Journal article 101 views 15 downloads
Integrated Attack Tree in Residual Risk Management Framework
Ahmed Nawaz Khan,
Jeremy Bryans,
Giedre Sabaliauskaite 
,
Hesamaldin Jadidbonab
,
Hesamaldin Jadidbonab
Information, Volume: 14, Issue: 12, Start page: 639
Swansea University Author:
Giedre Sabaliauskaite
-
PDF | Version of Record
© 2023 by the authors. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
Download (1.1MB)
DOI (Published version): 10.3390/info14120639
Abstract
Safety-critical cyber-physical systems (CPSs), such as high-tech cars having cyber capabilities, are highly interconnected. Automotive manufacturers are concerned about cyber attacks on vehicles that can lead to catastrophic consequences. There is a need for a new risk management approach to address...
| Published in: | Information |
|---|---|
| ISSN: | 2078-2489 |
| Published: |
MDPI AG
2023
|
| Online Access: |
Check full text
|
| URI: | https://cronfa.swan.ac.uk/Record/cronfa65213 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| first_indexed |
2023-12-04T14:45:21Z |
|---|---|
| last_indexed |
2023-12-04T14:45:21Z |
| id |
cronfa65213 |
| recordtype |
SURis |
| fullrecord |
<?xml version="1.0" encoding="utf-8"?><rfc1807 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><bib-version>v2</bib-version><id>65213</id><entry>2023-12-04</entry><title>Integrated Attack Tree in Residual Risk Management Framework</title><swanseaauthors><author><sid>6a674e2dbda3ec5f20599ce38199a7c3</sid><ORCID>0000-0003-1183-7001</ORCID><firstname>Giedre</firstname><surname>Sabaliauskaite</surname><name>Giedre Sabaliauskaite</name><active>true</active><ethesisStudent>false</ethesisStudent></author></swanseaauthors><date>2023-12-04</date><deptcode>MACS</deptcode><abstract>Safety-critical cyber-physical systems (CPSs), such as high-tech cars having cyber capabilities, are highly interconnected. Automotive manufacturers are concerned about cyber attacks on vehicles that can lead to catastrophic consequences. There is a need for a new risk management approach to address and investigate cybersecurity risks. Risk management in the automotive domain is challenging due to technological improvements and advances every year. The current standard for automotive security is ISO/SAE 21434, which discusses a framework that includes threats, associated risks, and risk treatment options such as risk reduction by applying appropriate defences. This paper presents a residual cybersecurity risk management framework aligned with the framework presented in ISO/SAE 21434. A methodology is proposed to develop an integrated attack tree that considers multiple sub-systems within the CPS. Integrating attack trees in this way will help the analyst to take a broad perspective of system security. Our previous approach utilises a flow graph to calculate the residual risk to a system before and after applying defences. This paper is an extension of our initial work. It defines the steps for applying the proposed framework and using adaptive cruise control (ACC) and adaptive light control (ALC) to illustrate the applicability of our work. This work is evaluated by comparing it with the requirements of the risk management framework discussed in the literature. Currently, our methodology satisfies more than 75% of their requirements.</abstract><type>Journal Article</type><journal>Information</journal><volume>14</volume><journalNumber>12</journalNumber><paginationStart>639</paginationStart><paginationEnd/><publisher>MDPI AG</publisher><placeOfPublication/><isbnPrint/><isbnElectronic/><issnPrint/><issnElectronic>2078-2489</issnElectronic><keywords>automotive cybersecurity; risk management framework; risk assessment; attack tree; ISO/SAE 21434</keywords><publishedDay>29</publishedDay><publishedMonth>11</publishedMonth><publishedYear>2023</publishedYear><publishedDate>2023-11-29</publishedDate><doi>10.3390/info14120639</doi><url/><notes/><college>COLLEGE NANME</college><department>Mathematics and Computer Science School</department><CollegeCode>COLLEGE CODE</CollegeCode><DepartmentCode>MACS</DepartmentCode><institution>Swansea University</institution><apcterm/><funders>This research received no external funding.</funders><projectreference/><lastEdited>2024-07-11T15:22:23.6337103</lastEdited><Created>2023-12-04T14:41:07.3296586</Created><path><level id="1">Faculty of Science and Engineering</level><level id="2">School of Mathematics and Computer Science - Computer Science</level></path><authors><author><firstname>Ahmed Nawaz</firstname><surname>Khan</surname><order>1</order></author><author><firstname>Jeremy</firstname><surname>Bryans</surname><order>2</order></author><author><firstname>Giedre</firstname><surname>Sabaliauskaite</surname><orcid>0000-0003-1183-7001</orcid><order>3</order></author><author><firstname>Hesamaldin</firstname><surname>Jadidbonab</surname><orcid>0000-0002-5481-9789</orcid><order>4</order></author></authors><documents><document><filename>65213__29200__8fda39a55bd44d26b0062f8acda960d2.pdf</filename><originalFilename>65213_GVOR.pdf</originalFilename><uploaded>2023-12-04T14:44:32.0193737</uploaded><type>Output</type><contentLength>1155744</contentLength><contentType>application/pdf</contentType><version>Version of Record</version><cronfaStatus>true</cronfaStatus><documentNotes>© 2023 by the authors. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.</documentNotes><copyrightCorrect>true</copyrightCorrect><language>eng</language><licence>https://creativecommons.org/licenses/by/4.0/</licence></document></documents><OutputDurs/></rfc1807> |
| spelling |
