Reaching Grey Havens: Industrial Automotive Security Modeling with SAM


Autonomous vehicles have a greater attack potential than any previous individual mobility vehicle. This is primarily due to the considerable communication demands of the vehicles, which on the one hand emerge for reasons of functionality and safety, and on the other hand for reasons of comfort. Driverless vehicles require communication interfaces to the environment, direct connections (e.g., Vehicle-to-X) and connections to an original equipment manufacturer backend service or a cloud. These communication connections could all be used as backdoors for attacks. Most existing countermeasures against cyber attacks, e.g., the use of message cryptography, concentrate on concrete attacks and do not consider the complexity of the various access options offered by modern vehicles. This is mainly due to a solution-oriented approach to security problems. The model- based technique SAM (Security Abstraction Model) adds to the early phases of (automotive) software architecture development by explicitly documenting attacks and managing them with the appropriate security countermeasures. It additionally estab- lishes the basis for comprehensive security analysis techniques, e.g., already available attack assessment methods. SAM thus contributes to an early, problem-oriented and solution-ignorant understanding combining key stakeholder knowledge. This paper provides a detailed overview of SAM and evaluates this security technology using interviews with industry experts and a grounded theory analysis. The resulting analyses of this evaluation show that SAM puts the security-by-design principle into practice by enabling collaboration between automotive system engineers, system architects and security experts. The application of SAM aims to reduce costs, improve overall quality and gain competitive advantages. Based on our evaluation results, SAM is highly suitable, comprehensible and complete to be used in the industry.

International Journalon Advances in Security