Logo PTI Logo FedCSIS

Proceedings of the 17th Conference on Computer Science and Intelligence Systems

Annals of Computer Science and Information Systems, Volume 30

Heuristic Risk Treatment for ISO/SAE 21434 Development Projects

, , ,

DOI: http://dx.doi.org/10.15439/2022F136

Citation: Proceedings of the 17th Conference on Computer Science and Intelligence Systems, M. Ganzha, L. Maciaszek, M. Paprzycki, D. Ślęzak (eds). ACSIS, Vol. 30, pages 653662 ()

Full text

Abstract. Due to new technologies for connectivity, automotive systems shift from a closed to an open system approach. Therefore, automotive systems have a rising demand for security, letting security be an upcoming field in research and practice. Also, the newly published process standard ISO/SAE 21434 demands adjustments in the development process to address cybersecurity. The unique characteristics of automotive systems leave many approaches from other system types inapplicable. This work concentrates on the risk treatment step in the cybersecurity development process. Due to the vast amount of differing terminology, we see the need to define a flexible taxonomy adaptable to several system types and used in systems with normative references. We use this taxonomy to develop a heuristic approach for risk treatment based on a distinct terminology for security requirements. The presented method is extendable to include several trade-off points.


  1. ISO, “ISO/SAE 21434:2021 Road vehicles – Cybersecurity engineering,” 2021.
  2. C. Jakobs, B. Naumann, M. Werner, K. Schmidt, J. Eichler, and H. Heskamp, “Streamlining Security Relevance Analysis According to ISO 21434,” in Proceedings of the 5th International Conference on Networking, Information Systems & Security (NISS’22). IEEE, 2022, to appear.
  3. U. Nations, “Proposal for a New UN Regulation on Uniform Provisions Concerning the Approval of Vehicles with Regards to Cyber Security and Cyber Security Management System (UN Regulation No. 155),” 2020.
  4. C. Jouvray, A. Kung, M. Sall, A. Fuchs, S. Gürgens, R. Rieke, Y. Roudier, and B. Weyl, “EVITA Deliverable D3. 1: Security and trust model,” Tech. Rep. 3.1, 2009.
  5. C. P. Pfleeger and S. L. Pfleeger, Security in Computing, 3rd ed. Prentice Hall, 2003. ISBN 978-0-13-035548-5
  6. L. Chung, Ed., Non-Functional Requirements in Software Engineering, ser. The Kluwer International Series in Software Engineering. Kluwer Academic, 1999. ISBN 978-0-7923-8666-7
  7. A. Akhunzada, E. Ahmed, A. Gani, M. K. Khan, M. Imran, and S. Guizani, “Securing Software Defined Networks: Taxonomy, Requirements, and Open Issues,” IEEE Communications Magazine, vol. 53, no. 4, pp. 36–44, 2015. http://dx.doi.org/10.1109/MCOM.2015.7081073
  8. M. Ahmadvand, A. Pretschner, and F. Kelbert, “A Taxonomy of Software Integrity Protection Techniques,” in Advances in Computers. Elsevier, 2019, vol. 112, pp. 413–486.
  9. State Administration for Market Regulation; Standardization Administration of the People’s Republic of China., “Technical requirements and test methods for cybersecurity of on-board information interactive system (GB/T 40856-2021),” 2021.
  10. “Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies,” 2016-09. [Online]. Available: https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
  11. B. Weyl, M. Wolf, F. Zweers, T. Gendrullis, M. S. Idrees, Y. Roudier, H. Schweppe, H. Platzdasch, R. El Khayari, O. Henniger et al., “EVITA Deliverable D3. 2: Secure On-board Architecture Specification,” 2011.
  12. C. Irvine and T. Levin, “Toward a Taxonomy and Costing Method for Security Services,” in Proceedings 15th Annual Computer Security Applications Conference (ACSAC’99). IEEE Comput. Soc, 1999. doi: 10.1109/CSAC.1999.816026 pp. 183–188.
  13. K. Lee, Y. Lee, H. Lee, and K. Yim, “A Brief Review on JTAG Security, year=2016, pages=486-490, doi=10.1109/IMIS.2016.102,” in 2016 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS).
  14. D. Angermeier, K. Beilke, G. Hansch, and J. Eichler, “Modeling Security Risk Assessments,” p. 14, 2019. http://dx.doi.org/10.13154/294-6670
  15. A. Ruddle, D. Ward, B. Weyl, S. Idrees, Y. Roudier, M. Friedewald, T. Leimbach, A. Fuchs, S. Gürgens, O. Henniger et al., “EVITA Deliverable D2.3: Security Requirements for Automotive on-Board Networks Based on Dark-Side Scenarios,” 2009.
  16. B. Schneier, “Academic: Attack Trees - Schneier on Security,” 1999. [Online]. Available: https://www.schneier.com/academic/archives/1999/12/attack_trees.html
  17. S. Mauw and M. Oostdijk, “Foundations of Attack Trees,” in Information Security and Cryptology - ICISC 2005, ser. Lecture Notes in Computer Science, D. H. Won and S. Kim, Eds. Springer Berlin Heidelberg, 2006, vol. 3935, pp. 186–198.
  18. G. Hansch, “Automating Security Risk and Requirements Management for Cyber-Physical Systems,” 2020.
  19. C. Jakobs, M. Werner, K. Schmidt, and G. Hansch, “Following the White Rabbit: Integrity Verification Based on Risk Analysis Results,” in Computer Science in Cars Symposium. ACM, 2021. http://dx.doi.org/10.1145/3488904.3493377
  20. C. Jakobs, M. Werner, and P. Tröger, “Dynamic Composition of Cyber-Physical Systems,” in 52th Hawaii International Conference on System Sciences (HICSS), 2019. http://dx.doi.org/10.24251/HICSS.2019.869
  21. C. Jakobs, B. Naumann, M. Werner, and K. Schmidt, “Verification of Integrity in Vehicle Architectures,” in Proceedings of the 3rd International Conference on Networking, Information Systems & Security. ACM, 2020. http://dx.doi.org/10.1145/3386723.3387883