Automotive Risk Management Optimization
Abstract
Original Equipment Manufacturers (OEMs) and their supply chain must engage in a prioritized and comprehensive approach to risk management and mitigation to ensure cyber-secure vehicles and regulatory compliance. This entails orchestration across various organizational units such as Research and Development (R&D), risk management, penetration testing, homologation, Vehicle Security Operations Center (VSOC) and more. Optimizing this multifaceted process is imperative for achieving both effectiveness and efficiency in the risk management process.
To attain optimal outcomes, it is essential to integrate, consolidate and synergize the diverse information sources, including abstract system models, vulnerability data, threat intelligence, financial considerations, etc. By teaming these inputs, we can enhance the overall process and yield the desired optimized results. Neglecting this integrated approach could lead to significant futile expenses and compromised cybersecurity in vehicles.
Note: This article is a continuation of the article “The pillars of automotive risk management” which can be found here: https://systemweaver.com/insights/the-pillars-of-automotive-risk-management
The challenge
The risk management process often operates in isolation, neglecting integration with other crucial organizational functions. Several examples illustrate this point:
- Compliance-focused approach: Risk management efforts may prioritize regulatory compliance over broader cybersecurity objectives. While compliance is important, it should be integrated into a comprehensive risk management framework that addresses evolving cyber threats effectively.
- Disconnected tools and systems: Each department may utilize its own set of tools and systems for risk assessment and management, leading to disjointed processes and inconsistent outcomes. Integration of these tools is essential for streamlining operations and enhancing overall effectiveness.
- Vulnerabilities: Typically prioritized based solely on their Common Vulnerability Scoring System (CVSS) severity score, irrespective of contextual considerations. This often results, for example, in OEMs indiscriminately forwarding all high and critical severity vulnerabilities to their Tier 1 suppliers for fixing. For instance:
- A medium-severity vulnerability identified in a Telematics Control Unit (TCU) connected to a cellular network should bear higher priority due to its exposure to potential cyber threats.
- Conversely, a high-severity vulnerability detected in a Body Control Module (BCM) situated behind two secured gateways (GW) might be dismissed, as the risk is mitigated by transference to the gateways, rendering the BCM effectively protected.
- Threat intelligence: May circulate within the organization, but it often fails to influence R&D priorities. For instance, a particular In-Vehicle Infotainment (IVI) system may become a prime target for hackers, necessitating heightened security measures. However, vulnerabilities within this system might still be addressed solely based on their severity, without considering the specific intelligence regarding hackers' intent to exploit them.
- Commercial considerations: Typically overlooked in decision-making processes. However, when faced with budget constraints, OEMs should prioritize implementing controls that impact larger fleets or commercial vehicles, as they pose a greater risk of causing severe accidents. Additionally, prestigious sports cars may also warrant prioritization due to the potential for significant brand damage in the event of a cybersecurity incident.
- Lack of collaboration: Risk management teams may work independently, without sufficient interaction with other departments such as R&D, procurement, or legal. This siloed approach limits the effectiveness of risk mitigation efforts.
- Incomplete information sharing: Critical information related to cybersecurity threats or vulnerabilities may not be adequately communicated between different departments. This fragmented communication hampers the organization's ability to address risks comprehensively. The controls resulting from the abstract system model analysis disregard the cost of implementation. There might be a case in which addressing three relatively cheap controls versus an expensive one may ultimately result in an improved cybersecurity posture.
Optimized risk management
The figure below illustrates the pillars of automotive risk management:
Figure 1 - The pillars of automotive risk management
These pillars serve as the foundational elements guiding effective risk management practices within the automotive industry. The pillars on the left-hand side of the figure are:
- Security requirements – the pivotal source of information. They originate from the OEM's own Threat Analysis and Risk Assessment (TARA) and are cascaded down the supply chain (and to self-sufficient OEMs).
- System abstract model – output of the engineering process.
- Vulnerabilities – a concrete source of information for generating threat scenarios that lead to damage.
- Threat Intelligence – an information source that has the power to affect the severity and priority assigned to security requirements and controls in response to emerging threats.
- Penetration testing – the final line of defense before production.
- Real-time security events – this is the true last line of defense and the only security dedicated, devoted, and independent component in the vehicle. All qualified security events are dispatched to the VSOC through the Security Incidents and Events Management (SIEM).
All these pillars typically operate independently, akin to parallel structures, as is common with pillars. This article aims to propose strategies for harnessing synergies among these pillars to optimize the utilization of information. The following organizational functions stand to gain significant benefits from this integrated approach:
- R&D for left-shift and early software security
- Risk management controlling and minimizing risk
- Compliance required by vehicle cybersecurity regulation
- VSOC for inputs of security-qualified events
- Product Security Operations Center (PSOC) for managing the product risk evaluation and minimization
The method
Vulnerabilities + System Abstract Model
The binary image stands out as the most dependable source for scanning and extracting vulnerabilities and Software Bill of Materials (SBOM). Additionally, it unveils a set of potential issues such as:
- Hard-coded credentials
- Inadequate kernel security configurations
- Overly permissive file attributes
- Insufficiently fortified compilation flags
- Instances of weak cryptographic usage
- And more
Each vulnerability listed in a Common Vulnerabilities and Exposures (CVE) enumeration database (DB) such as the National Vulnerabilities Database (NVD) is accompanied by a CVSS severity. For instance:
- Vulnerabilities facilitating simple execution of Remote Procedure Calls (RPC) or unauthorized elevation of privileges typically warrant a critical rating.
- Potential data leakage with no functional impact is often deemed minor.
However, this software-centric narrow-sighted perspective fails to consider the broader context of the image, the Electronic Control Unit (ECU) and the overall vehicle architecture.
To fully leverage the system abstract model, additional contextual information reflecting the importance and sensitivity of each component must be integrated. Some of this information can be automatically generated by the system through predefined rules and AI algorithms. For instance:
- Analyzing the vehicle network topology can identify connected devices as prime targets for hackers, thereby assigning them a higher criticality factor.
- Safety-critical components like the Advanced Driver Assistance System (ADAS) would be assigned a higher criticality factor.
- Dependent units such as the Autonomous Driving (AD) and Brake Control Unit (BCU) would warrant elevated criticality ratings.
- A kill chain that exploits several medium-severity vulnerabilities in sequence is a critical case.
- Data leakage of Personally Identifiable Information (PII) would bear a higher factor.
- Less vital components like the environmental control unit would be associated with lower criticality factors.
By incorporating criticality factors into the vulnerability scoring process, a more nuanced prioritization of vulnerabilities emerges, better aligning with the actual risk landscape. To enable this automated approach, the system abstract model should be expanded to include asset management capabilities encompassing logistics and configuration data such as:
- Vehicle make
- Model
- Generation
- Year model
- ECU vendor
- Part numbers
- Hardware version
- Firmware version
- Software versions
- etc.
This information is used for profiling the components. By correlating asset management information with vulnerability data, organizations can effectively prioritize remediation efforts and enhance overall cybersecurity resilience.
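The contextual scoring described above, as an added example in Python (not SystemWeaver code and not a description of its product): a constructed vehicle topology is walked to find how many secured gateways separate each ECU from an external interface, and that exposure, together with safety criticality and PII handling, becomes a multiplier on the CVSS base score. The topology, the factor values, the placeholder CVE ids and the findings are all assumptions invented for illustration; the last function also groups findings that share a CVE so that one fix can be replicated across every affected item.

```python
from collections import deque

# Constructed vehicle topology (assumption, not a real architecture): undirected
# links between ECUs; CELLULAR is an external interface reachable from outside.
TOPOLOGY = {
    "CELLULAR": ["TCU"],
    "TCU": ["CELLULAR", "CGW"],
    "CGW": ["TCU", "IVI", "ZGW"],
    "IVI": ["CGW"],
    "ZGW": ["CGW", "BCM", "ADAS"],
    "BCM": ["ZGW"],
    "ADAS": ["ZGW", "BCU"],
    "BCU": ["ADAS"],
}
EXTERNAL = {"CELLULAR"}           # externally reachable interfaces
GATEWAYS = {"CGW", "ZGW"}         # secured gateways that filter traffic
SAFETY_CRITICAL = {"ADAS", "BCU"}
HANDLES_PII = {"IVI"}

def gateways_crossed(ecu):
    """Minimum number of secured gateways on any path from an external
    interface to `ecu` (0-1 BFS: entering a gateway costs 1, anything else 0).
    Returns None when the ECU is not reachable from outside at all."""
    best = {node: float("inf") for node in TOPOLOGY}
    dq = deque()
    for src in EXTERNAL:
        best[src] = 0
        dq.append(src)
    while dq:
        node = dq.popleft()
        for nxt in TOPOLOGY[node]:
            cost = best[node] + (1 if nxt in GATEWAYS else 0)
            if cost < best[nxt]:
                best[nxt] = cost
                # zero-cost moves go to the front so the deque stays ordered by cost
                (dq.appendleft if cost == best[node] else dq.append)(nxt)
    return None if best[ecu] == float("inf") else best[ecu]

def exposure_factor(ecu):
    """Assumed multipliers: directly exposed ECUs count double, one gateway is
    neutral, two or more gateways transfer most of the risk to the gateways."""
    hops = gateways_crossed(ecu)
    if hops is None:
        return 0.25
    if hops == 0:
        return 2.0
    if hops == 1:
        return 1.0
    return 0.5

def criticality_factors(ecu):
    """Contextual multipliers for one ECU; values are illustrative assumptions."""
    return {
        "exposure": exposure_factor(ecu),
        "safety": 1.5 if ecu in SAFETY_CRITICAL else 1.0,
        "pii": 1.3 if ecu in HANDLES_PII else 1.0,
    }

def contextual_priority(cvss, ecu):
    """CVSS base score multiplied by every criticality factor of the ECU."""
    score = cvss
    for factor in criticality_factors(ecu).values():
        score *= factor
    return round(score, 2)

# Constructed findings: (placeholder CVE id, ECU, CVSS base score).
FINDINGS = [
    ("CVE-EXAMPLE-0001", "TCU", 5.5),   # medium, but directly on the cellular link
    ("CVE-EXAMPLE-0002", "BCM", 8.1),   # high, but behind two gateways
    ("CVE-EXAMPLE-0003", "IVI", 6.5),   # medium, unit handles PII
    ("CVE-EXAMPLE-0004", "ADAS", 7.2),  # high, safety-critical
    ("CVE-EXAMPLE-0003", "BCU", 6.5),   # same library bug as the IVI finding
]

def prioritized(findings=FINDINGS):
    """Findings ordered by contextual priority, highest first."""
    rows = [(cve, ecu, cvss, contextual_priority(cvss, ecu)) for cve, ecu, cvss in findings]
    return sorted(rows, key=lambda r: r[3], reverse=True)

def shared_cves(findings=FINDINGS):
    """CVE -> ECUs it appears on; one remediation can be replicated across them."""
    seen = {}
    for cve, ecu, _ in findings:
        seen.setdefault(cve, []).append(ecu)
    return {cve: ecus for cve, ecus in seen.items() if len(ecus) > 1}

if __name__ == "__main__":
    for cve, ecu, cvss, prio in prioritized():
        print(f"{prio:6.2f}  cvss={cvss:4.1f}  {ecu:5}  {cve}")
    print("fix once, apply everywhere:", shared_cves())
```

With these values the medium TCU finding ranks first and the high BCM finding last, which is exactly the reordering the text argues for; the factor values are the knobs an organization would tune from its own system model rather than fixed constants.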
Note that in the aftermarket, while the vehicle is on the road, the firmware and software versions might change. Equally, an ECU with another hardware version might be changed in a certain vehicle. This adds to the configuration management and complexity of the required continual compliance.
Moreover, when the same vulnerability is identified across multiple items within the system abstract model, it implies that once a solution is developed to address the vulnerability in one instance, it can be efficiently replicated and applied to all other instances. Essentially, by addressing the vulnerability in one place, the effort expended translates into swift remediation across all affected areas. This streamlined approach significantly optimizes work efforts and facilitates the reuse of solutions across multiple components. Achieving this level of efficiency is not feasible through individual analysis of each image and SBOM, but rather requires a collaborative and integrated approach.
The system abstract model serves as a comprehensive asset management entity, delineating the architecture, topology, and components of the vehicle and ECUs. Augmenting it with SBOM data obtained from vulnerability management enriches its value by providing crucial insights. Consequently, the system abstract model becomes the definitive single source of truth, empowering cybersecurity experts to perform their tasks with enhanced efficiency and effectiveness.
Threat intelligence + System abstract model
Indeed, ECUs and system components vary in criticality, leading to different levels of susceptibility to cyberattacks. By analyzing the system model, we can assess and predict which components are more likely to be targeted by attackers and prioritize their cybersecurity measures accordingly. This assessment involves profiling items based on criteria such as safety criticality, connectivity, and other relevant factors.
However, this approach has limitations as it relies solely on internal assessments and may not fully capture real-world threats. To address this gap, integrating threat intelligence into the analysis provides an additional perspective by highlighting assets that are more likely to be targeted based on external threats and attack trends.
To enable this comprehensive analysis, it is essential to incorporate asset management information into the system abstract model. This information includes details such as ECU vendors, hardware and firmware versions, connectivity status, and other relevant data. By integrating this asset management information with threat intelligence data, organizations can identify and prioritize vulnerable components that require additional attention and protection, thereby enhancing overall cybersecurity resilience.
Vulnerabilities + Threat intelligence
Despite conducting vulnerability management within the context of individual items, it remains within a confined universe, detached from the broader landscape teeming with black hat hackers and other malicious actors posing threats to vehicles. In light of this reality, leveraging threat intelligence becomes crucial for refining the prioritization of vulnerability mitigation efforts. By incorporating threat intelligence, organizations can better assess and prioritize vulnerabilities based on the actual threats posed by cyber adversaries.
For instance, a vulnerability with an equal severity score may warrant different levels of urgency depending on its prevalence and interest among potential attackers. If a vulnerability is widely circulated on the dark web and attracts attention from malicious actors, it should be prioritized over another vulnerability of the same severity score that remains ignored by hackers.
Therefore, integrating threat intelligence into vulnerability management processes enables organizations to align their mitigation efforts with the dynamic threat landscape, ensuring a more effective and proactive approach to cybersecurity defense.
User stories + System abstract model
As an integral part of the Software Development Life Cycle (SDLC), R&D typically translates functional requirements into user stories for coding. However, risk management often comes into play later in the process, sometimes necessitating R&D to revisit and adapt their work to meet cybersecurity requirements. Our goal is to left-shift this paradigm by implementing a Secure Software Development Life Cycle (SSDLC), where cybersecurity is embedded from the outset.
In this approach, cybersecurity considerations are integrated from day zero. This means that as soon as user stories are drafted, they undergo thorough analysis through the TARA process. By leveraging the system model, we can swiftly derive inputs, security requirements, and controls, thus ensuring that security measures are implemented early in the development process.
This proactive method not only enhances security but also proves cost-effective. By addressing potential vulnerabilities at an earlier stage, we minimize the need for costly revisions later on, resulting in a secure software product delivered at a reduced overall expense.
Controls + System abstract model
As part of the TARA process, cybersecurity experts establish goals and assign controls to secure various components, aiming to mitigate risks to an acceptable level. Throughout this process, the same control may be utilized multiple times across different items. However, without a comprehensive view of the entire system, each control is often applied independently, without consideration for its potential use elsewhere. For example, a control that is used as part of the risk treatment by avoidance is more important than a control used in a risk-sharing scenario.
Optimization of this process involves taking a holistic approach and recognizing instances where the same control can be effectively applied in multiple places. By assessing the broader picture, the system can identify situations where implementing a specific control provides coverage for several components. This approach offers significant benefits in terms of efficiency and cost-effectiveness.
It is reasonable to assume that implementing the same control multiple times reduces the effort required for each subsequent instance; rather than duplicating work, it streamlines the process, saving time and resources. Therefore, by leveraging optimization strategies and identifying opportunities for control reuse, organizations can enhance efficiency, reduce redundancy, and effectively manage cybersecurity risks across their systems.
Financial considerations + Risk mitigation (Vulnerabilities and Controls)
Typically, the prioritization of implementing vulnerability corrections or controls is based on factors such as severity and other relevant criteria. However, this approach often overlooks the associated work effort or cost of implementation. Consequently, it may not fully optimize the allocation of resources.
Integrating a cost factor into the decision-making process for vulnerability fixing or control implementation allows for a more refined and optimized prioritization of risk reduction efforts. For instance, it may reveal that for the same investment, addressing one complex vulnerability yields the same technical priority as remedying three simpler vulnerabilities.
By incorporating cost considerations, organizations can adopt a best price-performance approach, ensuring maximum return on investment in cybersecurity. This method facilitates the most effective allocation of resources, enabling organizations to address critical vulnerabilities while optimizing budget utilization. Ultimately, it fosters a more robust and resilient cybersecurity posture, balancing technical priorities with financial constraints.
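The price-performance idea above, as an added example in Python (not SystemWeaver code): a constructed backlog holds one complex fix and three simpler ones with an assumed effort in engineer-days. A baseline that works strictly by technical priority spends the whole budget on the complex fix; a 0/1 knapsack over the same backlog picks the subset with the largest total priority the budget can buy, and a ratio view shows the priority gained per unit of cost. The task names, priorities and costs are invented for illustration.

```python
from dataclasses import dataclass

@dataclass
class Item:
    name: str
    priority: float   # technical priority (risk reduction gained when done)
    cost: int         # implementation effort, assumed here to be engineer-days

# Constructed backlog (invented values): one complex fix versus three simpler ones.
BACKLOG = [
    Item("patch complex parser bug in CGW", 9.0, 30),
    Item("enable stack protector in TCU build", 4.0, 10),
    Item("remove hard-coded test credentials from IVI", 3.5, 10),
    Item("tighten file permissions on BCM update partition", 3.0, 10),
]

def severity_first(items, budget):
    """Baseline: take tasks in priority order, skipping any that no longer fit."""
    chosen, spent = [], 0
    for it in sorted(items, key=lambda i: i.priority, reverse=True):
        if spent + it.cost <= budget:
            chosen.append(it)
            spent += it.cost
    return [i.name for i in chosen], sum(i.priority for i in chosen)

def best_value(items, budget):
    """0/1 knapsack: the subset with the largest total priority within budget."""
    n = len(items)
    table = [[0.0] * (budget + 1) for _ in range(n + 1)]
    for i, it in enumerate(items, 1):
        for b in range(budget + 1):
            table[i][b] = table[i - 1][b]                   # leave item i out
            if it.cost <= b:
                with_it = table[i - 1][b - it.cost] + it.priority
                if with_it > table[i][b]:
                    table[i][b] = with_it                   # take item i
    # Walk the table backwards to recover which items were taken.
    chosen, b = [], budget
    for i in range(n, 0, -1):
        if table[i][b] != table[i - 1][b]:
            chosen.append(items[i - 1])
            b -= items[i - 1].cost
    chosen.reverse()
    return [i.name for i in chosen], table[n][budget]

def price_performance(items):
    """Priority gained per unit of cost, highest first."""
    return sorted(((i.name, round(i.priority / i.cost, 3)) for i in items),
                  key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    budget = 30
    print("severity first:", severity_first(BACKLOG, budget))
    print("best value:    ", best_value(BACKLOG, budget))
    for name, ratio in price_performance(BACKLOG):
        print(f"{ratio:5.2f} priority per engineer-day  {name}")
```

The knapsack is exact for a small backlog with integer costs; for a large backlog the ratio ordering is the cheap approximation a planning tool would fall back on, and both views make the cost trade-off visible instead of hiding it behind the severity score.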
Commercial considerations + Risk mitigation (Vulnerabilities and Controls)
Indeed, it is widely acknowledged that resources are limited, necessitating the consideration of commercial aspects in prioritizing cybersecurity tasks. For instance, controls that impact a larger fleet of vehicles should receive priority over those affecting smaller fleets. Moreover, vehicles capable of causing significant damage, such as hazardous materials trucks or heavy commercial trucks, should take precedence over smaller passenger vehicles.
In addition to fleet size and vehicle capabilities, other factors should also be considered to better protect road users and prevent brand damage. These considerations may include the potential impact on public safety, the severity of potential accidents, and the reputational risks associated with cybersecurity incidents. By incorporating these commercial aspects into the prioritization process, organizations can effectively allocate resources to mitigate cybersecurity risks in a manner that maximizes protection for both consumers and the brand.
Additional synergies
The options mentioned above serve as examples of effective approaches, but there are numerous other alternatives and combinations that merit consideration. These may include engaging in Penetration Testing (PT), utilizing VSOCs or PSOCs, and exploring various other strategies.
Risk-based weighted model for R&D prioritization
The figure below illustrates the comprehensive process, encompassing all stages and components:
Figure 2 - Detailed process
This detailed depiction captures the entirety of the process, providing a clear overview of each step and its interconnectedness within the larger framework.
- The process commences with the engineering of the system abstract model, which integrates incoming security requirements for conducting TARA.
- The system abstract model needs to be fed with asset management information and items profiled.
- This information can be augmented with inputs from source code analysis or binary image static scanning and analysis performed by the vulnerability management system.
- As a result, the system produces an SBOM and identifies vulnerabilities that can be correlated with the abstract system model, enabling more nuanced prioritization beyond mere severity scores.
- To further enhance prioritization, incorporating threat intelligence into the system abstract model and vulnerability information yields even more optimized results.
- Additionally, integrating customer financial and commercial inputs provides a comprehensive view of the overall landscape.
To operationalize this process, a model needs to be developed to systematically process the available information and generate optimized priorities for each task, whether it be vulnerability remediation, control implementation, or other cybersecurity measures. This model would serve as a valuable tool for decision-making and resource allocation, ensuring that efforts are focused on addressing the most critical risks with maximum efficiency and effectiveness.
- Each task, such as vulnerability remediation, is assigned a score, such as the CVSS severity score.
- The system then generates factors for each category based on the available information from the process.
- For each of these factors, the customer (OEM, Tier 1/2 supplier, etc.) assigns a relative weight that reflects the importance the organization attaches to each factor type.
- These weights can be adjusted based on organizational priorities and considerations.
The priority of each task is established through a comprehensive calculation, which involves multiplying the task score by the factors and the corresponding weights. This process generates a prioritization score, effectively guiding the order in which tasks should be addressed. By incorporating factors such as impact, urgency, and other relevant considerations, this approach ensures that tasks are prioritized in accordance with the organization's objectives and resource allocation strategies. As a result, resources are directed toward addressing the most critical and pressing issues, thereby maximizing the effectiveness of cybersecurity efforts.
As part of the work plan, the system is designed to generate a comprehensive report listing tasks sorted by their calculated priority. This report serves two primary purposes:
- Risk Management: The report enables risk management teams to determine the threshold for acceptable risks by delineating the tasks above and below a designated priority line. Tasks above the line represent risks deemed unacceptable and thus require immediate attention, while those below the line may be considered acceptable within current risk tolerance levels.
- Project Management: The report provides project management teams with a clear roadmap for planning and executing cybersecurity tasks according to the prescribed order of priority. This ensures that resources are allocated efficiently and that tasks are addressed in a systematic and effective manner.
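The weighted model and its two-purpose report, as an added example in Python (not SystemWeaver's tool or code): each task carries a base score and a set of factors where 1.0 is neutral, the organization's weights scale how strongly each factor pulls the score away from neutral, and the work plan ranks the tasks and splits them at the priority line that marks acceptable risk. The combining formula, the weight range, the factor values and the task list are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Task:
    name: str
    score: float          # base score, e.g. the CVSS severity of a vulnerability
    factors: dict         # factor type -> multiplier; 1.0 means "no influence"
    kind: str = "vulnerability"

# Relative weights per factor type, set by the customer (OEM, Tier 1/2, ...).
# Assumption: a weight in [0, 1]; 0 ignores the factor, 1 applies it in full.
WEIGHTS = {"exposure": 1.0, "safety": 0.8, "threat_intel": 0.6, "fleet": 0.5}

def weighted_factor(factor, weight):
    """Scale how far a factor moves the score away from the neutral value 1.0:
    weight 1 applies the factor as is, weight 0 switches it off."""
    return 1.0 + weight * (factor - 1.0)

def priority(task, weights=WEIGHTS):
    """Prioritization score = base score x weighted factor for each factor type."""
    p = task.score
    for name, factor in task.factors.items():
        p *= weighted_factor(factor, weights.get(name, 0.0))
    return round(p, 2)

def work_plan(tasks, risk_line, weights=WEIGHTS):
    """Rank tasks and split them at the priority line that marks acceptable risk.
    Returns (unacceptable, acceptable), each in descending priority order."""
    ranked = sorted(tasks, key=lambda t: priority(t, weights), reverse=True)
    unacceptable = [t for t in ranked if priority(t, weights) >= risk_line]
    acceptable = [t for t in ranked if priority(t, weights) < risk_line]
    return unacceptable, acceptable

# Constructed tasks (placeholder ids, invented factor values for illustration).
TASKS = [
    Task("TCU CVE-EXAMPLE-0001", 5.5,
         {"exposure": 2.0, "threat_intel": 1.5, "fleet": 1.2}),
    Task("BCM CVE-EXAMPLE-0002", 8.1, {"exposure": 0.5}),
    Task("ADAS secure-boot control", 7.0,
         {"exposure": 0.5, "safety": 1.5}, kind="control"),
    Task("IVI CVE-EXAMPLE-0003", 6.5, {"exposure": 1.0, "threat_intel": 2.0}),
]

def report(tasks=TASKS, risk_line=5.0, weights=WEIGHTS):
    """Task names above and below the line, in work-plan order."""
    above, below = work_plan(tasks, risk_line, weights)
    return [t.name for t in above], [t.name for t in below]

if __name__ == "__main__":
    above, below = work_plan(TASKS, risk_line=5.0)
    print("--- unacceptable risk: schedule now ---")
    for t in above:
        print(f"{priority(t):6.2f}  {t.kind:13}  {t.name}")
    print("--- acceptable within current tolerance ---")
    for t in below:
        print(f"{priority(t):6.2f}  {t.kind:13}  {t.name}")
```

Setting a weight to zero removes that factor type from the calculation entirely, so an organization that does not yet trust its threat-intelligence feed can run the same model with that weight at 0 and see the IVI task fall back to its bare severity score; the same mechanism is how the coefficients are balanced and fine-tuned to a given risk policy.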
By employing this method, organizations can execute cybersecurity initiatives optimally, maximizing effectiveness while minimizing resource wastage. This systematic approach facilitates informed decision-making and ensures that cybersecurity efforts are aligned with organizational objectives and risk management strategies. Balancing, scaling and fine-tuning the weight coefficients provides the tool for flexibility and a true reflection of each organization's individual risk management policy.
A continual compliance process is required; therefore, this activity needs to be continuously performed throughout the entire lifecycle of the vehicle while monitoring for new vulnerabilities and threat intelligence. Those might influence the cybersecurity posture of the vehicle posing new risks and therefore might require some corrective action to maintain the cybersecurity and safety of the vehicle and road users.
Summary
The following benefits result from employing the methods proposed above:
- Synchronized single source of truth with information sharing and reuse
- Enhanced knowledge and value created
- Risks scored relative to the full system
- Focus on addressing the prioritized real severe risks
- Suitable for complex environments and Agile way of work
- Continual compliance left shift during design for R&D and aftermarket for VSOC
- Ensures customer success and overloads works when needed
- Cost savings
- Fewer human resources
- Better risk assessments
- More efficient risk remediation
Risk management is a vital process for every participant in the automotive industry, propelled by regulatory mandates and the necessity to provide cyber-secure vehicles. Achieving these goals requires the integration of all possible sources of information into a unified and comprehensive risk management system that addresses the varied needs of OEMs and their suppliers. However, the challenge lies in implementing such a system in a manner that balances effectiveness with efficiency.
_____________________________________________________________________________________
by Gilad Bandel – VP Cybersecurity, SystemWeaver
For more information, you are welcome to contact me at gilad.bandel@systemweaver.com
Follow us on LinkedIn at https://www.linkedin.com/company/systemite