The Journal of The Korea Institute of Intelligent Transport Systems (한국ITS학회 논문지)

The Korea Institute of Intelligent Transport Systems (한국ITS학회)
권호 표지
DOI QR코드

DOI QR Code

Deriving Essential Security Requirements of IVN through Case Analysis

사례 분석을 통한 IVN의 필수 보안 요구사항 도출

  • Song, Yun keun (Cyber Security Division, ESCRYPT) ;
  • Woo, Samuel (Electronics and Telecommunications Research Institute(ETRI)) ;
  • Lee, Jungho (Korea Information Certificate Authority Inc.(KICA)) ;
  • Lee, You sik (Cyber Security Division, ESCRYPT)
  • 송윤근 (에스크립트 사이버보안사업팀) ;
  • 우사무엘 (한국전자통신연구원 초연결통신연구소) ;
  • 이정호 (한국정보인증 서비스운영팀) ;
  • 이유식 (에스크립트 사이버보안사업팀)
  • Received : 2019.04.01
  • Accepted : 2019.04.26
  • Published : 2019.04.30
Download PDF
⟨ Previous Next ⟩

Abstract

One of the issues of the automotive industry today is autonomous driving vehicles. In order to achieve level 3 or higher as defined by SAE International, harmonization of autonomous driving technology and connected technology is essential. Current vehicles have new features such as autonomous driving, which not only increases the number of electrical components, but also the amount and complexity of software. As a result, the attack surface, which is the access point of attack, is widening, and software security vulnerabilities are also increasing. However, the reality is that the essential security requirements for vehicles are not defined. In this paper, based on real attacks and vulnerability cases and trends, we identify the assets in the in-vehicle network and derive the threats. We also defined the security requirements and derived essential security requirements that should be applied at least to the safety of the vehicle occupant through risk analysis.

오늘날 자동차 산업의 화두 중 하나는 자율주행차량이다. 국제자동차기술자협회(SAE International)가 정의한 레벨 3이상을 달성하기 위해서는 자율주행 기술과 커넥티드 기술의 조화가 필수적이다. 현재의 차량은 자율주행과 같은 새로운 기능을 가지게 됨에 따라 전장 부품의 수뿐 만 아니라 소프트웨어의 양과 복잡성도 늘어났다. 이로 인해 공격 표면(Attack surface)이 확대되고, 소프트웨어에 내재된 보안 취약점도 늘어나고 있다. 실제로 커넥티드 기능을 가진 차량의 보안 취약점을 악용하여 차량을 강제 제어할 수 있음이 연구자들에 의해 증명되기도 했다. 하지만 차량에 적용 되어야 하는 필수적인 보안 요구 사항은 정의되어 있지 않는 것이 현실이다. 본 논문에서는 실제 공격 및 취약점 사례를 바탕으로 차량내부네트워크(In-Vehicle Network)에 존재하는 자산을 식별하고, 위협을 도출하였다. 또한 보안요구사항을 정의 하였고, 위험 분석을 통해 사이버 보안으로 인한 안전 문제를 최소화하기 위한 필수 보안 요구 사항을 도출하였다.

Keywords

References

  1. Alexander K., Daniel A., Herve S., Tyrone S. and Marko W.(2013), "Trust assurance levels of cybercars in v2x communication," 2013 ACM workshop on Security, privacy & dependability for cyber vehicles, pp.49-60.
  2. Charlie M. and Chris V.(2015), Remote exploitation of an unaltered passenger vehicle, Black Hat USA 2015.
  3. Common Vulnerabilities and Exposures, "CVE-2017-6054," https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6054, accedded 2019.03.29.
  4. Common Vulnerabilities and Exposures, "CVE-2018-1170," https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1170, accessed 2019.03.29, 2019e
  5. Common Vulnerabilities and Exposures, "CVE-2018-16806," https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16806, accessed 2019.03.29, 2019d
  6. Common Vulnerabilities and Exposures, "CVE-2018-18071," https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18071, accessed 2019.03.29, 2019c
  7. Common Vulnerabilities and Exposures, "CVE-2018-18203," https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18203, accessed 2019.03.29, 2019b
  8. Common Vulnerabilities and Exposures, "CVE-2018-9322," https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-9322, accessed 2019.03.29, 2019a
  9. Conde Nast, https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can-steal-car/, 2019. 03. 29.
  10. for Information Technology Security Evaluation - Evaluation methodology, https://www.commoncriteriaportal.org/files/ccfiles/CEMV3.1R5.pdf.
  11. Hiro O.(2012), "Paradigm change of vehicle cyber security," 2012 4th International Conference on Cyber Conflict(CYCON 2012), pp.1-11.
  12. ISO, ISO/SAE CD 21434 Road Vehicles - Cybersecurity engineering, https://www.iso.org/standard/70918.html", accessed 2019.04.26.
  13. ISO/IEC 15408(2017), Common Methodology
  14. Karl K., Alexei C., Franziska R., Shwetak P., Tadayos K., Stephen C., Damon M., Brian K., Danny A., Hovav S and Stefan S, (2010), "Experimental Security Analysis of a Modern Automobile," 2010 IEEE Symposium on Security and Privacy, pp.447-462.
  15. Marko W. and Michael S.(2009), A Systematic Approach to a Quantified Security Risk Analysis for Vehicular IT Systems, Automotive-Safety Security 2012, pp.195-210.
  16. Marko W.(2018), "Strategies against being taken hostage by ransomware," ATZelektronik worldwide, vol. 13, no. 2, pp.44-47. https://doi.org/10.1007/s38314-018-0011-3
  17. Pen Test Partners LLP, https://www.pentestpartners.com/security-blog/hacking-the-mitsubishi-outlander-phev-hybrid-suv, 2019. 03. 29.
  18. PricewaterhouseCoopers(PwC) GmbH(2017), The 2017 Strategy & Digital Auto Report, https://www.strategyand.pwc.com/media/file/2017-Strategyand-Digital-Auto-Report.pdf.
  19. PricewaterhouseCoopers(PwC) GmbH(2018), Five trends transforming the Automotive Industry, https://www.pwc.at/de/publikationen/branchen-und-wirtschaftsstudien/eascy-five-trends-transforming-the-automotive-industry_2018.pdf.
  20. SAE International(2018), $J3016^{TM}$ Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles, https://saemobilus.sae.org/content/J3016_201806.
  21. Sen N., Ling L. and Yuefeng D.(2017), Free-Fall: Hacking Tesla From Wireless to Can Bus, Black Hat USA 2017.
  22. Tencent Keen Security Lab, https://keenlab.tencent.com/en/2018/05/22/New-CarHacking-Research-by-KeenLab-Experimental-Security-Assessment-of-BMW-Cars/, 2019.03.31.
  23. US DoT(2017), An Introduction to Connected Automated Vehicles, https://www.its.dot.gov/presentations/2017/CAV2017_AdvTechTransport.pdf.
  24. Yousik L., Samuel W., Jungho L., Yunkeun S., Heeseok M. and Donghoon L.(2019), "Enhanced Android App-Repackaging Attack on In-Vehicle Network," Wireless Communications and Mobile Computing, vol. 2019, no. 5650245, p.13.