Automotive industry standards recommend threat modelling as a key element in strengthening the cybersecurity of road vehicles. Modern cars contain multiple networks and can feature numerous data connections to the outside world, which need to be evaluated. James Tyrrell provides an overview of available tools from simple drawing and flow-charting applications through to more automated threat-generation solutions with built-in libraries and templating options.
ISO/SAE 21434, due for release in 2020, brings consensus on cybersecurity engineering for the automotive sector. The guidelines consider all phases of a vehicle’s life – design & engineering, production, customer use, maintenance & service, and decommissioning – and their scope includes on-board systems, components, software and connections to external devices & networks.
The upcoming standard builds on SAE’s ‘Cybersecurity Guidebook for Cyber-physical Systems’ (J3061), released in 2016, which bolstered current functional safety process guidelines (ISO 26262) by offering recommendations on how to inject cybersecurity into product design, validation and communication, acknowledging the interconnectivity of today’s and future vehicles.
Drill down into the process and you’ll soon find a requirement for threat analysis and risk assessment (TARA), which brings us to the topic of this blog post – what tools are available to enhance the exercise and identify security weaknesses more readily?
In his book ‘Threat Modeling: Designing for Security’ – which has done a great job of introducing people to the world of threat modelling – Adam Shostack reminds readers that all you need to get started is a pencil and paper or a whiteboard. Drawing tools could be added to this list, as a first step in automating the process.
A free web app for producing flowcharts, including data flow diagrams (DFDs). Libraries have been created by users to enhance the tool’s threat modelling capabilities – for example, see drawing elements created by Michael Henriksen, which suit DFD and attack tree methods.
An online tool with paid-for ‘advanced’ and ‘starter’ subscriptions as well as a free ‘express’ option. The ability to produce DFDs and threat modelling diagrams is available on both ‘starter’ and ‘advanced’ plans.
THREAT MODELLING SOLUTIONS
Adding industry-relevant threat libraries and templates to the modelling process speeds up threat generation and allows participants to apply knowledge from ‘outside the room’.
Microsoft’s offering is a popular and free tool that can be loaded with threat-filled templates based on the STRIDE (Spoofing, Tampering, Repudiation, Information loss, Denial of service and Elevation of privilege) framework.
Once a template has been selected, dragging and dropping icons (stencils) onto an on-screen canvas allows users to create DFDs for analysis. Switching to the analysis view displays an exportable list of threats that are generated according to the various element-element interactions present in the DFD.
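The threat-generation step described above, where each element-to-element interaction in the DFD is matched against a template, can be reduced to a small rule engine. The example below is added here and is not the Microsoft tool's own rule set or template format: the element types, trust zones, the six rules and the connected-vehicle model are all constructed for illustration. It shows why a tool can produce a long list from a modest diagram and why the flow attributes (authenticated, encrypted, which trust boundary is crossed) are what drive it.

```python
"""STRIDE-per-interaction threat generation over a small data flow diagram.

Added illustration; not the Microsoft Threat Modeling Tool's rules or format.
Every rule below is an assumption made for the example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed trust-zone ranking: higher rank = more trusted (assumption).
ZONE_RANK: Dict[str, int] = {"outside": 0, "telematics": 1, "gateway": 2, "vehicle_bus": 3}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # key into ZONE_RANK


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    label: str
    authenticated: bool = False   # sender and integrity of the flow are verified
    encrypted: bool = False       # confidentiality of the flow is protected


@dataclass(frozen=True)
class Threat:
    category: str
    flow: str
    description: str


def generate_threats(flows: List[Flow], zone_rank: Dict[str, int]) -> List[Threat]:
    """Apply one simplified STRIDE rule per category to every flow (assumed rules)."""
    threats: List[Threat] = []
    for f in flows:
        crosses = f.src.zone != f.dst.zone                      # crosses a trust boundary
        from_lower = zone_rank[f.src.zone] < zone_rank[f.dst.zone]   # less-trusted sender
        into_process = f.dst.kind == "process"
        if into_process and crosses and not f.authenticated:
            threats.append(Threat("Spoofing", f.label,
                                  f"{f.src.name} can be impersonated towards {f.dst.name}"))
        if crosses and not f.authenticated:
            threats.append(Threat("Tampering", f.label,
                                  f"'{f.label}' can be altered in transit without detection"))
        if f.dst.kind == "store" and not f.authenticated:
            threats.append(Threat("Repudiation", f.label,
                                  f"writes to {f.dst.name} cannot be attributed to a sender"))
        if crosses and not f.encrypted:
            threats.append(Threat("Information disclosure", f.label,
                                  f"'{f.label}' is readable on the boundary"))
        if into_process and from_lower:
            threats.append(Threat("Denial of service", f.label,
                                  f"{f.dst.name} can be flooded from a less-trusted zone"))
        if into_process and from_lower and not f.authenticated:
            threats.append(Threat("Elevation of privilege", f.label,
                                  f"unverified input lets {f.src.name} drive {f.dst.name}"))
    return threats


def summarize(threats: List[Threat]) -> Dict[str, int]:
    """Count generated threats per STRIDE category."""
    return dict(Counter(t.category for t in threats))


def build_example_model() -> List[Flow]:
    """Constructed connected-vehicle DFD (sample data, not a real architecture)."""
    backend = Element("Cellular backend", "external", "outside")
    tcu = Element("Telematics unit", "process", "telematics")
    gateway = Element("CAN gateway", "process", "gateway")
    body = Element("Body controller", "process", "vehicle_bus")
    log = Element("Event log", "store", "telematics")
    return [
        Flow(backend, tcu, "OTA package", authenticated=False, encrypted=True),
        Flow(tcu, gateway, "diagnostic request"),
        Flow(gateway, body, "door unlock command", authenticated=True, encrypted=False),
        Flow(tcu, log, "session record"),
    ]


if __name__ == "__main__":
    found = generate_threats(build_example_model(), ZONE_RANK)
    for t in found:
        print(f"[{t.category}] {t.flow}: {t.description}")
    print(summarize(found))
```

Four flows yield twelve candidate threats here, which is the point: the list is a starting point for review, not a verdict, and each attribute you set on a flow (for example marking the door-unlock command as authenticated) prunes a whole category of output.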
At Microsoft, the tool is used by software architects, but it has been applied in other sectors too. For example, medical device and automotive specific templates have been made available by their creators — GE Healthcare and NCC Group, respectively — which others can, and have, used and adapted.
Case studies featuring the MS Threat Modeling Tool include analysis of interior lighting (Karahasanovic et al., 2017) and adaptive cruise control (Wolf, 2018). Also worth adding to the list, based on their use of STRIDE, are threat models of an emergency brake light system (Van Winsen, 2017) and a head unit within a connected car (Knight, 2018).
Developed by Swedish firm foreseeti, securiCAD is a commercial threat modelling solution that – as well as providing a list of threats – can generate data such as the ‘average time to compromise’ and highlight high risk exposure as well as ‘choke points’ between potential attackers and high-value assets.
Foreseeti is working with Volvo, and other partners, as part of a work package dubbed THREAT MOVE (THREAT MOdeling and simulation of VEhicle IT). The four-year project, funded through Vinnova, Sweden’s innovation agency, runs until 2021, and interim results have been published in a 2018 report.
Geared towards ISO 21434, Yakindu security analyst – created by German firm Itemis – “enables a comprehensive risk analysis of technical systems in the (automotive) development process”. Users can choose to model components, interfaces and data flows either textually or graphically. Site manager Dirk Leopold adds more detail on where threat modelling fits into the upcoming standard in the firm’s latest blog post.
Available via an annual subscription, ThreatModeler is a commercial package featuring drag and drop icons and templates. In a recent video, the team has shown how its tool can be used to threat model a connected vehicle platform. Other features of the tool include automatic attack tree generation.
Now is a good time to mention ADTool, which takes the application of attack trees a step further by enabling the creation and editing of attack-defence trees. The method not only models attacker behaviour, but also captures possible countermeasures. The software is developed by researchers based at the University of Luxembourg, who also provide a library of trees.
To see an example of an automotive attack tree (although not one necessarily created using ADTool), check out a 2017 study by researchers at Warwick University who examined threats that could lead to the failure of collaborative cruise control.
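The attack-defence tree idea from the two paragraphs above – attacker goals refined with AND/OR into steps, with countermeasures attached to the nodes they block – is easiest to understand by evaluating one. The example below is an added illustration; it is not ADTool's code or file format, and the cruise-control tree in it is constructed for the example rather than taken from the Warwick study. It computes the attacker's cheapest route to the root under a given set of deployed defences, and ranks single defences by how much they raise that cost, which is the tree-based view of the ‘choke point’ question securiCAD answers with its own methods.

```python
"""Attack-defence tree evaluation (added example, not ADTool's own code).

A node is an AND or OR refinement of child attacks, or a LEAF step with an
attacker cost in arbitrary effort units. A node may carry one countermeasure
name; if that defence is deployed the node is blocked (cost = infinity).
Costs and defences are constructed for illustration (assumptions).
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

INF = float("inf")


@dataclass
class AttackNode:
    name: str
    op: str = "LEAF"                      # "AND", "OR" or "LEAF"
    cost: float = 0.0                     # attacker effort for a LEAF
    children: List["AttackNode"] = field(default_factory=list)
    countermeasure: Optional[str] = None  # defence that blocks this node


def cheapest_path(node: AttackNode, deployed: Set[str]) -> Tuple[float, List[str]]:
    """Return (minimum cost, leaf steps used) to achieve `node` given deployed defences."""
    if node.countermeasure and node.countermeasure in deployed:
        return INF, []
    if node.op == "LEAF":
        return node.cost, [node.name]
    results = [cheapest_path(c, deployed) for c in node.children]
    if node.op == "AND":                          # every child is required
        total = sum(c for c, _ in results)
        leaves = [leaf for _, ls in results for leaf in ls] if math.isfinite(total) else []
        return total, leaves
    if node.op == "OR":                           # attacker picks the cheapest child
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown op {node.op!r}")


def min_attack_cost(node: AttackNode, deployed: Set[str]) -> float:
    return cheapest_path(node, deployed)[0]


def is_blocked(node: AttackNode, deployed: Set[str]) -> bool:
    return min_attack_cost(node, deployed) == INF


def rank_defences(root: AttackNode, candidates: List[str]) -> List[Tuple[str, float]]:
    """Order single defences by the attacker cost they force, highest first."""
    scored = [(d, min_attack_cost(root, {d})) for d in candidates]
    return sorted(scored, key=lambda s: (-s[1], s[0]))


DEFENCES = ["OBD port authentication", "Secure boot on TCU",
            "Message authentication on bus", "V2V message signing"]


def build_tree() -> AttackNode:
    """Constructed cruise-control attack-defence tree (illustrative values)."""
    bus_access = AttackNode("Gain access to sensor bus", "OR", children=[
        AttackNode("Physical OBD access", cost=2, countermeasure="OBD port authentication"),
        AttackNode("Compromise telematics unit", cost=8, countermeasure="Secure boot on TCU"),
    ])
    forge_sensor = AttackNode("Inject forged distance data", "AND", children=[
        bus_access,
        AttackNode("Craft valid sensor frames", cost=3,
                   countermeasure="Message authentication on bus"),
    ])
    spoof_v2v = AttackNode("Spoof leading vehicle via V2V", "AND", children=[
        AttackNode("Obtain V2V transmitter", cost=5),
        AttackNode("Forge V2V messages", cost=4, countermeasure="V2V message signing"),
    ])
    return AttackNode("Force unintended braking by cruise control", "OR",
                      children=[forge_sensor, spoof_v2v])


if __name__ == "__main__":
    root = build_tree()
    print("no defences:", cheapest_path(root, set()))
    print("ranked single defences:", rank_defences(root, DEFENCES))
    both = {"Message authentication on bus", "V2V message signing"}
    print("blocked with bus MAC + V2V signing:", is_blocked(root, both))
```

In this toy tree, protecting the OBD port or authenticating bus messages each push the attacker onto the V2V branch, while bus authentication together with V2V signing closes the root entirely; ADTool's own semantics also allow a countermeasure to be attacked in turn, which this example leaves out.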
Delivered through the Open Web Application Security Project (OWASP), Threat Dragon is a free, open-source threat modelling application that aims to fill a cross-platform (Windows, Mac & Linux) gap by supporting teams implementing the STRIDE approach. More details, including how to download the desktop version and get started with Threat Dragon for the first time, can be found at docs.threatdragon.org.
First developed in 2014, the cutely named SeaSponge remains available as an online demo. Although the code is no longer maintained, the tool nonetheless highlights the potential for an accessible, intuitive web-based approach to threat modelling.