Publications (5 of 5)
Bergler, M. & Tavakoli Kolagari, R. (2023). Automotive Software Security Engineering based on the ISO 21434.
2023 (English). Report (Other academic)
National Category
Software Engineering
Identifiers
urn:nbn:se:mdh:diva-62425 (URN)
Available from: 2023-05-09 Created: 2023-05-09 Last updated: 2023-05-17. Bibliographically approved
Bergler, M. & Tavakoli Kolagari, R. (2023). Automotive Software Security Engineering based on the ISO 21434. In: ACM Conference Proceedings. Paper presented at 5th World Symposium on Software Engineering (WSSE 2023). Tokyo: Association for Computing Machinery (ACM)
2023 (English). In: ACM Conference Proceedings, Tokyo: Association for Computing Machinery (ACM), 2023. Conference paper, Published paper (Refereed)
Abstract [en]

The increasing use of software and connectivity in modern vehicles has made cybersecurity an important issue in the automotive industry. ISO 21434 is a standard for automotive cybersecurity engineering that provides guidelines for the development and validation of secure automotive systems. For effective implementation and practical use of ISO 21434, it must be incorporated into existing automotive industry development workflows.

In this paper, we investigate the practical applicability of ISO 21434 in the context of the Security Abstraction Model (SAM), a security modeling approach for the domain-specific modeling language EAST-ADL, and provide insights into the benefits and consequences of this approach. In doing so, we describe the methodological opportunities of integrating ISO 21434 into SAM on the one hand and present a case study illustrating the application of this integrated approach in the development of a secure automotive system on the other hand. Our results suggest that the integration of ISO 21434 into SAM better supports automotive system security in the early development phases and makes it transparent to a wide range of stakeholders. At the same time, it becomes clear that a representation of the interrelationships in the form of a metamodel, in contrast to ISO 21434 in which these are only described textually, significantly improves conceptual understanding and ultimately enables pragmatic usability in industrial development.

Place, publisher, year, edition, pages
Tokyo: Association for Computing Machinery (ACM), 2023
National Category
Software Engineering
Identifiers
urn:nbn:se:mdh:diva-62919 (URN), 979-8-4007-0805-3 (ISBN)
Conference
5th World Symposium on Software Engineering (WSSE 2023)
Available from: 2023-06-07 Created: 2023-06-07 Last updated: 2023-06-08. Bibliographically approved
Bergler, M. (2023). Extending and Improving the Security Abstraction Model for Architectural Models of Autonomous Vehicles. (Licentiate dissertation). Västerås: Mälardalens universitet
2023 (English). Licentiate thesis, comprehensive summary (Other academic)
Place, publisher, year, edition, pages
Västerås: Mälardalens universitet, 2023
Series
Mälardalen University Press Licentiate Theses, ISSN 1651-9256 ; 343
National Category
Software Engineering
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-62550 (URN), 978-91-7485-600-2 (ISBN)
Presentation
2023-06-19, room Case, Mälardalens universitet, Västerås, 13:15 (English)
Available from: 2023-05-12 Created: 2023-05-12 Last updated: 2023-05-29. Bibliographically approved
Bergler, M., Tolvanen, J.-P. & Tavakoli Kolagari, R. (2022). Integrating Security and Safety with Systems Engineering: a Model-Based Approach. Paper presented at Embedded World 2022.
2022 (English). Conference paper, Published paper (Other academic)
Abstract [en]

Development of reliable systems requires that safety and security concerns are acknowledged during system development. Adding them afterwards is risky as many concerns are missed if not elicited together with the system requirements. Unfortunately, languages for systems engineering, like SysML, typically ignore security and safety forcing development teams to split the work into different formats, languages and tools without easy collaboration, with limited traceability, separate versioning and restricted use of automation that tools can provide. We present a model-based approach targeting automotive that integrates safety and security aspects with other system development practices. This is achieved via a comprehensive domain-specific modeling language that is extendable by language users. We demonstrate this approach with practical examples on how security and safety concerns are recognized along with traditional system design and analysis phases.

National Category
Software Engineering
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-62427 (URN)
Conference
Embedded World 2022
Available from: 2023-05-09 Created: 2023-05-09 Last updated: 2023-05-12. Bibliographically approved
Bergler, M., Tavakoli Kolagari, R., Tolvanen, J.-P. & Zoppelt, M. (2021). Social Engineering Exploits in Automotive Software Security: Modeling Human-targeted Attacks with SAM. In: Bruno Castanier, Marko Cepin, David Bigaud and Christophe Berenguer (Ed.), Proceedings of the 31th European Safety and Reliability Conference. Paper presented at ESREL2021. Singapore: Research Publishing Services
2021 (English). In: Proceedings of the 31th European Safety and Reliability Conference / [ed] Bruno Castanier, Marko Cepin, David Bigaud and Christophe Berenguer, Singapore: Research Publishing Services, 2021. Conference paper, Published paper (Refereed)
Abstract [en]

Security cannot be implemented into a system retrospectively without considerable effort, so security must be taken into consideration already at the beginning of the system development. The engineering of automotive software is by no means an exception to this rule. For addressing automotive security, the AUTOSAR and EAST-ADL standards for domain-specific system and component modeling provide the central foundation as a start. The EAST-ADL extension SAM enables fully integrated security modeling for traditional feature-targeted attacks. Due to the COVID-19 pandemic, the number of cyber-attacks has increased tremendously and of these, about 98 percent are based on social engineering attacks. These social engineering attacks exploit vulnerabilities in human behaviors, rather than vulnerabilities in a system, to inflict damage. And these social engineering attacks also play a relevant but nonetheless regularly neglected role for automotive software. The contribution of this paper is a novel modeling concept for social engineering attacks and their criticality assessment integrated into a general automotive software security modeling approach. This makes it possible to relate social engineering exploits with feature-related attacks. To elevate the practical usage, we implemented an integration of this concept into the established, domain-specific modeling tool MetaEdit+. The tool support enables collaboration between stakeholders, calculates vulnerability scores, and enables the specification of security objectives and measures to eliminate vulnerabilities.

Place, publisher, year, edition, pages
Singapore: Research Publishing Services, 2021
National Category
Software Engineering
Identifiers
urn:nbn:se:mdh:diva-62428 (URN), 10.3850/981-973-0000-00-0 (DOI), 978-981-18-2016-8 (ISBN)
Conference
ESREL2021
Available from: 2023-05-09 Created: 2023-05-09 Last updated: 2024-12-20. Bibliographically approved
Identifiers
ORCID iD: orcid.org/0000-0002-2941-7948