v2 65213 2023-12-04 Integrated Attack Tree in Residual Risk Management Framework 6a674e2dbda3ec5f20599ce38199a7c3 0000-0003-1183-7001 Giedre Sabaliauskaite Giedre Sabaliauskaite true false 2023-12-04 MACS Safety-critical cyber-physical systems (CPSs), such as high-tech cars having cyber capabilities, are highly interconnected. Automotive manufacturers are concerned about cyber attacks on vehicles that can lead to catastrophic consequences. There is a need for a new risk management approach to address and investigate cybersecurity risks. Risk management in the automotive domain is challenging due to technological improvements and advances every year. The current standard for automotive security is ISO/SAE 21434, which discusses a framework that includes threats, associated risks, and risk treatment options such as risk reduction by applying appropriate defences. This paper presents a residual cybersecurity risk management framework aligned with the framework presented in ISO/SAE 21434. A methodology is proposed to develop an integrated attack tree that considers multiple sub-systems within the CPS. Integrating attack trees in this way will help the analyst to take a broad perspective of system security. Our previous approach utilises a flow graph to calculate the residual risk to a system before and after applying defences. This paper is an extension of our initial work. It defines the steps for applying the proposed framework and using adaptive cruise control (ACC) and adaptive light control (ALC) to illustrate the applicability of our work. This work is evaluated by comparing it with the requirements of the risk management framework discussed in the literature. Currently, our methodology satisfies more than 75% of their requirements. Journal Article Information 14 12 639 MDPI AG 2078-2489 automotive cybersecurity; risk management framework; risk assessment; attack tree; ISO/SAE 21434 29 11 2023 2023-11-29 10.3390/info14120639 COLLEGE NANME Mathematics and Computer Science School COLLEGE CODE MACS Swansea University This research received no external funding. 2024-07-11T15:22:23.6337103 2023-12-04T14:41:07.3296586 Faculty of Science and Engineering School of Mathematics and Computer Science - Computer Science Ahmed Nawaz Khan 1 Jeremy Bryans 2 Giedre Sabaliauskaite 0000-0003-1183-7001 3 Hesamaldin Jadidbonab 0000-0002-5481-9789 4 65213__29200__8fda39a55bd44d26b0062f8acda960d2.pdf 65213_GVOR.pdf 2023-12-04T14:44:32.0193737 Output 1155744 application/pdf Version of Record true © 2023 by the authors. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license. true eng https://creativecommons.org/licenses/by/4.0/ |
| title |
Integrated Attack Tree in Residual Risk Management Framework |
| spellingShingle |
Integrated Attack Tree in Residual Risk Management Framework Giedre Sabaliauskaite |
| title_short |
Integrated Attack Tree in Residual Risk Management Framework |
| title_full |
Integrated Attack Tree in Residual Risk Management Framework |
| title_fullStr |
Integrated Attack Tree in Residual Risk Management Framework |
| title_full_unstemmed |
Integrated Attack Tree in Residual Risk Management Framework |
| title_sort |
Integrated Attack Tree in Residual Risk Management Framework |
| author_id_str_mv |
6a674e2dbda3ec5f20599ce38199a7c3 |
| author_id_fullname_str_mv |
6a674e2dbda3ec5f20599ce38199a7c3_***_Giedre Sabaliauskaite |
| author |
Giedre Sabaliauskaite |
| author2 |
Ahmed Nawaz Khan Jeremy Bryans Giedre Sabaliauskaite Hesamaldin Jadidbonab |
| format |
Journal article |
| container_title |
Information |
| container_volume |
14 |
| container_issue |
12 |
| container_start_page |
639 |
| publishDate |
2023 |
| institution |
Swansea University |
| issn |
2078-2489 |
| doi_str_mv |
10.3390/info14120639 |
| publisher |
MDPI AG |
| college_str |
Faculty of Science and Engineering |
| hierarchytype |
|
| hierarchy_top_id |
facultyofscienceandengineering |
| hierarchy_top_title |
Faculty of Science and Engineering |
| hierarchy_parent_id |
facultyofscienceandengineering |
| hierarchy_parent_title |
Faculty of Science and Engineering |
| department_str |
School of Mathematics and Computer Science - Computer Science{{{_:::_}}}Faculty of Science and Engineering{{{_:::_}}}School of Mathematics and Computer Science - Computer Science |
| document_store_str |
1 |
| active_str |
0 |
| description |
Safety-critical cyber-physical systems (CPSs), such as high-tech cars having cyber capabilities, are highly interconnected. Automotive manufacturers are concerned about cyber attacks on vehicles that can lead to catastrophic consequences. There is a need for a new risk management approach to address and investigate cybersecurity risks. Risk management in the automotive domain is challenging due to technological improvements and advances every year. The current standard for automotive security is ISO/SAE 21434, which discusses a framework that includes threats, associated risks, and risk treatment options such as risk reduction by applying appropriate defences. This paper presents a residual cybersecurity risk management framework aligned with the framework presented in ISO/SAE 21434. A methodology is proposed to develop an integrated attack tree that considers multiple sub-systems within the CPS. Integrating attack trees in this way will help the analyst to take a broad perspective of system security. Our previous approach utilises a flow graph to calculate the residual risk to a system before and after applying defences. This paper is an extension of our initial work. It defines the steps for applying the proposed framework and using adaptive cruise control (ACC) and adaptive light control (ALC) to illustrate the applicability of our work. This work is evaluated by comparing it with the requirements of the risk management framework discussed in the literature. Currently, our methodology satisfies more than 75% of their requirements. |
| published_date |
2023-11-29T15:22:22Z |
| _version_ |
1804292841971646464 |
| score |
11.016235 |