle and the backend can be analyzed with the TVRA method. The automotive electrical and/or electronic systems include the IT systems and the embedded systems; thus, HEAVENS can be applied to a larger scope than EVITA and SAHARA. STRIDE is utilized by three of the mentioned methods to list the potential threats for further analysis. The attack paths of the dark scenarios are sorted out with attack trees in EVITA. This reflects one of the major differences between EVITA and the other methods: EVITA starts the analysis from the attacker's point of view, while the other methods start from the designer's point of view.
Moreover, the qualitative and quantitative methods from traditional IT security are referenced in the automotive security models. Qualitative methods are used as systematic tools to investigate and state the security threats in descriptive language. Three of the listed automotive security models use the STRIDE method to identify the threats. Since STRIDE is well-structured and widely applied in IT security, it helps engineers to frame the threats and bound the kinds of threats considered. The importance of the threat models lies in identifying the protected goals and the security requirements for the further design in the security process, rather than in enumerating all the threats. Thus, the qualitative methods are preferred for the automotive security models at this stage. Quantitative modeling methods are used to derive a numerical description of security properties. In EVITA, attack trees are used to analyze the potential attacks from the dark scenarios and to calculate the probability of the attack. This also reflects a common fact in the field of security: it is difficult to characterize security in quantitative terms due to its subjective nature, so experts' opinions and descriptive forms are often needed. SINA first uses the STRIDE model to derive the threats and then uses attack trees to determine a minimal set of attacks. Generally, the probabilistic approaches are not well developed and are seldom applied in automotive security. Besides the inherent difficulties of assessing security, automotive security focuses more on the risk level, which determines the following actions.
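To make the attack-tree step that EVITA and SINA rely on concrete, here is an added Python example (not code from the survey, EVITA or SINA). It builds a small AND/OR attack tree, enumerates its minimal attack sets, rates each set by the attack potential of its hardest leaf, and shows how raising one leaf's potential with a countermeasure moves the easiest path. The tree, the leaf ratings, and the rule that OR takes the easiest child while AND is dominated by its hardest child are constructed assumptions for this illustration, not EVITA's published combination tables.

```python
"""AND/OR attack-tree evaluation: minimal attack sets, attack potential of the
easiest path, and the effect of a countermeasure.  Added example; the tree,
ratings and the combination rule are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    name: str
    potential: int  # attacker effort needed, higher = harder (assumed 0..20 scale)


@dataclass(frozen=True)
class Gate:
    name: str
    op: str  # "AND": all children needed, "OR": any child suffices
    children: Tuple["Node", ...]


Node = Union[Leaf, Gate]


def min_potential(node: Node) -> int:
    """Attack potential of the easiest way to realise the node.
    OR takes the easiest child; AND is dominated by its hardest child (assumption)."""
    if isinstance(node, Leaf):
        return node.potential
    vals = [min_potential(c) for c in node.children]
    return min(vals) if node.op == "OR" else max(vals)


def minimise(sets: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    """Drop any set that is a strict superset of another (non-minimal)."""
    return {s for s in sets if not any(o < s for o in sets)}


def attack_sets(node: Node) -> Set[FrozenSet[str]]:
    """Minimal sets of leaf attacks that together realise the node (cut sets)."""
    if isinstance(node, Leaf):
        return {frozenset([node.name])}
    child_sets = [attack_sets(c) for c in node.children]
    if node.op == "OR":
        combined = set().union(*child_sets)
    else:
        combined = {frozenset()}
        for cs in child_sets:
            combined = {a | b for a in combined for b in cs}
    return minimise(combined)


def leaf_potentials(node: Node) -> Dict[str, int]:
    if isinstance(node, Leaf):
        return {node.name: node.potential}
    out: Dict[str, int] = {}
    for c in node.children:
        out.update(leaf_potentials(c))
    return out


def ranked_attack_sets(node: Node) -> List[Tuple[int, FrozenSet[str]]]:
    """Each minimal attack set with its potential (its hardest leaf), easiest first."""
    pots = leaf_potentials(node)
    scored = [(max(pots[n] for n in s), s) for s in attack_sets(node)]
    return sorted(scored, key=lambda t: t[0])


def harden(node: Node, leaf_name: str, new_potential: int) -> Node:
    """Copy of the tree where a countermeasure raises one leaf's potential."""
    if isinstance(node, Leaf):
        return Leaf(node.name, new_potential) if node.name == leaf_name else node
    return Gate(node.name, node.op,
                tuple(harden(c, leaf_name, new_potential) for c in node.children))


def build_sample_tree() -> Gate:
    # Constructed tree; leaf names and ratings are illustrative only.
    reach_tcu = Gate("reach telematics unit", "OR", (
        Leaf("exploit cellular interface", 14),
        Leaf("malicious companion app", 9)))
    remote = Gate("remote path", "AND", (reach_tcu, Leaf("traverse gateway filter", 8)))
    local = Gate("local path", "AND", (
        Leaf("physical access to diagnostic port", 3),
        Leaf("bypass diagnostic authentication", 7)))
    return Gate("unauthorized brake command on vehicle bus", "OR", (remote, local))


if __name__ == "__main__":
    tree = build_sample_tree()
    for pot, s in ranked_attack_sets(tree):
        print(pot, sorted(s))
    hardened = harden(tree, "bypass diagnostic authentication", 12)
    print("easiest path before/after:", min_potential(tree), min_potential(hardened))
```

The ranked list is what a designer reads: the easiest minimal attack set is the one to address first, and re-evaluating after a countermeasure shows whether the next-easiest path now dominates, which is the risk-driven loop the automotive methods describe.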
In addition, different security properties are considered for different targets. One of the important objectives of security is to guard the safety functions of vehicles. Safety being a primary requirement, all of the above methods except TVRA consider it in the security modeling. To implement threat modeling for automotive security, most methods require use cases as input. For SAHARA, the outcomes of the safety analysis are needed as well. The other methods treat safety as an impact factor; they are all designed from the security perspective. Different from the traditional security models, the methods used for automotive security include threat or severity levels for risk determination. These numerical parameters are defined by considering the impact factors that are typical for the automotive industry, and they differ from the quantitative security methods introduced in Section 2. However, there are still no unified criteria to standardize the risk level and guide the industry. Developing a security assurance level for automobiles is currently one of the industry's biggest demands.

Conclusions and Outlook
Security modeling is required within virtually all security design cycles, especially for automotive design. Systematic approaches to model threats and rank security risks can be used as inputs to the architectural design of secure systems. To better understand the problem of automobile security, it is necessary to analyze the threats and assess the risks at the beginning of the design. In-depth knowledge of the security threats and risks faced by the intelligent connected vehicle is conducive to coping with the security problems fundamentally. Moreover, the upcoming automotive security standard underlines the importance of threat modeling and requires designers to utilize suitable modeling methods. Based on this survey and comparison, a rational choice of the proper method can be made for security evaluation in automotive security engineering. Afterwards, the appropriate methods can be derived and applied to the corresponding protected systems and scenarios. Furthermore, the security models for different phases in the lifecycle of automobiles can be investigated. Since the integration and coordination of safety and security in the automotive domain are still being explored, models combining these two properties deserve further discussion.

Figure 1. The structure of this article.

Figure 3. The main elements and process of the EVITA method.

Figure 4. The general process of the HEAVENS method.

Figure 5. The diagram of the SINA method.

Figure 6. The criteria to derive the security level in the SAHARA method.

Table 1. Comparison of the automotive security models.