A Study on Threat Analysis and Risk Assessment Based on the &#x201C;Asset Container&#x201D; Method and CWSS

Yasuyuki Kawanishi; Hideaki Nishihara; Hirotaka Yoshida; Hideki Yamamoto; Hiroyuki Inoue

doi:10.1109/ACCESS.2023.3246497

IEEE Access (Jan 2023)

A Study on Threat Analysis and Risk Assessment Based on the “Asset Container” Method and CWSS

Yasuyuki Kawanishi,
Hideaki Nishihara,
Hirotaka Yoshida,
Hideki Yamamoto,
Hiroyuki Inoue

Affiliations

Yasuyuki Kawanishi: ORCiD; Cyber-Security Research and Development Office, Research and Development Unit, Sumitomo Electric Industries Ltd, Osaka, Japan
Hideaki Nishihara: ORCiD; SEI-AIST Cyber Security Cooperative Research Laboratory, Cyber Physical Security Research Center, National Institute of Advanced Industrial Science and Technology (AIST), Osaka, Japan
Hirotaka Yoshida: SEI-AIST Cyber Security Cooperative Research Laboratory, Cyber Physical Security Research Center, National Institute of Advanced Industrial Science and Technology (AIST), Osaka, Japan
Hideki Yamamoto: Cyber-Security Research and Development Office, Research and Development Unit, Sumitomo Electric Industries Ltd, Osaka, Japan
Hiroyuki Inoue: ORCiD; SEI-AIST Cyber Security Cooperative Research Laboratory, Cyber Physical Security Research Center, National Institute of Advanced Industrial Science and Technology (AIST), Osaka, Japan

DOI: https://doi.org/10.1109/ACCESS.2023.3246497
Journal volume & issue: Vol. 11
pp. 18148 – 18156

Abstract

Read online

In recent years, legislation and standardization of cyber security management for cyber-physical systems such as automotive systems have been progressing steadily. ISO/SAE 21434, published in 2021, addresses the management and analysis of electrical systems within road vehicles from a cybersecurity perspective. It also recommends some methods for the threat analysis and risk assessment (TARA) process. However, there are two problems in the evaluation methods derived from conventional security analysis approaches. One problem is related to the insufficient evaluation of attack feasibilities for cyber-physical systems by the CVSS-based approach. Another problem is the unclear relationship between damage factors in analyzing the impact of damage to each asset. In this paper, we focus on the TARA process, and apply an “asset container” method for threat classification, proposed by the authors at DECSoS 2017, and a CWSS-based risk quantification method. Moreover, we can also add some perspective to improve risk evaluation suitable for automotive systems. Following our past studies on methodologies to evaluate the risk of such special cyber-physical systems, we can quantify risks limited to some cyber-physical systems, such as direct access attacks to in-vehicle networks.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords